10.1 Working with Dynamic Lists

You can create Dynamic Lists either in the correlation rule Expression Builder while creating correlation rules or in the All Dynamic Lists user interface. To create and manage Dynamic Lists, in the Sentinel Main interface, click Correlation. In the Dynamic Lists section, click All Dynamic Lists.

NOTE: Specify an appropriate name for the Dynamic List and list item. Because Dynamic Lists are associated with several correlation rules, you cannot modify the list name or the list item name later.

10.1.1 Adding List Items

When creating Dynamic Lists, you can specify the default life span for the list items. The life span of the list items is considered from the date and time you create or modify them. If you want to be notified when an item expires, you can configure Sentinel to generate events when a list item expires. For more information, see Generating an Audit Event when a List Item Expires From a Dynamic List. If you do not want the list items to be deleted, you can set the list item to never expire while adding them.

You can add list items in any of the following ways:

  • In the All Dynamic Lists page, open the dynamic list to which you want to add list items. Click Items > Add. The Add Item screen appears.

  • Enter the item value in the Value field and an optional item description in the Description field. When you double-click the Description field, it becomes editable. Once the description is added, you can update it by clicking the Update button. The description should not exceed 255 characters. Click Add.

  • Import from a CSV or a TXT file. Consider the following when importing list items:

    • The file can be in <value, expiration_date, description> format. Expiration date and description are optional. The value of expiration date must be either 0 or 1. 0 indicates that the list item will expire and 1 indicates that the list item will never expire. The default value of expiration date is 0. Description has no default value.

      NOTE: When you import from a CSV or a TXT file, and you select Append items, the description of the item with the same value is replaced, as only a single item with a specific name can exist.

    • The number of list items must not exceed the list item limit for the dynamic list. If the limit is exceeded, Sentinel does not import the list items.

    If the list items being imported already exist in the dynamic list, Sentinel updates the life span of the list items with the value specified in the file.

  • Set the correlation rule action to Add to Dynamic List. The correlation rule adds a list item to the selected dynamic list when the rule fires. For more information, see Associating Actions to a Rule.
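The import file rules above can be checked before you upload a file. The following Python script is an added example, not part of Sentinel or its documentation. The function name check_import and the sample data are hypothetical. It assumes that fields are comma-separated, that the 255-character description limit from the Add Item screen also applies to imported rows, and that a later row with the same value replaces an earlier one.

```python
import csv
import io

MAX_DESCRIPTION = 255  # limit stated for the Add Item screen; assumed to apply to imports


def check_import(text, item_limit):
    """Check <value, expiration_date, description> rows; return (items, problems)."""
    items, problems = {}, []
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for lineno, row in enumerate(reader, start=1):
        if not any(f.strip() for f in row):
            continue  # blank line
        if len(row) > 3:
            problems.append(f"line {lineno}: more than 3 fields")
            continue
        value = row[0].strip()
        flag = row[1].strip() if len(row) > 1 and row[1].strip() else "0"  # default is 0
        desc = row[2].strip() if len(row) > 2 else ""  # description has no default
        if not value:
            problems.append(f"line {lineno}: empty value")
            continue
        if flag not in ("0", "1"):  # 0 = item expires, 1 = item never expires
            problems.append(f"line {lineno}: expiration_date must be 0 or 1, got {flag!r}")
            continue
        if len(desc) > MAX_DESCRIPTION:
            problems.append(f"line {lineno}: description exceeds {MAX_DESCRIPTION} characters")
            continue
        if value in items:  # only one item with a given value can exist
            problems.append(f"line {lineno}: duplicate value {value!r} replaces earlier row")
        items[value] = (flag, desc)  # assumption: the later row wins
    if len(items) > item_limit:
        problems.append(f"{len(items)} items exceed the list limit of {item_limit}")
    return items, problems


# Constructed sample file contents (documentation-range addresses, not real data)
SAMPLE = """192.0.2.10, 1, known scanner
192.0.2.11
198.51.100.7, 2, bad flag
192.0.2.10, 0, rescoped
"""

if __name__ == "__main__":
    items, problems = check_import(SAMPLE, item_limit=100)
    for p in problems:
        print(p)
```

Set item_limit to the list item limit configured for the target dynamic list. A file that reports a limit problem would not be imported at all.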

10.1.2 Exporting List Items

If you have multiple Sentinel servers, you do not need to manually create list items on each server. You can reuse existing list items in other Sentinel servers by using the Export option as needed.

The Export option exports all the list items of a dynamic list. You cannot export only selected list items.