3 Replies Latest reply on Feb 1, 2014 4:59 PM by Scott Taschler

    What does the "Watchlists" actually do???

    john.nolan

      Hello all,

       

      Our company just got the SIEM system installed a few weeks ago, so it's new to everyone here. I have been flying blind pretty much from day one along with the network admins. I have 1 question. We found a system that had Adware-Bettersurf (it came through our ePO, which we added to the SIEM); that was easy to understand, navigate, etc. I saw something called a watchlist, so I added the Adware-Bettersurf. When I check the main watchlist page under System Information in the SIEM I see the Name, Type and State.

       

      Now my question. Does the watchlist only watch for this certain type of Adware I added? Will it ever show again in the ePO?

        • 1. Re: What does the "Watchlists" actually do???
          acommons

          Until you reference a Watchlist in a filter they do nothing.

           

          cheers,

          Andrew

          • 2. Re: What does the "Watchlists" actually do???
            john.nolan

            Any PDFs on how to do that, or links?

             

             

            Thanks for your reply buddy

            • 3. Re: What does the "Watchlists" actually do???
              Scott Taschler

              I'm not aware of any specific documents that talk about using watchlists in ESM.  It's one of those features that we take for granted.  Here is what the product guide has to say on watchlists for starters:

               

              =======

              A watchlist is a grouping of a specific type of information that can be used as a filter or as an alarm condition. It can be global or specific to a user or group and can be static or dynamic.

              • A static watchlist consists of specific values you enter or import;
              • a dynamic watchlist consists of values that result from a regular expression or string search criteria that you define.

               

              A watchlist can include a maximum of 1,000,000 values.

               

              You can set up the values on a watchlist to expire. Each value is time stamped and expires when the duration you specify is reached, unless it refreshes. Values refresh if an alarm triggers and adds them to the watchlist. You can refresh the values set to expire by appending them to the list using the Append to watchlist option on the menu of a view component.

              =========

               

              Watchlists, by themselves, are simply lists, and don't do anything.  However, they can be leveraged in many different use cases to accomplish very interesting things.  For example:

               

              • A watchlist can be used as a filter for a view or report.  When you select a filter, you will see a tab labeled "Watchlist".  If you select this tab, you will see the watchlists you have defined that are relevant to the data element you're filtering.  For example, if you are filtering a source IP address, you will see the "IP Address" watchlists.

               

              • A watchlist can be used as a trigger for an alarm.  When properly configured, your alarm will trigger any time the ESM receives an event with a data field that matches the watchlist you've selected.  For example, you might create a list of critical user names, and then set an alarm to fire any time an event occurs for one of these users.
              • A watchlist can be used as a component in a correlation rule.  This gives you a great deal of flexibility in identifying the specific conditions under which a rule triggers, or does not trigger.  As an example, you might have a watchlist that keeps track of your Vulnerability Scanner IP addresses.  You might have a correlation rule that identifies systems that are scanning your network, but incorporate exceptions into the rule by including a condition that ignores scans coming from IPs that are on the watchlist.

               

              Watchlists are key to many advanced use cases in ESM.  These are just a few ideas.  Hopefully this gives you a few ideas of your own.

               

              Scott
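
The following is an added illustration, not McAfee ESM code and not part of any post above. It is a small Python model of the watchlist semantics Scott quotes from the product guide (static vs. dynamic lists, values that expire unless refreshed) and of the three uses he lists: a view filter, an alarm trigger that appends to another watchlist, and a correlation rule with a scanner-IP exception. The event records, field names (`src_ip`, `user`, `signature`, `dst_ports`, `time`) and the time-unit TTL are all constructed assumptions chosen to make the behaviour visible; ESM's real schema and rule engine differ.

```python
import re

# Constructed sample events (NOT real ePO/ESM output). Field names are assumptions.
# "time" is a simple integer clock so that watchlist expiry can be shown offline.
SAMPLE_EVENTS = [
    {"time": 100, "src_ip": "10.0.0.5",  "user": "jsmith",   "signature": "Adware-Bettersurf", "dst_ports": 3},
    {"time": 110, "src_ip": "10.0.0.9",  "user": "admin",    "signature": "Adware-Bettersurf", "dst_ports": 1},
    {"time": 120, "src_ip": "10.0.0.50", "user": "svc_scan", "signature": "PortScan",          "dst_ports": 400},
    {"time": 130, "src_ip": "10.0.0.77", "user": "mallory",  "signature": "PortScan",          "dst_ports": 250},
    {"time": 150, "src_ip": "10.0.0.5",  "user": "jsmith",   "signature": "Adware-Bettersurf", "dst_ports": 2},
]


class Watchlist:
    """A list of values for one event field.

    Static list: explicit values (entered/imported). Dynamic list: a regex.
    With a ttl, each value expires ttl time units after it was last added;
    append() on an existing value refreshes its timestamp, which is the
    'refresh by appending' behaviour the product guide describes.
    """

    def __init__(self, name, field_name, values=(), pattern=None, ttl=None):
        self.name = name
        self.field = field_name
        self.pattern = re.compile(pattern) if pattern else None
        self.ttl = ttl
        self._added = {}                    # value -> time of last add/refresh
        for v in values:
            self.append(v, at=0)

    def append(self, value, at):
        self._added[value] = at             # new value, or refresh of an existing one

    def active_values(self, now):
        if self.ttl is None:
            return set(self._added)
        return {v for v, t in self._added.items() if now - t < self.ttl}

    def matches(self, event):
        value = event.get(self.field)
        if value is None:
            return False
        if self.pattern is not None:        # dynamic watchlist
            return bool(self.pattern.search(str(value)))
        return value in self.active_values(event["time"])   # static watchlist


def filter_view(events, watchlist):
    """Use 1: the watchlist as a view/report filter."""
    return [e for e in events if watchlist.matches(e)]


def alarm_on_watchlist(events, watchlist, append_to=None):
    """Use 2: an alarm fires on every event matching the watchlist. Optionally the
    alarm appends the event's value to a second (expiring) watchlist, which also
    refreshes that value's timestamp if it is already present."""
    fired = []
    for e in events:
        if watchlist.matches(e):
            fired.append(e)
            if append_to is not None:
                append_to.append(e[append_to.field], at=e["time"])
    return fired


def correlate_scanners(events, scanner_exceptions, port_threshold=100):
    """Use 3: a correlation rule flags hosts touching many ports, except sources
    that are on the vulnerability-scanner watchlist."""
    return [e["src_ip"] for e in events
            if e["dst_ports"] >= port_threshold and not scanner_exceptions.matches(e)]


def run_demo(events=SAMPLE_EVENTS):
    critical_users = Watchlist("Critical Users", "user", values=["admin", "root"])      # static
    adware = Watchlist("Adware signatures", "signature", pattern=r"^Adware-")          # dynamic
    scanners = Watchlist("Vuln Scanners", "src_ip", values=["10.0.0.50"])              # static
    suspicious_hosts = Watchlist("Suspicious Hosts", "src_ip", ttl=60)                 # expiring, alarm-fed

    adware_view = filter_view(events, adware)
    critical_alarms = alarm_on_watchlist(events, critical_users)
    alarm_on_watchlist(events, adware, append_to=suspicious_hosts)   # feeds the expiring list

    return {
        "adware_view": [e["time"] for e in adware_view],
        "critical_alarms": [e["user"] for e in critical_alarms],
        # 10.0.0.5 was refreshed at t=150, 10.0.0.9 last seen at t=110 (ttl 60)
        "suspicious_at_160": sorted(suspicious_hosts.active_values(160)),
        "suspicious_at_200": sorted(suspicious_hosts.active_values(200)),
        "scanners_flagged": correlate_scanners(events, scanners),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

The point the model makes concrete is the one in Andrew's one-line answer: `Watchlist` on its own is inert, and only `filter_view`, `alarm_on_watchlist` and `correlate_scanners` give it an effect. The expiring list also shows why an alarm that appends to a watchlist keeps an active host "hot" (10.0.0.5 is still present at t=200 after being refreshed at t=150) while a host seen once ages out.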