Modifying A Dynamic List; Deleting A Dynamic List; Removing Dynamic List Elements; Using A Dynamic List In A Correlation Rule - Novell SENTINEL 6.1 SP2 - 02-2010 User Manual

NOTE: To filter the available elements, select a filter type from the Quick Filter drop-down list
and specify the name of the element.

3.4.2 Modifying a Dynamic List

To edit a Dynamic List:
1 Click Correlation on the Menu Bar and select Dynamic Lists. Alternatively, you can click the
Dynamic Lists button on the Tool Bar.
2 Select a Dynamic List and click the View/Edit link.
3 The Dynamic List Properties window displays. Edit the options as required and click OK.

3.4.3 Deleting a Dynamic List

WARNING: Do not delete a Dynamic List that is part of a correlation rule or rules.
To delete a Dynamic List:
1 Click Correlation on the Menu Bar and select Dynamic Lists. Alternatively, you can click the
Dynamic Lists button on the Tool Bar.
2 Select a Dynamic List and click the Delete link next to it. A confirmation message displays.
3 Click Yes to delete.

3.4.4 Removing Dynamic List Elements

There are several ways an element can be removed from a Dynamic List:
A user can remove it manually.
The element can be removed by a correlation rule action.
The transient element's life span can expire.
If the maximum number of elements for a Dynamic List is reached, elements are removed from
the list to keep the list at or below the maximum list size. The transient elements are removed
(from oldest to newest) before any persistent elements are removed.

3.4.5 Using a Dynamic List in a Correlation Rule

Dynamic Lists can be referenced in a Correlation Rule by using the Custom/Freeform option of the
Correlation Rule Wizard. For example:
filter(e.<tagname> inlist <Dynamic List Name>)
where
e.<tagname> represents a metatag in the incoming event, such as e.shn (Source
Host Name) or e.dip (Destination IP address)
<Dynamic List Name> is the name of an existing Dynamic List, such as
CriticalServerList
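
The removal rules in 3.4.4 decide what an inlist filter from 3.4.5 can still match. The following Python model is an added illustration, not Sentinel code or part of the original manual; it shows how a list at its maximum size, or an expired transient element, makes the filter stop matching. The class and method names, the sample addresses, the measurement of life span from insertion, the refresh on re-adding, and oldest-first removal of persistent elements are assumptions.

```python
# Added illustration: a model of the documented Dynamic List behaviour (hypothetical names).
from collections import OrderedDict

class DynamicListModel:
    def __init__(self, max_size, transient_lifespan):
        self.max_size = max_size
        self.lifespan = transient_lifespan   # seconds; assumed to count from insertion
        self.items = OrderedDict()           # value -> (is_persistent, added_at), oldest first

    def add(self, value, now, persistent=False):
        self.items.pop(value, None)          # assumption: re-adding refreshes the entry
        self.items[value] = (persistent, now)
        self._enforce_max()

    def remove(self, value):
        """Manual removal, or removal by a correlation rule action."""
        self.items.pop(value, None)

    def expire(self, now):
        """Drop transient elements whose life span has run out."""
        for value, (persistent, added) in list(self.items.items()):
            if not persistent and now - added >= self.lifespan:
                del self.items[value]

    def _enforce_max(self):
        # Transient elements go first (oldest to newest), then persistent (order assumed).
        for want_persistent in (False, True):
            for value, (persistent, _) in list(self.items.items()):
                if len(self.items) <= self.max_size:
                    return
                if persistent == want_persistent:
                    del self.items[value]

    def inlist(self, value, now):
        """Model of filter(e.<tagname> inlist <Dynamic List Name>)."""
        self.expire(now)
        return value in self.items

def demo():
    # Constructed sample data: maximum size 3, transient life span 60 seconds.
    lst = DynamicListModel(max_size=3, transient_lifespan=60)
    lst.add("10.0.0.5", now=0, persistent=True)
    lst.add("10.0.0.6", now=1)
    lst.add("10.0.0.7", now=2)
    lst.add("10.0.0.8", now=3)   # over the maximum: oldest transient (10.0.0.6) is removed
    events = [{"dip": "10.0.0.5"}, {"dip": "10.0.0.6"}, {"dip": "10.0.0.7"}]
    at_10 = [lst.inlist(e["dip"], now=10) for e in events]
    at_70 = [lst.inlist(e["dip"], now=70) for e in events]   # transients have expired
    return at_10, at_70
```

When sizing a list that a rule depends on, mark entries that must always match as persistent and keep the maximum size above the expected number of entries.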
Sentinel 6.1 User Guide