LogRhythm Intelligence

LogRhythm Intelligence is the seamless integration of the LogRhythm SIEM and the Threat Center available on the Exabeam Security Operations Platform. This guide helps you configure both products to work together for threat monitoring, integrating the two platforms and consolidating data from both sources.

The integration works by using Log Distribution Services (LDS) to send data from the SIEM to an Exabeam Collector. The collector ships the logs to the Exabeam Security Operations Platform for analysis and threat detection. The Open Collector is then used to ingest the actionable detections raised by Exabeam back into the SIEM.

Deploy an Exabeam Collector

You will first need a site collector set up to receive logs from the SIEM and ship them to the Exabeam cloud. Refer to the Exabeam Site Collector Overview documentation for instructions on deploying site collectors.

Configure a LogRhythm Log Distribution Services Policy

Once the site collector is installed and configured, set up Log Distribution Services (LDS).

  1. Configure the Log Distribution Receiver. Below are suggested settings. Settings not listed below should use the default value.

     Setting                                   | Input
     ------------------------------------------|----------------------------------------------
     Remote Host IP                            | The IP address of the Exabeam Site Collector
     Remote Port                               | 1514
     Network Protocol                          | TCP
     Truncate message to 1024 bytes (RFC 3164) | Unchecked
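Worked check, added here as an example and not part of the LogRhythm documentation: it emulates the receiver settings above (TCP transport and the "Truncate message to 1024 bytes" checkbox) against a local stand-in for the Exabeam Site Collector, showing that a checked box silently cuts large events such as Windows Security logs. The hostname, port choice and event body are constructed sample values.

```python
import socket
import threading

# Constructed sample event body: a Windows Security event that exceeds the
# 1024-byte RFC 3164 limit, as Windows 4688/4624 events routinely do.
SAMPLE_BODY = "EventID=4688 " + "A" * 1400

def build_syslog_message(body: str, hostname: str = "lr-platform-manager") -> bytes:
    # RFC 3164-style message with newline framing for TCP; hostname is an assumed value.
    return f"<14>Jan  1 00:00:00 {hostname} LogRhythm: {body}\n".encode()

def _collector_stub(listener: socket.socket, received: list) -> None:
    # Minimal stand-in for the Exabeam Site Collector: accept one connection,
    # read until the sender closes, keep the raw bytes exactly as received.
    conn, _ = listener.accept()
    with conn:
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
    received.append(b"".join(chunks))

def forward_and_verify(body: str, truncate: bool = False) -> dict:
    # Emulates the LDS receiver settings from the table: TCP transport, and the
    # "Truncate message to 1024 bytes (RFC 3164)" checkbox (truncate=True == checked).
    message = build_syslog_message(body)
    if truncate:
        message = message[:1024]
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral local port; 1514 on a real collector
    listener.listen(1)
    received: list = []
    worker = threading.Thread(target=_collector_stub, args=(listener, received))
    worker.start()
    with socket.create_connection(listener.getsockname()) as client:
        client.sendall(message)
    worker.join()
    listener.close()
    got = received[0]
    return {"sent": len(message), "received": len(got), "intact": got == build_syslog_message(body)}

if __name__ == "__main__":
    print(forward_and_verify(SAMPLE_BODY), forward_and_verify(SAMPLE_BODY, truncate=True))
```

With the box unchecked the stub receives the full event; with it checked only the first 1024 bytes arrive, so fields after the cut point never reach Exabeam.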

  2. Configure the Log Distribution Policy.

    1. Use the filter options to select the individual log sources or log source types that will be forwarded to the Exabeam cloud. Below is a list of recommendations, grouped as Required, Nice to Have, and Can Be Excluded:

  • Windows Security / Active Directory
  • OS logs: Linux / Unix etc.
  • VPN logs
  • Endpoint security: AV + EDR
  • Email: Exchange + email security
  • Proxy
  • Cloud: O365, AWS, etc.
  • Security tools: NDR, DLP
  • Database
  • IDS / IPS
  • Vulnerability Management
  • Internal firewall
  • NAC
  • Privileged Access Management
  • DNS / DHCP
  • VoIP / call manager
  • WAF
  • External firewall traffic logs
  • Routers and switches
  • Wireless controllers / APs
  • MDM
  • Web servers

Configure the Exabeam Case Beat

To ingest actionable detections raised by Exabeam, deploy an Open Collector host and configure the Exabeam Case Beat.

  1. An Open Collector is required to run the Beat and collect detection data from Exabeam. For details on deploying an Open Collector, see the Open Collector Installation and User Guide.

  2. Once an Open Collector is deployed, log into the Web Console to configure a beat.

    1. Follow the instructions to set up the Exabeam Case Beat.

Download and Import the Exabeam Dashboard

A dashboard is available on the Community and can be imported into the Web Console using the instructions found in the Import and Export Dashboards documentation.

Configure Advanced Intelligence Engine (AIE) Rules

When an actionable detection is raised, you may want to be notified, raise an alarm in the SIEM, or kick off a SmartResponse. Out-of-the-box AIE rules in the LogRhythm Intelligence module make this straightforward.

  1. Make sure you have synced the latest KB.
    For more information on downloading KB files, refer to Download the Knowledge Base File.

  2. Import the LogRhythm Intelligence module.
    For more information on managing KB modules, refer to Knowledge Base Manager.

  3. Configure Advanced Intelligence Engine (AIE) rules as needed.
    For more information on the LogRhythm AIE, refer to Advanced Intelligence Engine.
