Nov 22, 2013 1:31 PM by kcole

    Dynamic Watchlist


      I am looking for a way to have ESM create a dynamic watchlist based upon traffic seen from a given data source.

      Scenario one would be, for a given data source (Web server logs) grab the source IP and add it to a watchlist.

      Scenario two would ref the watchlist created in step one, and if a new source IP is seen (not already in watchlist) then fire an alarm.

      Watchlists in Nitro seem to be geared towards static entry, i.e. look for what I tell you to look for vs. adding to a list that I can then do other things with.

          You can do this today.


          Depending on what you are looking for, you might want to create a correlation rule that results in an alarm or you can just start with an alarm. Either way, you can create an alarm that looks for certain conditions to be met (like a source IP is contained (or not contained) in the specific watchlist). Then you can set an action that will append the appropriate watchlist with the appropriate value.
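The two scenarios from the question, and the "alarm on not-in-watchlist, then append" pattern from the reply, reduce to a first-seen check over a persistent set. The following is an added illustration, not code from this thread and not part of McAfee ESM; it simulates the watchlist and the alarm action outside ESM in plain Python, over constructed web-server log lines. The log format, the `DynamicWatchlist` class and the `learn` flag are assumptions made for the example. The `learn` flag covers the practical caveat that an alarm on "source IP not in watchlist" fires for every IP the first time it is seen, so the list is normally populated silently for a while before alerting is turned on.

```python
import re

# Constructed sample web-server log lines (Apache combined-style prefix).
# Addresses are from documentation ranges; nothing here is real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [22/Nov/2013:13:00:01 -0500] "GET /index.html HTTP/1.1" 200 512
203.0.113.10 - - [22/Nov/2013:13:00:05 -0500] "GET /about.html HTTP/1.1" 200 1024
198.51.100.7 - - [22/Nov/2013:13:01:10 -0500] "POST /login HTTP/1.1" 302 0
this line is deliberately unparseable and must be skipped
203.0.113.10 - - [22/Nov/2013:13:02:00 -0500] "GET /index.html HTTP/1.1" 200 512
192.0.2.44 - - [22/Nov/2013:13:03:30 -0500] "GET /admin HTTP/1.1" 403 128
"""

# Source IP, timestamp, request line and status from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<src>\d{1,3}(?:\.\d{1,3}){3}) \S+ \S+ '
    r'\[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict of fields for a well-formed line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


class DynamicWatchlist:
    """Toy stand-in (assumed, not an ESM API) for a watchlist that an alarm
    action appends to. Keeps the first-seen timestamp with each value so the
    list is useful for later investigation, not just membership tests."""

    def __init__(self, name):
        self.name = name
        self.entries = {}  # value -> timestamp string of first sighting

    def contains(self, value):
        return value in self.entries

    def append(self, value, ts):
        # Append only once; re-appending would clobber the first-seen time.
        self.entries.setdefault(value, ts)


def process_events(log_text, watchlist, learn=False):
    """Run the alarm logic over log text.

    Scenario one (learn=True): add every source IP to the watchlist, no alarms.
    Scenario two (learn=False): alarm when a source IP is not already listed,
    then append it, so the same IP alarms only once.
    Returns the list of alarms raised.
    """
    alarms = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue  # skip noise rather than letting one bad line stop the run
        src = ev["src"]
        if not watchlist.contains(src):
            if not learn:
                alarms.append({"src": src, "first_seen": ev["ts"], "request": ev["req"]})
            watchlist.append(src, ev["ts"])
    return alarms


def demo():
    """Populate silently first, then alert; returns (learn_alarms, live_alarms, watchlist)."""
    wl = DynamicWatchlist("web_seen_sources")
    learn_alarms = process_events(SAMPLE_LOG, wl, learn=True)
    live_alarms = process_events(SAMPLE_LOG, wl)  # nothing new, so no alarms
    return learn_alarms, live_alarms, wl


if __name__ == "__main__":
    fresh = DynamicWatchlist("web_seen_sources")
    for a in process_events(SAMPLE_LOG, fresh):
        print(f"ALARM new source {a['src']} at {a['first_seen']}: {a['request']}")
    print("watchlist now holds", sorted(fresh.entries))
```

Running it against a fresh watchlist raises one alarm per distinct source IP (three here, with the repeated 203.0.113.10 alarming only on its first line); running a learning pass first and then the live pass over the same data raises none, which is the behaviour a deployment wants after its population period.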