Current Active Threat Detection Deployment Guide – Configure the Module

Configure Lists

Traditionally, all lists within the LogRhythm Platform were user-configurable. The CAT Module lists can technically still be edited by the client, but doing so is not recommended. In particular, the Canary list and the Metadata Field lists should not be altered or manipulated by clients: each has very specific membership criteria, and changing them can degrade the CAT Module's detection performance.

To see the CAT lists, see the List matrix.

Configure Individual AI Engine Rules

All CAT Module AIE Rule alarms are enabled by default, with one exception: the Canary List AIE Rules should never have alarming enabled, because they would generate a high volume of alarms and cause alarm fatigue for analysts. Because CAT Module rules are based on threat IOCs, every other AIE Rule within the CAT Module has alarming enabled automatically. This also applies to any new AIE Rules that LogRhythm Labs develops for new threat IOCs. Additionally, the Progression Rules that build on the Canary List have alarming enabled by default.

AIE Rules within the CAT Module do not need to be configured or tuned. If you believe additional configuration is required, see the CAT Module: User Guide for more information or contact LogRhythm Support.

To see the CAT AIE Rules, see the AIE Rules matrix.

Import the Web Console Dashboard Layout

Web Console dashboard layouts are not imported as part of the KB sync process. Instead, download the Web Console dashboard layouts you want from outside sources, such as LogRhythm Community, LogRhythm Professional Services, or LogRhythm Support, and import them separately.

