Current Active Threat Detection Guide – Import and Synchronize the Module


Prerequisites

Log Source Requirements

Every class of system in the environment must be covered: internal and external facing servers, the security perimeter, IDS/IPS, AV, Vulnerability Management, endpoints, Windows, *NIX, and so on. Ideally, log source data is collected with redundancy so that every type of data the environment can produce is captured and available for analysis. The CAT module is designed to address each aspect of an organization's architecture, including network devices, endpoint systems, and user behaviors. Each log source that feeds LogRhythm must be configured properly and vetted to confirm that the LogRhythm Mediator is correctly parsing that Log Source Type.

To assist the organization, the following tables can be used as a guide to determine which Log Source Types are recommended to be collected.

Not every Log Source Type within the tables must be collected, but each table family should at least be addressed and have at least 2 or 3 types under active collection. The more Log Source Types available, the more likely it is that all important data can be identified.

Network Devices

  Log Source Type                              Collected? (Yes / No)
  Firewalls                                    Yes / No
  Routers / Switches                           Yes / No
  Load Balancers                               Yes / No
  Proxies / Reverse Proxies                    Yes / No
  Active Directory Logs                        Yes / No
  VPN Systems                                  Yes / No

External Facing Systems

  Log Source Type                              Collected? (Yes / No)
  Web Servers                                  Yes / No
  DNS Servers                                  Yes / No
  Email Proxy Systems                          Yes / No
  Application Services                         Yes / No

Windows Systems

  Log Source Type                              Collected? (Yes / No)
  System Logs                                  Yes / No
  Application Logs                             Yes / No
  Security Logs                                Yes / No
  PowerShell Logs                              Yes / No
  Sysmon Logs                                  Yes / No
  File Integrity Monitoring                    Yes / No
  Registry Integrity Monitoring                Yes / No

Security Perimeter

  Log Source Type                              Collected? (Yes / No)
  Intrusion Detection / Prevention Systems     Yes / No
  Endpoint Security Suite                      Yes / No
  Anti-Virus Management                        Yes / No
  Email Management                             Yes / No
  Vulnerability Scanner                        Yes / No

Internal Systems

  Log Source Type                              Collected? (Yes / No)
  File Servers                                 Yes / No
  Print Servers                                Yes / No
  Email Servers                                Yes / No
  Database Appliances                          Yes / No
  Production Applications                      Yes / No
  File Integrity Monitoring                    Yes / No
  Registry Integrity Monitoring                Yes / No

Linux Systems

  Log Source Type                              Collected? (Yes / No)
  /var/log/messages                            Yes / No
  Audit Logs                                   Yes / No
  Host Logs                                    Yes / No
  Application Logs                             Yes / No

Log Source Tuning

The CAT Module deviates from the traditional method of tuning AIE Rules. Under the traditional method, the client identifies which log sources in the environment deliver the type of log required to trigger the alarm and selects them on the AIE Rule's Log Source Criteria tab. See the following screenshot for an example.

This is the most effective method for tuning an AIE Rule within that one environment, but it does not scale to other environments unless they contain the same Log Source Types. Essentially, when you tune the AIE Rule this way, it only functions within that one environment. If the AIE Rule were exported and added to another deployment, it would not keep its tuned settings, because the Log Source Criteria tab is not preserved when an AIE Rule is exported or updated. The CAT Module introduces a tuning method that keeps the efficiency described above while remaining portable. It does so with CAT: Metadata Field Lists and the Primary Criteria tab. See the following screenshot for an example.

Each metadata field list is populated with every supported Log Source Type that can populate that metadata field. For example, the Command metadata field represents any command-line input captured by a log source that monitors command-line activity, such as powershell.exe or cmd.exe command prompts. Carbon Black, Microsoft Sysinternals Sysmon, Windows Event Log Security (if properly configured), the Linux ~/.bash_history log, and several other Log Source Types also deliver this kind of data in the Command metadata field. The CAT Module makes it easy to identify which Log Source Types supply the AI Engine with the logs needed to trigger the alarm by pre-populating each Metadata Field list with every Log Source Type supported by the LogRhythm Platform. As a result, a single AIE Rule can be exported from any deployment and imported into any other deployment, and the rule will perform as if it had been tuned there.
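The portability argument above can be seen directly by evaluating the same rule against two deployments with different log source inventories. The following is an added example and not LogRhythm's own code: it models a rule bound to deployment-specific Log Source IDs (the traditional Log Source Criteria approach, which is lost on export) beside one bound to a metadata field list of Log Source Types (the CAT approach). The deployments, events, and the type labels in COMMAND_FIELD_LIST are constructed for illustration; the labels are assumptions and not LogRhythm's actual Log Source Type names.

```python
"""Added example (not LogRhythm's own code): contrasting an AIE Rule tuned by
deployment-specific Log Source IDs with one tuned by a CAT metadata field list
of Log Source Types. Deployments, events and type labels are constructed."""
from dataclasses import dataclass
from typing import Iterable, Optional, Set

# Constructed stand-in for the CAT "Command" metadata field list: every Log
# Source Type assumed to populate the Command field (labels are assumptions).
COMMAND_FIELD_LIST = frozenset({
    "MS Windows Event Logging - PowerShell",
    "MS Windows Event Logging - Security",
    "Sysinternals Sysmon",
    "Carbon Black",
    "Linux bash_history",
})


@dataclass(frozen=True)
class LogSource:
    source_id: int      # assigned per deployment; meaningless elsewhere
    source_type: str    # Log Source Type name; the same in every deployment


@dataclass(frozen=True)
class Event:
    source: LogSource
    command: Optional[str]   # parsed Command metadata field, None if absent


def matches_by_source_id(event: Event, allowed_ids: Set[int]) -> bool:
    """Traditional tuning: Log Source Criteria bound to specific source IDs."""
    return event.source.source_id in allowed_ids and event.command is not None


def matches_by_type_list(event: Event, type_list=COMMAND_FIELD_LIST) -> bool:
    """CAT-style tuning: Primary Criteria bound to the metadata field list."""
    return event.source.source_type in type_list and event.command is not None


def count_matches(events: Iterable[Event], allowed_ids: Set[int]) -> dict:
    """Count how many events each tuning style would let the rule evaluate."""
    events = list(events)
    return {
        "by_source_id": sum(matches_by_source_id(e, allowed_ids) for e in events),
        "by_type_list": sum(matches_by_type_list(e) for e in events),
    }


def compare_deployments() -> dict:
    """Tune a rule in deployment A by source ID, then import it into B."""
    # Deployment A (constructed): the rule is tuned here by picking source IDs.
    a_sysmon = LogSource(100, "Sysinternals Sysmon")
    a_ps = LogSource(101, "MS Windows Event Logging - PowerShell")
    a_iis = LogSource(102, "Microsoft IIS")           # never populates Command
    events_a = [
        Event(a_sysmon, "explorer.exe"),
        Event(a_ps, "Get-Process"),
        Event(a_iis, None),
        Event(a_sysmon, "notepad.exe"),
    ]
    tuned_ids = {a_sysmon.source_id, a_ps.source_id}

    # Deployment B (constructed): different source IDs, overlapping types.
    b_cb = LogSource(2001, "Carbon Black")
    b_ps = LogSource(2002, "MS Windows Event Logging - PowerShell")
    b_asa = LogSource(2003, "Cisco ASA")              # never populates Command
    events_b = [
        Event(b_cb, "svchost.exe"),
        Event(b_ps, "Get-Service"),
        Event(b_asa, None),
    ]
    # Log Source Criteria are not preserved on export, so the imported rule
    # arrives with no source IDs (modelled as an empty set); the type list
    # travels with the rule unchanged.
    imported_ids: Set[int] = set()
    return {
        "Deployment A": count_matches(events_a, tuned_ids),
        "Deployment B": count_matches(events_b, imported_ids),
    }


if __name__ == "__main__":
    for name, result in compare_deployments().items():
        print(name, result)
```

In deployment A both styles evaluate the same three command-bearing events; in deployment B the ID-bound rule evaluates nothing until someone re-tunes it by hand, while the type-list rule evaluates the two events from types that populate Command and ignores the firewall source.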

Information to Gather Before Deploying the Module

Because the CAT Module relies on LogRhythm-supported Log Source Types, only the Log Source Types officially supported by LogRhythm Labs and the MDI team can be used to confirm that the CAT module is working as intended. In other words, if a LogRhythm deployment operates in an environment that uses highly customized or proprietary Log Source Types found only in that environment, LogRhythm cannot fully support the use of the CAT Module within that architecture.

Ensure that all log source feeds to the LogRhythm Platform are supported log source types, that is, they use the default log source parsers shipped with a standard LogRhythm deployment. Additionally, confirm that the LogRhythm MPE Parser is parsing every log source completely and into the appropriate metadata fields.
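Two of the checks this section and the Log Source Requirements tables call for can be scripted against an export of parsed events. The following is an added example, not LogRhythm's own code: family_coverage() checks that each table family has at least two Log Source Types under active collection, and parse_health() checks that parsed events of each Log Source Type actually carry the metadata fields expected of them, so a type whose parser is silently dropping a field is surfaced before rules depend on it. Family membership follows the tables above; EXPECTED_FIELDS, the threshold, and the sample events are constructed assumptions for this example.

```python
"""Added example (not LogRhythm's own code): pre-deployment checks for
log source family coverage and MPE parsing completeness. Family membership
follows this guide's tables; expected fields and sample events are constructed."""
from collections import defaultdict

FAMILIES = {
    "Network Devices": {"Firewalls", "Routers / Switches", "Load Balancers",
                        "Proxies / Reverse Proxies", "Active Directory Logs",
                        "VPN Systems"},
    "External Facing Systems": {"Web Servers", "DNS Servers",
                                "Email Proxy Systems", "Application Services"},
    "Windows Systems": {"System Logs", "Application Logs", "Security Logs",
                        "PowerShell Logs", "Sysmon Logs",
                        "File Integrity Monitoring",
                        "Registry Integrity Monitoring"},
    "Security Perimeter": {"Intrusion Detection / Prevention Systems",
                           "Endpoint Security Suite", "Anti-Virus Management",
                           "Email Management", "Vulnerability Scanner"},
    "Internal Systems": {"File Servers", "Print Servers", "Email Servers",
                         "Database Appliances", "Production Applications",
                         "File Integrity Monitoring",
                         "Registry Integrity Monitoring"},
    "Linux Systems": {"/var/log/messages", "Audit Logs", "Host Logs",
                      "Application Logs"},
}
MIN_TYPES_PER_FAMILY = 2   # the guide asks for at least 2 or 3 types per family


def family_coverage(collected):
    """Return {family: count} for every family below MIN_TYPES_PER_FAMILY."""
    collected = set(collected)
    return {fam: len(types & collected) for fam, types in FAMILIES.items()
            if len(types & collected) < MIN_TYPES_PER_FAMILY}


# Metadata fields each type is expected to populate after MPE parsing.
# Assumed for this example; take the real list from the parser definitions.
EXPECTED_FIELDS = {
    "Sysmon Logs": ("Command", "Process", "Origin Host"),
    "Firewalls": ("Origin IP", "Impacted IP", "Impacted Port"),
}


def parse_health(events, threshold=0.95):
    """Fraction of fully parsed events per Log Source Type; returns only the
    types whose fraction is below threshold, i.e. those needing parser work."""
    seen = defaultdict(int)
    complete = defaultdict(int)
    for ev in events:
        lst = ev.get("Log Source Type")
        expected = EXPECTED_FIELDS.get(lst)
        if expected is None:        # no expectation defined for this type
            continue
        seen[lst] += 1
        if all(ev.get(f) not in (None, "") for f in expected):
            complete[lst] += 1
    return {lst: round(complete[lst] / seen[lst], 2)
            for lst in seen if complete[lst] / seen[lst] < threshold}


# Constructed sample of parsed events, shaped like Mediator output.
SAMPLE_EVENTS = [
    {"Log Source Type": "Sysmon Logs", "Command": "C:\\Windows\\explorer.exe",
     "Process": "explorer.exe", "Origin Host": "WKS01"},
    {"Log Source Type": "Sysmon Logs", "Command": "",      # Command unparsed
     "Process": "svchost.exe", "Origin Host": "WKS01"},
    {"Log Source Type": "Sysmon Logs", "Command": "notepad.exe",
     "Process": "notepad.exe", "Origin Host": "WKS02"},
    {"Log Source Type": "Sysmon Logs", "Command": "cmd.exe",
     "Process": "cmd.exe", "Origin Host": "WKS02"},
    {"Log Source Type": "Firewalls", "Origin IP": "10.0.0.5",
     "Impacted IP": "10.0.1.9", "Impacted Port": "443"},
    {"Log Source Type": "Firewalls", "Origin IP": "10.0.0.6",
     "Impacted IP": "10.0.1.9", "Impacted Port": "53"},
]

if __name__ == "__main__":
    active = {"Firewalls", "VPN Systems", "Sysmon Logs", "Security Logs",
              "Web Servers"}
    print("families below minimum:", family_coverage(active))
    print("types with parsing gaps:", parse_health(SAMPLE_EVENTS))
```

On the constructed sample, the Sysmon feed is flagged because one event in four arrived without a Command value, while the firewall feed passes; four families are reported as under-collected. In practice, run parse_health() over a representative day of events per type so that a low fraction reflects the parser rather than a quiet source.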

Import and Synchronize the Module

The CAT Module is provided as part of the LogRhythm Knowledge Base (KB). Updating the KB automatically creates the required Lists and AI Engine Rules. The CAT Module does not require a specific license; if you cannot enable the CAT Module, contact LogRhythm Support.

  1. In the Client Console, on the Tools menu, click Knowledge, and then click Knowledge Base Manager.
     The Deployment Manager must be closed before the Knowledge Base Manager can be opened.
  2. Under Knowledge Base Modules, find the CAT Detection module.
     If the module is available, Current Active Threat (CAT) Module appears in the grid. If the module name does not appear, update the Knowledge Base by doing either of the following:
     • Automatic Download. Click Check for Knowledge Base Updates, and then click Synchronize Stored Knowledge Base.
     • Manual Download. For manual download instructions, see Import a Knowledge Base.
  3. Locate the Enabled column in the grid. If the box is checked, the module is already enabled and available to users in the SIEM deployment. If the Enabled box is not checked, enable the module by selecting its Action check box, right-clicking the module name, clicking Actions, and then clicking Enable Module.
     A dialog box appears for enabling the selected module(s).
  4. Leave the Enable Intelligent Indexing on Module Objects check box cleared unless you fully understand the effects of this setting, and then click OK.
