MITRE ATT&CK® Deployment Guide – Configure the Module
Configure AI Engine Rules
This module contains a collection of AI Engine Rules. Some Rules require additional configuration to ensure that they will work properly. For more information on rule configuration, see the MITRE ATT&CK Module User Guide.
Enable AI Engine Rules
To enable the rules:
In the Client Console, click Deployment Manager on the main toolbar.
Click the AI Engine tab.
Filter in the Rule Group column to find the AI Engine Rule(s) you want. Select MITRE ATT&CK to find all MITRE ATT&CK rules.
On the left of each AI Engine rule you wish to enable, select the Action check box.
Right-click the selection, click Actions, and then click Enable.
If the Restart column displays “Needed” for a rule, you must restart the AI Engine service to load the new rules. Click Restart AI Engine Servers at the top of the window. (This action only restarts the necessary services, not the appliance itself.)
You must select the AI Engine instance in the View field to see the Restart column.
Enable AI Engine Rule Alarming
By default, alarming is turned off for all MITRE ATT&CK AI Engine Rules. Even without alarms, events are generated when a rule is enabled and its criteria are satisfied. These events are displayed in the Web Console Dashboard, and they can also be seen by running an Investigation or Tail against the Platform Manager.
Before enabling Alarming, review these events and tune rules as necessary to meet an acceptable level of false positives. For information about tuning individual AI Engine Rules, see the MITRE ATT&CK Module User Guide. When finished tuning, enable alarming on the rules to bring events to the alarm layer, providing visibility to the monitoring team and allowing for notification and SmartResponse.
To enable alarming for AI Engine rules:
In the Client Console, click Deployment Manager on the main toolbar.
Click the AI Engine tab.
Filter in the Rule Group column to find the AI Engine Rule(s) you want. Select MITRE ATT&CK to find all MITRE ATT&CK rules.
The value under Alarm Status indicates whether alarming is enabled for a rule.
To the left of each rule that you want to configure, select the Action check box.
Right-click the grid, click Actions, click Batch Enable Alarms, and then click Enable Alarms.
Alarm settings are located on the Settings tab in each AI Engine Rule’s Properties.
Import the Web Console Dashboard Layouts
Web Console dashboard layouts cannot be imported as part of the KB. Instead, download each layout and apply it manually.
Log in to LogRhythm Community.
In the menu on the top, click Shareables, and then click Dashboards.
Download the updated Dashboard layout (*.wdlt) file you want.
Start a supported Web browser and log in to the LogRhythm Web Console.
Click the Dashboard Layout icon on the upper-right side of the page.
Click New Dashboard.
Click Upload.
Browse and select the Dashboard file (*.wdlt) that you downloaded.
Click either Add Public or Add Private depending on the type of view that you want to create from the import.
Click Save.
The selected dashboard layout is imported into your dashboard layout menu.