Filters—Profile
The Profile tab appears on a Whitelist Profile linked data block only.
It is used to specify the collection interval for the whitelist, where it is stored, and provides a means of viewing and editing the resulting whitelist.
To complete the Whitelist Profile
- Enter the Collection Interval. The default collection interval is 48 hours from rule creation.
- To change the duration, change the End Time.
- To start the collection in the future, change the Start Time.
- Select a Storage Area:
- emdb. The default value while allows the whitelist to be stored in a table in the EMDB database. This allows the resulting whitelist to be viewed and edited via the View Data button.
baseline. Stores the data in a file on the AIE Server in the state\baseline folder—this option can be useful for very large profiles, or when you want to use a script or other means to refresh the file dynamically after the initial collection interval.
In some cases, when using the emdb storage option, edits to the learned data are not recognized. To avoid this issue, it is recommended that the baseline option be used in all cases. After the learning period, changes to the whitelist entries can be made in the CSV file saved to C:\ProgramFiles\LogRhythm\LogRhythm AI Engine\state\baseline.
- (Optional) Enter a Storage Name. A storage name is generated for you.
- Set the data Format. The default is Comma Separated Value.
To view data from the EMDB storage only, click View Data.
This is only available for EMDB storage, and only after the AI Engine starts building the corresponding whitelist. The file is read-only during the collection interval, but may be modified and saved after the rule goes from Learning to Enabled. If the file is edited and saved, the engine automatically picks up the changes in approximately 1 minute.