Environment
- Carbon Black Cloud Console: All Versions
Objective
- Identify when a Watchlist was enabled/disabled
- Identify when a Watchlist was edited
- Identify who enabled/disabled a Watchlist
Resolution
There are two steps needed to identify when a Watchlist was disabled and who disabled it:
- Get the Watchlist ID from the URL
  - Click on the Watchlist on the Watchlists page.
  - Observe the ID in the URL: https://defense-prod05.conferdeploy.net/enforce/watchlists/<ID>
- Search the Audit Log for the watchlist_id
  - Sort by All Time
  - Watchlists that were edited or disabled will appear
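The same two steps can be applied offline to audit log records that have been exported from the console. The script below is an added example, not Carbon Black code. It assumes each record is a dictionary with `eventTime` (epoch milliseconds), `loginName` and `description` fields; the watchlist IDs, users and description wording in the sample are constructed.

```python
import re
from datetime import datetime, timezone
from urllib.parse import urlparse

def watchlist_id_from_url(url):
    """Return the path segment that follows /watchlists/ in a console URL."""
    parts = [p for p in urlparse(url).path.split("/") if p]
    if "watchlists" not in parts[:-1]:
        raise ValueError("URL does not contain /watchlists/<ID>")
    return parts[parts.index("watchlists") + 1]

def watchlist_audit_events(records, watchlist_id):
    """Return (epoch_ms, user, description) for entries naming the ID, oldest first."""
    # Match the ID as a whole token so a longer ID sharing the prefix is not a hit.
    token = re.compile(r"(?<![\w-])" + re.escape(watchlist_id) + r"(?![\w-])")
    hits = [
        (rec["eventTime"], rec.get("loginName", "unknown"), rec.get("description", ""))
        for rec in records
        if token.search(f'{rec.get("description", "")} {rec.get("requestUrl", "")}')
    ]
    return sorted(hits)

# Constructed sample data (field names are assumptions about the export format).
SAMPLE_URL = "https://defense-prod05.conferdeploy.net/enforce/watchlists/EXAMPLEID0001"
SAMPLE_LOG = [
    {"eventTime": 1700000300000, "loginName": "analyst2@example.com",
     "description": "Disabled watchlist EXAMPLEID0001"},
    {"eventTime": 1700000000000, "loginName": "analyst1@example.com",
     "description": "Updated watchlist EXAMPLEID0001"},
    {"eventTime": 1700000100000, "loginName": "analyst1@example.com",
     "description": "Logged in successfully"},
    {"eventTime": 1700000200000, "loginName": "analyst3@example.com",
     "description": "Updated watchlist EXAMPLEID00012"},
]

if __name__ == "__main__":
    wid = watchlist_id_from_url(SAMPLE_URL)
    for ms, user, desc in watchlist_audit_events(SAMPLE_LOG, wid):
        when = datetime.fromtimestamp(ms / 1000, tz=timezone.utc)
        print(when.isoformat(), user, desc)
```

Adjust the field names to match the columns or keys in your own export before running it against real data.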