Dynamic Lists - Novell SENTINEL 6.1 SP2 - 02-2010 User Manual


2 Select the Export option from the Action pane. The Description in the Description pane changes to Export.
3 Click Browse to export the rule. Specify a file name and click Export. Click Next. The Export Rule window displays.
4 Select the Correlation Rule you want to export. Click Finish.

3.4 Dynamic Lists

Dynamic Lists are distributed list structures that can be used to store string elements, such as IP
addresses, server names, or usernames. The lists are then used within a correlation rule for a quick
lookup to see whether an incoming event includes an element from the Dynamic List. Some
examples of Dynamic Lists include:
Terminated user lists
Suspicious user watchlist
Privileged user watchlist
Authorized ports and services list
Authorized server list
A Dynamic List can be built using the text values for any event metatag. Elements can be added to
the list manually (by an administrator) or automatically whenever a correlation rule fires. Elements
can be removed from a list manually (by an administrator), automatically whenever a correlation
rule fires, when their time limit expires, or when the maximum list size is reached.
IMPORTANT: The Time To Live (TTL) must be between 60 seconds and 90 days and the
maximum list size is 100,000.
Regardless of how the values were added, they can be Persistent (active until manually removed or
until the maximum list size is reached) or Transient (active only for a specified timeframe after
being added to the list, also known as the Time to Live). The Time to Live can range from 60
seconds to 90 days.
NOTE: If the Time to Live period is updated on an active Dynamic List, the change is not
retroactive to elements already on the list. Elements that were already added to the Dynamic List retain
their original Time to Live.
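The behaviour described above (per-element Time to Live, persistent versus transient elements, eviction at the maximum list size, and a TTL change that only affects later additions) can be modelled in a few dozen lines. The following is an added example written for this page, not Novell code and not the Sentinel API: the DynamicList class, the metatag names in the sample events, and the rule that adds a source IP to a watchlist when a terminated user appears are all assumptions made for illustration. The manual does not say which element is dropped when the list is full; the example drops the oldest.

```python
"""Toy model of a Sentinel-style Dynamic List (added example, not Novell code)."""
import time
from collections import OrderedDict
from typing import Optional

MIN_TTL_SECONDS = 60                 # lower TTL bound stated in the manual
MAX_TTL_SECONDS = 90 * 24 * 60 * 60  # 90 days, upper TTL bound stated in the manual
MAX_LIST_SIZE = 100_000              # maximum list size stated in the manual


def _check_ttl(ttl_seconds: int) -> None:
    if not MIN_TTL_SECONDS <= ttl_seconds <= MAX_TTL_SECONDS:
        raise ValueError("TTL must be between 60 seconds and 90 days")


class DynamicList:
    """Named list of string elements that correlation rules look up.

    Each element is persistent (no expiry) or transient (expires at the Time
    To Live recorded when it was added). Changing the list TTL afterwards
    leaves existing elements untouched, matching the manual's NOTE.
    """

    def __init__(self, name: str, ttl_seconds: int, max_size: int = MAX_LIST_SIZE):
        _check_ttl(ttl_seconds)
        self.name = name
        self.ttl_seconds = ttl_seconds
        self.max_size = max_size
        # element -> expiry timestamp (None means persistent); insertion order is kept
        self._elements: "OrderedDict[str, Optional[float]]" = OrderedDict()

    def set_ttl(self, ttl_seconds: int) -> None:
        """Change the TTL for future additions only; existing elements keep theirs."""
        _check_ttl(ttl_seconds)
        self.ttl_seconds = ttl_seconds

    def add(self, element: str, persistent: bool = False, now: Optional[float] = None) -> None:
        """Add an element (manually or because a rule fired), expiring stale ones first."""
        now = time.time() if now is None else now
        self._expire(now)
        if element in self._elements:
            del self._elements[element]  # assumption: re-adding refreshes the expiry
        # Assumption: when the list is full, the oldest element is dropped; the manual
        # only states that elements are removed when the maximum size is reached.
        while len(self._elements) >= self.max_size:
            self._elements.popitem(last=False)
        self._elements[element] = None if persistent else now + self.ttl_seconds

    def remove(self, element: str) -> bool:
        """Manual removal by an administrator; True if the element was present."""
        if element in self._elements:
            del self._elements[element]
            return True
        return False

    def contains(self, element: str, now: Optional[float] = None) -> bool:
        """Lookup used by a correlation rule; expired elements never match."""
        now = time.time() if now is None else now
        self._expire(now)
        return element in self._elements

    def _expire(self, now: float) -> None:
        expired = [e for e, exp in self._elements.items() if exp is not None and exp <= now]
        for e in expired:
            del self._elements[e]

    def __len__(self) -> int:
        return len(self._elements)


# Constructed sample events (not real Sentinel data); metatag names are illustrative.
SAMPLE_EVENTS = [
    {"EventID": 1, "InitUserName": "jdoe", "SourceIP": "10.0.0.5", "EventTime": 100.0},
    {"EventID": 2, "InitUserName": "asmith", "SourceIP": "10.0.0.9", "EventTime": 110.0},
    {"EventID": 3, "InitUserName": "jdoe", "SourceIP": "10.0.0.7", "EventTime": 4000.0},
]


def run_terminated_user_rule(events, terminated_users: DynamicList, suspicious_ips: DynamicList):
    """Hypothetical rule: fire when a terminated user appears in an event and, on
    firing, add the event's source IP to a transient watchlist. Returns fired IDs."""
    fired = []
    for ev in events:
        now = ev["EventTime"]
        if terminated_users.contains(ev["InitUserName"], now=now):
            fired.append(ev["EventID"])
            suspicious_ips.add(ev["SourceIP"], now=now)
    return fired


if __name__ == "__main__":
    terminated = DynamicList("Terminated users", ttl_seconds=3600)
    terminated.add("jdoe", persistent=True, now=0.0)       # added by an administrator
    suspicious = DynamicList("Suspicious IPs", ttl_seconds=600)
    print("fired for events:", run_terminated_user_rule(SAMPLE_EVENTS, terminated, suspicious))
    print("10.0.0.5 still on watchlist at t=4000:", suspicious.contains("10.0.0.5", now=4000.0))
```

Running the script shows the rule firing for both "jdoe" events, while the first watchlisted IP has already aged out by the time the third event arrives, which is the transient behaviour the manual describes.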
Sentinel 6.1 User Guide
