How to tune watchlists

Article ID: 290654

Updated On:

Products

Carbon Black Cloud Enterprise EDR (formerly CB ThreatHunter)

Issue/Introduction

Tune watchlists at the report and IOC levels

Environment

  • Enterprise EDR (formerly CB ThreatHunter) Console: All Versions

Resolution

  • Start from the Enforce - Watchlists page
  • To tune at the report level, click the Reports tab, select a report, then click Take Action to:
    • Include or exclude a report from detection (Disable/Enable)
    • Remove a report from a watchlist (Remove)
  • To tune at the IOC level, click the Name of the report, select an IOC, then click Take Action to include or exclude an IOC from detection (Disable/Enable)
  • To create a new tuned IOC:
    1. Click on the IOC Investigate icon
    2. Add any required changes to the query
    3. Click "Add search to watchlist report"
    4. Fill out the required information to create the tuned IOC