CB ThreatHunter: When trying to add a report to a watchlist, some watchlists are not on the available dropdown list
Article ID: 288240
Updated On:
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
When an administrator goes to "Add a search" report to a watchlist, only watchlists created by the Web UI appear.
Environment
- CB ThreatHunter Console: All Versions
- CB ThreatHunter SEnsor: All versions
Cause
The "missing" watchlists were created with the API script watchlists-manager.py.
Resolution
- Delete the watchlists created with watchlists-manager.py
- Use the the script watchlists_operations.py to create watchlists
- watchlists_operations.py should appear in the watchlists dropdown list.
Additional Information
- Adding a query to a watchlist is only allowed for watchlists that are not subscribed to a feed. If you want to add a query to a feed you will need to use the feed manager APIs.
- The feed manager route for getting the feeds will by default only show you the feeds create by your org. If you wish to view the public feeds which are read only then you will need to add a query parameter to the request include_public=true
- If a public feed is updated then your watchlist which is subscribed to that feed will automatically pick up those changes and will trigger hits based on those IOCs.
Feedback
Yes
No
Powered by
