Dynamic Lists help you store string elements, such as IP addresses, server names, or user names. You can use these lists within a correlation rule for a quick lookup to see whether an incoming event includes an element from the Dynamic List. Because Dynamic Lists are also the only way to share the state between multiple correlation rules, they are useful when you want to co-ordinate between different rules or the same rule at different times. For information about correlation rules, see Section 6.0, Correlating Event Data.
For example, you can use the following types of Dynamic Lists:
Terminated user lists
Suspicious user watchlist
Privileged user watchlist
Authorized ports and services list
Authorized server list
NOTE:You must have the Manage Correlation Engine and Rules permission to create and manage Dynamic Lists.