A State Tracker list format is created to group and aggregate multiple columns, and to use enrichment methods such as modifiers.
In the example above, IP and MAC information is gathered from the DHCP logs. The IP columns are matched and a Source.MacAddress column is created in the firewall logs. Thus, the firewall logs are automatically enriched with the MAC address information obtained from the DHCP server.
Basic/Advanced Mode: For the detailed list options, click "Advanced Mode".
Description: Specify a name for the list.
Type: State Tracker
Severity: Specify the importance of the list.
Context: You can tag the objects that enter this list as Suspicious, Victim or Attacker for use in future events.
Tag: Determine which groups will be authorized to view the list you are creating. (Click for the Tag Feature guide)
Entry Conditions: The condition that selects the logs entering the list for enrichment (the DHCP source in the example).
Exit Conditions: The condition that removes logs from the enrichment process.
Key Column: The column of the entering logs that should match the column of the logs you want to enrich.
Purge Period: The number of seconds after which information retrieved from the list expires. By default, it is set to three thousand (3000) seconds.
Index Events: If you tick the Index Events option, the list is written to the Logsign Unified SecOps Platform Index system.
Match Conditions: The specific objects (logs) to which this enrichment will be applied.
Key Field: The column of the logs you want to enrich; it should match the Key Column.
Then click the Save button to save the settings.
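The following is an added example, not Logsign's own code, that models how the settings above work together: DHCP lease logs satisfying the Entry Conditions enter the list keyed on the Key Column (an IP), firewall logs satisfying the Match Conditions are enriched with a Source.MacAddress column where their Key Field matches, released leases leave the list through the Exit Conditions, and entries older than the Purge Period (3000 seconds by default) are dropped. The log records, column names such as Lease.IP, and timestamps are constructed for this example and are not Logsign's real schema.

```python
"""Minimal model of a State Tracker enrichment list (added example)."""
from typing import Callable, Dict, List, Tuple

Log = Dict[str, object]


class StateTracker:
    def __init__(
        self,
        entry_condition: Callable[[Log], bool],   # Entry Conditions
        exit_condition: Callable[[Log], bool],    # Exit Conditions
        match_condition: Callable[[Log], bool],   # Match Conditions
        key_column: str,      # Key Column on the entering logs
        value_column: str,    # column whose value is carried over
        key_field: str,       # Key Field on the logs being enriched
        output_field: str,    # column created on the enriched logs
        purge_period: float = 3000.0,  # Purge Period, documented default
    ) -> None:
        self.entry_condition = entry_condition
        self.exit_condition = exit_condition
        self.match_condition = match_condition
        self.key_column = key_column
        self.value_column = value_column
        self.key_field = key_field
        self.output_field = output_field
        self.purge_period = purge_period
        # key value -> (carried value, time the entry was last written)
        self.entries: Dict[object, Tuple[object, float]] = {}

    def purge(self, now: float) -> int:
        """Drop entries older than the purge period; return how many were dropped."""
        stale = [k for k, (_, ts) in self.entries.items() if now - ts > self.purge_period]
        for k in stale:
            del self.entries[k]
        return len(stale)

    def process(self, log: Log, now: float) -> Log:
        """Feed one log through the list and return it, enriched if it matched."""
        self.purge(now)
        if self.exit_condition(log):
            # Exit: the object leaves the list, later matches get no enrichment.
            self.entries.pop(log.get(self.key_column), None)
        elif self.entry_condition(log):
            key = log.get(self.key_column)
            if key is not None and self.value_column in log:
                self.entries[key] = (log[self.value_column], now)
        elif self.match_condition(log):
            hit = self.entries.get(log.get(self.key_field))
            if hit is not None:
                log = dict(log)  # do not mutate the caller's record
                log[self.output_field] = hit[0]
        return log


def dhcp_mac_tracker() -> StateTracker:
    """The IP -> MAC enrichment from the text, with constructed column names."""
    return StateTracker(
        entry_condition=lambda log: log.get("Source") == "dhcp" and log.get("Event") == "lease",
        exit_condition=lambda log: log.get("Source") == "dhcp" and log.get("Event") == "release",
        match_condition=lambda log: log.get("Source") == "firewall",
        key_column="Lease.IP",
        value_column="Lease.MAC",
        key_field="Source.IP",
        output_field="Source.MacAddress",
    )


# Constructed sample logs as (seconds since start, record).
SAMPLE_LOGS: List[Tuple[float, Log]] = [
    (0, {"Source": "dhcp", "Event": "lease", "Lease.IP": "10.0.0.5", "Lease.MAC": "aa:bb:cc:dd:ee:01"}),
    (10, {"Source": "firewall", "Source.IP": "10.0.0.5", "Action": "deny"}),     # enriched
    (20, {"Source": "firewall", "Source.IP": "10.0.0.9", "Action": "allow"}),    # no lease known
    (30, {"Source": "dhcp", "Event": "release", "Lease.IP": "10.0.0.5"}),        # exit condition
    (40, {"Source": "firewall", "Source.IP": "10.0.0.5", "Action": "deny"}),     # released, no MAC
    (50, {"Source": "dhcp", "Event": "lease", "Lease.IP": "10.0.0.7", "Lease.MAC": "aa:bb:cc:dd:ee:02"}),
    (3100, {"Source": "firewall", "Source.IP": "10.0.0.7", "Action": "deny"}),   # 3050 s later: purged
]


def run_sample() -> List[Log]:
    tracker = dhcp_mac_tracker()
    return [tracker.process(log, ts) for ts, log in SAMPLE_LOGS]


if __name__ == "__main__":
    for record in run_sample():
        print(record)
```

Only the second firewall record comes out carrying Source.MacAddress: the third has no matching lease, the fifth arrives after the release, and the last arrives after the purge period has elapsed for its lease. When tuning the Purge Period for a real DHCP feed, compare it with the lease time, since an entry that outlives the lease can attach a stale MAC to a re-used IP.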