Knowledge Lists

Last updated 1 year ago

Knowledge Lists refine the processing done by the alert engine, reducing false positives in an advanced and customizable way. In the user interface you can add, edit, filter, delete, and activate conditions as needed.


White List

The White List is evaluated first when an alert is handled; its purpose is to filter on the information contained in the alert. If an alert triggers a mechanism defined in the White List, it is processed; otherwise it is discarded. This helps identify legitimate events and reduces interruptions caused by false alerts.


Black List

Used to eliminate alerts that trigger any of its mechanisms. This list is effective for discarding alerts associated with events already known to be non-threatening or irrelevant, which improves the efficiency of the monitoring system.


Creating a List

Both lists follow the same creation process, with a form that includes a name, a description, and a list of entries, each of which can be managed independently.

Each entry must contain:

  • Name: Identifies the entry.

  • Monitoring System: Defines which Security Information and Event Management (SIEM) system the rules will be applied to.

  • Check All: When enabled, the value is searched for in any field of the alert payload. When disabled, matching follows the key-value rule.

  • Regex: When enabled, patterns are matched as regular expressions against the alert payload; when disabled, the search is for plain text.

  • Key-value fields can be added to build validation groups combined with logical operators (and/or), establishing a boolean rule scheme.

For the lists to be effective, they need to be linked to a correlation rule in the "Companies" tab during rule editing. This link ensures that the knowledge lists are applied appropriately.
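The following is an added example, not Inopli's own code, showing how the entry fields described above (Check All, Regex, and key-value groups joined by and/or) and the White List then Black List ordering can be evaluated against an alert payload. The entry layout, field names and the substring semantics for plain-text matching are assumptions made for this example.

```python
import re
from typing import Any, Iterable


def _values(payload: Any) -> Iterable[Any]:
    """Yield every leaf value of a nested alert payload (used by Check All)."""
    if isinstance(payload, dict):
        for v in payload.values():
            yield from _values(v)
    elif isinstance(payload, list):
        for v in payload:
            yield from _values(v)
    else:
        yield payload


def _match(value: Any, pattern: str, regex: bool) -> bool:
    """Regex search when the entry's Regex flag is on; otherwise a plain-text
    substring search (substring semantics are an assumption of this example)."""
    text = str(value)
    return bool(re.search(pattern, text)) if regex else pattern in text


def entry_matches(entry: dict, payload: dict) -> bool:
    """Check All: the value may appear in any field. Otherwise each key-value
    condition is looked up by key and the results are combined with and/or."""
    regex = entry.get("regex", False)
    if entry.get("check_all", False):
        return any(_match(v, entry["value"], regex) for v in _values(payload))
    results = [key in payload and _match(payload[key], val, regex)
               for key, val in entry["conditions"]]
    return all(results) if entry.get("operator", "and") == "and" else any(results)


def should_process(alert: dict, white_list: list, black_list: list) -> bool:
    """White List first: with entries linked, an alert that matches none is
    discarded (an empty list is treated as pass-through, an assumption here).
    Then any Black List match discards the alert."""
    if white_list and not any(entry_matches(e, alert) for e in white_list):
        return False
    return not any(entry_matches(e, alert) for e in black_list)


# Constructed sample alert and entries; not real Inopli data.
SAMPLE_ALERT = {"rule": "ssh_login", "src_ip": "10.0.0.5", "user": "svc-backup",
                "details": {"host": "db01.corp.example"}}
WHITE = [{"name": "corporate hosts", "check_all": True, "regex": True,
          "value": r"\.corp\.example$"}]
BLACK = [{"name": "known backup job", "regex": False, "operator": "and",
          "conditions": [("rule", "ssh_login"), ("user", "svc-backup")]}]

if __name__ == "__main__":
    print(should_process(SAMPLE_ALERT, WHITE, []))     # True: white-listed host
    print(should_process(SAMPLE_ALERT, WHITE, BLACK))  # False: black list hit
```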
[Screenshots: Overview Knowledge Lists; Creating a List; Creating an Entry]