Until you reference a Watchlist in a filter they do nothing.
Any PDFs on how to do that, or links?
Thanks for your reply buddy
I'm not aware of any specific documents that talk about using watchlists in ESM. It's one of those features that we take for granted. Here is what the product guide has to say on watchlists for starters:
A watchlist is a grouping of a specific type of information that can be used as a filter or as an alarm condition. It can be global or specific to a user or group and can be static or dynamic.
- A static watchlist consists of specific values you enter or import;
- a dynamic watchlist consists of values that result from a regular expression or string search criteria that you define.
A watchlist can include a maximum of 1,000,000 values.
You can set up the values on a watchlist to expire. Each value is time stamped and expires when the duration you specify is reached, unless it refreshes. Values refresh if an alarm triggers and adds them to the watchlist. You can refresh the values set to expire by appending them to the list using the Append to watchlist option on the menu of a view component.
Watchlists, by themselves, are simply lists, and don't do anything. However, they can be leveraged in many different use cases to accomplish very interesting things. For example:
- A watchlist can be used as a filter for a view or report. When you select a filter, you will see a tab labeled "Watchlist". If you select this tab, you will see the watchlists you have defined that are relevant to the data element you're filtering. For example, if you are filtering a source IP address, you will see the "IP Address" watchlists.
- A watchlist can be used as a trigger for an alarm. When properly configured, your alarm will trigger any time the ESM receives an event with a data field that matches the watchlist you've selected. For example, you might create a list of critical user names, and then set an alarm to fire any time an event occurs for one of these users.
- A watchlist can be used as a component in a correlation rule. This gives you a great deal of flexibility in identifying the specific conditions under which a rule triggers, or does not trigger. As an example, you might have a watchlist that keeps track of your Vulnerability Scanner IP addresses. You might have a correlation rule that identifies systems that are scanning your network, but incorporate exceptions into the rule by including a condition that ignores scans coming from IPs that are on the watchlist.
Watchlists are key to many advanced use cases in ESM. These are just a few ideas. Hopefully this gives you a few ideas of your own.
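As an added illustration of the three use cases above (this is not ESM's own code; ESM configures all of this in the console, and the class, field names and sample events here are constructed for the example), the following Python sketch models a watchlist with static values, a regular-expression (dynamic) component and per-value expiry that is refreshed when an alarm appends the value again. It then uses that list as a view filter, as an alarm trigger, and as an exception condition inside a simple scanner-detection rule:

```python
import re
from collections import defaultdict

MAX_VALUES = 1_000_000  # per-watchlist limit quoted from the product guide excerpt


class Watchlist:
    """A named list of values of one data type (e.g. 'src_ip' or 'user').

    Static entries are appended explicitly; a dynamic list additionally
    matches any value that satisfies a regular expression. Every appended
    value is time stamped; with a ttl set, it expires once the ttl has
    elapsed since its last append (appending it again refreshes the stamp).
    Times are plain numbers (seconds) so the example stays deterministic.
    """

    def __init__(self, name, data_type, ttl=None, pattern=None):
        self.name = name
        self.data_type = data_type
        self.ttl = ttl                       # seconds, or None for no expiry
        self.pattern = re.compile(pattern) if pattern else None
        self._stamps = {}                    # value -> time of last append

    def _expire(self, now):
        if self.ttl is None:
            return
        for value in [v for v, ts in self._stamps.items() if now - ts >= self.ttl]:
            del self._stamps[value]

    def append(self, value, now):
        self._expire(now)
        if value not in self._stamps and len(self._stamps) >= MAX_VALUES:
            raise ValueError(f"{self.name}: limit of {MAX_VALUES} values reached")
        self._stamps[value] = now            # new value, or refresh of an existing one

    def contains(self, value, now):
        self._expire(now)
        if self.pattern and self.pattern.search(str(value)):
            return True
        return value in self._stamps

    def values(self, now):
        self._expire(now)
        return set(self._stamps)


# Constructed sample events (hypothetical hosts, users and ports).
EVENTS = [
    {"src_ip": "10.1.1.5", "user": "svc_backup", "dst_port": 22},
    {"src_ip": "10.1.1.6", "user": "jdoe", "dst_port": 443},
    {"src_ip": "10.1.1.7", "user": "admin", "dst_port": 3389},
] + [
    {"src_ip": "10.0.0.50", "user": "scanner", "dst_port": p} for p in (21, 22, 23, 80, 443)
] + [
    {"src_ip": "192.168.1.77", "user": "unknown", "dst_port": p}
    for p in (135, 139, 445, 3389, 5900, 8080)
]


def filter_by_watchlist(events, wl, now):
    """Use case 1: a view/report filter keeps events whose field is on the list."""
    return [e for e in events if wl.contains(e.get(wl.data_type), now)]


def alarm_on_watchlist(events, wl, refresh_list, now):
    """Use case 2: alarm on any event whose field matches the list. The alarm
    action appends the event's source IP to a second, expiring list, which
    also refreshes that value's timestamp if it was already present."""
    alarms = []
    for e in events:
        if wl.contains(e.get(wl.data_type), now):
            alarms.append(e)
            refresh_list.append(e["src_ip"], now)
    return alarms


def scanner_rule(events, exceptions, now, min_ports=5):
    """Use case 3: correlation rule flagging sources that touch many distinct
    ports, with an exception condition for IPs on the vulnerability-scanner list."""
    ports = defaultdict(set)
    for e in events:
        if exceptions.contains(e["src_ip"], now):
            continue                         # authorised scanner: ignored by the rule
        ports[e["src_ip"]].add(e["dst_port"])
    return sorted(ip for ip, p in ports.items() if len(p) >= min_ports)


def demo_expiry():
    """A value appended at t=0 with a 1h ttl, refreshed at t=3000, is still
    present at t=4000 and gone at t=6600."""
    wl = Watchlist("recent_alarm_sources", "src_ip", ttl=3600)
    wl.append("10.1.1.5", now=0)
    wl.append("10.1.1.5", now=3000)          # refresh pushes expiry to t=6600
    return wl.contains("10.1.1.5", now=4000), wl.contains("10.1.1.5", now=6600)


def run_demo(now=1000):
    critical_users = Watchlist("critical_users", "user", pattern=r"^svc_")
    critical_users.append("admin", now)      # static entry plus dynamic 'svc_*' match
    scanners = Watchlist("vuln_scanners", "src_ip")
    scanners.append("10.0.0.50", now)
    recent = Watchlist("recent_alarm_sources", "src_ip", ttl=3600)
    filtered = filter_by_watchlist(EVENTS, critical_users, now)
    alarms = alarm_on_watchlist(EVENTS, critical_users, recent, now)
    return {
        "filtered_users": sorted({e["user"] for e in filtered}),
        "alarm_count": len(alarms),
        "recent_sources": sorted(recent.values(now)),
        "flagged_scanners": scanner_rule(EVENTS, scanners, now),
    }


if __name__ == "__main__":
    print(run_demo())
    print(demo_expiry())
```

In the demo the authorised scanner at 10.0.0.50 hits five ports but is skipped because it sits on the exception list, while the unlisted 192.168.1.77 is flagged; the `svc_backup` event matches through the regular expression even though it was never appended, which is what makes that list dynamic.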
From your response I understand that a watchlist can have a maximum of up to 1,000,000 values.
Is there any limit on how many watchlists we can create, i.e. 50, 75, 100...?