Watchlists are saved searches that run periodically against the process or binary data in Carbon Black EDR. Watchlists are visible to all users.

Watchlists are named process or binary searches that the server runs periodically (approximately every 10 minutes) without user action. When those saved searches produce new results, the server notifies users about them in a configurable way.

First responders can use the Watchlists page to quickly see items that are potentially interesting. For example, the Newly Executed Applications watchlist gives you rapid access to a list of the latest applications that were executed. If known recent issues occur with any new applications, you can quickly scan the results of that watchlist to find potential problems.

For watchlists that are based on threat intelligence feeds, you can factor scoring into a saved search. These watchlists tag a process or binary that is found on one of your endpoints when the score from a specified feed matches a specified score or falls within a specified score range. The score is the rating that is used to calculate the severity that is assigned to IOCs from a feed.

Additional information about enabling and using watchlists in specific contexts displays in the following pages: