Just Published! Threat Report: Exposing Malware in Linux-Based Multi-Cloud Environments | Download Now

Carbon Black Cloud Console: How to Identify When a Watchlist Was Disabled

Carbon Black Cloud Console: How to Identify When a Watchlist Was Disabled

Environment

  • Carbon Black Cloud Console: All Versions

Objective

  • Identify when a Watchlist was enabled/disabled
  • Identify when a Watchlist was edited
  • Identify who enabled/disabled a Watchlist

Resolution

There are two steps needed to identify when and who disabled a Watchlist
  1. Get the watchlist Id's as part of the URL
    1. click on the watchlist under watchlist page.
    2.  Observe in the URL: 
      1. https://defense-prod05.conferdeploy.net/enforce/watchlists/<ID>
  2. Search Audit log for the watchlist_id
    1. Sort by All Time
  3. Watchlists that were edited or disabled will appear

Related Content


Was this article helpful? Yes No
No ratings
Article Information
Author:
Creation Date:
‎11-10-2022
Views:
126
Contributors