This guide describes how to deploy the LogRhythm Network Detection and Response module (NDRM), designed to help organizations detect and respond to network-based security events. This module utilizes deep forensic visibility into network traffic to detect a wide variety of advanced threats. The Network Detection and Response module performs best when paired with LogRhythm’s network forensics solution, LogRhythm NetMon. The NDRM replaces the Network Threat Detection module. No further modifications will be performed on the NTD module.

Module Contents

This module adds to an existing LogRhythm deployment, as follows:

  • 77 AI Engine Rules (15 Progression Rules)
  • 5 Investigations
  • 1 Tail
  • 22 Lists
  • 8 Reports

Prerequisites

The deployment of this module assumes the following:

  1. The overall LogRhythm deployment is in a fully-deployed and healthy state.
  2. LogRhythm version 7.1 or later is installed. Version 7.2 or higher is recommended to fully populate the Web Console dashboards associated with this module. 
  3. The entity structure is appropriately configured to identify DMZ and Internal networks.

Data Collection Requirements

A limited number of the included AI Engine Rules can operate using firewall or network flow data. However, these log sources don’t provide rich contextual and forensic detail, especially when investigating alarms. It is recommended that Network Monitor be deployed to monitor all gateway and core switch network traffic. This ensures visibility into both internal traffic and traffic crossing the perimeter. For more information, see Network Detection and Response—AI Engine Rules.

Required Information

The following information should be gathered prior to implementing the Network Detection and Response Module. This information is needed when populating lists and configuring individual AI Engine Rules.  

  • Company owned Public IP addresses/ranges
  • IP/Hostnames of internal and DMZ web servers
  • IP/Hostnames of internal and DMZ mail servers
  • IP/Hostnames of vulnerability scanners
  • IP Ranges or Entities of SCADA devices
  • Unauthorized applications or applications deemed risky
  • Authorized Applications
  • TCP/IP ports of authorized web applications
  • Allowed ingress ports
  • Allowed egress ports
  • Whitelisted countries
  • Blacklisted countries

Overview of Steps

This guide is divided into the following sections:

Network Detection and Response Deployment Guide—Import and Synchronize the ModuleNetwork Detection and Response Deployment Guide—Configure the Module