Endpoint Monitoring
Endpoint Monitoring is a client/server information security (IS) methodology used to audit log files generated by endpoint devices, such as laptops, smartphones, and routers. Endpoint monitoring collects the generated log files and sends them to the Data Processor for analysis. If unusual behavior is detected, an alarm is generated.
LogRhythm endpoint monitoring has six features. Each feature is used to monitor a different type of endpoint.
- File Integrity Monitor (FIM). Monitors critical database and application files for unauthorized changes. FIM provides independent auditing of access to and modification of files and directories. When FIM detects a change, a System Monitor Agent generates a log and sends it to the Data Processor where you can manage it like any other log. Logs can be forwarded to LogMart and the Platform Manager, can generate alarms, and can be included in reports.
- Registry Integrity Monitor (RIM). Provides independent, real-time auditing of modifications to Windows registries. When RIM detects a change, the System Monitor Agent generates a log and sends it to the Data Processor where you can manage it like any other log. The logs can be forwarded to LogMart and the Platform Manager, can generate alarms, and can be included in reports.
- Data Loss Defender (DLD). Independently monitors and logs the connection and disconnection of external data devices to the host computer where the Agent is running. It also monitors and logs the transmission of files to an external storage device. You can configure DLD to protect against external data device connections by ejecting specified devices upon detection. External USB drive storage devices include Flash/RAM drives and CD/DVD drives.
- Process Monitor. Independently monitors when processes start and end on a Windows or UNIX host where the Agent is running. The Agent generates one log when a process starts on the host (the log includes process name, owner name, start time, duration, etc.) and another log when the Agent detects that the process has stopped. If enabled, the Process Monitor logs contain UAM information recording which users were connected to the host at the time the process was started or stopped.
- Network Connection Monitor (NCM). Independently monitors when network connections are opened and closed on a Windows or UNIX host where a LogRhythm Agent is running and configured to do so. The Agent generates a log when a connection opens on the host (log includes protocol, local IP address and port, remote IP address and port, open time, close time, duration, etc.) and another log when the Agent detects the connection has been closed. If enabled, the Network Connection Monitor logs contain UAM information to log what users were connected to the host at the time the connection was opened/closed.
- User Activity Monitor (UAM). Used in conjunction with File Integrity Monitor. The UAM tracks when a user logs on to and off a Windows or UNIX host. The login time can then be compared to any FIM activities that occur.
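To illustrate the comparison described in the last bullet (matching FIM change logs against UAM logon/logoff times, the same context that Process Monitor and NCM logs carry when UAM is enabled), here is an added example; it is not LogRhythm code, and the record fields, hostnames, users and timestamps are constructed assumptions rather than the product's actual log format.

```python
"""Correlate File Integrity Monitor (FIM) change logs with User Activity
Monitor (UAM) sessions: for each file change, list the users who had a
session open on that host at that instant. A change with no candidate
user is worth an analyst's attention (service account, remote exploit,
or a gap in monitoring coverage)."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional


@dataclass
class Session:          # one UAM logon/logoff pair (assumed layout)
    host: str
    user: str
    logon: datetime
    logoff: Optional[datetime]   # None = user still logged on


@dataclass
class FimEvent:         # one FIM change log (assumed layout)
    host: str
    path: str
    time: datetime
    action: str


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


# Constructed sample data, not real logs.
SESSIONS = [
    Session("srv01", "alice", parse_ts("2024-03-01 08:00:00"), parse_ts("2024-03-01 12:00:00")),
    Session("srv01", "bob", parse_ts("2024-03-01 11:30:00"), None),
    Session("srv02", "carol", parse_ts("2024-03-01 09:00:00"), parse_ts("2024-03-01 17:00:00")),
]
FIM_EVENTS = [
    FimEvent("srv01", "/etc/passwd", parse_ts("2024-03-01 11:45:00"), "modified"),
    FimEvent("srv01", "/opt/app/config.xml", parse_ts("2024-03-01 13:00:00"), "modified"),
    FimEvent("srv02", "/var/lib/db/data.mdf", parse_ts("2024-03-01 18:00:00"), "deleted"),
]


def users_logged_on(sessions: List[Session], host: str, at: datetime) -> List[str]:
    """Users whose session on `host` spans the instant `at` (open sessions count)."""
    return sorted(s.user for s in sessions
                  if s.host == host and s.logon <= at
                  and (s.logoff is None or at <= s.logoff))


def attribute_changes(fim_events: List[FimEvent], sessions: List[Session]):
    """Pair each FIM event with its candidate users; [] means no session matched."""
    return [(e.host, e.path, e.action, users_logged_on(sessions, e.host, e.time))
            for e in fim_events]


if __name__ == "__main__":
    for row in attribute_changes(FIM_EVENTS, SESSIONS):
        print(row)
```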