Whitelist Page

To access the Whitelist page:

1. Log in to LogRhythm NDR's new UI.
2. Click Settings from the sidebar menu and then click Policy Management.
   There are 5 tabs available on the Policy Management page.
3. Click the Whitelist tab.
   A list of Whitelist rules is presented in a table with details such as Occurred On, Entry UUID, Category, and Src.
   The user can delete or edit a whitelist based on requirements.
4. To add or remove column headers, click the Show Columns icon.
5. To bulk upload a whitelist, click Bulk Upload.

6. To add a whitelist, click Add Whitelist and select from the various parameters available.

   Field	Description
   Source	Source IP address of the security event
   Source Host	Source host name of the security event
   Source User	Source user name of the security event
   Destination	Destination IP address of the security event
   Destination Host	Destination host name of the security event
   Destination User	Destination user name of the security event
   Event Category	Event category of the security event
   Event Attribute	Event attribute of the security event
   Event Trigger ID	Event trigger ID of the security event
   Event Trigger	Event trigger of the security event
   Application	Application used by the security event
   User Agent	User agent used by the security event
   Entry Source	Entry source of the security event
   Entry Origin	Engine that has created this security event
   Site	The website involved with logs and event.
   Path	The file path in case of smbfiles or IP addresses involved in transmission in case of smtp logs.
   Query	Query to get the related logs of this security event
   Indicator	Intel event's indicator
   Indicator Type	Intel event's indicator type
   Protocol	Protocol used by the security event
   Threat Level	Indicates the threat level in green, orange, etc.
   Expires On	Expiry date for this whitelist rule
   Exclude Internal	Excludes security events which are internal to a network
   URL	URL of the security event
   Reason	Reason for creating this whitelist rule
   xff_ip	HTTP header used to track the original IP address of a user connecting to a web server through a proxy or load balancer.

New Fields

New fields such as Destination User, Event Trigger ID, Path, Site, and Query are added to the Update/Delete Whitelist page and in the Whitelist entry table. The user can more efficiently use the whitelist option with these additional fields. These fields can also be used while bulk whitelisting. The additional fields are available when we whitelist a case/incident in the Cases/Incidents page.