Enterprise EDR: Why Are There Continuous Watchlist Hits For The Same Watchlist?

Article ID: 290225

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Why Are There Continuous Watchlist Hits For The Same Watchlist?

Environment

  • Enterprise EDR (Formerly CB ThreatHunter) Console: All Supported Versions

Resolution

If a watchlist query only constrains process metadata (e.g., process_cmdline) and the matching process is long-running, then every time that process does anything (makes a netconn, a filemod, etc.) another hit will trigger.

Additional Information

This is working as designed: each new event segment the sensor reports carries a copy of the process metadata, and because the query is metadata-only, the watchlist searcher matches that copy again in every new segment.
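The following is a simplified model added here as an illustration, not Carbon Black's own code: every segment carries a copy of the process metadata, so a query that only constrains process_cmdline matches each segment, while a query that also constrains an event-scoped field (filemod_name here, used purely for illustration) matches only the segment carrying that event.

```python
# Simplified model of watchlist matching against per-segment documents.
# Added illustration, not Carbon Black Cloud's implementation.
from dataclasses import dataclass, field


@dataclass
class Segment:
    """One segment of a process: metadata copy plus this segment's events."""
    process_guid: str
    process_cmdline: str                      # metadata, copied into every segment
    events: dict = field(default_factory=dict)  # event-scoped fields, this segment only


def build_segments():
    """Constructed sample: one long-running process reporting three segments."""
    meta = dict(process_guid="CONSTRUCTED-GUID-0001", process_cmdline="svc.exe --serve")
    return [
        Segment(**meta, events={"netconn_domain": "example.test"}),
        Segment(**meta, events={"filemod_name": "c:\\temp\\out.log"}),
        Segment(**meta, events={"netconn_domain": "example.test"}),
    ]


def matches(segment, query):
    """query maps a field name to a substring that must appear in that field."""
    doc = {"process_cmdline": segment.process_cmdline, **segment.events}
    return all(name in doc and value in doc[name] for name, value in query.items())


def count_hits(segments, query):
    """Number of segments (i.e. watchlist hits) the query fires on."""
    return sum(matches(s, query) for s in segments)


if __name__ == "__main__":
    segs = build_segments()
    # Metadata-only query: fires once per segment, i.e. on every new event.
    print(count_hits(segs, {"process_cmdline": "--serve"}))
    # Query that also constrains an event field: fires only where that event is.
    print(count_hits(segs, {"process_cmdline": "--serve", "filemod_name": "out.log"}))
```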