SmartResponse lets you execute preventative actions when threatening activity is observed. Actions may provide deeper forensic or operational data, automate operations tasks, or implement security controls in defense of an attack or intrusion, such as disabling a compromised user account or terminating a connection between attacker and target. Based on the change management controls of an organization, SmartResponse actions can be executed immediately or after a quorum-based approval process.
SmartResponse is managed in the Client Console and processed through the Advanced Intelligence (AI) Engine and the Platform Manager's Alarming and Response Manager (ARM).
- Some examples of SmartResponse use cases are listed below:
- After an alarm is generated from a compromised system, a SmartResponse can initiate a vulnerability scan or packet capture on the target host.
- After observing near concurrent successful logins using the same account from two different countries, a SmartResponse can disable the account.
- After a critical operations issue is observed on a network device, a SmartResponse can automatically set the device to debug-level logging.
- When an inappropriate process is detected on a server, such as BitTorrent or a Peer2Peer application, a SmartResponse can kill the process.
You can enable SmartResponse in LogRhythm by importing SmartResponse plugins. Plugins are self-contained binary files (*.lpi) containing one or more actions. Actions can leverage custom or commercial programs and scripts, and they can be executed when an assigned Alarm Rule or AI Engine Rule is triggered.
LogRhythm provides plugins that contain the most commonly requested actions. For all currently available SmartResponse Plugins, see Download SmartResponse Shareables. Users can develop their own SmartResponse plugins for custom needs. For information on how to develop them, see the Develop SmartResponse Plugins.
Creating a SmartResponse plugin is an advanced procedure. You must be familiar with XML and with writing executable scripts. For help creating a SmartResponse plugin, please contact your Customer Relationship Manager (CRM) or Professional Services Engineer.
Quorum-Based Approval for SmartResponse Actions
LogRhythm supports a quorum-based approval process where up to three levels of approval can be required before an action is executed. Individuals or groups can be assigned to each level. When multiple individuals are assigned to the same level, only one needs to provide approval. If any individual rejects the action, the action is immediately aborted prior to execution.
You should carefully consider SmartResponse approvals when more than one SmartResponse is assigned to an Alarm or AI Engine Rule. If an action requires approval, no subsequent actions can be executed until approval is granted.
- Manage plugins with the SmartResponse Plugin Manager.
- Configure plugin actions in an AI Engine Rule or Alarm Rule actions.
- If AI Engine Rule actions or Alarm Rule actions require approval, one of the following must be completed:
Approval of the Action
Denial of the Action
The SmartResponse Plugin Manager
The SmartResponse Plugin Manager window has four options within the menu bar. From left to right they include:
- Refresh. Refreshes the grid.
- Actions. Provides a menu to Activate, Retire, Import, or Export SmartResponse Plugins.
- Create Plugin. Opens the Create SmartResponse Plugin window to browse to the location of an existing configuration file and its executables to create the SmartResponse Plugin.
- Properties. Allows you to set Execution Access permissions. In order for users to view and run SmartResponse actions from the Web Console, their user profile must correspond to the Execution Access permission set here. The default Write Access permission is Public Global Administrator and the default entity is Global Entity. These are not configurable settings. To prevent all ad hoc execution of a SmartResponse from the Web Console, select the Disable ad hoc execution check box.
The SmartResponse Plugin Manager contains two grids. The top grid lists all plugins. If no plugins have been imported, both grids are empty.
The top grid displays the following details for each plugin:
|Action||A check box that is used to select rows for performing batch actions.|
|Name||The name of the plugin as defined in the configuration file.|
|Status||The plugin status, active or retired.|
|Version||The version of the plugin as defined in the configuration file.|
|Last Updated On||The date and time when the plugin was last modified.|
|Plugin ID||The database assigned ID for the plugin.|
|Plugin GUID||The unique ID for the plugin as specified by the creator in the plugin configuration file.|
|AIE Count||The number of AIE rules in which the plugin is used.|
|Alarm Count||The number of Alarms in which the plugin is used.|
|Actions||The number of actions available in the plugin.|
|Read Access||The Read permissions for the list.|
|Write Access||The Write permissions for the list. The default is Public Global Administrator.|
|Entity||The Entity with which the plugin is associated. The default is Global Entity.|
|Owner||The user who created the plugin. The default is LogRhythmAdmin.|
The SmartResponse Plugin Manager context menu, access by right-clicking the top grid, allows the user to select and clear plugin records, clear filters, take actions, set properties, and toggle the view of retired plugins.
The bottom grid lists the available actions for each of the selected plugins and the number of parameters taken by the action.
You can download SmartResponse plugins by going to the LogRhythm Community and clicking on the Shareables link on menu at the top of the page. The filters allow you to choose from supported and unsupported plugins, as well as ones created by LogRhythm or by other users.