Why do watchlist hits and reviewing the query results for the same time period return different results?

• Carbon Black Cloud Console: All Supported Versions

Watchlist hits are 1 hour rolling windows vs a query which is not doing a point in time analysis of the data

• A normal investigate search does not replicate the 1 hour rolling window that is used in watchlist query detections.
• The closest thing that can be done is determining when the hit happened and limiting the search from that time minus 1 hour to that time, but even that will not be perfect because the time windows on investigate are fluid.

For long running processes, performing queries that do logical AND on multiple events or that negate an event are subject to a time window.