Lists in the Client Console
Lists provide a mechanism for organizing and saving common search criteria used within filters throughout the Application, such as within Investigations, Reports, Alarm Rules, and AI Engine Rules. While many lists are provided by LogRhythm Labs, you can create custom lists for public or private use, and you can publish lists without displaying their contents.
Use Cases for Lists
- You can create a list of SuperUsers and publish it without displaying the contents of the list. An analyst can use the list in an investigation to see if any SuperUser accounts were utilized within a specified time period on specified hosts.
- You can create a list of unauthorized software processes. This list can be applied to servers and workstations where LogRhythm Process Monitoring is enabled to detect unauthorized software use.
- You can create a list of countries to which inbound network communications should never be allowed. This list can be used in an AI Engine rule to detect inbound connections through the firewall from suspicious locations.
List Types
List Types are associated with field filters in alarms, searches, and reports. To add a list to a filter, the list type must match the field filter. The following table includes a summary of:
- List Types. The metadata field for the list.
- Item Types. The field values that can be used for that type of list.
- Filter Types Supported. The fields within the filter selection that are supported for the list type. This means that if you select a field within the filter drop-down, any lists with the associated list type appear.
- Import Supported. Whether the list type can have values imported.
List Type | Item Types | Filter Types Supported | Import Supported? |
---|---|---|---|
Application | Known Service, Port, Port Range, Protocol, Application List | Application | N |
Classification | Classification, Classification List | Classification | N |
Common Event | Common Event, Common Event List | Common Event | N |
Entity | Entity, Root Entity | Entity | N |
General Value | String, Pattern String, General Value List | Account, Address (Sender or Recipient), Domain, Group, Hostname (I, O/I, O), Message Text, Object, Origin Login, Process, Sender, Recipient, Session, Subject, URL, User (Login or Account), Vendor Msg ID | Y |
Host | Known Host, IP, IP Range, Host Name, Host List | | Y (with some restrictions) |
Identity | Identities | | N |
IP Address | IP Address | Host (I, O/I, O), IP (I, O/I, O) | Y |
IP Range | IP Address Range | Host (I, O/I, O), IP Range (I, O/I, O) | Y |
Location | Location, Location List | Location (I, O/I, O) | N |
Log Source | Log Source, Log Source List | N/A | N |
Log Source Type | Log Source Type, Log Source Type List | Log Source Type | N |
MPE Rule | MPE Rule, MPE Rule List | MPE Rule | N |
Network | Network, Network List | Network (I, O/I, O) | N |
Root Entity | Entity, Root Entity | Entity | N |
User | String, Pattern String, AD Group, User List | Account, User (Login or Account), Origin Login | Y (users only, no AD groups) |
Use Contexts
Use contexts are used specifically with the General Value list type. They provide the system with the filter types supported for the General Value list created. This allows the filtering within the Analysis Tools to know what lists should appear for the selected field.
This table shows the Use Context types and associated Filter Types that are supported.
Use Context Types | Filter Types Supported |
---|---|
Action | Action |
Address | Address, Sender or Recipient |
Command | Command |
CVE | CVE |
Domain Impacted | Domain Impacted |
Domain Origin | Domain Origin |
Group | Group |
Hash | Hash |
Host Name | Hostname, SHostName, DHostName |
MAC Address | mac, smac, dmac |
Message | Message |
Object | Object |
Object Name | Object Name |
Parent Process Id | Parent Process Id |
Parent Process Name | Parent Process Name |
Parent Process Path | Parent Process Path |
Policy | Policy |
Process | Process |
Reason | Reason |
Response Code | Response Code |
Result | Result |
Serial Number | Serial Number |
Session | Session |
Session Type | Session Type |
Status | Status |
Subject | Subject |
Threat Id | Threat Id |
Threat Name | Threat Name |
URL | URL |
User | Account, Login, or User |
User Agent | User Agent |
Vendor Info | Vendor Info |
Vendor Message ID | Vendor Message ID |
For example, if you select the Process Use Context type for a General Value list, when you perform a filter using the Process field, the General Value list created appears in the list selector.
Multi-Type Lists
Some list types, namely Application, Host, and User, allow multi-type lists. These list types let you add values for multiple fields related to the list type. When any of these fields is selected for filtering within an Analysis Tool, any lists associated with that type can be selected.
Application. The following fields can be used to add values to an Application list:
- Impacted Known Application
- TCP/UDP Port (Impacted)
- TCP/UDP Port Range (Impacted)
- Protocol
Host. The following fields can be used to add values to a Host list:
- Known Host
- IP Address
- IP Address Range
- Hostname
User. The following fields can be used to add values to a User list. This includes values that are associated with the Account and Origin Login fields.
- Username
- Active Directory Group
You can add specific users by typing in values, or you can add the users associated with an Active Directory group.
Lists Within Lists
Lists are flexible enough to allow you to add a list to another list of a compatible type. The added list is called a sub list. This enables you to create sub lists with elements that are to be shared by other lists, rather than having to manage the duplicated items across several lists.
Lists that can contain other lists raise the possibility of loops, where a nested sub list ultimately references an outer containing list. The system ensures that when lists are processed (such as when creating filters), each list is processed only once.
The following are not checked:
- For nested lists, permission and visibility compatibility is not checked. So, for example, it is possible to add a Private list to a Public list.
- For nested General Value lists, compatibility of the Use Contexts is not checked.
Permissions
All users have access to lists. The permissions can be set to limit access to specific lists.
There are two types of Security Permissions: Custom and System. Custom Security Permissions are created by users. System Permissions are created by LogRhythm and come in two flavors, Private and Public. System Lists are imported with the Knowledge Base. The Knowledge Base Module must be enabled and the module synchronized to see the system list in the list manager. For details on modules, see Knowledge Base Manager.
The Security Permissions are described in the following table.
Security Permission | Description |
---|---|
Custom | Created by users. |
System: Private | This is provided by LogRhythm. The list items and properties are controlled by LogRhythm and synced during a Knowledge Base import. Except for controlling Read Access (visibility), these lists are locked for users. |
System: Public | This is provided by LogRhythm. The list items and some properties can be edited by users. The initial Knowledge Base import initializes the properties. Legacy Log Source Lists are of this type. Some properties, particularly the Items, can be re-synchronized on a Knowledge Base Import. |
List Security is controlled by Read, Write, and Restricted Read attributes, which are described in the following table.
Permission | Description |
---|---|
Read Permissions | This controls who can see and use a List, and indirectly controls other permissions. Everyone can create Private lists (the default). A Global Administrator can assign any permission. A Restricted Administrator can assign Public Analyst permissions. A Global Analyst can assign Public or Global Analyst. Restricted Analysts can only assign Public. System Lists cannot be Private. |
Write Permissions | This controls who can edit a List. It can never be more permissive than the Read permission (visibility); for example, a List cannot be set to Read for Admins and Write for Public. Only the list owner or an Admin can change this value, and it can be set to any value consistent with the Read Permissions. For System: Private Lists this value is Private and cannot be changed. For System: Public Lists this value is Admins and cannot be changed. |
Restricted Read | Restricted Read is used to prevent users who do not have Write Permissions to the list from viewing the items on the list; such users can only use the List (such as using it in a Filter). |
List Manager
The List Manager lets you view and manage lists in LogRhythm, including the ability to add and retire lists. Lists are available (with appropriate security permissions) to all users. The menu buttons on the List Manager, from left to right, include Properties, Refresh, and New. The file menu options related to lists include Properties, New, and Clone. The following table describes the columns in the grid of the List Manager.
Field | Description |
---|---|
Action | The check box used in conjunction with the Actions context menu to indicate which lists to include in the action. |
List Type | The type of list, such as Log Source, General Value, and Host. |
Name | The name of the list. |
Entry Count | The total number of items and sub lists that the list contains. For example, if a list contains 10 items and two lists, the Entry Count for the list is 12. The Entry Count value appears for all lists, even if a list is used as a sub list elsewhere in the system. The List Manager highlights system lists that do not contain any items, indicating that the system list has not been populated. Empty custom lists are not highlighted. |
Use Context | The associated use contexts for the list, such as log source, process, host, and user. It is the same as the type for all but General Values, in which case one or more values appear based on what is selected in the properties. |
Auto Import | An indicator of whether the import occurs automatically. |
Import Options | The options selected for importing the list. |
Import Filename | The name of the file to be imported when the list is used. |
Restricted Read | The indicator for Restricted Read permissions. |
Description | The description of the list. |
Status | The status of the list: Active or Retired. |
Last Updated | The date the list was last updated. |
Read Access | The Read permissions for the list. |
Write Access | The Write permissions for the list. |
Entity | The Entity with which the list is associated. |
Owner | The user who created the list. For System lists, the owner appears as N/A. |
List ID | The unique ID for the list. |
Automated File Import
Lists can be imported by the Job Manager using an automated protocol. The lists follow the same rules as the List Properties Editor and File/Clipboard Import (for details on the rules, see Create Lists in the Client Console). The Job Manager List Import task runs continuously, polling at frequent intervals for list file changes. If a file with the correct name appears, the task imports the list. If another process is still writing the file, the task waits, because it requires exclusive access to the file. After a file has been successfully imported, it is deleted. If an error occurs during import, the file is renamed with a suffix of .bad. The status of each list import attempt is written to the log file and event log. The following default rules apply:
- The default import directory is config\list_import, relative to the path specified in the Configuration File Parent Directory field in the Job Manager Configuration Manager.
- The default processing interval is 60 seconds.
- The defaults cannot be changed.
Expiration of List Items
Under certain circumstances, list items are only needed on a temporary basis. For example, when an employee leaves the company, the IT department might want to monitor the employee's account for 90 days for any activity. Instead of having to manually remove the list item, it can be configured to be automatically removed in 90 days. The time span configured for expiring list items is counted from the time of the list's creation into the future. For example, if a Terminated User Account list was created on March 2nd at 12:00 PM with an expiration time of 10 days, all of the list items entered in the list expire at the same time. The last configured time span is saved when the list is saved. If new items are added to the list 5 days after it was saved, the new list items expire in 10 days from the current day. If the intention was to add more items to the list that needed to expire on the same day as the original items, the day field and the hours and minutes field have to be adjusted before the new items are added to the list.
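The expiration behavior described above, as an added example that is not part of the original documentation: the list stores one time span, every item expires that span after the moment it was added, and items added later therefore outlive the originals unless the span is shortened first. The class, the `span_to_match` helper and the timeline (year assumed) are constructed for the example.

```python
from datetime import datetime, timedelta

class ExpiringList:
    """Models the expiration rule: the list stores one time span, and each
    item expires that span after the moment it was added (constructed model)."""
    def __init__(self, name, span):
        self.name = name
        self.span = span      # last configured time span, saved with the list
        self.items = {}       # item value -> expiry datetime

    def add(self, values, now):
        for value in values:
            self.items[value] = now + self.span

    def set_span(self, span):
        self.span = span

    def active(self, now):
        """Items that have not yet expired at `now`."""
        return sorted(v for v, expiry in self.items.items() if expiry > now)

def span_to_match(existing_expiry, now):
    """Time span to configure so items added at `now` expire together with
    items that already expire at `existing_expiry` (hypothetical helper)."""
    return existing_expiry - now

if __name__ == "__main__":
    # Constructed timeline: list saved March 2 at 12:00 PM with a 10-day expiry.
    created = datetime(2024, 3, 2, 12, 0)
    terminated = ExpiringList("Terminated User Accounts", timedelta(days=10))
    terminated.add(["jdoe"], created)                # expires March 12
    five_days_later = created + timedelta(days=5)
    terminated.add(["asmith"], five_days_later)      # expires March 17, not March 12
    terminated.set_span(span_to_match(terminated.items["jdoe"], five_days_later))
    terminated.add(["bwong"], five_days_later)       # aligned to March 12
    for user, expiry in terminated.items.items():
        print(user, expiry)
```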