Collections: Whitelist and Blacklist

A collection is a stored list of items that values in events can be compared against. Typical collections hold employees with administrative rights (so that their alerts can be filtered out), process names that are considered normal on your network, or lists of known troublesome domains.

DarkLight allows the creation of two types of collections:

  1. Object Collections contain named individuals like ent:Employee-berg789 that were created during an ingest process. These are the values of Object Properties in an event.
  2. String Collections contain alphanumeric text strings, like "Program Files" or "192.168.5". These are the values of text Data Properties in an event.

Collections are created and edited in the Collection Manager view, which can be opened by choosing Window→Show View from the menu and then selecting Collection Manager.

To create a new collection from the Collection Manager, click the New Collection button in the bottom-left of the view. In the dialog that pops up, enter a name for the Collection, and choose which kind of items you will be adding to the collection.

Collections can also be created and edited inside a PRO Playbook, by using the Edit Collection step.

Items can be added to a collection in any of the following ways:

From the Collection Manager, select the collection name in the sidebar list, then click either the Upload File button or the Add Text button. In the dialog that pops up, either select a text file to upload (one item per line) or type/paste a list of items (one item per line).

Items can also be added to an existing or new collection from the Results Graph. Right-click on a value and choose Add to Collection. In the dialog that pops up, choose or create the collection and click OK. This currently works only for string collections; the text can be edited before it is added to the collection.

For object collections, enter the full name of the object, not its ID. Spaces in the name are converted automatically. You must also specify which class of items you are entering; classes can be mixed within a single collection. For example, to add the "Customer Service" department, enter Customer Service and specify the ent:Department class. The collection will then contain Department-Customer+Service. The easiest place to find an object's name is the Results Summary view with the contextual object selected; the name can be copied to your clipboard from that view.

Inside a playbook, items can be added to a collection with Step: Edit Collection.

Items added to a collection cannot be edited directly. To remove an item from a collection, select it and click the red x icon. Standard selection keyboard modifiers (Control, Shift, etc.) can be used to select multiple items in the list.
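The following added example (not DarkLight's own code) models the two things described above: how an object-collection entry is stored from a class plus a name (the page's Department-Customer+Service case) and how such a collection then acts as an administrator whitelist that filters alerts. The generalization of the naming rule to other classes, the handling of blank lines in an upload, and the ent: prefix comparison are assumptions, and all sample data is constructed.

```python
# Added example, not DarkLight's own code: models how collection items are
# stored and then used as an administrator whitelist to filter alerts.
ENT_PREFIX = "ent:"  # namespace prefix seen on object names such as ent:Employee-berg789


def strip_prefix(value: str) -> str:
    """Remove a leading ent: prefix if present."""
    return value[len(ENT_PREFIX):] if value.startswith(ENT_PREFIX) else value


def object_collection_entry(cls: str, name: str) -> str:
    """Stored form of an object-collection item.

    The page gives one case: class ent:Department with name "Customer Service"
    is stored as Department-Customer+Service. Applying the same rule to other
    classes (drop ent:, join with '-', spaces become '+') is an assumption.
    """
    return f"{strip_prefix(cls)}-{name.strip().replace(' ', '+')}"


def load_object_collection(cls: str, upload_text: str) -> set[str]:
    """Parse one-item-per-line upload text for a single class.

    Blank lines and surrounding whitespace are ignored (assumed; the page
    only says one item per line).
    """
    return {object_collection_entry(cls, line) for line in upload_text.splitlines() if line.strip()}


def filter_alerts(alerts: list[dict], admin_whitelist: set[str]) -> list[dict]:
    """Keep only alerts whose actor is not in the whitelist.

    Event values carry the ent: prefix while stored entries do not, so the
    prefix is dropped before the lookup (assumed comparison behaviour).
    """
    return [a for a in alerts if strip_prefix(a["actor"]) not in admin_whitelist]


# Constructed sample data for the demonstration.
ADMIN_UPLOAD = "berg789\nJane Smith\n\n"
ADMINS = load_object_collection("ent:Employee", ADMIN_UPLOAD)
ALERTS = [
    {"id": 1, "actor": "ent:Employee-berg789", "event": "group membership change"},
    {"id": 2, "actor": "ent:Employee-Jane+Smith", "event": "new service installed"},
    {"id": 3, "actor": "ent:Employee-lee042", "event": "new service installed"},
]
REMAINING = filter_alerts(ALERTS, ADMINS)  # only alert 3 survives the whitelist

if __name__ == "__main__":
    print(sorted(ADMINS))
    for alert in REMAINING:
        print(alert)
```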

Large Collection Note

The Collection Manager interface displays only the first 5,000 items of a large collection, but all of the items remain available to any collection step.

To delete a collection, select it from the sidebar list on the left, and click the red x button at the bottom of the sidebar.

Compare values against those in a collection using one of the following steps:

Last modified: 2019/08/15 15:59