Environment
- CB ThreatHunter Web Console: All Versions
Question
Can a custom watchlist be created and subscribed to that will trigger an Alert when a separate watchlist Alerts on specific activity? i.e.
- (watchlist_name:"Carbon Black Advanced Threats" AND -(process_name:<name>.exe OR process_name:<name>.exe))
- ((watchlist_name:"MITRE ATT&CK - Execution" AND watchlist_name:"MITRE ATT&CK - Persistence"))
Answer
In the products current configuration the above examples are only able to return hits when executed on the Investigate page and not when saved in a custom watchlist.
Additional Notes
Related Content