Glossary of LogRhythm Products and Components
The place to find the meaning of terms found in LogRhythm user guides, training materials, and other documents.
A | |
---|---|
Active Directory (AD) Browsers | Grids access from the Knowledge tools menu that display active directory user or group information for the domains that were previously synchronized via the manager. |
Active Directory (AD) Domain Manager | A tool used to set up, manage, and synchronize Active Directory domains. It is found within the Platform Manager tab of the Deployment Manager. Synchronization can be triggered from the manager, or the domains can be left enabled for the Job Manager to pick them up in its scheduled synchronization process. |
Admin API | A REST API that communicates over HTTPS and uses JSON. The API’s available routes and methods are used primarily for performing administrative functions in the Client Console, such as modifying lists, creating entities, adding people to notification groups, and searching identities. |
Advanced Intelligence Engine | The LogRhythm component that performs high-level, real-time analysis of log messages forwarded by the Data Processor. The AI Engine can elevate logs using a complex pattern matching rule-set, which correlates and detects sophisticated intrusions, insider threats, operational issues, and audit or compliance issues. |
Advanced Intelligence Engine Rule | A Knowledge Base object that contains the configuration used to determine whether logs meet specific criteria. The Rule contains settings for Common Events, Event Suppression, Alarm/Notification settings, Expiration, and other rule properties. A rule can have up to 3 rule blocks. |
Advanced Intelligence Engine Rule Block | A sub-component of an AI Engine Rule that defines the configuration parameters a log must meet in order to satisfy the rule block. A rule can have up to 3 rule blocks. There are 9 distinct variations of rule blocks. |
Advanced Intelligence Engine Rule Manager | A tool that allows users to manage AI Engine rules and rule blocks. It is accessed via the administration tools menu within Deployment Manager. |
AIE Cache Drilldown | A service that caches the results of an AIE drilldown when an alarm is triggered from the ARM, to provide faster access to data. It provides a summary of the drilldown logs for both the group-by and primary inspection fields. |
Agents (LogRhythm SIEM) | LogRhythm Agents, also called System Monitors, collect and forward log data to Data Processors. Agents can be installed on both Windows and UNIX platforms. They are also integrated into Site Log Forwarder (SLF) appliances and can perform file integrity monitoring. |
Agents (NetMon) | A software component that receives data from the appliance and then sends it to LogRhythm SIEM for further processing. |
Alarm | A record indicating that an alarm rule has been triggered by an event. |
Alarm Aggregation | A setting to restrict similar events from incurring alarms unless a specified number of them occur within a specified time span. The user can define what makes them similar by indicating which fields must have matching values. |
Alarm Card | An Alarm record that shows Alarm details. |
Alarm Notifications | A notification of an alarm via a notification policy: SMTP (email), SNMP, or Text Files. The person, role, or group to notify is set on the Alarm Rule Properties Notify tab. The Alarm Notification Policies are set via the Notification Policy Manager which is a distribution tool option within Deployment Manager. |
Alarm Suppression | A setting to suppress identical alarms based on the events triggering the alarm within a given time span. |
Alarming and Response Manager (ARM) | A Windows service installed on the Event Manager that is responsible for processing Alarm rules and taking the appropriate response. |
Alert | An event requiring immediate notification and response. Can be a single event or a combination of events (correlated events). |
Anomaly | User or entity behavior that deviates from an established behavioral baseline for that user or entity and could indicate a security risk to your network. |
Appliance | See LogRhythm Appliance |
Application (LogRhythm SIEM) | A record that defines an application and its ports and protocols so that the MPE rules can identify a log origin. Applications are managed via the Application Manager accessed from the Knowledge Tools menu within Deployment Manager. |
Application (NetMon) | Network protocols or web applications that NetMon identified using pattern matching and heuristic modeling, as well as signatures. |
Archive Log | A log that has been archived and is therefore no longer available online via the Data Processor database. |
Automated Decision Making | The predictive processing or strategic analysis of personal data to anticipate subject behavior (profiling). |
Automatic Log Source Configuration | A function that identifies devices on the network using SNMP (v1, v2c, and v3). It identifies virtual sources for Syslog, Netflow, sFlow, and SNMP Trap. It is configured from the Data Processor Properties within Deployment Manager. |
Automatic Remediation | A feature that provides the ability to perform remediation actions (such as killing a process) based on information received from an alarm and its first event. Remediation actions can be performed automatically or can require approval at the Alarm record. It uses a plug-in architecture that executes scripts on a Windows system in a scripting language such as PowerShell. |
B | |
Base Rule | Part of the MPE Rule that contains a tagged regular expression—the regex—used to identify the pattern of a log and isolate interesting pieces of metadata. Using a tagging system, these metadata strings can be directed to special fields used by LogRhythm to better interpret a log or specifically identify it. In general, base rules identify log messages by matching the fields to a specific log format or pattern. |
Baseline Period | The period of time used to measure user or entity behavior in order to build Behavior Models in CloudAI. The maximum length of the Baseline Period is 29 days, but shorter lengths are used in cases of limited data. |
Beat | Elastic Beats grab log data from devices and pass it along to the LogRhythm Open Collector. |
Behavior Feature | One of many network or host activities exhibited by a user or entity. In CloudAI, Behavior Models are built from Behavior Features observed during the Baseline Period and are used to score Behavior Features observed during the Scored Period. |
Behavior Model | In CloudAI, a model of expected user or entity behavior derived from the combined activity across a specific subset of Behavior Features. |
Behavior Model Anomaly Score | A number from 1 to 100, used by CloudAI, that indicates how anomalous a user or entity’s behavior was during the Scored Period when compared to the Baseline Period within a given Behavior Model. |
Binding Corporate Rules | Personal data protection policies to be adhered to by Data Controllers or Processors that are established by the Member State around the transfer of personal data. |
Breach Notification | The requirement to report a breach to the Supervisory Authority without undue delay, and no later than 72 hours after becoming aware of the breach. Communication of the breach to the Data Subject is required if the anticipated impact may result in high risk to the rights and freedoms of the natural person. The notification should also include the required breach information and the appropriate remediation actions to be taken. |
C | |
Case Card | An interface component, visible on the Cases page and Cases panel, that displays basic details about a case. It contains the controls for opening and closing cases and managing their incident statuses. |
Case Management | A forensic tool for tracking and documenting suspicious logs and alarms that are believed to be related to the same threat. |
Centralized Service Metrics | A service that gathers metrics on resource utilization and performance counters from each LogRhythm host. The data is collected in the Platform Manager and is viewable in Grafana. |
Classification | A second-tier group used to categorize logs and events. One or more Classifications are associated with each Classification Type. A Classification can have one or more Common Events, each of which is associated with an MPE Rule. |
Classification Type | A first-tier group used to categorize logs and events. There are three types: Audit, Security, and Operations. Every Classification is grouped into one of these three types, so each Classification Type has one or more Classifications. |
Client | Initiator of a session, such as a workstation or laptop. |
Common Criteria | An international standard (ISO/IEC 15408) for computer security certification. |
Common Event | A short, plain-language description of the log that is associated with a specific Classification. One Classification has one or more Common Events. A Common Event is created and managed through the Knowledge Tools Common Platform Manager. Common Events are associated with MPE rules (base and sub) located within the Knowledge Tools MPE Rule Builder. There is a one-to-one relationship between an MPE rule and a Common Event. |
Common Event Migration Manager | An administration tool within Deployment Manager used to manage changes to existing custom common event filters (such as report and investigation filters) in the user's deployment that reference common events which have changed in the master LogRhythm Knowledge Base. |
Components | See LogRhythm Components. |
Consolidated Compliance Framework | The CCF Compliance Automation Suite provides pre-bundled Investigations, Correlation Rules, Alarms, and Reports that are designed to support a minimum set of security requirements across multiple frameworks, regulations, legislation, and industry best practices. |
Contextualization | An action one can perform on a log to gather more information about specific fields within the log including host, port, and user. |
Coordinated Universal Time | The primary time standard by which the world regulates clocks and time. Time zones around the world are expressed as positive or negative offsets from UTC. The hours, minutes, and seconds that UTC expresses is kept close to the mean solar time at the Earth's prime meridian (zero degrees longitude) located near Greenwich, England. |
Core LogRhythm Software | Software installed by LR Deploy. This includes: Mediator, AIE, Platform Manager, Data Processor, Data Indexer, Web Console, and others. This does not include collection agents. |
Correlation | An action one can perform on a log to perform an additional search based on field values within the log. For example, a user can select a log and choose to correlate on the value within the Common Event field or the values within all fields in the log. Correlation works with the Quick Search Toolbar. |
D | |
Dashboard | A layout that contains graphs and charts in easy-to-read formats, which allows you to view high-level Events and also drill down on the data for further investigation. |
Data Controller | An organization that defines the scope, purpose, and methods of processing personal data. |
Data Indexer | LogRhythm Data Indexers (Indexer) provide persistence and search capabilities, as well as high-performance, distributed, and highly scalable indexing of machine and forensic data. Indexers can be clustered in a replicated configuration to enable high-availability, improved search performance, and support for a greater number of simultaneous users. Indexers store both the original and structured copy of data to enable search-based analytics. The DX runs Elasticsearch and is supported on Windows and Linux. |
Data Loss Defender | An Endpoint Monitoring tool that independently monitors and logs the connection and disconnection of external data devices to the host computer where the Agent is running. It is managed from the System Monitor Agent properties within Deployment Manager. |
Data Processor | LogRhythm Data Processors (DPs) are Windows Server systems running SQL Server and a single server process, the LogRhythm Mediator Server. There can be one or many DPs in a deployment. In medium to large deployments, Data Processors should be dedicated systems. However, in small deployments, a Data Processor can coexist on the same system as the Platform Manager. The Mediator Server takes in log messages and processes them against rules that identify the log message and determine whether it will be forwarded to the EM as an Event. |
Data Protection Authority | The national authorities tasked with the protection of data and privacy through monitoring and enforcement of regulations established within the EU. |
Data Protection Impact Assessment | A risk-based assessment methodology to determine an organization’s systems and business processing that may be exposed to risk in the absence of mitigating controls. |
Data Protection Office | A new position created for an individual appointed within the organization to independently ensure adherence to policies and procedures set forth by General Data Protection Regulation in the European Union. |
Data Subject | A natural person whose data is being processed by a data controller or processor. |
Deduplication | A process that recognizes and consolidates duplicate event data from log sources into a single, aggregate record. All raw log data is captured and archived for accuracy and compliance, while the deduplication process eliminates redundant online data and optimizes forensic search capabilities and storage utilization. Deduplication is a Log Processing Setting that can be set at the log source or log processing policy and can be overridden using a Global Log Processing Rule (GLPR). |
Deep Packet Analytics | Allows users to write rules that will interact with network traffic as it is being processed. |
Deep Packet Analytics Rules | Custom rules that enable users to determine flow state, access and set metadata, trigger alarms, enable capture, and write log messages. |
Deep Packet Inspection | A process whereby NetMon analyzes network data using a variety of methods, including pattern matching, heuristic modeling, signatures for session identification, application identification, and metadata extraction. |
Deployment Manager | A utility window in the LogRhythm Console. People with LogRhythm administrator credentials use it to configure and manage LogRhythm components and functionality such as alarming and reporting. |
Deployment Monitor | A window in the console that provides administrators with a near-real-time view of the performance of LogRhythm, including host status, host performance metrics, database utilization, Data Processor metrics, and Data Processor volume. |
Deployment Tool | The LogRhythm software installation tool to which the user adds each host IP in a deployment. |
E | |
Endpoint Monitoring | A client/server information security (IS) methodology used to audit log files generated by endpoint devices, such as laptops, smartphones, and routers. |
Entity | A record that represents a logical grouping of LogRhythm SIEM components. It organizes the deployment in host records, network records, and the LogRhythm components. Small deployments may contain one Entity record, while large deployments that span many sites require multiple Entity records. |
Entity Host | A record that represents a computer on a network. It is contained within an Entity. As part of log processing, hosts are identified as impacted or origin and may be represented as a Known Host if it exists as an Entity Host record. Entity Hosts are displayed in the Entities tab within Deployment Manager. |
Entity Network | A record that represents a range of IP addresses, which can have an associated host zone, host location, threat level, and network risk level. It is contained within an Entity. Entity Networks are displayed in the Entities tab within Deployment Manager. |
Event | A Syslog message to LogRhythm SIEM that has more immediate operational, security, or compliance relevance. Typically, logs classified as errors, failures, or attacks are considered events. |
Event False Alarm Rating | A rate set at the Rule level via the MPE Rule and the MPE Policy Rule Editor. It is used in the RBP calculation. |
Event Risk Rating | A rate set at the Rule level via the MPE Policy Rule Editor. It is used in the RBP calculation. |
F | |
File Integrity Monitoring | An Endpoint Monitoring tool that monitors files and directories for modifications. There are two modes: Standard and Realtime. |
Flow | A collection of activity by a single user on a single application. The flow contains source and destination information, bytes and packet counts transferred in both directions, application identification, and many other metadata fields. Long-running flows send updates every 10 minutes by default, but you can change that value. Each flow has a unique identifier that links multiple intermediate flows together. |
G | |
Global Data Management Settings | The global settings for the deployment including configuration options for event forwarding, log processing, log deduplication, and LogMart settings; maintenance settings for compression, indexing, partition, backup paths, and Time to Live (TTL) values; as well as Classification Based Data Management (CBDM) settings and Global Classification Settings (GCS). It is found within the Platform Manager tab of the Deployment Manager. |
Global Log Processing Rule | A Knowledge Base object used to provide a way to override settings defined in the Classification Based Data Management (CBDM) or standard Data Management settings (log message source and log processing policy). It provides a way to apply data management settings across all Data Processors, Log Sources, and Log Processing Policies to logs that meet specific criteria. The manager is accessed via the administration tools menu within Deployment Manager. |
H | |
Half Session | A session is a bi-directional flow of packets between one client and one server. A "half session" defines one direction of that flow, on either the sender or receiver side. |
Host | A single machine that has Core LogRhythm Software installed on it. |
I | |
Icon | A small graphic on the page, which you can select to open a dialog box or window. |
Identifier | An account name, a badge number, an ID, or any other piece of data that belongs uniquely to one user. |
Identity | A unified user. It contains a display name, email address, photo, job title, and any other identifier that belongs to that user. |
Intelligent Indexing | Part of the Mediator/Message Processing Engine that prevents logs, events, and LogMart data that do not conform to the TTL values set in Global Maintenance Settings from being added to the online databases. |
Intermediate Flow | An update of the communications between the client and server. |
Investigator | A search analysis tool that is used to query the Platform Manager, Data Processor, or LogMart databases for a given date range and with specified criteria for log source and field filters, among other settings. The results are displayed in a layout that can be configured and saved and includes various grids, charts, and graphs, including Network Visualization. The data results can be drilled into to provide more detailed information. |
IPv6 | The LogRhythm 6.0 services support running on pure IPv6 networks as well as dual-stack (IPv4 and IPv6) networks. The LogRhythm services (Mediator, ARM, Job Manager, Agents, SQL Server) can be configured to use IPv6 addresses when communicating with each other. |
J | No terms available |
K | |
Knowledge Base | A LogRhythm package consisting of a mixture of required and optional content that is shared across a LogRhythm Deployment. It consists of the core Knowledge Base as well as modules. The core Knowledge Base includes content applicable to all deployments, such as log processing rules and policies, classifications, and common events. The Knowledge Base is imported using the Knowledge Base Import Wizard, accessed from the Knowledge Tools menu within the console. |
Knowledge Base Module | Pre-packaged, customizable content applicable to a specific regulation or need, such as reports, investigations, alerts, or AI Engine rules, to name a few. An example is a compliance module for PCI which would include reports, investigations, and AI Engine rules that provide data relevant in meeting PCI requirements. Modules are managed using the Knowledge Base Manager accessed from the Knowledge tools menu within the Console. Modules are imported with a Knowledge Base depending on their settings. |
Knowledge Base Object | Defined LogRhythm items such as Alarm Rules, AI Engine Rules, Lists, Report Packages, Packaged Reports, Report Templates, FIM Policies, Investigations, Tails, and GLPRs that can be associated with a KB Module. |
L | |
License Limited | In the NetMon Data Rate chart, indicates the rate in megabits per second at which packets are being throttled/discarded according to your licensed capture rate. |
List Manager | A tool that is used to manage lists. A list is a record of data of a given type that groups similar values together in one location, so they can be used with all LogRhythm tools that allow filtering. For example, a list may include all PCI compliance-related log sources, suspicious hosts, or privileged users. These lists can then be used in filters within Investigator, Personal Dashboard, and Reports (to name a few) while being created and modified from one location. |
Local Host | Standard hostname given to the address of the loopback network interface. Localhost is specified where one would otherwise use the hostname of a computer. |
Log | Individual log data collected by LogRhythm. |
Log Distribution Services | A policy-based solution that allows users to forward specific syslog and non-syslog log messages to an external syslog receiver over TCP or UDP. It consists of a Receiver Manager and a Policy Manager, both accessed via the Distribution Tools menu within Deployment Manager. |
Log Manager | The central processing engine for logs sent from the Agents. The Log Manager contains the Mediator service, which is responsible for log identification and classification. A Log Manager can be installed on the Event Manager appliance or it can be a separate appliance in the SIEM deployment. Large environments may need more than one Log Manager in the deployment. |
Log Message | A raw log displayed in the Web Console's Analyzer grid. Also called a raw log. |
Log Message Source | A record that represents a single source of log data that is collected from a host. It is associated with a log source host, collection agent, and log message source type. It has specific data management and log processing settings and can have a MPE policy applied. An example source is Host 123 Microsoft Application Log. |
Log Message Source Type | A record that represents a common data format for logs. It has a specific log format such as syslog, NetFlow, text file, Windows Event Log, UDLA, Check Point firewall, Cisco SDEE, SNMP Trap, QualysGuard, Nessus, or sFlow. Each type has MPE Rules written for it so that logs run against them are optimally parsed. An example type is Microsoft Windows Event Log Application. They are managed via the Knowledge Tools Log Message Source Type Manager. |
Log Miner | A summary overview and trending tool that is opened after you perform a LogMart Search with Investigator. |
Log Processing Policy | A collection of MPE Rules designed for a specific Log Source Type such as Cisco PIX or Windows 2005 Security Event Log. Only logs generated from Log Sources that have an assigned MPE Policy are processed by the MPE. There can be multiple policies for a single log source type, to allow flexibility in assigning the policy to various log sources. |
Log Rotate | The Agent can follow log rotations while collecting from files, but it cannot finish reading a log file that has been compressed; the results of reading a compressed file are unpredictable. Disable compression for the log sources that the Agent is monitoring. Most Linux systems use the logrotate utility and its corresponding config file, logrotate.conf, to control this compression. |
Log Source | See Log Message Source. |
Log Source Type | See Log Message Source Type. |
Logger | The NetMon Flow Output component that processes the metadata into "flows." |
LogLevel | Determines the amount of information logged to scarm.log. The number of logs you see depends on the LogLevel that is set in the Agent Advanced Properties. These log files can be reviewed for success, error, and general log messages. |
LogListener | Network Connection Monitor logging option to generate logs for listening TCP/UDP sockets when NetworkConnectionMonitor is enabled. |
LogMart | A LogRhythm Database that stores log metadata rather than raw log data. |
LogRhythm Appliance | A LogRhythm Appliance is a turn-key LogRhythm Server on custom hardware, designed and offered by LogRhythm. LogRhythm Appliances are available in PM, DP, XM (PM + DP), and SLF (Agent-only log collection machine) configurations. They are also offered in a number of sizes to meet varying collection-volume needs. |
LogRhythm Client Console | The LogRhythm Client Console provides deployment administration and user interaction with LogRhythm with a Graphical User Interface (GUI). |
LogRhythm CloudAI | A LogRhythm User and Entity Behavior Analytics (UEBA) service that provides visibility into insider threats, compromised accounts, and privilege abuse. |
LogRhythm Common Components | LogRhythm Services that form the core of the deployment and need to be running on each host. These are the LogRhythm API Gateway, the LogRhythm Service Registry, and the LogRhythm Windows Authentication Service. |
LogRhythm Components | The software and associated databases required to run the LogRhythm Solution. This includes the Platform Manager (PM), Data Processor (DP), Advanced Intelligence (AI) Engine, LogRhythm SysMon Agents, and the Client and Web Consoles. |
LogRhythm Deployment | The collection of all hosts on a network. |
LogRhythm Diagnostics Tool | A standalone application that consolidates collected log files, performance metrics, oversubscription information, and other data from a LogRhythm deployment into a local .zip file for immediate review, analysis, and troubleshooting. |
LogRhythm ECHO | A standalone Windows application with web and command line interfaces that simulates a LogRhythm System Monitor Agent and allows users to replay native raw logs and PCAPs into LogRhythm for demonstration, validation, and verification purposes. |
LogRhythm SIEM | The core LogRhythm Solution set, including Data Collection, Processing (MDI), Persistence, and AI Engine but not including LogRhythm NetMon or LogRhythm SysMon. |
LogRhythm Metadata | Includes the fields that LogRhythm parses, derives, and calculates from collected log data. For the full list of fields and their descriptions, see the LogRhythm Schema Dictionary and Guide, available under Documentation & Downloads on the LogRhythm Community. |
LogRhythm Metrics App | A standalone application that extracts LogRhythm LogMart, Case, and Alarm SQL Server database data to a standalone Elasticsearch instance for analysis and presentation. |
LogRhythm NetMon | An add-on product for network monitor functionality. |
LogRhythm NetMon Freemium | The free version of LogRhythm NetMon with reduced functionality. |
LogRhythm Open Collector | The Open Collector brings modern logs, usually in JSON format, from cloud log sources, flat file, or other formats, into the LogRhythm SIEM. It was designed for easy mapping of those JSON fields to the LogRhythm Schema. The Open Collector uses Elastic Beats to grab the data from the device and pass it along to the Open Collector, where the normalization takes place. |
LogRhythm Platform | The set of LogRhythm products including LogRhythm SIEM, LogRhythm XM, LogRhythm CloudAI, LogRhythm SysMon, LogRhythm NetMon, and LogRhythm NetMon Freemium. Also called the LogRhythm Threat Lifecycle Management Platform. |
LogRhythm Platform Manager | The LogRhythm Platform Manager (PM) server is a Windows Server system running SQL Server and the LogRhythm Alarming and Response Manager (ARM) service. There is only one PM per deployment. The PM is sent logs that are determined to be important or interesting, called Events, which it maintains. The PM also contains the deployment's configuration data. The ARM is a windows service responsible for processing alarm rules and taking the appropriate response, such as sending e-mails to people on a notification list. |
LogRhythm Server | A LogRhythm Server is a Windows Server running as an EM, DP, or both. Customers typically build a Server when they have purchased a software-only solution from LogRhythm. |
LogRhythm Solution | A fully integrated Security Information and Event Management (SIEM) solution providing log management, advanced log analysis, event management, network and user monitoring, and reporting. The LogRhythm Solution is the collection of LogRhythm components that work together to bring log management, advanced log analysis, event management, monitoring, and reporting into one integrated solution. |
LogRhythm SysMon | An add-on product for system monitor functionality. |
LogRhythm Threat Lifecycle Management Platform | The set of LogRhythm products including LogRhythm SIEM, LogRhythm XM, LogRhythm CloudAI, LogRhythm SysMon, LogRhythm NetMon, and LogRhythm NetMon Freemium. Also called the LogRhythm Platform. |
LogRhythm Web Console | The LogRhythm Web Console allows you to monitor network log activity from supported browsers on desktop computers and laptops. |
LogRhythm XM | A LogRhythm Appliance that includes a Platform Manager (PM) and a Data Processor (DP). An XM can also include the Data Indexer, SysMon, and AI Engine. It is targeted at the small and mid-market. |
LR Deploy | The LogRhythm all-in-one installation service that contains the individual installers for all LogRhythm components except the database and individual system monitor agents. |
Lua | A lightweight multi-paradigm programming language designed as a scripting language with extensible semantics as a primary goal. |
Lucene Search | An open source text retrieval library released under the Apache Software License. |
M | |
MAC Address | A Media Access Control address (MAC address), which is a unique identifier assigned to network interfaces for communications on the physical network segment. |
Manifest File | A working list of user-inputted hosts in a LogRhythm Deployment. |
Mean Time to Detect | The average time it takes to recognize a threat that requires further analysis and response efforts. |
Mean Time to Respond | The average time it takes to respond to and ultimately resolve an incident. |
Mediator Service | A service running on the Log Manager, which is responsible for log identification and classification. |
Memory Pool | Pre-allocated memory space with a fixed size. Pools allow for dynamic memory allocation and can help improve performance. |
Message Processing Engine | As part of the Log Manager's Mediator service, the Message Processing Engine is responsible for log identification and classification, Event processing, and metadata processing. |
Message Processing Engine Policy | See Log Processing Policy |
Message Processing Engine Rule | A record associated to a specific log message source type with a common event, base rule regular expression, sub rules and other processing and policy settings that is used for processing logs. |
Message Processing Engine Rule Builder | A record associated to a specific log message source type with a common event, base rule regular expression, sub rules and other processing and policy settings that is used for processing logs. |
Metadata | Details of a log message in a simple format within the LogRhythm databases. Metadata is parsed directly from a log message (explicit) or can be inferred from a log message (implicit). |
Multi-host Deployment | A deployment in which any two or more hosts have LogRhythm software installed and communicating. This includes hosts with a standalone Web Console or AI Engine. |
My LogRhythm | A menu in the console for users to manage preferences and properties specific to their login. This includes general preferences for personal dashboard, investigator and tail, regional settings, and color themes as well as settings for personal alarms, notification policies, person properties and password changes. |
N | |
Navigation Bar | The selections at the top of the page that allow you to move between Web Console pages. The currently active page is shown in blue letters. |
NetMon Engine | The NetMon Packet Processing component that classifies data during Deep Packet Inspection. |
Network Connection Monitor | An Endpoint Monitoring tool that independently monitors when network connections are opened and closed on a Windows or UNIX host where a LogRhythm Agent is running and NCM is configured. It is managed from the System Monitor Agent properties within Deployment Manager. |
Network Time Protocol | A networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. |
O | |
Online Log | A log that is stored within the Data Processor database and available for immediate search. |
P | |
Packaged Report | A single report built from a template that has specific log source and filter criteria that is then configured and displayed in a specified report format such as Adobe Acrobat, Crystal Reports, or Microsoft Excel. The packaged report can be run ad-hoc and viewed via the console or stored for later viewing. |
Packet | A unit of data carried by a packet-switched network. |
PCAP | A file format used for saving raw flow data. |
PCAP File | An industry-standard format for containing packet capture data. PCAP data includes the raw packets for a flow. NetMon stores the raw packets from the network tap in PCAP files. |
Personal Dashboard | A monitoring analysis tool that is used to view data including alarms, events, statistics and various charts and graphs. It is highly configurable and allows for saving multiple layouts for view by various end users. Users can apply filters against the returned data for further refinement. The data within the tool can be drilled into to provide more detailed information. |
Plan File | The plan.yml file produced by the Deployment Tool that contains all information needed for each host in a LogRhythm Deployment to be configured correctly. |
Platform | See LogRhythm Platform. |
Platform Manager | See LogRhythm Platform Manager. |
Playbook | A way to store and manage standard procedures, including documentation of those procedures. |
Privacy Impact Assessment | An analysis of an organization’s exposure to privacy risks, based on its processing of personal data and the policies put in place to protect that personal data. |
Process Monitor | An Endpoint Monitoring tool that independently monitors when processes start and end on a Windows or UNIX host where a LogRhythm Agent is running and PM is configured on the agent. It is managed from the System Monitor Agent properties within Deployment Manager. |
Processed Log | A log after it has been processed through the Message Processing Engine (MPE) of the Mediator Server. |
Pseudonymization | A procedure in which most identifying fields within a data record are replaced by one or more artificial identifiers. |
Q | |
Quick Search Toolbar | A toolbar located at the bottom of the console window. It provides a quick and easy means of running ad-hoc investigations when the full search capabilities of Investigator aren’t required. |
R | |
Raw Log | A log in its original form as it was received by the LogRhythm System Monitor Agent. |
RBP Calculator | A calculator application that helps determine the RBP values for MPE and AIE Events by allowing users to experiment with different RBP settings without impacting the LogRhythm deployment. |
Report Center | An analysis tool in the console that provides users the ability to manage report templates, packaged reports, and report packages. |
Report Package | A mixture of packaged reports combined into one package that has specific log source criteria. The report package can be run ad-hoc and viewed via the console or stored for later viewing. It can also be scheduled via the Scheduled Report Job Wizard. |
Report Template | A template that can be used to build a packaged report in a detail or summary form. |
Right to Access | A data subject’s right to access or receive information about their personal data that a data controller or processor is utilizing. Also called Subject Access Rights. |
Right to Erasure | A data subject’s right to request that data controllers and processors remove all of their personal data from private and/or public avenues, including online sources, copies, links, or replications. |
Right to Object | A data subject’s right to deny consent to processing, profiling, or automatic decision making based on their personal data by a data controller or processor. |
Right to Rectify | A data subject’s right to have inaccurate personal data corrected without undue delay by the data controller or processor. |
Risk Based Priority | A calculation that results in a number between 1 and 100. It is used to determine how critical an event is based on a number of other rating and probability factors. |
Rule | See Message Processing Engine Rule. |
Rule Base | The collection of all rules developed to identify and normalize log data collected from a single log source type. Rule bases consist of multiple base rules and sub rules. |
S | |
Scheduled Report Job Manager | A Report tool used to schedule report packages to run for a specified period on a specified date and time. The job can be set to email an existing person and/or export to a UNC path. |
Scored Period | The period of time used to measure user or entity behavior that is then compared to the Behavior Models built during the Baseline Period in CloudAI. The default length of the Scored Period is 24 hours. Data is analyzed in one-hour intervals, and the final hour shown includes data through the end of that hour. |
SecondLook | A search analysis tool that is used to restore archived logs. The logs are reprocessed through the MPE using current settings. The logs are restored to the Online Archive Data Processor. |
Session | A bi-directional flow of packets between one client and one server. A "half session" defines one direction of that flow, on either the client or server side. |
SIEM | Security Information and Event Management. |
Single-host Deployment | An XM that does not have additional servers for the Web Console or AI Engine. |
Smart Connect | The ability to connect to a Mediator either within or outside the network and have configurable connection paths. Agents need to be able to connect to a Mediator using more than one IP address. If a laptop has an Agent on it, the Agent connects to the Mediator using a particular IP address. That IP address may only be accessible from in the office and on the network. When the laptop moves to a remote location, the Agent will have to connect to the Mediator using a different IP address. The secondary IP address can be the external IP address for the Mediator (Agent communications get sent to the secondary IP and get routed internally to the Mediator’s IP). |
SmartResponse | A form of LogRhythm incident response that can be configured to automatically trigger with specific alarms or be set to trigger after passing through a chain of approvals. It reduces the need to perform common incident and investigation mitigation steps. |
SNMP Trap Receiver | A tool that supports the collection of SNMP Traps (v1, v2c, or v3) sent from third-party network devices and systems. It collects the traps and translates them into LogRhythm logs. It is managed from the System Monitor Agent properties within Deployment Manager. |
SOAR | Security Orchestration, Automation, and Response. SOAR automates workflows and accelerates threat qualification, investigation, and response. |
SQL Server Trace File Converter | A LogRhythm Windows service that converts Microsoft trace files (.trc) into UTF-8 encoded text files for archival and subsequent collection by a LogRhythm System Monitor. |
Sub Rule | Part of the MPE Rule that differentiates log messages that match the same base rule using values in the log. Sub-rule tags can include a regex that only applies to the string in a specific field to identify information such as a log / event identification number, a message string, or even a user or group name. |
Supervisory Authority | An independent public authority established by Member States within the EU to monitor the application of regulations. |
Syslog | Syslog is a standard for logging program messages. It allows separation of the software that generates messages from the system that stores them and the software that reports on and analyzes them. It also gives devices that would otherwise be unable to communicate a means of notifying administrators of problems or performance. NetMon transfers data to the LogRhythm SIEM (or to a third-party system) using the Syslog protocol. |
T | |
Tail | A monitoring analysis tool that provides real-time monitoring of log and event activity. It is an easy means of monitoring any activity based on device, log classification, or metadata contained in the log. |
Threat Event | A potentially harmful situation for an information system that can have unwanted consequences. CloudAI classifies observations with a score of 70 or higher as threat events. |
Threat Intelligence Service | A service that works with the LogRhythm Threat Intelligence Module to collect and analyze data published by subscription-based and open source threat data providers to alert users to threats in their environments. |
Threat Lifecycle Management | The framework that defines security workflows addressed by LogRhythm products. |
Transfer of Data | The transfer of personal data between entities or to third countries for strictly valid business purposes and where consent from the data subject has been obtained. |
TrueHost | A higher-level construct of the actual server, endpoint, and device of a parsed host identifier. |
TrueIdentity | A representation of a collection of identifiers, such as logins and email addresses, that comprise a single identity. |
TrueTime | LogRhythm's best possible determination of the actual time a log message was originally written. TrueTime is recorded in Coordinated Universal Time (UTC) down to millisecond resolution. |
U | |
Unidentified Log | A log that has been sent through the Message Processing Engine (MPE) that was not identified against any of the MPE Rules. |
User Activity Monitoring | An Endpoint Monitoring tool that is used in conjunction with FIM, DLD, Process Monitor and Network Connection Monitor to include the user information related to the log activity. It is managed from the System Monitor Agent properties within Deployment Manager. |
User Anomaly Score | A number from 1 to 100 that indicates how anomalous a user or entity’s behavior was during the Scored Period when compared to the Baseline Period in CloudAI. The User Anomaly Score is a function of all Behavior Model Anomaly Scores for that user or entity. |
User Profile Manager | An administration tool within Deployment Manager used to manage User Profiles. A User Profile is a configuration that defines the security role, Data Processor access and log source access for one or more user accounts. |
V | No terms available |
W | |
Widget | A mini-application, such as a chart or graph, that provides content for dashboards. Widgets can be resized and repositioned in page layouts to modify existing dashboards or create new ones. |
Windows Host Wizard | A tool that allows users to configure LogRhythm to collect Windows Event Logs. It has the ability to scan domains and allows users to import computers. It is accessed via the administration tools menu within Deployment Manager. |
X | No terms available |
Y | No terms available |
Z | No terms available |