Dynamic Lists are distributed list structures that can be used to store string elements, such as IP addresses, server names, or usernames. The lists are then used within a correlation rule for a quick lookup to see whether an incoming event includes an element from the Dynamic List. Some examples of Dynamic Lists include:
Terminated user lists
Suspicious user watchlist
Privileged user watchlist
Authorized ports and services list
Authorized server list
A Dynamic List can be built using the text values for any event metatag. Elements may be added to the list manually (by an administrator) or automatically whenever a correlation rule fires. Elements may be removed from a list manually (by an administrator), automatically whenever a correlation rule fires, when their time limit expires, or when the maximum list size is reached.
IMPORTANT: The Time To Live (TTL) must be between 60 seconds and 90 days and the maximum list size is 100,000.
Regardless of how the values were added, they may be Persistent (active until manually removed or until the maximum list size is reached) or Transient (active only for a specified timeframe after being added to the list, also known as the Time to Live). The Time to Live can range from 60 seconds to 90 days.
NOTE: If the Time to Live period is updated on an active Dynamic List, the change is not retroactive to elements already on the list. Elements that have already been added to the dynamic list will retain their original Time to Live.
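The element lifecycle described above (Persistent versus Transient elements, TTL fixed at the moment of insertion, eviction of the oldest element when the size cap is reached, and the lookup a correlation rule performs) as an added in-memory model; this is illustrative code, not the product's own implementation. The injectable `clock` parameter and the class and method names are assumptions made for the example.

```python
import time

# Bounds given in the documentation: TTL between 60 seconds and 90 days, at most 100,000 elements.
MIN_TTL_SECONDS = 60
MAX_TTL_SECONDS = 90 * 24 * 60 * 60
MAX_LIST_SIZE = 100_000

class DynamicList:
    """In-memory model of a Dynamic List: string values with an optional per-element expiry."""

    def __init__(self, name, ttl=None, max_size=MAX_LIST_SIZE, clock=time.monotonic):
        # ttl=None makes elements Persistent; a number of seconds makes them Transient.
        # 'clock' is an injectable time source (an assumption for testing, not a product setting).
        self.name = name
        self.max_size = max_size
        self.clock = clock
        self.ttl = None
        self.set_ttl(ttl)
        self._elements = {}  # value -> expiry time, or None for persistent; insertion-ordered

    def set_ttl(self, ttl):
        """Change the list TTL; applies only to elements added afterwards (not retroactive)."""
        if ttl is not None and not MIN_TTL_SECONDS <= ttl <= MAX_TTL_SECONDS:
            raise ValueError("TTL must be between 60 seconds and 90 days")
        self.ttl = ttl

    def add(self, value):
        """Add a value (by an administrator or a firing rule); it keeps the TTL in force now."""
        self._expire()
        self._elements.pop(value, None)  # re-adding moves the value to the newest position
        self._elements[value] = None if self.ttl is None else self.clock() + self.ttl
        while len(self._elements) > self.max_size:  # size cap reached: evict the oldest element
            del self._elements[next(iter(self._elements))]

    def remove(self, value):
        """Manual or rule-driven removal."""
        self._elements.pop(value, None)

    def contains(self, value):
        """The correlation-rule lookup: is this event field value currently on the list?"""
        self._expire()
        return value in self._elements

    def _expire(self):
        """Drop Transient elements whose Time to Live has passed."""
        now = self.clock()
        for value, expires in list(self._elements.items()):
            if expires is not None and expires <= now:
                del self._elements[value]
```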