Lists

Administrator permissions are required to access this feature.

Lists can be used to store, gather, and upload information into the Axon client. For example, lists of terminated users, threatening IP addresses, and banned applications can be stored using the Lists feature.

View Lists

To access and view the contents of a list in Axon:

  1. In the lower-left corner of the main screen, click the Administration cog icon.
    The Administration menu appears on the left side.
  2. Under Integrations, click Lists.
    The Lists table appears and shows the following information for each list:

    Column: Description
    List Name: The name of the list with a link to its details page.
    Data Type: Displays the type(s) of data contained within the list (for example, IP or INTEGER).
    Author: The author of the list.
    Last Updated: The date and time when the list was last modified.
    Date Created: The date and time when the list was created.
    Entries: The number of entries included in the list.

    For information on filtering columns in the table, see Filters.

List Overview

To see more information about a single list, from the Lists page:

  1. Select the name of the list from the List Name column.
    The list opens to the List Items tab, which displays each item in the list.
  2. Select the Overview tab to see more details of the list. The following fields appear on the Overview tab:

    Field: Description
    List Name: The name of the list with a link to its details page.
    Description: Displays an optional description of the list.
    Number of Items in List: Displays the number of rows in the list.
    Configuration Details: This section displays information about each column included within the list.
        Column: Displays the name of each column.
        Data Type: Displays the type(s) of data contained within each column of the list (for example, IP or INTEGER).
        ID: Displays a unique GUID for each list column. This GUID can be copied and used in searches. For more information on using list GUIDs in search, see the List Search section of Build a Search Query.
        Copy: Click to copy the list and column GUID, which are needed to construct list searches as described above.
    Last Updated: The date and time when the list was last modified.
    Date Created: The date and time when the list was created.
    Author: The author of the list.

LogRhythm System Lists

LogRhythm publishes lists to customer tenants that can be referenced in analytics rules and search criteria. System lists are published without any list items so that you can populate them with values that apply to your organization. Follow the Edit Lists workflow to populate a system list with values.

To identify system lists in the Lists grid, reference the Author column. Any list that reflects ‘logrhythm’ in the Author column is a system list that was created by LogRhythm and published to your tenant.

Inventory of LogRhythm System Lists

LogRhythm System List Name

List Description

Referenced By

MA:Cloud Accounts

Cloud accounts are created and configured by an organization to be used by users, remote support, and services.

They are also used in the administration of resources within a cloud service provider or SaaS application.

For more information, see MITRE ATT&CK technique T1078.004.

Analytics Rule T1078.004:Cloud Accounts

For more information, refer to the T1078.004:Cloud Accounts section of the Axon MITRE ATT&CK Streaming Analytics User Guide.

MA:Third Party Accounts

Third Party Accounts are created and configured by an organization to allow external providers access to corporate resources. For more information, see MITRE ATT&CK technique T1199.

Analytics Rule T1199:Trusted Relationship

For more information, refer to the T1199:Trusted Relationship section of the Axon MITRE ATT&CK Streaming Analytics User Guide.

MA:Default Accounts

Default Accounts are accounts that are typically included with operating systems, network appliances, cloud infrastructure, etc. For more information, see MITRE ATT&CK technique T1078.001.

Analytics Rule T1078.001:Default Accounts

For more information, refer to the T1078.001:Default Accounts section of the Axon MITRE ATT&CK Streaming Analytics User Guide.

Safelisted Regions

Safelisted Regions are global regions with known network traffic. For more information, see MITRE ATT&CK technique T1621.

Analytics Rule T1621:MFA Request Generation:Okta Push from Non-Safelisted Location

For more information, refer to the T1078.001:Default Accounts section of the Axon MITRE ATT&CK Streaming Analytics User Guide.

MA:Local Accounts

Local Accounts are accounts created and configured by an organization to be used in certain circumstances. For more information, see MITRE ATT&CK technique T1078.003.

Analytics Rule T1078.003:Local Accounts

For more information, refer to the T1078.001:Default Accounts section of the Axon MITRE ATT&CK Streaming Analytics User Guide.

PCI - Cardholder Data Systems

Information Systems that store, process, or transmit cardholder data or sensitive authentication data. For more information, see PCI DSS Compliance Bundle.

Linked Searches:

PCI - Authentication Failures

PCI - Cardholder Data Environment Access

PCI - Cardholder Data Environment Activity

PCI - Common Event Health

For more information, refer to the Searches section of the PCI DSS User Guide.

PCI - Physical Security Systems

Systems that control access to facilities, equipment, and resources such as badge readers and door access. For more information, see PCI DSS Compliance Bundle.

Linked Searches:

PCI - Physical Security Activity

PCI - Common Event Health

For more information, refer to the Searches section of the PCI DSS User Guide.

PCI - Network Security Systems

Systems that protect network security such as firewalls, intrusion detection/prevention, malware detection/prevention, network access control, remote access, virtual private network, and vulnerability scanning. For more information, see PCI DSS Compliance Bundle.

Linked Searches:

PCI - Firewall Configuration Changes

PCI - Firewall Activity

PCI - Anti-Malware Audit Activity

PCI - Network Security Control Access

PCI - Common Event Health

For more information, refer to the Searches section of the PCI DSS User Guide.

PCI - Privileged Users

Accounts that have elevated or increased privileges granted in order for that account to manage systems, networks and/or applications. For more information, see PCI DSS Compliance Bundle.

Linked Searches:

PCI - Privileged Account Activity

PCI - Privileged Account Modification

For more information, refer to the Searches section of the PCI DSS User Guide.

PCI - Third-Party Users

Third Party Accounts are created and configured by an organization to allow external providers access to corporate resources. For more information, see PCI DSS Compliance Bundle.

Linked Searches:

PCI - Third-Party Activity

For more information, refer to the Searches section of the PCI DSS User Guide.

PCI - Shared Accounts

Shared accounts can be accessed by multiple individuals to accomplish a single shared function, such as supporting the functionality of a process, system, device or application. These accounts should only be used on a limited, exception basis. For more information, see PCI DSS Compliance Bundle.

Linked Searches:

PCI - Shared Account Activity

For more information, refer to the Searches section of the PCI DSS User Guide.

PCI - System & Service Accounts

System and Service accounts are non-human privileged accounts, usually located within operating systems, that are used to run applications or services. For more information, see PCI DSS Compliance Bundle.

Linked Searches:

PCI - System and Service Account Activity

For more information, refer to the Searches section of the PCI DSS User Guide.

ISO 27001 - In-Scope Data Systems

Information Systems that are in-scope within your ISO 27001 environment. For more information, see ISO 27001 Compliance Bundle.

Linked Searches:

ISO 27001 - Authentication Failures

ISO 27001 - In-Scope Environment Access

ISO 27001 - In-Scope Environment Activity

ISO 27001 - Common Event Health

For more information, refer to the Searches section of the ISO 27001 User Guide.

ISO 27001 - Physical Security Systems

Systems that control access to facilities, equipment, and resources such as badge readers and door access. For more information, see ISO 27001 Compliance Bundle.

Linked Searches:

ISO 27001 - Physical Security Activity

ISO 27001 - Common Event Health

For more information, refer to the Searches section of the ISO 27001 User Guide.

ISO 27001 - Network Security Systems

Systems that protect network security such as firewalls, intrusion detection/prevention, malware detection/prevention, network access control, remote access, virtual private network, and vulnerability scanning. For more information, see ISO 27001 Compliance Bundle.

Linked Searches:

ISO 27001 - Firewall Configuration Changes

ISO 27001 - Firewall Activity

ISO 27001 - Anti-Malware Audit Activity

ISO 27001 - Network Security Control Access

ISO 27001 - Common Event Health

For more information, refer to the Searches section of the ISO 27001 User Guide.

ISO 27001 - Privileged Users

Accounts that have elevated or increased privileges granted in order for that account to manage systems, networks and/or applications. For more information, see ISO 27001 Compliance Bundle.

Linked Searches:

ISO 27001 - Privileged Account Activity

ISO 27001 - Privileged Account Modification

For more information, refer to the Searches section of the ISO 27001 User Guide.

ISO 27001 - Third-Party Users

Third Party Accounts are created and configured by an organization to allow external providers access to corporate resources. For more information, see ISO 27001 Compliance Bundle.

Linked Searches:

ISO 27001 - Third-Party Activity

For more information, refer to the Searches section of the ISO 27001 User Guide.

ISO 27001 - Shared Accounts

Shared accounts can be accessed by multiple individuals to accomplish a single shared function, such as supporting the functionality of a process, system, device or application. These accounts should only be used on a limited, exception basis. For more information, see ISO 27001 Compliance Bundle.

Linked Searches:

ISO 27001 - Shared Account Activity

For more information, refer to the Searches section of the ISO 27001 User Guide.

ISO 27001 - System & Service Accounts

System and Service accounts are non-human privileged accounts, usually located within operating systems, that are used to run applications or services. For more information, see ISO 27001 Compliance Bundle.

Linked Searches:

ISO 27001 - System and Service Account Activity

For more information, refer to the Searches section of the ISO 27001 User Guide.

NIST 800-53 - In-Scope Data Systems

Information Systems that are in-scope within your NIST 800-53 environment. For more information, see NIST 800-53 Compliance Bundle.

Linked Searches:

NIST 800-53 - Authentication Failures

NIST 800-53 - In-Scope Data Environment Access

NIST 800-53 - In-Scope Data Environment Activity

NIST 800-53 - Common Event Health

For more information, refer to the Searches section of the NIST 800-53 User Guide.

NIST 800-53 - Physical Security Systems

Systems that control access to facilities, equipment, and resources such as badge readers and door access. For more information, see NIST 800-53 Compliance Bundle.

Linked Searches:

NIST 800-53 - Physical Security Activity

NIST 800-53 - Common Event Health

For more information, refer to the Searches section of the NIST 800-53 User Guide.

NIST 800-53 - Network Security Systems

Systems that protect network security such as firewalls, intrusion detection/prevention, malware detection/prevention, network access control, remote access, virtual private network, and vulnerability scanning. For more information, see NIST 800-53 Compliance Bundle.

Linked Searches:

NIST 800-53 - Firewall Configuration Changes

NIST 800-53 - Firewall Activity

NIST 800-53 - Anti-Malware Audit Activity

NIST 800-53 - Network Security Control Access

NIST 800-53 - Common Event Health

For more information, refer to the Searches section of the NIST 800-53 User Guide.

NIST 800-53 - Privileged Users

Accounts that have elevated or increased privileges granted in order for that account to manage systems, networks and/or applications. For more information, see NIST 800-53 Compliance Bundle.

Linked Searches:

NIST 800-53 - Privileged Account Activity

NIST 800-53 - Privileged Account Modification

For more information, refer to the Searches section of the NIST 800-53 User Guide.

NIST 800-53 - Third-Party Users

Third Party Accounts are created and configured by an organization to allow external providers access to corporate resources. For more information, see NIST 800-53 Compliance Bundle.

Linked Searches:

NIST 800-53 - Third-Party Activity

For more information, refer to the Searches section of the NIST 800-53 User Guide.

NIST 800-53 - Shared Accounts

Shared accounts can be accessed by multiple individuals to accomplish a single shared function, such as supporting the functionality of a process, system, device or application. These accounts should only be used on a limited, exception basis. For more information, see NIST 800-53 Compliance Bundle.

Linked Searches:

NIST 800-53 - Shared Account Activity

For more information, refer to the Searches section of the NIST 800-53 User Guide.

NIST 800-53 - System & Service Accounts

System and Service accounts are non-human privileged accounts, usually located within operating systems, that are used to run applications or services. For more information, see NIST 800-53 Compliance Bundle.

Linked Searches:

NIST 800-53 - System and Service Account Activity

For more information, refer to the Searches section of the NIST 800-53 User Guide.
