Associate Vendor Lists with LogRhythm Lists

The Advanced Intelligence Engine (AIE) rules in the Threat Intelligence Module utilize the LogRhythm Threat lists. To tune the AIE rules to a vendor, you must associate the vendor lists with the LogRhythm lists. For more information about the association between LogRhythm and vendor lists, see Vendor Lists.

  1. In the LogRhythm Client Console, click Tools, click Knowledge, and then click List Manager.

  2. In the List Manager you can see the threat lists that the LogRhythm Knowledge Base has added to your deployment. For example, if you selected the Symantec module, type symantec in the List Manager Name filter field to see all of the Symantec lists.

    These lists are empty until you start the LogRhythm Threat Intelligence Service and collect some threat data.


  3. To see the LogRhythm Threat lists, type LR Threat in the List Manager Name filter field. The following LogRhythm lists display:

    LR Threat List : Email Address : Malware
    LR Threat List : Email Address : Phishing
    LR Threat List : Email Address : Suspicious
    LR Threat List : Email Subject : Phishing
    LR Threat List : File Name : Malware
    LR Threat List : File Path : Malware
    LR Threat List : IP : Attack
    LR Threat List : IP : Bot
    LR Threat List : IP : Fraud
    LR Threat List : IP : Malware
    LR Threat List : IP : Phishing
    LR Threat List : IP : Suspicious
    LR Threat List : Process : Malware
    LR Threat List : URL : Attack
    LR Threat List : URL : Bot
    LR Threat List : URL : Fraud
    LR Threat List : URL : Malware
    LR Threat List : URL : Phishing
    LR Threat List : URL : Suspicious
    LR Threat List : User Agent : Attack

  4. Double-click one of the LR Threat lists.
    The List Properties dialog box appears.

  5. Click the List Items tab, then click Add List.

  6. Type the vendor name in the Text Filter field, then click Apply.

  7. Select the corresponding Top list for each category.

    The Top lists contain the 15,000 highest-risk identifiers, and the All lists contain up to 30,000 records. An All list may be larger than the LogRhythm system supports, so do not enable one until you understand the size of the data set.


  8. Click OK to close the List Selector, and then click OK to close the List Properties dialog box.

  9. Repeat steps 4 through 8 for each LogRhythm list you want to modify.
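As an added example (not part of the LogRhythm documentation or product), the following Python script plans the step 7 associations offline before you open each List Properties dialog: it maps every LR Threat list named in step 3 to the vendor Top list with the same type and category, and sets the All lists aside with their record counts so their size is reviewed deliberately. The vendor list naming scheme "Vendor : Type : Category : Top|All" and the record counts in VENDOR_LISTS are constructed assumptions for this example, not the real vendor list names.

```python
# LR Threat List names as shown in the List Manager when filtering on "LR Threat".
LR_THREAT_LISTS = [f"LR Threat List : {t} : {c}" for t, cats in {
    "Email Address": ["Malware", "Phishing", "Suspicious"],
    "Email Subject": ["Phishing"],
    "File Name": ["Malware"], "File Path": ["Malware"], "Process": ["Malware"],
    "IP": ["Attack", "Bot", "Fraud", "Malware", "Phishing", "Suspicious"],
    "URL": ["Attack", "Bot", "Fraud", "Malware", "Phishing", "Suspicious"],
    "User Agent": ["Attack"],
}.items() for c in cats]

TOP_MAX, ALL_MAX = 15000, 30000  # list sizes stated in step 7

# Constructed vendor inventory (name -> record count). The "Vendor : Type :
# Category : Tier" naming and the counts are assumptions made for this
# example, not the real vendor list names in a LogRhythm deployment.
VENDOR_LISTS = {
    "Symantec : IP : Malware : Top": 15000,
    "Symantec : IP : Malware : All": 30000,
    "Symantec : URL : Phishing : Top": 14200,
    "Symantec : URL : Phishing : All": 30000,
    "Symantec : Email Address : Spam : Top": 9000,  # no LR category for Spam
}


def split_name(name):
    """Split 'A : B : C' into ('A', 'B', 'C'), tolerating uneven spacing."""
    return tuple(part.strip() for part in name.split(":"))


def plan_associations(vendor, lr_lists=LR_THREAT_LISTS, vendor_lists=VENDOR_LISTS):
    """Return (plan, skipped). plan maps each LR Threat List to the vendor's Top
    list with the same type and category (the step 7 rule); skipped holds every
    vendor list left unassociated and why, so the All lists get a deliberate
    size review instead of being enabled by accident."""
    lr_by_key = {split_name(n)[1:]: n for n in lr_lists}  # ("IP", "Malware") -> LR name
    plan, skipped = {}, []
    for name, count in vendor_lists.items():
        v, vtype, category, tier = split_name(name)
        if v != vendor:
            continue
        lr_name = lr_by_key.get((vtype, category))
        if lr_name is None:
            skipped.append((name, "no matching LR Threat List"))
        elif tier != "Top":
            skipped.append((name, f"{tier} list, {count} of up to {ALL_MAX} records; review size first"))
        else:
            plan[lr_name] = name
    return plan, skipped
```

Any LR Threat list absent from the returned plan still has no vendor coverage and needs no List Properties edit for that vendor.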