Knowledge Base
The Knowledge Base (KB) consists of a Core Base Module and individual KB modules. The KB Core Base Module must be installed and updated on all deployments. Then, each individual KB module must be updated to meet the organization's needs.
Each KB module is organized around a single theme or purpose. For example, KB modules fall into the following categories:
- Compliance Modules (FIM, PCI, NERC CIP, etc.)
- Operations Modules
- Security Modules
The Knowledge Base Wizard can be run in two cases:
- In a new deployment, as part of the New Deployment Wizard.
- From the Client Console, during periodic Knowledge Base updates.
Information and downloads for all Knowledge Base modules are available under Documentation & Downloads on the LogRhythm Community.
Common Event Change Manager
The Common Event (CE) Change Manager was introduced when Common Events were consolidated to simplify search, reporting, and AI Engine rules. A custom object that references a consolidated Common Event may no longer behave as intended. Affected custom objects include: Saved Investigations, Saved Tails, Personal Dashboard Filters, Reports, Alarm Rules, GLPRs, AI Engine Rules, MPE Rules, and Common Event Lists.
The Common Event Change Manager lets you update those objects, based on the option you select, for each Common Event that was changed.
When the KB is updated, all the new Common Events are added to the CommonEvents table, and the original Common Events are left in place. The rules that assigned an old Common Event to a specific log are changed to assign the new Common Event instead.
The Difference Between Common Event to Common Event and Common Event to MPE Rule
Here is a Common Event Filter containing two common events:
- VPN Authentication
- VPN-Authentication - Admin
In this example, the VPN Authentication and VPN Authentication – Admin Common Events were both migrated to User Logon.
- If you select Common Event to Common Event, the resulting list of Common Events in the filter is:
- VPN Authentication
- VPN-Authentication - Admin
- User Logon
The old Common Events are left in the filter so that a search that includes historic logs still finds the logs carrying those Common Events. The new Common Event is added to the filter to catch current logs.
- If you select Common Event to MPE Rule, the Common Event filter is removed and an MPE Rule filter containing all the rules that assigned the OLD Common Events is inserted in its place. The result is an MPE Rule filter containing the following MPE Rules:
- MS-SysLog EVID 20142 : Successful VPN Auth
- MID 139 : VPN Client Authentication
- Login Packet
- MIA: ID 0406 MUVPN User Logged In
- ID 013299601: SSL Authentication
- ID 013299601: SSL Authentication
- SSL-VPN ID-1: User Login Successful
- %AUTH-6-41: VPN Authentication
- Login Succeeded : VPN Authentication
- ASA-6-716038 : WebVPN Authentication Success
- VMID 400 : VPN Authentication
- ID 013299601: SSL Authentication
- MID 235 : VPN Admin Login
- VMID 403 : Administrator Authentication
Migrating Items After Updating a Knowledge Base
Let's say you already have a Common Event filter using the User Logon Common Event in a report, investigation, GLPR, or another object. In the 201 KB, 72 rules assign User Logon as a Common Event. In the 203 KB, 728 rules assign User Logon as a Common Event.
If you do not migrate any configuration items, 728 rules now assign the User Logon Common Event instead of 72, so far more logs match a User Logon Common Event filter in Investigations, Tails, and Reports. GLPRs are affected the same way: many more logs match the GLPR than before.
In this KB update, 111 individual Common Events were migrated from their original value to User Logon. Logs that previously received any of those 111 Common Events now receive User Logon and therefore match a User Logon Common Event filter, including one produced by a Common Event to Common Event migration. This is another case where an operation no longer returns only the data you were looking for.
Because the Common Event to MPE Rule option replaces the original Common Event with the MPE rule(s) that assigned it, the other rules that now assign the new Common Event are not pulled into the filter. In this example, 14 rules assigned either the VPN Authentication or the VPN Authentication - Admin Common Event; those same 14 rules now assign User Logon. Filtering on those 14 rules retains the original intent of the filter and retrieves logs carrying both the OLD and the NEW Common Events, whereas filtering on the new Common Event alone does not.
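The following simulation, added here as an illustration and not part of LogRhythm's documentation or code, models the two migration options described above (the VPN Authentication filter example and the User Logon over-matching discussion). The rule names, Common Event names, the "SSH Authentication" consolidation, and the log records are constructed sample data; the dictionaries stand in for the CommonEvents table and the rule-to-Common-Event assignments and do not reflect LogRhythm's actual schema.

```python
"""Simulate how the Common Event Change Manager's two options rewrite a
Common Event filter, and which logs each rewritten filter matches.

Added example; all names and tables below are constructed, not LogRhythm's.
"""
from dataclasses import dataclass

# Constructed sample: MPE rule -> Common Event it assigns, before the KB update.
RULES_BEFORE = {
    "MID 139 : VPN Client Authentication": "VPN Authentication",
    "ASA-6-716038 : WebVPN Authentication Success": "VPN Authentication",
    "MID 235 : VPN Admin Login": "VPN Authentication - Admin",
    "EVID 4624 : An account was successfully logged on": "User Logon",
    "ID 2001 : SSH Login Accepted": "SSH Authentication",  # unrelated to VPN
}

# Constructed consolidation applied by the KB update (old CE -> new CE).
# The old CEs stay in the CommonEvents table; only rule assignments change.
CE_MIGRATION = {
    "VPN Authentication": "User Logon",
    "VPN Authentication - Admin": "User Logon",
    "SSH Authentication": "User Logon",
}


def apply_kb_update(rules_before, migration):
    """Rule -> CE table after the update: each rule that assigned a
    consolidated CE now assigns its replacement; other rules are unchanged."""
    return {rule: migration.get(ce, ce) for rule, ce in rules_before.items()}


@dataclass(frozen=True)
class Log:
    log_id: int
    rule: str          # MPE rule that parsed the log
    common_event: str  # CE stamped on the log at parse time


def build_logs(rules_before, rules_after):
    """One historic log (parsed under the old KB, ids 1xx) and one current
    log (parsed under the new KB, ids 2xx) per rule."""
    logs = []
    for i, rule in enumerate(rules_before):
        logs.append(Log(100 + i, rule, rules_before[rule]))
        logs.append(Log(200 + i, rule, rules_after[rule]))
    return logs


def migrate_filter(old_ces, option, migration, rules_before):
    """Rewrite a Common Event filter the way each Change Manager option does."""
    if option == "Common Event to Common Event":
        # Keep the old CEs (for historic logs) and append their replacements.
        ces = list(old_ces)
        for ce in old_ces:
            new_ce = migration.get(ce)
            if new_ce and new_ce not in ces:
                ces.append(new_ce)
        return {"common_events": ces}
    if option == "Common Event to MPE Rule":
        # Drop the CE filter; filter on the rules that assigned the OLD CEs.
        rules = sorted(r for r, ce in rules_before.items() if ce in old_ces)
        return {"mpe_rules": rules}
    raise ValueError(f"unknown option: {option}")


def matching_log_ids(filt, logs):
    """Evaluate a CE filter or an MPE Rule filter over the sample logs."""
    if "common_events" in filt:
        return sorted(log.log_id for log in logs
                      if log.common_event in filt["common_events"])
    return sorted(log.log_id for log in logs if log.rule in filt["mpe_rules"])


def compare_options(old_ces=("VPN Authentication", "VPN Authentication - Admin")):
    """Matched log ids per option for a filter that originally held old_ces."""
    rules_after = apply_kb_update(RULES_BEFORE, CE_MIGRATION)
    logs = build_logs(RULES_BEFORE, rules_after)
    return {
        option: matching_log_ids(
            migrate_filter(old_ces, option, CE_MIGRATION, RULES_BEFORE), logs)
        for option in ("Common Event to Common Event", "Common Event to MPE Rule")
    }


if __name__ == "__main__":
    for option, ids in compare_options().items():
        print(f"{option}: {ids}")
```

Running the block shows the effect the text describes: the Common Event to Common Event filter picks up the Windows 4624 logs and the current SSH log, because they now carry (or always carried) User Logon, while the Common Event to MPE Rule filter returns exactly the VPN logs, historic and current, and nothing else.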