A Watch List is a smart container of similar items such as host names, IP addresses, or user names, that are of significant interest to an administrator and must be watched. Examples of watch lists that are already set up in FortiSIEM are:
- Frequent Account Lockouts - users who are frequently locked out
- Host Scanners - IP addresses that scan other devices
- Disk space issues - hosts with disks that are running out of capacity
- Denied countries - countries with an excessive number of access denials at the firewall
- Blacklisted WLAN endpoints - Endpoints that have been blacklisted by Wireless IPS systems
Items are added to a watch list dynamically when a rule is triggered, but you can also add items to a watch list manually. When you define a rule, you can also choose a watch list that will be populated with a specific incident attribute, and you can use watch lists as conditions while creating reports, as described in Using a Watch List. You can also define when an entry leaves a watch list - this is time based. For example, if the rule does not trigger for that attribute for defined time-period, then the entry is removed from the watch list. Watch lists are also multi-tenant aware, with organization IDs tracked in relation to watch list items.
The following section provides the procedures to use Watch Lists: