Dynamic Lists

Dynamic lists are distributed list structures that can be used to store string elements, such as IP addresses, server names, or usernames. A Correlation rule can then use a list for a quick lookup to see whether an incoming event includes an element from the dynamic list. Some examples of dynamic lists include:

A dynamic list can be built by using the text values for any event meta tag. Elements can be added to the list manually (by an administrator) or automatically whenever a Correlation rule fires. Elements can be removed from a list manually (by an administrator), automatically whenever a Correlation rule fires, when their time limit expires, or when the maximum list size is reached.

IMPORTANT: The Time to Live (TTL) must be between 60 seconds and 90 days and the maximum list size is 100,000.

Regardless of how the values were added, they can be persistent (active until manually removed or until the maximum list size is reached) or transient (active only for a specified time frame after being added to the list, also known as the Time to Live). The Time to Live can range from 60 seconds to 90 days.

NOTE: If the Time to Live period is updated on an active dynamic list, the change is not retroactive to elements already on the list. Elements that are already added to the dynamic list retain their original Time to Live.
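
The following Python model is an added illustration of the behavior described above (TTL bounds, non-retroactive TTL changes, and removal at maximum size); it is not the product's code or API. The class and function names are hypothetical, the sample values are constructed, and the oldest-first eviction and the refresh on re-add are assumptions, because the page does not say which element is removed when the list is full.

```python
import time

MIN_TTL, MAX_TTL = 60, 90 * 24 * 3600   # TTL bounds from the page, in seconds
MAX_SIZE = 100_000                      # maximum list size from the page

class DynamicListModel:
    """Toy model of the documented semantics (hypothetical, not the product)."""

    def __init__(self, ttl=None, max_size=MAX_SIZE, clock=time.time):
        self.max_size = min(max_size, MAX_SIZE)
        self.clock = clock
        self.entries = {}               # element -> expiry time, None = persistent
        self.set_ttl(ttl)

    def set_ttl(self, ttl):
        """Change the list TTL; only elements added afterwards pick it up."""
        if ttl is not None and not MIN_TTL <= ttl <= MAX_TTL:
            raise ValueError("TTL must be between 60 seconds and 90 days")
        self.ttl = ttl

    def _purge(self):
        now = self.clock()
        self.entries = {e: x for e, x in self.entries.items() if x is None or x > now}

    def add(self, element):
        self._purge()
        self.entries.pop(element, None)  # assumption: re-adding refreshes the entry
        if len(self.entries) >= self.max_size:
            # Assumption: evict the oldest element; the page leaves this unspecified.
            del self.entries[next(iter(self.entries))]
        self.entries[element] = None if self.ttl is None else self.clock() + self.ttl

    def contains(self, element):
        self._purge()
        return element in self.entries

def demo():
    """Constructed walk-through driven by a fake clock."""
    now = [0]
    lst = DynamicListModel(ttl=60, max_size=2, clock=lambda: now[0])
    lst.add("198.51.100.7")              # t=0, expires at t=60
    now[0] = 10
    lst.set_ttl(3600)                    # does not extend the entry above
    lst.add("jdoe")                      # expires at t=3610
    now[0] = 61
    expired, kept = lst.contains("198.51.100.7"), lst.contains("jdoe")
    lst.add("srv-a"); lst.add("srv-b")   # list is full, so "jdoe" is evicted
    return expired, kept, lst.contains("jdoe")
```

When sizing a real list, the point to take from the model is that a transient element can disappear either because its own TTL ran out or because the list filled up first, so a lookup miss does not by itself say which happened.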
