Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)
Issue/Introduction
Tune watchlists at the report and IOC levels
Environment
Enterprise EDR (Formerly CB ThreatHunter) Console: All Versions
Resolution
From the Enforce - Watchlists level
To tune at the report level, click the Reports tab, select a report, then click Take Action to:
Include or exclude a report from detection (Disable/Enable)
Remove a report from a watchlist (Remove)
To tune at the IOC level, click the Name of the report, select an IOC, then click Take Action to include or exclude an IOC from detection (Disable/Enable)
To create a new tuned IOC
Click on the IOC Investigate icon
Add any required changes to the query
Click "Add search to watchlist report"
Fill out the required information to create the tuned IOC