
What does the "Watchlists" actually do???

Hello all,

Our company just got the SIEM system installed a few weeks ago, so it's new to everyone here. I have been flying blind pretty much from day one, along with the network admins. I have 1 question. We found a system that had Adware-Bettersurf (it came through our ePO, which we added in SIEM); it was easy to understand, navigate, etc. I saw something called a watchlist, so I added the Adware-Bettersurf. When I check the main watchlist page under System Information in SIEM, I see the Name, Type and State.

Now my question. Does the watchlist only watch for this certain type of Adware I added? Will it ever show again in the ePO?

4 Replies

Re: What does the "Watchlists" actually do???

Until you reference a Watchlist in a filter they do nothing.



Re: What does the "Watchlists" actually do???

Any PDFs on how to do that, or links?

Thanks for your reply buddy


Re: What does the "Watchlists" actually do???

I'm not aware of any specific documents that talk about using watchlists in ESM.  It's one of those features that we take for granted.  Here is what the product guide has to say on watchlists for starters:


A watchlist is a grouping of a specific type of information that can be used as a filter or as an alarm condition. It can be global or specific to a user or group and can be static or dynamic.

  • A static watchlist consists of specific values you enter or import;
  • a dynamic watchlist consists of values that result from a regular expression or string search criteria that you define.

A watchlist can include a maximum of 1,000,000 values.

You can set up the values on a watchlist to expire. Each value is time stamped and expires when the duration you specify is reached, unless it refreshes. Values refresh if an alarm triggers and adds them to the watchlist. You can refresh the values set to expire by appending them to the list using the Append to watchlist option on the menu of a view component.


Watchlists, by themselves, are simply lists, and don't do anything.  However, they can be leveraged in many different use cases to accomplish very interesting things.  For example:

  • A watchlist can be used as a filter for a view or report.  When you select a filter, you will see a tab labeled "Watchlist".  If you select this tab, you will see the watchlists you have defined that are relevant to the data element you're filtering.  For example, if you are filtering a source IP address, you will see the "IP Address" watchlists.

  • A watchlist can be used as a trigger for an alarm.  When properly configured, your alarm will trigger any time the ESM receives an event with a data field that matches the watchlist you've selected.  For example, you might create a list of critical user names, and then set an alarm to fire any time an event occurs for one of these users.
  • A watchlist can be used as a component in a correlation rule.  This gives you a great deal of flexibility in identifying specific conditions a rule triggers, or does not trigger.  As an example, you might have a watchlist that keeps track of your Vulnerability Scanner IP addresses.  You might have a correlation rule that identifies systems that are scanning your network, but incorporate exceptions into the rule by including a condition that ignores scans coming from IPs that are on the watchlist.

Watchlists are key to many advanced use cases in ESM.  These are just a few ideas.  Hopefully this gives you a few ideas of your own.
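
The alarm, correlation-exception and expiry behaviours described in the reply above, as a small conceptual model. This is an added example, not part of the original thread and not McAfee ESM code: the `Watchlist` class, both functions and the sample events are hypothetical and constructed for illustration.

```python
class Watchlist:
    """Conceptual model of a static watchlist; not the ESM implementation."""

    def __init__(self, values=(), ttl=None):
        self.ttl = ttl                           # seconds; None = never expire
        self._stamp = {v: 0 for v in values}     # value -> time last added

    def append(self, value, now):
        # Appending a value that is already listed re-stamps (refreshes) it.
        self._stamp[value] = now

    def contains(self, value, now):
        added = self._stamp.get(value)
        if added is None:
            return False
        return self.ttl is None or now - added < self.ttl


def alarm_hits(events, field, watchlist):
    """Alarm condition: every event whose `field` value is on the watchlist."""
    return [e for e in events if watchlist.contains(e[field], e["ts"])]


def scanning_sources(events, exceptions, min_targets=3):
    """Correlation rule: sources touching >= min_targets hosts, skipping
    any source IP that is on the exceptions watchlist."""
    targets = {}
    for e in events:
        if exceptions.contains(e["src_ip"], e["ts"]):
            continue
        targets.setdefault(e["src_ip"], set()).add(e["dst_ip"])
    return sorted(ip for ip, dsts in targets.items() if len(dsts) >= min_targets)


# Constructed sample events (timestamps in seconds, made-up hosts and users).
EVENTS = [
    {"ts": 10, "src_ip": "10.0.0.5", "dst_ip": "10.0.1.1", "user": "svc_scan"},
    {"ts": 11, "src_ip": "10.0.0.5", "dst_ip": "10.0.1.2", "user": "svc_scan"},
    {"ts": 12, "src_ip": "10.0.0.5", "dst_ip": "10.0.1.3", "user": "svc_scan"},
    {"ts": 20, "src_ip": "10.0.9.9", "dst_ip": "10.0.1.1", "user": "jdoe"},
    {"ts": 21, "src_ip": "10.0.9.9", "dst_ip": "10.0.1.2", "user": "jdoe"},
    {"ts": 22, "src_ip": "10.0.9.9", "dst_ip": "10.0.1.3", "user": "jdoe"},
    {"ts": 30, "src_ip": "10.0.2.2", "dst_ip": "10.0.1.1", "user": "dbadmin"},
]

SCANNERS = Watchlist(["10.0.0.5"])               # vulnerability scanner IPs
CRITICAL_USERS = Watchlist(["dbadmin"])          # critical user names

if __name__ == "__main__":
    print(scanning_sources(EVENTS, SCANNERS))
    print(alarm_hits(EVENTS, "user", CRITICAL_USERS))
```

With the scanner IP on the exceptions list, only the unlisted source is reported as scanning; with an empty list, both sources would be.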



Re: What does the "Watchlists" actually do???

Hi Scott,

From your response I understand that a watch-list can have a maximum of up to 1,000,000 values.

Is there any limit on how many watch-lists we can create, i.e. 50, 75, 100...?
