The current release (version 4) of the Core Threat Detection Module (CTDM) includes a substantial number of changes since the last release (version 3). This section should help you understand the implications of updating to the latest version of CTDM, based on your current deployment.
Existing. Refers to the original state of CTDM (v3 or lower) prior to upgrading to the current version (v4).
Upgrade. Refers to importing the KB that includes updates to CTDM.
Three-Step Upgrade Process
If you have never downloaded or activated the Core Threat Detection Module, you will automatically have all the CTDM v4 rules and settings. This scenario requires no special considerations. You can enable CTDM via the KB Manager, and enable rules and objects according to the suggestions outlined in the CTDM User Guide.
If you have previously downloaded and used the CTDM, you need to follow a three-step process:
- Decide whether to use Advanced Synchronization to pull down filter changes and other internal settings.
- Manually update the Risk Rating, FPP, Runtime Priority, Suppression Period, and Alarm on Event values.
- Manually retire obsolete, deleted, or outdated rules.
Each of these steps is discussed in detail below.
Step 1 – Use the Advanced Synchronization Settings and Reset the Module
When you synchronize a module, you can deploy some or all of the recommended settings. By default, the KB synchronization only updates the system fields that cannot be changed, such as the name and common event. Other editable settings, such as include/exclude filters or risk rating, are not updated. In the default synchronization, new filters are added, but existing filters are neither reset nor updated.
You may choose to synchronize more settings by using the Advanced Synchronization function. Some LogRhythm SIEM versions have advanced settings that allow you to synchronize values like Risk Rating, FPP, Runtime Priority, Suppression Period, and Alarm on Event automatically; with other LogRhythm versions, you may need to update these values manually.
To use Advanced Synchronization
- In the Client Console on the Tools menu, click Knowledge, and then click Knowledge Base Manager.
- Under AI Engine Rule Properties, select the Enable Advanced Synchronization Settings check box.
- In the Knowledge Base Manager, click Synchronization Settings, and then click the Synchronize Additional System Properties tab.
This setting synchronizes user-editable rule settings for all system AI Engine rules, including rule block time limit settings, unique value rule block occurrences, and threshold rule block values.
- Select the Only sync additional properties for disabled rules check box.
This only synchronizes advanced settings when the AI Engine rule has been disabled, preventing unexpected changes to currently active rules.
- Click OK and proceed with the KB synchronization.
Step 2 – Manually Update the Risk Rating, FPP, Runtime Priority, Suppression Period and Alarm on Event values
After the rules are synchronized, the Risk Rating, FPP, Runtime Priority, Suppression Period and Alarm on Event values will not be updated to the current values recommended by LogRhythm Labs.
To update the values, open each rule and change the Risk Rating, FPP, Runtime Priority, Suppression Period and Alarm on Event values according to the AIE Rules table. If you have tuned these values for your environment, you can retain your custom values instead of accepting the values suggested by LogRhythm.
Step 3 – Retire Old Content
CTDM v4 declared several previous rules obsolete or redundant. These rules are no longer part of the module. However, if you previously deployed CTDM v3, these obsolete rules are not removed as part of the upgrade. The old rules are left behind so you can gradually move to the new CTDM content and clean up any process you may have that depends on the old rules.
You can manually retire obsolete rules by looking at the module revisions for any rule that has been removed. Optionally, you can look at the naming structure, as all current rule names were updated to match the attack life cycle, and obsolete rules will have inconsistent names.
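The three steps above amount to a reconciliation between the rules you already have deployed and the rules the new KB ships. The following Python script is an added illustration of that reconciliation, not LogRhythm code: it models the default synchronization (system fields overwritten, new filters appended, editable values left alone), the Advanced Synchronization option restricted to disabled rules, the Step 2 worklist of editable values that still differ from the recommendation, and the Step 3 list of deployed rules the new module no longer contains. The rule dictionaries, field names, rule IDs and sample values are all constructed assumptions chosen to mirror the behaviour the page describes.

```python
"""Upgrade planner modelled on the CTDM v3 -> v4 synchronization behaviour.

Added example, not LogRhythm's own code. Field names and the sample rules are
assumptions; a real deployment would export this data from the Client Console.
"""
from copy import deepcopy

# Fields the page says the default sync always overwrites (system fields).
SYSTEM_FIELDS = ("name", "common_event")
# Editable fields the page says only Advanced Synchronization or a manual edit changes.
EDITABLE_FIELDS = ("risk_rating", "fpp", "runtime_priority",
                   "suppression_period", "alarm_on_event")


def default_sync(deployed, kb):
    """Default KB sync: overwrite system fields, append new filters, keep the rest."""
    merged = deepcopy(deployed)            # never mutate the caller's deployment
    for rule_id, kb_rule in kb.items():
        if rule_id not in merged:
            merged[rule_id] = deepcopy(kb_rule)   # brand-new rule arrives with KB values
            continue
        rule = merged[rule_id]
        for field in SYSTEM_FIELDS:
            rule[field] = kb_rule[field]
        for flt in kb_rule["filters"]:     # new filters are added, existing ones untouched
            if flt not in rule["filters"]:
                rule["filters"].append(flt)
    return merged


def advanced_sync(deployed, kb, only_disabled=True):
    """Advanced sync: default sync plus editable values, optionally only for disabled rules."""
    merged = default_sync(deployed, kb)
    for rule_id, kb_rule in kb.items():
        rule = merged[rule_id]
        if only_disabled and rule["enabled"]:
            continue                       # active rules keep their tuned values
        for field in EDITABLE_FIELDS:
            rule[field] = kb_rule[field]
    return merged


def manual_update_plan(deployed, kb):
    """Step 2 worklist: per rule, editable fields still differing from the KB value."""
    plan = {}
    for rule_id, kb_rule in kb.items():
        rule = deployed.get(rule_id)
        if rule is None:
            continue
        diffs = {f: (rule[f], kb_rule[f]) for f in EDITABLE_FIELDS if rule[f] != kb_rule[f]}
        if diffs:
            plan[rule_id] = diffs
    return plan


def obsolete_rules(deployed, kb):
    """Step 3: deployed rule IDs that the current module no longer contains."""
    return sorted(set(deployed) - set(kb))


# Constructed sample deployment: one tuned, enabled rule; one disabled rule; one rule
# the new module drops. IDs, names and values are invented for the illustration.
DEPLOYED_V3 = {
    1001: {"name": "Recon: Port Scan", "common_event": "Port Scan Detected", "enabled": True,
           "filters": ["Log Source Type = Firewall"], "risk_rating": 5, "fpp": 3,
           "runtime_priority": 5, "suppression_period": 60, "alarm_on_event": False},
    1002: {"name": "Malware: Beacon", "common_event": "Beaconing", "enabled": False,
           "filters": [], "risk_rating": 4, "fpp": 4, "runtime_priority": 4,
           "suppression_period": 30, "alarm_on_event": False},
    1003: {"name": "Generic Suspicious Activity", "common_event": "Suspicious", "enabled": True,
           "filters": [], "risk_rating": 3, "fpp": 5, "runtime_priority": 3,
           "suppression_period": 0, "alarm_on_event": False},
}
# Constructed sample KB: renamed rules, one extra filter, new recommended values, one new rule.
KB_V4 = {
    1001: {"name": "Attack Lifecycle: Recon - Port Scan", "common_event": "Port Scan Detected",
           "enabled": False, "filters": ["Log Source Type = Firewall", "Direction = Inbound"],
           "risk_rating": 7, "fpp": 2, "runtime_priority": 7, "suppression_period": 120,
           "alarm_on_event": True},
    1002: {"name": "Attack Lifecycle: C2 - Beacon", "common_event": "Beaconing",
           "enabled": False, "filters": ["Protocol = HTTP"], "risk_rating": 8, "fpp": 2,
           "runtime_priority": 8, "suppression_period": 60, "alarm_on_event": True},
    1004: {"name": "Attack Lifecycle: Exfil - Large Outbound Transfer",
           "common_event": "Data Exfiltration", "enabled": False, "filters": [],
           "risk_rating": 9, "fpp": 2, "runtime_priority": 9, "suppression_period": 60,
           "alarm_on_event": True},
}

if __name__ == "__main__":
    merged = advanced_sync(DEPLOYED_V3, KB_V4)
    print("Step 2 worklist:", manual_update_plan(merged, KB_V4))
    print("Step 3 retire:", obsolete_rules(DEPLOYED_V3, KB_V4))
```

Running the script with Advanced Synchronization limited to disabled rules leaves the enabled, tuned rule 1001 on the Step 2 worklist while the disabled rule 1002 is brought up to the recommended values automatically, and rule 1003 is the only retirement candidate; the new rule 1004 arrives with its KB settings and disabled, matching the page's advice to enable rules deliberately after the import.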