NDR 2023.04 Release Notes
Welcome to the April 2023 release of LogRhythm NDR. We have many updates in this version, but first we want to highlight a few exciting recent developments for LogRhythm NDR.
- India Availability Zone - LogRhythm NDR now has an availability zone in India.
- Forrester Q1 2023 Landscape Report - LogRhythm NDR is one of the 25 vendors highlighted in Forrester's Network Analysis and Visibility Landscape, Q1 2023.
- LogRhythm NDR Analytics Engine - we have made multiple general enhancements to our analytics engine, so customers get more refined detections and less noise.
Customer Feedback Opportunities
We always welcome your feedback!
- If you have an idea for LogRhythm NDR, we encourage you to post on the LogRhythm NDR Community.
- If you are interested in speaking with our Product Team, you can schedule a LogRhythm NDR Customer Feedback Session.
Ubuntu 20.04 Upgrade
Since Ubuntu 18.04 LTS (Bionic Beaver) is reaching its End of Standard Support, LogRhythm is upgrading all customer probe nodes to Ubuntu 20.04 LTS (Focal Fassa).
- LogRhythm's SRE team will be contacting customers with more details on when their probe nodes will be upgraded.
NDR 2023.04 Updates
There are many updates in this version that we hope you'll like. Brief explanations of the updates are grouped into the following sections:
Key highlights include:
- New LogRhythm University NDR Course
- Documentation Updates
- Probe Node Status Email Alerts
- Whitelisting Enhancements
Training & Documentation
Training
LogRhythm University is now offering a new web-based class: What is NDR? It is designed as a first step for anyone new to Network Detection and Response (NDR). It describes what an NDR solution is, why it is helpful, and provides an overview of LogRhythm NDR's unique architecture.
- Access this free self-paced course by using your Community credentials to log in to LogRhythm University. You can also click the University link in the main header bar on Community, and then search for What is NDR.
Documentation
As a companion to the LogRhythm NDR 2023.04 release, we are publishing the initial draft of the user guide for our new UI. We will be building out the LogRhythm NDR User Guide incrementally with each subsequent release to keep pace with the functionality added to the new UI.
We also wanted to highlight some enhancements to our existing documentation:
- Integrations: CrowdStrike, Palo Alto, SentinelOne, and ServiceNow
- Whitelisting
- Data Processed by Node Chart
Analyst Experience
In the LogRhythm NDR 2023.04 release, the functionality of the new UI continues to increase. The new UI now includes the following pages and tables, along with companion documentation:
- Cases
- Feature Configuration
- Hosts
- Hunt Geo Activity
- IDS Rules
- Incidents
- MistWatcher
- Networks
- Probe Node Status Email Alerts
- Report
- Whitelist
Log in to the New LogRhythm NDR UI
- Log in to the Legacy LogRhythm NDR UI.
- In the top right of the page, place your cursor over your profile name and click Edit Profile.
The Edit Profile page appears. - To enable the Keycloak login, click the Enable Keycloak Login checkbox.
The Credentials for Keycloak login box appears. - Type a new password in the Password and Confirm Password fields.
- Click Create.
The message "Created Successfully" appears. - Click Ok.
- At the top of the screen, click Try New UI.
The new UI opens in a new tab. - Enter your legacy username and the new password you created.
- Click Sign In.
The Dashboard of the new UI appears.
Case Table Enhancements
The Cases page now displays a table with cases categorized by global time range and site. Users can modify the global time range and site, and the table updates the data to reflect the modified parameters.
Feature Configuration Page
The Feature Configuration page lets users enable or disable PCAP (Packet Capture) and Netflow services.
Host Page Enhancements
Users can click a timestamp in the History section of the Host Details page to immediately view the associated incident.
In the All Hosts tab of the Host page, users can view the total number of IOAs by clicking IOAs on the right side of the page.
The Host Details page includes the Host Activity Timeline Graph, and Host Activity Chart and Table. Users can adjust the time range of activity shown in the Host Activity Timeline Graph.
Users can also view the host activity in chart and table form.
Hunt Geo Activity Page Enhancements
The Hunt Geo Activity page displays a global map and table based on site, query, global time range, anomaly, and threat severity. Users can filter to view a specific activity by clicking on a row in the table.
Users can also click on any pin in the global map and view the Entry UUID. They can also click on the displayed Entry UUID to view associated case events.
IDS Rules Page Enhancements
Users can perform multiple actions on the IDS Rules page, including: add, delete, enable, and disable. They can also add or delete IDS Interface Configurations.
Incident Table Enhancements
The Incidents page now displays a table with incidents categorized by global time range and site. Users can modify the global time range and site, and the table updates the data to reflect the modified parameters.
MistWatcher Page Enhancements
Users can now add, edit, and delete MistWatcher Rules and MistWatcher Profiles.
Network Page Enhancements
Users can now select multiple networks to export or delete in bulk.
Probe Node Status Email Alerts
Users can now enable email notifications to receive alerts when a probe node goes down.
Report Page Addition
Users can now access our reporting feature in the new UI.
Whitelist Page Enhancements
Users can now upload new whitelisting rules. We've also added more whitelisting fields, including: Site, Query, Path, Destination User, and Event_trigger_id. There is also a bulk upload option for uploading multiple rules at once.
Resolved Issues
| Bug ID | Description |
|---|---|
| ENG-28150 | Users can now change the size of the Geo Activity chart on the Dashboard. |
| ENG-27047 | The legend text under the Hunt Activity chart now renders as expected. |
| ENG-26854 | Customers can now download a new user's certificate by entering the password and clicking Submit. |
| ENG-26852 | Filters on the Hunt Activity page now function as expected. |
| ENG-26703 | Clarification added for whitelisting check boxes to explain the difference between inputing plain text and regex into the fields. In the new UI, customers can now view a tooltip. For the legacy UI, we added clarification to the documentation on the Proactively Create and Allow Whitelist page. |
| ENG-25590 | The Src and Dest columns in Cases and Incidents tables are now populated with the correct data. |
| ENG-25582 | Host and User scores are now displayed correctly. |
| ENG-25580 | Case and Incident pages now include more context in their history sections to help users track progress and updates over time. |
| ENG-25579 | Users can now search for a range of IP addresses by creating queries in the following format: [IPaddress TO IPaddress] For more details, see Search Quick Reference. |
| ENG-25578 | The date displayed in the Expiry Date field for a whitelist item no longer persists when navigating to other whitelist items. |
| ENG-25572 | Users can now enter spaces when creating saved queries. |
ENG-9383 (DE15352) | A Notable User no longer disappears from the Dashboard after viewing the associated User Details page. |
ENG-9381 (DE15353) | Users can now edit the parameters for an existing network. |
ENG-9191 (DE13340) | Users no longer receive error codes when running queries against Rapid7 integrations. |
Resolved Issues - Security
Security-related issues resolved with this release are available for customers to view on the Community.