The Network Detection and Response Module (NDRM) is a collection of AI Engine rules designed to detect unusual or malicious user activity that is occurring within your organization’s network.

The Network Threat Detection Module contains licensed content that is available only to registered customers with a valid maintenance contract.

Prerequisites

This guide assumes the following:

  • The Network Detection and Response Module has been imported and the desired AI Engine rules are enabled following the steps in the Network Detection and Response Module Deployment Guide.
  • Appropriate log sources, such as LogRhythm Sysmon, Windows Security Events, Firewalls, Intrusion Detection Systems, Anti-Virus and others have been configured to work with LogRhythm. For more information, see the Device Configuration Guides available on the LogRhythm Community.
  • The network entity structure has been configured so that internal and external sources can be distinguished for directional traffic.
  • The LogRhythm Lists referenced by rules in this Module have been configured to the organization’s environment.

How to Use This Guide

This guide is meant to be used as a day-to-day reference for the Network Threat Detection Module content. All the content included in this module is listed here along with a detailed explanation, suggested response, and configuration and tuning notes.

  • Suppression Period. The Suppression Period defines how much time must pass before the same AI Engine rule can be triggered again for the same set of criteria.
  • Environmental Dependence Factor. EDF is a high-level quantification of how much configuration and tuning effort is required for an AI Engine rule to perform as expected. This setting has no impact on processing.
  • False Positive Probability. FPP is a factor expressing how likely it is that an event represents a real risk, as follows:
    • 0: The event represents a real risk less than 1 time out of 10.
    • 1: The event represents a real risk 1 time out of 10.
    • 9: The event represents a real risk 9 times out of 10.
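The Suppression Period described above is a per-rule, per-criteria throttle: once a rule fires for a given combination of grouped fields, it stays quiet for that combination until the period elapses, while other combinations keep firing. The following is an added example, not LogRhythm's own code or an exact model of AI Engine behaviour; it assumes (hypothetically) that each alarm candidate is a dict with a `rule` name, a `criteria` mapping of the grouped fields, and an epoch-second `ts`, and that a suppressed trigger does not restart the window.

```python
"""Added example (not LogRhythm code): a minimal suppression window that
mirrors the Suppression Period concept, keyed on rule + criteria set."""
from dataclasses import dataclass, field
from typing import Any, Dict, List, Tuple

CriteriaKey = Tuple[str, Tuple[Tuple[str, Any], ...]]


@dataclass
class Suppressor:
    """Remembers when each (rule, criteria) pair last fired and blocks
    re-firing until that rule's suppression period has elapsed."""
    periods: Dict[str, int]                       # rule name -> seconds
    last_fired: Dict[CriteriaKey, float] = field(default_factory=dict)

    @staticmethod
    def _key(rule: str, criteria: Dict[str, Any]) -> CriteriaKey:
        # Sort the criteria so field order does not create a distinct key.
        return (rule, tuple(sorted(criteria.items())))

    def should_fire(self, rule: str, criteria: Dict[str, Any], ts: float) -> bool:
        """True if the alarm should be raised; False if it is suppressed.
        Only a raised alarm updates the timestamp, so repeated suppressed
        hits do not extend the window (assumption, see lead-in)."""
        key = self._key(rule, criteria)
        period = self.periods.get(rule, 0)          # 0 = no suppression
        last = self.last_fired.get(key)
        if last is not None and ts - last < period:
            return False
        self.last_fired[key] = ts
        return True


def process(events: List[dict], periods: Dict[str, int]) -> List[dict]:
    """Return the events that would raise an alarm, in arrival order."""
    sup = Suppressor(periods)
    return [e for e in events if sup.should_fire(e["rule"], e["criteria"], e["ts"])]


# Constructed sample data (hypothetical rule name and hosts): three hits for
# the same host/account inside the window, one for a different account, and
# one for the first account after the window has expired.
RULE = "Example Outbound Rule"
SAMPLE_EVENTS = [
    {"rule": RULE, "criteria": {"host": "ws-017", "user": "alice"}, "ts": 1000},
    {"rule": RULE, "criteria": {"host": "ws-017", "user": "alice"}, "ts": 1020},
    {"rule": RULE, "criteria": {"user": "alice", "host": "ws-017"}, "ts": 1050},
    {"rule": RULE, "criteria": {"host": "ws-017", "user": "bob"},   "ts": 1055},
    {"rule": RULE, "criteria": {"host": "ws-017", "user": "alice"}, "ts": 1300},
]
PERIODS = {RULE: 300}  # five-minute suppression period for this rule

if __name__ == "__main__":
    for e in process(SAMPLE_EVENTS, PERIODS):
        print(e["ts"], e["criteria"])
```

Running the sample raises alarms at 1000 (alice), 1055 (bob, a different criteria set) and 1300 (alice again, exactly 300 s later); the hits at 1020 and 1050 are suppressed even though one lists the criteria fields in a different order. When tuning, a longer period reduces alarm volume for noisy rules, but a period longer than the investigation cadence can hide a recurrence that should have been reviewed.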

This guide is divided into the following sections: