The watchlist feature was introduced in GL Security v4.2 and is a built-in lookup table intended to capture IPs, user names or hash values from collected logs.
The lookup table may be used in event definitions for alerts, in pipelines and in the search UI.
Three watchlist functions are provided.
With them you can write rules that add values you wish to capture from incoming logs, check incoming values against previously seen addresses, or both. You can also remove values from the table.