CB ThreatHunter: Reports not visible under Watchlist when added in bulk
Article ID: 289750
Updated On:
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
- Watchlist added showed Reports
- Adding more Reports to Watchlist removes all Reports from view in Console
- Watchlist still returns hits with Report names listed
- Developer Tools shows error on GET 'search?query=' call
HTTP Status 400 – Bad Request
Environment
- PSC Console: All Versions
- CB ThreatHunter
Cause
Request Header too long
Resolution
A permanent fix to this issue is being investigated. This KB will be updated once that fix is made available.
Check Watchlist Reports (Developer Tools)
- Log into PSC Console
- Open DevTools (Chrome, Firefox) and select the Network tab
- Go to Enforce > Watchlists
- Check DevTools/Web Inspector for the 'watchlist' item (under Name in Chrome, under File in Firefox)
- Click on the Headers sub-tab to verify that the Request URL is https://<dashboardURL>/threathunter/watchlistmgr/v1/watchlist
- Click on the Preview sub-tab (Chrome) or Response sub-tab (Firefox)
- Search for the name of the desired Watchlist (shows as 'name: <WatchlistName>')
- Review the list and number of Report IDs (appearing between 'name: "<WatchlistName>"' and 'watchlist_id: <Watchlist_ID>')
Check Watchlist Reports (CB ThreatHunter API)
- Collect information on all Watchlists
GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/<org_key>/watchlists
- Copy the Watchlist_ID for use in Step3, or check the number of Reports listed for the desired Watchlist
{ "name": "<WatchlistName", "description": "<WatchlistDescription>", "id": "<Watchlist_ID>", ... - Using the Watchlist_ID above, collect information on the desired Watchlist
GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/<org_key>/watchlists/<watchlist_id>
- Check the number of Reports listed
Feedback
Yes
No
Powered by
