Watchlists are saved searches that run periodically against the process or binary data in Carbon Black EDR. Watchlists are visible to all users.
Watchlists are named process or binary searches that the server runs periodically (approximately every 10 minutes) without user action. When those saved searches produce new results, the server notifies users about them in a configurable way.
First responders can use the Watchlists page to quickly see items that are potentially interesting. For example, the Newly Executed Applications watchlist gives you rapid access to a list of the latest applications that were executed. If known recent issues occur with any new applications, you can quickly scan the results of that watchlist to find potential problems.
For watchlists that are based on threat intelligence feeds, you can factor scoring into a saved search. These watchlists tag a process or binary that is found on one of your endpoints when the score from a specified feed matches a specified score or falls within a specified score range. The score is the rating that is used to calculate the severity that is assigned to IOCs from a feed.
The severity calculation for alerts uses the following inputs:
- Feed rating
- Report score
- Confidence
- Criticality
For watchlist alerts, the first three values are constants; only the criticality varies, based on the sensor group (which defaults to 3):
- Feed rating = 3
- Report score = 75
- Confidence = 0.5
Using the default values, the severity is always 51.
The listed report score is not the score of the report that triggered the alert; instead, it is the score of the watchlist. The details for a watchlist alert on the Watchlists page show the watchlist report score, not the report's own score. For example, if criticality is set to 5, the calculated severity is 61. If you run a query requesting IOCs that have a watchlist score over 80, the generated report shows all IOCs that have a severity over 61, even though the watchlist query specified scores of 80 and above.
Additional information about enabling and using watchlists in specific contexts is available on the following pages: