Perform the following procedure to create a watchlist on the Watchlists page in the Carbon Black EDR console.

Procedure

  1. On the navigation bar, click Watchlists.
  2. Click the Create Watchlist button.
    The create watchlist button
    • Watchlist Name: Enter a meaningful name for the watchlist.
    • Description: Provide the purpose of the watchlist (optional).
    • Query: The query that is currently open, if any.
    • Query Existing Data: Define the time period for which existing data is queried on the first run of the watchlist. The longer the timeframe that is selected, the longer it will take the query to run directly after this watchlist is created. A longer time can also stress other product services, such as process search, while the watchlist is running. After the watchlist has run one time, it will run on new data in 10 minute intervals thereafter.
    • Email Me: Select the checkbox to receive email notifications for matching hits.
    • Create Alert: Select the checkbox to send an alert when conditions matching the watchlist occur. Triggered alerts are reported in the Alert Dashboard page and the Triage Alerts page. For more information on alerts, see Console and Email Alerts.
    • Log to Syslog: Select the checkbox to log all hits syslog. Syslogs are written to /var/log/cb/notifications/. In this case, the log filenames have the format cb-notifications-<watchlist ID>.log.
    • Watchlist Type: Identify the type as Process or Binary.
  3. Click Create.