Exporting A Correlation Rule; Dynamic Lists - Novell SENTINEL RAPID DEPLOYMENT 6.1 - 12-2009 User Manual

IMPORTANT: If you import a correlation rule using the inlist operator, the dynamic list aligned to that rule must exist or you must create the dynamic list with the same name on the system to which it is imported.

4.3.13 Exporting a Correlation Rule

1 Open the Correlation Rule Manager window and click the Import/Export Correlation Rule icon. The Import Export Rule window displays.
2 Select the Export option from the Action pane. The description in the Description pane changes to Export.
3 Click Browse to export the rule. Specify a filename and click Export, then click Next. The Export Rule window displays.
4 Select the Correlation rule you want to export. Click Finish.

4.4 Dynamic Lists

Dynamic lists are distributed list structures that can be used to store string elements, such as IP addresses, server names, or usernames. The lists are then used within a Correlation rule for a quick lookup to see whether an incoming event includes an element from the dynamic list. Some examples of dynamic lists include:

Terminated user lists
Suspicious user watchlist
Privileged user watchlist
Authorized ports and services list
Authorized server list

A dynamic list can be built by using the text values for any event meta tag. Elements can be added to the list manually (by an administrator) or automatically whenever a Correlation rule fires. Elements can be removed from a list manually (by an administrator), automatically whenever a correlation rule fires, when their time limit expires, or when the maximum list size is reached.

IMPORTANT: The Time To Live (TTL) must be between 60 seconds and 90 days and the maximum list size is 100,000.
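The following is an added illustration of the dynamic list behaviour described above, not code from Sentinel or this guide: a watchlist model that enforces the stated TTL range and maximum size, drops expired elements on lookup, evicts the oldest element when the list is full, and performs the inlist check a correlation rule makes against an event meta tag value. Timestamps are passed in explicitly (seconds) so expiry can be exercised deterministically; the event dictionaries and the "Username" tag name are constructed for the example.

```python
from collections import OrderedDict

# Limits the manual states for a dynamic list: TTL of 60 seconds to 90 days, at most 100,000 elements.
MIN_TTL, MAX_TTL, MAX_LIST_SIZE = 60, 90 * 24 * 60 * 60, 100_000


class DynamicList:
    """Model of a dynamic list: string elements with a TTL, expired elements dropped on
    lookup, the oldest element evicted when the maximum list size is reached."""

    def __init__(self, name, max_size=MAX_LIST_SIZE):
        self.name, self.max_size = name, max_size
        self._entries = OrderedDict()  # element -> expiry time, kept in insertion order

    def _expire(self, now):
        for element, expiry in list(self._entries.items()):
            if expiry <= now:
                del self._entries[element]

    def add(self, element, ttl, now):
        """Add (or refresh) an element; rejects a TTL outside the allowed range."""
        if not MIN_TTL <= ttl <= MAX_TTL:
            raise ValueError(f"TTL {ttl}s must be between {MIN_TTL}s and {MAX_TTL}s")
        self._expire(now)
        self._entries.pop(element, None)       # re-adding moves it to the newest position
        if len(self._entries) >= self.max_size:
            self._entries.popitem(last=False)  # list full: drop the oldest element
        self._entries[element] = now + ttl

    def remove(self, element):
        self._entries.pop(element, None)

    def inlist(self, value, now):
        """The lookup a correlation rule's inlist operator performs on an event tag value."""
        self._expire(now)
        return value in self._entries

    def size(self, now):
        self._expire(now)
        return len(self._entries)


# Constructed sample events; "Username" is an illustrative tag name, not a Sentinel meta tag.
SAMPLE_EVENTS = [{"EventName": "Login", "Username": "jdoe"},
                 {"EventName": "Login", "Username": "asmith"},
                 {"EventName": "FileAccess", "Username": "jdoe"}]


def matching_events(events, tag, dynamic_list, now):
    """Events whose value for `tag` is on the list, i.e. the ones a rule using inlist fires on."""
    return [e for e in events if dynamic_list.inlist(e.get(tag), now)]
```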
