Lists provide a mechanism for organizing and saving common search criteria used within filters throughout the Application – such as within Investigations, Reports, Alarm Rules, and AI Engine Rules. While many lists are provided by LogRhythm Labs, you can create custom lists for public or private use, and you can publish lists without displaying their contents.

Use Cases for Lists

  • You can create a list of SuperUsers and publish it without displaying the contents of the list. An analyst can use the list in an investigation to see if any SuperUser accounts were utilized within a specified time period on specified hosts.
  • You can create a list of unauthorized software processes. This list can be applied to servers and workstations where LogRhythm Process Monitoring is enabled to detect unauthorized software use.
  • You can create a list of countries to which inbound network communications should never be allowed. This list can be used in an AI Engine rule to detect inbound connections through the firewall from suspicious locations.

List Types

List Types are associated with field filters in alarms, searches, and reports. To add a list to a filter, the list type must match the field filter. The table below includes a summary of:

  • List Types. The metadata field for the list.
  • Item Types. The field values that can be used for that type of list.
  • Filter Types Supported. The fields within the filter selection that are supported for the list type. This means that if you select a field within the filter drop down, any lists with the associated list type appear.
  • Import Supported. Whether the list type can have values imported.

List Type | Item Types | Filter Types Supported | Import Supported?
Application | Known Service; Port; Port Range; Protocol | Application List; Application | N
Classification | Classification | Classification List; Classification | N
Common Event | Common Event | Common Event List; Common Event | N
Entity | Entity | Root Entity; Entity | N
General Value | String Pattern; String | General Value List; Account; Address (Sender or Recipient); Domain; Group; Hostname (I, O/I, O); Message Text; Object; Origin Login; Process; Sender, Recipient; Session; Subject; URL; User (Login or Account); Vendor Msg ID | Y
Host | Known Host; IP; IP Range; Host Name | Host List | Y (with some restrictions)
Identity | Identities | | N
IP Address | IP address | Host (I, O/I, O); IP (I, O/I, O) | Y
IP Range | IP address range | Host (I, O/I, O); IP Range (I, O/I, O) | Y
Location | Location | Location List; Location (I, O/I, O) | N
Log Source Type | Log Source Type | Log Source Type List; Log Source Type | N
MPE Rule | MPE Rule | MPE Rule List; MPE Rule | N
Network | Network | Network List; Network (I, O/I, O) | N
Root Entity | Entity | Root Entity; Entity | N
User | String; Pattern String; AD Group | User List; Account; User (Login or Account); Origin Login | Y (users only, no AD groups)

Use Contexts

Use contexts are used specifically with the General Value list type. They provide the system with the filter types supported for the General Value list created. This allows the filtering within the Analysis Tools to know what lists should appear for the selected field.

This table shows the Use Context types and associated Filter Types that are supported.

Use Context Type | Filter Types Supported
Address | Address, Sender or Recipient
Domain | Domain
Group | Group
Host Name | Hostname, SHostName, DHostName
Message | Message
Object | Object
Process | Process
Session | Session
Subject | Subject
URL | URL
User | Account, Login, or User
Vendor Message ID | Vendor Message ID

For example, if you select the Process Use Context type for a General Value list, when you perform a filter using the Process field, the General Value list created appears in the list selector.

Multi-Type Lists

Some List Types allow for multi-type lists, including Application, Host, and User. These list types let the user add values for multiple fields related to their type. When any of these fields is selected for filtering from within an Analysis Tool, any list associated with that type can be selected.

Application. The following fields can be used to add values to an Application list:

  • Impacted Known Application
  • TCP/UDP Port (Impacted)
  • TCP/UDP Port Range (Impacted)
  • Protocol

Host. The following fields can be used to add values to a Host list:

  • Known Host
  • IP Address
  • IP Address Range
  • Hostname

Users. The following fields can be used to add values to a User list. This includes values that are associated with the Account and Origin Login fields.

  • Username
  • Active Directory Group

You can add specific users by typing in values, or you can add all users associated with an Active Directory group.

Lists Within Lists

Lists are flexible enough to allow you to add a list to another list of a compatible type. The added list is called a sub list. This enables you to create sub lists with elements that are to be shared by other lists, rather than having to manage the duplicated items across several lists.

Lists that can contain other lists raise the possibility of “loops”, wherein a nested sub list could ultimately reference an outer containing list. The system ensures that when lists are processed (such as when creating filters), each list is processed only once.

The following are not checked:

  • For nested lists, permission and visibility compatibility is not checked. So, for example, it is possible to add a Private list to a Public list.
  • For nested General Value lists, compatibility of the Use Contexts is not checked.
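The following is an added illustration of the two points above, not LogRhythm code: resolving a list with its sub lists while processing each list exactly once (so a loop terminates), and a review check for Private lists nested inside Public ones, which the text says the system itself does not perform. List names, the "Private"/"Public" visibility values, and the country placeholders are constructed.

```python
from dataclasses import dataclass, field

@dataclass
class ListDef:
    visibility: str                                  # assumed Read Permission: "Private" or "Public"
    items: list = field(default_factory=list)
    sub_lists: list = field(default_factory=list)    # names of nested lists

# Constructed example: a Public country list nests a Private sub list, which
# references the outer list again (a loop).
REGISTRY = {
    "Blocked Countries": ListDef("Public", ["country-A", "country-B"],
                                 ["Regional Block", "Shared Block"]),
    "Regional Block": ListDef("Private", ["country-C"], ["Blocked Countries"]),
    "Shared Block": ListDef("Public", ["country-B", "country-D"]),
}

def walk(name, registry):
    """Yield each list reachable from `name` exactly once; the seen-set is what
    keeps a loop from being processed twice (or forever)."""
    seen, stack = set(), [name]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        yield current, registry[current]
        stack.extend(registry[current].sub_lists)

def resolve_items(name, registry):
    """Effective items of a list and all its sub lists, duplicates folded."""
    result = []
    for _, entry in walk(name, registry):
        for item in entry.items:
            if item not in result:
                result.append(item)
    return result

def private_in_public(name, registry):
    """(parent, child) pairs where a Public list nests a Private one. The system
    does not reject this, so it has to be caught by review before publishing."""
    return [(parent, child) for parent, entry in walk(name, registry)
            for child in entry.sub_lists
            if entry.visibility == "Public" and registry[child].visibility == "Private"]
```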

Permissions

All users have access to lists. The permissions can be set to limit access to specific lists.

There are two types of Security Permissions, Custom and System. Custom Security Permissions are created by users. System Permissions are created by LogRhythm and come in two flavors, Private and Public. System Lists are imported with the Knowledge Base. The Knowledge Base Module must be enabled and the module synchronized to see the system lists in the List Manager. For details on modules, see Knowledge Base Manager.

The Security Permissions are described in the following table.

Security Permission | Description
Custom | Created by users.
System: Private | Provided by LogRhythm. The list items and properties are controlled by LogRhythm and synced during a Knowledge Base import. Except for controlling Read Access (visibility), these lists are locked for users.
System: Public | Provided by LogRhythm. The list items and some properties can be edited by users. The initial Knowledge Base import initializes the properties. Legacy Log Source Lists are of this type. Some properties, particularly the Items, can be re-synchronized on a Knowledge Base Import.

List Security is controlled by Read, Write, and Restricted Read attributes, which are described in the following table.

Permission | Description
Read Permissions | This controls who can see and use a List, and indirectly controls other permissions. Everyone can create Private lists (the default). A Global Administrator can assign any permission. A Restricted Administrator can assign Public Analyst permissions. A Global Analyst can assign Public or Global Analyst. Restricted Analysts can only assign Public. System Lists cannot be Private.
Write Permissions | This controls who can edit a List. This is always at least as permissive as the visibility, but never more (example: a List cannot be set to "read" for Admins and "write" for Public). Only the list owner or an Admin can change this value. It can be set to any value consistent with the Read Permissions. For System: Private Lists this value is Private and cannot be changed. For System: Public Lists this value is Admins and cannot be changed.
Restricted Read | Restricted Read is used to prevent users who do not have Write Permissions to the list from viewing the items on the list; such users can only use the List (for example, in a Filter).

List Manager

The List Manager lets you view and manage lists in LogRhythm, including the ability to add and retire lists. Lists are available (with appropriate security permissions) to all users. The menu buttons on the List Manager, from left to right, include Properties, Refresh, and New. The file menu options related to lists include Properties, New, and Clone. The following table describes the columns in the grid of the List Manager.

Field | Description
Action | The check box used in conjunction with the Actions context menu to indicate which lists to include in the action.
List Type | The type of list, such as Log Source, General Value, and Host.
Name | The name of the list.
Entry Count | The total number of items and lists that the list contains. If a list contains 10 items and two lists, the Entry Count for the list is 12. The Entry Count value appears for all lists, even if a list is used as a sub list elsewhere in the system. The List Manager highlights system lists that do not contain any items, indicating that the system list has not been populated. Empty custom lists are not highlighted.
Use Context | The associated use contexts for the list, such as log source, process, host, and user. It is the same as the type for all but General Values, in which case one or more values appear based on what is selected in the properties.
Auto Import | An indicator of whether the import occurs automatically.
Import Options | The options selected for importing the list.
Import Filename | The name of the file to be imported when the list is used.
Restricted Read | The indicator for Restricted Read permissions.
Description | The description of the list.
Status | The status of the list, Active or Retired.
Last Updated | The date the list was last updated.
Read Access | The Read permissions for the list.
Write Access | The Write permissions for the list.
Entity | The Entity with which the list is associated.
Owner | The user who created the list. For System lists, the owner appears as N/A.
List ID | The unique ID for the list.

Automated File Import

Lists can be imported by the Job Manager using an automated protocol. The lists follow the same rules as the List Properties Editor and File/Clipboard Import (for details on the rules, see Create Lists in the Client Console). The Job Manager List Import task runs continuously, polling at frequent intervals for List file changes. If a file with the correct name appears, the task imports the list. The task requires exclusive access to the file, so it waits while another process is still writing to it. After a file has been successfully imported, it is deleted. If an error occurs during import, the file is renamed with a suffix of .bad. The status of each list import attempt is written to the log file and event log. The following default rules apply:

  • The default import directory is config\list_import, relative to the path specified in the Configuration File Parent Directory field in the Job Manager Configuration Manager.
  • The default processing interval is 60 seconds.
  • The defaults cannot be changed.

Expiration of List Items

Under certain circumstances, list items are only needed on a temporary basis. For example, when an employee leaves the company, the IT department might want to monitor the employee's account for 90 days for any activity. Instead of having to remove the list item manually, it can be configured to be removed automatically in 90 days.

The time span configured for expiring list items is counted forward from the time of the list's creation. For example, if a Terminated User Account list was created on March 2nd at 12:00 PM with an expiration time of 10 days, all of the list items entered in the list expire at the same time. The last configured time span is saved when the list is saved. If new items are added to the list 5 days after it was saved, the new list items expire 10 days from the day they are added, not on the same day as the original items. If the intention is for the additional items to expire on the same day as the original items, the day field and the hours and minutes fields have to be adjusted before the new items are added to the list.
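The following is an added model of the expiration arithmetic described above, not LogRhythm code. It reproduces the March 2nd scenario, shows the drift that occurs when items are added 5 days later under the saved 10-day span, and computes the span that must be configured first so the new items expire with the originals. The year and the account names are constructed.

```python
from datetime import datetime, timedelta

def expiry_for(added_at, span):
    """Items added at `added_at` while `span` is configured expire at added_at + span."""
    return added_at + span

def span_to_align(added_at, target_expiry):
    """Span to configure (day/hour/minute fields) before adding more items so
    they expire together with items that already expire at `target_expiry`."""
    remaining = target_expiry - added_at
    if remaining <= timedelta(0):
        raise ValueError("the original items have already expired")
    return remaining

def expired_items(entries, now):
    """Items whose expiry has been reached, i.e. what automatic removal drops."""
    return [name for name, expires in entries if expires <= now]

def expiry_groups(entries):
    """Group items by expiry time to show how many removal schedules a list has."""
    groups = {}
    for name, expires in entries:
        groups.setdefault(expires, []).append(name)
    return groups

# Constructed scenario from the text (year assumed): a Terminated User Account
# list created March 2 at 12:00 PM with a 10-day expiration.
CREATED = datetime(2024, 3, 2, 12, 0)
SPAN = timedelta(days=10)
ORIGINAL_EXPIRY = expiry_for(CREATED, SPAN)            # March 12, 12:00 PM

# Items added 5 days later under the saved 10-day span expire 10 days from then.
LATER = CREATED + timedelta(days=5)
LATER_EXPIRY = expiry_for(LATER, SPAN)                 # March 17, 12:00 PM

# Reducing the span to the remaining time puts the new items on the original schedule.
ALIGNED_SPAN = span_to_align(LATER, ORIGINAL_EXPIRY)   # 5 days

# Constructed account names; none refer to real users.
ENTRIES = [
    ("terminated-user-1", ORIGINAL_EXPIRY),
    ("terminated-user-2", LATER_EXPIRY),                          # drifted schedule
    ("terminated-user-3", expiry_for(LATER, ALIGNED_SPAN)),       # aligned
]
```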