You can create Dynamic Lists either in the correlation rule Expression Builder while creating correlation rules or in the All Dynamic Lists user interface. To create and manage Dynamic Lists, in the Sentinel Main interface, click Correlation. In the Dynamic Lists section, click All Dynamic Lists.
NOTE:Specify an appropriate name for the Dynamic List and list item. Since the Dynamic Lists are associated to several correlation rules, you cannot modify the list name and the list item name later.
When creating Dynamic Lists, you can specify the default life span for the list items. The life span of the list items is considered from the date and time you create or modify them. If you do not want the list items to be deleted, you can set the list item to never expire while adding them.
You can add list items in any of the following ways:
In the All Dynamic Lists page, open the dynamic list to which you want to add list items. Click Items > Add.
Import from a CSV or a TXT file. Consider the following when importing list items:
The file can be in <value, expiration_date> format. Expiration date is optional and it must be either 0 or 1. 0 indicates that the list item will expire and 1 indicates that the list item will never expire. The default value is 0.
The number of list items do not exceed the list items limit for the dynamic list. If the limit exceeds, Sentinel does not import the list items.
If the list items being imported already exist in the dynamic list, Sentinel updates the life span of the list items with the value specified in the file.
Set the correlation rule action to Add to Dynamic List. The correlation rule adds a list item to the selected dynamic list when the rule fires. For more information, see Associating Actions to a Rule.
If you have multiple Sentinel servers, you do not need to manually create list items on each server. You can reuse existing list items in other Sentinel servers by using the Export option as needed.
The Export option exports all the list items of a dynamic list. You cannot export only selected list items.