Correlation output to modify watchlist
Just wondering if we can configure correlation output to modify a watchlist to add an item (with different attributes) and the time. It would be even better if the system can time out these items, or can we write a rule to time them out.
What I have read so far does not indicate that enVision has these capabilities.
You are correct, it does not. That would be cool though. About the closest thing you can do is configure your correlation alert to trigger a command execution as the desired output. That command execution could be a script that modifies watchlist content files (adding content, removing content, whatever) followed by the db_updatewatchlist to force the watchlist to update.
Depending on exactly what you want to do, it may be possible.
A modifiable-on-the-fly watchlist is very handy to capture historical activities and use them to correlate current events. For example, a rule can be written to run in the background to keep track of scanning activities. The identified source IP/name doing the recon can be put into a watchlist. A new attack detected can be correlated back to the watch list. An attack after an initial recon is more likely a targeted attack than a drive-by attack. It should be considered a more risky attack.
Of course, the entries in the watchlist must be able to be timed out individually with different time settings. It would be nice if this were a system function. If not, a rule should be designed to allow the user to do that.
This is just one example. There are other applications too.
So let's get back to the current moment. If enVision is not able to do this now (hope this is heard and built into the product in the future), are there ways that we can do this with the current product features?
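As an added example (not code from this thread or from RSA), here is the kind of script the command-execution output described in the reply above could run, extended to cover the per-entry timeouts asked for in the follow-up: each watchlist entry carries its own expiry, an alert adds or refreshes one entry, stale entries are dropped, and the file is then pushed to enVision with db_updatewatchlist. It assumes a simple one-entry-per-line file in the form value|attribute|expires_epoch (the real enVision watchlist file layout is not described in the thread, so parse_line/save_watchlist must be adjusted to match it) and that db_updatewatchlist is on the PATH; the sample addresses and clock values are constructed.

```python
"""Maintain a watchlist content file from a correlation-triggered command.

Added example, not part of the thread or RSA's own tooling. Assumptions:
- the watchlist file is plain text, one entry per line, in the hypothetical
  form  value|attribute|expires_epoch  (adjust to the real enVision layout);
- db_updatewatchlist (named in the reply) is an executable on the PATH.
"""
import subprocess
import tempfile
import time
from pathlib import Path


def parse_line(line):
    """Split one hypothetical 'value|attribute|expires_epoch' line."""
    value, attribute, expires = line.rstrip("\n").split("|", 2)
    return value, attribute, int(expires)


def load_watchlist(path):
    """Read the file into {value: (attribute, expires_epoch)}; missing file -> empty."""
    p = Path(path)
    if not p.exists():
        return {}
    entries = {}
    for line in p.read_text().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        value, attribute, expires = parse_line(line)
        entries[value] = (attribute, expires)
    return entries


def save_watchlist(path, entries):
    """Write entries back, sorted by value so diffs of the file stay readable."""
    lines = [f"{v}|{a}|{e}" for v, (a, e) in sorted(entries.items())]
    Path(path).write_text("\n".join(lines) + ("\n" if lines else ""))


def add_entry(entries, value, attribute, ttl_seconds, now=None):
    """Insert or refresh an entry. Each entry has its own expiry, so a port
    scanner can be kept for an hour while a brute-forcer is kept for a minute."""
    now = int(time.time()) if now is None else now
    entries[value] = (attribute, now + ttl_seconds)
    return entries


def expire_entries(entries, now=None):
    """Remove entries whose expiry has passed; returns the removed values."""
    now = int(time.time()) if now is None else now
    expired = [v for v, (_, e) in entries.items() if e <= now]
    for v in expired:
        del entries[v]
    return expired


def push_update(command=("db_updatewatchlist",)):
    """Ask enVision to reload the watchlist (assumed CLI name from the reply)."""
    return subprocess.run(list(command), check=False).returncode


def refresh_watchlist(path, value=None, attribute=None, ttl_seconds=0,
                      now=None, push=False):
    """One script run: load, add the alerted item (if any), expire, save, push."""
    entries = load_watchlist(path)
    if value is not None:
        add_entry(entries, value, attribute, ttl_seconds, now)
    expired = expire_entries(entries, now)
    save_watchlist(path, entries)
    if push:
        push_update()
    return entries, expired


def demo():
    """Stand-alone walk-through on a temporary file with a fixed clock
    (constructed sample addresses; no db_updatewatchlist call)."""
    path = Path(tempfile.mkdtemp()) / "recon_sources.txt"
    results = []
    results.append(refresh_watchlist(path, "198.51.100.7", "portscan", 3600, now=1000))
    results.append(refresh_watchlist(path, "203.0.113.9", "bruteforce", 60, now=2000))
    results.append(refresh_watchlist(path, now=2100))   # brute-forcer times out
    results.append(refresh_watchlist(path, now=5000))   # scanner times out
    return results


if __name__ == "__main__":
    for entries, expired in demo():
        print("entries:", entries, "expired:", expired)
```

In deployment the correlation alert would invoke the script with the source address and a TTL as arguments and with push=True, and a second scheduled invocation with no new value (a cron or Task Scheduler job) would sweep expired entries even when no alert fires, since expiry only happens when the script runs.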