Security analysts are constantly challenged to investigate security incidents and mitigate them quickly. But does your security operations center (SOC) have the full picture of what's occurring in the environment to remediate the impact of a false negative?
LogRhythm is excited to announce the much-anticipated general availability of LogRhythm 7.7. The latest release reinforces our focus on simplifying and enhancing the analyst workflow and builds upon the dashboard layouts and visualizations of LogRhythm 7.6. LogRhythm 7.7 features include a new Detail Page with Timeline View that enhances the analyst experience and accelerates threat detection and response.
Telling a Security Story with Data
Part of your analysts' daily routine involves decision-making about threat hunting and alarms. More often than not, deciding what to do is complicated by trying to make sense of all the data your SIEM gathers. LogRhythm 7.7 simplifies the process by identifying what is important with Detail Page and the Timeline View widget.
With this release, your team has one view which they can use to examine host or user details, sequence associated activities or events, and learn whether a particular action or behavior is "normal." This insight speeds investigations and response to threats or suspicious behavior. With LogRhythm 7.7, you can also pair Timeline View with Node-Link Graph, a feature launched in LogRhythm 7.5, and other aggregate visualizations to investigate the progression and scope of a security event.
Discovering Insights with Detail Page
Embedded in the LogRhythm NextGen SIEM Platform, Detail Page gives your security operations center (SOC) a powerful investigative tool to organize and use all available data within LogRhythm. This includes log and activity data, contextual information, and unique insights to help you quickly resolve security incidents.
Detail Page creates a security narrative for user- and host-related events that helps analysts make sense of their data. Detail Page populates basic contextual information with TrueIdentity™ and TrueHost. LogRhythm TrueIdentity associates multiple account identifiers and account types to a single identity construct. TrueHost associates multiple host identifiers, such as IP address, hostname, and MAC address, to the same host to provide a more comprehensive understanding of activities from the same host.
If CloudAI is enabled, behavioral data will also appear showing score information and insight labels about the user or host. CloudAI is LogRhythm's user and entity behavior analytics (UEBA) solution that uses machine learning to detect insider threats, compromised accounts, administrator abuse and misuse, and other user-based threats.
Figure 1: Detail Page tells a story with all the data available within the LogRhythm NextGen SIEM Platform
Accelerating Threat Detection with Timeline View
Within Detail Page, Timeline View presents a chronological story of key events in user or host activity. Behavior data also appears if CloudAI is enabled, but each event is always tagged with a risk-based prioritization score out of the box, making it easy to spot important events. Events in the timeline are described in simple language, alongside the risk-based prioritization (RBP) score and common classification, so you can quickly understand the activity and identify high-priority events.
Timeline View uniquely shows a case timeline alongside aggregate information and underlying raw data. With filtering and drill-down capabilities, this feature gives analysts a complete view into user or host activity, with multiple ways to display the data and quickly make decisions.
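The two ideas above, correlating several host identifiers into one host entity (as TrueHost does) and then presenting that host's events chronologically with an RBP filter (as Timeline View does), are illustrated below with an added Python example. This is not LogRhythm code and not a description of how TrueHost or Timeline View is implemented internally; it uses a simple union-find over identifier tokens, constructed sample log records, and assumed field names (`ip`, `host`, `mac`, `rbp`, `classification`).

```python
"""Added illustration, not LogRhythm code: correlate co-occurring host
identifiers (IP, hostname, MAC) into one host entity, then build a
chronological per-host timeline that can be filtered by RBP score."""
from collections import defaultdict
from datetime import datetime

# Constructed sample records. Each carries only the identifiers its log
# source happened to include, which is exactly what makes correlation needed.
SAMPLE_LOGS = [
    {"ts": "2021-06-01T08:00:00", "ip": "10.0.0.5", "host": "ws-017",
     "mac": "00:11:22:33:44:55", "classification": "Authentication Success",
     "msg": "user jdoe logged on", "rbp": 12},
    {"ts": "2021-06-01T08:05:00", "ip": "10.0.0.5",
     "classification": "Process Started", "msg": "powershell.exe launched", "rbp": 48},
    {"ts": "2021-06-01T08:06:00", "host": "ws-017",
     "classification": "Network Allow", "msg": "outbound 443 to 203.0.113.10", "rbp": 71},
    {"ts": "2021-06-01T07:55:00", "ip": "10.0.0.9", "host": "srv-db1",
     "classification": "Authentication Failure", "msg": "user sa failed logon", "rbp": 55},
    {"ts": "2021-06-01T08:10:00", "mac": "00:11:22:33:44:55",
     "classification": "File Write", "msg": "archive.zip written to C:\\Temp", "rbp": 83},
]

ID_FIELDS = ("ip", "host", "mac")  # assumed field names for host identifiers


def identifiers(rec):
    """Return the identifier tokens present in a record, e.g. 'ip:10.0.0.5'."""
    return [f"{f}:{rec[f]}" for f in ID_FIELDS if f in rec]


class UnionFind:
    """Minimal disjoint-set structure with path compression."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


class HostResolver:
    """Groups records by resolved host and answers timeline queries."""

    def __init__(self, logs):
        self.uf = UnionFind()
        self.records = defaultdict(list)   # root identifier -> records
        self.ids = defaultdict(set)        # root identifier -> all identifiers
        for rec in logs:
            ids = identifiers(rec)
            if not ids:
                continue  # nothing to correlate on; a real SIEM would keep it unattributed
            # Every identifier seen together in one record belongs to one host.
            for other in ids[1:]:
                self.uf.union(ids[0], other)
        for rec in logs:
            ids = identifiers(rec)
            if not ids:
                continue
            root = self.uf.find(ids[0])
            self.records[root].append(rec)
            self.ids[root].update(ids)

    def groups(self):
        """One entry per resolved host, keyed by its root identifier."""
        return dict(self.records)

    def members(self, any_id):
        """All identifiers known for the host that owns any_id, sorted."""
        return sorted(self.ids[self.uf.find(any_id)])

    def timeline(self, any_id, min_rbp=0):
        """Chronological events for one host, optionally filtered by RBP."""
        root = self.uf.find(any_id)
        events = [r for r in self.records[root] if r["rbp"] >= min_rbp]
        return sorted(events, key=lambda r: datetime.fromisoformat(r["ts"]))


if __name__ == "__main__":
    resolver = HostResolver(SAMPLE_LOGS)
    print("host identifiers:", resolver.members("mac:00:11:22:33:44:55"))
    for ev in resolver.timeline("ip:10.0.0.5", min_rbp=50):
        print(ev["ts"], ev["rbp"], ev["classification"], "-", ev["msg"])
```

Note that the MAC-only file write at 08:10 lands on the same host timeline as the IP-only process start, even though no single record ties MAC to IP directly; the link is transitive through the first record. That transitivity is what lets an analyst see one coherent sequence instead of three partial ones, and it is also why a stale mapping (a reassigned DHCP lease, for example) should be aged out rather than kept forever.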
Figure 2: See a sequence of events with risk-based prioritization scores in the Timeline View widget
Simplifying Integration with the Alarm REST API
As part of LogRhythm 7.7, we launched an Alarm REST API, which simplifies integration with other workflow tools. Capabilities include listing alarms, pushing updates into alarms (e.g., changing the status or modifying RBP), and adding comments to alarms, among other features. This is a key integration for third-party ticketing systems, third-party security orchestration, automation, and response (SOAR) platforms, and other LogRhythm partner solutions. If you have integrations built on the SOAP API, we encourage you to migrate them to the REST API.
New Cloud Capabilities
LogRhythm 7.7 also introduces cloud-to-cloud collection for LogRhythm Cloud customers. All LogRhythm Cloud customers will receive one fixed-size Open Collector upon request. This simplifies how LogRhythm Cloud users configure log sources. LogRhythm supports Azure EventHub as the first log source, with others to follow.