Carbon Black EDR provides access to two sources of pre-configured watchlists, in addition to the watchlists you create.

  • The VMware Carbon Black User Exchange provides a forum for sharing watchlists.
  • The Watchlists page in the console includes a list of default watchlists, which include the following:

    • Autoruns

    • Filemods to Webroot

    • Netconns to .cn or .ru

    • Newly Executed Applications

    • Newly Installed Applications

    • Newly Loaded Modules

    • Non-System Filemods to system

    • USB drive usage

    • Carbon Black Threat Reputation

In addition to the built-in Watchlists, in the top-right corner of the Watchlists page, you can click the Community Watchlists button to access Threat Research on the VMware Carbon Black User Exchange. Threat Research is a central portal where watchlist users can publish and discuss watchlists that might eventually be included as a feed.