CB ThreatHunter: How to build a custom watchlist from the Investigate page

Article ID: 290537

Products

Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Create a custom watchlist from the Investigate page

Environment

  • CB ThreatHunter Web Console: All Versions

Resolution

  1. Navigate to the Investigate page
  2. Execute a desired search query
  3. Select Add search to Threat Report under the search magnifying glass
  4. Under the Select a Watchlist heading in the Add Query modal, select Add New
  5. Enter a name for the watchlist
  6. Enter a description for the watchlist if desired
  7. Enable Alert on Hit if the watchlist should alert users when IOCs match incoming data
    • Selecting Include Historical Data will perform a one-time query of all past data available in the console (see https://community.carbonblack.com/t5/Knowledge-Base/CB-ThreatHunter-How-long-is-event-data-stored-for/ta-p/72718)
  8. Enter a name for the Threat Report that will contain the search query executed in step 2
  9. Enter a description for the Threat Report if desired
  10. Set a desired severity
  11. Enter any tags to be applied to the Threat Report
  12. Select Save