Use Case: Detect and Respond to Malware Traffic with NDR

As malicious actors continue to use a variety of techniques to evade detection, it’s paramount to protect your organization’s network activity. You need a solution that can detect and prevent malicious network activity.

One solution is network detection and response (NDR), a security tool that gives you full visibility to a known threat, such as top-level domain, and an unknown threat, including advanced persistent threats (APTs), that cross your network. In this blog post, I’ll explore a real-world scenario of how a security analyst detected malware using LogRhythm’s NDR solution, LogRhythm NetworkXDR, which other security controls missed.

How NDR Works

How exactly does NDR work? NDR offers a centralized, machine-based analysis of network traffic, and response solutions, including efficient workflows and automation. It helps you uncover known and unknown threats that might impact your network.

NDR provides the following capabilities, which we’ve explained in closer detail:

Detection: An NDR solution gathers data across your environments and uses machine analytics to quickly expose threats. The most effective NDR solution incorporates multiple machine analytics approaches, such as scenario-based modeling for known tactics, techniques, and procedures (TTPs) and deep inspection of network packets, along with comparison traffic of metadata against known indicators, to detect threats.

Investigation: NDR gives your team real-time network insights and analytics and gathers data from your environment, adding relevant, contextual information to help you streamline your investigations. An NDR solution can generate network-based evidence for threat analysis, policy enforcement, audit support, and legal action. NDR also eases threat hunting because it helps your team quickly and easily spot suspicious activity.

Response: An effective NDR solution can boost and automate your security workflows with security operations automation and response (SOAR) capabilities. This is critical to help your team automate routine actions to respond to these threats, allowing you to focus on more important matters. For example, you can automatically disable an account or block an IP address if an attack occurs, without manual intervention.

Use Case: Detect and Respond to Malware Traffic

Malicious actors use several techniques to evade detection with point solutions such as endpoint protection platforms and IDS/IPS. Because NDR covers the entire network, it can detect malware that other security controls might otherwise miss. Let’s explore how you can detect malware using LogRhythm NetworkXDR.

The Problem: Suspicious Top-Level Domain Alert

In this example, an analyst discovered an endpoint on his organization’s network that caused a built-in NetworkXDR Deep Packet Analytics rule for a suspicious top-level domain to fire an alert. Initially, the analyst believed this was a false positive because the organization’s other security tools showed the endpoint was clean.

To dig deeper, the analyst pulled additional information from the endpoint using a LogRhythm SysMon agent and determined which process was responsible for outbound communications. It was “svchost.exe” communicating over HTTP outbound to the suspicious domain.

The Solution: Automated Response for Fast Resolution

After determining there was a malware threat, the analyst used automation to remove the endpoint from the network and ran follow-up scans to confirm the endpoint was infected.

By using built-in rules in NetworkXDR, the analyst identified suspicious network activity that existing security systems missed. By using deep packet analysis, the analyst quickly identified, remediated, and contained the malware.

The Benefits of LogRhythm NetworkXDR: Pervasive Visibility for Rapid Detection and Response to Network-Borne Threats

In this use case, the analyst used LogRhythm NetworkXDR to identify and contain the threat. LogRhythm NetworkXDR is an NDR solution that provides full coverage against known and unknown threats. It addresses a wide variety of network-borne threats use cases.

Specifically, LogRhythm NetworkXDR provides an integrated set of capabilities and aligned workflows to help you detect, qualify, investigate, and respond to advanced threats through a centralized analysis of network traffic data. LogRhythm NetworkXDR recognizes applications at Layer 7, enabling you to see applications across your network.

Figure 1: The LogRhythm NextGen SIEM Platform and NetworkXDR give you greater network visibility


When network-borne threats strike, time is of the essence. You need to respond quickly with the right solution. LogRhythm NetworkXDR can help. LogRhythm NetworkXDR helps you detect and act on threats to protect your organization’s data before serious damage occurs to your network.

Read the white paper, “Network Detection and Response: Making the Impossible, Possible” to learn more about LogRhythm NetworkXDR and how it can provide full visibility against malware and other network-borne threats to your organization.