Been given a flat file of employee identifiers to be used as one of our watchlists; the requirement is for new identifiers to be added to the watchlist on an ad-hoc basis.

The watchlist will then be used from a policy to identify risky behavior by any members.

What is the best way to incorporate a file-based watchlist?

Extra credit would be to track when each record was added, and either delete or ignore any record added more than X days ago.

asked 17 Oct '14, 14:53 by JasonBlue (edited 17 Oct '14, 17:49)
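The file-based watchlist with per-record add dates and age-based expiry that the question asks for, as an added example; this is not code from the thread or from Securonix, and the CSV layout (`identifier,added_at`, ISO 8601 timestamps), the function names and the sample records are all assumptions made for illustration. Lines that carry only an identifier (the original flat file) are stamped at import time so that ageing starts when they entered the list.

```python
"""File-based watchlist: records when each identifier was added, returns the
identifiers still in scope, and prunes entries older than X days.

Assumed file layout (not a Securonix format):

    identifier,added_at
    e100001,2014-10-17T14:53:00+00:00
"""
import csv
import io
from datetime import datetime, timedelta, timezone

HEADER = ["identifier", "added_at"]


def load_watchlist(text, imported_at):
    """Parse watchlist text into {identifier: added_at (aware datetime)}.

    Legacy lines with only an identifier are stamped with `imported_at`;
    comment lines (#) and the header row are skipped; identifiers are
    lower-cased so 'E100001' and 'e100001' are the same record.
    """
    records = {}
    for row in csv.reader(io.StringIO(text)):
        if not row or row[0].strip().startswith("#") or row[0].strip() == "identifier":
            continue
        ident = row[0].strip().lower()
        if not ident:
            continue
        if len(row) > 1 and row[1].strip():
            added = datetime.fromisoformat(row[1].strip())
            if added.tzinfo is None:  # treat naive timestamps as UTC
                added = added.replace(tzinfo=timezone.utc)
        else:
            added = imported_at
        # If an identifier appears twice, keep the earliest add time.
        if ident not in records or added < records[ident]:
            records[ident] = added
    return records


def add_identifiers(records, identifiers, now):
    """Ad-hoc additions: new identifiers are stamped with `now`; existing
    ones keep their original timestamp. Returns the identifiers added."""
    added = []
    for raw in identifiers:
        ident = raw.strip().lower()
        if ident and ident not in records:
            records[ident] = now
            added.append(ident)
    return added


def active_identifiers(records, now, max_age_days):
    """'Ignore' mode: identifiers added within the last `max_age_days`."""
    cutoff = now - timedelta(days=max_age_days)
    return {i for i, t in records.items() if t >= cutoff}


def prune(records, now, max_age_days):
    """'Delete' mode: remove stale entries in place; returns what was removed."""
    cutoff = now - timedelta(days=max_age_days)
    stale = sorted(i for i, t in records.items() if t < cutoff)
    for i in stale:
        del records[i]
    return stale


def dump_watchlist(records):
    """Serialise back to CSV, sorted so the file diffs cleanly under version control."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(HEADER)
    for ident in sorted(records):
        writer.writerow([ident, records[ident].isoformat()])
    return out.getvalue()


# Constructed sample: an original flat file (no timestamps) plus one stamped entry.
SAMPLE = """# employee ids from HR export (constructed sample data)
E100001
E100002,2014-09-01T00:00:00+00:00
"""


def demo():
    """Import the flat file, add two ids ad hoc (one duplicate), then age it out at 30 days."""
    imported = datetime(2014, 10, 17, 14, 53, tzinfo=timezone.utc)
    records = load_watchlist(SAMPLE, imported_at=imported)
    add_identifiers(records, ["E100003", "e100001"], now=imported + timedelta(days=10))
    now = datetime(2014, 11, 1, tzinfo=timezone.utc)
    active = active_identifiers(records, now, max_age_days=30)
    removed = prune(records, now, max_age_days=30)
    return records, active, removed


if __name__ == "__main__":
    records, active, removed = demo()
    print("active:", sorted(active))
    print("removed:", removed)
    print(dump_watchlist(records), end="")
```

Whether a policy should ignore stale records or the file should be pruned is a choice: pruning keeps the file small, but keeping the record and filtering by age preserves an audit trail of who was on the list and when, which is usually what an investigator wants to see later.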


Watch lists are currently added as a result of 'watchlist'-based policies.

But again, a watch list based on a flat file is a good feature which will be helpful. Let us get more thoughts around this along with the audits.

answered 20 Oct '14, 13:54 by anjan ♦♦

Anjan, thanks for the reply.

The question started as a watchlist; the issue is all 1st-party (company's) intel that isn't defined within the identity, access, or activity data, and which is needed within more than one policy. E.g., the names of nDLP/firewall rules within scope for exfil policies, a list of domains to whitelist, employees who recently travelled, geolocations of concern, etc.

Feel free to reach out to me to learn more on these. Meanwhile, I've hard-coded the watchlist into a policy.

Thanks again Anjan, Jason

(20 Oct '14, 16:16) JasonBlue

I suggest that you use the TPI feature within 4.6 to get the intel data in. In 4.6, you have the capability to create a new TPI source and add any data to it. The data is indexed and can be utilized within policies. I will provide a write-up on how to create a new TPI source and add data to it on the community site. Will post the link to it shortly.

answered 23 Oct '14, 00:07 by tgulati ♦♦

Thanks again, Jason, for the feedback!

answered 20 Oct '14, 17:06 by anjan ♦♦

Tanuj, the only link I found on the community site is the following, which provides some insight but doesn't mention using TPI for watchlists.

http://community.securonix.com/index.php/4.6_GetDatain/Chapter_27:Get_Threat_Intelligence_Data

answered 12 Mar '15, 17:59 by JasonBlue (edited 12 Mar '15, 18:05)

It would be nice if additional directions were given, as the built-in TPI source, categories, and field types don't include support for creating a watchlist of users.

answered 12 Mar '15, 18:45 by JasonBlue

Asked: 17 Oct '14, 14:53

Seen: 1,856 times

Last updated: 12 Mar '15, 18:45