The Network Detection and Response Module (NDRM) is a collection of AI Engine rules designed to detect unusual or malicious user activity that is occurring within your organization’s network.
This guide assumes the following:
- The Network Detection and Response Module has been imported and the desired AI Engine rules are enabled following the steps in the Network Detection and Response Module Deployment Guide.
- Appropriate log sources, such as LogRhythm Sysmon, Windows Security Events, Firewalls, Intrusion Detection Systems, Anti-Virus and others have been configured to work with LogRhythm. For more information, see the Device Configuration Guides available on the LogRhythm Community.
- To identify internal and external sources for directional traffic, the network entity structure has been configured.
- The LogRhythm Lists referenced by rules in this Module have been configured to the organization’s environment.
How to Use This Guide
This guide is meant to be used as a day-to-day reference for the Network Threat Detection Module content. All the content included in this module is listed here along with a detailed explanation, suggested response, and configuration and tuning notes.
- Suppression Period. The Suppression Period defines how much time must pass before the same AI Engine rule can be triggered again for the same set of criteria.
- Environmental Dependence Factor. EDF is a high-level quantification of how much effort is required in configuration and tuning for an AI Engine rule to perform as expected. This setting has no impact on processing.
- False Positive Probability. FPP is a factor determining how likely it is that an event represents a real risk, as follows:
- 0: The event represents a real risk less than 1 time out of 10.
- 1: The event represents a real risk 1 time out of 10.
- 9: The event represents a real risk 9 times out of 10.
This guide is divided into the following sections: