6.1 Creating a Dynamic List

A Dynamic List can be built using the text values for any event ID. Elements can be added to the list manually or automatically whenever a Correlation rule fires.

Regardless of how the values were added, an element can be of the following types:

Dynamic Lists can be created either in the Sentinel Control Center or in the Correlation Rule Builder:

6.1.1 Using the Sentinel Control Center to Create a Dynamic List

  1. Launch the Sentinel Control Center.

    1. Log in to the Sentinel Web interface:

      https://<IP_Address/DNS_Sentinel_server:8443>
      

      IP_Address/DNS_Sentinel_server is the IP address or DNS name of the Sentinel server and 8443 is the default port for the Sentinel server.

    2. In the tool bar, click Applications.

    3. Click Launch Control Center.

    4. Click Yes to accept the security certificate.

    5. Specify a username and password of a user that has rights to access the SCC, then click Login.

    6. Click Accept or Accept Permanently to accept the security certificate and display the SCC.

  2. Launch the Dynamic Lists window:

    • (Conditional) If the Configuration menu is not enabled, click the Configuration tab, then click the Configuration menu > Dynamic Lists or click the icon in the toolbar.

    • (Conditional) If the Configuration menu is enabled, click the Configuration menu > Dynamic Lists or click the icon in the toolbar.

  3. Click Add.

  4. Specify a name for the Dynamic List.

    The name must start with a character. The name can contain only letters, digits, or underscores. The name cannot be changed after you create the Dynamic List. Therefore, specify a descriptive name.

  5. To add elements, click Add.

  6. Specify a name for the list element.

  7. To keep the element active until it is manually removed or until the maximum list size is reached, select Make Persistent, then click OK.

    or

    To keep the element active only for a specific time, use the Transient elements life span fields to specify how long the element remains active.

    The time period can range from 1 hour to 90 days.

  8. Specify the maximum number of elements you want in the Dynamic List.

    The maximum list size can be 100,000.

  9. Click OK.

6.1.2 Using the Correlation Rule Builder to Create a Dynamic List

You can create Dynamic Lists while creating a Correlation rule. The Correlation Rule Builder provides this option so that you can complete the rule creation process without switching to the Sentinel Control Center. It is also useful if you only want to create an empty Dynamic List.

  1. Log in to the Sentinel Web interface.

    https://<IP_Address/DNS_Sentinel_server:8443>

    IP_Address/DNS_Sentinel_server is the IP address or DNS name of the Sentinel server and 8443 is the default port for the Sentinel server.

  2. Select Correlation from the navigation panel.

  3. In the Subrule window, click Create a new expression.

  4. In the Expression Builder, select an appropriate event field from Attributes.

  5. In the Operator list, select inlist or not inlist.

  6. In the Value section, click Create.

  7. Specify the following information for the list:

    • List name: A descriptive name for the Dynamic List. The name must start with a character. The name can contain only letters, digits, or underscores.

    • Transient elements life span: The time for the element to remain active. The time can range from 1 hour to 90 days.

    • Maximum number of elements: The maximum number of elements the list should include.

  8. Click OK.

The Dynamic List is created. However, you must launch the Sentinel Control Center to add elements to the list. You can complete the Correlation rule creation process, then add elements to the list. For more information on adding elements, see Section 6.1.1, Using the Sentinel Control Center to Create a Dynamic List.
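The following Python model shows how the settings from both procedures (list name, persistent or transient elements, transient life span, maximum list size) affect an inlist test over time. It is an added example, not Sentinel code; the class and function names are hypothetical and the sample values are constructed. Assumptions: "character" means a letter, the smallest list size is 1, and the oldest element is dropped first when the list is full.

```python
import re
from datetime import datetime, timedelta

NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_]*$")  # assumption: "character" = letter
MIN_TTL, MAX_TTL = timedelta(hours=1), timedelta(days=90)
MAX_SIZE = 100_000

class DynamicListModel:
    """Toy model of a Dynamic List; not Sentinel's implementation."""

    def __init__(self, name, max_elements, transient_ttl):
        if not NAME_RE.match(name):
            raise ValueError("name: start with a letter; letters, digits, underscores only")
        if not 1 <= max_elements <= MAX_SIZE:  # lower bound of 1 is an assumption
            raise ValueError("maximum list size must be 1..100,000")
        if not MIN_TTL <= transient_ttl <= MAX_TTL:
            raise ValueError("transient life span must be 1 hour..90 days")
        self.name, self.max_elements, self.ttl = name, max_elements, transient_ttl
        self._elements = {}  # value -> expiry datetime, or None if persistent

    def add(self, value, now, persistent=False):
        self._purge(now)
        self._elements.pop(value, None)          # re-adding refreshes order and expiry
        if len(self._elements) >= self.max_elements:
            oldest = next(iter(self._elements))  # assumption: oldest entry is dropped
            del self._elements[oldest]
        self._elements[value] = None if persistent else now + self.ttl

    def remove(self, value):
        self._elements.pop(value, None)          # manual removal

    def inlist(self, value, now):
        self._purge(now)
        return value in self._elements

    def _purge(self, now):
        expired = [v for v, exp in self._elements.items() if exp is not None and exp <= now]
        for v in expired:
            del self._elements[v]

def demo():
    t0 = datetime(2024, 1, 1, 12, 0)  # constructed timestamp and element values
    wl = DynamicListModel("Watch_List_1", max_elements=2, transient_ttl=timedelta(hours=4))
    wl.add("10.0.0.5", t0)                       # transient element
    wl.add("svc_backup", t0, persistent=True)    # Make Persistent selected
    before = wl.inlist("10.0.0.5", t0 + timedelta(hours=3))   # inside the life span
    after = wl.inlist("10.0.0.5", t0 + timedelta(hours=5))    # life span has elapsed
    still = wl.inlist("svc_backup", t0 + timedelta(days=200)) # persistent element remains
    return before, after, still
```

A rule that uses inlist on a transient element stops matching once the life span elapses, so choose the life span to cover the window in which the rule should keep matching.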