Perform the following procedure to create a watchlist on the Threat Intelligence Feeds page in the Carbon Black EDR console.


  1. On the navigation bar, click Threat Intelligence.
  2. Select the feed for which to create a watchlist.
  3. From the Actions menu, click Create Watchlist.
    The add watchlist
    • Watchlist Name: Enter a meaningful name for the watchlist.
    • Description: Provide the purpose of the watchlist (optional).
    • In the Feed Score Criteria section, use the fields to enter the score criteria for the severity of IOCs to track.
    • On the Type drop-down menu, click Process or Binary.
    • Email Me: Select the checkbox to receive email notifications for matching hits.
    • Create Alert: Select the checkbox to send an alert when conditions matching the watchlist occur. Triggered alerts are reported in the Alert Dashboard page and the Triage Alerts page. For more information on alerts, see Console and Email Alerts.
    • Log to Syslog: Select the checkbox to log all hits syslog. Syslogs are written to /var/log/cb/notifications/. In this case, the log filenames have the format cb-notifications-<watchlist ID>.log.
  4. Click Save changes.