CB ThreatHunter: Reports not visible under Watchlist when added in bulk
search cancel

CB ThreatHunter: Reports not visible under Watchlist when added in bulk


Article ID: 289750


Updated On:


Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)


  • Watchlist added showed Reports
  • Adding more Reports to Watchlist removes all Reports from view in Console
  • Watchlist still returns hits with Report names listed
  • Developer Tools shows error on GET 'search?query=' call
    HTTP Status 400 – Bad Request


  • PSC Console: All Versions
    • CB ThreatHunter


Request Header too long


A permanent fix to this issue is being investigated. This KB will be updated once that fix is made available.

Check Watchlist Reports (Developer Tools)

  1. Log into PSC Console
  2. Open DevTools (Chrome, Firefox) and select the Network tab
  3. Go to Enforce > Watchlists
  4. Check DevTools/Web Inspector for the 'watchlist' item (under Name in Chrome, under File in Firefox)
  5. Click on the Headers sub-tab to verify that the Request URL is https://<dashboardURL>/threathunter/watchlistmgr/v1/watchlist
  6. Click on the Preview sub-tab (Chrome) or Response sub-tab (Firefox)
  7. Search for the name of the desired Watchlist (shows as 'name: <WatchlistName>')
  8. Review the list and number of Report IDs (appearing between 'name: "<WatchlistName>"' and 'watchlist_id: <Watchlist_ID>')

Check Watchlist Reports (CB ThreatHunter API)

  1. Collect information on all Watchlists
    GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/<org_key>/watchlists
  2. Copy the Watchlist_ID for use in Step3, or check the number of Reports listed for the desired Watchlist
                "name": "<WatchlistName",
                "description": "<WatchlistDescription>",
                "id": "<Watchlist_ID>",
  3. Using the Watchlist_ID above, collect information on the desired Watchlist
    GET <psc-hostname>/threathunter/watchlistmgr/v3/orgs/<org_key>/watchlists/<watchlist_id>
  4. Check the number of Reports listed