Proactively Create and Allow Whitelist
- Log in to the LogRhythm NDR UI.
- Point to the Settings tab, click Policy Management, and then click Whitelist.
The Whitelist page appears. To create a Proactive Whitelist, enter your data into the relevant fields.
For a plain text match, enter your plain text in the field and leave the check box unchecked.
For a regular expression match, enter your regex in the field and click the check box.
| Field | Description |
| --- | --- |
| Source | Source IP address of the security event |
| Expiry Date | Expiry date for this whitelist rule |
| Source Host | Source host name of the security event |
| Source User | Source user name of the security event |
| Destination | Destination IP address of the security event |
| Destination Host | Destination host name of the security event |
| Destination User | Destination user name of the security event |
| Entry Source | Entry source of the security event |
| Entry Origin | Engine that has created this security event |
| Indicator | Intel event's indicator |
| Indicator Type | Intel event's indicator type |
| Threat Level | Indicates the threat level in green, orange, etc. |
| Exclude Internal | Excludes security events which are internal to a network |
| URL | URL of the security event |
| Event Category | Event category of the security event |
| Event Attribute | Event attribute of the security event |
| Trigger | Event trigger of the security event |
| Trigger_id | Event trigger id of the security event |
| Path | The file path in case of smbfiles or IP addresses involved in transmission in case of smtp logs. |
| Site | The website involved with logs and event. |
| Query | The DNS query involved in the security event. |
| Status Code | The status code returned to the request/response for a HTTP request. |
| Dest_port | The port number of the destination machine to which the data is routed. |
| Src_port | The port number of the source machine from where the data is sent. |
| Event_extra_attributes | The extra attributes related to an event. |
| Application | Application used by the security event |
| User Agent | User agent used by the security event |
| Protocol | Protocol used by the security event |
| Reason | Reason for creating this whitelist rule |
| xff_ip | HTTP header used to track the original IP address of a user connecting to a web server through a proxy or load balancer. |
- Click Add.
The message "Whitelist Inserted Successfully" appears.
- To confirm that the Whitelist is successfully added, check the whitelist list at the bottom of the page.
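Added example, not LogRhythm code: a dry run of a whitelist rule against constructed events before it is entered in the UI, showing how a value entered with the regex check box ticked but without escaping or anchors suppresses more events than the same value as plain text. The event keys, the exact-match reading of plain text, and the unanchored `re.search` reading of regex are assumptions; this page does not state how NDR evaluates either.

```python
import re

# Constructed events. Keys are hypothetical stand-ins for the Source and
# Destination Host fields in the table above.
EVENTS = [
    {"source": "10.1.1.5", "destination_host": "backup.corp.example"},
    {"source": "10.1.1.50", "destination_host": "backup.corp.example"},
    {"source": "10.1.105.7", "destination_host": "backup.corp.example"},
    {"source": "10.1.1.5", "destination_host": "backup.corp.example.other.test"},
]

# Rule = {field: (value, regex_checkbox_ticked)}
PLAIN = {"source": ("10.1.1.5", False),
         "destination_host": ("backup.corp.example", False)}
LOOSE = {"source": ("10.1.1.5", True),
         "destination_host": ("backup.corp.example", True)}
TIGHT = {"source": (r"^10\.1\.1\.5$", True),
         "destination_host": (r"^backup\.corp\.example$", True)}


def field_matches(value, pattern, is_regex):
    # Assumption: plain text compares exactly; regex is an unanchored search.
    if is_regex:
        return re.search(pattern, value) is not None
    return value == pattern


def suppressed(rule, events):
    """Events the rule would whitelist: every field in the rule must match."""
    return [e for e in events
            if all(field_matches(e.get(f, ""), p, rx)
                   for f, (p, rx) in rule.items())]


def overmatch(rule, intended, events):
    """Events the rule suppresses that the intended rule does not."""
    keep = suppressed(intended, events)
    return [e for e in suppressed(rule, events) if e not in keep]


if __name__ == "__main__":
    for name, rule in (("plain", PLAIN), ("loose regex", LOOSE), ("tight regex", TIGHT)):
        hits = suppressed(rule, EVENTS)
        extra = overmatch(rule, PLAIN, EVENTS)
        print(f"{name}: suppresses {len(hits)}, {len(extra)} beyond the intended event")
        for e in extra:
            print("   unintended:", e["source"], e["destination_host"])
```

Under these assumptions the unescaped dots and missing anchors in the loose rule also match `10.1.1.50`, `10.1.105.7` and a longer host name that merely contains the intended one.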