This guide describes how to deploy the LogRhythm Current Active Threat (CAT) Module, which is intended to help organizations detect and respond to known, industry-focused threats seen across the security industry at large, as well as emerging threats within their own environment. The module provides a method for integrating pre-tuned AIE rules into any environment, dynamic severity ranking for emerging threats, and the base architecture for an IOC-based AIE ruleset designed to be auto-deployed within the organization’s environment so that the client can detect advanced threats.
This guide is for LogRhythm administrators who are responsible for the security of their organization’s infrastructure.
This guide assumes the following:
- The CAT Module has been imported and all CAT AIE rules are enabled.
- LogRhythm’s Threat Intelligence Service (TIS) has been installed, and the KB module has been enabled.
- Appropriate log sources have been enabled and configured properly.
- For additional information on which Log Sources are required for the CAT module, please see the CAT Deployment Guide v2.
- The client is following Industry Best Practices and follows at least one of the following Compliance Frameworks:
  - CIS CSC 7.0
  - NIST 800-53 revision 4
  - ISO 27001
- To properly identify internal and external sources for directional traffic, the LogRhythm Platform must have a trusted entity structure configured.
- The LogRhythm Lists referenced by rules in this Module have NOT been manipulated or altered in any fashion within the client’s environment.
How to Use This Guide
This guide is meant to be used as a day-to-day reference for the CAT Module content. All the content included in this module is listed here along with a detailed explanation, suggested response, and configuration and tuning notes.
- Suppression Period. The Suppression Period defines how much time must pass before the same AI Engine rule can be triggered again for the same set of criteria.
- Environmental Dependence Factor. EDF is a high-level quantification of how much effort is required in configuration and tuning for an AI Engine rule to perform as expected. This setting has no impact on processing.
- False Positive Probability. FPP is a factor indicating how likely it is that an event represents a real risk, on a scale from 0 to 9:
  - 0: The event represents a real risk less than 1 time out of 10.
  - 1: The event represents a real risk 1 time out of 10.
  - 9: The event represents a real risk 9 times out of 10.
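The following is an added example, not LogRhythm code, that illustrates the Suppression Period and FPP semantics described above: a rule fires again for the same criteria only after the suppression window has elapsed, and fired alarms can be ordered for triage by their FPP. The rule names, criteria values, and FPP assignments are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample of candidate AIE rule matches (not real LogRhythm output).
# Each entry: (timestamp, rule name, group-by criteria such as host and user).
SAMPLE_MATCHES = [
    ("2024-01-01T10:00:00", "CAT: Suspicious Process", ("host-a", "jdoe")),
    ("2024-01-01T10:02:00", "CAT: Suspicious Process", ("host-a", "jdoe")),  # inside window
    ("2024-01-01T10:03:00", "CAT: Suspicious Process", ("host-b", "jdoe")),  # other criteria
    ("2024-01-01T10:31:00", "CAT: Suspicious Process", ("host-a", "jdoe")),  # window elapsed
    ("2024-01-01T10:31:30", "CAT: Outbound to Blocklist", ("host-a", "198.51.100.7")),
]

SUPPRESSION_PERIOD = timedelta(minutes=30)  # assumed rule setting

# Hypothetical FPP values (0-9) assigned to the sample rules.
FPP_BY_RULE = {"CAT: Suspicious Process": 3, "CAT: Outbound to Blocklist": 8}


def apply_suppression(matches, suppression_period):
    """Split matches into (fired, suppressed).

    A rule may fire again for the same set of criteria only once
    suppression_period has elapsed since that rule last fired for them.
    """
    last_fired = {}
    fired, suppressed = [], []
    for ts_str, rule, criteria in sorted(matches, key=lambda m: datetime.fromisoformat(m[0])):
        ts = datetime.fromisoformat(ts_str)
        key = (rule, criteria)
        last = last_fired.get(key)
        if last is not None and ts - last < suppression_period:
            suppressed.append((ts_str, rule, criteria))
            continue
        last_fired[key] = ts
        fired.append((ts_str, rule, criteria))
    return fired, suppressed


def triage_order(fired, fpp_by_rule):
    """Order fired alarms by FPP (highest first): an FPP of 9 means the event
    is a real risk about 9 times out of 10, so those alarms are reviewed first."""
    return sorted(fired, key=lambda a: (-fpp_by_rule.get(a[1], 0), a[0]))


def run_sample():
    fired, suppressed = apply_suppression(SAMPLE_MATCHES, SUPPRESSION_PERIOD)
    return fired, suppressed, triage_order(fired, FPP_BY_RULE)
```

Lowering the suppression period in the sample to 1 minute makes the 10:02 match fire as well, which is the trade-off to weigh when tuning: fewer suppressed alarms versus more analyst noise.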