Core Threat Detection Module User Guide
The Core Threat Detection Module is a collection of AI Engine rules designed to detect unusual or malicious activity that is occurring on an organization’s network. This guide is for LogRhythm administrators who are responsible for the security of their organization’s infrastructure. Other security suite documentation can be used when upgraded to more advanced rule sets. LogRhythm publications and Support contact information are available on the LogRhythm Support Portal, and additional information can be found in the LogRhythm Community.
This guide assumes the following:
- The Core Threat Detection Module has been imported and the AI Engine rules you want are enabled following the steps in the Core Threat Detection Module Deployment Guide.
- Appropriate log sources, such as LogRhythm System Monitor Agents, Windows Security Events, Firewalls, Intrusion Detection Systems, Anti Virus, and others have been configured to work with LogRhythm.
- In order to identify internal and external sources for directional traffic, the network entity structure has been configured.
- The LogRhythm Lists referenced by rules in this suite have been configured to the organization’s environment.
How to Use This Guide
This guide is meant to be used as a day-to-day reference for the Core Threat Detection Module content. All the content included in this module is listed here along with a detailed explanation, suggested response, and configuration and tuning notes.
- Suppression Period. The Suppression Period defines how much time must pass before the same AI Engine rule can be triggered again for the same set of criteria.
- Environmental Dependence Factor. EDF is a high level quantification of how much effort is required in configuration and tuning for an AI Engine rule to perform as expected. This setting has no impact on processing.
- False Positive Probability. FPP is a factor determining how likely it is that an event represents a real risk, as follows:
- 0: The event represents a real risk less than 1 time out of 10.
- 1: The event represents a real risk 1 time out of 10.
- 9: The event represents a real risk 9 times out of 10.
This guide is divided into the following sections: