Environment
- Carbon Black Cloud Console
Objective
Be able to search on the investigate page based on Watchlist name(s)
Resolution
- Navigate to the Investigate page
- Use the "Processes" tab if you have both Enterprise EDR and Endpoint Standard
- Use the recently added watchlist_name field, e.g.:
  - To search on a curated Watchlist, for example the ATT&CK Framework:
    - watchlist_name: "ATT&CK Framework"
  - To search on a custom Watchlist:
    - watchlist_name: "Malicious Hosts"
Additional Notes
- Watchlists with zero hits will not appear as a search guide suggestion while you type the Watchlist name
- The "Processes" tab contains EDR data. The "Observations" tab contains Endpoint Standard data