Core Threat Detection Deployment Guide – Configure the Module
Configure Lists
There are user-configurable lists included with the module. Use these lists to narrow the scope of AI Engine Rules and to filter events. Refer to the Description section of the List Properties to verify what should be added to the list.
- Open the LogRhythm Console and click List Manager on the main toolbar.
- Use the Name or List ID column filter to find the list you want.
- To open the List Properties window, double-click the list.
- Click on the List Items tab, and then click Add Item.
- Use the Add Item dialogue to add items to the list individually, or click Import to import a text file or clipboard contents.
- Click Apply and then click OK.
To identify which lists need to be configured in the environment, see the List matrix.
Configure Individual AI Engine Rules
This module contains a collection of AI Engine Rules. Some rules require additional configuration to ensure that they will work properly. For configuration steps, see the AI Engine Rule matrix.
Enable AI Engine Rules
- Open the LogRhythm Console and click Deployment Manager on the main toolbar.
- Click the AI Engine tab.
- Filter in the Rule Group column for Core Threat Detection to find AI Engine rules tied to this module.
- Select the Action checkbox of each rule you want to configure.
- Right-click the AI Engine Rule Manager, click Actions, click Batch Enable Alarms, and then click Enable Alarms.
If the Restart column displays “Needed” for a rule, you must restart the AI Engine service to load the new rules. Click Restart AI Engine Servers at the top of the window. (This action only restarts the necessary services, not the appliance itself.)
You must select the AI Engine instance in the View field to see the Restart column.
To view tuning and configuration notes for a rule, right-click the rule, click Properties, and then click the Information tab.
Your LogRhythm Professional Services Engineer can also provide assistance with tuning AI Engine Rules for your environment.
Enable AI Engine Rule Alarming
By default, alarming is turned off for all AI Engine Rules. Even without alarms, events are generated when a rule is enabled and its criteria are satisfied. These events are displayed in the Web Console Dashboard and can be seen by running an Investigation or Tail against the Platform Manager.
Before enabling Alarming, review these events and tune the rules as necessary to reach an acceptable level of false positives. Refer to the Core Threat Detection Module User Guide for information about tuning individual AI Engine Rules. When tuning is finished, enable alarming on the rules to bring events to the alarm layer, providing visibility to the monitoring team and allowing for notification and SmartResponse.
- Open the LogRhythm Console and click Deployment Manager.
- Click the AI Engine tab.
- Filter in the Rule Group column for Network Threat Detection to find AI Engine rules tied to this module.
The value in the Alarm Status column indicates whether the alarm is enabled for a rule.
- Select the Action checkbox of each rule you want to configure.
- Right-click the grid, click Actions, click Batch Enable Alarms, and then click Enable Alarms.
Alarm settings are located on the Settings tab of the Alarm Properties dialogue box.