Active Lists
You can use active lists to create a configurable data store that can hold information derived from events, or other sources.
Active lists can monitor activity based on any rule-driven combination of event attributes or set of custom fields. For example, active lists are very useful for tracking suspicious or hostile IP addresses as well as targets of attacks that may be compromised.
You can populate active lists manually when necessary (adding entries from grid views or the Active List Editor), or use active lists in conjunction with rules specifically tailored to work with them. Rules can dynamically add and remove entries on active lists, thereby making them a flexible information-gathering tool.
You can now open and edit active lists in grid views.
Active lists function differently than active channels. Active lists are not continuously re-evaluated and are not time-window constrained. Active lists draw from the event stream on the basis of their event or field/rule definitions and any rules designed to affect them.
You can use active lists as filters in other resources that are not based on active channels, such as reports.
In addition to their integral definitions, you can apply temporary (not saved) filters to active list grid views. Click the status description in the Filter line in the view header to use the Common Condition Editor.
Use the default items in the Active Lists resource tree for templates or for operational monitoring with minor modifications. For example, use the Trusted List to watch activity from known-to-be-safe IP sources and the Untrusted List to do the same for known unsafe sources.
If you have Administrator access you can have another group named All Active Lists that contains all active list groups and lists.
Note: For procedural information about working with active lists (including how to create, edit, delete, import, and export them), see List Authoring.