
Core Threat Detection Deployment Guide – Import and Synchronize the Module

The following information should be gathered before implementing the Core Threat Detection Module. This information is required when populating Lists and configuring individual AI Engine Rules:

  • Privileged groups
  • Critical network devices
  • Vulnerability scanners

The Core Threat Detection Module is part of the LogRhythm Knowledge Base (KB). Updating the KB automatically creates the proper Lists and AI Engine Rules.

  1. In the Client Console, on the Tools menu, click Knowledge, and then click Knowledge Base Manager.

    To open the Knowledge Base Manager, the Deployment Manager must be closed.

  2. Under Knowledge Base Modules, find the Core Threat Detection module.
    If the module is available, you will see Core Threat Detection in the grid. If the module name does not appear, update the Knowledge Base by doing either of the following:
    • Automatic Download. Click Check for Knowledge Base Updates, and then click Synchronize Stored Knowledge Base.
    • Manual Download. For manual download instructions, see Import a Knowledge Base.
  3. Locate the Enabled column in the grid. If the box is checked, the module is already enabled and available to users in the SIEM deployment. If the Enabled box is not checked, enable the module by selecting its Action check box, right-clicking the module name, clicking Actions, and then clicking Enable Module.
    A dialog box for enabling the selected module(s) appears.
  4. Leave the Enable Intelligent Indexing on Module Objects option cleared unless you fully understand the effects of this setting. For more information, see the Use Intelligent Indexing topic in the SIEM Reference Guide.