This website uses cookies. By clicking OK, you consent to the use of cookies. Click Here to learn more about how we use cookies.
OK
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

RSA enVision® Discussions

Browse the RSA enVision discussion board to get product help and collaborate with other users of RSA enVision.
RSAAdmin
Beginner
Beginner
‎2012-05-03 12:09 PM

Dynamic lists

Hi all, I need to use dynamic lists (like active lists in ArcSight) to use them on correlation alerts. I cannot modify watchlists as an output action, so I do not know how to do it. This kind of lists could be useful for monitoring. For example, if I want to know which users are currently logged in or which machines are currently updated. Does somebody try to define these correlation rules? Thank you. Best regards!
0 Likes
Reply
1 Reply
ScottPause
Beginner
Beginner
‎2012-05-14 12:49 PM

Getting output of alerts (like source IP) - not possible.  You could use task escalate, but that would be difficult (although possible).

 

For general watchlist updating:

You need to use the OS and db scripts to do this.  There is a batch file included with enVision ( I think) that can update it.  There is also a powershell that can perform the same thing.

 

It will take the contents of a file and import it into a watchlist (overwriting it)

 

db_updatewatchlist

 

I'm looking for the ps1 script now. -> http://rsaenvision.lithium.com/t5/Tools-and-Scripts/dbUpdate-watchlist-cmd-replacement/m-p/2339

0 Likes
Reply
© 2020 RSA Security LLC or its affiliates.
All rights reserved.