PhishMe Object Collection


The LogRhythm Knowledge Base now includes the Object Collection: PhishMe List Module, which lets LogRhythm use PhishMe Intelligence threat intelligence data. Before these lists can be used, each one must be configured to automatically import the text file created by the phishme_intelligence.py script, which PhishMe Support supplies and configures.

Configure Auto Import

Follow these steps for each PhishMe list you wish to configure.

  1. In the LogRhythm Console, click Tools, click Knowledge, and then click List Manager.
    In the List Manager, you can see the new PhishMe lists that have been added to your deployment by the Object Collection: PhishMe List Module. These lists are empty until they have been configured to Auto Import the PhishMe text files.

  2. To see only the PhishMe lists, type PhishMe in the List Manager Name filter field.

  3. Double-click one of the PhishMe lists.
    The List Properties window appears.

  4. On the Basic tab, under Auto Import, select the Enable check box, and enter the corresponding Import File Name (listed in the LogRhythm and PhishMe List Association table) in the File name field.

  5. In the TTL section, select the Expiring Items check box, and set the TTL to thirty days.

  6. Click OK.

Associate Vendor Lists with LogRhythm Lists

The Advanced Intelligence Engine (AIE) rules in the Threat Intelligence Module use the LogRhythm Threat Lists. To tune the AIE rules to a vendor, you must associate the vendor lists with the LogRhythm lists. For details about the association between LogRhythm and PhishMe lists, see LogRhythm and PhishMe List Association.

  1. In the LogRhythm Console, click Tools, click Knowledge, and then click List Manager.
    In the List Manager, you can see the threat lists that have been added to your deployment by the LogRhythm Knowledge Base. These lists are empty until you start the LogRhythm Threat Intelligence Service and collect some threat data. To see the LogRhythm Threat lists, type LR Threat in the List Manager Name filter field. The following LogRhythm lists appear:
      LR Threat List : Email Address : Malware
      LR Threat List : Email Address : Phishing
      LR Threat List : Email Address : Suspicious
      LR Threat List : Email Subject : Phishing
      LR Threat List : File Name : Malware
      LR Threat List : File Path : Malware
      LR Threat List : IP : Attack
      LR Threat List : IP : Bot
      LR Threat List : IP : Fraud
      LR Threat List : IP : Malware
      LR Threat List : IP : Phishing
      LR Threat List : IP : Suspicious
      LR Threat List : Process : Malware
      LR Threat List : URL : Attack
      LR Threat List : URL : Bot
      LR Threat List : URL : Fraud
      LR Threat List : URL : Malware
      LR Threat List : URL : Phishing
      LR Threat List : URL : Suspicious
      LR Threat List : User Agent : Attack

  2. Double-click one of the LR Threat lists.
    The List Properties window appears.

  3. Click the List Items tab, and then click Add List.

  4. Type PhishMe in the Text Filter field, and then click Apply.

  5. Select the corresponding Top list for each category.

    The Top lists contain the 15,000 riskiest identifiers; the All lists contain up to 30,000 records. The All lists may be larger than your LogRhythm system supports, so do not enable them until you understand the size of the data set.


  6. Click OK to close the List Selector, and then click OK to close the List Properties window.

  7. Repeat steps 2 through 6 for each LogRhythm list you want to modify.

Enable Threat List AIE Rules

You must enable the Threat List AIE rules you want to use.

  1. On the main toolbar, click Deployment Manager.

  2. Click the AI Engine tab.

  3. In the AI Engine Rule Name filter field, type Threat List.
    The following is a list of all AI Engine Threat List rules:
      Attack: Security Event After Threat List IP
      Attack: Security Event Then Threat List IP
      Compromise: Auth with Threat List IP
      Compromise: Internal Threat List IP Config Change
      Malware: Threat List Bot IP
      Malware: Threat List Bot URL
      Malware: Threat List Malware File Name
      Malware: Threat List Malware File Path
      Malware: Threat List Malware IP
      Malware: Threat List Malware Process
      Malware: Threat List Malware URL
      Malware: Threat List Malware User-Agent
      Network Anomaly: Communication with Threat List IP
      Network Anomaly: Multiple Internal Hosts to Threat List IP
      Network Anomaly: Multiple Threat List IPs
      Network Anomaly: Threat List Attack IP
      Network Anomaly: Threat List Attack URL
      Network Anomaly: Threat List Fraud IP
      Network Anomaly: Threat List Fraud URL
      Network Anomaly: Threat List New Source
      Network Anomaly: Threat List New Threat IP
      Network Anomaly: Threat List Phishing IP
      Network Anomaly: Threat List Phishing Recipient
      Network Anomaly: Threat List Phishing Source
      Network Anomaly: Threat List Phishing Subject
      Network Anomaly: Threat List Phishing URL
      Network Anomaly: Threat List Suspicious IP

  4. Select the AIE rule, right-click the rule, click Actions, and then click Enable.

  5. In the Confirm Enable dialog box, click Yes.

  6. When you have enabled all the rules you will use, restart the AI Engine servers by clicking Restart AI Engine Servers in the AI Engine tab.

LogRhythm and PhishMe List Association

The Vendor List column in the following table shows the empty PhishMe lists that the LogRhythm KB provides. The LogRhythm List column shows the LogRhythm lists you can associate with each PhishMe list, and the Import File Name column gives the file that the list's Auto Import must point at. Each vendor list is populated with the indicators in its import file: hostnames, email addresses, IPv4 addresses, MD5 hashes, or URLs, as the file name indicates. For instructions on the usage of lists in LogRhythm, see .

Each row below gives one Vendor List, its Import File Name, and the LogRhythm List(s) it can be associated with.

Vendor List: PhishMe : Host : None
Import File Name: phishme_intelligence_domainname_none.txt
LogRhythm List: LR Threat List : Domain : Phishing; LR Threat List : URL : Phishing; LR Threat List : URL : Suspicious

Vendor List: PhishMe : Host : Minor
Import File Name: phishme_intelligence_domainname_minor.txt
LogRhythm List: LR Threat List : Domain : Phishing; LR Threat List : URL : Phishing; LR Threat List : URL : Suspicious

Vendor List: PhishMe : Host : Moderate
Import File Name: phishme_intelligence_domainname_moderate.txt
LogRhythm List: LR Threat List : Domain : Phishing; LR Threat List : URL : Phishing; LR Threat List : URL : Suspicious

Vendor List: PhishMe : Host : Major
Import File Name: phishme_intelligence_domainname_major.txt
LogRhythm List: LR Threat List : Domain : Phishing; LR Threat List : URL : Phishing; LR Threat List : URL : Suspicious; LR Threat List : URL : Attack

Vendor List: PhishMe : Email Address : Major
Import File Name: phishme_intelligence_email_major.txt
LogRhythm List: LR Threat List : Email Address : Phishing; LR Threat List : Email Address : Suspicious

Vendor List: PhishMe : IP : Minor
Import File Name: phishme_intelligence_ipv4address_minor.txt
LogRhythm List: LR Threat List : IP : Phishing; LR Threat List : IP : Suspicious

Vendor List: PhishMe : IP : Moderate
Import File Name: phishme_intelligence_ipv4address_moderate.txt
LogRhythm List: LR Threat List : IP : Phishing; LR Threat List : IP : Suspicious

Vendor List: PhishMe : IP : Major
Import File Name: phishme_intelligence_ipv4address_major.txt
LogRhythm List: LR Threat List : IP : Phishing; LR Threat List : IP : Suspicious; LR Threat List : IP : Attack

Vendor List: PhishMe : Hash : All
Import File Name: phishme_intelligence_md5.txt
LogRhythm List: LR Threat List : File Hash : Suspicious

Vendor List: PhishMe : URL : None
Import File Name: phishme_intelligence_url_none.txt
LogRhythm List: LR Threat List : URL : Phishing; LR Threat List : URL : Suspicious

Vendor List: PhishMe : URL : Moderate
Import File Name: phishme_intelligence_url_moderate.txt
LogRhythm List: LR Threat List : URL : Phishing; LR Threat List : URL : Suspicious

Vendor List: PhishMe : URL : Major
Import File Name: phishme_intelligence_url_major.txt
LogRhythm List: LR Threat List : URL : Phishing; LR Threat List : URL : Suspicious; LR Threat List : URL : Attack
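Before you point a list's Auto Import at one of these files (Configure Auto Import, step 4) or enable an All list in the association step, it is worth checking what the file actually contains: whether every line is the indicator type the file name promises, how many unique entries there are relative to the 15,000 (Top) and 30,000 (All) sizes quoted above, and which LR Threat Lists the file will end up feeding. The following Python script is an added example written for this page; it is not LogRhythm's or PhishMe's own code. It assumes the import files hold one indicator per line with blank lines and lines starting with "#" ignored (the page does not state the file layout), it takes the file-name pattern and the list association from the table above, and the sample files embedded in it are constructed for the example, not real PhishMe data.

```python
"""Pre-flight check of PhishMe import files before enabling Auto Import.
Added example, not LogRhythm's or PhishMe's own code. Assumptions not from the
page: one indicator per line; blank lines and '#' comment lines are ignored.
File-name pattern and list association come from the association table; the
15,000 / 30,000 limits are the Top / All list sizes the page quotes."""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

TOP_LIST_MAX, ALL_LIST_MAX = 15_000, 30_000  # Top and All list sizes from the page
_DOMAIN = ["LR Threat List : Domain : Phishing", "LR Threat List : URL : Phishing",
           "LR Threat List : URL : Suspicious"]
_EMAIL = ["LR Threat List : Email Address : Phishing", "LR Threat List : Email Address : Suspicious"]
_IP = ["LR Threat List : IP : Phishing", "LR Threat List : IP : Suspicious"]
_URL = ["LR Threat List : URL : Phishing", "LR Threat List : URL : Suspicious"]
# Import file name -> LR Threat Lists it is associated with (from the table).
ASSOCIATION: Dict[str, List[str]] = {
    "phishme_intelligence_domainname_none.txt": _DOMAIN,
    "phishme_intelligence_domainname_minor.txt": _DOMAIN,
    "phishme_intelligence_domainname_moderate.txt": _DOMAIN,
    "phishme_intelligence_domainname_major.txt": _DOMAIN + ["LR Threat List : URL : Attack"],
    "phishme_intelligence_email_major.txt": _EMAIL,
    "phishme_intelligence_ipv4address_minor.txt": _IP,
    "phishme_intelligence_ipv4address_moderate.txt": _IP,
    "phishme_intelligence_ipv4address_major.txt": _IP + ["LR Threat List : IP : Attack"],
    "phishme_intelligence_md5.txt": ["LR Threat List : File Hash : Suspicious"],
    "phishme_intelligence_url_none.txt": _URL,
    "phishme_intelligence_url_moderate.txt": _URL,
    "phishme_intelligence_url_major.txt": _URL + ["LR Threat List : URL : Attack"],
}
_NAME_RE = re.compile(r"^phishme_intelligence_(?P<kind>domainname|email|ipv4address|md5|url)"
                      r"(?:_(?P<impact>none|minor|moderate|major))?\.txt$")
_SYNTAX = {  # syntactic checks for the non-IP indicator kinds
    "md5": re.compile(r"^[0-9a-f]{32}$", re.I),
    "domainname": re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(\.(?!-)[a-z0-9-]{1,63}(?<!-))+$", re.I),
    "email": re.compile(r"^[^\s@]+@[^\s@]+\.[a-z]{2,}$", re.I),
    "url": re.compile(r"^https?://\S+$", re.I),
}

def parse_import_file_name(name: str) -> Optional[Tuple[str, Optional[str]]]:
    """Return (indicator kind, impact rating) for a PhishMe import file name, else None."""
    m = _NAME_RE.match(name)
    return (m.group("kind"), m.group("impact")) if m else None

def is_well_formed(kind: str, value: str) -> bool:
    """True if the line is syntactically the indicator kind the file name promises."""
    if kind == "ipv4address":
        try:
            return isinstance(ipaddress.ip_address(value), ipaddress.IPv4Address)
        except ValueError:
            return False
    return _SYNTAX[kind].match(value) is not None

def check_import_file(name: str, content: str) -> dict:
    """Summarise one import file: counts, malformed lines, non-routable IPs,
    the LR Threat Lists it feeds, and whether it exceeds the Top/All sizes."""
    parsed = parse_import_file_name(name)
    if parsed is None:
        raise ValueError(f"not a PhishMe import file name: {name}")
    kind, impact = parsed
    seen: Dict[str, None] = {}  # insertion-ordered set of unique indicators
    malformed: List[str] = []
    non_global: List[str] = []
    total = 0
    for raw in content.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        total += 1
        if not is_well_formed(kind, line):
            malformed.append(line)
        elif line not in seen:
            seen[line] = None
            # RFC 1918, loopback or reserved space in a feed matches your own traffic
            # and makes the Threat List AIE rules fire on internal hosts.
            if kind == "ipv4address" and not ipaddress.ip_address(line).is_global:
                non_global.append(line)
    return {"file": name, "kind": kind, "impact": impact, "total": total,
            "unique": len(seen), "duplicates": total - len(malformed) - len(seen),
            "malformed": malformed, "non_global": non_global,
            "targets": ASSOCIATION.get(name, []),
            "over_top": len(seen) > TOP_LIST_MAX, "over_all": len(seen) > ALL_LIST_MAX}

# Constructed sample files (not real PhishMe data): TEST-NET and RFC 1918
# addresses, the MD5 of the empty string, and reserved .example hosts.
SAMPLE_FILES = {
    "phishme_intelligence_ipv4address_major.txt":
        "# constructed sample\n203.0.113.10\n198.51.100.7\n203.0.113.10\n10.0.0.5\nnot-an-ip\n",
    "phishme_intelligence_md5.txt": "d41d8cd98f00b204e9800998ecf8427e\nnot-a-hash\n",
    "phishme_intelligence_url_major.txt": "http://phish.example/login\nftp://nope.example/x\n",
}

def check_sample(name: str) -> dict:
    """Run the check over one of the constructed sample files."""
    return check_import_file(name, SAMPLE_FILES[name])

if __name__ == "__main__":
    for r in map(check_sample, SAMPLE_FILES):
        print(f"{r['file']}: {r['unique']} unique, {r['duplicates']} duplicate, "
              f"{len(r['malformed'])} malformed, {len(r['non_global'])} non-routable "
              f"-> {'; '.join(r['targets'])}{' [exceeds Top list size]' if r['over_top'] else ''}")
```

To run it against the real files, call check_import_file with the file name and the file's contents. A malformed line is a sign the file is not the type its name claims (or the script output changed), a large duplicate count inflates the size you are budgeting for, an RFC 1918 or reserved address in an IP feed will match your own hosts once the IP rules are enabled, and over_top is the signal that the file is larger than a Top list and the All list deserves a closer look before you enable it.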