Enterprise EDR: How to search by Watchlist name(s)


Article ID: 290150


Updated On:


Carbon Black Cloud Enterprise EDR (formerly CB ThreatHunter)


Search the Investigate page by Watchlist name(s).


  • Carbon Black Cloud Console
    • Enterprise EDR


  1. Navigate to the Investigate page
    • Use the "Processes" tab if you have both Enterprise EDR and Endpoint Standard
  2. Use the recently added watchlist_name field, for example:
    • To search on a curated Watchlist, such as the ATT&CK Framework:
      • watchlist_name: att
    • To search on a custom Watchlist:
      • watchlist_name: "Malicious Hosts"
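
To search on several Watchlists in one query, the individual watchlist_name clauses can be combined. The Python helper below is an added example, not part of the original article or of Carbon Black's own tooling; the function names are hypothetical, and it assumes the Investigate search bar accepts Lucene-style OR, parentheses, and backslash escaping inside quoted values.

```python
import re

# Characters treated as special in Lucene-style query syntax (assumption:
# the Investigate search bar follows these conventions).
_SPECIAL = re.compile(r'[\s+\-!(){}\[\]^~*?:/&|]')


def watchlist_term(name: str) -> str:
    """Return one watchlist_name clause, quoting the value when needed."""
    name = name.strip()
    if not name:
        raise ValueError("watchlist name must not be empty")
    if '"' in name or "\\" in name or _SPECIAL.search(name):
        # Escape backslashes first, then embedded double quotes.
        escaped = name.replace("\\", "\\\\").replace('"', '\\"')
        value = f'"{escaped}"'
    else:
        value = name
    # Same "field: value" layout as the examples in the article.
    return f"watchlist_name: {value}"


def watchlist_query(names):
    """Combine several watchlist names into a single OR query."""
    seen, terms = set(), []
    for name in names:
        key = name.strip()
        if key in seen:
            continue  # skip exact duplicates so the query stays short
        seen.add(key)
        terms.append(watchlist_term(name))
    if not terms:
        raise ValueError("at least one watchlist name is required")
    return terms[0] if len(terms) == 1 else "(" + " OR ".join(terms) + ")"


if __name__ == "__main__":
    # Constructed sample input using the two names from the article.
    print(watchlist_query(["att"]))
    print(watchlist_query(["Malicious Hosts", "att", "Malicious Hosts"]))
```

Paste the printed string into the search bar on the "Processes" tab.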

Additional Information

  • Watchlists that contain zero hits will not provide a search guide suggestion while typing the Watchlist name
  • The "Processes" tab contains EDR data. The "Observations" tab contains Endpoint Standard data