The Add IOC to Watchlist Alert Action adds the specified IOCs to a report in a watchlist.
Note:
- This Alert Action requires Carbon Black Cloud Enterprise EDR.
- See also Watchlist API for Carbon Black Cloud Enterprise EDR.
Configuration:
- Watchlist
-
- The name of the watchlist.
- Matches exactly
- If the watchlist does not exist, it will be created.
- The watchlist name can be overwritten with a field value in the results. Fieldname:
watchlist.
- Report Name:
-
- The name of the report on the watchlist.
- Matches exactly
- If the report does not exist, it will be created.
- The report name can be overwritten with a field value in the results. Fieldname:
report_name.
- IOC Match Type
-
The type of IOC to add to the watchlist report. The type is either
EqualityorQuery. - IOC Field
- The field name in the search results that contains the IOC to add to the watchlist report.
- Severity
-
- The severity to assign to the Alert Action report IOC.
- The severity assignment can be overwritten with a field value in the results. Fieldname:
severity.
