- Get Started with Threat Center
- Threat Center
- Threat Center Permissions
- Threat Center Alerts: Read
- Threat Center Alerts: Read, Write, and Delete
- Threat Center Cases: Read
- Threat Center Cases: Read, Write, and Delete
- Threat Center Detection Grouping Rules: Read
- Threat Center Detection Grouping Rules: Read, Write, and Delete
- Threat Center Watchlist: Read
- Threat Center Watchlist: Read, Write, and Delete
- Threat Center Cases
- Threat Center Alerts
- Threat Center Detections
- Threat Center Risk Score
- Configure Threat Center
- Monitor Entities of Interest in Threat Center
- Work on Cases
- Work on Alerts
- Edit and Collaborate in Threat Center
- Use Automation Tools in Threat Center
- Find Cases and Alerts
- View Case and Alert Metrics
- Get Notified About Threat Center
- Threat Center APIs
Monitor Entities of Interest in Threat Center
Track and understand entities of interest at a glance with watchlists.
A watchlist is a list of entities of interest sorted from highest to lowest risk score. You use watchlists to carefully observe and stay informed about entities in your environment and as a starting point to investigate noteworthy entities. Watchlists are available only with a New-Scale Security Operations portfolio license. Threat Center Watchlist permissions determine what you're permitted to see and do with watchlists.
View all watchlists in the Threat Center Overview tab:
![]() |
Each watchlist displays up to 50 entities. Entities with the same risk score are sorted by highest to lowest number of associated alerts.
For an entity in a watchlist, you can view:
![]() |
1 The highest case or alert risk score associated with the entity
2 The highest case or alert priority associated with the entity
3 The entity name
4 The number of open cases, closed cases, open alerts, and dismissed alerts associated with the entity
There are five pre-built watchlists. You can also create your own watchlist based on tags applied to entities in Attack Surface Insights. After you create a watchlist, you can also edit, reorder, and delete it.
To further investigate entities of interest, you can:
Adjust Watchlist Time Frame
Watchlists dynamically ranks entities from highest to lowest risk score over a time frame you specify. The default is seven days. To view how a watchlist changes over time, you can adjust the time frame applied to a watchlist.
To specify a time frame, click the current applied time frame, then select a time frame: Last day, Last 2 days, Last 7 days, Last 14 days, Last 30 days, or Last 60 days.
![]() |
View Entity Details
To learn more about an entity in a watchlist, view entity details directly from the watchlist.
For an entity in the watchlist, click the entity name.
View Event Timeline
To understand all activity in which the entity was involved, navigate to a timeline of all events associated with the entity.
For an entity in the watchlist, click
. You're directed to the Search timeline view with a query entered for events with a risk score associated with the entity and created in the past 24 hours.
View Open Cases
If an entity is associated with a high number of open cases, it may indicate you should further investigate the entity.
View the number of open cases associated with an entity in the watchlist next to
.
To navigate to the open cases, click
. You're directed to a list of open cases created in the same time frame applied to the watchlist whose detections are grouped by the entity.
View Closed Cases
If an entity is associated with a high number of closed cases, it may indicate you need to tune detection logic or continue closely monitoring the entity.
View the number of closed cases associated with an entity in the watchlist next to
.
To navigate to the closed cases, click
. You're directed to a list of closed cases created in the same time frame applied to the watchlist whose detections are grouped by the entity.
View Open Alerts
If an entity is associated with a high number of open alerts, it may indicate you should further investigate the entity.
View the number of open alerts associated with an entity in the watchlist next to
.
To navigate to the open alerts, click
. You're directed to a list of open alerts without an associated case, created in the same time frame applied to the watchlist, and whose detections are grouped by the entity.
View Dismissed Alerts
If an entity is associated with a high number of dismissed alerts, it may indicate you need to tune detection logic or continue closely monitoring the entity.
View the number of dismissed alerts associated with an entity in the watchlist next to
.
To navigate to the dismissed alerts, click
. You're directed to a list of dismissed alerts without an associated cases, created in the same time frame applied to the watchlist, and whose detections are grouped by the entity.


