Enterprise EDR: How to search by Watchlist name(s)
Article ID: 290150
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Be able to search on the investigate page based on Watchlist name(s)
Environment
- Carbon Black Cloud Console
Resolution
- Navigate to the Investigate page
- Use the "Processes" tab if you have both Enterprise EDR and Endpoint Standard
- Use the recently added watchlist_name field, for example:
  - To search on a curated Watchlist, such as the ATT&CK Framework, see below:
  - To search on a custom Watchlist, see below:
    - watchlist_name: "Malicious Hosts"
Additional Information
- Watchlists that contain zero hits will not provide a search guide suggestion while typing the Watchlist name
- The "Processes" tab contains EDR data. The "Observations" tab contains Endpoint Standard data
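The article shows a single query of the form watchlist_name: "Malicious Hosts". Because a Watchlist with zero hits gives no type-ahead suggestion, the exact name has to be entered by hand, and names with spaces must be quoted. The helper below is an added example (not part of the KB article or of Carbon Black's own tooling) that builds such a query for one or several Watchlist names; it assumes the Investigate search uses Lucene-style syntax, so multiple names are combined with OR and embedded quotes and backslashes are backslash-escaped.

```python
"""
Build Carbon Black Cloud Investigate queries on the watchlist_name field.

Added example, not from the KB article. Assumptions: the console accepts
Lucene-style syntax, i.e. quoted phrase values, OR between terms, and
backslash escaping for embedded quotes/backslashes.
"""
from typing import Iterable


def quote_value(name: str) -> str:
    """Wrap a Watchlist name in double quotes so spaces are searched as one phrase.

    Embedded backslashes and double quotes are backslash-escaped first
    (assumed Lucene-style escaping).
    """
    escaped = name.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def watchlist_query(names: Iterable[str]) -> str:
    """Return an Investigate query matching any of the given Watchlist names.

    A single name yields   watchlist_name:"Name"
    Several names yield    (watchlist_name:"A" OR watchlist_name:"B")
    """
    cleaned = [n.strip() for n in names if n and n.strip()]
    if not cleaned:
        raise ValueError("at least one Watchlist name is required")
    terms = [f"watchlist_name:{quote_value(n)}" for n in cleaned]
    if len(terms) == 1:
        return terms[0]
    return "(" + " OR ".join(terms) + ")"


if __name__ == "__main__":
    # Constructed sample names; "Malicious Hosts" is the article's own example.
    print(watchlist_query(["Malicious Hosts"]))
    print(watchlist_query(["Malicious Hosts", "ATT&CK Framework"]))
```

Paste the returned string into the search bar on the "Processes" tab; the same string works whether or not the Watchlist currently has hits, since it does not depend on the type-ahead suggestion.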