Associate Vendor Lists with LogRhythm Lists
The Advanced Intelligence Engine (AIE) rules in the Threat Intelligence Module utilize the LogRhythm Threat lists. To tune the AIE rules to a vendor, you must associate the vendor lists with the LogRhythm lists. For more information about the association between LogRhythm and vendor lists, see Vendor Lists.
- In the LogRhythm Client Console, click Tools, click Knowledge, and then click List Manager.
In the List Manager you can see the threat lists that have been added to your deployment by the LogRhythm Knowledge Base. For example, if you selected the Symantec module, type symantec in the List Manager Name filter field to see all of the Symantec lists. These lists are empty until you start the LogRhythm Threat Intelligence Service and collect some threat data.
To see the LogRhythm Threat lists, type LR Threat in the List Manager Name filter field. The following LogRhythm lists display:
  - LR Threat List : Email Address : Malware
  - LR Threat List : Email Address : Phishing
  - LR Threat List : Email Address : Suspicious
  - LR Threat List : Email Subject : Phishing
  - LR Threat List : File Name : Malware
  - LR Threat List : File Path : Malware
  - LR Threat List : IP : Attack
  - LR Threat List : IP : Bot
  - LR Threat List : IP : Fraud
  - LR Threat List : IP : Malware
  - LR Threat List : IP : Phishing
  - LR Threat List : IP : Suspicious
  - LR Threat List : Process : Malware
  - LR Threat List : URL : Attack
  - LR Threat List : URL : Bot
  - LR Threat List : URL : Fraud
  - LR Threat List : URL : Malware
  - LR Threat List : URL : Phishing
  - LR Threat List : URL : Suspicious
  - LR Threat List : User Agent : Attack
- Double-click one of the LR Threat lists.
The List Properties dialog box appears.
- Click the List Items tab, then click Add List.
- Type the vendor name in the Text Filter field, then click Apply.
Select the corresponding Top list for each category.
The Top lists contain the top 15,000 most risky identifiers, and the All lists contain 30,000 records maximum. All lists may be larger than the LogRhythm system supports, and it is not recommended that you enable them until you understand the size of the data set.
- Click OK to close the List Selector, and then click OK to close the List Properties dialog box.
- Repeat steps 4 through 8 for each LogRhythm list you want to modify.