CB ThreatHunter: When trying to add a report to a watchlist, some watchlists are not on the available dropdown list
Article ID: 288240
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
When an administrator goes to add a search as a report to a watchlist, only watchlists created through the Web UI appear in the dropdown list.
Environment
CB ThreatHunter Console: All Versions
CB ThreatHunter Sensor: All Versions
Cause
The "missing" watchlists were created with the API script watchlists-manager.py.
Resolution
Delete the watchlists created with watchlists-manager.py.
Use the script watchlists_operations.py to create the watchlists.
Watchlists created with watchlists_operations.py should appear in the watchlists dropdown list.
Additional Information
Adding a query to a watchlist is only allowed for watchlists that are not subscribed to a feed. If you want to add a query to a feed, you will need to use the feed manager APIs.
By default, the feed manager route for getting feeds only shows the feeds created by your org. If you wish to view the public feeds, which are read-only, you will need to add the query parameter include_public=true to the request.
If a public feed is updated, your watchlist that is subscribed to that feed will automatically pick up those changes and will trigger hits based on those IOCs.
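The rules above can be checked before adding a query. This is an added example, not part of the original article or of the Carbon Black scripts it names. It builds the feed-listing URL with and without include_public=true and sorts watchlists by where a query can go. The route path and the `classifier`, `owner` and `id` field names are assumptions to confirm against the current API documentation; the hostname, org key and sample records are constructed.

```python
from urllib.parse import urlencode

# Assumed Feed Manager route for listing feeds; confirm against current API docs.
FEEDS_PATH = "/threathunter/feedmgr/v2/orgs/{org_key}/feeds"

def feeds_url(hostname, org_key, include_public=False):
    """Build the feed-listing URL; include_public=true adds read-only public feeds."""
    url = f"https://{hostname}{FEEDS_PATH.format(org_key=org_key)}"
    if include_public:
        url += "?" + urlencode({"include_public": "true"})
    return url

def plan_query_targets(watchlists, feeds, org_key):
    """For each watchlist, decide where a new query is allowed to go."""
    feeds_by_id = {f["id"]: f for f in feeds}
    plan = {}
    for wl in watchlists:
        classifier = wl.get("classifier") or {}  # assumed: null when not subscribed
        feed_id = classifier.get("value") if classifier.get("key") == "feed_id" else None
        feed = feeds_by_id.get(feed_id)
        if feed_id is None:
            plan[wl["name"]] = "add query to watchlist"
        elif feed is None:
            plan[wl["name"]] = "feed not listed; retry with include_public=true"
        elif feed.get("owner") == org_key:
            plan[wl["name"]] = "add query via feed manager API"
        else:
            plan[wl["name"]] = "public feed is read-only"
    return plan

# Constructed sample data (not real org keys, feeds or watchlists).
ORG_KEY = "ORGKEY1"
SAMPLE_FEEDS = [
    {"id": "feed-own-1", "name": "Internal IOCs", "owner": "ORGKEY1"},
    {"id": "feed-pub-1", "name": "Vendor Intel", "owner": "VENDORORG"},
]
SAMPLE_WATCHLISTS = [
    {"name": "ui-watchlist", "classifier": None},
    {"name": "own-feed-watchlist", "classifier": {"key": "feed_id", "value": "feed-own-1"}},
    {"name": "public-feed-watchlist", "classifier": {"key": "feed_id", "value": "feed-pub-1"}},
    {"name": "unknown-feed-watchlist", "classifier": {"key": "feed_id", "value": "feed-x"}},
]

if __name__ == "__main__":
    print(feeds_url("cbc.example.invalid", ORG_KEY, include_public=True))
    for name, action in plan_query_targets(SAMPLE_WATCHLISTS, SAMPLE_FEEDS, ORG_KEY).items():
        print(f"{name}: {action}")
```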