Skip to main content
Skip table of contents

Network Detection and Response Module Deployment Guide

This guide describes how to deploy the LogRhythm Network Detection and Response module (NDRM), designed to help organizations detect and respond to network-based security events. This module utilizes deep forensic visibility into network traffic to detect a wide variety of advanced threats. The Network Detection and Response module performs best when paired with LogRhythm’s network forensics solution, LogRhythm NetMon. The NDRM replaces the Network Threat Detection module. No further modifications will be performed on the NTD module.

Module Contents

This module adds to an existing LogRhythm deployment, as follows:

  • 77 AI Engine Rules (15 Progression Rules)
  • 5 Investigations
  • 1 Tail
  • 22 Lists
  • 8 Reports


The deployment of this module assumes the following:

  1. The overall LogRhythm deployment is in a fully-deployed and healthy state.
  2. LogRhythm version 7.1 or later is installed. Version 7.2 or higher is recommended to fully populate the Web Console dashboards associated with this module. 
  3. The entity structure is appropriately configured to identify DMZ and Internal networks.

Data Collection Requirements

A limited number of the included AI Engine Rules can operate using firewall or network flow data. However, these log sources don’t provide rich contextual and forensic detail, especially when investigating alarms. It is recommended that Network Monitor be deployed to monitor all gateway and core switch network traffic. This ensures visibility into both internal traffic and traffic crossing the perimeter. For more information, see Network Detection and Response—AI Engine Rules.

Required Information

The following information should be gathered prior to implementing the Network Detection and Response Module. This information is needed when populating lists and configuring individual AI Engine Rules.  

  • Company owned Public IP addresses/ranges
  • IP/Hostnames of internal and DMZ web servers
  • IP/Hostnames of internal and DMZ mail servers
  • IP/Hostnames of vulnerability scanners
  • IP Ranges or Entities of SCADA devices
  • Unauthorized applications or applications deemed risky
  • Authorized Applications
  • TCP/IP ports of authorized web applications
  • Allowed ingress ports
  • Allowed egress ports
  • Whitelisted countries
  • Blacklisted countries

Overview of Steps

This guide is divided into the following sections:

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.