Current Active Threat Module Deployment Guide
The dynamic threat landscape in which today's organizations operate is reflected within the CAT module through the use of Threat Intel AIE Rules. These rules are part of the dynamic module framework, which is continually in flux: with any given CAT module KB release, content may be added to or removed from the module, and it may change again in the next KB release. To keep this Deployment Guide relevant over a longer period, it addresses only the basic framework supplied by the CAT module, that is, the contents that are not designed to be altered or adjusted with each KB release. These items include:
- CAT: Metadata Field Lists
- CAT: Canary Lists
- CAT: Canary List Rules
- CAT: Severity Increase Rules
This guide is for LogRhythm administrators who handle the security of their organization’s infrastructure and for anyone installing and configuring the SIEM.
Module Contents
This module adds to an existing LogRhythm deployment, as follows:
- 16 Core Advanced Intelligence Engine Rules
- 7 Canary Lists
- 64 Metadata Lists
- 1 Web Console Dashboard
Prerequisites
The deployment of the CAT Module assumes the following:
- The overall LogRhythm Deployment is in a fully developed state and is healthy.
- LogRhythm software version 7.3.1 or later is deployed.
- Log sources have been vetted to ensure log source parsing is being performed properly.
Overview of Steps
This guide is divided into the following sections: