10.0 Configuring Dynamic Lists

Dynamic Lists help you store string elements, such as IP addresses, server names, or user names. You can use these lists within a correlation rule for a quick lookup to see whether an incoming event includes an element from the Dynamic List. Because Dynamic Lists are also the only way to share the state between multiple correlation rules, they are useful when you want to co-ordinate between different rules or the same rule at different times. For information about correlation rules, see Section 6.0, Correlating Event Data.

For example, you can use the following types of Dynamic Lists:

  • Terminated user lists

  • Suspicious user watchlist

  • Privileged user watchlist

  • Authorized ports and services list

  • Authorized server list

NOTE:You must have the Manage Correlation Engine and Rules permission to create and manage Dynamic Lists.