Monitor Entities of Interest in Threat Center

Track and understand entities of interest at a glance with watchlists.

A watchlist is a list of entities of interest sorted from highest to lowest risk score. You use watchlists to carefully observe and stay informed about entities in your environment and as a starting point to investigate noteworthy entities. Watchlists are available only with a New-Scale Security Operations portfolio license. Threat Center Watchlist permissions determine what you're permitted to see and do with watchlists.

View all watchlists in the Threat Center Overview tab:

The Threat Center Overview tab.

Each watchlist displays up to 50 entities. Entities with the same risk score are sorted by highest to lowest number of associated alerts.

For an entity in a watchlist, you can view:

[Image: threatcenter-overview-watchlist-entity]

1. The highest case or alert risk score associated with the entity

2. The highest case or alert priority associated with the entity

3. The entity name

4. The number of open cases, closed cases, open alerts, and dismissed alerts associated with the entity

There are five pre-built watchlists. You can also create your own watchlist based on tags applied to entities in Attack Surface Insights. After you create a watchlist, you can also edit, reorder, and delete it.

To further investigate entities of interest, you can:

Adjust Watchlist Time Frame

Watchlists dynamically rank entities from highest to lowest risk score over a time frame you specify. The default is seven days. To view how a watchlist changes over time, adjust the time frame applied to it.

To specify a time frame, click the current applied time frame, then select a time frame: Last day, Last 2 days, Last 7 days, Last 14 days, Last 30 days, or Last 60 days.

Notable Users watchlist with open time frame menu.
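To make the ranking rule concrete (highest risk score first, ties broken by number of associated alerts, at most 50 entities, only detections inside the applied time frame), here is an added illustration in Python. It is not Exabeam's code; the Detection fields, the priority scale and the sample detections are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample schema: one record per case or alert tied to an entity.
# Field names are assumptions for illustration, not the product's data model.
@dataclass
class Detection:
    entity: str
    kind: str         # "case" or "alert"
    status: str       # "open", "closed" (cases) or "open", "dismissed" (alerts)
    risk_score: int
    priority: str     # "critical", "high", "medium", "low" (assumed scale)
    created: datetime

PRIORITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}
MAX_ENTITIES = 50  # a watchlist shows at most 50 entities

def build_watchlist(detections, now, days=7, limit=MAX_ENTITIES):
    """Rank entities the way a watchlist does: highest risk score first,
    equal scores ordered by number of associated alerts, over `days`."""
    start = now - timedelta(days=days)
    rows = {}
    for d in detections:
        if not (start <= d.created <= now):
            continue  # outside the time frame applied to the watchlist
        row = rows.setdefault(d.entity, {
            "entity": d.entity, "risk_score": 0, "priority": "low",
            "open_cases": 0, "closed_cases": 0, "open_alerts": 0, "dismissed_alerts": 0})
        row["risk_score"] = max(row["risk_score"], d.risk_score)       # callout 1
        if PRIORITY_RANK[d.priority] > PRIORITY_RANK[row["priority"]]:  # callout 2
            row["priority"] = d.priority
        counter = f"{d.status}_{d.kind}s"                               # callout 4
        if counter not in row:
            raise ValueError(f"invalid status/kind pair: {d.status}/{d.kind}")
        row[counter] += 1
    # Sort key: risk score, then total associated alerts; both descending.
    ranked = sorted(rows.values(),
                    key=lambda r: (r["risk_score"], r["open_alerts"] + r["dismissed_alerts"]),
                    reverse=True)
    return ranked[:limit]

# Constructed sample data: two entities tie at risk 90; one is older than 7 days.
NOW = datetime(2024, 5, 8, 12, 0)
SAMPLE = [
    Detection("svc-backup", "alert", "open", 90, "high", NOW - timedelta(days=1)),
    Detection("svc-backup", "case", "open", 75, "critical", NOW - timedelta(days=2)),
    Detection("jdoe", "alert", "open", 90, "medium", NOW - timedelta(days=3)),
    Detection("jdoe", "alert", "dismissed", 40, "low", NOW - timedelta(days=4)),
    Detection("jdoe", "case", "closed", 60, "high", NOW - timedelta(days=5)),
    Detection("old-host", "alert", "open", 99, "critical", NOW - timedelta(days=20)),
]
```

With the default seven-day frame, jdoe outranks svc-backup on the alert tie-break and old-host is excluded; widening the frame to 30 days puts old-host first.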

View Entity Details

To learn more about an entity in a watchlist, view entity details directly from the watchlist.

For an entity in the watchlist, click the entity name.

View Event Timeline

To understand all activity in which the entity was involved, navigate to a timeline of all events associated with the entity.

For an entity in the watchlist, click the event timeline icon (two circles connected by two curved lines with a right angle in the center). You're directed to the Search timeline view with a query entered for events with a risk score associated with the entity and created in the past 24 hours.

View Open Cases

If an entity is associated with a high number of open cases, it may indicate you should further investigate the entity.

View the number of open cases associated with an entity in the watchlist next to the open cases icon (a blue outline of an open folder).

To navigate to the open cases, click the open cases icon. You're directed to a list of open cases created in the same time frame applied to the watchlist whose detections are grouped by the entity.

View Closed Cases

If an entity is associated with a high number of closed cases, it may indicate you need to tune detection logic or continue closely monitoring the entity.

View the number of closed cases associated with an entity in the watchlist next to the closed cases icon (a blue outline of a folder with a diagonal line bisecting it through the center).

To navigate to the closed cases, click the closed cases icon. You're directed to a list of closed cases created in the same time frame applied to the watchlist whose detections are grouped by the entity.

View Open Alerts

If an entity is associated with a high number of open alerts, it may indicate you should further investigate the entity.

View the number of open alerts associated with an entity in the watchlist next to the open alerts icon (a blue outline of a triangle with a blue exclamation point in the center).

To navigate to the open alerts, click the open alerts icon. You're directed to a list of open alerts without an associated case, created in the same time frame applied to the watchlist, and whose detections are grouped by the entity.

View Dismissed Alerts

If an entity is associated with a high number of dismissed alerts, it may indicate you need to tune detection logic or continue closely monitoring the entity.

View the number of dismissed alerts associated with an entity in the watchlist next to the dismissed alerts icon (a blue outline of a triangle with a diagonal line bisecting it through the center).

To navigate to the dismissed alerts, click the dismissed alerts icon. You're directed to a list of dismissed alerts without an associated case, created in the same time frame applied to the watchlist, and whose detections are grouped by the entity.