LogRhythm


What can you edit in the Inspector Window of the Alarms page? 1. Collaborators 2. Comments describing alarm activity 3. Tags

Comments describing alarm activity.

Which threat actor is described as free or purchasable malware?

Commodity Malware

What must happen first to enable Detection?

Data collection

What is the AI Engine?

1) Detects known threats with deterministic threat models 2) Baselines behaviors across weeks 3) Detects threats in real time with stream-based analytics

In which phase of the Threat Lifecycle Management or TLM does Holistic Threat Detection take place?

Discovery Phase

Current Processing Rate widget

Displays the current rate of data processed by LogRhythm.

What is Cloud AI?

1) An add-on service delivered via the cloud with no on-premises hardware 2) A machine learning-based anomaly detection system 3) Baselines behavior across weeks to months 4) Achieves real-time threat recognition 5) Provides high-fidelity

What is the LR Warm Data Indexer (DXW)?

Is an optional appliance that provides: 1) A multi-tier storage option 2) Supports searchable, indexed TTL up to 365 days 3) 1-10 DXWs can be added to a cluster of DXs to reduce the number of servers required for longer TTL

What happens with higher value log messages?

These messages are forwarded as Events to the Platform Manager and indexed into the Events database.

Every log message is assigned a classification and common event based on the metadata extracted. What are the three classifications?

1) Audit: e.g. Authentication Success 2) Operations: e.g. Network Traffic 3) Security: e.g. Reconnaissance

What are the three principal types of data on which enterprises should focus?

1. Security Event and Alarm 2. Log and Machine 3. Forensic Sensor

Name the 8 major components for the LR Platform

1. System Monitor Agents 2. Open Collector and LR Authored Beats 3. Data Processor 4. Data Indexer 5. AI Engine 6. Platform Manager 7. Web Console 8. Client Console

Name two analysis tools within the console used to review forensic data.

1. The Analyzer Grid 2. The Dashboards

Name two advantages of the Grid view over the Card view on the Alarms page.

1. This view can load more Alarms onto the page 2. This view's format is better suited for performing batch updates to Alarms.

What are the 5 sub-categories for MTTD and MTTR?

1. Time to Qualify 2. Time to Investigate 3. Time to Triage 4. Time to Detect 5. Time to Respond

Name the two administrative consoles available in the LR platform.

1. Web Console 2. Client Console

Contextualization allows users to perform what three common queries for additional data about a host or IP address?

1. Whois 2. Trace 3. Ping

What are two ways to view basic AI Engine Rule information in the Inspector panel?

1. via an event on the Dashboards page in the Analyzer Grid 2. via an Alarm Drilldown.

What is the maximum number of attachments per playbook?

10 attachments

What is the minimum and maximum number of nodes in an Indexing cluster?

3 min and 10 max

Out of the box, about how many devices does LogRhythm support across key segments within the security space?

800 devices

What kind of investigation should you use to identify suspicious user failed login activity?

A Drill Down investigation

What three tabs are available in the Details & Actions panel?

1. Event & Actions 2. Log Message 3. Inferred (now True) Identity

How many procedures can be added per Playbook.

100 procedures can be added.

What are the three methods for creating a case?

1) Alarm card 2) Inspection Tab 3) Case Tool Tab

Give three Windows Application Log examples:

1) Application crashes and hangs 2) SSL Certificate loaded 3) Installation failure

Name 4 forensically sound SIEM data storage principles:

1) Archives 2) Storage Integrity 3) Accuracy 4) Retention

What are the three categories that data is placed, which allows identification at a high level?

1) Audit 2) Operation 3) Security

What are the three Classification Types?

1) Audit: Account Created, Authentication Success, Startup & Shutdown 2) Operations: Error, Warning, Network Deny 3) Security: Attack, DoS, Reconnaissance

What is the function of the System Monitor?

This collects raw log data from log sources and then delivers the raw logs to the Data Processor.

System Monitor Agents component

This component collects log data about the behavior of users, files, applications, and the system; it generates real-time forensic data to support analytics and incident response.

AI Engine

This component is a rule-based and adaptive advanced analytics engine that evaluates real-time log data to detect attacks, complex operations issues, changes in systems behavior, and more.

True or False: The Max Processing Rate is defined as the max rate at which logs can be collected, archived, and processed by a component while achieving the max indexing rate.

True

True or False: The UEBA module in the knowledge database and CloudAI are both part of the LogRhythm UEBA Solution

True

True or False: The megagrid updates with the dashboard.

True

True or False: The primary objective for security analytics solutions is to improve the ability to detect, contain, and remediate advanced attacks and insider threats.

True

True or False: To assist in both analyst and administrative efforts, the Web Console provides the option to add an item to a list directly from a dashboard.

True

True or False: With LR Forensic Analytics there is no new search syntax required, which means there is a quick learning curve.

True

By default how long is a report viewable in the Web Console?

Viewable for 7 days.

Appliances: Naming Convention LR-XM4510

XM = Role & Type (Configuration), 4 = Level, 5 = Generation, 10 = License Level

Data Processor

This component performs log processing and forwarding functions; archives data and distributes both original and structured copies of data to other components for indexing, machine-based analytics, and alarming.

Platform Manager

This component provides alarming, notifications, case and security management, workflow automation, and centralized administration.

Data Indexer

This component provides highly scalable indexing and searching of machine and forensic data.

Open Collector and LR Authored Beats component

This component was created to solve the problem of how to ingest modern JSON logs by transforming them to match LR's Enterprise SIEM's Schema.

Client Console

This console is a user interface for administrators to configure the LR platform, perform log management activities, manage reports, alarms, user profiles, and monitor the health of the LR environment.

Web Console

This console provides analysts with information in an easy-to-use web front-end. It is built on modern web technology, including Elasticsearch, Lucene, HTML5 and more. Like other LR components, it is a stand-alone component that can be installed on a dedicated appliance or alongside the Platform Manager in smaller scale deployments.

What does forensically sound data allow?

This data allows for the production of reliable electronic evidence before a court of law.

SIOS or Software for Innovative Open Solutions

This delivers automatic failover and replication capabilities.

Web Console: What's the Rate Chart?

This displays the messages per second being processed by the LogRhythm Data Processor. This chart should be reviewed periodically to understand the current volume of data in your environment. This will help you recognize abnormal volumes more easily.

What is the concept of a 'Tail' function?

This function is similar to a 'Search', but this returns log message results in a live and ongoing format, meaning the results will populate in real time as new log messages arrive.

How does LogRhythm's CloudAI function?

This functions by applying large scale machine learning against environmental data to detect previously hidden anomalies and threats.

What are some customer benefits of using a SIEM?

This helps decrease the amount of time to detect threats as well as the time to get rid of the threat.

What does LR's Machine Data Intelligence (MDI) Fabric do?

It processes and enriches data so it is optimally prepared for analysis.

Name the primary responsibility of the Administrator.

Setup and Configuration

What provides automated remediation actions?

SmartResponse

What does the status of a case need to be, when considered 'Closed'?

Status of the case needs to be either 'Completed' or 'Resolved'.

What is the default status for new cases?

Status: 'Created'

Where do the logs that are over the subscription rate go?

They are temporarily held in a processing queue until the rate decreases.

log message

This is a record of activity on a network. It may include a user logon, system shutdown, application installation, authentication failure, and more.

True or False: LR appliances utilize a building block approach to architecture to maximize flexibility.

True

True or False: LR's licenses are sold based on average MPS or Messages Per Second over 24 hours.

True

True or False: Learned and static whitelists and blacklists are established to create rules that trigger or corroborate alarms.

True

True or False: Log processing is performed by the Mediator's Message Processing Engine on the Data Processor or DP.

True

True or False: LogRhythm can monitor activities that may not be logged like network connections opening and closing on a host, processes starting and stopping and can perform File Integrity Monitoring (FIM) to understand who accesses, modifies, or changes permissions on a file.

True

What is the maximum size per attachment to a playbook?

1 GB in size is the maximum

In the Web Console, under the 'User Options' icon, name 6 configuration options that allow you to customize your experience in the console.

1. Display: Night/Day mode 2. Drilldown: drilldown information displayed in a new browser tab or on the same page 3. Password: a password change here also updates it in the Client Console 4. Date/Time Format 5. Navigation Warning 6. Query Locations.

The Details & Action tab on the Analyzer Grid shows what type of data?

1. Event and Actions 2. Log Message 3. Inferred Identity

Name 5 profile types in LogRhythm

1. Global Administrators 2. Restricted Administrators 3. Global Analysts 4. Restricted Analysts 5. Notification Only

In the Analyzer Grid each row displays what?

An Event or log message

What is essential to Threat Hunting?

An understanding of the security environment that allows you to continually move between hosts, users, and networks.

Recognizing multiple related AIE Events within a short period of time as a potential threat is an example of what UEBA technique?

Behavioral profiling

Where do LR offices reside?

Boulder, London, Singapore, Dubai

Give some examples of Quantitative Metadata:

Bytes in/out, Items in/out, Duration, Size, Quantity, Amount, Rate

This allows users to link cases together when duplicate cases are accidentally created or when cases are determined to be related to the same threat. When a case is associated with another case, it is displayed in the Associated Cases section of both cases.

Case Association allows this.

What can analysts use to track an investigation and the eventual resolution of an incident?

Case Management

What tasks can be performed in the Web Console, but not in the Client Console?

Case collaboration and management

What are added to individual cases to help users categorize, organize, and analyze cases?

Case tags

How do you link cases together that are related to each other?

Cases are linked together by associating them together directly in the log data.

Web Console: How do you open the Analyzer Grid?

Click the "logs" tab in the bottom right-hand corner.

Risk Based Monitoring

Each event generated through LogRhythm is assigned a priority. This priority is based on a weighted score. This weighted score is determined by combining a risk score, a threat score, and a confidence score.

What is considered a concerted effort between Enterprise LogRhythm, Analysts, and Administrators?

Event Discovery

A SIEM adds context to logs through what?

Event correlation

Every log message processed by LR will be assigned what two attributes?

1. Classifications 2. Common Events

Oversubscription

Exceeding the Peak or Sustained Rate for DCs, DPs, DXs, LogMart, and Events database.

True or False: HA is available in Public Cloud.

False

True or False: If an organization exceeds their license, LR will drop message rates and log data.

False

What is an important action that security analysts can complete from the dashboards tab in the WebUI?

From this tab you are able to set a timeframe allowing you to manipulate data on the fly.

Which two profiles have the ability to create tags?

Global Administrators and Global Analysts have this ability.

Who manages the physical security of CloudAI?

Google Cloud Platform (GCP)

Which threat actor's goal is promoting a social or political cause?

Hacktivist

Web Console: The Alarms page allows what functionality?

Helps to perform drilldowns, add to a case, and more. Alarms can be easily managed with Smart Response integration.

What are the two timeline details pages in the web console?

Host Details and User Details

How do you add a comment to a case?

Hover over the Add Comment or add a comment through the Inspector Tab. Once a comment is added, the comment icon appears in the Card view.

Where does the majority of breach evidence reside?

In log data

Where can a SOC 1 Analyst begin looking for indicators of compromise?

In the Alarms tab

Where can an Administrator create a report?

In the Client console

Explain the SOC 1 Analyst work flow.

In this work flow the analyst will look for indicators of compromise using Alarms.

Which threat actor comes from within an organization?

Insiders

Peak Rate?

Is 150% of the max rate for one minute

LADD or LR Architectural Discovery Document

A locked Excel spreadsheet application used to capture a potential customer's requirements to appropriately size a LR solution. It provides a workflow to cover pertinent questions that should be asked during the sizing.

Computer requirements for using the LADD

Requires Office 2013 or greater on Windows or Mac OS X. Not supported on OpenOffice, LibreOffice, Office 365, or Google Sheets.

LR recommends what kind of sizing for new deployments?

LR recommends sizing at ~50% more than the average MPS, and licensing should be ~20% more than the average MPS.

What is the function of lists?

Lists provide a method for organizing assets and information stored in LogRhythm Enterprise, as well as granting permissions within LogRhythm.

Describe the data flow of a LR platform.

Log data originates from an environment and is collected by System Monitor Agents before being delivered to the Data Processor. The Data Processor delivers processed logs to AI Engine, processed Events to the Platform Manager, and raw logs and metadata to the Data Indexer. AI Engine can also deliver Events (AIE Events) to the Platform Manager based on the AIE Rule Event generation. Alarms and Event information are accessible in the LogRhythm Web and Client Consoles.

Give some examples of Contextual Metadata:

Login, Account, Vendor Message ID, Sender, Recipient, Subject, Object

For what does statistical analysis primarily look?

Looks for increases in the percentage of log data for a particular host.

In the Metrics Dialogue box, what is visibly tracked and reported?

MTTD & MTTR

Recovery Time Objective or RTO

Max duration to recovery before unacceptable consequences occur.

Recovery Point Objective or RPO

Max tolerable period during which data can be lost

For performance reason, what is the maximum duration of a 'Tail'?

Maximum duration of this search is 15 minutes.

How should a Lucene query be structured?

Metadata field name, colon, open quotation mark, search item, close quotation mark
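As an added illustration (not code from the page or from LogRhythm), the Python below builds clauses in exactly that shape and escapes the two characters that let a value break out of the quoted phrase, which matters when the search item is copied from untrusted log content such as a username. The field names `login` and `originIp` are placeholders assumed for the example, not confirmed LogRhythm field names.

```python
import re

# Inside a quoted Lucene phrase only the double quote and the backslash are
# special; escaping them keeps an untrusted value (e.g. a username copied from
# an alarm) from terminating the phrase and appending extra query syntax.
_PHRASE_SPECIALS = re.compile(r'(["\\])')
_FIELD_NAME = re.compile(r'[A-Za-z][A-Za-z0-9_.]*')


def lucene_term(field, value):
    """Return '<field>:"<value>"', the shape described on the card above.

    The field name is validated rather than escaped, because a colon or
    whitespace in it would change which field is searched.
    """
    if not _FIELD_NAME.fullmatch(field):
        raise ValueError(f"invalid Lucene field name: {field!r}")
    escaped = _PHRASE_SPECIALS.sub(r'\\\1', str(value))
    return f'{field}:"{escaped}"'


def lucene_and(*clauses):
    """Combine clauses with AND, each parenthesised so precedence is explicit."""
    return " AND ".join(f"({c})" for c in clauses)


# Placeholder field names (assumed for this example):
# lucene_term("login", "alice")      -> login:"alice"
# lucene_term("login", 'x" OR *:*')  -> login:"x\" OR *:*"   (quote neutralised)
```

The second commented call shows why escaping is needed: without it the value `x" OR *:*` would close the phrase early and turn a search for one login into a match-all query.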

In the Analyzer Grid each column displays what?

Metadata that is parsed from the log message.

What are the only types of reports that can be run as a search?

Only custom reports based on Events or Log Messages can do this.

In the Threat Activity map what color represents Impacted locations?

Orange

Give some examples of Derived Metadata:

Origin Network, Impacted Network, Origin Known Host, Impacted Known Host, Origin Zone, Impacted Zone, Direction

Storage Arrays?

1) Provide longer data storage time in archives 2) Provide increased storage

Classifications

This attribute of a log message defines the broad range of activity.

Function of the Platform Manager

This is where users interact. It is the brains and is where the Web Consoles and Client Consoles communicate. It handles all communication with users. It manages alarming, notifications, case and security incident management, enabling distributed search, forensic analysis, reporting and real-time dashboards.

What is Precision Search?

This mechanism, powered by Elasticsearch, provides the LogRhythm customer with the ability to perform a structured search on top of the Machine Data Intelligence fabric, in addition to the unstructured search capabilities of Elasticsearch. These two features combine to deliver very precise search results.

Show Appliance Acronyms

XM: All-in-One appliance; DP: Data Processor; DX: Data Indexer; DN: Data Node; PM: Platform Manager; DC: Data Collector; AIE: Advanced Intelligence Engine; WS: Web Services; NM: Network Monitor; SA: Direct Attached Storage

SOC Manager

Responsible for overall management of the SOC.

Name 2 critical skills that a LogRhythm Analyst should ideally possess

1) A general understanding of security principles 2) Ability to comprehend network and system logging data

What are the two segments of UEBA?

1) AI Engine (for Scenario Analytics using Real-time threat detection) 2) CloudAI (for Behavior Analytics using Anomaly detection via deep behavioral profiling)

Name some common KB Modules Objects.

1) AIE rules 2) Alarm rules 3) Investigation

Name 4 services the LogRhythm Security Intelligence Platform provides the customer?

1) Ability to accept the broadest set of collection interfaces 2) Capability to support over 800 devices 3) Separate processing from the collection layer to ensure no loss of data 4) Utilize processing rules that do not require a product release, which allows for an expedited release schedule.

Give three Windows Security Log examples:

1) Account logon 2) Account management 3) Directory service access

Name the two areas of LogRhythm Output.

1) Actionable Intelligence 2) Incident Response

On what threats is the LR KB module focused?

1) Adversaries 2) Attackers 3) Exploits 4) Compromise 5) IR

Name 5 obstacles for security teams to accomplish their goal of decreased MTTD.

1) Alarm Fatigue 2) Swivel Chair Analysis 3) Forensic Data Silos 4) Fragmented Workflows 5) Lack of Automation

Give an example of the sequence of description for the three Classification types down to the Common Event

1) Audit> Authentication Success> User Logoff/ Logon, Computer Logoff/Logon 2) Operations> Network Traffic> Connection Attempt, Connection Closed, Connection Lost, Connection Request 3) Security> Reconnaissance> Ping Sweep, Port Scan, Traceroute Activity, Vulnerability Scan

Name some LR Appliance Benefits

1) Building block architecture to maximize deployment flexibility and scalability. 2) Quickly and simply add additional appliances 3) Expandable storage options with any size model 4) Centralized management 5) Flexible high availability options with automatic failover 6) Dedicated high-performance collectors

Give two reasons for the creation of a report.

1) Compliance & Audits 2) Internal Optimization

Give the steps needed to set up CloudAI.

1) Configure TrueIdentities 2) Configure the Monitored Identities List 3) Connect CloudAI to the LR SIEM and CloudAI in the Configuration Manager 4) Enable the KnowledgeBase module UEBA 5) Configure CloudAI as a new SIEM log source 6) Grant user access to CloudAI 7) Make sure SIEM log sources are passing valuable logs to CloudAI

In a Co-Managed scenario what are the responsibilities of the MSSP staff?

1) Configures LR Platform w/ information provided by customer 2) Responsible for management of LR Platform 3) Addition of new Log Sources 4) Creating custom Alarm Rules 5) User accounts and permissions 6) All other desired customizations

Name 9 duties an Administrator performs.

1) Configuring LogRhythm Enterprise 2) Entity management 3) Setting up and defining Lists 4) Installing and configuring System Monitor Agents 5) Collecting, configuring, and managing Log sources 6) Creating Notification Policies 7) Defining and configuring user profiles 8) Working with Security Analysts 9) Troubleshooting of LogRhythm

What are the LADD's three main sections?

1) Contact Information 2) Solution Requirements 3) LR Platform Features

What are three types of Metadata?

1) Contextual: Parsed directly from the log message. It is text-based and descriptive. 2) Quantitative: Parsed directly from the log message and can be used for numeric comparisons. 3) Derived: Using parsed metadata and relating it to the LogRhythm configuration information. It adds additional context.

In the WebUI name the tabs on the page.

1) Dashboard 2) Alarms 3) CloudAI 4) Cases 5) Searches 6) Reports

What are the three components of UEBA?

1) Data Integration- Collecting user data from multiple sources 2) Data Analytics- Establishing baseline behaviors and patterns. 3) Data Visualization- Analytic results are presented in a visual format.

What components are included in the XM appliance?

1) Data Processor 2) Data Indexer 3) AI Engine 4) Platform Manager 5) Client Console 6) Web Console

LR Clustering Advantages

1) Data replication 2) Faster search performance by pulling from least busy node 3) Allows for more simultaneous users 4) Increased data TTL

Splunk Implementation Details

1) Dedicated SysMon for Splunk logs 2) SysMon installed on XM 3) API Log sources connect directly through SysMon 4) Heavy forwarder sends Syslog over TCP/UDP 514 5) Configure the Syslog Relay regex or use Log Source Virtualization to split Log Sources for Windows Event Logs

Give 6 CloudAI capabilities.

1) Detects advanced threats with artificial intelligence and machine learning. 2) Uncovers previously unknown attacks and methods. 3) Detects insider threats, compromised accounts, admin abuse, and other user-based threats. 4) Qualifies and investigates threats with powerful data visualizations. 5) Empowers analysts with efficient work flows and tight integration with the LogRhythm platform. 6) Achieves rapid time-to-value with cloud delivery, automated data processing, and tuneless analytics.

What are some ways Smart Response technology can mitigate a threat?

1) Disabling an account 2) Killing a process 3) Blocking an IP 4) Initiating a packet-capture

Give some benefits of LR's Behavior Analytics

1) Discover threats that evade signature-based detection methods 2) Automate as many simple SOC tasks as possible 3) Get smarter over time through supervised machine learning and by injecting organizational context 4) Detect subtle changes in behavior with tuneless learning by arming analysts with user-based visualizations and workflows 5) Achieve rapid time to value with Analytics-as-a-Service

Give three Windows System Log examples:

1) Driver Failure 2) IP Address Conflicts 3) System Shutdown and Start-up

Each metric measures the time it takes to move from one Threat Milestone to another. What are the 5 Threat Milestones:

1) Earliest Evidence 2) Case Created 3) Case Elevated to an Incident 4) Incident Mitigated 5) Incident Closed

Name multiple sources from where user data that is collected can come.

1) Existing SIEM & prevention-centric devices 2) LDAP & HRMS 3) Network flow data and packet capture data

What are some of the regulatory frameworks that LogRhythm helps in a user staying compliant?

1) FISMA 2) HIPAA 3) SOX 4) GDPR 5) Other

What logs are almost always the busiest and typically in every deployment?

1) FW logs 2) Domain Controller Security Logs

Name three aspects of Endpoint Monitoring.

1) File/Registry Integrity 2) Process Activity 3) Network Communication

With what does LR's HA solutions meet the requirements of organizations that need access to log and event data at all times?

1) Flexible architecture options to help customers meet their specific compliance and budget requirements 2) Automatic failover 3) HA at every layer for collection, accessibility, and retention of all log and event data.

What are the 6 stages of detection and response?

1) Gathering Forensic Data 2) Discovering Events 3) Qualifying Events 4) Investigating Events 5) Neutralizing Threats 6) Recovering from Events

The LR Labs team performs what duties?

1) Research to continually enhance the platform with threat detection and incident response 2) Automated compliance assurance 3) Strategic integrations 4) Machine data intelligence

Name 6 duties of an Analyst role.

1) Gathering forensic data using incoming Event Data 2) Discovering Events through data analysis via dashboards, charts, and reports in the Web Console 3) Qualifying Events and assessing risk levels 4) Investigating Events by gathering additional evidence and data 5) Neutralizing Threats using tools such as SmartResponse 6) Recovering from Events

What does a LR UEBA solution subscription entail?

1) Hardware 2) System Monitor Agents 3) A CloudAI Subscription, appropriate to the number of User Licenses 4) Standard Maintenance contract

Give some Key HA Requirements

1) Identical systems 2) Shared IP or stretched VLAN 3) High bandwidth, low latency (less than 15 milliseconds) 4) Many ports open

What are three advantages of a Cloud Solution?

1) Innovation Acceleration 2) Machine Learning 3) Streamlined Adoption

What are the three segments of the LogRhythm Security Intelligence Platform?

1) Input 2) Analytics 3) Output

What does the CloudAI detect?

1) Insider Threats 2) Compromised accounts 3) Admin abuse and misuse 4) Other user-based threats

ArcSight Implementation Details

1) Installed on XM appliance, non-intrusive to customer environment 2) SmartConnector sends CEF over Syslog 3) Active lists can be imported as a flat file 4) Asset models can be imported to populate

What are the two types of SysMon licenses?

1) Lite 2) Pro

What does the KB or Knowledge Base module include:

1) Log processing rules 2) Processing policies 3) Classifications 4) Common Events It is available out-of-the-box at no additional cost. Requires minimal configuration. Helps with compliance and industry specific problems. Is customizable.

Name the Rule Block Types for AI Engine rules.

1) Log: configured to monitor for activity observed or not observed in logs 2) Threshold: configured to monitor for a specific number of identical logs over a given period of time 3) Unique Values: configured to monitor for a specific number of unique values in a given metadata field over a given time period, i.e. a field that contains a different entry in each log message 4) Behavioral: configured to detect variations from an established whitelist, to statistically compare two different but related metadata fields, or to analyze deviations from a calculated baseline or trend
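The Classification > Common Event assignment described on the earlier cards (Audit, Operations, Security) and these rule block types are the two halves of the detection pipeline: the Data Processor's MPE classifies each log, and AI Engine rule blocks look for patterns across the classified logs. As an added illustration that is not LogRhythm's own MPE or AI Engine code, the Python below normalizes constructed syslog-style lines (time normalization, metadata extraction, classification) and then runs a Threshold block and a Unique Values block over the results: five Authentication Failures from one source within a minute, and one source denied on five distinct ports within a minute. The sample lines, regexes, metadata field names and thresholds are this example's own assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style sample lines (not real customer data). Syslog
# timestamps carry no year, so time normalization below assumes one.
SAMPLE_LOGS = [
    "Jan 10 12:00:01 bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51522 ssh2",
    "Jan 10 12:00:03 bastion sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51523 ssh2",
    "Jan 10 12:00:04 bastion sshd[4121]: Failed password for root from 203.0.113.7 port 51524 ssh2",
    "Jan 10 12:00:06 bastion sshd[4121]: Failed password for root from 203.0.113.7 port 51525 ssh2",
    "Jan 10 12:00:08 bastion sshd[4121]: Failed password for root from 203.0.113.7 port 51526 ssh2",
    "Jan 10 12:00:09 bastion sshd[4130]: Accepted password for alice from 198.51.100.20 port 40110 ssh2",
    "Jan 10 12:05:00 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=22",
    "Jan 10 12:05:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=23",
    "Jan 10 12:05:01 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=80",
    "Jan 10 12:05:02 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=443",
    "Jan 10 12:05:02 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=3389",
    "Jan 10 12:05:03 fw01 kernel: DROP IN=eth0 SRC=203.0.113.9 DST=10.0.0.5 PROTO=TCP DPT=8080",
    "Jan 10 12:30:00 fw01 kernel: DROP IN=eth0 SRC=198.51.100.44 DST=10.0.0.5 PROTO=TCP DPT=445",
]

SYSLOG_HEADER = re.compile(r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")

# Processing rules: (regex with named metadata groups, Classification, Common Event).
# The Classification > Common Event names follow the page; the regexes and the
# metadata field names (login, origin_ip, impacted_ip, port) are assumed here.
MPE_RULES = [
    (re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<login>\S+) from (?P<origin_ip>\S+)"),
     "Audit", "Authentication Failure"),
    (re.compile(r"sshd\[\d+\]: Accepted password for (?P<login>\S+) from (?P<origin_ip>\S+)"),
     "Audit", "Authentication Success"),
    (re.compile(r"kernel: DROP .*SRC=(?P<origin_ip>\S+) DST=(?P<impacted_ip>\S+) .*DPT=(?P<port>\d+)"),
     "Operations", "Network Deny"),
]


def process(line, assumed_year=2024):
    """MPE-style step: normalize time, extract metadata, assign a classification."""
    head = SYSLOG_HEADER.match(line)
    if not head:
        return None  # not syslog-shaped; a real MPE would route it to an unidentified-log policy
    meta = {"normal_time": datetime.strptime(f"{assumed_year} {head['ts']}", "%Y %b %d %H:%M:%S"),
            "impacted_host": head["host"], "classification": None, "common_event": "Unknown"}
    for rx, classification, common_event in MPE_RULES:
        m = rx.search(head["msg"])
        if m:
            meta.update(m.groupdict(), classification=classification, common_event=common_event)
            break
    return meta


def _sliding(events, common_event, group_by, window):
    """Yield (key, per-key sliding window, current event) for matching events in time order."""
    buckets = defaultdict(list)
    for e in sorted(events, key=lambda e: e["normal_time"]):
        if e["common_event"] != common_event:
            continue
        bucket = buckets[e.get(group_by)]
        bucket.append(e)
        while e["normal_time"] - bucket[0]["normal_time"] > window:
            bucket.pop(0)  # expire logs that fell out of the window
        yield e.get(group_by), bucket, e


def threshold_block(events, common_event, group_by, count, window):
    """Threshold block: `count` logs with the same common event and the same
    `group_by` value inside `window`. Returns one (key, time) per firing."""
    hits = []
    for key, bucket, e in _sliding(events, common_event, group_by, window):
        if len(bucket) >= count:
            hits.append((key, e["normal_time"]))
            bucket.clear()  # one burst raises one AIE event, not one per extra log
    return hits


def unique_values_block(events, common_event, group_by, unique_field, count, window):
    """Unique Values block: one `group_by` value seen with at least `count`
    distinct `unique_field` values inside `window`."""
    hits = []
    for key, bucket, e in _sliding(events, common_event, group_by, window):
        if len({x.get(unique_field) for x in bucket}) >= count:
            hits.append((key, e["normal_time"]))
            bucket.clear()
    return hits


def run_sample():
    events = [m for m in map(process, SAMPLE_LOGS) if m]
    one_minute = timedelta(seconds=60)
    brute_force = threshold_block(events, "Authentication Failure", "origin_ip", 5, one_minute)
    port_scans = unique_values_block(events, "Network Deny", "origin_ip", "port", 5, one_minute)
    return events, brute_force, port_scans


if __name__ == "__main__":
    _, brute_force, port_scans = run_sample()
    for key, when in brute_force:
        print(f"AIE event: 5+ Authentication Failures from {key} by {when:%H:%M:%S} (possible password guessing)")
    for key, when in port_scans:
        print(f"AIE event: {key} denied on 5+ distinct ports by {when:%H:%M:%S} (Reconnaissance > Port Scan)")
```

Two design points carry over to real rule tuning: the window is evaluated per group key (here the origin IP), so a slow attacker spreading attempts across sources never reaches the threshold and needs a different block, and the bucket is cleared on firing so a single burst produces one AIE event rather than one per additional log, which is the difference between an actionable alarm and alarm fatigue.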

Name the databases included in the Platform Manager.

1) LogMart 2) Alarms 3) Events 4) Case Manager Database 5) Events Manager Database

What are the two indicators that measure the effectiveness of the SOC?

1) MTTD 2) MTTR

What are the 5 Documentation Metrics?

1) MTTT- Mean Time to Triage (Triage: Parse security data and generate an Alert) 2) MTTD- Mean Time to Detect (Detect: Discover a potential security Incident) 3) MTTQ- Mean Time to Qualify (Qualify: Determine that a security Alert is a true positive and requires mitigation) 4) MTTI- Mean Time to Investigate (Investigate: Study and understand a threat to determine mitigation steps) 5) MTTR- Mean Time to Respond (Respond: Shut down an attack)

What are the 5 key differentiators of the Threat Lifecycle Management?

1) Machine Data Intelligence (MDI) Fabric 2) Precision Search 3) Holistic Threat Detection 4) Risk-Based Monitoring 5) Security Automation and Orchestration

Name three tools used by CloudAI in LR's UEBA that helps detect advanced threats.

1) Machine Learning (ML) 2) Artificial Intelligence (AI) 3) Statistical Analysis

Give 4 examples of common alerts:

1) Malware 2) Botnet Beaconing 3) Suspicious Network Traffic 4) Unusual User Activity

Name two types of SIEM responses.

1) Manual response: requires human interaction 2) Automated response: requires no human interaction and is less common

The Analyzer Grid allows for review and analysis of what two types of information?

1) Metadata: Data parsed from the raw log message, such as the Account, Sender, Object, IP Address, Origin Host, Direction and Classification. 2) Log Messages: Raw log data generated by the log source and collected by LogRhythm's System Monitor Agents.

What are the most critical segments of the LogRhythm ecosystem?

1) NGFW 2) IPS/Malware 3) Vulnerability Management 4) Endpoint Security 5) Network Packet Brokers 6) Identity and Access Management Vendors

Give some key Disaster Recovery Requirements

1) Only the key persistence components are replicated: the EMDB at a minimum; optionally Alarms, Events, Cases, and LogMart 2) Single replication port 3) The customer is responsible for replicating Archives 4) A common DNS infrastructure between the sites 5) Identical systems

Give 6 Features/ Benefits of the LR UEBA solution.

1) Optimally Prepared Data 2) TrueIdentity Contextualization 3) Scenario Analytics 4) Behavior Analytics 5) Threat Hunting Visualizations 6) Security Automation & Orchestration Integration

What are three organization types that might utilize multiple AI Engines?

1) Organizations with multiple locations 2) MSSPs who support multiple customers 3) Organizations who need increased performance

What are the LogRhythm SIEM analysis tools?

1) Platform manager- for sending alarms 2) Web console- for viewing reports and forensic investigation 3) Data Indexer- for forensic investigation

Name the 3 areas of LogRhythm's Analytics.

1) Processing 2) Machine Analytics 3) Forensic Analytics

Give some benefits of LR's Scenario Analytics.

1) Quick implementation from LR Labs 2) Detect TTPs via analysis aligned to specific scenarios such as statistical, peer groups, learned lists, rates, trends, and histograms. 3) Corroboration and prioritization of events to align security team resources with true business risk. 4) Customize analytics for users with an intuitive user interface

Name the two areas of LogRhythm Input

1) Real-Time Forensic Data Collection 2) Real-Time Forensic Data Generation

What are the 6 phases of LogRhythm's Cyber Attack Lifecycle?

1) Reconnaissance 2) Initial Compromise 3) Command & Control 4) Lateral Movement 5) Target Attainment 6) Exfiltration, Corruption, and Disruption

What does the LogRhythm Unified Platform for Threat Lifecycle Management include?

1) SIEM 2) Security Analytics 3) UEBA or User and Entity Behavior Analytics 4) Cloud Security 5) Security Automation & Orchestration 6) Network Traffic & Behavior Analytics 7) Network Forensics 8) Log Management 9) FIM or File Integrity Monitoring 10) Compliance

Why should a customer choose LogRhythm

1) Security focus 2) Innovation track record 3) Platform scalability and flexibility 4) Broad regulatory compliance 5) Customer success

Give some benefits of LR's Threat Hunting Visualizations

1) Spot organization wide issues quickly 2) Start small, pursuing top use cases (contractors and administrators) and grow 3) Quickly preserve details with integrated Case Management

What are the three support levels offered by LR?

1) Standard: 11x5 Support during business hours 2) Enhanced: 24x7 Support 3) Premium: 24x7 Support provided by designated engineers

LogRhythm labs concentrates on four main areas.

1) Strategic Integration 2) Machine Data Intelligence (MDI) 3) Threat Research 4) Compliance Research

What mechanisms in LogRhythm are considered Data Collectors?

1) System Monitor Agents 2) Network Monitors

What are the components of the LogRhythm Platform?

1) System Monitor- Log data collector 2) Data Processor- Processing component for all logs collected from SysMons 3) AIE- 4) Data Indexer 5) Client Console 6) Platform Manager 7) Web console 8) Network Monitor 9) Cloud AI

What are the LogRhythm SIEM detection tools?

1) System Monitor- data collection 2) Data Processor- for parsing and data normalization 3) AI Engine- Event correlation

What are 4 types of normalization a SIEM can perform?

1) Time 2) Metadata 3) Modern log 4) Identity

For what are Message Processing Engine's (MPEs) responsible?

1) Time Normalization 2) Uniform Data Classification: Classification Names, Common Event Names 3) Metadata Extraction and Tagging 4) Threat and Risk Contextualization

Name 2 critical skills that a LogRhythm Enterprise Administrator ideally possesses.

1) Understanding of network and computer systems 2) A general understanding of computer and computing log files

Machine learning learns and creates profiles for what three areas?

1) User 2) Hosts 3) Network Traffic

Give three Linux Critical Log examples:

1) /var/log/messages 2) /var/log/auth.log 3) /var/log/secure

LR's NextGen SIEM Platform is architected for both vertical and horizontal scaling using multiple appliances to handle what aspects of data?

1) Volume of data 2) Variety of data 3) Velocity of data

What are some questions for an analyst to answer with documentation?

1) What happened? 2) When did it happen? 3) Who did I talk to? 4) What did I see? 5) What did I do? 6) What is the evidence?

What are some functions of the Web Console?

1. Alarm Management 2. Analysis Tools 3. Reports 4. Case management 5. Administration 6. Search Tools

Name the 4 databases the Database Usage widget tracks.

1. Alarms 2. Events 3. Platform Manager Database 4. Case Management Database

How can an Analyst view AI Engine Rule information?

1. As an Event with a dashboard 2. Through a drilldown of an AI Engine alarm

What are the three top-level Classification types for log messages?

1. Audit 2. Operations 3. Security

From what three locations can a user create a case?

1. Cases page 2. Alarms page 3. Analyzer Grid

From what two locations can a user add evidence to a case?

1. Cases page 2. Opening the current case through the Cases tab

What are the six different stages of detection and response in the TLM workflow?

1. Collect 2. Discover 3. Qualify 4. Investigate 5. Neutralize (Mitigation) 6. Recover

Name xxxx types of bad actors

1. Commodity Malware 2. Insiders 3. Hacktivists 4. Terrorists 5. Organized Crime 6. State Sponsored 7. Script Kiddies 8. Software and Hardware Failures 9. User Errors 10. Natural Disasters

What are the three types of metadata in LR?

1. Contextual 2. Quantitative 3. Derived

Name 4 widgets in LR.

1. Current Processing Rate 2. Data Processing Trend 3. TopX 4. Database Usage

In what three areas is the Lucene Helper available?

1. Dashboards 2. Widgets 3. Direct Lucene searches

Name 6 metadata fields of the Analyzer Grid that are supported for Contextualize actions.

1. Host (Origin or Impacted) 2. Hostname (Origin or Impacted) 3. IP Address (Origin or Impacted) 4. Known Host (Origin or Impacted) 5. User (Origin) 6. TCP/UDP Port (Origin or Impacted)

What are the two types of Forensic sensors that could be employed to collect Forensic Data?

1. Network forensic sensors 2. Endpoint forensic sensors

Give some examples of Derived metadata.

1. Origin Entity 2. Impacted Known Host 3. Direction

What are some functions of the Security Operations Maturity Model?

1. Provides a graduated path for maturing security operations capabilities 2. Describes different maturity model levels 3. Measures the effectiveness of a security operations program 4. Assesses the current effectiveness of security operations

Name the 6 stages in the lifecycle of an attack.

1. Reconnaissance 2. Initial Compromise 3. Command and Control 4. Lateral Movement 5. Target Attainment 6. Exfiltration, Corruption, and Disruption

Name 3 items visualized in the Node Link graph widget

1. Relationships 2. Patterns 3. Abnormalities

Discovery of potential threats is accomplished through a blend of what two types of analytics?

1. Search analytics (performed by people) 2. Machine analytics (performed by software)

Appliances: All-in-One (XM)

A combined platform that includes the functionality of the PM, DP, DX, and AIE appliances.

What component evaluates data using complex pattern-matching and behavioral analysis to correlate data across logs?

AI Engine

Explain a Structured Search

Ability to search against contextualized metadata fields; for example, easily search all authentication failures no matter the source.

What search would you use in order to determine who is creating accounts in an environment?

Account Provisioning

What are "alerts" referred to in LogRhythm?

Alarms

Classification: Security

This classification describes Reconnaissance, Suspicious, Malware, etc.

Classification: Operations

This classification describes Warning, Error, Critical, Network Traffic, etc.

Explain a Precision Search

Combine both structured and unstructured searches for a more precise search that can return results that are more impactful.

Once an incident occurs, what are the most critical next steps?

Detecting and Responding

TopX widget

Displays the top or bottom 'X' number of results for the metadata specified.

Data Processing Trend widget

Displays the trend of data processed by LR over time.

True or False: Predefined searches, such as compliance searches, cost extra.

False

True or False: The UEBA module in the knowledge database does not use CloudAI logs.

False

True or False: The number of identities monitored does not have to be equal to or less than the number of identities purchased

False

True or False: There can be multiple active Platform Manager appliances in a LR deployment.

False

True or False: TrueIdentify is not needed for CloudAI.

False

True or False: User access does not have to be granted when setting up CloudAI

False

True or False: Case associations are not bi-directional.

False: Case associations are bi-directional. When a case is associated with another case, it is displayed in the Associated Cases section of both cases.

True or False: 'Query Timeout Periods' are set by LR and unchangeable.

False: Each user can configure their own Query Timeout

True or False: Restricted Admins can see all Alarms in the Web Console.

False: Global Administrators and Global Analysts can see all Alarms in the Web Console. Restricted Analysts and Restricted Admins can only see Alarms for which they are included in the notification list.

True or False: Audit and Compliance reports can be run as a search.

False: Only reports based on Events or Log Messages can do this.

True or False: All widgets are available on all pages.

False: Only some widgets are available on certain pages.

True or False: 'Tail' searches always start 2 minutes before a selected start time.

False: They start 1 minute before start time

True or False: Files of any format, except audio and video, that are 1GB or less in size can be uploaded and added to cases as evidence.

False: This includes audio and video files.

True or False: LR SIEM allows a user to create a Playbook on the fly while they are doing an investigation.

False: This is not allowed.

True or False: The Analyzer Grid refreshes constantly with any new Events every 30 seconds.

False: This occurs every 15 seconds.

True or False: The 'Save' icon will turn green when changes are made reminding you to save.

False: The 'Save' icon will actually turn blue.

What are required log sources with LR UEBA?

Required: AD Domain Controller (Security Logs); Recommended: VPN Events, Process Activity, Security Events

Identify a market differentiator of the LogRhythm UEBA solution.

The LogRhythm UEBA Solution uses machine learning technologies to continuously improve your team's time to detect and respond to threats.

Which filter is used to do an unstructured search?

The Log Message filter

Holistic Threat Detection

The AI Engine is a technology that sees a real-time stream of all data that is collected and processed by LogRhythm and then enriched by Machine Data Intelligence. The AI Engine provides real-time visibility across the entire attack surface, as well as visibility of threats throughout the attack life cycle.

In the WebUI which tab gives you access to a subset of the metadata for monitored identities?

The Cloud AI tab

What appliance is responsible for Case and Event management, Alarming, Reporting, notifications, scheduled jobs, and the configuration of the LogRhythm Platform?

The Platform Manager or PM

What is the amount of time a search is allowed to run before timing out called?

The Query Timeout Period

Web Console: What may need to be adjusted if you notice too many logs are being forwarded as events and causing unnecessary noise in your dashboard?

The RBP or Risk Based Priority may need to be adjusted.

In LR, what allows analysts to see which risk is most important to an organization?

The Risk Prioritization on Alarm Cards

Which Tab in WebUI is mainly used for compliance purposes?

The Searches Tab

Which widget allows you to investigate details of events impacting a specific area?

The Threat Activity Map

Time Normalization is a process performed by which component?

This is performed by the System Monitor.

What is the LogRhythm SIEM response tool?

The Web Console- for manual and automated response

What is the main benefit of a precision search?

The ability to define a search to provide an exact result.

What is the main goal of both Threat Hunters and SOC 1 Analysts?

The main goal of both is to reduce the MTTD and MTTR to security incidents.

In the metrics tab of a Case, what does the Time to Qualify (TTQ) represent?

The time between the earliest evidence and time the case was created.

What can a user do to make the most important case evidence more visible and easier to access?

The user can pin evidence items to the top of the Evidence Locker.

What is the primary focus behind any and all decisions made at LogRhythm?

Their commitment to their customers

Where can Playbooks be viewed, imported, and created?

These actions can be done in the Web Console.

Web Console: Dashboards allow what functionality?

These allow you to switch between pages.

Appliances: Dedicated AI Engine (AIE)

These appliances deliver highly-scalable, patented machine analytics for advanced correlation and behavioral analysis. Multiple nodes can be deployed in support of distributed analysis and workload scaling.

Appliances: Network Monitor (NM)

These appliances offer full visibility into network traffic, identifying applications via deep packet inspection, providing real-time unstructured search access to all metadata and packet captures.

Appliances: Dedicated Platform Manager (PM)

These appliances provide alarms, notifications, case and security incident management, workflow automation, and centralized administration. Each LR deployment has a single PM.

Appliances: Dedicated Data Indexer (DX)

These appliances provide high performance, distributed and highly scalable indexing of machine and forensic data. They can be clustered to enable HA and improved performance. They store original raw data as well as structured data to enable structured and unstructured search-based analytics.

Web Console: Data Processing Trend does what?

This chart shows the number of logs, events, and alarms over the past 30 days.

Classification: Audit

This classification describes Account Created, Access Success, Authentication Success, etc.

Appliances: Dedicated Data Processor (DP)

These appliances provide processing of machine and forensic data. They receive machine and forensic data from Collectors and Forensic Sensors, leveraging MDI to transform data into a structured and contextualized form. They archive data and distribute both original and structured copies to other LR components to achieve indexing, machine-based analytics, and alarming.

By whom and where can SmartResponses be configured?

These are configured by the Administrator in the Client Console.

What are widgets?

These are mini-applications that can be added or modified for easy access to the data important to your specific role.

Web Console: What is the functionality of Widgets?

These can be found on the Dashboard, Analyze, and Cases pages, allowing you to quickly review real-time data.

How are SAO or Security Automation and Orchestration capabilities delivered?

These capabilities are delivered through Case Management and SmartResponse Automation.

Web Console: Topics Charts?

These charts should be reviewed as often as possible to become familiar with what's normal and abnormal in your environment.

Common Events

These descriptors are assigned to each log message to further describe the activity. Where classifications describe the broad range of activity, common events provide more descriptive context.

What are parsing and data normalization all about?

These functions create a consistent language by translating the various languages the different log sources speak, allowing you to compare "apples to apples".

Metadata Groups

These groupings allow a view of the metadata by category. You can click through each of the groupings to see the information presented in different ways based on the category.

raw logs

These logs are filled with unorganized data that is time-consuming for an analyst to locate and read, making them very impractical.

Appliances: Data Collector (DC)

These optional appliances collect log, flow, and machine data for secure transport from remote locations to LR DP appliances. They can encrypt and compress data prior to transport.

Function of Network Monitors

These perform deep packet inspection of network traffic for application identification, extraction of searchable metadata, and full packet capture.

What does each column in the Analyzer Grid represent?

Each column represents a metadata field.

Case Trend Priority and Case Trend Status Widgets

These widgets deliver increased visibility into overall trends to help managers ensure Cases are being addressed and prioritized effectively.

How is LogRhythm able to perform Data Acquisition?

They are able to capture and record any activity in the enterprise using a multitude of data acquisition formats.

What does each row in the Analyzer Grid represent?

Each row represents an event or log message.

Case Management Dashboard

This Dashboard provides a higher-level overview of case activity across an environment. From this dashboard, case trend visualizations for status, priority, and incidents across all cases are available for view. The Case Management Dashboard offers centralized visibility to case information from a SOC perspective.

Case Dashboard

This Dashboard provides an Analyst's overview of cases currently assigned to the Analyst, any open or closed cases, case history, and any cases marked as Open Incidents. It is meant to focus on case information applicable to the Analyst.

Web Console: Name three functions of the Analyzer Grid.

This allows a quick, detailed view for timeline analysis. It can be used to: 1) Display event or log metadata so that it can easily be viewed, sorted, and used for further discovery 2) show events in chronological order to allow an analyst to see event timelines 3) quickly see the underlying metadata of a dashboard display to allow for the further analysis and investigation of suspicious or abnormal data.

What does the Tail feature in the Web Console provide?

This allows you to monitor logs for a particular log source in real-time, without having to repeatedly run a search. This function starts 1 minute before a selected start time, and can run up to 15 minutes.

Common Events

This attribute of a log message provides a more descriptive context for the activity described in a log message.

Where can you update the priority of a case?

This can be performed in the Inspector Window of a case.

What is an Incident Timeline and its function?

This is a complete real-time record of an incident or activity. It is there to keep the team on the same page, get new team members up to speed quickly, and simplify the process of incident postmortems.

Web Console: Threat Activity Map?

This is a geographic visualization of origin and impacted hosts. Note: Your admin must enable the Geolocation IP resolver on all data processors for this widget to display any data.

What is the purpose of cases?

This is a mechanism for tracking an investigation and the eventual resolution of an incident. They allow Analysts to fully document an incident and to collaborate with other Analysts, security team members, and Administrators.

What is an event?

This is a more important log that may require action.

What is LogRhythm's True Time?

This is a patented technology for normalizing time for time zone deltas and time offsets between systems. The technology uses the actual time the event occurred, instead of the time when the event was processed or received.

Dark Spare unit

This is a redundant hardware appliance available in the event of hardware failure. There is no automation or data replication, and these units are typically stored off site.

What is the Client Console?

This is a single pane-of-glass user interface that provides access to LogRhythm Enterprise. It can be accessed from a Windows platform, either directly on a workstation or through remote connection.

The LogRhythm Threat Intelligence Service (TIS)

This is a standalone Windows service (generally installed on the Platform Manager) that operates alongside the SIEM and allows third-party threat data feeds to be easily integrated into any LogRhythm deployment.

What is a report?

This is a summary of log source activity based on a set of criteria.

Docker

This is a tool for creating and deploying applications in what are referred to as "containers."

Detection

This is all about using the SIEM to detect a problem in your environment.

Log Source

This is any system (application, device, etc.) that can communicate with the network and provides log messages (data).

Metadata

This is data about the data (log message).

Event correlation

This is the flagging of important logs as events, once detected.

Sustained Rate

This is the max rate for one hour.

Max Processing Rate?

This is the max rate to collect, archive, and process logs at max indexing rate.

Web Console: What does it mean to search with Lucene?

This is the open-source text retrieval library (released under the Apache Software License) behind any search you perform in the Web Console. Dashboard widgets are also filtered using Lucene syntax.

Data collection

This is the process of collecting raw log messages from log sources.

What is parsing?

This is the process of extracting metadata from a raw log message.

What is an alert?

This is the real-time notification that allows you to know about and take immediate action on a problem in your environment.

Threat Lifecycle Management workflow

This is the recommended workflow for minimizing MTTD and MTTR.

What is Threat Lifecycle Management workflow and its purpose?

This is the recommended workflow on LogRhythm. It is aimed at minimizing Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) to security threats.

Purpose of the SIEM

This operates as your team's central nervous system to alert and enact countermeasures in the event of a threat.

Web Console: What is the functionality of Cases?

This page allows the creation of cases for managing investigations and resolving incidents.

What is the function of the Data Processor?

This parses and normalizes metadata from raw logs. It then identifies single-log events and sends them to the Platform Manager. It sends metadata to the AI Engine, sends metadata and raw logs to the Data Indexer, and lastly sends raw logs to the Archive.

What is the function of the Advanced Intelligence Engine (AI Engine)?

This performs event correlation and identifies AI Engine events. It sends AI Engine events to the Platform Manager.

Function of User & Entity Behavior Analytics

This performs profiling and anomaly detection using a wide range of analytics approaches against diverse environmental data. This provides the customer with extensive visibility into insider threats, compromised accounts, and privilege abuse.

When a case is first created, only the "Earliest Evidence in Case" and "Case Created" metrics are displayed. What is the time between the Earliest Evidence and Case Created called?

This period of time is considered the Time to Qualify (TTQ).

What is Machine Data Intelligence?

This provides a deep structuring of the data, while classifying and contextualizing it in a uniform fashion. The result is a uniform view of the data that is now optimized for downstream analytics.

How does a LogRhythm File Integrity Monitoring solution enhance a security operations center?

This solution detects changes to critical files, wherever they are stored. Additionally, alerts are raised on malware-related registry changes, improper access of confidential files, and theft of sensitive data.

Explain an HA solution.

This solution is used to ensure data is always accessible. There is a redundant hardware appliance utilized in the same location as the primary appliance to minimize the delay in failover. Full data replication occurs between active and passive appliances and failover is automated using an IP address that is shared between the two units.

Explain a Disaster Recovery or DR solution.

This solution is used to restore access to data quickly in the event of a disaster. There is redundant hardware in a remote location. Failover is triggered manually.

Database Usage widget

This widget allows users to easily monitor database levels by showing the percentage of each database that is currently being used. It provides a visual indicator when database usage is high. The default setting for each database is 75%.

Node Link Graph widget

This widget allows you to visualize relationships, patterns, and abnormalities present in log data.

Case Lists widget

This widget displays Case Cards showing the priority, status, age, owner, due dates, and any tags assigned to the Case.

Case History widget

This widget displays a record of actions taken in descending order, with the most recent activity showing at the top. This is an audit trail of work performed in the Cases. All activity is tracked in the History, including any edits, changes in the Case, and additions or removals of Evidence.

Case Metrics Trend widget

This widget displays an environment's average MTTD and MTTR over time as a trend.

Explain the Threat Hunter workflow.

This workflow has a baseline idea of what information is coming through their networks, as well as a good awareness of their environment.

What does TLM mean?

Threat Lifecycle Management

What is the importance of creating a Case?

To build evidence lockers for incidents.

True or False: If you modify and save a public layout, all other users will see your changes.

True

True or False: A single virtual data collector is capable of collecting and transmitting up to 10,000 messages per second from thousands of devices and cloud services.

True

True or False: Collecting key logs for CloudAI is an important step for best practice.

True

True or False: Concerning alarm management, visibility to information is based upon assigned RBAC permissions.

True

True or False: Data access complies with SOC 2 standard.

True

True or False: If you have a User Profile in the LogRhythm Client Console, you can log in to the Web Console using those same credentials.

True

True or False: LogRhythm contains pre-configured Alarm Rules, which can be enabled to monitor for security issues, system health, and items related to compliance such as PCI, GDPR or NIST.

True

True or False: LogRhythm is able to extract and tag log messages.

True

True or False: Reports can be configured within the Client Console.

True

True or False: Some widgets are only available on certain pages, and for certain users.

True

Security Architect

Understands the needs of a SOC

What are some unique data features that enable effective analytics?

Uniform Data Schema, Common Classification, TrueIdentity, TrueHost, TrueGeo, TrueTime

How long is data retained on the Data Indexer or DX?

Until the drive is 80% utilized or up to the default TTL of 30 days, whichever comes first.

What is the most vulnerable aspect of the Security Landscape?

Users

What feature/tool provides an at-a-glance view of Event data, platform components, and environment attributes through a series of widgets?

Dashboards

What value can be adjusted to reduce the Events displayed in the Dashboards?

The Risk Based Priority (RBP) criteria value.

Give a scenario when you would use a Structured Search.

When you have well-defined parameters, like a time frame.

Which component handles Metadata Extraction & Tagging and Risk & Threat Contextualization?

The Data Processor handles these functions.

What is an example of why a user could be listed on 'HR Watchlist'?

You previously identified suspicious activity on their account.

Beats

Beats are a technology made available by Elasticsearch; they are essentially lightweight agents that acquire data and then feed it to the Data Indexer component, which utilizes Elasticsearch.

CISO (chief information security officer)

Manages security for the organization's information systems and information. Reports to the CIO.
