Using a Watch List
You can now add your new watch list to a rule, so that when the rule is triggered, items will be added to the watch list.
- Go to RESOURCES > Rules.
- Select the rule where you want to add the watch list, and click Edit.
- Go to the Step 3: Define Action page.
- Click the edit icon for the Watch List.
- For Incident Attribute, select the incident information you want to add to the watch list.
Note: Watch List Attribute Type Must Match Incident Attribute. The Type that you set for the watch list must match the Incident Attribute Types for the rule. For example, if your watch list Type is IP, and the Incident Attribute Type for the rule is string, you will not be able to associate the watch list to the rule.
- Move the watch list you want to add from the Available list to the Selected list using the right arrow.
- Click Save.
The Watch Lists field value displays "Defined".
To create a rule that refers to the attributes in a watch list, for example a condition in which a Source IP listed in your DNS Violators watch list will trigger an incident:
- Go to RESOURCES > Reports or Rules and select the rule or report where you want to use the watch list.
- Click Edit.
- Go to the Step 2: Define Condition page.
- Under Conditions for the report or in your rule sub-pattern, enter the watch list attribute you want to filter for in the Attribute field.
For example, Source IP.
- For Operator, select IN.
- Click ... Select from CMDB under Value, and browse the folders to select the watch list using the right arrow.
For example, DNS Violators.
- Click OK and continue creating your search criteria or rule sub-pattern.