Environment
- Enterprise EDR (Formerly CB ThreatHunter) Console: All Supported Versions
Question
Why Are There Continuous Watchlist Hits For The Same Watchlist?
Answer
If a watchlist query matches only on process metadata (e.g. process_cmdline) and that metadata belongs to a long-running process, then every time the process does anything that is recorded (makes a netconn, performs a filemod, etc.), another hit will trigger.
Additional Notes
This is working as designed: each new event for the process is written as a new segment that carries a copy of the process metadata, and because the query is metadata-only, the watchlist searcher matches that copy again on every new segment.
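The mechanism above can be modeled in a few lines. The following is an added example, not Carbon Black code and not the product's query syntax: it constructs a handful of segments for one long-running process (each carrying the same process_cmdline plus one event) and shows that a metadata-only predicate fires once per segment, while a predicate that also constrains an event field fires only on the segments containing that event. The segment layout, field names and sample values are all constructed for illustration.

```python
# Added conceptual model of watchlist hits per process segment.
# Not Carbon Black code; segment structure and field names are assumptions.
from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Segment:
    """One segment of a process: a copy of the process metadata plus
    the events recorded since the previous segment (constructed model)."""
    process_cmdline: str
    events: List[Dict[str, str]] = field(default_factory=list)


def segments_for_long_running_process() -> List[Segment]:
    """Constructed sample: one process, three successive segments.
    Every segment repeats the same metadata; only the events differ."""
    cmdline = "svchost.exe -k netsvcs"  # constructed sample value
    return [
        Segment(cmdline, [{"type": "netconn", "domain": "example.com"}]),
        Segment(cmdline, [{"type": "filemod", "path": "C:\\temp\\a.log"}]),
        Segment(cmdline, [{"type": "netconn", "domain": "example.org"}]),
    ]


def metadata_only_query(seg: Segment) -> bool:
    """Matches on process metadata alone, so it is true for every
    segment that carries the same cmdline copy."""
    return "netsvcs" in seg.process_cmdline


def event_scoped_query(seg: Segment) -> bool:
    """Same metadata term, but additionally requires an event in this
    segment (here a netconn to a specific domain), so it only fires on
    segments where that event actually occurred."""
    return metadata_only_query(seg) and any(
        ev["type"] == "netconn" and ev.get("domain") == "example.org"
        for ev in seg.events
    )


def count_hits(query: Callable[[Segment], bool], segments: List[Segment]) -> int:
    """Number of segments on which the watchlist query would report a hit."""
    return sum(1 for seg in segments if query(seg))


if __name__ == "__main__":
    segs = segments_for_long_running_process()
    print("metadata-only hits:", count_hits(metadata_only_query, segs))  # 3
    print("event-scoped hits: ", count_hits(event_scoped_query, segs))   # 1
```

The metadata-only predicate returns a hit for all three segments even though nothing about the process changed between them, which is exactly the repeated-hit behavior described above; the event-scoped predicate returns one hit because only one segment contains the matching event. When a watchlist is meant to alert on a specific behavior rather than on the mere existence of a process, including an event-level term in the query is the usual way to stop it from re-firing on every new segment.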