Reference Lists

A reference list is a generic list of values which can be used to analyze your data. The behavior of a list depends on the "List Type", which must be configured at list creation time, and can not be changed. For example, whitelisting the domains from malicious threats using a combination of rules and putting them in a list to use it for future detections. These lists can be shared to your tenants and organizations in order to minimize effort and save their time to define the same combination of rules when they encounter similar malicious domains or IP addresses. 

The following list of entities are generally used for referencing detection rules.

• Domain
• Email Id
• File Hashes
• File Path
• Host Name
• IP Address
• Network Subnet
• Port 
• URL
• Username

Configuring Reference Lists

User Permissions Required: A Creator from these categories such as Domain, Organization and Tenant can configure reference list.

To configure a reference list,

1. Navigate to Configurations --> Chronicle CMS at left menu.
2. Click Reference Lists tile.
3. From the Reference listing page, click +Add List Manager in the top right corner of screen.
   A New List Manager editable page appears on the screen.
4. Enter Title and Description for your reference list.
5. Select an Entity Type from the dropdown menu.
   • Email ID (or)
   • Domain
6. Enter Entity List.
7. Company is a default field which is filled automatically based on the type of user that logged on.
8. Click Save. It will be saved as a Draft.

Note 1: The significance of Entity list is when you reference a list to a rule, it notifies the users about any signal based on the email address that you have added in the Entity list which is enabled based on the Entity Type that you have selected.

Note 2: Title and Description are not editable once a reference list is published, and you can not delete a reference list after publishing it.