The CAT Module is currently at Version 2.0 and is intended for LogRhythm Customers with LogRhythm Enterprise version 7.3.1 or newer. This module incorporates a set of 7 Canary Lists, which encompass a curated listing of Opensource and Commercial IOCs supplied by LogRhythm’s Threat Intelligence Service (TIS) as well as the capability for the client to integrate their own Threat Intelligence List which could potentially identify suspicious events known to the industry at large. The CAT Module also includes 64 Log Source Type Lists called CAT: Metadata Field Lists. The lists are a compilation of all LogRhythm-supported log sources which populate a given metadata field. Additionally, the CAT Module makes use of a Web Console Dashboard designed to give clients a visual representation of CAT events.
Canary List: The CAT Module uses several lists detailing curated IOCs which could represent a suspicious event. A single canary event may result in a false positive event. However, if a single system generates 2 or more canary list events within a short period of time, the likelihood of that event being a false positive event diminishes. Following this train of thought, if three or more canary list events occur from the same system, the chance of the incident being a false positive is practically zero. With each additional unique canary event, the event trends toward a True Positive classification, and thus the RBP value also increases.
Metadata Field List: The CAT Module introduces the concept of Pre-Tuned AIE Rule Building. The usage of a Metadata Field Log Source Type List provides the capability to limit the Log Source Types feeding a rule to only the sources that could trigger that rule’s criteria. These lists are populated with all supported Log Source Types that populate a given metadata field. For example, if a Log Source Type can populate the Command metadata field, that Log Source Type will be listed within the CAT: Metadata Field: Command list. If the client is using supported Log Source Types with its official Log Source Type Parser, that client is assured an AIE Rule that requires that Log Source Type data will be tuned to receive the data.
Two-Step Upgrade Process
If you have never downloaded or activated the CAT Module, you will automatically have all the current CAT rules and lists as of the latest release of the KB version.
The CAT Module could potentially update with each KB Module Update. Given this, it is unlikely the CAT module contents will be the same for any two clients starting at different points in time.
If you have previously downloaded the CAT module, and require the contents to be updated to the latest versioning, perform one of the following actions:
- Use the Advanced Sync Settings to update the module in its entirety.
- Await the deployment of a feature called Dynamic Sync Settings.
- Dynamic Sync will allow LogRhythm Labs to deactivate CAT module content as it ages out of relevance, or if specific rules require tuning.
- Dynamic Sync is still in development and will be released in a future Platform version.
- Without Dynamic Sync, LogRhythm clients are required to manually retire AIE Rules that are no longer applicable.
Advanced Sync Settings
When you synchronize a module, you can deploy some or all the recommended settings across the Global Platform. By default, the KB synchronization only updates the system fields that cannot change, such as the name and common event. Other editable settings, such as include/exclude filters do not reset or update.
Because of rule merging properties, custom modifications to an existing CAT Rule may conflict with the default CAT Module Rules developed by Labs. Should an existing rule be modified, the resulting rules may not operate as expected due to contradictory filter settings. For example, if a rule with primary criteria of CAT: Metadata Field: Command is tuned by the client with the addition of an exclude filter containing specific Commands values, then a KB sync occurs and changes the rule’s primary criteria from Command to CAT: Metadata Field: Object. The values within the added exclude file may result in a mismatch and prevent the rule from operating as expected.
Use of the Advanced Sync Setting will overwrite ALL KB material across the entire deployment. The overwrite returns ALL KB items within the local deployment to their default settings. This affects any entity which contains the same entity ID number as its counterpart within the KB. If any customized alterations have been applied to any AIE Rules or Lists, those custom settings are erased and restored to a default setting. If you have created custom AIE Rules or lists that are not contained within the KB, those rules and lists are not altered with the use of Advanced Sync.
Dynamic Sync Settings
Dynamic Sync Settings is a setting introduced for the CAT Module. This setting is essentially a mirror of Advanced Sync Settings, except it is only focused towards a single module instead of the Global Deployment.
Unlike Advanced Sync, Dynamic Sync does not revert content outside of the single module in which it is configured. However, Dynamic Sync still reverts all content within the Module to that of the default configuration. This is the intended functionality for the CAT Module due to the heavy focus on IOC-related content, which typically has a short shelf life.