
Network Detection and Response Deployment Guide – Configure the Module


Configure Lists

The module includes user-configurable lists that narrow the scope of AI Engine Rules and filter events. Before adding items, read the Description section of each list's List Properties to confirm what belongs in it: an item that does not belong there causes the rules that reference the list to match, or ignore, the wrong traffic.

  1. Open the LogRhythm Console and click List Manager on the main toolbar.
  2. Use the Name or List ID column filter to find the list you want.
  3. To open the List Properties window, double-click the list.
  4. Click on the List Items tab, and then click Add Item.
  5. Use the Add Item dialog box to add items one at a time, or click Import to import a text file or the clipboard contents.
  6. Click Apply and then click OK.

To identify which lists need to be configured in the environment, see the List matrix.
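Step 5 lets you import list items from a text file. The following script, added here as an example and not part of LogRhythm or this guide, prepares such a file from a raw paste: it strips whitespace, canonicalizes IP addresses and CIDR ranges, lowercases hostnames, drops duplicates, rejects items that are neither an address nor a hostname, and warns about very broad network ranges, which on an allow-type list could suppress far more detections than intended. It assumes the import expects one list item per line and uses /16 (IPv4) and /48 (IPv6) as the "too broad" thresholds; both are assumptions, and the sample input is constructed.

```python
"""Prepare a LogRhythm List Manager import file from raw text.

Added example, not LogRhythm code. Assumption: the Import function reads
one list item per line. Check the list's Description in List Properties
for the exact item type the list expects (IP, hostname, ...).
"""
import ipaddress
from typing import List, Tuple

# Constructed sample input: what an analyst might paste from a ticket.
RAW_ITEMS = """
10.1.2.3
10.1.2.3
 Scanner01.CORP.EXAMPLE 
192.168.0.0/16
0.0.0.0/0
not an ip or host!
2001:db8::/32
"""

# Assumed thresholds: networks this wide or wider are flagged for review.
BROAD_IPV4_PREFIX = 16
BROAD_IPV6_PREFIX = 48


def normalize_item(raw: str) -> Tuple[str, List[str]]:
    """Return (normalized_item, warnings); an empty item means 'rejected'."""
    item = raw.strip()
    warnings: List[str] = []
    if not item:
        return "", warnings
    # IP address or CIDR range: canonicalize so duplicates collapse.
    try:
        net = ipaddress.ip_network(item, strict=False)
        if net.num_addresses == 1:
            return str(net.network_address), warnings
        limit = BROAD_IPV4_PREFIX if net.version == 4 else BROAD_IPV6_PREFIX
        if net.prefixlen <= limit:
            warnings.append(f"{net} is very broad; confirm it belongs on this list")
        return str(net), warnings
    except ValueError:
        pass
    # Hostname: DNS names are case-insensitive, so lowercase them to dedupe.
    labels = item.lower().rstrip(".").split(".")
    if all(label and all(c.isalnum() or c == "-" for c in label) for label in labels):
        return ".".join(labels), warnings
    warnings.append(f"rejected {item!r}: not an IP, CIDR range, or hostname")
    return "", warnings


def build_list(raw_text: str) -> Tuple[List[str], List[str]]:
    """Normalize and deduplicate every line; preserve first-seen order."""
    items: List[str] = []
    warnings: List[str] = []
    seen = set()
    for line in raw_text.splitlines():
        norm, w = normalize_item(line)
        warnings.extend(w)
        if norm and norm not in seen:
            seen.add(norm)
            items.append(norm)
    return items, warnings


if __name__ == "__main__":
    items, warnings = build_list(RAW_ITEMS)
    # Redirect stdout to a .txt file, then import it with List Manager > Import.
    print("\n".join(items))
    for w in warnings:
        print("WARNING:", w)
```

Review every warning before importing; the script does not drop broad ranges on its own, because a wide range is sometimes exactly what the list's Description calls for.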

Configure Individual AI Engine Rules

This Module contains a collection of AI Engine Rules. Some rules require additional configuration to ensure that they will work properly. For configuration steps, see the AI Engine Rule matrix.

Enable AI Engine Rules

  1. Open the LogRhythm Console and click Deployment Manager on the main toolbar.
  2. Click the AI Engine tab.
  3. Filter in the Rule Group column for Network Detection and Response to find AI Engine rules tied to this module.
  4. Select the Action check box of each rule you want to enable.
  5. Right-click the grid, click Actions, click Batch Enable, and then click Enable. (Do not use Batch Enable Alarms at this stage; alarming is enabled separately, after tuning, as described in Enable AI Engine Rule Alarming.)
  6. If the Restart column displays “Needed” for a rule, you must restart the AI Engine service to load the new rules. Click Restart AI Engine Servers at the top of the window. (This action only restarts the necessary services, not the appliance itself.)

    You must select the AI Engine instance in the View field to see the Restart column.

Enable AI Engine Rule Alarming

By default, alarming is turned off for the NDR AI Engine Rules, with the exception of the progression rules, which are common to all threat-focused KB modules and alarm by default. For more information on progression rules, see Network Detection and Response—AI Engine Rules. Even without alarms, events are generated whenever an enabled rule's criteria are satisfied. These events are displayed in the Web Console Dashboard and can be viewed by running an Investigation or Tail against the Platform Manager.

Before enabling alarming, review these events and tune the rules until the false-positive rate is acceptable. For information about tuning individual AI Engine Rules, see the Network Detection and Response Module User Guide. When tuning is finished, enable alarming on the rules to bring their events to the alarm layer, which gives the monitoring team visibility and allows notification and SmartResponse.

  1. Open the LogRhythm Console and click Deployment Manager.
  2. Click the AI Engine tab.
  3. Filter in the Rule Group column for Network Detection and Response to find AI Engine rules tied to this module.
    The value in the Alarm Status column indicates whether the alarm is enabled for a rule.
  4. Select the Action checkbox of each rule you want to configure.
  5. Right-click the grid, click Actions, click Batch Enable Alarms, and then click Enable Alarms.

    Alarm settings are located on the Settings tab in each AI Engine Rule’s Properties.

Import the Web Console Dashboard Layouts

Layouts currently cannot be imported as part of the KB. Instead, you must manually download and apply them.

  1. Go to the LogRhythm Community.
  2. On the top menu bar, click Shareables, and then click Dashboards.
  3. Download the updated Dashboard layout (*.wdlt) file you want.
  4. Start a supported Web browser and log in to the LogRhythm Web Console.
  5. Click the Dashboard Layout icon on the upper-right side of the page.
  6. Click New Dashboard.
  7. Click Upload.
  8. Browse and select the Dashboard file (*.wdlt) that you downloaded.
  9. Click either Add Public or Add Private depending on the type of view that you want to create from the import.
  10. Click Save.

The selected dashboard layout is imported into your dashboard layout menu.

Import the Kibana Layout

  1. Go to the LogRhythm Community.
  2. In the menu on the top, click Shareables, and then click Kibana.
  3. Download the Network Detection and Response Kibana layout (*.json file) you want.
  4. Open a supported Web browser and log in to the Kibana Console using https://<DXServer>:5601.

    If you do not have Kibana installed, instructions are available under Shareables, Kibana on the LogRhythm Community.
  5. In the menu on the left, click Management.
  6. In the menu on the top, click Saved Objects.
  7. Click the Import button.
  8. Select the JSON file you downloaded.

Intelligent Indexing

Intelligent Indexing allows Reports, Investigations, and Tails to keep the relevant log data online in the Log Manager/Data Processor. Choose carefully which objects are allowed to use Intelligent Indexing: broad criteria can keep an exceptional amount of data online and overwhelm the Log Manager/Data Processor. See the Investigations, Reports, and Tails matrices for the Intelligent Indexing-capable objects and their recommended settings.

Network Monitor

The Network Detection and Response Module is most effective when paired with the LogRhythm Network Monitor. Most of the content in this module can be used with network security and monitoring devices from a range of vendors. A portion of the content, however, was written specifically to use data collected by the LogRhythm Network Monitor and will not function without modification unless the SIEM is collecting LogRhythm Network Monitor data. To see which objects require the LogRhythm Network Monitor, consult the AIE Rules, Investigations, Reports, and Tails matrices. That content can still serve as a starting point for a custom rule that works with data from other devices.
