The Remove IOC from Watchlist Alert Action removes the specified IOCs from a report in a watchlist.
Note:
- This Alert Action requires Carbon Black Cloud Enterprise EDR.
- See also Watchlist API for Carbon Black Cloud Enterprise EDR.
Configuration:
- Watchlist
  - The name of the watchlist. Matches exactly.
  - If the watchlist does not exist, it will be created.
  - The watchlist name can be overridden with a field value in the results. Fieldname: watchlist.
- Report Name
  - The name of the report on the watchlist. Matches exactly.
  - If the report does not exist, it will be created.
  - The report name can be overridden with a field value in the results. Fieldname: report_name.
- IOC Value Field
  - The name of the field in the search results that contains the IOC to remove from the watchlist report.
  - Matching is a string match against the report's IOCs: an IOC whose value equals the string is removed, and a query IOC whose query contains the string is also removed.
  - If the removed IOC was the only IOC in the report, the report is removed as well.
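The following is an added example (not the app's own code) of the removal logic described above: the watchlist and report_name result fields override the configured values, the IOC value is matched as a string against equality IOCs and as a substring of query IOCs, and a report that loses its last IOC is dropped. The watchlist and report dictionaries are constructed sample data whose shape (reports with iocs_v2 entries carrying match_type and values) is an assumption modelled on the Watchlist API; the function names are hypothetical.

```python
import copy

# Constructed sample values (not real indicators).
HASH_A = "a" * 64
HASH_B = "b" * 64

# Constructed sample watchlist. The report/iocs_v2 layout is an assumption
# modelled on the Watchlist API report objects, not data from the page.
SAMPLE_WATCHLIST = {
    "name": "Suspicious Hashes",
    "reports": [
        {
            "title": "Dropper hashes",
            "iocs_v2": [
                {"id": "ioc-1", "match_type": "equality",
                 "field": "process_sha256", "values": [HASH_A, HASH_B]},
                {"id": "ioc-2", "match_type": "query",
                 "values": [f"process_sha256:{HASH_A} AND process_name:svchost.exe"]},
            ],
        },
        {
            "title": "Single IOC report",
            "iocs_v2": [
                {"id": "ioc-3", "match_type": "equality",
                 "field": "netconn_ipv4", "values": ["198.51.100.7"]},
            ],
        },
    ],
}


def resolve_target(config, result):
    """Pick the watchlist and report to act on.

    A `watchlist` or `report_name` field in the search result overrides the
    value configured on the alert action, as the documentation describes.
    """
    watchlist = result.get("watchlist") or config["watchlist"]
    report_name = result.get("report_name") or config["report_name"]
    return watchlist, report_name


def remove_ioc_from_report(report, ioc_value):
    """Remove `ioc_value` from one report by string match.

    Equality/regex IOC entries drop the matching value (the entry itself is
    dropped once it has no values left). A query IOC is dropped when its
    query string contains `ioc_value`. Returns (report or None, removed_count);
    None means the report lost its only IOC(s) and should be removed too.
    """
    kept, removed = [], 0
    for ioc in copy.deepcopy(report.get("iocs_v2", [])):
        values = ioc.get("values", [])
        if ioc.get("match_type") == "query":
            if any(ioc_value in query for query in values):
                removed += 1
                continue
            kept.append(ioc)
            continue
        remaining = [v for v in values if v != ioc_value]
        removed += len(values) - len(remaining)
        if remaining:
            ioc["values"] = remaining
            kept.append(ioc)
    if removed and not kept:
        return None, removed
    new_report = dict(report)
    new_report["iocs_v2"] = kept
    return new_report, removed


def remove_ioc_from_watchlist(watchlist, report_name, ioc_value):
    """Apply the removal to the report whose title matches `report_name` exactly.

    Returns (new_watchlist, removed_count); the input is not mutated. A name
    that matches no report is a no-op here.
    """
    reports, removed = [], 0
    for report in watchlist.get("reports", []):
        if report.get("title") != report_name:
            reports.append(report)
            continue
        updated, count = remove_ioc_from_report(report, ioc_value)
        removed += count
        if updated is not None:
            reports.append(updated)
    new_watchlist = dict(watchlist)
    new_watchlist["reports"] = reports
    return new_watchlist, removed


if __name__ == "__main__":
    config = {"watchlist": "Suspicious Hashes", "report_name": "Dropper hashes"}
    result = {"process_sha256": HASH_A, "report_name": "Dropper hashes"}
    _, report = resolve_target(config, result)
    updated, count = remove_ioc_from_watchlist(SAMPLE_WATCHLIST, report, result["process_sha256"])
    print(count, [r["title"] for r in updated["reports"]])
```

Note that the substring test on query IOCs is deliberately loose: a short IOC value such as a common port or process name can match (and remove) a broader query than intended, so check the removed count against what you expected before writing the report back.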