PhishMe Object Collection

The LogRhythm Knowledge Base now includes the Object Collection: PhishMe List Module to take advantage of PhishMe Intelligence’s unique threat intelligence data. Before these lists can be leveraged, they need to be configured to automatically import text files created by the phishme_intelligence.py script, supplied and configured by PhishMe Support. Follow these steps for each list you wish to configure.

Configure Auto Import

Follow these steps for each PhishMe list you wish to configure.

1. In the LogRhythm Console, click Tools, click Knowledge, and then click List Manager.
   In the List Manager, you can see the new PhishMe lists that have been added to your deployment by the Object Collection: PhishMe List Module. These lists are empty until they have been configured to Auto Import the PhishMe text files.
2. To see only the PhishMe lists, type PhishMe in the List Manager Name filter field.
3. Double-click one of the PhishMe lists.
   The List Properties window appears.
4. On the Basic tab, under Auto Import, select the Enable check box, and enter the corresponding 52808455 from_bookmark5in the File name field.
5. In the TTL section, select the Expiring Items check box, and set for thirty days.
6. Click OK.

Associate Vendor Lists with LogRhythm Lists

The Advanced Intelligence Engine (AIE) rules in the Threat Intelligence Module utilize the LogRhythm Threat Lists. To tune the AIE rules to a vendor, you must associate the vendor lists with the LogRhythm lists. For details about the association between LogRhythm and PhishMe lists, see LogRhythm and PhishMe List Association LogRhythm and PhishMe List Association LogRhythm and PhishMe List Association.

1. In the LogRhythm Console, click Tools, click Knowledge, and then click List Manager.
   In the List Manager, you can see the threat lists that have been added to your deployment by the LogRhythm Knowledge Base. These lists are empty until you start the LogRhythm Threat Intelligence Service and collect some threat data. To see the LogRhythm Threat lists, type LR Threat in the List Manager Name filter field. The following LogRhythm lists appear:
   • LR Threat List : Email Address : Malware
   • LR Threat List : Email Address : Phishing
   • LR Threat List : Email Address : Suspicious
   • LR Threat List : Email Subject : Phishing
   • LR Threat List : File Name : Malware
   • LR Threat List : File Path : Malware
   • LR Threat List : IP : Attack
   • LR Threat List : IP : Bot
   • LR Threat List : IP : Fraud
   • LR Threat List : IP : Malware
   • LR Threat List : IP : Phishing
   • LR Threat List : IP : Suspicious
   • LR Threat List : Process : Malware
   • LR Threat List : URL : Attack
   • LR Threat List : URL : Bot
   • LR Threat List : URL : Fraud
   • LR Threat List : URL : Malware
   • LR Threat List : URL : Phishing
   • LR Threat List : URL : Suspicious
   • LR Threat List : User Agent : Attack
2. Double-click one of the LR Threat lists.
   The List Properties window appears.
3. Click the List Items tab, and then click Add List.
4. Type the PhishMe in the Text Filter field, and then click Apply.

5. Select the corresponding Top list for each category.

   

   The Top lists contain the top 15,000 most risky identifiers, and the All lists contain 30,000 records maximum. All lists may be larger than the LogRhythm system supports, and we do not recommend that you enable them until you understand the size of the data set.

6. Click OK to close the List Selector, and then click OK to close the List Properties window.
7. Repeat steps 4 through 8 for each LogRhythm list you want to modify.

Enable Threat List AIE Rules

You must enable the Threat List AIE rules you want to use.

1. On the main toolbar, click Deployment Manager.
2. Click the AI Engine tab.
3. In the AI Engine Rule Name filter field, type Threat List.
   The following is a list of all AI Engine Threat List rules.
   • Attack: Security Event After Threat List IP
   • Network Anomaly: Multiple Threat List IPs
   • Attack: Security Event Then Threat List IP
   • Network Anomaly: Threat List Attack IP
   • Compromise: Auth with Threat List IP
   • Network Anomaly: Threat List Attack URL
   • Compromise: Internal Threat List IP Config Change
   • Network Anomaly: Threat List Fraud IP
   • Malware: Threat List Bot IP
   • Network Anomaly: Threat List Fraud URL
   • Malware: Threat List Bot URL
   • Network Anomaly: Threat List New Source
   • Malware: Threat List Malware File Name
   • Network Anomaly: Threat List New Threat IP
   • Malware: Threat List Malware File Path
   • Network Anomaly: Threat List Phishing IP
   • Malware: Threat List Malware IP
   • Network Anomaly: Threat List Phishing Recipient
   • Malware: Threat List Malware Process
   • Network Anomaly: Threat List Phishing Source
   • Malware: Threat List Malware URL
   • Network Anomaly: Threat List Phishing Subject
   • Malware: Threat List Malware User-Agent
   • Network Anomaly: Threat List Phishing URL
   • Network Anomaly: Communication with Threat List IP
   • Network Anomaly: Threat List Suspicious IP
   • Network Anomaly: Multiple Internal Hosts to Threat List IP
4. Select the AIE rule, right-click the rule, click Actions, and then click Enable.
5. In the Confirm Enable dialog box, click Yes.
6. When you have enabled all the rules you will use, restart the AI Engine servers by clicking Restart AI Engine Servers in the AI Engine tab.

LogRhythm and PhishMe List Association

The Vendor List column in the following table shows the empty PhishMe lists that are provided in the LogRhythm KB. The LogRhythm List column shows the LogRhythm Lists that you can potentially associate with the PhishMe lists. The vendor list is updated by the Threat Intelligence Service with data, usually malicious IPs. For instructions on the usage of lists in LogRhythm, see Lists in the Client Console.