- Log in to the LogRhythm NDR UI.
- Click the Incidents tab.
The Incidents page appears, displaying a list of incidents in the table.
- Click the timestamp for any incident in the table.
The Incidents / Details page appears, displaying the Action drop-down menu in the upper-left corner.
- Click Action, and then click Whitelist.
The Add Whitelist Entry Page dialog box appears, populated based on the information from the incident.
- Select the checkboxes for the entry items you want to add to the whitelist. You can use CIDR notation if you want to whitelist a range of relevant values rather than a single value.
The new items are added, then the Add Whitelist Entry Page dialog box closes and the Inserting Whitelist dialog box appears.
- Click OK.
- To remove a whitelisted item, click Whitelist in the Action drop-down menu and uncheck that item.
- To remove all details from the screen without resetting the whitelist, click Reset.
- To close the Whitelist page at any point without making any changes, click X in the top-right corner.
- Close the Update/Delete Whitelist Entry page. You can now check the whitelisted case in the System/Whitelist page.
- To use regular expressions to include any future cases similar to this case and linked to the source, open the Update/Delete Whitelist Entry page and set the event as a whitelist.
- Select the Source Host checkbox and click Submit.
- In the Inserting Whitelist dialog box, click OK.
All future cases linked to this host and events will be automatically whitelisted. You can also select the Dest Host checkbox in the Update/Delete Whitelist Entry page.
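The CIDR option in the Add Whitelist Entry step covers every address in the range, not only the hosts seen in incidents you reviewed. The following added example (not LogRhythm code; the function names and sample addresses are constructed for illustration, IPv4 only) checks a proposed entry against the reviewed incident hosts and reports the tightest single range that still covers them.

```python
import ipaddress

def tightest_cidr(hosts):
    """Smallest single IPv4 network containing every address in `hosts`."""
    addrs = sorted(int(ipaddress.IPv4Address(h)) for h in hosts)
    lo, hi = addrs[0], addrs[-1]
    # Leading bits shared by the lowest and highest address form the prefix.
    prefix = 32 - (lo ^ hi).bit_length()
    return ipaddress.IPv4Network((lo, prefix), strict=False)

def review_entry(cidr, incident_hosts):
    """Compare a proposed CIDR whitelist entry with hosts from reviewed incidents."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    hosts = {ipaddress.IPv4Address(h) for h in incident_hosts}
    covered = {h for h in hosts if h in net}
    return {
        "entry": str(net),
        "size": net.num_addresses,
        # Reviewed hosts that fall inside the proposed range.
        "covered": len(covered),
        # Reviewed hosts the entry would NOT whitelist.
        "missed": sorted(str(h) for h in hosts - covered),
        # Addresses in the range that no reviewed incident involved.
        "unreviewed": net.num_addresses - len(covered),
        "tightest": str(tightest_cidr(incident_hosts)),
    }

if __name__ == "__main__":
    # Constructed sample: source hosts taken from three reviewed incidents.
    reviewed = ["10.20.30.17", "10.20.30.22", "10.20.30.29"]
    for proposed in ("10.20.30.0/24", "10.20.30.16/28"):
        r = review_entry(proposed, reviewed)
        print(f"{r['entry']}: {r['covered']} reviewed host(s) covered, "
              f"{r['unreviewed']} unreviewed address(es) also whitelisted, "
              f"missed={r['missed']}, tightest={r['tightest']}")
```

A large `unreviewed` count means the entry would also whitelist hosts that nobody has examined; compare it with the `tightest` range before submitting.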