Dynamic Lists can be referenced in a Correlation Rule by using the Custom/Freeform option of the Correlation Rule Wizard. For example:
filter(e.<tagname> inlist <Dynamic List Name>)
where
e.<tagname> represents a metatag in the incoming event, such as e.shn (Source Host Name) or e.dip (Destination IP address)
<Dynamic List Name> is the name of an existing Dynamic List, such as CriticalServerList
The following instructions assume that a Dynamic List already exists.
To add a Dynamic List to correlation rule:
Open the Correlation Rules Manager window and select a folder from the drop-down list to which this rule is added.
Click Add button located on the top left corner of the screen. The Correlation Rule window displays. Select Custom/Freeform Rule.
In the Custom/Freeform Rule window, write the condition for the rule including the name of the dynamic list. For example, filter(e.sev inlist Severity) where Severity is the dynamic list name.
Click Validate to test the validity of the rule.
On successful validation of the rule, click Next, the Update Criteria window displays.
Update the criteria for the rule to fire and click Next.
Enter a name to this rule. You have an option to modify the rule folder.
Enter rule description and click Next.
You have an option to create another rule from this wizard. Select your option and click Next.
NOTE: Users must have the permission to Start/Stop Correlation Engine to perform these actions.
The two states of Correlation engine are Enable and Disable .
When the Correlation Engine is enabled, it processes active correlation Rules. When in a disabled state, all its in-memory data is preserved and no new correlation events are generated. Disabling the Correlation Engine does not affect other parts of the Sentinel system.
Correlation rules are stored in the Sentinel database. When you activate the Correlation Engine in Sentinel Control Center, it requests the deployment information and rules from the database. Changes to a rule are not reflected in the Correlation Engine until one of the following things happens:
The rule is undeployed, edited and redeployed.
The rule is freshly deployed