
Associate Vendor Lists with LogRhythm Lists

The Advanced Intelligence Engine (AIE) rules in the Threat Intelligence Module utilize the LogRhythm Threat lists. To tune the AIE rules to a vendor, you must associate the vendor lists with the LogRhythm lists. For more information about the association between LogRhythm and vendor lists, see Vendor Lists.

  1. In the LogRhythm Client Console, click Tools, click Knowledge, and then click List Manager.
  2. In the List Manager, you can see the threat lists that have been added to your deployment by the LogRhythm Knowledge Base. For example, if you selected the Symantec module, type symantec in the List Manager Name filter field to see all of the Symantec lists.

    These lists are empty until you start the LogRhythm Threat Intelligence Service and collect some threat data.

  3. To see the LogRhythm Threat lists, type LR Threat in the List Manager Name filter field. The following LogRhythm lists display:

    LR Threat List : Email Address : Malware
    LR Threat List : Email Address : Phishing
    LR Threat List : Email Address : Suspicious
    LR Threat List : Email Subject : Phishing
    LR Threat List : File Name : Malware
    LR Threat List : File Path : Malware
    LR Threat List : IP : Attack
    LR Threat List : IP : Bot
    LR Threat List : IP : Fraud
    LR Threat List : IP : Malware
    LR Threat List : IP : Phishing
    LR Threat List : IP : Suspicious
    LR Threat List : Process : Malware
    LR Threat List : URL : Attack
    LR Threat List : URL : Bot
    LR Threat List : URL : Fraud
    LR Threat List : URL : Malware
    LR Threat List : URL : Phishing
    LR Threat List : URL : Suspicious
    LR Threat List : User Agent : Attack
  4. Double-click one of the LR Threat lists.
    The List Properties dialog box appears.
  5. Click the List Items tab, then click Add List.
  6. Type the vendor name in the Text Filter field, then click Apply.
  7. Select the corresponding Top list for each category.

    The Top lists contain the top 15,000 most risky identifiers, and the All lists contain a maximum of 30,000 records. The All lists may be larger than the LogRhythm system supports, and enabling them is not recommended until you understand the size of the data set.

  8. Click OK to close the List Selector, and then click OK to close the List Properties dialog box.
  9. Repeat steps 4 through 8 for each LogRhythm list you want to modify.