You can edit a watchlist in the Watchlist Details panel of the Watchlists page in the Carbon Black EDR console.
For most watchlist changes, the underlying ID that uniquely identifies the watchlist remains the same. However, if you edit the watchlist search query, it effectively becomes a new watchlist.
Procedure
- On the navigation bar, click Watchlists.
- In the left panel, select the watchlist to edit. Its details appear in the right panel.
- You can edit the following attributes of the watchlist:
  - To change the name of the watchlist, click the pencil icon next to the name at the top of the page.
  - To edit the watchlist query, click the pencil icon for the Query box. In the Edit Watchlist Query dialog, modify the query and then click Save Changes.
    Note: Saving a modified watchlist query overwrites the watchlist ID even if the watchlist name is the same. Therefore, any references to the older version of the watchlist, such as in alerts or through the API, are no longer connected.
  - To disable the watchlist, click Disable. To enable it, click Enable.
  - To receive email notifications when there are hits that match your search, select Email Me. Deselect the checkbox to stop receiving email notifications.
  - To send an alert when conditions matching the watchlist occur, select Create Alert. Deselect the checkbox to stop sending alerts.
  - To log all hits that match the search to syslog, select Log to Syslog. Syslogs are written to /var/log/cb/notifications/. In this case, the log filenames have the form cb-notifications-<watchlist ID>.log.
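As an added example (not part of the Carbon Black documentation), the following script uses the cb-notifications-<watchlist ID>.log naming convention to spot notification logs whose watchlist ID no longer exists in the console, which is what a query edit leaves behind once the ID is reissued. The file names and the set of active IDs are constructed sample data, and the script assumes the directory listing is handed in as a list of names.

```python
import re

# Constructed sample input: names of files under /var/log/cb/notifications/
# (the directory named on the page; these file names are made up).
SAMPLE_LOG_FILES = [
    "cb-notifications-12.log",
    "cb-notifications-47.log",
    "cb-notifications-47.log.1",  # rotated copy of the same watchlist log
    "cb-notifications-103.log",
    "cb.log",                     # unrelated file, ignored
]

# Constructed sample input: IDs of the watchlists that still exist in the
# console, e.g. after watchlist 47 had its query edited and came back as 103.
ACTIVE_WATCHLIST_IDS = {"12", "103"}

# cb-notifications-<watchlist ID>.log, optionally followed by a rotation suffix.
LOG_NAME = re.compile(r"^cb-notifications-(?P<wid>.+?)\.log(?:\.\d+)?$")


def watchlist_ids_from_logs(filenames):
    """Group notification log files by the watchlist ID embedded in the name."""
    by_id = {}
    for name in filenames:
        match = LOG_NAME.match(name)
        if match:
            by_id.setdefault(match.group("wid"), []).append(name)
    return {wid: sorted(files) for wid, files in by_id.items()}


def stale_watchlist_logs(filenames, active_ids):
    """Return {watchlist ID: [log files]} for IDs that no watchlist has anymore.

    A log for an ID missing from the console is the trace of a watchlist whose
    query was edited (new ID) or that was deleted; anything keyed on the old ID,
    such as an API integration or a SIEM parser, needs to be repointed.
    """
    active = set(active_ids)
    return {wid: files
            for wid, files in watchlist_ids_from_logs(filenames).items()
            if wid not in active}


if __name__ == "__main__":
    stale = stale_watchlist_logs(SAMPLE_LOG_FILES, ACTIVE_WATCHLIST_IDS)
    for wid, files in stale.items():
        print(f"watchlist {wid} no longer exists; stale logs: {', '.join(files)}")
```

Running it against the real directory means replacing SAMPLE_LOG_FILES with an os.listdir() of /var/log/cb/notifications/ and ACTIVE_WATCHLIST_IDS with the IDs currently shown in the console.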