Network Detection and Response User Guide – Investigations


The Network Detection and Response Module contains preset investigations to help an analyst quickly gain visibility into any suspicious or malicious activity in their environment, as well as policy violations and operations info. This section details all of the investigations included in the module, including any additional configuration notes.

Network: Unauthorized/Risky Application Usage

Investigation ID: 205

An organization can decide if certain network applications should not be used within its network. This could cover both misuse and security concerns.

Minimum Log Sources

LogRhythm Network Monitor

Recommended Log Sources

LogRhythm Network Monitor

Configuration

Populate the Network: Unauthorized/Risky Applications list with applications that are disallowed.

Actions

    • Analyze the application traffic to determine if its usage stems from misuse or a possible infection.
    • Investigate the host for additional information.


Network: Blacklisted Country Activity

Investigation ID: 206

Although many organizations are multinational and regularly have connections to external countries, connections from countries in which the organization has no presence should be treated as suspicious. An organization can predefine these countries in a blacklist. This investigation shows network communication with countries in that list.

Minimum Log Sources

Firewall or Flow data

Recommended Log Sources

    • LogRhythm Network Monitor
    • Next-Generation Firewall

Configuration

Populate the Network: Blacklisted Countries list with the set of countries that should not have communication with your organization.

Actions

    • Investigate the connections and traffic going to the blacklisted country. Certain host and protocol combinations, such as a typical user generating web traffic to port 80, are probably not a major concern. Others, like SSH from a web server, are more significant.
    • If the connection and host pair seem suspicious, investigate the host to determine if it has been compromised.


Network: Non-Whitelisted Country Activity

Investigation ID: 207

Although many organizations are multinational and regularly have connections to external countries, connections from countries in which the organization has no presence should be treated as suspicious. An organization can predefine acceptable countries in a whitelist. This investigation shows network communication with countries that are not in that list.

Minimum Log Sources

Firewall or Flow data

Recommended Log Sources

    • LogRhythm Network Monitor
    • Next-Generation Firewall

Configuration

Populate the Network: Whitelisted Countries list with the set of countries with which the organization should exclusively communicate.

Actions

    • Investigate the connections and traffic going to the non-whitelisted country. Certain protocols, such as web traffic to port 80, are probably not a major concern. Others, like SSH, are more significant.
    • If the connection and host pair seem suspicious, investigate the host to determine if it has been compromised.

Network: Non-HTTP Traffic Over Port 80

Investigation ID: 208

To hide command and control communication among legitimate traffic, malicious implants may use standard protocol ports even if their covert channels don't conform to protocol standards. This could also be an attempt to circumvent a firewall. Because LogRhythm Network Monitor can accurately identify protocols without relying solely on ports, it is able to detect port misuse by such malware.

Minimum Log Sources

Firewall or Flow data

Recommended Log Sources

    • LogRhythm Network Monitor
    • Next-Generation Firewall

Tuning

If a legitimate application is found, add it to the Network: Search: HTTP list to eliminate future false positives.

Actions

    • Using Network Monitor, analyze the traffic to see if it is malicious. It might just be an application that happens to use port 80 to get around a firewall.
    • If the traffic appears suspicious, investigate the host for other indicators of compromise.
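The four list-driven investigations above (205 through 208), as an added example of the matching logic run over constructed Network Monitor style records. This is not LogRhythm's code: the field names, the list contents and the sample sessions are assumptions chosen to exercise each check.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FlowRecord:
    """One network session as a Network Monitor style record (constructed fields)."""
    src_host: str
    dst_ip: str
    dst_port: int
    dst_country: str
    application: str  # application as classified by content inspection, not by port

# Stand-ins for the guide's configurable lists (constructed values).
UNAUTHORIZED_APPLICATIONS = {"bittorrent"}   # Network: Unauthorized/Risky Applications
BLACKLISTED_COUNTRIES = {"XX"}               # Network: Blacklisted Countries
WHITELISTED_COUNTRIES = {"US", "DE", "GB"}   # Network: Whitelisted Countries
HTTP_APPLICATIONS = {"http", "http_proxy"}   # Network: Search: HTTP (tuning list)

def unauthorized_application(r: FlowRecord) -> bool:
    return r.application.lower() in UNAUTHORIZED_APPLICATIONS

def blacklisted_country(r: FlowRecord) -> bool:
    return r.dst_country in BLACKLISTED_COUNTRIES

def non_whitelisted_country(r: FlowRecord) -> bool:
    return r.dst_country not in WHITELISTED_COUNTRIES

def non_http_over_80(r: FlowRecord) -> bool:
    # The port alone proves nothing; the identified application must not be HTTP.
    return r.dst_port == 80 and r.application.lower() not in HTTP_APPLICATIONS

INVESTIGATIONS = {205: unauthorized_application, 206: blacklisted_country,
                  207: non_whitelisted_country, 208: non_http_over_80}

def run_investigations(records):
    """Return {investigation_id: [matching records]} for every preset investigation."""
    hits = {inv_id: [] for inv_id in INVESTIGATIONS}
    for record in records:
        for inv_id, check in INVESTIGATIONS.items():
            if check(record):
                hits[inv_id].append(record)
    return hits

# Constructed sample sessions (TEST-NET addresses; "XX" is a placeholder country code).
SAMPLE_RECORDS = [
    FlowRecord("ws-01", "203.0.113.10", 80, "US", "http"),     # ordinary browsing
    FlowRecord("web-01", "198.51.100.7", 22, "XX", "ssh"),     # SSH from a web server to a blacklisted country
    FlowRecord("ws-02", "203.0.113.55", 80, "FR", "ssh"),      # SSH over port 80 to a non-whitelisted country
    FlowRecord("ws-03", "192.0.2.9", 80, "DE", "bittorrent"),  # disallowed app that is also non-HTTP on port 80
]
```

Adding a legitimate application to HTTP_APPLICATIONS mirrors the tuning step for investigation 208: it stops that application's port 80 sessions from matching without changing the rule itself.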


Network: Network Monitor Activity Past 30 Minutes

Investigation ID: 209

When investigating a host for signs of suspicious activity, it can be useful to see all network traffic for that host. Customize this Investigation by adding New Field Filters for specific hosts. This Investigation can also be customized by including filters based on any additional LogRhythm field, for example to find all network traffic for an application, user, or country.

Minimum Log Sources

LogRhythm Network Monitor

Recommended Log Sources

LogRhythm Network Monitor

Configuration

In the Investigation selection window, single-click this Investigation and then click Next. On the Specify Event Selection window, use the Add New Field Filter dropdown box to select additional query criteria.

Actions

The actions for this Investigation depend on which additional filters were used.
