Core Threat Detection Deployment Guide – Upgrade Considerations

The current release (version 4) of the Core Threat Detection Module (CTDM) includes a substantial number of changes since the last release (version 3). This section should help you understand the implications of updating to the latest version of CTDM, based on your current deployment.

Definitions

Existing. Refers to the original state of CTDM (v3 or lower) prior to upgrading to the current version (v4).

Upgrade. Refers to importing the KB that includes updates to CTDM.

Three-Step Upgrade Process

If you have never downloaded or activated the Core Threat Detection Module, you will automatically have all the CTDM v4 rules and settings. This scenario requires no special considerations. You can enable CTDM via the KB Manager, and enable rules and objects according to the suggestions outlined in the CTDM User Guide.

If you have previously downloaded and used the CTDM, you need to follow a three-step process:

  1. Decide whether to use Advanced Synchronization to pull down filter changes and other internal settings.
  2. Manually update the Risk Rating, FPP, Runtime Priority, Suppression Period, and Alarm on Event values.
  3. Manually retire obsolete, deleted, or outdated rules.

Each of these steps is discussed in detail below.

Step 1 - Use the Advanced Synchronization Settings and Reset the Module

When you synchronize a module, you can deploy some or all of the recommended settings. By default, the KB synchronization only updates the system fields that cannot be changed, such as the name and common event. Other editable settings, such as include/exclude filters or Risk Rating, are not updated. In the default synchronization, new filters are added, but existing filters are not reset or updated.

Because of the rule merge, custom modifications may conflict with the CTDM v4 changes, resulting in a rule that will not fire because its filter settings are contradictory. For example, suppose a rule whose primary criteria match the classification Network Allow or Network Deny has been tuned by adding an exclude filter for the classification Network Deny. The KB sync could narrow the rule's primary criteria to the classification Network Deny alone. The result is a rule whose system primary criteria and custom exclude filter contradict each other: every log the primary criteria match is excluded, so the rule never fires.

You may choose to synchronize more settings by using the Advanced Synchronization function. Some LogRhythm SIEM versions have advanced settings that allow you to synchronize values like Risk Rating, FPP, Runtime Priority, Suppression Period, and Alarm on Event automatically, whereas with other LogRhythm versions you may need to update these values manually.

To use Advanced Synchronization

  1. In the Client Console on the Tools menu, click Knowledge, and then click Knowledge Base Manager.
  2. Under AI Engine Rule Properties, select the Enable Advanced Synchronization Settings check box.
  3. In the Knowledge Base Manager, click Synchronization Settings, and then click the Synchronize Additional System Properties tab.
    This setting synchronizes user editable rule settings for all system AI Engine rules, including rule block time limit settings, unique value rule block occurrences, and threshold rule block values.
  4. Select the Only sync additional properties for disabled rules check box.
    This only synchronizes advanced settings when the AI Engine rule has been disabled, preventing unexpected changes to currently active rules.
  5. Click OK and proceed with the KB synchronization.

After the KB synchronization, revert these changes to prevent accidental overwrites of other modules when synchronizing the KB in the future. For more details on KB synchronization settings, see Configure Knowledge Base Synchronization Settings.

Step 2 – Manually Update the Risk Rating, FPP, Runtime Priority, Suppression Period and Alarm on Event values

After the rules are synchronized, the Risk Rating, FPP, Runtime Priority, Suppression Period and Alarm on Event values will not be updated to the current values recommended by LogRhythm Labs.

To update the values, open each rule and change the Risk Rating, FPP, Runtime Priority, Suppression Period and Alarm on Event values according to the AIE Rules table. If you have tuned these values for your environment, you can retain your custom values instead of accepting the values suggested by LogRhythm.
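Both of the post-upgrade checks above (the contradictory filter from Step 1 and the stale tunable values from Step 2) are easy to miss when reviewing rules one at a time in the Client Console. The following is an added example, not LogRhythm's tooling and not based on any documented rule export format: it models a rule as a small Python object whose field names (primary_classifications, exclude_classifications, risk_rating, fpp, runtime_priority, suppression_period, alarm_on_event) are assumptions for this illustration, shows how the default synchronization described in Step 1 turns a working rule into one that can never fire, and reports which tunable values differ from a recommended table so an analyst can decide whether each difference is deliberate tuning or a value that was never updated.

```python
"""Post-synchronization sanity checks for AI Engine rule definitions.

Added example, not LogRhythm's own tooling. Rules are represented as the
dataclass below; the field names are assumptions for this illustration,
not a documented export format. All sample data is constructed.
"""
from dataclasses import dataclass, field, replace
from typing import Dict, Iterable, List, Set, Tuple


@dataclass
class Rule:
    name: str
    # Classifications that satisfy the rule block's system primary criteria.
    primary_classifications: Set[str]
    # Classifications removed by custom (user-added) exclude filters.
    exclude_classifications: Set[str] = field(default_factory=set)
    # Tunable values from Step 2 (assumed names and types).
    risk_rating: int = 0
    fpp: int = 0
    runtime_priority: int = 0
    suppression_period: int = 0
    alarm_on_event: bool = False


def contradictory_filters(rule: Rule) -> bool:
    """True when every primary classification is also excluded.

    Such a rule can never fire: the custom exclude filter removes every
    log that the system primary criteria would match.
    """
    return bool(rule.primary_classifications) and (
        rule.primary_classifications <= rule.exclude_classifications
    )


def apply_default_sync(rule: Rule, new_primary: Iterable[str]) -> Rule:
    """Model the default KB synchronization from Step 1: system fields
    (here the primary criteria) are replaced, custom exclude filters are
    left exactly as they were."""
    return replace(rule, primary_classifications=set(new_primary))


def find_dead_rules(rules: Iterable[Rule]) -> List[str]:
    """Names of rules whose filters contradict each other, sorted."""
    return sorted(r.name for r in rules if contradictory_filters(r))


TUNABLE_FIELDS = ("risk_rating", "fpp", "runtime_priority",
                  "suppression_period", "alarm_on_event")


def value_drift(rules: Iterable[Rule],
                recommended: Dict[str, Dict[str, object]]
                ) -> Dict[str, Dict[str, Tuple[object, object]]]:
    """Compare each rule's tunable values with a recommended table.

    `recommended` maps rule name -> {field: recommended value}. Returns
    {rule name: {field: (deployed, recommended)}} for fields that differ;
    rules absent from the table are skipped.
    """
    drift: Dict[str, Dict[str, Tuple[object, object]]] = {}
    for r in rules:
        rec = recommended.get(r.name)
        if rec is None:
            continue
        diffs = {f: (getattr(r, f), rec[f])
                 for f in TUNABLE_FIELDS
                 if f in rec and getattr(r, f) != rec[f]}
        if diffs:
            drift[r.name] = diffs
    return drift


# Constructed sample rules (names and values are made up for this example).
SAMPLE_RULES = [
    # Already narrowed by sync: primary and exclude both "Network Deny".
    Rule("Example: Network Deny Spike", {"Network Deny"}, {"Network Deny"},
         risk_rating=5, fpp=3, runtime_priority=50, suppression_period=60,
         alarm_on_event=True),
    # Pre-sync state from the Step 1 example: still fires on Network Allow.
    Rule("Example: Network Allow/Deny Anomaly",
         {"Network Allow", "Network Deny"}, {"Network Deny"},
         risk_rating=7, fpp=4, runtime_priority=60, suppression_period=120),
    Rule("Example: Healthy Rule", {"Authentication Failure"},
         risk_rating=3, fpp=2, runtime_priority=40, suppression_period=30),
]

# Constructed stand-in for the recommended values table.
SAMPLE_RECOMMENDED = {
    "Example: Network Deny Spike": {"risk_rating": 7, "fpp": 3,
                                    "runtime_priority": 50,
                                    "suppression_period": 60,
                                    "alarm_on_event": True},
    "Example: Healthy Rule": {"risk_rating": 3, "fpp": 2,
                              "runtime_priority": 40,
                              "suppression_period": 30,
                              "alarm_on_event": True},
}

if __name__ == "__main__":
    print("Rules that can never fire:", find_dead_rules(SAMPLE_RULES))
    narrowed = apply_default_sync(SAMPLE_RULES[1], {"Network Deny"})
    print("After default sync, contradictory:", contradictory_filters(narrowed))
    for name, diffs in value_drift(SAMPLE_RULES, SAMPLE_RECOMMENDED).items():
        print(name, diffs)
```

Run the script after exporting or transcribing the rules you care about; a rule listed by find_dead_rules needs its exclude filter or primary criteria revisited, and each entry from value_drift is a prompt to either accept the recommended value or consciously keep your tuned one.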

Step 3 – Retire Old Content

CTDM v4 declared several previous rules obsolete or redundant. These rules are no longer part of the module. However, if you previously deployed CTDM v3, these obsolete rules will not be removed as part of the upgrade. The old rules are left behind so you can gradually move to the new CTDM content and clear up any process you may have that depends on the old rules.

You can manually retire obsolete rules by looking at the module revisions for any rule that has been removed. Optionally, you can look at the naming structure, as all current rule names were updated to match the attack life cycle, and obsolete rules will have inconsistent names.
