How to Build a Custom Watchlist From the Investigate Page
Article ID: 290537
Updated On: 04-09-2025
Products
Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Create a custom watchlist from the Investigate page
Environment
- Enterprise EDR Console: All Versions
Resolution
- Navigate to the Investigate page
- Execute a desired search query
- Select Add search to watchlist report under the search magnifying glass
- Under the Select Watchlist heading in the modal, select Create new watchlist
- Enter a name for the watchlist
- Enter a description for the watchlist if desired
- Enable Alert on Hit if the watchlist is desired to alert users when IOCs match incoming data
- Selecting Evaluate on all existing data will perform a one time query of all past data available in the console
- Enter a name for the Select Report that will contain the search query executed previously in step 2
- Enter a description for the report if desired
- Set a desired severity
- Enter any tags to be applied to the report
- Select Save
Additional Information
Additional product documentation for using watchlists can be found here
Feedback
Was this article helpful?
Yes
No
Powered by
