CB ThreatHunter: Reports not visible under Watchlist when added in bulk
book
Article ID: 289750
calendar_today
Updated On:
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Environment
- PSC Console: All Versions
Cause
Request Header too long
Resolution
A permanent fix to this issue is being investigated. This KB will be updated once that fix is made available.
Check Watchlist Reports (Developer Tools)
- Log into PSC Console
- Open DevTools (Chrome, Firefox) and select the Network tab
- Go to Enforce > Watchlists
- Check DevTools/Web Inspector for the 'watchlist' item (under Name in Chrome, under File in Firefox)
- Click on the Headers sub-tab to verify that the Request URL is https://<dashboardURL>/threathunter/watchlistmgr/v1/watchlist
- Click on the Preview sub-tab (Chrome) or Response sub-tab (Firefox)
- Search for the name of the desired Watchlist (shows as 'name: <WatchlistName>')
- Review the list and number of Report IDs (appearing between 'name: "<WatchlistName>"' and 'watchlist_id: <Watchlist_ID>')
Check Watchlist Reports (CB ThreatHunter API)
- Collect information on all Watchlists
GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/<org_key>/watchlists
- Copy the Watchlist_ID for use in Step3, or check the number of Reports listed for the desired Watchlist
{
"name": "<WatchlistName",
"description": "<WatchlistDescription>",
"id": "<Watchlist_ID>",
...
- Using the Watchlist_ID above, collect information on the desired Watchlist
GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/<org_key>/watchlists/<watchlist_id>
- Check the number of Reports listed
Feedback
thumb_up
Yes
thumb_down
No