1 Reply Latest reply on Feb 14, 2013 10:02 AM by Scott Taschler

    Applying/Viewing a Watchlist

      I am very new to the SIEM and all SIEMs in general, so please forgive me up front.

       

      I would like to know how to view or apply a watchlist that I created in the dashboard. For some this may be easy, but it is not as intuitive for me. I created the Project Blitzkrieg watchlist as outlined in this blog post:

      https://community.mcafee.com/community/business/siem/blog/2012/12/14/seeking-project-blitzkrieg

       

      However, I cannot figure out a way to actually view the results of that watchlist. I would ultimately like to set up alarms off this watchlist, but I have not even gotten as far as viewing the data first. I may not be asking the question in the correct way, but any guidance would be appreciated.

       

      Thanks!

        • 1. Re: Applying/Viewing a Watchlist
          Scott Taschler

          On the right side of the ESM UI there is a pane called the Filter Panel.  This panel allows you to enter criteria that will filter your view.  For example, if you only wanted to see events from a single IP address, you'd enter that IP in the Source IP filter field, and refresh the view. 

           

          In order to apply a watchlist as a filter (as I discuss in the blog post you've referenced) you'll need to click on the funnel icon next to the field you'd like to filter on.  A tabbed dialog will appear, with one tab labeled "Watchlist".  If you select this tab, you'll get a list of all the appropriate watchlists you have defined, and you can select one or more of them to use as a filter.

           

          Hope this helps. Good luck!