Enhancing the User Experience and Expanding Log Collection with LogRhythm 7.12

LogRhythm SIEM

At LogRhythm, innovation is at our very core. While we enhance our product portfolio, we continue to invest in LogRhythm SIEM  with our latest release of  version 7.12. 

LogRhythm 7.12, which is now available, streamlines the process for collecting and monitoring new security data sources and automates log source onboarding, giving analysts a simplified experience and shifting more of their focus from administration to detecting, investigating, and responding to threats. This marks our fourth consecutive quarterly release innovating our products and keeping promises to you. 

Enhancing the Admin API  

To build off LogRhythm’s initial work in LogRhythm SIEM version 7.11 introducing new endpoints to the LogRhythm Admin API, LogRhythm 7.12 includes additional endpoints needed to configure log source virtualization settings. With this addition, admins on your team can fully automate the creation of log source virtualization templates and virtual log source items. 

With the latest version, LogRhythm is also introducing two new administrative functions in the API — Management of Log Source Types and Log Processing policies. This enables your admins to fully automate the management of Log Source Types and Log Processing Policies. The latest improvement enhances the level of automation that LogRhythm performs, helping you reduce mundane tasks and automate log source onboarding. 

This feature updates the API to better support the configuration of more advanced and customized log source types. It also lays the foundation to bring additional log source administration functionality into the Web Console. Look for additional capabilities in the next release in June. 

Introducing Log Sources to the Web Console 

LogRhythm is on a journey to enhance and modernize your experience. With LogRhythm version 7.12, LogRhythm made it possible for you to view and search through log sources through the web console, as well as see the last log message for each log source. Previously, log sources and the last log message timestamp could only be viewed from the client console, prompting you to use both the client console and the web console to accomplish tasks. 

Under the Admin menu, you can navigate to the Log Source administration page to view and perform the following: 

  • View active and retired log source grids. Displayed columns include: 
    • Name 
    • Entity 
    • Log Source Type 
    • Log Source Host 
    • Collection Agent 
    • Silent Log Source 
    • Last Log Message 
    • Filter and sort in each column 
    • User visibility into log sources will adhere to user profiles and permissions

This is LogRhythm’s first step to bring log source management into the web console. This feature unifies administration consoles, saving you time by performing fewer clicks and keeping information in a central location. Look out for future updates next quarter when we plan to announce further improvements. 

Log source grid
Figure 1: Customers can see and search through their log sources through the web console

SecondLook features improved administration and workflow 

Following the January launch of SecondLook, a tool that enables users to query data and search it in the archives, to LogRhythm Cloud customers, LogRhythm made further updates to improve the workflow. 

In response to customer requests, SecondLook now features a quick search function for completed SecondLook restores. Users can quickly search for restored archives with a single click, preventing them from re-entering search filters. This saves LogRhythm Cloud customers time when searching for restored archives. 

SecondLook Interactive search icon
Figure 2: An inactive search icon is now displayed in the actions column of each restore; when the restore status moves from In Progress to Completed, the icon activates


Run a search in SecondLook
Figure 3: Select the icon to quickly run a search for the logs restored by SecondLook


SecondLook filter criteria
Figure 4: Each search is pre-populated with the filter criteria used in the corresponding saved SecondLook restore settings, and it works like all other searches

As part of the SecondLook improvements, LogRhythm version 7.12 offers self-hosted customers automatic maintenance of archive indices. With this function, logs that are in the data indexers are automatically deleted based on a time limit parameters customer set. Customers who enable the feature can modify specific settings to indicate how long they want to keep the logs. 

This feature lets customers analyze and interrogate historical data more easily. It also reduces administration, saving users time from performing manual clean-up on their own. 

SecondLook automatic maintenance of restored archives
Figure 5: SecondLook now features automatic maintenance of archive indices for self-hosted customers

SecondLook Role-based Access Controls (RBAC)

For LogRhythm Cloud customers, role-based access controls now offers more granular options for allowing access to SecondLook. Within a user profile, administrators can grant a user access to the SecondLook tool in the Client Console, in the Web Console, or in both consoles.

Figure 6: Role-based access controls now have more options to allow access to SecondLook
Figure 6: Role-based access controls now have more options to allow access to SecondLook

Enhancing Log Collection with LogRhythm OC Admin 

Building off the introduction of OC Admin in LogRhythm SIEM version 7.11, LogRhythm made additional improvements in the latest release to enhance the workflow and make it even easier for customers to onboard log sources. With LogRhythm SIEM version 7.12, customers can now access a simple interface to parse data and centrally manage deployed Open Collectors, allowing for greater automation of the technology. 

A new Action icon in the Open Collectors page/list
Figure 7: A new Action icon is accessible in the Open Collectors page/list

Additionally, LogRhythm 7.12 enables customers to ingest data from a variety of API sources using OC Admin. LogRhythm expanded its log collection to include the following: 

  • Prisma  
  • Symantec Web Secure Service (WSS) 
  • Microsoft Graph API 
  • Carbon Black Cloud 
  • Cisco AMP 
  • DUO 
  • Proofpoint 

To improve technical support issues with Open Collector, version 7.12 also introduces light administration capabilities within OC Admin.  Customers often are challenged with configuring Open Collector or they lack the know-how to fix an issue when something goes wrong. As part of the Open Collector Manage page, customers can perform a series of actions such as starting and stopping, importing, and exporting full configuration, viewing high level configuration, exporting logs as files, and viewing real-time logs in the UI. 

View real time logs in the UI
Figure 8: LogRhythm added support for exporting and tracking Open Collector and Beats internal logs in real time

For more on OC Admin improvements, visit the blog post here.

Ongoing log source support 

LogRhythm is committed to providing customers with greater value. As part of that mission, the team revisits supported log sources and updates them to enable better correlation and analysis. Our new and enhanced methods of ingestion include:  

  • Prisma Cloud API: Allows users to monitor everything that is occurring in the Prisma Cloud suite.  
  • SalesForce eCommerce Auditing: Allows users to see what client(s) created a Promocode or altered the price of an item, with what server and user 
  • Open Collector behind Squid Proxy: acts as an additional data security boundary to protect users from malicious activity on the internet. 
  • Open Collector: Oracle Version Update offers support between Oracle operating systems and Open Collector 
  • System Monitor (SysMon) Agent: Support for the latest version of RHEL   
  • System Monitor Agent: Support between Oracle operating systems and SysMon 

We’ve also updated LogRhythm’s Machine Data Intelligence (MDI) Fabric capabilities to enhance multiple MPE rules and signature IDs across Cisco Secure Email, Cisco Umbrella, FireEye, Imperva, Tanium, ForcePoint, MS Windows Event Logging, MS Exchange Management, Symantec DLP, and among others. 

New LogRhythm SmartResponse™   

We’re continuing to add to our growing library of LogRhythm SmartResponses™, our prebuilt automated actions for third-party integrations. These actions enable you to execute preventative actions, accelerate your response, and shorten your workflow. With the LogRhythm 7.12 release, our Netskope 2.0 SmartResponse is now available. Through Netskope’s REST API, customers can add URLs, files, or SHA-256 hashes to the application blacklist in Netskope. 

What’s new in LogRhythm UEBA 

LogRhythm continues to enhance its advanced analytics capabilities with updates to LogRhythm UEBA, an add-on to LogRhythm SIEM. Recently, LogRhythm Labs, our dedicated team of threat intelligence experts, developed additional out-of-the-box use cases for LogRhythm UEBA to enable you to use anomaly outputs with other findings in your environment. The new uses cases include the following:

User anomaly + password modified 

A user’s password is modified, and the user has a high anomaly score. This is a highly suspicious activity that is worth investigating. While a password change by itself is not suspicious enough, this is the direct added value of LogRhythm UEBA. This use case uses the following: 

A new LogRhythm UEBA use case identifies when a password is modified
Figure 9: A new LogRhythm UEBA use case identifies when a password is modified

User anomaly + file downloaded 

A user downloads numerous files and the user has a high anomaly score. This is a suspicious activity that you should investigate. Simply downloading files by itself is not suspicious enough, but LogRhythm UEBA deems it necessary for further review with the combination of the file downloads and the high anomaly score. This use case features the following: 

A new LogRhythm UEBA use case identifies when a file has been downloaded
Figure 10: A new LogRhythm UEBA use case identifies when a file has been downloaded

User anomaly + file deleted first stage recycle bin 

A user deletes numerous files, and the same user has a high anomaly score. This activity should immediately raise a red flag as it shows signs of highly questionable behavior. LogRhythm UEBA alerts you to this anomalous activity. This use case is as follows: 

A new LogRhythm UEBA use case identifies when a file has been deleted and added to the first stage recycle bin
Figure 11: A new LogRhythm UEBA use case identifies when a file has been deleted and added to the first stage recycle bin

User anomaly + file deleted second stage recycle bin 

An admin user deletes many files from the second stage recycle bin, and the user has a high anomaly score. As mentioned above, this activity is highly suspect and is worth investigating. When a file is deleted, it first goes into the first stage recycle bin. If a file is deleted from the first stage recycle bin, it moves into the second stage recycle bin, to which only admins have access. Merely deleting files is not necessarily cause for alarm, but LogRhythm UEBA shows you the direct value in associating these two user activities. With this information, you can minimize further damage. This use case includes the following: 

A new LogRhythm UEBA use case identifies when a file has been deleted and added to the second stage recycle bin
Figure 12: A new LogRhythm UEBA use case identifies when a file has been deleted and added to the second stage recycle bin

Stay in the know with the latest updates on LogRhythm UEBA in Community.  

Upgrading to LogRhythm 7.12 and influencing the future 

LogRhythm remains committed to our customers. Our latest product enhancements come, in part, from customer feedback. To stay updated on the latest LogRhythm product news and help influence what’s coming next, visit LogRhythm’s Innovation Portal. 

Take advantage of the latest features of LogRhythm SIEM version 7.12 by letting our team of experts perform the upgrade for you with our Unlimited Upgrades Service. Our Professional Services team is available to enable you to upgrade to every quarterly SIEM release with ease. Existing customers can request a license here and download LogRhythm 7.12 from Community 

For further details about our other product releases, register for our April 2023 Quarterly Launch webinar.