Add/Remove from List Dialog

The Add/Remove from List dialog allows you to add or remove an entity or meta value to an existing list or create a new list. For example, when you look up an IP address and you find it suspicious or interesting, you can add it to a relevant list, which has been added a data source. This improves the visibility of the suspicious IP addresses. You can also add entities or meta values to different lists. For example, you can add them to one list for suspected domains related to command and control connections and to another list for Trojan connections IP addresses related to remote access. If a list is not available, you can create a list. You can also remove the entity or meta value from a list.

Note: From the Add/Remove from List dialog, you can only add or remove entities or meta values from single column lists added as a datasource, not multi-column lists. And when you edit a list or a value in a list from the nodal view or the context lookup view, ensure to refresh the web page to view the updated data.

What do you want to do?

Role I want to ... Show me how
Incident Responders, Analysts Add an entity to a list.

From the Incident Details view, see Add an Entity to a Whitelist.

From the Alert Details view, Add an Entity to a Whitelist.

Incident Responders, Analysts

Create a whitelist, blacklist, or other list. Create a List

Administrators

Add a Context Hub list as a data source.

See "Configure Lists as a Data Source" in the Context Hub Configuration Guide.

Administrators Import or export a list for Context Hub. See "Import or Export Lists for Context Hub" in the Context Hub Configuration Guide.

Related Topics

Note: You cannot delete a list, but you can delete values within a list.

Quick Look

The following is an example of the Add/Remove from List dialog in the Respond view.
netwitness_addremovedialog_480x480.png

1 Entities or meta values to be added or removed.
2 Create a new list using the selected meta values.
3 Select any of the tabs: All, Selected, or Unselected.
4 Search using the list name or description.
5 Cancel the action.
6 Save to update lists or create a new list.

To access the Add/Remove from List dialog, in the Incident Details view or the Alert Details view, hover over the underlined entity that you would like to add or remove from a Context Hub list. A context tooltip appears showing the available actions.

netwitness_alertschtt5.png

In the Actions section of the tooltip, click Add/Remove from List. The Add/Remove From List dialog shows the available lists.

netwitness_addtolistdg2_480x482.png

The following table shows the options in the Add/Remove from List dialog.

Option Description
Meta Value Displays the selected entity or meta value that needs to be added to or removed from one or more lists. You can also a create a new list using the selected value.
Create New List When clicked, it displays a dialog to create a new list using the selected meta value.
All Shows all of the available Context Hub lists. The lists that contain the selected entity or meta value are selected. Select a checkbox to add an entity or meta value to a list. Clear a checkbox to remove it from the list.
Selected Shows only the lists that contain the selected entity or meta value. (All lists are selected.)
Unselected Shows only the lists that do not contain the selected entity or meta value. (All lists are unselected.)
Filter Results Enter the name or description of a specific list to search from multiple lists.
List Displays the name of all the lists.
Description Displays information about the selected list. The description that you provide when creating a list appears in this dialog. For example: This list contains all of the blacklisted IP addresses.
Cancel Cancels the operation.
Save Saves the changes.