CB ThreatHunter: Will nested watchlists trigger alerts?

Environment

  • CB ThreatHunter Web Console: All Versions

Question

Can a custom watchlist be created and subscribed to that will trigger an Alert when a separate watchlist Alerts on specific activity? For example:
  • (watchlist_name:"Carbon Black Advanced Threats" AND -(process_name:<name>.exe OR process_name:<name>.exe))
  • ((watchlist_name:"MITRE ATT&CK - Execution" AND watchlist_name:"MITRE ATT&CK - Persistence"))

Answer

In the product's current configuration, the above examples only return hits when executed on the Investigate page, not when saved in a custom watchlist.

Additional Notes

If this functionality is desired in the product, please vote on the following Idea Central feature request: CB ThreatHunter: Nested Watchlists

Article Information

Creation Date: 09-09-2020