Configure SmartResponse as Part of an Alarm
There are many ways to configure a SmartResponse Plugin to act on an alarm. You have the following options:
- Determine what events trigger the SmartResponse.
- Determine if there is an approval workflow.
- Determine which alarm values are passed into the SmartResponse Plugin.
- Configure any parameters that are environment specific.
Because of the number of options and variety of use cases, see the SmartResponse Plugin installer guides for more details on configuring the SmartResponse Plugin.
Additionally, many of the Threat Detection module user guides contain recommended actions sections for linking LogRhythm published SmartResponse Plugins to specific Advanced Intelligence Engine (AIE) rules. Review these guides for ideas about possible use cases for SmartResponse Plugins.
Executing a SmartResponse Plugin for Context Enrichment
As of LogRhythm 7.2.3, you can execute an SRP from the context of the Analyzer grid in the Web Console. Any output from the SRP displays in a window inside the Web Console. This opens up a new way to use SRPs for context enrichment when hunting or analyzing a log, event, or alarm.
To run SmartResponse in the Web Console, you must first enable SmartResponse in LogRhythm by importing SmartResponse Plugins in the Client Console. For more information, see Import SmartResponse Plugins.
Security Considerations for Running SmartResponse Plugins
SmartResponse Plugins run with the credentials of the System Monitor Agent Service Account on hosts, or with those of the ARM Service Account if launched from the Platform Manager.
Often these services use the LocalSystem Service Account.
Best Practices for Service Accounts
- The System Monitor Agent Service and ARM Service should be configured to run under a specific service account, rather than LocalSystem.
- Use the Least Privilege User Guide to limit the privileges of the account running the System Monitor Agent or ARM Service.
SmartResponse actions may be highly privileged, or subject to attack, and should therefore be monitored. Signed PowerShell scripts can be logged by CAPI2 event logging in Windows, which lets you validate that a LogRhythm-signed script was in fact the one executed.
SmartResponse Plugins are delivered to System Monitor Agents and saved under the C:\Program Files\LogRhythm folder structure, in the LogRhythm System Monitor\State\SmartResponse subfolder. This folder should be monitored by File Integrity Monitoring (FIM), and an AIE alarm should be created to alert on any activity in that folder that does not originate from the scsm.exe process.
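As an added example (not LogRhythm's own tooling), the following PowerShell script combines the two checks above on an agent host: it baselines the SmartResponse folder by SHA-256 hash, reports files that are new, modified or removed since the baseline, and flags any PowerShell script whose Authenticode signature is not valid. The folder path is the one named on this page; the baseline file location and the `-UpdateBaseline` switch are assumptions of this example.

```powershell
# Added example, not LogRhythm code. Snapshot the SmartResponse plugin folder and
# compare it with a saved baseline. Baseline location below is an assumption.
param(
    [string]$PluginRoot   = 'C:\Program Files\LogRhythm\LogRhythm System Monitor\State\SmartResponse',
    [string]$BaselinePath = 'C:\ProgramData\SmartResponseBaseline.json',
    [switch]$UpdateBaseline
)

function Get-PluginSnapshot {
    param([string]$Root)
    $snapshot = @{}
    Get-ChildItem -Path $Root -Recurse -File | ForEach-Object {
        # Only PowerShell scripts are expected to carry a LogRhythm signature.
        $sigStatus = 'NotChecked'; $signer = ''
        if ($_.Extension -in '.ps1', '.psm1') {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            $sigStatus = $sig.Status.ToString()
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        $snapshot[$_.FullName] = [pscustomobject]@{
            Sha256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            SigStatus = $sigStatus
            Signer    = $signer
        }
    }
    return $snapshot
}

$current = Get-PluginSnapshot -Root $PluginRoot

if ($UpdateBaseline -or -not (Test-Path $BaselinePath)) {
    $current | ConvertTo-Json -Depth 4 | Set-Content -Path $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) files)."
    return
}

# ConvertFrom-Json yields one object whose properties are the file paths.
$baselineFiles = @{}
foreach ($p in (Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json).PSObject.Properties) {
    $baselineFiles[$p.Name] = $p.Value
}

foreach ($path in $current.Keys) {
    $entry = $current[$path]
    if (-not $baselineFiles.ContainsKey($path)) { Write-Warning "NEW file not in baseline: $path" }
    elseif ($baselineFiles[$path].Sha256 -ne $entry.Sha256) { Write-Warning "MODIFIED since baseline: $path" }
    if ($entry.SigStatus -notin 'Valid', 'NotChecked') {
        Write-Warning "Signature $($entry.SigStatus) on $path (signer: '$($entry.Signer)')"
    }
}
foreach ($path in $baselineFiles.Keys) {
    if (-not $current.ContainsKey($path)) { Write-Warning "REMOVED since baseline: $path" }
}
```

This complements rather than replaces FIM and the AIE alarm: it only sees the folder's state when it runs, and cannot tell which process made a change, which is what the scsm.exe condition in the alarm provides.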