Perform the following procedure to create a watchlist on the Process Search or Binary Search page in the Carbon Black EDR console.


  1. On the navigation bar, select either Process Search or Binary Search.
  2. Enter the query for the processes or binaries from which to create a watchlist. The syntax should match a search box query in the Process or Binary Search page.
    Caution: Use of leading wildcards is discouraged because of performance issues.

    You cannot edit several aspects of a watchlist search query, so examine the results carefully before proceeding. For more information on editing queries, see Edit a Watchlist.

    For more information on performing searches, see:

    If you are using multiple MD5 or SHA-256 hash values for search criteria to create a watchlist, you must enclose the values in parentheses ().

    For example:

    (md5:45cc061d9581e52f008e90e81da2cfd9 md5:829e4805b0e12b383ee09abdc9e2dc3c md5:ac9fa2ba34225342a8897930503ae12f md5:5f7eaaf5d10e2a715d5e305ac992b2a7)

    If you do not enclose the list in parentheses, the only value that is tagged for the watchlist is the last value in the list.

  3. On the Process Search page, click Create Watchlist or, on the Binary Search page, click Create Watchlist from the Action menu.
    • Watchlist Name: Enter a meaningful name for the watchlist.
    • Description: Provide the purpose of the watchlist (optional).
    • Query: The query that is currently open, if any.
    • Query Existing Data: Define the time period for which existing data is queried on the first run of the watchlist. The longer the timeframe that is selected, the longer it will take the query to run directly after this watchlist is created. A longer time can also stress other product services, such as process search, while the watchlist is running. After the watchlist has run one time, it will run on new data in 10 minute intervals thereafter.
    • Email Me: Select the checkbox to receive email notifications for matching hits.
    • Create Alert: Select the checkbox to send an alert when conditions matching the watchlist occur. Triggered alerts are reported in the Alert Dashboard page and the Triage Alerts page. For more information on alerts, see Console and Email Alerts.
    • Log to Syslog: Select the checkbox to log all hits syslog. Syslogs are written to /var/log/cb/notifications/ . In this case, the log filenames have the format cb-notifications-<watchlist ID>.log.
    • Watchlist Type: Identify the type as Process or Binary.
  4. Click Create.