Knowledge Base

Yes

Environment

CB Response Server: 6.4.0 and later
CB Response Sensor: All versions

Question

Why is a watchlist entry showing under the API tab rather than the watchlist tab in the HUD Query Duration widget?

Answer

The origin of the query is from the API job that includes a watchlist search.

Additional Notes

Here is an example query using "watchlist_196":

| 699 | 2017-11-04 06:51:16.459+00 | | api 
+(parent_name:? +parent_name:? +process_name:? -SameCoreJoinQuery [fromQuery=childproc_name:?, fromField=id, toField=id, scoreMode=None] +os_type:?) +(+last_server_update:[? TO ?] -SameCoreJoinQuery [fromQuery=watchlist_196:*, fromField=id 
, toField=id, scoreMode=None]) | 490 | 2017-11-04 06:51:16.7+00 | 3b238372-1bd2-4be5-b112-xxxxxxxxxxxxx | feed 
id:?

Knowledge Base

CB Response: Why is a watchlist entry showing under the API tab rather than the watchlist tab in the HUD Query Duration widget?

CB Response: Why is a watchlist entry showing under the API tab rather than the watchlist tab in the HUD Query Duration widget?

Environment

Question

Answer

Additional Notes

Related Content

EDR

Knowledge Base

CB Response: Why is a watchlist entry showing under the API tab rather than the watchlist tab in the HUD Query Duration widget?

CB Response: Why is a watchlist entry showing under the API tab rather than the watchlist tab in the HUD Query Duration widget?

Environment

Question

Answer

Additional Notes

Related Content

EDR

Thank you for your feedback.

Thank you for your feedback.