Publish observables to a third-party watchlist

  • Release version: Australia
  • Updated March 12, 2026
  • 1 minute to read

    • You can publish one or more observables or associated indicators to a third-party watchlist. Currently, the only implementation that supports this functionality is CrowdStrike Falcon Host.

    Before you begin

    Role required: sn_si.analyst

    About this task

    Note:
    If no implementations are available, capability actions are not displayed in product menus.

    Procedure

    1. Navigate to a security incident.
    2. Select Observables from the Related List tab.
    3. Select Publish to Watchlist in the Actions on selected rows... drop-down menu.
      The Publish to Watchlist dialog box appears.
    4. Enter or choose the implementation.
      Note:
      A workflow is triggered by the Security Operations Integration- Publish to Watchlist capability when you select the CrowdStrike Falcon Host implementation.
    5. Select Submit.