LogRhythm released Case Management in its most recent update, and while I could wax lyrical about why you should be using this feature, I won’t. Instead, I’ll show you a brief video demonstration of the new feature in action. In this demo you’ll see the entire end-to-end analyst workflow, from an Alarm being generated, through validation, to escalation and remediation.
So, without further ado! Roll the 20th Century Fox fanfare. Grab some jalapeño cheese popcorn and enjoy:
Case Management Demonstration in LogRhythm Web UI Video
Wasn’t that better than me writing a small essay on the topic? In case you’re short on time, here is a quick recap of the video:
- An alarm was triggered, notifying the necessary personnel that something bad was happening on the network; in this case, a DNS query matching a user-defined Threat List.
- LogRhythm was used to drill down and pivot between search results to quickly find out “what else happened?”
- A case was created around the event and all relevant information was brought together in a single place: the Forensic Evidence Locker.
- Finally (and perhaps most important of all), after investigation the case was escalated to an incident and assigned to a colleague for remediation (the art of delegation!).
If you watch carefully, there are other features at play in this demonstration:
This presentation is a great demo of Threat Lists in use. In this example, a user-defined Threat List matches specific domain names queried by endpoints via DNS (again, please note there’s nothing wrong with BMW’s website; they make great cars). Note that DNS resolves names, not URLs: what lands in the log is the hostname an endpoint asked for, so a list used this way should hold domain names. If you’re not already collecting DNS query logs from your resolvers, I highly recommend you look into it. Watching for malicious names at the resolution stage can surface threats that would otherwise not be seen: think fast-flux domains, command-and-control channels, or malicious sites on shared HTTPS hosting where the destination IP alone tells you nothing. Threat Lists within LogRhythm can contain a wide variety of indicators, such as process names, email subjects (phishing attacks), file hashes or, as in this case, domain names. Threat Intelligence feeds are a great way to leverage the power of collective and shared knowledge. If you’re not already using Threat Lists with your LogRhythm solution, enable the KB module and give them a whirl. Learn more about our Threat Intelligence Ecosystem here.
Another feature used in this presentation is Data Masking. What’s Data Masking? It’s a LogRhythm feature that rewrites log data as it is processed. The predominant use case is masking or obfuscating sensitive data, such as social security numbers or PAN data, so that it never appears in search results or reports. The same mechanism can also normalise fields that arrive in inconsistent formats (MAC addresses, for example, are written with colons, with dashes or with no separators at all); in the demo above I used it to remove redundant characters. A word of caution: a masking rule changes what the platform keeps, so test it against real samples before enabling it, because a pattern that is too broad will quietly corrupt fields you later need in an investigation. Let’s look at another quick example. A standard Microsoft DNS debug log looks like this:
Now, for the keen-eyed, you may have noticed the extra characters in the queried name. Microsoft’s DNS debug log writes the name in DNS wire format: each label is preceded by its length in parentheses instead of being separated by dots. If you compared all the internal DNS queries made by endpoints, in that default format, against a Threat List of domain names, nothing would match. That’s where Data Masking comes in. A rule that replaces each length prefix with a dot (and trims the leading and trailing dots) leaves a plain domain name to compare against our Threat List:
Finally, the last point I’d like to make you aware of is the Web Pivot feature. It lives in the Web Console and enables drill-down searching on metadata fields. In this use case, we have an Alarm against Host-X and want to see all the activity carried out by that host in the surrounding time frame. With Web Pivot, we simply click the metadata field of interest (the hostname) and specify the period to search around it (1 minute either side of the Alarm). And that’s it!
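To make the three features above concrete (the Threat List match, the Data Masking step that turns Microsoft's wire-format names into plain domains, and the Web Pivot around the alarming host), here is the same chain written out in plain Python. This is an added example written for this post, not LogRhythm's own code or configuration. The log lines imitate the Microsoft DNS server debug log layout but are constructed for the example, the threat list contents are constructed, the client IP stands in for the hostname LogRhythm would show, and the 1-minute window is the one used in the demo.

```python
"""Added example (not LogRhythm code): normalise Microsoft DNS debug-log
query names, match them against a threat list, then pivot on the alarming
host.  Log lines and list entries below are constructed for illustration."""
import re
from datetime import datetime, timedelta
from typing import Optional

# Constructed sample lines in the shape of a Microsoft DNS debug log.
# The queried name is in wire format: each label is prefixed by its
# length in parentheses and the name ends with (0).
SAMPLE_LOG = """\
3/18/2019 09:41:02 AM 0A2C PACKET  00000000026E6FA0 UDP Rcv 10.0.0.25 0002 Q [0001   D   NOERROR] A     (3)www(7)example(3)com(0)
3/18/2019 09:41:17 AM 0A2C PACKET  00000000026E6FA0 UDP Rcv 10.0.0.25 0003 Q [0001   D   NOERROR] A     (3)www(3)bmw(2)de(0)
3/18/2019 09:41:18 AM 0A2C PACKET  00000000026E6FA0 UDP Rcv 10.0.0.25 0004 Q [0001   D   NOERROR] AAAA  (3)www(3)bmw(2)de(0)
3/18/2019 09:41:40 AM 0A2C PACKET  00000000026E6FA0 UDP Rcv 10.0.0.77 0005 Q [0001   D   NOERROR] A     (6)update(3)bmw(2)de(0)
3/18/2019 09:43:05 AM 0A2C PACKET  00000000026E6FA0 UDP Rcv 10.0.0.25 0006 Q [0001   D   NOERROR] A     (4)mail(7)example(3)com(0)
"""

# Constructed threat list; a listed domain also covers its subdomains.
THREAT_LIST = {"bmw.de"}

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+ [AP]M) \S+ PACKET +\S+ (?:UDP|TCP) "
    r"(?:Snd|Rcv) (?P<client>\S+) +\S+ [QR] \[[^\]]*\] +(?P<qtype>\S+) +"
    r"(?P<wire>\S+)$"
)
LABEL_RE = re.compile(r"\((\d+)\)([^(]*)")


def mask_name(wire: str) -> str:
    """What a single Data Masking regex rule does: turn every (n) length
    prefix into a dot and trim the leading/trailing dots."""
    return re.sub(r"\(\d+\)", ".", wire).strip(".").lower()


def decode_name(wire: str) -> str:
    """Stricter decode that checks each label length, so a malformed or
    truncated name raises instead of being silently masked into a
    plausible-looking domain."""
    labels = []
    for length, label in LABEL_RE.findall(wire):
        if int(length) != len(label):
            raise ValueError(f"label length mismatch in {wire!r}")
        if label:
            labels.append(label.lower())
    return ".".join(labels)


def parse_log(text: str) -> list:
    """Parse the constructed debug-log lines into event dicts."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a query/response packet line
        stamp = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %I:%M:%S %p")
        events.append({"time": stamp, "client": m["client"],
                       "qtype": m["qtype"], "name": decode_name(m["wire"])})
    return events


def threat_match(name: str, threat_list: set) -> Optional[str]:
    """Return the list entry that covers `name`, or None.  Walks up the
    name so 'www.bmw.de' is caught by an entry for 'bmw.de'."""
    parts = name.split(".")
    for i in range(len(parts)):
        candidate = ".".join(parts[i:])
        if candidate in threat_list:
            return candidate
    return None


def raise_alarms(events: list, threat_list: set) -> list:
    """Threat List rule: one alarm per DNS query that hits the list."""
    alarms = []
    for e in events:
        hit = threat_match(e["name"], threat_list)
        if hit:
            alarms.append(dict(e, matched=hit))
    return alarms


def pivot(events: list, alarm: dict, window: timedelta = timedelta(minutes=1)) -> list:
    """Web Pivot equivalent: everything the alarming host did within
    +/- window of the alarm (the alarm event itself included)."""
    lo, hi = alarm["time"] - window, alarm["time"] + window
    return [e for e in events
            if e["client"] == alarm["client"] and lo <= e["time"] <= hi]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    alarms = raise_alarms(evts, THREAT_LIST)
    for alarm in alarms:
        print(f"ALARM {alarm['time']} {alarm['client']} {alarm['name']} (list: {alarm['matched']})")
    for e in pivot(evts, alarms[0]):
        print(f"  pivot {e['time']} {e['qtype']:<5} {e['name']}")
```

Two things worth noting. `mask_name` is the one-line substitution a masking rule performs; `decode_name` shows why you want to validate the length prefixes rather than just strip them, since a corrupted name such as `(3)wwww(2)de(0)` would otherwise be masked into a convincing `wwww.de`. And `threat_match` walks up the name so a list entry for a parent domain catches every subdomain, which is usually what you want for a domain-based list but is a choice to make explicitly.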
And there we are. One of my favourite takeaways from demoing Case Management to customers, or training them on it, is the Gru Moment when folks see how easy Case Management is and the benefits the feature can provide them. Case Management neatly ties together the end-to-end analyst workflow, providing a great way not only to advance through the Security Operations Maturity Model, but also to improve the return on security investment across your organization.