I’ve seen in documentation that there is a watchlist feature, but can’t find any documentation on how it should work.

I can see the lookup tables, but no way to add values to it to watch for.

We are currently running Graylog Enterprise 4.3. Does anyone have any more details on it?

Hello & welcome @robertnaylor

Really good question, all I know about Watchlist is this here, and BTW the links are broken 404.

And what little description is on the Web UI. I'm going to assume it may be for audit logging, not sure.

The lookup table for the Watchlist. It contains three default keys for “ip”, “user” and “hash” values. Can you enlighten us on Watchlist Data Adapters?

Thanks @gsmith, sorry for the late reply.

The watchlist feature was introduced in GL Security v4.2 and is a built-in lookup table intended to capture IPs, user names or hash values from collected logs.

The lookup table may be used in event definitions for alerts, in pipelines and in the search UI.

There are three watchlist functions that have been created.

These functions allow you to write rules that will add values that you wish to capture from incoming logs, or check the incoming values against previously seen addresses, or both. You can also remove values from the table.

You can also add entries from the search page.

Once added, any log that comes in and is on the watchlist will be displayed in the log message details.

Nice and thank you

