Our company just got the SIEM system installed a few weeks ago, so it's new to everyone here. I have been flying blind pretty much from day one, along with the network admins. I have one question. We found a system that had Adware-Bettersurf (it came through our ePO, which we added in SIEM) and it was easy to understand, navigate, etc. I saw something called a watchlist, so I added the Adware-Bettersurf. When I check the main watchlist page under System Information in SIEM, I see the Name, Type and State.
Now my question. Does the watchlist only watch for this certain type of Adware I added? Will it ever show again in the ePO?
I'm not aware of any specific documents that talk about using watchlists in ESM. It's one of those features that we take for granted. Here is what the product guide has to say on watchlists for starters:
A watchlist is a grouping of a specific type of information that can be used as a filter or as an alarm condition. It can be global or specific to a user or group and can be static or dynamic.
A watchlist can include a maximum of 1,000,000 values.
You can set up the values on a watchlist to expire. Each value is time stamped and expires when the duration you specify is reached, unless it refreshes. Values refresh if an alarm triggers and adds them to the watchlist. You can refresh the values set to expire by appending them to the list using the Append to watchlist option on the menu of a view component.
Watchlists, by themselves, are simply lists, and don't do anything. However, they can be leveraged in many different use cases to accomplish very interesting things. For example:
Watchlists are key to many advanced use cases in ESM. These are just a few ideas. Hopefully this gives you a few ideas of your own.
From your response I understand that a watchlist can have a maximum of up to 1,000,000 values.
Is there any limit on how many watchlists we can create, i.e. 50, 75, 100...?