This topic describes the Watchlists page in the Carbon Black EDR console.

  • On the navigation bar, click Watchlists.

On the Watchlists page, names of existing watchlists appear in a table on the left. Details and results for one watchlist (by default, the first one in the table) appear on the right. You can display the details and results of a different watchlist by clicking its name.

The watchlist page

The left panel on the Watchlists page shows all available watchlists, their status and type, the number of hits, and either the time of their last run or another status message if they have not run recently. There are two tools for filtering these watchlists:

  • At the top of the Watchlists page, use the Search box to search for watchlists by name.
  • Immediately above the table of watchlists on the left, filter and sort controls determine what the table shows. In the Show field, you can choose to show all watchlists, process watchlists only, binary watchlists only, or enabled watchlists only. In the Sort by field, you can sort by name, by the time the watchlist was created, by duration (how long the query took to run), or by when each watchlist was most recently triggered. See Managing Watchlists for how you can use these features to manage watchlists effectively.

Watchlist Details Panel

The Watchlist Details panel on the right shows details for the currently selected watchlist. It includes the following information:

  • Name and Description (if provided) of the watchlist.

  • If the most recent execution was successful, its time and duration. For unsuccessful executions, this line shows either timeout or error information. Watchlists are typically scheduled to run every 10 minutes; if a previous run of the same watchlist is still in progress, the next run is delayed and retried periodically (every 10 minutes).

  • Query used to match events to the watchlist.

  • The On Hit settings determine how (or if) you are notified when an event matches the query.

  • A graph that shows the number of hits on this watchlist over time.

  • Table of results showing details for each hit.

Note: For each watchlist that is run, the number of matching events that are tagged is limited to 100, even if more events actually match the watchlist. This limit prevents performance issues and eliminates the potential for excessive numbers of notification emails that are unlikely to add useful information.

Click the Search link to show query results in the context of the Process Search page or the Binary Search page.

The Watchlist Details panel also provides buttons in the top right to disable or delete the watchlist. When you click the Disable button, the watchlist is disabled and no longer runs. New results that match the search query do not result in any notification or record that they triggered a hit for the watchlist.

When you click the Delete button and confirm the deletion, the watchlist is permanently removed.