Publish to Watchlist activity
The Publish to Watchlist workflow activity pushes observables in a security incident into a watchlist to generate alerts or events. The alerts and events are displayed in the CrowdStrike Falcon Host system according to how it is configured.
The Publish to Watchlist activity can be used with any workflow to publish observables to a watchlist.
Results
Possible results for this activity are:
| Result | Description |
|---|---|
| Success | Configuration succeeded. |
| Failure | An error occurred while attempting to verify the configuration. More error information is available in the activity output error. |
Input variables
Input variables determine the initial behavior of the activity.
| Variable | Description |
|---|---|
| observables | The list of observables from Security Incident Response. |
| user_name | The user name of the individual responsible for the CrowdStrike Falcon Host integration. |
| password | The password of the individual responsible for the CrowdStrike Falcon Host integration. |
| task_sys_id | The system identifier for this publish to watchlist job. |
| capabilityExecutionId | The name of the associated capability. |
Output variables
The output variables contain data that can be used in subsequent activities.
| Variable | Description |
|---|---|
| status | The status of the publish activity. |