To learn more about the metadata of individual events:
- On the lower-right side of the page, click the Logs tab.
- On the right side of the Analyzer grid, click Details & Actions.
The Details & Actions panel appears. To adjust the width of the Details & Actions panel, click the handle on the left and hold down your mouse button, then drag the handle to either side and release the mouse button when you are satisfied with the width.
- Select an event by clicking its row in the Analyzer grid.
Events & Actions
The Event & Actions tab displays specific metadata and actions associated with an event.
When AI Engine events are viewed in the Events & Actions panel, a blue AIE Drill Down button appears at the bottom of the panel.
To view the logs that meet the criteria of an AI Engine event's rule blocks:
- Click AIE Drill Down.
A search task appears and floats to the bottom of the browser, indicating that the search is processing.
- When the search is completed, click the search task to view the log results on the Analyze page.
The Log Message tab displays the raw log data. Any date and time settings you may have applied in User Settings are not applied to the information on this tab in order to preserve the integrity of the raw log data.
Use Identity Inference
You can use Identity Inference to determine which user might be responsible for an event. For example, a hacking attempt on a network PC could trigger an event, but the event log might not include metadata that points to a specific user. With Identity Inference, the Web Console can look for such metadata as impacted host, origin login, and email recipient. Based on that information, it displays a list of users who were logged in to the network around the time of the event. From the list, you can drill down on user data for further investigation.
To use Identity Inference:
- Select the log you want from the grid.
Select the Inferred Identity tab.
If the Web Console can infer identity information, it displays the following:
- IP or host name of the Origin Host and Impacted Host (if available from metadata).
- List of possible users associated with the activity.
- Offset time in minutes (plus or minus the time of the event). The time is displayed in gradients of blue to show confidence levels. A glowing blue represents the highest confidence that the user is associated with an event. Lighter shades of blue are shown for 90% and 75%. Confidence levels below 50% are displayed in gray.
To start a Search on the user information, do the following:
Select the check box for one or more users.
Select a time frame (plus or minus hours and minutes) in the Before and After fields.
When the search completes, select the Results status in the taskbar.
The Analyze page opens in a new browser tab with information related to the selected users.
Integrate with Network Monitor
The LogRhythm Network Monitor interfaces with the Client Console and sends information to the Web Console based on the configuration in the Client Console. For Configuration information, see the Network Monitor information in the LogRhythm SIEM Help.
The timeout for the integration between a Network Monitor to the Web Console API can be configured in the Configuration Manager. Select the Advanced view, scroll down to the Web Console API section, and enter the time you want in the NetMon Integration Timeout field. For more information on the Configuration Manager, see the Use the LogRhythm Configuration Manager topic in the LogRhythm SIEM Help.
If Network Monitor is configured to integrate with the Web Console and you select an event from the Network Monitor in your log viewer, the Web Console checks your configured Network Monitor(s) for the corresponding PCAP. If the Network Monitor's API information is not configured in the Client Console, the button with the option to download the PCAP does not appear in the Details & Actions panel.
Not all logs generated from Network Monitor have PCAPs associated with them.
If the associated PCAP is available from the Network Monitor, the Download PCAP button appears in the Details & Actions panel under the Events & Actions tab. If associated files are available from the Network Monitor, the Download Files button appears.
PCAP files do not remain on the server indefinitely. Other messages appear in the Details & Actions panel when Network Monitor is configured but the packet capture file is not ready to be downloaded or when the file is no longer on the server.
|Network Monitor Message||Details|
|Checking for PCAP...||The Web Console is looking for the packet capture file in the Network Monitor.|
Network Monitor connection not configured
The Network Monitor has not been configured in the Network Monitor tab of the Client Console. For configuration information, see Network Monitor.
|PCAP not on disk||The packet capture file does not exist.|
|PCAP unavailable||The system is unable to log in to the Network Monitor using the configured settings. Check the settings, IP address, and login information.|