EDR: Can watchlists and feeds be assigned to specific endpoints or groups?

Article ID: 289580

Products

Carbon Black EDR (formerly Cb Response)

Issue/Introduction

Can a watchlist or feed only alert on specific sensors / groups?

Environment

  • EDR Server: 7.x

Resolution

  • Watchlists can use the group or hostname fields to filter on a specific sensor group or computer respectively (e.g. group:"<group_name>" or hostname:<host_name>)
  • Feeds cannot be scoped to a specific group, but a watchlist can be created from the feed's query with a group filter added, so that only hits on that group alert
    1. On the desired feed, click "Process Matches" to go to the Investigate page.
    2. On the Investigate page, add the 'group' or 'hostname' field to the feed's query
      ex. (alliance_score_srstrust:*) and group:"<group_name>"
    3. Select "Create Watchlist" and save the watchlist
    4. If not already enabled, go back to the threat feed and enable it (the watchlist only matches events the feed has already tagged)
    5. Disable notifications on the feed itself and enable notifications on the watchlist, so alerts are generated only for the scoped group
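The same scoped watchlist can be created without the console, which is useful when many groups need their own copy of a feed. The script below is an added example, not Carbon Black's own code: it builds the scoped query from the steps above (always quoting the group or hostname value, as the console does) and prepares a POST to the EDR watchlist REST endpoint. The endpoint path /api/v1/watchlist, the X-Auth-Token header and the search_query / index_type payload fields are assumed from the EDR REST API as the author of this example understands it; verify them against your server's API documentation, and note that email notifications for the new watchlist must still be enabled in the console as in step 5.

```python
"""Scope a threat-feed match to a sensor group or host by creating a watchlist
whose query combines the feed's score field with a group/hostname filter.
Added example; not Carbon Black's own code. The REST endpoint, auth header and
payload fields are assumptions to verify against your EDR server's API docs."""
import json
import urllib.parse
import urllib.request


def build_scoped_query(feed_field: str, groups=(), hostnames=()) -> str:
    """Return an EDR process-search query that matches feed hits only on the
    given sensor groups and/or hostnames, e.g.
    (alliance_score_srstrust:*) and (group:"Servers" or group:"Domain Controllers")

    Values are always double-quoted so names containing spaces parse correctly.
    """
    if not groups and not hostnames:
        raise ValueError("give at least one group or hostname; otherwise just use the feed")
    clauses = [f'group:"{g}"' for g in groups]
    clauses += [f'hostname:"{h}"' for h in hostnames]
    scope = clauses[0] if len(clauses) == 1 else "(" + " or ".join(clauses) + ")"
    return f"({feed_field}:*) and {scope}"


def watchlist_payload(name: str, query: str) -> dict:
    """Body for POST /api/v1/watchlist (field names assumed from the EDR REST API).

    search_query is stored URL-encoded in the same form the console's
    "Create Watchlist" button produces; index_type "events" means a process
    (not binary) watchlist.
    """
    return {
        "name": name,
        "search_query": "q=" + urllib.parse.quote(query) + "&cb.urlver=1",
        "index_type": "events",
    }


def watchlist_request(server: str, api_token: str, payload: dict) -> urllib.request.Request:
    """Build (but do not send) the authenticated POST so it can be inspected first."""
    return urllib.request.Request(
        server.rstrip("/") + "/api/v1/watchlist",
        data=json.dumps(payload).encode(),
        headers={
            "X-Auth-Token": api_token,   # assumed header name; EDR API key of a user
            "Content-Type": "application/json",
        },
        method="POST",
    )


if __name__ == "__main__":
    # Constructed values: replace with your server URL, API token and group names.
    query = build_scoped_query("alliance_score_srstrust", groups=["Domain Controllers"])
    payload = watchlist_payload("SRS Trust - Domain Controllers only", query)
    req = watchlist_request("https://edr.example.internal", "REPLACE_WITH_API_TOKEN", payload)
    print(query)
    print(json.dumps(payload, indent=2))
    # To actually create the watchlist (EDR servers often use a self-signed cert,
    # so supply an ssl context that trusts it rather than disabling verification):
    # with urllib.request.urlopen(req) as resp:
    #     print(resp.read().decode())   # expected: {"id": <new watchlist id>}
```

After the watchlist exists, open it in the console, confirm it is enabled, and turn on its notifications while turning off notifications on the feed, exactly as in step 5; the watchlist inherits nothing from the feed beyond the query text.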