
Proactively Create and Allow Whitelist

  1. Log in to the LogRhythm NDR UI.
  2. Point to the Settings tab, click Policy Management, and then click Whitelist.
    The Whitelist page appears.
  3. To create a Proactive Whitelist, enter your data into the relevant fields.

    For a plain text match, enter your plain text in the field and leave the check box unchecked.

    For a regular expression match, enter your regex in the field and click the check box.

    | Field | Description |
    |---|---|
    | Source | Source IP address of the security event |
    | Expiry Date | Expiry date for this whitelist rule |
    | Source Host | Source host name of the security event |
    | Source User | Source user name of the security event |
    | Destination | Destination IP address of the security event |
    | Destination Host | Destination host name of the security event |
    | Destination User | Destination user name of the security event |
    | Entry Source | Entry source of the security event |
    | Entry Origin | Engine that has created this security event |
    | Indicator | Intel event's indicator |
    | Indicator Type | Intel event's indicator type |
    | Threat Level | Indicates the threat level in green, orange, etc. |
    | Exclude Internal | Excludes security events which are internal to a network |
    | URL | URL of the security event |
    | Event Category | Event category of the security event |
    | Event Attribute | Event attribute of the security event |
    | Trigger | Event trigger of the security event |
    | Trigger_id | Event trigger id of the security event |
    | Path | The file path in the case of smbfiles, or the IP addresses involved in transmission in the case of smtp logs |
    | Site | The website involved with logs and event |
    | Query | The DNS query involved in the security event |
    | Status Code | The status code returned to the request/response for an HTTP request |
    | Dest_port | The port number of the destination machine to which the data is routed |
    | Src_port | The port number of the source machine from where the data is sent |
    | Event_extra_attributes | The extra attributes related to an event |
    | Application | Application used by the security event |
    | User Agent | User agent used by the security event |
    | Protocol | Protocol used by the security event |
    | Reason | Reason for creating this whitelist rule |
    | xff_ip | HTTP header used to track the original IP address of a user connecting to a web server through a proxy or load balancer |

  4. Click Add.
    The message "Whitelist Inserted Successfully" appears.
  5. To confirm that the Whitelist is successfully added, check the whitelist list at the bottom of the page.
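
Before entering a regex in step 3, it helps to check which events the rule would suppress. The following is an added example, not LogRhythm code: the event keys and rule layout are hypothetical, the sample events are constructed, and it assumes a plain text match means exact equality and a regex match means an unanchored search, which this page does not specify.

```python
import re

# Constructed sample events; the keys are hypothetical stand-ins for Whitelist fields.
EVENTS = [
    {"source": "10.0.5.12", "site": "updates.example.com"},
    {"source": "10.0.5.120", "site": "updates.example.com.evil.test"},
    {"source": "10.0.5.12", "site": "updates-example.com"},
]

# A rule maps field -> (value, regex check box ticked?).
LOOSE = {"site": ("updates.example.com", True)}
TIGHT = {"site": (r"^updates\.example\.com$", True)}
PLAIN = {"site": ("updates.example.com", False)}

def field_matches(value, pattern, is_regex):
    """Assumed semantics: plain text is exact equality, regex is an unanchored search."""
    if is_regex:
        return re.search(pattern, value) is not None
    return value == pattern

def suppressed(rule, events):
    """Indexes of events for which every populated rule field matches."""
    return [i for i, ev in enumerate(events)
            if all(field_matches(ev.get(f, ""), p, rx) for f, (p, rx) in rule.items())]

def lint(rule):
    """Flag regex fields that are probably broader than intended."""
    warnings = []
    for field, (pattern, is_regex) in rule.items():
        if not is_regex:
            continue
        if not (pattern.startswith("^") and pattern.endswith("$")):
            warnings.append(f"{field}: not anchored with ^...$")
        # A '.' that is neither escaped nor followed by a quantifier.
        if re.search(r"(?<!\\)\.(?![*+?{])", pattern):
            warnings.append(f"{field}: unescaped '.' matches any character")
    return warnings

if __name__ == "__main__":
    for name, rule in (("loose", LOOSE), ("tight", TIGHT), ("plain", PLAIN)):
        print(name, "suppresses events", suppressed(rule, EVENTS), lint(rule))
```

Under these assumptions the loose regex also suppresses the two look-alike hosts, while the anchored, escaped form and the plain text rule suppress only the intended one.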

