
# Knowledge Lists

Knowledge Lists refine how the alert engine processes alerts, reducing false positives in an advanced and customizable way. In the user interface, conditions can be added, edited, filtered, deleted, and activated as needed.

<figure><img src="/files/WldWvaNuOskavQfvr53Z" alt=""><figcaption><p>Overview Knowledge Lists</p></figcaption></figure>

***

### White List

The White List takes priority in alert handling; its purpose is to filter on the information contained in alerts. If an alert triggers a mechanism defined in the White List, it is processed; otherwise, it is discarded. This helps identify legitimate events and reduces interruptions caused by false alerts.

***

### Black List

The Black List eliminates alerts that trigger any of its mechanisms. It is effective for discarding alerts associated with events already known to be non-threatening or irrelevant, improving the efficiency of the monitoring system.

***

### Creating a List

Both lists follow the same creation process: a form with a name, a description, and a list of entries, each of which can be managed independently.

<figure><img src="/files/hpbUFLFGVfn4RubJEwaV" alt=""><figcaption><p>Creating a List</p></figcaption></figure>

Each entry must contain:

* Name: Identifies the entry.
* Monitoring System: Defines which Security Information and Event Management (SIEM) system the rules are applied to.
* Check All: When activated, searches for the value in any field of the alert payload. When deactivated, matching follows the key-value rule.
* Regex: When activated, matches patterns in the alert payload using regular expressions; when deactivated, searches for plain text.
* Key-value fields: Can be added to create validation groups combined with logical operators (and/or), establishing a boolean rule scheme.

<figure><img src="/files/N1zb56RKbohcgT2JLtno" alt=""><figcaption><p>Creating an Entry</p></figcaption></figure>

For the lists to be effective, [they need to be linked to a correlation rule in the "Companies" tab during rule editing.](/response/rules/companies.md) This link ensures that the knowledge lists are applied appropriately.
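As an added illustration (not Inopli's own code), the following Python models the entry semantics described on this page: a payload of nested fields, key-value pairs joined by and/or, the Check All and Regex switches, and the White List being consulted before the Black List. The dotted key form (`src.ip`), the `operator` field, the rule that a linked White List decides alone, and the sample alert are all assumptions constructed for the example.

```python
import re
from dataclasses import dataclass

@dataclass
class Entry:
    name: str
    conditions: list          # (key, value) pairs; key is a dotted path into the payload (assumed)
    operator: str = "and"     # "and" / "or" joins the pairs into one boolean rule
    check_all: bool = False   # Check All: look for the value in any field, ignoring the key
    regex: bool = False       # Regex: value is a regular expression, else plain-text substring

def _leaves(node):
    """Every scalar under node, as strings (dicts and lists are walked)."""
    if isinstance(node, (dict, list)):
        for v in (node.values() if isinstance(node, dict) else node):
            yield from _leaves(v)
    else:
        yield str(node)

def _lookup(payload, dotted_key):
    for part in dotted_key.split("."):  # e.g. "src.ip" -> payload["src"]["ip"]
        if not isinstance(payload, dict) or part not in payload:
            return None
        payload = payload[part]
    return payload

def entry_matches(entry, alert):
    """Evaluate one entry's boolean rule against an alert payload (a dict)."""
    def hit(key, value):
        node = alert if entry.check_all else _lookup(alert, key)
        if node is None:
            return False
        if entry.regex:
            return any(re.search(value, leaf) for leaf in _leaves(node))
        return any(value in leaf for leaf in _leaves(node))
    results = [hit(k, v) for k, v in entry.conditions]
    return all(results) if entry.operator == "and" else any(results)

def triage(alert, white_list=(), black_list=()):
    """Return 'processed' or 'discarded'. Assumption: a linked White List is
    prioritized and decides alone; otherwise any Black List hit discards."""
    if white_list:
        return "processed" if any(entry_matches(e, alert) for e in white_list) else "discarded"
    return "discarded" if any(entry_matches(e, alert) for e in black_list) else "processed"

# Constructed sample alert and entries (not real Inopli data).
SAMPLE_ALERT = {"rule": {"name": "Port scan detected"}, "src": {"ip": "10.0.0.5"},
                "tags": ["vuln-scanner", "scheduled"]}
AUTHORIZED_SCANNER = Entry("Authorized scanner", [("src.ip", "10.0.0.5"), ("tags", "vuln-scanner")])
INTERNAL_SOURCE = Entry("Internal source", [("", r"^10\.\d+\.\d+\.\d+$")], check_all=True, regex=True)
```

Placing `AUTHORIZED_SCANNER` in a Black List discards the sample alert, while `INTERNAL_SOURCE` in a White List lets it through and discards alerts from any other address space.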

