Use SmartResponse
SmartResponse lets you execute preventative actions when threatening activity is observed. Actions may provide deeper forensic or operational data, automate operations tasks, or implement security controls in defense against an attack or intrusion, such as disabling a compromised user account or terminating a connection between attacker and target. You can enable SmartResponse in LogRhythm by importing SmartResponse plugins into the Client Console. For more information, see SmartResponse in the Client Console (Administrator's Guide).
After SmartResponse has been enabled in the Client Console, you can run SmartResponse actions from the Analyzer grid in the Web Console.
Update your Knowledge Base in the Client Console prior to using SmartResponse in the Web Console. This enables usage auditing for SmartResponse.
To run a SmartResponse action:
- On the lower-right side of the page, click the Logs tab.
- Click the Configuration icon in the cell that contains the metadata that requires a SmartResponse.
- In the Inspector panel, scroll down, if necessary, to the SmartResponse section.
- Click the arrow in the list to view the available SmartResponse actions. You are only able to see SmartResponse actions that your user profile has permissions for. Permissions are set in the SmartResponse Plugin Manager in the Client Console.
- Configure your SmartResponse parameters. The configuration options depend on the SmartResponse action you chose and not all parameters are configurable. To configure the parameter fields with data from the selected log, do one of the following:
  - Click in a field and select a value from the list.
  - Type in the data manually. The parameter fields include typeahead filters to enable you to quickly enter any metadata from the selected log.

  You can also browse to another log and follow one of the steps to add metadata from the newly selected log to the SmartResponse action. When you browse to a new cell or log, any parameters you already configured persist until you run the SmartResponse.
- In the Command to Execute box, verify the command you created. Commands cannot be edited in this box.
- In the Execute from list, select a location from which to run the SmartResponse. You can run it from the Platform Manager, which is the default, or any System Monitor Agent within your entity.
- Click Run.
The SmartResponse action opens in a new tab in your browser. The SmartResponse page shows the action taken, the time required to run it, the status of the action, and the output results. In addition, the URL of the new tab shows the actionId so the SmartResponse action can be audited in the Client Console. To add the text of the SmartResponse action to the current case, click Add to Case.
You may need to adjust your pop-up blocker to allow the SmartResponse tab to open.