3.4 Dynamic Lists

Dynamic Lists are distributed list structures that can be used to store string elements, such as IP addresses, server names, or usernames. The lists are then used within a correlation rule for a quick lookup to see whether an incoming event includes an element from the Dynamic List. Some examples of Dynamic Lists include:

A Dynamic List can be built using the text values of any event metatag. Elements can be added to the list manually (by an administrator) or automatically whenever a correlation rule fires. Elements can be removed from a list manually (by an administrator), automatically whenever a correlation rule fires, when their Time to Live expires, or when the maximum list size is reached.

IMPORTANT:The Time To Live (TTL) must be between 60 seconds and 90 days and the maximum list size is 100,000.

Regardless of how the values were added, they can be Persistent (active until manually removed or until the maximum list size is reached) or Transient (active only for a specified timeframe after being added to the list, also known as the Time to Live). The Time to Live can range from 60 seconds to 90 days.

NOTE:If the Time to Live period is updated on an active Dynamic List, the change is not retroactive to elements already on the list. Elements that are already on the Dynamic List retain the Time to Live they were added with.

3.4.1 Adding a Dynamic List

To add Dynamic Lists:

  1. Click Correlation on the Menu Bar and select Dynamic Lists. Alternatively, click the Dynamic Lists button on the Tool Bar.

  2. Click the Add button located in the top left corner of the screen. The Dynamic List Properties window displays.

  3. Provide the Name of the List.

    NOTE:The name cannot contain special characters, such as quotation marks or hyphens. For MSSP customers, provide an intuitive name so that the list can be easily identified as belonging to that MSSP customer.

  4. Click Add. The Add Element window displays.

  5. Provide the name of the element. To make the element persistent, select the Make Persistent check box. Click OK.

    NOTE:To make an existing element persistent, select the check box before the element name in the Dynamic List Properties window.

  6. Specify the Transient elements life span. This is the Time to Live: the time that transient (non-persistent) elements remain active in the list after they are added, from 60 seconds to 90 days.

  7. Specify the Maximum Number of Elements. The number defined here limits the number of elements in the list and cannot exceed 100,000.

  8. Click OK.

    NOTE:To filter the available elements, select a filter type from the Quick Filter drop-down list and specify the element name.

3.4.2 Modifying a Dynamic List

To edit a Dynamic List:

  1. Click Correlation on the Menu Bar and select Dynamic Lists. Alternatively, click the Dynamic Lists button on the Tool Bar.

  2. Select a Dynamic List and click the View/Edit link.

  3. The Dynamic List Properties window displays. Edit the options as required and click OK.

3.4.3 Deleting a Dynamic List

WARNING:Do not delete a Dynamic List that is part of a correlation rule or rules.

To delete a Dynamic List:

  1. Click Correlation on the Menu Bar and select Dynamic Lists. Alternatively, click the Dynamic Lists button on the Tool Bar.

  2. Select a Dynamic List and click the Delete link next to it. A confirmation message displays.

  3. Click Yes to delete.

3.4.4 Removing Dynamic List Elements

There are several ways an element can be removed from a Dynamic List.

  • A user can remove it manually

  • The element can be removed by a correlation rule action

  • The Transient elements life span can expire

  • If the maximum number of elements for a Dynamic List is reached, elements are removed from the list to keep the list at or below the maximum list size. The transient elements are removed (from oldest to newest) before any persistent elements are removed.

3.4.5 Using a Dynamic List in a Correlation Rule

Dynamic Lists can be referenced in a Correlation Rule by using the Custom/Freeform option of the Correlation Rule Wizard. For example:

filter(e.<tagname> inlist <Dynamic List Name>)

where

  • e.<tagname> is a metatag in the incoming event, such as e.shn (Source Host Name) or e.dip (Destination IP address)

  • <Dynamic List Name> is the name of an existing Dynamic List, such as CriticalServerList
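The removal rules in 3.4.4 (expiry, eviction at maximum size, non-retroactive TTL changes) and the inlist lookup above are easiest to see in a small model. The following Python is an added example, not Sentinel's code or its correlation rule language: the class and function names, the sample events, and the timestamp reset on re-adding a value are constructed here for illustration, and the order in which persistent elements are evicted (oldest first) is an assumption, since the text only fixes the order for transient elements.

```python
# Added example (not Sentinel's code or rule language): a model of the Dynamic
# List semantics described on this page and of the
# filter(e.<tagname> inlist <Dynamic List Name>) lookup. Names, sample events,
# and the eviction order among persistent elements are assumptions.
import time
from dataclasses import dataclass
from typing import Dict, Optional

MIN_TTL = 60                 # seconds (page: TTL must be at least 60 seconds)
MAX_TTL = 90 * 24 * 60 * 60  # seconds (page: TTL must be at most 90 days)
MAX_LIST_SIZE = 100_000      # page: maximum list size


def valid_ttl(seconds: int) -> bool:
    """True if a Time to Live is inside the range the product accepts."""
    return MIN_TTL <= seconds <= MAX_TTL


@dataclass
class Element:
    value: str
    added_at: float
    persistent: bool
    ttl: Optional[int]  # fixed when the element is added; None if persistent


class DynamicList:
    def __init__(self, name: str, ttl: int = 3600, max_elements: int = MAX_LIST_SIZE):
        if not valid_ttl(ttl):
            raise ValueError("TTL must be between 60 seconds and 90 days")
        if not 1 <= max_elements <= MAX_LIST_SIZE:
            raise ValueError("maximum list size is 100,000")
        self.name = name
        self.ttl = ttl                    # the "Transient elements life span"
        self.max_elements = max_elements
        self._elements: Dict[str, Element] = {}  # dict keeps insertion order

    def set_ttl(self, ttl: int) -> None:
        """Change the list TTL. Elements already on the list keep the TTL they
        were added with: the change is not retroactive."""
        if not valid_ttl(ttl):
            raise ValueError("TTL must be between 60 seconds and 90 days")
        self.ttl = ttl

    def add(self, value: str, persistent: bool = False, now: Optional[float] = None) -> None:
        """Add an element manually or from a rule action. Re-adding a value
        replaces it and resets its timestamp (an assumption)."""
        now = time.time() if now is None else now
        self._expire(now)
        self._elements[value] = Element(value, now, persistent, None if persistent else self.ttl)
        self._enforce_max()

    def remove(self, value: str) -> None:
        """Manual removal, or removal by a correlation rule action."""
        self._elements.pop(value, None)

    def contains(self, value: str, now: Optional[float] = None) -> bool:
        """The inlist lookup; expired transient elements are dropped first."""
        now = time.time() if now is None else now
        self._expire(now)
        return value in self._elements

    def active(self, now: Optional[float] = None):
        """Sorted values currently on the list."""
        now = time.time() if now is None else now
        self._expire(now)
        return sorted(self._elements)

    def _expire(self, now: float) -> None:
        for value, el in list(self._elements.items()):
            if not el.persistent and now - el.added_at >= el.ttl:
                del self._elements[value]

    def _enforce_max(self) -> None:
        # Keep the list at or below its maximum. Transient elements go first,
        # oldest to newest (as the page states); persistent elements only after
        # that, also oldest first (an assumption; the page fixes no order).
        while len(self._elements) > self.max_elements:
            victim = min(self._elements.values(), key=lambda e: (e.persistent, e.added_at))
            del self._elements[victim.value]


def inlist(tag: str, dynamic_list: DynamicList, now: Optional[float] = None):
    """Predicate equivalent to filter(e.<tag> inlist <dynamic_list.name>)."""
    return lambda event: dynamic_list.contains(str(event.get(tag, "")), now)


def demo():
    """Add elements, change the TTL (non-retroactive), hit the maximum size,
    let one element expire, then run the inlist predicate over constructed
    events. Returns the ids of the events that match."""
    t0 = 1_000.0
    lst = DynamicList("CriticalServerList", ttl=60, max_elements=3)
    lst.add("10.0.0.5", persistent=True, now=t0)  # administrator-added
    lst.add("10.0.0.6", now=t0 + 10)              # rule-added, transient, 60 s
    lst.add("10.0.0.7", now=t0 + 20)              # transient, 60 s
    lst.set_ttl(600)                              # only later additions get 600 s
    lst.add("10.0.0.8", now=t0 + 30)              # 4 > 3: evicts oldest transient, 10.0.0.6
    events = [                                    # constructed sample events
        {"id": "e1", "dip": "10.0.0.5"},          # persistent, still on the list
        {"id": "e2", "dip": "10.0.0.6"},          # evicted by maximum size
        {"id": "e3", "dip": "10.0.0.7"},          # 60 s TTL has expired by t0 + 90
        {"id": "e4", "dip": "10.0.0.8"},          # 600 s TTL, still active
        {"id": "e5", "dip": "192.0.2.9"},         # never on the list
    ]
    matches = inlist("dip", lst, now=t0 + 90)
    return [e["id"] for e in events if matches(e)]


if __name__ == "__main__":
    print(demo())  # ['e1', 'e4']
```

Note that the lookup itself is what removes expired transient elements in this model; whether the product expires eagerly or lazily is not stated on the page, but the visible result (an expired element no longer matches) is the same.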

The following instructions assume that a Dynamic List already exists.

To add a Dynamic List to correlation rule:

  1. Open the Correlation Rules Manager window and, from the drop-down list, select the folder in which this rule will be created.

  2. Click the Add button located in the top left corner of the screen. The Correlation Rule window displays. Select Custom/Freeform Rule.

  3. In the Custom/Freeform Rule window, write the condition for the rule including the name of the dynamic list. For example, filter(e.sev inlist Severity) where Severity is the dynamic list name.

  4. Click Validate to test the validity of the rule.

  5. After the rule validates, click Next. The Update Criteria window displays.

  6. Update the criteria for the rule to fire and click Next.

  7. Provide a name for this rule. You can also change the rule folder here.

  8. Provide rule description and click Next.

  9. You have an option to create another rule from this wizard. Select your option and click Next.

NOTE:Users must have the Start/Stop Correlation Engine permission to perform these actions.

The Correlation Engine has two states: Enabled and Disabled.

When the Correlation Engine is enabled, it processes active correlation Rules. When in a disabled state, all its in-memory data is preserved and no new correlation events are generated. Disabling the Correlation Engine does not affect other parts of the Sentinel system.

Correlation rules are stored in the Sentinel database. When you activate the Correlation Engine in Sentinel Control Center, it requests the deployment information and rules from the database. Changes to a rule are not reflected in the Correlation Engine until one of the following things happens:

  • The rule is undeployed, edited and redeployed.

  • The rule is freshly deployed