The Knowledge Base Manager can only be accessed when all other windows in the Client Console are closed.
Knowledge Base Modules and Objects Overview
The Knowledge Base Module and Objects architecture provides administrators flexibility and ease in managing objects within their deployment, including:
- The flexibility to import and synchronize only those modules (and their associated objects) that are relevant to the organization. This is managed through the enable and disable functionality of the module.
- The flexibility for administrators to choose if the module should be updated based on the latest LogRhythm module and objects (import by default), or if the module should remain as it is in the current deployment (do not import by default).
- Ease in identifying which modules are out of sync with LogRhythm’s latest version by viewing the Latest and Loaded version values for the module.
- Ease in identifying the specific LogRhythm objects as well as providing others the list of objects for a given module.
- Ability to modify the modules that are enabled and imported and synchronized from within the Knowledge Base Importer before the import begins.
Knowledge Base Modules
Knowledge Base Modules are prepackaged, customizable content applicable to a specific regulation or need, such as reports, investigations, alerts, AI Engine rules, or other applicable product areas. For example, the module named Compliance: NERC CIP contains objects for Alarm Rules, Investigations, Lists, Reports, and Report Packages that are useful in providing information necessary to meet NERC CIP requirements.
The LogRhythm Required Objects module is a module that is required for every deployment to function properly. Required modules are always imported and synchronized with every Knowledge Base import and are not editable by administrators.
The Knowledge Base Modules grid allows you to review existing KB modules and modify their status and synchronization settings. In this grid, you can perform the following actions:
- View and edit properties for a module
- Enable or disable a module
- Export the grid information to a file, including:
- Primary objects in the module
- Dependent objects in the module
- Primary and dependent objects in the module
The Knowledge Base Modules grid contains the columns described in the following table.
|Name||The name of the module|
|Description||The description for the module|
|Latest Version||The latest version of the module from the last Knowledge Base that was imported|
|Loaded Version||The version that is loaded in the deployment|
|Enabled||The indicator if the module is enabled in the deployment. This means that the module's objects are in the deployment (available to users). The module was imported and synchronized at one point.|
|Intelligent Indexing||Reports, Report Packages, Tails, and Investigations will have their log data indexed (in other words, brought online) into the applicable data source (Data Processor, LogMart, or both). The Global Log Processing Rules supersede Intelligent Indexing settings and can be used to take specific data offline.|
|Required||The indicator if the module is required and must be enabled, and therefore must be imported and synchronized.|
|Sync by Default||The indicator that this module should be imported and synchronized by default for any new Knowledge Base imports. This should be set if you want future versions of the module to be updated in your deployment. Unchecking this value is useful when you don’t want to import a newer version of the module because you have your objects set up in a specific manner and do not want anything to be over written.|
|Date Updated||The date the module was last updated|
|Record Status||The status of the record (either Active or Retired)|
|KB Module ID||The unique identifier for the module|
Knowledge Base Module Objects
Knowledge Base Objects are the specific LogRhythm objects associated with a module. Any updated or new objects related to a module can be imported and synchronized at the next Knowledge Base import based on settings applied by an administrator.
The following objects can be contained within a module:
- AI Engine Rules
- Alarm Rules
- FIM Policies
- Report Packages
- Report Templates
A primary object is an object that is intentionally associated with a module.
A dependent object is an object that is part of a primary object, but is not a primary object for the module. This could be a list that is part of an Alarm Rule, or it could be a report template that is associated with a report.
From the Module Objects grid, you can view the list of objects for the selected module. The grid contains the fields described in the following table.
|Object Type||The type of object: AI Engine Rule, Alarm Rule, FIM Policy, GLPR, Investigation, List, Report, Report Package, Report Template, Tail|
|Name||The name of the object|
|Dependent Object||The indicator for an object that is a dependent object for the module. This column only appears if View > Dependent Objects is selected.|
|Description||The description for the object|
|Date Updated||The date last updated|
|Record Status||The record status is either active or retired|
|Object ID||The unique identifier for the object|
Knowledge Base Manager Options
The following options are available on the Knowledge Base Manager toolbar.
|Synchronization Settings||Set the Synchronization Mode, Schedule, and Synchronize Additional System Properties. For more information, see Configure Knowledge Base Synchronization Settings.|
|Check for Knowledge Base Updates||Manually check for updates before the next scheduled update.|
|Synchronize Stored Knowledge Base||Synchronize the current knowledge base with the newly downloaded one. For more information, see Migrate Common Events.|
|Common Event Change Manager||Assist in the migration of the Common Events in your affected objects. For more information, see Common Event Change Manager below.|
|View Synchronization History||View a history of Knowledge Base synchronization activity, including the date, account, and a description of activity.|
Knowledge Base File
The Knowledge Base file contains the modules and their associated objects.
When LogRhythm Labs sends out periodic updates or new content for the Knowledge Base, administrators can choose when or if a module should be updated. There is a step within the import process that permits changes to the modules prior to importing. For more information, see Import a Knowledge Base.
Common Event Change Manager
The Common Event Change Manager is a tool that enables you to make the appropriate updates based on user input for common events that have been modified. If custom objects reference a consolidated common event, that object may no longer function properly. Impacted custom objects include: Saved Investigations, Saved Tails, Personal Dashboard Filters, Reports, Alarm Rules, GLPRs, AI Engine Rules.
Pre-Knowledge Base Import Inspection
When you start to load a new Knowledge Base (KB), a migration inspection is performed to determine what objects contained within the user environment will be affected by importing the selected KB. If objects that will be affected are identified, the CE migration manager opens in a read-only mode and allows you to view the items that will be affected. At that point, you have the option to proceed with the Import a Knowledge Base (Version 7.3.x) or cancel.
Post-Knowledge Base Import and User Launches Migration Manager
The Common Event Change Manager runs automatically prior to a Knowledge Base import in which migration affected objects were detected during the pre-Knowledge Base Import Inspection. You are also prompted to open this tool each time the Deployment Manager is opened as long as affected objects remain in the database.
The Common Event Change Manager consists primarily of a grid which displays all analytic objects that are affected by migrated common events. The grid contains controls for the user to select migration options for the objects and commit the selected changes.
Common Event Change Preview
The preview appears prior to a Knowledge Base import. Normally, the Common Event Change Preview and the Common Event Change Manager display identical items. However, in some instances, the items in the Common Event Change Preview may be slightly different than the items shown in the Common Event Change Manager. Some items that are affected may not show up and some items that are not affected may show up. One case is when custom MPE rules use completely migrated common events.