To access the Whitelist page:
- Log in to LogRhythm NDR's new UI.
- Click Settings from the sidebar menu and then click Policy Management.
There are 5 tabs available on the Policy Management page.
- Click the Whitelist tab.
A list of Whitelist rules is presented in a table with details such as Occurred On, Entry UUID, Category, and Src.
The user can delete or edit a whitelist based on requirements.
- To add or remove column headers, click the Show Columns icon.
- To bulk upload a whitelist, click Bulk Upload.
To add a whitelist, click Add Whitelist and select from the various parameters available.
| Field | Description |
| --- | --- |
| Source | Source IP address of the security event |
| Source Host | Source host name of the security event |
| Source User | Source user name of the security event |
| Destination | Destination IP address of the security event |
| Destination Host | Destination host name of the security event |
| Destination User | Destination user name of the security event |
| Event Category | Event category of the security event |
| Event Attribute | Event attribute of the security event |
| Event Trigger ID | Event trigger ID of the security event |
| Event Trigger | Event trigger of the security event |
| Application | Application used by the security event |
| User Agent | User agent used by the security event |
| Entry Source | Entry source of the security event |
| Entry Origin | Engine that created this security event |
| Site | The website involved with the logs and event |
| Path | The file path (for smbfiles logs) or the IP addresses involved in the transmission (for smtp logs) |
| Query | Query that retrieves the logs related to this security event |
| Indicator | Indicator of the intel event |
| Indicator Type | Indicator type of the intel event |
| Protocol | Protocol used by the security event |
| Threat Level | Threat level of the security event (green, orange, etc.) |
| Expires On | Expiry date of this whitelist rule |
| Exclude Internal | Excludes security events that are internal to the network |
| URL | URL of the security event |
| Reason | Reason for creating this whitelist rule |
| xff_ip | Value of the X-Forwarded-For HTTP header, used to track the original IP address of a user connecting to a web server through a proxy or load balancer |
The fields Destination User, Event Trigger ID, Path, Site, and Query have been added to the Update/Delete Whitelist page and to the Whitelist entry table, so whitelist rules can be scoped more precisely than by source, destination, and category alone. These fields can also be used when bulk whitelisting, and they are available when whitelisting a case or incident from the Cases/Incidents page.
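Every whitelist rule is a deliberate blind spot in detection, so it pays to audit the rule set for entries that have no Reason, never expire, or match on a single broad field such as Event Category. The script below is an added example and is not LogRhythm code: it reads a constructed list of rules keyed by the field names in the table above, and the export layout (one dict per rule, ISO dates in Expires On) and the choice of which fields count as "broad" are assumptions, not something the product documentation specifies.

```python
from datetime import date

# Fields that constrain which security events a rule matches (names from the
# Add Whitelist form). Expires On, Exclude Internal and Reason are rule
# metadata, not match criteria, so they are deliberately left out.
MATCH_FIELDS = [
    "Source", "Source Host", "Source User", "Destination", "Destination Host",
    "Destination User", "Event Category", "Event Attribute", "Event Trigger ID",
    "Event Trigger", "Application", "User Agent", "Entry Source", "Entry Origin",
    "Site", "Path", "Query", "Indicator", "Indicator Type", "Protocol",
    "Threat Level", "URL", "xff_ip",
]

# Assumption: a rule that matches on only one of these fields suppresses a whole
# class of events rather than one known-good pairing, so it is flagged.
BROAD_FIELDS = {"Event Category", "Threat Level", "Protocol",
                "Entry Source", "Entry Origin", "Indicator Type"}

# Fixed reference date so the audit is reproducible.
AUDIT_DATE = date(2024, 6, 1)

# Constructed sample export (hypothetical layout: one dict per rule).
SAMPLE_RULES = [
    {"Entry UUID": "a1", "Source": "10.0.5.20", "Destination": "10.0.9.8",
     "Event Category": "scan", "Expires On": "2099-01-01",
     "Reason": "Authorised vulnerability scanner"},
    {"Entry UUID": "a2", "Event Category": "malware",
     "Expires On": "2020-01-01", "Reason": "Old false positive"},
    {"Entry UUID": "a3", "Source User": "svc_backup",
     "Expires On": "", "Reason": ""},
]


def audit_rule(rule, today=None):
    """Return a list of findings for one whitelist rule (empty if clean)."""
    today = today or date.today()
    findings = []

    if not rule.get("Reason", "").strip():
        findings.append("missing Reason")

    expires = rule.get("Expires On", "").strip()
    if not expires:
        findings.append("no Expires On (rule never expires)")
    else:
        try:
            if date.fromisoformat(expires) < today:
                findings.append("expired on %s" % expires)
        except ValueError:
            findings.append("unparseable Expires On %r" % expires)

    set_fields = [f for f in MATCH_FIELDS if rule.get(f, "").strip()]
    if not set_fields:
        findings.append("matches every event (no match fields set)")
    elif len(set_fields) == 1 and set_fields[0] in BROAD_FIELDS:
        findings.append("matches on a single broad field: %s" % set_fields[0])

    return findings


def audit(rules, today=None):
    """Map each rule's Entry UUID to its findings."""
    return {r["Entry UUID"]: audit_rule(r, today) for r in rules}


if __name__ == "__main__":
    for uuid, findings in audit(SAMPLE_RULES, AUDIT_DATE).items():
        print(uuid, "OK" if not findings else "; ".join(findings))
```

Run against a real export, the expired entries are candidates for deletion via the Whitelist tab, and the entries with a single broad match field are the ones worth narrowing with the newer fields (Destination User, Event Trigger ID, Path, Site, Query) before the next bulk upload.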