Enterprise EDR: How to search by Watchlist name(s)

Environment

  • Carbon Black Cloud Console
    • Enterprise EDR

Objective

Search on the Investigate page by the name of one or more Watchlists.

Resolution

  1. Navigate to the Investigate page
    • Use the "Processes" tab if you have both Enterprise EDR and Endpoint Standard
  2. Search on the watchlist_name field, for example:
    • To search on a curated Watchlist, such as the ATT&CK Framework Watchlist, a partial name is enough:
      • watchlist_name: att
    • To search on a custom Watchlist whose name contains spaces, enclose the name in double quotes:
      • watchlist_name: "Malicious Hosts"
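The two search forms above differ only in whether the Watchlist name has to be quoted. The following helper, an added example that is not part of this article or of the Carbon Black Cloud product, builds a watchlist_name clause for one or more names, quoting any name that contains whitespace or query operator characters. It assumes (the article does not state this) that several clauses may be joined with OR and that a double quote inside a quoted name is escaped with a backslash.

```python
"""Build Investigate-page queries on the watchlist_name field.

Added example; not code from the original article or from Carbon Black.
Assumptions not stated in the article: clauses may be combined with OR, and
an embedded double quote is escaped with a backslash.
"""
import re

# Whitespace or Lucene-style operator characters force quoting; a bare name
# such as "att" (as in `watchlist_name: att`) passes through unchanged.
_NEEDS_QUOTING = re.compile(r'[\s:()"\[\]{}^~*?\\/]')


def quote_watchlist_name(name: str) -> str:
    """Return a Watchlist name in the form the search field expects.

    Plain names are returned as-is; names with spaces or operator characters
    are wrapped in double quotes, as in `watchlist_name: "Malicious Hosts"`.
    Backslashes and embedded quotes are escaped (assumption, see above).
    """
    name = name.strip()
    if not name:
        raise ValueError("watchlist name must not be empty")
    if not _NEEDS_QUOTING.search(name):
        return name
    escaped = name.replace("\\", "\\\\").replace('"', '\\"')
    return f'"{escaped}"'


def watchlist_query(*names: str) -> str:
    """Build a watchlist_name query for one or more Watchlist names.

    One name gives `watchlist_name:<name>`; several names are joined with OR
    inside parentheses (assumption: OR is supported between clauses).
    """
    if not names:
        raise ValueError("at least one watchlist name is required")
    clauses = [f"watchlist_name:{quote_watchlist_name(n)}" for n in names]
    if len(clauses) == 1:
        return clauses[0]
    return "(" + " OR ".join(clauses) + ")"


if __name__ == "__main__":
    # Constructed sample names, mirroring the two cases in the article.
    print(watchlist_query("att"))
    print(watchlist_query("att", "Malicious Hosts"))
```

Paste the returned string into the search bar on the "Processes" tab; the quoting rule is the part people most often get wrong when a custom Watchlist name contains a space.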

Additional Notes

  • Watchlists with zero hits do not appear as search guide suggestions while you type the Watchlist name
  • The "Processes" tab contains Enterprise EDR data; the "Observations" tab contains Endpoint Standard data

Article Information
Creation Date: 09-09-2020