Using Watch Lists as Conditions in Rules and Reports
You may want to create a rule that refers to the attributes in a watch list. For example, you can create a condition in which a Source IP listed in your DNS Violators watch list triggers an incident.
- Go to the rule or report where you want to use the watch list.
- Under Conditions for the report, or under Filters in your rule subpattern, enter the watch list attribute you want to filter for in the Attribute field.
For example, Source IP.
- For Operator, select IN.
- Click … next to Value, and use the CMDB Browser to find and select the watch list you want to use.
For example, DNS Violators.
- Click Folder >> to select the watch list, and then click OK.
- Continue creating your search criteria or rule subpattern as you normally would.