This topic describes specific use cases for Watchlist IOCs.

Get a hit or alert every time an endpoint connects to a specific IP address or domain or tries to execute a banned hash

Solution:

Use an equality IOC: https://developer.carbonblack.com/reference/carbon-black-cloud/cb-threathunter/latest/watchlist-api/#iocs-1.

Examples:

To get an alert every time an endpoint reaches out to one or more remote IP addresses, create a Watchlist with an equality IOC like this:

{
    "id": "netconn_iocs_list_1",
    "match_type": "equality",
    "field": "netconn_ipv4",
    "values": ["111.222.333.444"],
    "link": "https://my-internal-site.local/netconn_iocs/list_1"
}

To get a hit every time an endpoint tries to execute a banned hash, create a Watchlist with an equality IOC like this (make sure that the hash is in your Banned List on the Reputations page):

{
    "id": "hash_iocs_list_a",
    "match_type": "equality",
    "field": "process_sha256",
    "values": ["68e656b251e67e8358bef8483ab0d51c6619f3e7a1a9f0e75838d41ff368f728"],
    "link": "https://my-internal-site.local/hash_iocs/list_a"
}

Get one Watchlist alert each time a suspicious process gets launched

Solution:

Use a query IOC that includes at least one searchable, event-specific field in the query; for example, alert every time PowerShell is launched as a result of opening an Office document.

The following example does not work as intended if it is included as a Query IOC:

(((process_name:wscript.exe OR process_name:cscript.exe OR process_name:powershell.exe) AND (parent_name:winword.exe OR parent_name:powerpnt.exe OR parent_name:excel.exe) AND -(process_cmdline:"powershell.exe kill -processname winword") -process_cmdline:health_check -process_cmdline:SQL_Check*))

This example generates multiple alerts for a single process execution because all of the fields used in this query are reported in every event that the sensor sends for that process. The sensor reports events throughout the lifetime of the executed process: not only the start of the process (a childproc operation), but also the operations the process performs, such as a filemod operation, regmod, netconn, fileless_scriptload, modload, and so forth.

Instead, the following example works as intended:

((childproc_name:wscript.exe OR childproc_name:cscript.exe OR childproc_name:powershell.exe) AND (process_name:winword.exe OR process_name:powerpnt.exe OR process_name:excel.exe) AND -(childproc_cmdline:"powershell.exe kill -processname winword") -childproc_cmdline:health_check -childproc_cmdline:SQL_Check*)

Including one or more event-specific fields such as childproc_name or childproc_cmdline in the Query IOC ensures that the Watchlist feature only generates hits and alerts when the sensor reports the specific matching events for the process, rather than generating hits and alerts every time the sensor reports any activity from the process. In this case, the Watchlist only generates an alert when a child process is spawned, and does not generate alerts for subsequent activity reported for that child process.

Query IOCs in a Watchlist can include most of the fields that are marked Searchable in the Process and Events Search Fields list. Of those Searchable fields, any whose names begin with the following are considered event-specific fields so that you only get alerts when a specific event happens:

  • childproc_*
  • crossproc_*
  • fileless_scriptload_*
  • filemod_*
  • modload_*
  • netconn_*
  • regmod_*
  • scriptload_*

The following fields are not event-specific:

  • childproc_count
  • crossproc_count
  • filemod_count
  • modload_count
  • netconn_count
  • regmod_count
  • scriptload_count
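As an added illustration (not part of the original documentation or the Carbon Black Cloud product), the following Python helper applies the field rules above to a Query IOC string: it extracts the field names referenced in the query and reports whether at least one of them is event-specific, which is the property that separates the "works as intended" query from the one that alerts on every event. The two queries from this page are embedded as sample input; the simple tokenizer is an assumption about the query syntax and is not the product's parser.

```python
import re
from typing import List, Set

# Field-name prefixes listed on this page as event-specific: a query that
# references one of these only hits when the sensor reports that event type.
EVENT_SPECIFIC_PREFIXES = (
    "childproc_", "crossproc_", "fileless_scriptload_", "filemod_",
    "modload_", "netconn_", "regmod_", "scriptload_",
)

# Fields that share a prefix above but are NOT event-specific (per-process
# counters that are present on every event for the process).
NOT_EVENT_SPECIFIC = {
    "childproc_count", "crossproc_count", "filemod_count", "modload_count",
    "netconn_count", "regmod_count", "scriptload_count",
}

# The two Query IOCs discussed on this page, used here as sample input.
ALERTS_ON_EVERY_EVENT = (
    '(((process_name:wscript.exe OR process_name:cscript.exe OR process_name:powershell.exe) '
    'AND (parent_name:winword.exe OR parent_name:powerpnt.exe OR parent_name:excel.exe) '
    'AND -(process_cmdline:"powershell.exe kill -processname winword") '
    '-process_cmdline:health_check -process_cmdline:SQL_Check*))'
)
ALERTS_ON_CHILDPROC_ONLY = (
    '((childproc_name:wscript.exe OR childproc_name:cscript.exe OR childproc_name:powershell.exe) '
    'AND (process_name:winword.exe OR process_name:powerpnt.exe OR process_name:excel.exe) '
    'AND -(childproc_cmdline:"powershell.exe kill -processname winword") '
    '-childproc_cmdline:health_check -childproc_cmdline:SQL_Check*)'
)

# A field reference is an identifier directly followed by ':'. The lookbehind
# stops 'b' in a value such as 'a.b:' from being taken as a field (assumption).
_FIELD_RE = re.compile(r"(?<![\w.])([A-Za-z_]\w*):")

def query_fields(query: str) -> List[str]:
    """Return the distinct field names referenced in a query, in first-seen order."""
    unquoted = re.sub(r'"[^"]*"', '""', query)  # ignore ':' inside quoted values
    seen: List[str] = []
    for name in _FIELD_RE.findall(unquoted):
        if name not in seen:
            seen.append(name)
    return seen

def event_specific_fields(query: str) -> Set[str]:
    """Referenced fields that are event-specific under the rules on this page."""
    return {f for f in query_fields(query)
            if f.startswith(EVENT_SPECIFIC_PREFIXES) and f not in NOT_EVENT_SPECIFIC}

def is_event_scoped(query: str) -> bool:
    """True when the query hits only on a specific event, not on every process event."""
    return bool(event_specific_fields(query))
```

Run `is_event_scoped()` over each Query IOC before adding it to a Watchlist; a `False` result means the query will hit on every event the sensor reports for a matching process.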

Filter Watchlist alerts to ignore expected but unwanted processes

Solution:

Follow the Process Search Negation guidance described at https://developer.carbonblack.com/reference/carbon-black-cloud/guides/process-search-negation/.