Monitor Entities of Interest in Threat Center
Track and understand entities of interest at a glance with watchlists.
A watchlist is a list of entities of interest sorted from highest to lowest risk score. You use watchlists to carefully observe and stay informed about entities in your environment and as a starting point to investigate noteworthy entities. Watchlists are available only with a New-Scale Security Operations portfolio license.
View all watchlists in the Threat Center Overview tab.

Each watchlist displays up to 50 entities. Entities with the same risk score are sorted by highest to lowest number of associated alerts.
For an entity in a watchlist, you can view:
1. The highest case or alert risk score associated with the entity
2. The highest case or alert priority associated with the entity
3. The entity name
4. The number of cases associated with the entity
There are five pre-built watchlists. You can also create your own watchlist based on tags applied to entities in Attack Surface Insights. After you create a watchlist, you can also edit and delete it.
To further investigate entities of interest, you can:
Adjust Watchlist Time Frame
Watchlists dynamically rank entities from highest to lowest risk score over a time frame you specify. The default is seven days. To view how a watchlist changes over time, you can adjust the time frame applied to a watchlist.
To specify a time frame, click the current applied time frame, then select a time frame: Last day, Last 2 days, Last 7 days, Last 14 days, Last 30 days, or Last 60 days.
View Entity Details
To learn more about an entity in a watchlist, view entity attributes directly from the watchlist.
For an entity in the watchlist, click the More menu, then select Details.
View Event Timeline
To understand all activity in which the entity was involved, navigate to a timeline of all events associated with the entity.
For an entity in the watchlist, click the More menu, then select Timeline. You're directed to the Search timeline view with a query entered for events with a risk score associated with the entity and created in the past 24 hours.
View Associated Cases
If an entity is associated with a high number of cases, it may indicate you should further investigate the entity.
To view cases associated with an entity in the watchlist, you can either:
- Click <#> for the entity.
- For an entity, click the More menu, then select <#> Associated cases.
You're directed to a list of cases created in the same time frame applied to the watchlist whose detections are grouped by the entity.
View Associated Alerts
If an entity is associated with a high number of alerts, it may indicate you should further investigate the entity.
To view alerts associated with an entity in the watchlist, click the More menu for the entity, then select <#> Associated alerts. You're directed to a list of alerts without an associated case, created in the same time frame applied to the watchlist, and whose detections are grouped by the entity.