Active lists
Active list resources are dynamically updated data containers used by the KUMA correlators to read and write information when analyzing events according to correlation rules.
Available active list resource settings:
- ID—identifier selected Active list. This setting is displayed for active lists that have been created. You can copy this value by using the
button. - Name (required)—a unique name for this type of resource. Must contain from 1 to 128 Unicode characters.
- Tenant (required)—name of the tenant that owns the resource.
- TTL—time to live parameter of entries stored in the Active list, in seconds. The default value is
0. The maximum time to live is31536000(one year). When the time to live expires, the entry is deleted, and an event is generated for deleting the entry from the active list (see below). - Description—you can add up to 256 Unicode characters describing the resource.
During the correlation process, when entries are deleted from active lists, service events are generated in the correlators. These events only exist in the correlators, and they are not redirected to other destinations. Correlation rules can be configured to track these events so that they can be used to identify threats. Service event fields for deleting an entry from the active list are described below.
Event field |
Value or comment |
|
Event identifier |
|
Time when the expired entry was deleted |
|
|
|
|
|
|
|
Correlator ID |
|
Correlator name |
|
Active list ID |
|
Key of the expired entry |
|
Number of deleted entry updates increased by one |