By default, it's not possible to use an AL in a query based on a trend ( box is greyed ). But there is a workaround to this. Let's imagine a simple case. You want to run a report based on a trend to list all traffic coming from a list of Suspicious IP contained in an AL.
1) You create your AL like that :
- field based
- 1st column : IPAddr : key field
- 2nd column : constant : fixed value ( 1 for instance ) : can be created via a variable ( add 0 + 1 for instance ) : key value
2) in your query, you use a variable foo to retrieve values from this AL. In the field mapping tab, choose Attacker Address
3) in the condition tab you should now see foo.IPAddr and foo.constant
4) include a condition always matching the key value. Something like : foo.constant > 0
It should do the trick
I found it was possible to use the same trick in a filter that you use with an Active Channel. It's pretty interesting but it has some limitations. In my understanding, the reason why you cannot use AL in AC by default is that your AC would have to reload events continuously each time there is an entry added/removed in your AL which could quickly lead to issues for big or very dynamic AL. That being said, I like the idea to be able to use my AL "statically" in an AC. I mean you can create your AC in such a way that it will use entries in the AL but won't update itself when the AL changes. It gives you the flexibility of the AL but not the problem related to AC continuously updating.
To do that, I suggest you to :
* use an AL with a small amount of entries
* choose evaluate once at attach time
* restart your active channel if you want it to use the latest version of your AL
Even with those limitations, I found it to be useful when you want to monitor a special activity and want your filter to be updated automatically based on your AL instead of having to update manually your filter for each change.