A Dynamic List can be built using the text values for any event ID. Elements can be added to the list manually or automatically whenever a Correlation rule fires.
Regardless of how the values were added, an element can be of the following types:
Persistent: The element is active until it is manually removed or until the maximum list size is reached.
Transient: The element is active only for a specified time after being added to the list.
Dynamic Lists can be created either in the Sentinel Control Center or in the Correlation Rule Builder:
Launch the Sentinel Control Center.
Log in to the Sentinel Web interface:
https://<IP_Address/DNS_Sentinel_server:8443>
IP_Address/DNS_Sentinel_server is the IP address or DNS name of the Sentinel server and 8443 is the default port for the Sentinel server.
In the tool bar, click .
Click .
Click to accept the security certificate.
Specify a username and password of a user that has rights to access the SCC, then click .
Click or to accept the security certificate and display the SCC.
Launch the Dynamic Lists window:
(Conditional) If the menu is not enabled, click the tab, then click the menu > or click the icon in the toolbar.
(Conditional) If the menu is enabled, click the menu > or click the icon in the toolbar.
Click .
Specify a name for the Dynamic List.
The name must start with a character. The name can contain only letters, digits, or underscores. The name cannot be changed after you create the Dynamic List. Therefore, specify a descriptive name.
To add elements, click .
Specify a name for the list element.
To keep the element active until it is manually removed or until the maximum list size is reached, select , then click .
or
To keep the element active only for a specific time, use the fields to specify how long the element remains active.
The time period can range from 1 hour to 90 days.
Specify the maximum number of elements you want in the Dynamic List.
The maximum list size can be 100,000.
Click .
You can create Dynamic Lists while creating a Correlation rule. The Correlation Rule Builder provides this option so that you can complete the rule creation process without switching to the Sentinel Control Center. It is also useful if you just want to create an empty Dynamic List.
Log in to the Sentinel Web interface.
https://<IP_Address/DNS_Sentinel_server:8443>
IP_Address/DNS_Sentinel_server is the IP address or DNS name of the Sentinel server and 8443 is the default port for the Sentinel server.
Select from the navigation panel.
In the Subrule window, click .
In the , select an appropriate event field from .
In the list, select or .
In the section, click .
Specify the following information for the list:
List name: A descriptive name for the Dynamic List. The name must start with a character. The name can contain only letters, digits, or underscores.
Transient elements life span: The time for the element to remain active. The time can range from 1 hour to 90 days.
Maximum number of elements: The maximum number of elements the list should include.
Click .
The Dynamic List is created. However, you must launch the Sentinel Control Center to add elements to the list. You can complete the Correlation rule creation process, then add elements to the list. For more information on adding elements, see Section 6.1.1, Using the Sentinel Control Center to Create a Dynamic List.