List macro expressions


List type macros are a special form of macro that can contain large numbers of items which are logically ORed together. A list type macro can be used anywhere a regular macro is used, to create blacklists, whitelists, or other constructs. Unlike regular macros (which are limited to a small number of characters, such as 500 characters or less, on most systems), a list type macro can contain thousands of different items.

Lists are defined in the Correlation > Config > Lists screen, and contain items that are compared to each word in the incoming message. (This function uses a high-speed binary search, hence the correlation engine can quickly process hundreds or thousands of list items.) To match any item in the list, the operator simply specifies the macro @@name@@ as part of the expression. To exclude any item in the list, the operator simply specifies not @@name@@.

List macros can be used in conjunction with regular macros, or with other expressions.

Example

The operator can specify a match expression such as @@list1@@ and @@list2@@ and not (@@list3@@ or discard). 

Note

Using this technique, lists can be joined, but lists cannot otherwise be nested.
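The following is an added illustration, not code from BMC AMI Command Center for Security: a small Python evaluator that reproduces the semantics described above (each word of the incoming message is compared against a sorted list by binary search, list items are ORed, and @@name@@ macros combine with and/or/not and parentheses). The list names, their contents, and the sample messages are constructed for the example.

```python
import bisect
import re
from typing import Dict, List, Sequence

# Constructed sample lists standing in for lists defined under
# Correlation > Config > Lists. Items are kept sorted so that membership
# can be tested with a binary search, as the page describes.
LISTS: Dict[str, List[str]] = {
    "list1": sorted(["failed", "denied", "error"]),   # failure keywords
    "list2": sorted(["sshd", "login", "sudo"]),       # processes of interest
    "list3": sorted(["testhost", "scanner01"]),       # sources to ignore
}

WORD_RE = re.compile(r"[A-Za-z0-9_.@-]+")
EXPR_TOKEN_RE = re.compile(r"\s*(\(|\)|@@[A-Za-z0-9_]+@@|[^\s()]+)")
MACRO_RE = re.compile(r"@@([A-Za-z0-9_]+)@@")


def tokenize_message(message: str) -> List[str]:
    """Split an incoming message into lower-cased words."""
    return [w.lower() for w in WORD_RE.findall(message)]


def list_contains(items: Sequence[str], word: str) -> bool:
    """Binary search for one word in a sorted list of items."""
    i = bisect.bisect_left(items, word)
    return i < len(items) and items[i] == word


def list_matches(name: str, words: Sequence[str]) -> bool:
    """A list macro matches if ANY item equals ANY message word (items are ORed)."""
    items = LISTS[name]  # KeyError for a list name that was never defined
    return any(list_contains(items, w) for w in words)


def tokenize_expr(expr: str) -> List[str]:
    """Split a match expression into parentheses, macros, operators and keywords."""
    tokens, pos = [], 0
    while True:
        m = EXPR_TOKEN_RE.match(expr, pos)
        if not m:
            break  # only trailing whitespace remains
        tokens.append(m.group(1))
        pos = m.end()
    return tokens


class _Parser:
    """Recursive descent with precedence: or < and < not < ( ... ) / macro / keyword."""

    def __init__(self, tokens: List[str], words: Sequence[str]) -> None:
        self.tokens, self.pos, self.words = tokens, 0, words

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self) -> str:
        if self.pos >= len(self.tokens):
            raise ValueError("unexpected end of expression")
        self.pos += 1
        return self.tokens[self.pos - 1]

    def parse_or(self) -> bool:
        val = self.parse_and()
        while self.peek() is not None and self.peek().lower() == "or":
            self.take()
            rhs = self.parse_and()  # always consume the operand (no short-circuit)
            val = val or rhs
        return val

    def parse_and(self) -> bool:
        val = self.parse_not()
        while self.peek() is not None and self.peek().lower() == "and":
            self.take()
            rhs = self.parse_not()
            val = val and rhs
        return val

    def parse_not(self) -> bool:
        if self.peek() is not None and self.peek().lower() == "not":
            self.take()
            return not self.parse_not()
        return self.parse_primary()

    def parse_primary(self) -> bool:
        tok = self.take()
        if tok == "(":
            val = self.parse_or()
            if self.take() != ")":
                raise ValueError("expected ')'")
            return val
        if tok == ")":
            raise ValueError("unexpected ')'")
        m = MACRO_RE.fullmatch(tok)
        if m:
            return list_matches(m.group(1), self.words)
        return tok.lower() in self.words  # bare keyword such as 'discard'


def evaluate(expr: str, message: str) -> bool:
    """Evaluate one match expression against one incoming message."""
    parser = _Parser(tokenize_expr(expr), tokenize_message(message))
    result = parser.parse_or()
    if parser.peek() is not None:
        raise ValueError(f"unexpected token {parser.peek()!r}")
    return result


if __name__ == "__main__":
    rule = "@@list1@@ and @@list2@@ and not (@@list3@@ or discard)"
    for msg in ["sshd: Failed password for root from 10.0.0.5",
                "sshd: Failed password for root from testhost"]:
        print(evaluate(rule, msg), msg)
```

With the constructed lists, the page's example expression accepts a failed sshd login from an ordinary host, but rejects the same message when its source word is in list3 or when the word discard appears. Note that the only nesting the evaluator allows is the boolean joining of whole lists with and/or/not; a list item is never itself a macro, matching the note above.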


BMC AMI Command Center for Security 6.2