Hi
There is a Python script that receives data from an external resource, processes this data and saves it in the appropriate files. From these files, the FlexConnector regex file receives the processed information in CEF format and sends it to ArcSight. There is a rule that tracks this data and stores it in an active list.
The first question is related to lists. Maybe I'm wrong, but I read somewhere that the maximum number of elements in a list is 10,000. Is this true or not? Most likely there will be cases when the list will have to store up to 50,000 or even 100,000 items. If the content of the lists is limited, then what is the alternative and what would it look like, for example a rule that filters the data and distributes it across 2, 3 or 4 lists? Tell me what settings for the list would be practical in my case.
The second question concerns correlation rules, namely the use of information from lists.
I need all future connectors and their events that contain fields such as deviceAddress or attackerAddress to be compared with the contents of the Indicator Value column in the active list. Is it possible to do this, and what would this rule look like? Is my train of thought correct at all, and is there perhaps some other way to implement this?
Thank you in advance
Bohdan
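As an added illustration of the pipeline the post describes (this is example code written for this page, not the poster's script and not anything shipped with ArcSight), the block below does three things in plain Python: it renders constructed indicator records as CEF lines with the escaping the CEF format requires (`\` and `|` in header fields, `\` and `=` in extension values), it assigns each indicator a deterministic bucket number so that a rule could route it into one of N active lists (the `cs3`/`ListBucket` field and the hash-based bucketing are assumptions of this example, not an ArcSight feature), and it performs the lookup the correlation rule would do by parsing constructed events and checking their `dvc` and `src` values against the indicator set. `dvc` and `src` are the CEF keys that map to deviceAddress and sourceAddress; attackerAddress is derived by ESM, so treating `src` as the attacker address is an assumption here.

```python
"""Constructed example: indicators -> CEF lines -> bucket for N active lists,
plus a lookup of event addresses against the indicator set.
Not the original poster's code; all sample data below is made up."""
import hashlib
import re

# Constructed sample indicators (documentation IP ranges, not real threat data).
INDICATORS = [
    {"value": "203.0.113.10", "type": "ip", "source": "feed-a"},
    {"value": "198.51.100.77", "type": "ip", "source": "feed-b"},
    {"value": "192.0.2.5", "type": "ip", "source": "feed-a"},
]

# Constructed sample events as a connector might forward them (dvc = deviceAddress,
# src = sourceAddress; this example treats src as the attacker address, an assumption).
EVENTS = [
    "CEF:0|Vendor|FW|1.0|100|Connection allowed|3|src=203.0.113.10 dst=10.0.0.5 dvc=10.0.0.1",
    "CEF:0|Vendor|FW|1.0|100|Connection allowed|3|src=10.0.0.7 dst=10.0.0.5 dvc=10.0.0.1",
    "CEF:0|Vendor|IDS|2.1|7|Scan detected|6|src=10.0.0.9 dvc=192.0.2.5 msg=port scan a\\=b",
]


def cef_escape_header(value):
    # CEF header fields: backslash and pipe must be escaped.
    return value.replace("\\", "\\\\").replace("|", "\\|")


def cef_escape_ext(value):
    # CEF extension values: backslash, equals sign and line breaks must be escaped.
    return (value.replace("\\", "\\\\").replace("=", "\\=")
            .replace("\r", "\\r").replace("\n", "\\n"))


def bucket_for(value, n_lists):
    # Deterministic partition so the same indicator always lands in the same list.
    # Assumption of this example: the rule would route on this number (cs3 below).
    digest = hashlib.sha256(value.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "big") % n_lists


def indicator_to_cef(ind, n_lists):
    """Render one indicator as a CEF line for a FlexConnector to pick up."""
    ext = {
        "cs1Label": "IndicatorValue", "cs1": ind["value"],
        "cs2Label": "IndicatorType", "cs2": ind["type"],
        "cs3Label": "ListBucket", "cs3": str(bucket_for(ind["value"], n_lists)),
        "sourceServiceName": ind["source"],
    }
    header_fields = ["CEF:0", "Example", "ThreatFeed", "1.0", "ioc",
                     "Indicator ingested", "5"]
    header = "|".join(cef_escape_header(h) for h in header_fields)
    return header + "|" + " ".join(f"{k}={cef_escape_ext(v)}" for k, v in ext.items())


def ingest(indicators, n_lists):
    return [indicator_to_cef(i, n_lists) for i in indicators]


# key=value pairs; a value may contain spaces and escaped characters (\= \\ \n \r),
# and ends where the next "key=" begins or at end of line.
_EXT_RE = re.compile(r"(\w+)=((?:\\.|[^=\\])+?)(?=\s+\w+=|$)")


def parse_cef_extension(line):
    """Split off the 7 header fields on unescaped pipes, then parse the extension."""
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    ext = parts[7] if len(parts) > 7 else ""
    return {m.group(1): re.sub(r"\\(.)", r"\1", m.group(2))
            for m in _EXT_RE.finditer(ext)}


def build_indicator_set(indicators):
    return {i["value"] for i in indicators}


def match_events(cef_lines, indicator_set, fields=("dvc", "src")):
    """The lookup a correlation rule would do: flag events whose device or source
    address equals an Indicator Value in the list. Returns (field, value) hits."""
    hits = []
    for line in cef_lines:
        ext = parse_cef_extension(line)
        for field in fields:
            if ext.get(field) in indicator_set:
                hits.append((field, ext[field]))
    return hits


if __name__ == "__main__":
    for line in ingest(INDICATORS, n_lists=4):
        print(line)
    print(match_events(EVENTS, build_indicator_set(INDICATORS)))
```

The bucket number is only useful if every consumer derives it the same way; computing it once at ingestion time and carrying it in the event, as above, keeps the rule that splits the feed across lists simple. The matcher deliberately unescapes extension values before comparison so that an indicator containing `=` or `\` still matches the event as the connector would deliver it.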