Using a Watch List

Adding Watch List to a Rule

You can now add your new watch list to a rule, so that when the rule is triggered, items will be added to the watch list.

  1. Go to RESOURCES > Rules.
  2. Select the rule where you want to add the watch list, and click Edit.
  3. Click the edit icon for the Watch List field.
  4. For Incident Attribute, select the incident information you want to add to the watch list.
    Note: Watch List Attribute Type Must Match Incident Attribute. The Type that you set for the watch list must match the Incident Attribute Type for the rule. For example, if your watch list Type is IP, and the Incident Attribute Type for the rule is string, you will not be able to associate the watch list with the rule.
  5. Move the watch list you want to add from the Available list to the Selected list using the right arrow.
  6. Click Save.
    The Watch Lists field value displays 'Defined'.

Using Watch Lists as Conditions in Rules and Reports

You can create a rule or report that refers to the attributes in a watch list. For example, you can create a condition in which a Source IP listed in your DNS Violators watch list will trigger an incident.

  1. Go to RESOURCES > Reports or Rules and select the rule or report where you want to use the watch list.
  2. Click Edit.
  3. Under Conditions for the report, or in your rule sub-pattern, enter the watch list attribute you want to filter for in the Attribute field.
    For example, Source IP.
  4. For Operator, select IN.
  5. Click ... Select from CMDB under Value, and browse the folders to select the watch list using the right arrow.
    For example, DNS Violators.
  6. Click OK and continue creating your search criteria or rule sub-pattern.
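
The two procedures above, modelled as an added Python example (a conceptual sketch, not the product's code or API): a rule that writes its incident attribute into a type-matched watch list, and a condition that tests `Source IP IN DNS Violators`. The attribute-type map, the rule name, the `Host Name` attribute and all sample values are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed attribute-to-type map; the page itself names only the IP and string types.
INCIDENT_ATTR_TYPES = {"Source IP": "IP", "Host Name": "string"}

def normalize(value, attr_type):
    """Canonicalize a value so list membership compares like with like."""
    if attr_type == "IP":
        return str(ipaddress.ip_address(value))  # raises ValueError if not an IP
    return str(value)

@dataclass
class WatchList:
    name: str
    attr_type: str
    entries: set = field(default_factory=set)

@dataclass
class Rule:
    name: str
    incident_attr: str
    watch_lists: list = field(default_factory=list)

    def attach(self, wl):
        # The type check from the note: mismatched types cannot be associated.
        rule_type = INCIDENT_ATTR_TYPES[self.incident_attr]
        if wl.attr_type != rule_type:
            raise TypeError(f"{wl.name} is {wl.attr_type}, rule attribute is {rule_type}")
        self.watch_lists.append(wl)

    def trigger(self, incident):
        # When the rule fires, the chosen incident attribute goes into each list.
        for wl in self.watch_lists:
            wl.entries.add(normalize(incident[self.incident_attr], wl.attr_type))

def in_watch_list(event, attribute, wl):
    """Evaluate the condition `<attribute> IN <watch list>` for one event."""
    try:
        return attribute in event and normalize(event[attribute], wl.attr_type) in wl.entries
    except ValueError:  # the event value is not a valid IP address
        return False

def demo():
    dns_violators = WatchList("DNS Violators", "IP")
    rule = Rule("Hypothetical DNS rule", "Source IP")
    rule.attach(dns_violators)
    rule.trigger({"Source IP": "10.1.1.5", "Host Name": "ws-17"})  # constructed incident
    events = [{"Source IP": "10.1.1.5"}, {"Source IP": "10.1.1.6"}, {"Host Name": "ws-17"}]
    return [in_watch_list(e, "Source IP", dns_violators) for e in events]
```

Only the first constructed event matches; an event with no Source IP, or with a value that is not a valid IP, never satisfies the condition.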