Hunt Activity
To access the Hunt Activity page:
- Log in to LogRhythm NDR's new UI.
- Click Hunt from the sidebar menu and then click Activity.
The Activity page displays the Activity Chart and the Activity Table.
The Activity Chart plots the suspected activity against the time period in which it occurred.
- To filter the list of activities, use the Anomaly and Threat Severity sliders.
- To filter further, click the Date Range/Time picker drop-down menu next to the Search field at the top-right of the page.
Different entry types are present in the legend of this chart and can be clicked for a filtered view.
When you hover over the chart on the different entries, a tooltip presents additional information such as date, type, and the number of instances.
The Activity Table presents data such as Occurred On, Event Info, Activity, and Entry UUID. Click the column headers in the table to sort the table entries in ascending or descending order.
To export the activity details, click the Export icon.
To add or remove column headers, click the Show Columns icon.
- To expand an entry and see more details such as Date, Community ID, and Destination ID, click the entry.
- Click the Raw Data (JSON) tab to see more details in the JSON format.
- Click a particular User_UUID to activate the filter and show only entries pertaining to that User_UUID. This can be done in both the chart and the table.
- To enable or disable a User_UUID filter and remove it, click the entry again.
- Click the Alert Event drop-down option available in the Event Info column, corresponding to a particular entry, to choose one of the following:
- View Logs
- Create Case
While creating a case, you can either go to the newly created case or stay on this page.
Mitre
- In the Activity page, click Mitre Enterprise ATT&CK™.
The Mitre Enterprise window appears, displaying the Mitre table with techniques and sub-techniques.
- Click the drop-down arrow in a technique entry to view its sub-techniques.
A few of the technique entries also display the count/number of events related to the particular technique.
At the top of the window, the Mac, Windows, Linux, Matrix Coverage, Malicious Software, and Threat Group buttons are available.
- To see the techniques associated with malicious software, click Malicious Software.
To enable or disable a technique, click the toggle next to that technique.
A tooltip with information about each technique appears when you hover over it.
- To see the various threat groups, click Threat Group.
To enable or disable a threat group, click the toggle next to that threat group.
A tooltip with information about each threat group appears when you hover over it.
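The filters on the Activity page (severity sliders, date range, User_UUID) and the per-technique counts in the Mitre table can be reproduced offline against an export of the Activity Table, which is useful for repeating a hunt or checking a result in a ticket. The following is an added example, not LogRhythm code, and the record layout it uses (keys such as `occurred_on`, `anomaly_severity`, `threat_severity`, `user_uuid`, `technique`) is an assumption; take the real key names from the Raw Data (JSON) tab of an entry and adjust the field access accordingly. The sample records are constructed for illustration.

```python
"""Offline triage of exported Hunt Activity records (added example).

The export schema is assumed, not documented here: map the keys below to
whatever the Raw Data (JSON) tab actually shows for your NDR version.
"""
from collections import Counter
from datetime import datetime

# Constructed sample export; values are invented for illustration only.
SAMPLE_EXPORT = [
    {"entry_uuid": "e1", "occurred_on": "2024-05-01T10:00:00Z",
     "activity": "Suspicious DNS volume", "anomaly_severity": 80,
     "threat_severity": 70, "user_uuid": "u-1", "technique": "T1071.004"},
    {"entry_uuid": "e2", "occurred_on": "2024-05-01T11:30:00Z",
     "activity": "Internal port scan", "anomaly_severity": 30,
     "threat_severity": 20, "user_uuid": "u-2", "technique": "T1046"},
    {"entry_uuid": "e3", "occurred_on": "2024-05-02T09:15:00Z",
     "activity": "Beaconing over HTTP", "anomaly_severity": 90,
     "threat_severity": 85, "user_uuid": "u-1", "technique": "T1071.001"},
    {"entry_uuid": "e4", "occurred_on": "2024-05-03T14:45:00Z",
     "activity": "Internal port scan", "anomaly_severity": 60,
     "threat_severity": 50, "user_uuid": "u-3", "technique": "T1046"},
]


def parse_ts(value):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def filter_activity(records, min_anomaly=0, min_threat=0,
                    start=None, end=None, user_uuid=None):
    """Mirror the UI filters: Anomaly/Threat Severity sliders (minimum
    thresholds), Date Range picker (start inclusive, end exclusive) and the
    User_UUID click filter. Result is sorted by Occurred On, newest first."""
    selected = []
    for rec in records:
        ts = parse_ts(rec["occurred_on"])
        if rec["anomaly_severity"] < min_anomaly:
            continue
        if rec["threat_severity"] < min_threat:
            continue
        if start is not None and ts < start:
            continue
        if end is not None and ts >= end:
            continue
        if user_uuid is not None and rec["user_uuid"] != user_uuid:
            continue
        selected.append(rec)
    return sorted(selected, key=lambda r: parse_ts(r["occurred_on"]),
                  reverse=True)


def technique_counts(records):
    """Count events per ATT&CK sub-technique and roll them up to the parent
    technique (T1071.004 -> T1071), the way the Mitre table shows a count
    on technique entries that have related events."""
    by_sub = Counter(r["technique"] for r in records)
    by_parent = Counter()
    for tech, n in by_sub.items():
        by_parent[tech.split(".")[0]] += n
    return dict(by_parent), dict(by_sub)


if __name__ == "__main__":
    # Same view as dragging the Threat Severity slider to 70 in the UI.
    for rec in filter_activity(SAMPLE_EXPORT, min_threat=70):
        print(rec["occurred_on"], rec["entry_uuid"], rec["activity"],
              rec["user_uuid"], rec["technique"])
    parents, subs = technique_counts(SAMPLE_EXPORT)
    print("per technique:", parents)
    print("per sub-technique:", subs)
```

Because the export carries the Entry UUID, the output of a filter run can be pasted into a case as the exact set of entries reviewed, which is harder to reconstruct from a screenshot of the chart.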