Skip to main content
Skip table of contents

Whitelist Page

To access the Whitelist page:

  1. Log in to LogRhythm NDR's new UI.
  2. Click Settings from the sidebar menu and then click Policy Management.
    There are 5 tabs available on the Policy Management page.
  3. Click the Whitelist tab.
    A list of Whitelist rules is presented in a table with details such as Occurred On, Entry UUID, Category, and Src.
    The user can delete or edit a whitelist based on requirements.
  4. To add or remove column headers, click the Show Columns icon.
  5. To bulk upload a whitelist, click Bulk Upload.
  6. To add a whitelist, click Add Whitelist and select from the various parameters available.

    SourceSource IP address of the security event
    Source HostSource host name of the security event
    Source UserSource user name of the security event
    DestinationDestination IP address of the security event
    Destination HostDestination host name of the security event
    Destination UserDestination user name of the security event
    Event CategoryEvent category of the security event
    Event AttributeEvent attribute of the security event
    Event Trigger IDEvent trigger ID of the security event
    Event TriggerEvent trigger of the security event
    ApplicationApplication used by the security event
    User AgentUser agent used by the security event
    Entry SourceEntry source of the security event
    Entry OriginEngine that has created this security event
    SiteThe website involved with logs and event.
    PathThe file path in case of smbfiles or IP addresses involved in transmission in case of smtp logs.
    QueryQuery to get the related logs of this security event
    IndicatorIntel event's indicator
    Indicator TypeIntel event's indicator type
    ProtocolProtocol used by the security event
    Threat LevelIndicates the threat level in green, orange, etc.
    Expires OnExpiry date for this whitelist rule
    Exclude InternalExcludes security events which are internal to a network
    URLURL of the security event
    ReasonReason for creating this whitelist rule
    xff_ipHTTP header used to track the original IP address of a user connecting to a web server through a proxy or load balancer.

New Fields

New fields such as Destination User, Event Trigger ID, Path, Site, and Query are added to the Update/Delete Whitelist page and in the Whitelist entry table. The user can more efficiently use the whitelist option with these additional fields. These fields can also be used while bulk whitelisting. The additional fields are available when we whitelist a case/incident in the Cases/Incidents page.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.