RhythmWorld 2020

That's a Wrap! Thank You for Making RhythmWorld Security Conference A Success

Sign Up for RhythmWorld 2021 Updates!

September 15–17, 2021 | Denver, Colorado, USA
Sign up to receive event updates, insider information, and special promotions.
RhythmWorld Security Conference

RhythmWorld Security Conference went virtual for the first time in 2020. Attendees were able to access the latest in security, LogRhythm best practices, and LogWars Capture the Flag (CTF) event for free — from anywhere across the globe.

About RhythmWorld Security Conference

RhythmWorld is the ultimate cybersecurity conference to access the tools and skills you need to grow as a security professional and enhance your security operations.
Thank you for helping us make RhythmWorld 2020 one for the books. With nearly 2,000 attendees from across the globe, this was our largest security conference to date.

Explore RhythmWorld 2020 Sessions On-demand

Relive the digital experience or check out the content for the first time through our on-demand library of keynotes, content sessions, and partner videos. Watch our recommended sessions or explore all content at the link below. Enjoy!

By registering for RhythmWorld Security Conference you agree to the Event Registration Terms.

Why Attend?

Discover Security Trends and Best Practices

Stay at the forefront of security trends and topics with sessions led by industry experts.

Gain New Skills and Participate in Interactive Sessions

Bring key insights back to your organization and have fun along the way.

Learn from LogRhythm Practitioners and Experts

Discover the latest LogRhythm capabilities and solutions designed to strengthen your security operations.

Share and Collect Insights from Peers

Hear how other industry experts are solving their business challenges with LogRhythm.

Connect with Your LogRhythm Community

Grow relationships with your LogRhythm peers and connect with like-minded security professionals.

RhythmWorld 2020 Speakers

RhythmWorld Security Conference brought cybersecurity leaders from across the industry to provide you with the latest perspectives and thought leadership to drive your security operations.

See the list of prestigious speakers that presented at RhythmWorld 2020 below!

Abid Adam
Chief Risk & Compliance Officer, Axiata Group

Brian Albrecht
Director, Sales Engineering, LogRhythm

Jinan Budge
Principal Analyst, Forrester

James Carder
CISO, LogRhythm

Rusty Carter
Chief Product Officer, LogRhythm

Andrew Costis
Senior Threat Researcher, VMware Carbon Black

Gene Cupstid
Information Security Developer, C.H. Robinson

Avani Desai
Partner & President, Schellman & Company

Stephen Dyson
Security Operations Analyst, Penn Medicine

Andrew Hollister
LogRhythm Labs & Security Advisor to the CSO

Karen Holmes
Vice President & CISO, TrueBlue Inc.

Curtis Huff
Security Analyst, WCF Insurance

Kip James
CISO, TTEC

Sam King
CEO, Veracode

Rob Lee
Fellow, SANS Institute

Robert M. Lee
CEO, Dragos

Mark Logan
CEO, LogRhythm

Sam Masiello
CISO, Gates Corporation

Christopher Mitchell
CISO, City of Houston

Jason Miller
Chief Executive Officer, BitLyft Cyber Security

Randall Otto
Director, Global Recruiting, LogRhythm

Adam Saunders
Information Security Manager, Bourne Leisure

Jeff Schmidt
CEO, Avertium

Seth Shestack
Deputy CISO, Temple University

Eric Shiflet
Director, Product Management, LogRhythm

Dilip Singh
Vice President, Cyber Operations, Sedara

Christopher K. Stangl
Section Chief (Senior Executive Service), Cyber Division, Federal Bureau of Investigation

Steve Surdu
Principal, Surdu Consulting

Rob Sweeney
Senior Information Security Engineer, Penn Medicine

Jake Williams
Founder, Rendition Infosec

Cindy Zhou
CMO, LogRhythm

RhythmWorld Sponsors

Connect with our sponsors to find the right technology and services for your organization.

Platinum Sponsors

Avertium

Sedara

Gold Sponsors

Webroot

Siemplify

LogWars Sponsors

NewCloud Networks

Code42

Optiv

Presidio

Recorded Future

Agenda

View, browse, and sort the growing list of keynotes, sessions, and breakouts by track and level.

Check back often, as we will be adding more sessions and speakers. Please note that session dates and times are subject to change.

Find Your Timezone

Mountain Time (MDT) Agenda

British Time (BST) Agenda

Singapore Time (SGT) Agenda

Explore RhythmWorld Sessions

Opening Keynote feat. Seth Shestack of Temple University

Mark Logan, President & CEO LogRhythm | Seth Shestack, Deputy CISO, Temple University

Digital transformation has accelerated around the world and cyber attacks have increased in parallel. Organizations are pivoting to adapt to these rapid changes and protect their community of customers, employees, and their interests. The work of security professionals is more important now than ever before. Join LogRhythm CEO Mark Logan and guests in this opening RhythmWorld keynote to learn what is happening in the cyber market, hear from industry luminaries, and get an overview of the innovations the company has in store to empower security executives and professionals to do their best work.

8:00 AM – 9:30 AM MDT

The Modern and Evolving Security Leader: Security Executive Panel

James Carder, CSO, LogRhythm | Karen Holmes, CISO, TrueBlue Inc. | Kip James, VP, CISO, TTEC | Chris Mitchell, CISO, City of Houston | Dilip Singh, VP of Cyber Operations, Sedara

The role of a security executive is not for the faint of heart. Once a purely technical role, the responsibilities of the security leader have grown, as has their importance to the business. Today you can find them developing an enterprise-wide IT security strategy and in the board room working towards reducing risk and empowering business outcomes. Learn from our panel of experienced security executives as they provide insights into their biggest challenges, key strategies to support organizational goals, ways security can enable and contribute to the business, and ways their role has continuously evolved. Moderated by James Carder, LogRhythm Chief Security Officer. You’ll learn:
  • Advice to build and develop a security program
  • Actionable tips to build a partnership with your board
  • What the modern security executive looks like
  • Key metrics and KPIs to show the value of your security operations program
  • How your security program can enable business and become a point of differentiation

9:30 AM - 10:30 AM MDT

Women in Security Power Panel

Cindy Zhou, CMO, LogRhythm | Sam King, CEO, Veracode | Avani Desai, Founder & President, Schellman & Company

We’ve all seen the headlines: women make up 26% of all computing-related jobs, and in the cybersecurity industry it’s even less, at 20%. For women of color, it’s down to the single digits. The Women in Security power panel aims to inspire young women to build a career in cybersecurity, and to discuss how men can help by mentoring and partnering with women. This distinguished panel features executives at the helm of leading cybersecurity companies, including Sam King, CEO of Veracode, and Avani Desai, President of Schellman & Company. Moderated by LogRhythm CMO Cindy Zhou, the session will dive into the unique challenges women face in the industry, the panelists’ career journeys, and their leadership philosophies.

10:30 AM - 11:30 AM MDT

Custom Log Source Onboarding

Adam Shackleford, Professional Services Senior Consultant, LogRhythm | Brian Albrecht, Director, Sales Engineering, LogRhythm

This session will cover the end-to-end process of adding a custom log source to your LogRhythm deployment. It includes instructions for the process and a hands-on lab to practice with before doing it in your own environment.

11:30 AM - 12:30 PM MDT

SIEM

Purple Teaming

Brian Coulson, Principal Threat Research Engineer, LogRhythm | Dan Kaiser, Sr. Threat Research Engineer, LogRhythm | Sally Vincent, Threat Research Engineer, LogRhythm

Security organizations must continually assess and improve the efficacy of their security program. They do so by identifying detection gaps and measuring response and remediation times to active threats. Purple team engagements, in which the red team and blue team collaborate to simulate threats, are a focused and structured means to assess detection capabilities and measure the speed of response. The MITRE ATT&CK framework is an invaluable resource for planning purple team engagements: it provides a knowledge base of adversarial behaviors that can be used for scenario planning and a set of techniques against which to determine completeness of coverage. Join this session to learn how to get started with purple teaming in your organization and how to take full advantage of LogRhythm Case, Case Playbooks and Case Tags in orchestrating a successful purple team engagement. LogRhythm Labs will demonstrate a purple team exercise based on MITRE ATT&CK techniques attributed to APT29. You’ll learn:
  • The theory, goals and requirements of purple team engagements
  • Planning a purple team engagement around the MITRE ATT&CK framework
  • How to use LogRhythm Case, Case Tags and Playbooks to structure your purple team engagement
  • Using attack simulation tools such as Red Canary Atomic Red Team in your purple team engagement

11:30 AM - 12:30 PM MDT

SOC Excellence

SAM Service and Best Practices to Keep Your LogRhythm SIEM Healthy

Brian Stern, Administrative Co-Pilot Engineer, LogRhythm | Ashley Howard, Administrative Co-Pilot Engineer, LogRhythm

Cyber security departments and SOCs deal with numerous software tools and competing responsibilities, including the LogRhythm SIEM. The LogRhythm SIEM is a very valuable piece of software in any computer security environment, but must be maintained and monitored carefully for optimal performance and usefulness.

Attend this session to learn about the Support Account Manager (S.A.M.) service, which consists of SIEM platform experts focused on SIEM administrative support, preventative care and support case monitoring. It is your dedicated point of contact for anything related to LogRhythm. Additionally, some quick preventative maintenance and administrative tips will be provided as a taste of what this service can do for you.

This session will be presented by Ashley Howard and Brian Stern from the Professional Services department, who both have years of LogRhythm SIEM support experience that they currently apply to maintaining LogRhythm environments across many different industries.

The presentation includes:
  • Description of the SAM service offering
  • Overview of the Diagnostic Tool used for quick health checks
  • Quick tips to look for issues in the Platform Manager, Data Processor, Data Indexer and AI Engine components so they can be dealt with proactively

12:30 PM - 1:30 PM MDT

SIEM

Beating the Pen Testers: Rules and Investigations to Plant the Blue Team Flag

Curtis Huff, Security Analyst, WCF Insurance

It is commonly reported that the average time to detect a data or network breach is around 200 days. That is over six months that an adversary might have to move around your network, planting backdoors and exfiltrating data along the way. It’s commonly said in security, “It’s not if we get breached, but when, how bad, and how quickly we catch it.” Breach protection must include not only detection, but early detection.

In this session, Curtis Huff, a security analyst for WCF Insurance, will present a tale of two pen tests: the first taking place before LogRhythm was set up, and the second a year later, with alert detection fully in place. See the difference that one year on a SIEM, with the right alerts in place, can make.

You’ll learn:
  • How to move detection up the attack chain
  • Three common attacks you might see on Day One of a pen test
  • The ways to mitigate these attacks
  • Other tripwires to set up in your enterprise to facilitate early detection

12:30 PM - 1:30 PM MDT

SOC Excellence

Finance & Insurance Small Group Discussion

Join a conversation and share best practices with your peers in the Finance and Insurance industry. This discussion will be facilitated by Senior Professional Services Consultant, Matt Kirkland and Senior Customer Success Manager, Abby Shapiro.

Attendance is capped at 30 customer attendees and will be managed on a first-come, first-served basis.

1:30 PM - 2:30 PM MDT

Retail Small Group Discussion

Join a conversation and share best practices with your peers in the Retail industry. This discussion will be facilitated by Senior Professional Services Consultant, Adam Shackleford and Senior Customer Success Manager, Ben Kanner.

Attendance is capped at 30 customer attendees and will be managed on a first-come, first-served basis.

1:30 PM - 2:30 PM MDT

Government Small Group Discussion

Join a conversation and share best practices with your peers in the Government sector. This discussion will be facilitated by Senior Professional Services Consultant, Nathan Belk and Senior Customer Success Manager, Jim Ronan.

Attendance is capped at 30 customer attendees and will be managed on a first-come, first-served basis.

1:30 PM - 2:30 PM MDT

Hands-on Labs Help

Please join LogRhythm technical experts in a live session intended to address questions and provide assistance related to Hands-on Labs.

1:30 PM - 2:30 PM MDT

The Top 5 SmartResponse Plugins You Need Today

Jake Haldeman, Manager of Sales Engineering Operations, LogRhythm | Sam Straka, Product Owner, LogRhythm

This presentation will demonstrate the power and flexibility of LogRhythm SmartResponse plugins by discussing 5(ish) popular plugins, including why they’re helpful, how they work, and how to get started. We won’t dive too deep into the nitty-gritty details, but you will see demos of some of the most popular SmartResponses and learn how to get started using them.

Key takeaways:
  • Demos of 5(ish) popular SmartResponse Plugins
  • Insight into how SmartResponse Plugins are built, installed, and configured
  • Processes that could be made more efficient with SmartResponse automation

2:30 PM - 3:30 PM MDT

SOAR

Ransomware vs. Analytic Co-Pilot: Use Cases and Threat Hunting Panel

Jake Haldeman, Manager of Sales Engineering Operations, LogRhythm | Aaron Beardslee, Analytic Co-Pilot Consultant, LogRhythm | Tim Peck, Analytic Co-Pilot Consultant, LogRhythm

Maintaining the health of your LogRhythm deployment is critical to keep your security and operations program running smoothly. This can be a challenge to do correctly. The LogRhythm Analytic Co-Pilot team is here to help!

In this session you will get to know two Analytic Co-Pilot Engineers, hear their war stories, and learn how they stay on top of the latest threats. You’ll also get a chance to meet the WARMIND, a server used to test malware and ransomware to help ensure AI Engine rules are tuned properly.

In this session you’ll learn:
  • The definition of an Analytic Co-Pilot
  • Lessons learned from Analytic Co-Pilot Engineers
  • How to safely test and detonate Ransomware for research

2:30 PM - 3:30 PM MDT

SOC Excellence

Introducing: LogRhythm.Tools

Eric Hart, Technical Account Manager, LogRhythm | Matt Willems, Product Manager, LogRhythm | Gene Cupstid, Information Security Developer, C.H. Robinson

Interacting with and integrating services through REST APIs can be a challenge. LogRhythm.Tools, a Windows PowerShell module, has been developed to make LogRhythm’s RESTful APIs more accessible. In this session we will present the capabilities of this toolkit as a way to interact with, integrate, and expand your use of LogRhythm. LogRhythm.Tools has been written with efficiency, flexibility, and reliability as its core principles.

Join our session to learn the origins of LogRhythm.Tools, step through demonstrations that span from simple examples to solving complex tasks, and learn how you can get started exploring this new resource. Presented by co-creators Eric Hart, Gene Cupstid, and Matt Willems.

You’ll learn:
  • A new, easier, way to integrate with the LogRhythm APIs
  • Demonstrated examples based on real world use cases
  • Where to find additional information
  • How you can get started using LogRhythm.Tools

3:30 PM - 4:30 PM MDT

SOAR

LogRhythm DX and You: Learn Troubleshooting Tips and Tricks for Your Linux DX

Heather Janelle, Principal Technical Support Engineer, LogRhythm

The LogRhythm Linux DX is one of the most powerful components of the LogRhythm SIEM; however, administering and supporting the DX can be a challenge for those who do not have a strong Linux background.

Join this Webinar to learn how to support your Linux DX and get quicker resolutions when you need to go to LogRhythm Support when there is an issue.

You’ll learn:
  • Key log file locations and which logs to attach to a Support case
  • Helpful curl commands
  • Helpful Linux commands
  • How to use Grafana to evaluate the health of your DX

3:30 PM - 4:30 PM MDT

SIEM

Opening Keynote feat. Abid Adam of Axiata Group

Mark Logan, President & CEO LogRhythm | Abid Adam, Group Chief Risk & Compliance Officer, Axiata Group Berhad

Digital transformation has accelerated around the world and cyber attacks have increased in parallel. Organizations are pivoting to adapt to these rapid changes and protect their community of customers, employees, and their interests. The work of security professionals is more important now than ever before. Join LogRhythm CEO Mark Logan in this opening RhythmWorld keynote to learn what is happening in the cyber market, hear from one of the world’s top CISOs, Abid Adam of Axiata Group Berhad, and get an overview of the innovations LogRhythm has in store to empower security executives and professionals to do their best work.

8:00 PM - 9:30 PM MDT

Cybersecurity Implications on Society – It’s Security’s Time to Shine feat. Forrester

Jinan Budge, Forrester

It is increasingly clear that cybersecurity decisions have broader societal implications than ever before. In 2020 and beyond, technology promises to change our experience and significantly enhance our way of life. Society and humanity increasingly depend on tech to work, learn, and socialise. But that dependence is also making our technology, and us, targets. To be successful in this new era, CISOs, executives, and security professionals will need to redouble their efforts to navigate the maze of organizational politics and detractors, engage with the business, and place people and culture at the heart of their security program to influence change. Jinan Budge shares insights to help you focus your vision and approach team, organizational and external security culture change as strategically as you would any other part of your security program.

9:30 PM - 10:30 PM MDT

Asia Pacific Regional Small Group Discussion

Join a conversation and share best practices with your peers in the Asia Pacific region. This discussion will be facilitated by Professional Services consultant, Brian Holt, and Customer Success Manager, Michael Hubbard.

Attendance is capped at 30 customer attendees and will be managed on a first-come, first-served basis.

10:30 PM - 11:30 PM MDT

Asia Pacific Hands-on Labs Help

Please join LogRhythm technical experts in a live session intended to address questions and provide assistance related to Hands-on Labs.

11:30 PM - 12:30 AM MDT

Overcoming the Skills Shortage for Modern and Effective Security Operations Panel

Andrew Hollister, LogRhythm Labs & Security Advisor to the CSO | Andrew Costis, Senior Threat Researcher, VMware Carbon Black | Randall Otto, Director, Global Recruiting, LogRhythm | Adam Saunders, Information Security Manager, Bourne Leisure

In a perfect world, your organization would staff a 24×7 SOC with highly talented cybersecurity professionals to secure its IT environment. But the truth is, a seemingly endless stream of new and complex cyber-attacks has driven the demand for qualified professionals through the roof and the number of unfilled positions has soared.

While there is no one-size-fits-all approach to solving the cybersecurity skills gap, our panel of experts will provide practical advice for finding and building a team with the right set of skills. Panelists will also discuss critical skill sets and outline resources to help you grow in your cybersecurity career. Moderated by Andrew Hollister, Senior Director of LogRhythm Labs.

You’ll learn:

  • Global state of cybersecurity and recruiting
  • Approaches to overcome the cybersecurity skill gap
  • Tips to build experience and diversity in your security team
  • Ways to grow your career

2:00 AM - 3:00 AM MDT


Gh0st Hunting with Netmon DPA Rules (And Other Cool Stuff)

Dan Crossley, Manager, Enterprise Sales Engineering, LogRhythm

Most customers use LogRhythm NetMon for network traffic visibility, but the NetMon Deep Packet Analytics (DPA) engine takes network analytics to a whole new level. DPA rules can detect malware communications such as C2 traffic and Domain Generation Algorithms (DGAs), SMB and DNS vulnerabilities, ICMP tunneling and more! The intention of this technical deep dive is to provide practical solutions to common network threat detection problems.

In this talk, I will introduce NetMon Deep Packet Analytics rules by using them to solve five example use-cases:

  • Detecting Gh0st Rat communications
  • Detecting a vulnerability to EternalBlue
  • Detecting a DNS exploit against Windows Domain Controllers known as ‘SIGRed’ (CVE-2020-1350)
  • Detecting a possible malware DGA activity
  • Detecting ICMP tunneling



This talk is accompanied by a hands-on lab ‘NetMon DPA Rules’; attendees are encouraged to take part to reinforce the lessons from this session. Lastly, it is encouraged for attendees of this talk to also listen to the ‘Malware Analysis 101’ session which expands on some of the core topics within this session.
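The first use case above, Gh0st RAT detection, rests on the wire format used by the publicly released Gh0st source: a 5-byte flag (the string "Gh0st" by default), a 4-byte little-endian total frame length, a 4-byte little-endian inflated length, then a zlib-compressed body. The Python below is an added example written for this page, not code from the session or from LogRhythm NetMon. It validates candidate frames the way a DPA rule would have to, checking declared lengths against the bytes present and requiring the body to inflate to exactly the advertised size, rather than matching on the flag string alone. The 1 MiB inflate cap, the sample payloads and the sample stream are all constructed for the example.

```python
"""Detect Gh0st RAT framing in reassembled TCP payload bytes (added example)."""
import struct
import zlib

# Frame layout from the publicly released Gh0st RAT source: a 5-byte flag, a 4-byte
# little-endian total frame length (header included) and a 4-byte little-endian
# length of the body once inflated, followed by a zlib stream. Forks routinely
# change the flag string, so GH0ST_FLAG is a starting point, not a complete signature.
GH0ST_FLAG = b"Gh0st"
HDR_LEN = 13
MAX_INFLATED = 1 << 20   # assumed cap: refuse to inflate bodies that claim more than 1 MiB


def parse_gh0st_frame(data: bytes, offset: int = 0):
    """Return a dict for the frame starting at `offset`, or None if it is not a Gh0st frame.

    Every declared length is checked against the bytes actually present and the body
    must inflate cleanly to exactly the advertised size, so the bare string "Gh0st"
    inside ordinary traffic (a URL, an HTML page) does not trigger a match.
    """
    if len(data) - offset < HDR_LEN or data[offset:offset + 5] != GH0ST_FLAG:
        return None
    total_len, inflated_len = struct.unpack_from("<II", data, offset + 5)
    if total_len <= HDR_LEN or offset + total_len > len(data) or inflated_len > MAX_INFLATED:
        return None
    body = data[offset + HDR_LEN:offset + total_len]
    inflater = zlib.decompressobj()
    try:
        plain = inflater.decompress(body, MAX_INFLATED + 1)
    except zlib.error:
        return None
    if not inflater.eof or len(plain) != inflated_len or not plain:
        return None
    return {
        "offset": offset,
        "total_len": total_len,
        "inflated_len": inflated_len,
        "token": plain[0],    # first inflated byte is the command token in the public source
        "payload": plain[1:],
    }


def scan_stream(data: bytes):
    """Walk a reassembled stream and return every valid Gh0st frame it contains, in order."""
    frames = []
    pos = 0
    while True:
        pos = data.find(GH0ST_FLAG, pos)
        if pos < 0:
            return frames
        frame = parse_gh0st_frame(data, pos)
        if frame is None:
            pos += 1               # flag string without a valid frame behind it: keep looking
        else:
            frames.append(frame)
            pos += frame["total_len"]


def build_gh0st_frame(plain: bytes) -> bytes:
    """Encode `plain` the way the public source does; used here only to construct sample traffic."""
    body = zlib.compress(plain)
    return GH0ST_FLAG + struct.pack("<II", HDR_LEN + len(body), len(plain)) + body


# Constructed sample stream: two back-to-back frames, an HTTP request that merely contains
# the flag string, and a third frame cut short as it would be after a capture drop.
SAMPLE_LOGIN = b"\x64" + b"Windows 10 Pro|WORKSTATION-07|10.0.0.23"   # token byte + fake host info
SAMPLE_STREAM = (
    build_gh0st_frame(SAMPLE_LOGIN)
    + build_gh0st_frame(b"\x65" + b"heartbeat")
    + b"GET /Gh0st.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
    + build_gh0st_frame(b"\x66" + bytes(range(256)) * 4)[:-20]
)

if __name__ == "__main__":
    for f in scan_stream(SAMPLE_STREAM):
        print(f"frame @{f['offset']}: token={f['token']} total_len={f['total_len']} "
              f"payload={f['payload'][:40]!r}")
```

Running the script reports the two complete frames and skips both the HTTP request and the truncated frame. In a DPA rule the same three checks (flag, length bounds, clean inflate to the declared size) are what keep a Gh0st signature from firing on every web page that mentions the malware.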

3:00 AM - 4:00 AM MDT

NetMon


Threat Intelligence Platform and LogRhythm

Oliver Gheorghe, Enterprise Sales Engineer, LogRhythm |  Sander Bakker, Enterprise Sales Manager, LogRhythm

The goal of Cyber Threat Intelligence (CTI) is to take a proactive approach to InfoSec. Threat intelligence aggregates external indicators of compromise (IOCs) and integrates them into a unified workflow to mature security operations.

Join this session to learn about the current CTI space, technologies, use cases, best practices and how your existing tools can leverage cyber threat intelligence. Presenters include Sander Bakker, a veteran in the cybersecurity space, and Oliver Gheorghe, a former CTI consultant and OASIS member.


You’ll learn:

  • The current state of CTI
  • Benefits of CTI use in daily workflows
  • Common practices and use-cases within the security space
  • Examples of how to use CTI within the LogRhythm Platform to drive valuable investigations

3:00 AM - 4:00 AM MDT

SIEM


Effective Ways to Leverage NetworkXDR in Your Environment

Ramy Ahmad, Manager, Enterprise Sales Engineering, LogRhythm

There’s nothing like having visibility into the internal activity of endpoints for detecting threats, but you can’t always deploy an agent on every system or get logs from them. The beauty of network monitoring is the wide visibility it provides into the interactions between endpoints, servers and the Internet at large, all from relatively few points of observation throughout your network, and without touching any endpoints.

In this training session, join Ramy Ahmad, LogRhythm sales engineer, as he discusses real-life use cases to increase visibility into your network.

These scenarios include:

  • Tracking Operational Technology (OT) and Internet of Things (IoT): OT has historically received little attention from IT, and IoT is still perceived to be emerging. However, both of these areas deserve vigilance, and you might be very surprised when you start analyzing them on your network.
  • DNS: The bad guys depend on DNS for finding their infrastructure (e.g. command & control) and they exploit it as a communications channel. If you aren’t analyzing DNS queries on your network, you’re missing out.
  • Database Traffic: At the end of the day, data is the number one thing you are trying to protect, and that data lives in databases (DB). The reality is that few DB admins will permit a SIEM agent on their delicately tuned database servers. The network is a non-intrusive way of getting visibility into that plane of activity. Ramy will show you database traffic flows you didn’t even know were present. In fact, the whole Equifax breach could have been detected much sooner if they’d been monitoring DB traffic.
  • Detecting Ransomware and Clear Text Passwords: Stay tuned on this one – it’s interesting!


Please join us for this hands-on and technical event where we get down and dirty with packets.
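The DNS use case above is the one a detection engineer most often has to make concrete: a domain generation algorithm shows up as one client issuing bursts of queries for unpronounceable names that mostly come back NXDOMAIN. The Python below is an added example, not code from the session or from NetworkXDR. It scores the registrable label of each query with a handful of randomness heuristics and reports clients that accumulate several distinct DGA-like NXDOMAIN names. The log layout (timestamp, client, query name, response code), the thresholds and the sample lines are all constructed for the example, and the label extraction assumes a one-label public suffix.

```python
"""Flag clients whose DNS queries look like a domain generation algorithm at work (added example)."""
import math
from collections import Counter, defaultdict

VOWELS = set("aeiou")
MIN_SCORE = 3        # assumed: heuristics a label must trip before it counts as DGA-like
MIN_DISTINCT = 3     # assumed: distinct DGA-like NXDOMAIN names before a client is reported


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; a label built from many distinct characters scores high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def max_nonvowel_run(s: str) -> int:
    """Longest run of characters that are not vowels (consonants, digits, hyphens)."""
    run = best = 0
    for ch in s:
        run = 0 if ch in VOWELS else run + 1
        best = max(best, run)
    return best


def registrable_label(qname: str) -> str:
    """Second-level label of a query name, e.g. 'google' for 'mail.google.com'.
    Assumes a one-label public suffix; co.uk-style suffixes need a public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def dga_score(label: str) -> int:
    """Number of randomness heuristics the label trips, 0 to 5."""
    label = label.lower()
    n = len(label)
    if n == 0:
        return 0
    score = 0
    if shannon_entropy(label) > 3.0:                      # many distinct characters for its length
        score += 1
    if n >= 12:                                           # long labels are rare in human-chosen names
        score += 1
    if sum(ch in VOWELS for ch in label) / n < 0.25:      # pronounceable names carry vowels
        score += 1
    if max_nonvowel_run(label) >= 4:                      # long consonant/digit runs are unpronounceable
        score += 1
    if sum(ch.isdigit() for ch in label) / n > 0.2:       # digit-heavy labels
        score += 1
    return score


def analyze(log_text: str):
    """Parse 'timestamp client qname rcode' lines and return {client: [DGA-like NXDOMAIN names]}
    for every client that reaches MIN_DISTINCT such names."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, rcode = parts
        if rcode == "NXDOMAIN" and dga_score(registrable_label(qname)) >= MIN_SCORE:
            hits[client].add(qname.lower())
    return {c: sorted(names) for c, names in hits.items() if len(names) >= MIN_DISTINCT}


# Constructed sample: one client cycling through generated names, one browsing normally.
SAMPLE_QUERIES = """\
2020-09-16T03:12:01Z 10.0.0.23 mail.google.com NOERROR
2020-09-16T03:12:02Z 10.0.0.23 xk3jq9vz1p0lw7.biz NXDOMAIN
2020-09-16T03:12:02Z 10.0.0.23 qwpvkfjtrzmb.net NXDOMAIN
2020-09-16T03:12:03Z 10.0.0.23 d3fgh7k2lmnp.com NXDOMAIN
2020-09-16T03:12:03Z 10.0.0.23 ajkdtuvwxz.org NXDOMAIN
2020-09-16T03:12:04Z 10.0.0.50 stackoverflow.com NOERROR
2020-09-16T03:12:05Z 10.0.0.50 www.microsoft.com NOERROR
2020-09-16T03:12:06Z 10.0.0.50 qwpvkfjtrzmb.net NXDOMAIN
"""

if __name__ == "__main__":
    for client, names in analyze(SAMPLE_QUERIES).items():
        print(f"{client}: {len(names)} DGA-like NXDOMAIN names, e.g. {names[:3]}")
```

A long legitimate name such as stackoverflow trips two heuristics (length and entropy) and stays under the threshold, which is why the per-name score is combined with the NXDOMAIN condition and a per-client count before anything is reported: single odd-looking names are common, a host burning through many of them in seconds is not.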

4:00 AM - 5:00 AM MDT

NetMon


Automating Adversarial Emulation with LogRhythm Echo

Daniel Crossley, Manager, Enterprise Sales Engineering, LogRhythm | Imran Hafeez, Analytic Co-Pilot Consultant, LogRhythm

Control testing is critical to maintaining a good security posture and ensuring the security of your digital assets, and it need not be limited to technical controls. In this talk, you will learn how to implement a control testing schedule by ‘emulating an adversary’: targeting your tests at relevant adversarial activity based on MITRE research, and using tools such as LogRhythm Echo and MITRE CALDERA to test your LogRhythm AI Engine rules and SOC processes, such as response time and response procedures.
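Both the Purple Teaming session and this one come down to the same measurement: for each adversary technique you emulate, did a rule fire, and how long after execution? The Python below is an added example, not code from either session, from LogRhythm Echo or from CALDERA. It scores a run by ATT&CK technique ID, computing coverage, mean time to detect, the undetected gaps and a per-tactic tally, and it ignores alerts that fired before a test ran so stale noise does not count as coverage. The technique IDs are real ATT&CK IDs, but the test plan, the alert timestamps and the 30-minute detection window are constructed for the example.

```python
"""Scorecard for a purple-team run: which emulated ATT&CK techniques were detected, and how fast (added example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class TestCase:
    technique: str        # ATT&CK technique ID the test emulates
    tactic: str
    name: str
    executed_at: datetime


@dataclass
class Alert:
    technique: str        # ATT&CK technique ID the detection rule is mapped to
    fired_at: datetime


def time_to_detect(case, alerts, window):
    """Delay from execution to the earliest alert for the same technique inside `window`,
    or None if no alert qualifies. Alerts that fired before the test ran are ignored."""
    hits = [a.fired_at for a in alerts
            if a.technique == case.technique
            and case.executed_at <= a.fired_at <= case.executed_at + window]
    return min(hits) - case.executed_at if hits else None


def score_run(cases, alerts, window=timedelta(minutes=30)):
    """Summarise a run: coverage ratio, mean time to detect, undetected tests and a
    (detected, planned) tally per tactic."""
    results = [(c, time_to_detect(c, alerts, window)) for c in cases]
    detected = [ttd for _, ttd in results if ttd is not None]
    by_tactic = {}
    for c, ttd in results:
        hit, total = by_tactic.get(c.tactic, (0, 0))
        by_tactic[c.tactic] = (hit + (ttd is not None), total + 1)
    return {
        "coverage": len(detected) / len(results) if results else 0.0,
        "mttd": sum(detected, timedelta()) / len(detected) if detected else None,
        "gaps": [c for c, ttd in results if ttd is None],
        "by_tactic": by_tactic,
        "results": results,
    }


# Constructed sample: a five-step plan and the alerts the SIEM raised during the run.
T0 = datetime(2020, 9, 16, 14, 0, 0)
PLAN = [
    TestCase("T1059.001", "Execution", "PowerShell download cradle", T0),
    TestCase("T1003.001", "Credential Access", "LSASS memory read", T0 + timedelta(minutes=10)),
    TestCase("T1047", "Execution", "Remote process start via WMI", T0 + timedelta(minutes=20)),
    TestCase("T1021.002", "Lateral Movement", "Copy to admin share", T0 + timedelta(minutes=30)),
    TestCase("T1071.001", "Command and Control", "HTTP beacon", T0 + timedelta(minutes=40)),
]
ALERTS = [
    Alert("T1003.001", T0 - timedelta(minutes=5)),              # fired before the test: ignored
    Alert("T1059.001", T0 + timedelta(minutes=2)),
    Alert("T1003.001", T0 + timedelta(minutes=10, seconds=45)),
    Alert("T1047", T0 + timedelta(minutes=24)),
    Alert("T1071.001", T0 + timedelta(hours=3)),                # far outside the window: a gap
]

if __name__ == "__main__":
    report = score_run(PLAN, ALERTS)
    print(f"coverage {report['coverage']:.0%}, mean time to detect {report['mttd']}")
    for tactic, (hit, total) in report["by_tactic"].items():
        print(f"  {tactic}: {hit}/{total}")
    for case in report["gaps"]:
        print(f"  GAP {case.technique} {case.name}")
```

On the sample plan the run scores 60% coverage with a mean time to detect of 135 seconds, and the two gaps (admin-share copy, HTTP beacon) are exactly the rows that would become new detection work items or case tags for the next engagement. Mapping every test and every rule to a technique ID is what makes the tally meaningful across runs.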

4:00 AM - 5:00 AM MDT

SOC Excellence


Europe Regional Small Group Discussion

Join a conversation and share best practices with your peers in the European region. This discussion will be facilitated by Professional Services consultant, Simon McDowell and Senior Customer Success Manager, Amar Kaila.

Attendance is capped at 30 customer attendees and will be managed on a first-come, first-served basis.

5:00 AM - 6:00 AM MDT


Middle East, Turkey & Africa Regional Small Group Discussion

Join a conversation and share best practices with your peers in the Middle East, Turkey, and Africa regions. This discussion will be facilitated by Professional Services consultant, Haitham Ali Bushara and Customer Success Manager, Majid Dohaji.


Attendance is capped at 30 customer attendees and will be managed on a first-come, first-served basis.

5:00 AM - 6:00 AM MDT


European Hands-on Labs Help


Please join LogRhythm technical experts in a live session intended to address questions and provide assistance related to Hands-on Labs.

6:00 AM - 7:00 AM MDT


The State of Cybersecurity Panel

James Carder, CSO, LogRhythm | Steve Surdu, Principal, Surdu Consulting | Rob Lee, Head of Faculty and Curriculum Executive Director at SANS | Jake Williams, SANS Sr. Instructor, Founder, Rendition InfoSec | Chris Stangl, Section Chief, FBI

2020 is proving to be another year of front-page ransomware attacks, state-sponsored hacking campaigns, and waves of data breaches. On top of direct attacks, security teams are facing natural disasters, a complicated geopolitical environment, and a changing workplace. Considering the continuously evolving threat landscape, what is the state of cybersecurity today?


In this panel, industry leaders will discuss the security industry as it stands today and their insights into the future. They’ll also cover the biggest threats, latest innovations, and their visions for the industry.


This panel is moderated by James Carder, LogRhythm Chief Security Officer. James is joined by several information security titans, including:

  • Rob Lee, Head of Faculty and Curriculum Executive Director at SANS (former member of the US Air Force Office of Special Investigations (AFOSI) and Director at Mandiant)
  • Steve Surdu, Principal, Surdu Consulting (former Vice President of Services and Incident Response at Mandiant)
  • Jake Williams, Founder, Rendition Infosec (IANS Faculty Member and industry thought leader @MalwareJake)
  • Chris Stangl, Section Chief, Cyber Division, FBI

8:00 AM – 9:00 AM MDT


Cybersecurity Implications On Society – It’s Security’s Time To Shine

Jinan Budge, Principal Analyst Forrester

It is increasingly clear that cybersecurity decisions have broader societal implications than ever before. In 2020 and beyond, technology promises to change our experience and significantly enhance our way of life. Society and humanity increasingly depend on tech to work, learn, and socialise. But that dependence is also making our technology, and us, targets. To be successful in this new era, CISOs, executives, and security professionals will need to redouble their efforts to navigate the maze of organizational politics and detractors, engage with the business, and place people and culture at the heart of their security program to influence change. Jinan Budge shares insights to help you focus your vision and approach team, organizational and external security culture change as strategically as you would any other part of your security program.

9:00 AM - 10:00 AM MDT


Managing Security and Operational Risk in Critical Infrastructure Panel

James Carder, CSO, LogRhythm | Jeff Schmidt, CEO, Avertium | Rob Sweeney, Senior Information Security Engineer, Penn Medicine | Stephen Dyson, Sr. Security Operations Analyst, Penn Medicine | Robert M. Lee, CEO, Dragos | Sam Masiello, CSO, Gates Corporation

Attacks on operational technology (OT) have been on the rise for a decade. The rise began with the Stuxnet worm, discovered in 2010, which attacked Programmable Logic Controllers (PLCs) in SCADA systems, and it has increased sharply in the last few years. Not only do these attacks threaten national interests, but as OT continues to be vital in day-to-day operations, overall business continuity is also endangered. As such, detecting OT threats has become a top priority as governments and organizations around the world implement programs and deliver mandates to protect critical infrastructure and business operations, across all sectors and verticals.


While limiting security and operational risk is a crucial issue, sometimes it’s easier said than done. Join this panel to hear security experts from across industries discuss business challenges, ways to evaluate risk, and strategies to reduce business risk with operational technology.


Moderated by James Carder, LogRhythm Chief Security Officer.


You’ll learn:

  • Overview of operational risk and technologies associated with different critical industries
  • How security plays a role in operations and achieving business continuity
  • Ways your peers have effectively met business challenges
  • Recommendations to manage security and operational risk

10:00 AM - 11:00 AM MDT


LogRhythm Troubleshooting

Justin Henning, Solutions Engineer, LogRhythm | Joseph Mastromarino, Manager, Sales Engineering, LogRhythm

Maintaining the health of your LogRhythm deployment is critical to keeping your security and operations program running smoothly. In this session, experts from LogRhythm will take an in-depth look at diagnosing and resolving the root causes of three different common issues, using proven methodology from the field.


You’ll learn:

  • Troubleshooting best practices
  • Where to find additional troubleshooting resources
  • Tips for working with Support to help quickly resolve tickets

11:00 AM - 12:00 PM MDT

SIEM


Malware Analysis 101

Dan Crossley, Manager, Enterprise Sales Engineering, LogRhythm | Sally Vincent, Threat Research Engineer, LogRhythm

A malware analyst is made up of two parts: one part reverse-engineer and one part detective. The goal of these white hats is to understand how a piece of malware works in order to ultimately help detect and defend against it. This exciting area of cybersecurity is not limited to specialized engineers with formal education, as many resources are available for those willing to learn.

In this webinar, cybersecurity veterans Daniel Crossley and Sally Vincent will give an overview of malware analysis. Additionally, the pair will provide the tools and techniques to start your own malware analysis lab.

Key takeaways:

  • How to build a malware analysis lab
  • Static analysis techniques
  • Dynamic analysis techniques
  • Introduction to disassembly

11:00 AM - 12:00 PM MDT

Threat Hunting


Improving Threat Hunting With LogRhythm

Marcos Schejtman, Principal Sales Engineer, LogRhythm | Luis Castaneda, Enterprise Sales Representative, LogRhythm

Cybercriminals can compromise systems in just a matter of minutes. However, it could take weeks or even months to detect a possible threat. To reduce your mean time to detect (MTTD) and your mean time to respond (MTTR) to cyberthreats, you need to find a solution to automate your threat hunting capabilities.


This session will cover best practices to improve your threat hunting using LogRhythm.


You’ll learn:

  • Threat Hunting Techniques
  • Risk-Based Priority and Dashboard Cache
  • Configuring LogRhythm Dashboards
  • AI Engine Tuning
  • Playbooks and SmartResponse Plugin Best Practices

11:00 AM - 12:00 PM MDT

Threat Hunting


Designing a Resilient Enterprise Logging Architecture

Andrew Pettet, Enterprise Sales Engineer | Jake Haldeman, Manager, Sales Engineering Operations, LogRhythm

Every organization is unique, with a different set of operational circumstances governing specific requirements and the scope of implementation. A network might be highly segmented due to security policies or geographic distribution, mandating specific collection capabilities. Or an organization might be constrained by budget and staffing limitations, requiring an incremental approach to rolling out a deployment. No matter the circumstances, architecture plays an important role in determining the long-term success of any SIEM implementation.

In this session, learn about the different architectural components of LogRhythm and the benefits of a proper configuration. Using real-world examples taken from the field, the presenters will outline the advantages of the LogRhythm Unified License Program (ULP) and how you can add resilience to your LogRhythm deployment.

You’ll learn:

  • LogRhythm architecture basics
  • Ways to thoughtfully expand your existing environment and how to structure entities
  • The benefits of ULP
  • Key metrics to measure your security maturity

12:00 PM - 1:00 PM MDT

SIEM


The Power of NetMon

Soren Frederiksen, Professional Services Consultant, LogRhythm

The LogRhythm Network Monitor is an extremely powerful tool that can really enhance your security posture. The standalone NetMon appliance will give you the ability to closely monitor activity on the network, looking for suspicious or excessive traffic, and alert you to potential security issues. Integrating the system with the LogRhythm SIEM will enhance this ability and allow you to correlate suspicious activity observed on individual computers with suspicious network activity. This presentation will show examples of suspicious network activity and demonstrate how the Network Monitor is able to capture and alert on this behavior.

12:00 PM - 1:00 PM MDT

NetMon


LogRhythm and Jupyter Notebook

Brian Coulson, Principal Threat Research Engineer, LogRhythm | Sally Vincent, Threat Research Engineer, LogRhythm | Dan Kaiser, Threat Research Sr. Engineer, LogRhythm

This session is based on an article by John Lambert, “The Githubification of InfoSec”, in which John writes: “If organizations were to contribute and share their unique expertise using these frameworks, and organizations were in this way to build on the expertise of others, defenders in every organization would benefit from the best defense in any organization.” We will explore how Jupyter Notebook can be used with LogRhythm in ways that champion the concept John describes.


Dan Kaiser, threat research senior engineer, Sally Vincent, threat research engineer, and Brian Coulson, principal threat research engineer, will demonstrate three distinct projects using Jupyter Notebook and its integrations with LogRhythm. You will see how Jupyter Notebook uses the LogRhythm REST API, works with Case and Search, queries MITRE ATT&CK, and performs threat hunting in a shareable manner.


You’ll learn:

  • What is Jupyter Notebook, and how to install it
  • Integration with the LogRhythm REST API
  • Jupyter Notebook and LogRhythm Use Cases
  • Shareable LogRhythm Jupyter Notebooks created by LogRhythm Labs

12:00 PM - 1:00 PM MDT

Threat Hunting


Media/Technology Small Group Discussion

Join a conversation and share best practices with your peers in the Media and Technology Industry. This discussion will be facilitated by Professional Services Consultant, Connor Lutz and Senior Customer Success Manager, Brandon Fox.


Attendance is capped at 30 customer attendees and will be managed on a first-come, first-served basis.

1:00 PM - 2:00 PM MDT


Healthcare Small Group Discussion


Join a conversation and share best practices with your peers in the Healthcare industry. This discussion will be facilitated by Senior Professional Services Consultant, Derek Dalby and Senior Customer Success Manager, Amanda Wills.


Attendance is capped at 30 customer attendees and will be managed on a first-come, first-served basis.

1:00 PM - 2:00 PM MDT


Education Small Group Discussion

Join a conversation and share best practices with your peers in the Education space. This discussion will be facilitated by Senior Professional Services Consultant, Scott McDonough and Customer Success Manager, Amy Johnson.


Attendance is capped at 30 customer attendees and will be managed on a first-come, first-served basis.

1:00 PM - 2:00 PM MDT


LATAM Small Group Discussion

Join a conversation and share best practices with your peers in the Latin America region. This discussion will be facilitated by our Sales Engineers in the region, Marcos Schejtman, Carlos Alcocer, and Luis Rico and Customer Success Manager, Neri Perez.


Attendance is capped at 30 customer attendees and will be managed on a first-come, first-served basis.

1:00 PM - 2:00 PM MDT


Hands-on Labs Help

Please join LogRhythm technical experts in a live session intended to address questions and provide assistance related to Hands-on Labs.

1:00 PM - 2:00 PM MDT


Using LogRhythm to Defend Your Organization Against Ransomware

Sean Heffley, Senior Sales Engineer, LogRhythm | Aaron Beardslee, Analytic Co-Pilot Consultant, LogRhythm

As ransomware attacks continue to hit the headlines around the globe, they pose a major threat to businesses of all sizes. How do you protect your organization against ransomware effectively to reduce risk?

This session will discuss how to use LogRhythm to defend your organization against ransomware.

You’ll learn:

  • Updates on the most recent attacks
  • Deep technical analysis of what happens on an endpoint that is infected by ransomware
  • How to defend your organization against ransomware
  • Using LogRhythm to quickly identify and remediate a ransomware attack

2:00 PM - 3:00 PM MDT

SIEM


Threat Hunting with NetworkXDR

Eric Brown, Sr. Security Analyst, LogRhythm | Brian Coulson, Principal Threat Research Engineer, LogRhythm

Getting to know your network data is difficult in a DevOps environment. How do you know what is a threat, a bad practice, a misconfiguration, etc.? How do you focus on finding threats and weeding out the other observations? Through threat hunting and using the tools available in the LogRhythm SOC, we’ll demonstrate how to use NetMon and the LogRhythm SIEM to hunt for network threats based on real use cases observed at LogRhythm.

2:00 PM - 3:00 PM MDT

NetMon


Threat Hunting With ATT&CK Technique “X”

Brian Coulson, Principal Threat Research Engineer, LogRhythm | Dan Kaiser, Sr. Threat Research Engineer, LogRhythm | Sally Vincent, Threat Research Engineer, LogRhythm

Threat hunting with MITRE ATT&CK techniques can be approached in several ways. Join members of the LogRhythm Labs team as they take you on a journey of how to use MITRE ATT&CK techniques and LogRhythm to make your threat hunting activities more valuable and effective. They will start the journey using the known techniques of MITRE ATT&CK Group APT 29, also known as the Russian threat actor group The Dukes or Cozy Bear. The team will describe the known Indicators of Compromise (IOCs), such as file hashes and IP addresses, and how IOCs play into MITRE ATT&CK technique searches and dashboards. Finally, the team will dig into more unknown, or suspicious, activity based on the techniques by focusing on encoded PowerShell.

You’ll learn:

  • Threat hunting made easy using MITRE ATT&CK techniques
  • How to create custom LogRhythm dashboards and searches
  • Moving from known, to unknown, and back to known to increase your detection capabilities

2:00 PM - 3:00 PM MDT

Threat Hunting


Unleash the Power of Analyze

Travis Holland, Sr. Professional Services Consultant, LogRhythm

The LogRhythm NextGen SIEM Platform is undeniably a powerful tool; unfortunately, some customers aren’t using the product to its full potential. This session will discuss features and best practices that can help make you more efficient in your day-to-day activities. Specifically, the presenter will cover the basics of managing a healthy events database and tips for managing the LogRhythm Web Console. Additionally, he’ll discuss standard and new features found in the Web Console, such as Tail, that can improve your effectiveness as an analyst.

You’ll learn:

  • How to leverage Analyze dashboards to glean powerful insights from your data
  • Best practices when working with the events database
  • Web Console features and functionality

3:00 PM - 4:00 PM MDT

SIEM


Educational Partnerships Panel

Joe Murdock, Faculty, UC Denver | Jim Kowatch, CEO, InfoSec Learning | Barry Krauss, Director of Training, LogRhythm | Jordan Kent, LogRhythm

LogRhythm and the University of Colorado Denver partnered in 2019 to develop an online graduate course in IT Risk Management. Delivered in the Spring of 2020, this course provided students with the fundamentals of security analysis in the commercial enterprise and featured hands-on labs using the LogRhythm NextGen SIEM. The course culminated in the LogRhythm Security Analyst certification exam, which not only gave students an understanding of how to detect and respond to a real-world cyber threat but also offered instant career marketability with an industry-recognized certification.


Since then, LogRhythm has partnered with numerous other higher education institutions to provide real-world, hands-on training to the security analysts of tomorrow. This panel features a conversation between LogRhythm, CU Denver, and InfoSec Learning on their goals, challenges, outcomes, lessons learned, and future plans. If you’re a customer from an institute of higher learning, or a partner with EDU customers, this is a session you don’t want to miss.

3:00 PM - 4:00 PM MDT

General


Lessons Learned in the First Year of Creating AI Engine Detection Rules

Brian Coulson, Principal Threat Research Engineer, LogRhythm | Dan Kaiser, Sr. Threat Research Engineer, LogRhythm | Sally Vincent, Threat Research Engineer, LogRhythm

On April 9th, 2019, LogRhythm Labs released the MITRE ATT&CK Module, with a focus on high efficacy technique detections. Since our initial release, we’ve learned a lot regarding what techniques are the most valuable to detect, how to optimally threat hunt using the techniques, and where we should focus next in our MITRE ATT&CK technique detections.


Dan Kaiser, threat research senior engineer, Sally Vincent, threat research engineer, and Brian Coulson, principal threat research engineer, will focus heavily on MITRE ATT&CK Technique: PowerShell, ID: T1059.001. Microsoft PowerShell is a modular shell native to Windows that, with PowerShell 7, also works on Linux and Mac. PowerShell enables users and administrators to do tasks in a very efficient way. It is also heavily abused by adversaries performing malicious actions. How does LogRhythm Labs design a detection for a technique that can be used for good and for bad? We will present our challenges, from additional logging requirements, detecting PowerShell usage, and testing PowerShell detections, to how you can take detections that generate a high volume of events and turn them into actionable alarms.


Key takeaways:

  • MITRE ATT&CK Technique development process
  • Tips and Tricks on tuning techniques to become actionable alarms in your environment
  • Focus on many ways PowerShell can be detected

3:00 PM - 4:00 PM MDT

Threat Hunting


Asia Pacific Regional Small Group Discussion

Join a conversation and share best practices with your peers in the Asia Pacific region. This discussion will be facilitated by Professional Services Consultant, Brian Holt and Customer Success Manager, Michael Hubbard.

Attendance is capped at 30 customer attendees and will be managed on a first-come, first-served basis.

9:00 PM - 10:00 PM MDT


Asia Pacific Hands-on Labs Help

Please join LogRhythm technical experts in a live session intended to address questions and provide assistance related to Hands-on Labs.

10:00 PM - 11:00 PM MDT


Europe Regional Small Group Discussion

Join a conversation and share best practices with your peers in the European region. This discussion will be facilitated by Professional Services Consultant, Joshua Wallace and Customer Success Manager, Lukas Appenzeller.

Attendance is capped at 30 customer attendees and will be managed on a first-come, first-served basis.

3:00 AM - 4:00 AM MDT

European Hands-on Labs Help

Please join LogRhythm technical experts in a live session intended to address questions and provide assistance related to Hands-on Labs.

4:00 AM - 5:00 AM MDT

LogWars Capture the Flag (CTF) Challenge

LogWars is back with more questions and advanced exercises. Compete against your peers in this Jeopardy-style CTF to find answers to a series of questions using the LogRhythm Web UI, alarms, and investigations. The player with the most points wins prizes and bragging rights. This year’s event is brought to you by our partners: Code42, NewCloud Networks, Optiv, Presidio, and Recorded Future.

8:00 AM – 9:30 AM MDT

Hands-on Labs Help

Please join LogRhythm technical experts in a live session intended to address questions and provide assistance related to Hands-on Labs.

10:00 AM - 11:00 AM MDT

Tail in Web and Search Improvements

In this lab, you will explore two new LogRhythm Web Console features that will be available in LogRhythm 7.5, Tail and Search.

Basic Threat Hunting – Using FIM to Detect Unauthorized Access

Your company is concerned about unauthorized access to financial files. To help combat the potential threat, your SOC team created a LogRhythm File Integrity Monitoring (FIM) policy to monitor for unauthorized access. With the FIM policy in place you now must continue to monitor activity and investigate users attempting to access unauthorized areas.

In this lab, you will:

  • Investigate activity related to a FIM policy
  • Determine who maliciously accessed the monitored documents
  • Create a Case to document your findings
  • Uncover all actions the nefarious user took and preserve evidence in the case

Life of a Case – SOC 101

In this lab, you will live the life of a SOC analyst in a mature SOC. This lab will lead you through the case lifecycle, including opening a case, adding evidence, assigning collaborators, closing the case and reviewing case metrics.

An AI Engine alarm has been triggered for multiple password changes by an admin. These changes could potentially be used as future backdoors or to prevent the affected users from logging in to systems.


In this lab you will:

  • Review the alarm and details
  • Open a case
  • Add associated evidence to case
  • Assign a collaborator
  • Close case
  • Review case metrics

Building Dashboards and Drilldown Layouts

In this lab, you will practice optimizing the web console for your role in the SOC. You will gain hands on experience creating a dashboard, adding widgets, using the Lucene filter and setting up targeted drill-downs.

Set up a new dashboard based around data classifications, separating data by Audit, Security, and Operations through widgets. Use a 3 x 3 approach with the widgets and also build a targeted drill-down widget.


In this lab you will:

  • Build a dashboard
  • Set up and customize widgets
  • Set up a targeted drilldown through a custom widget

Building AI Engine Rules

In this lab, you will learn how to develop effective AI Engine rules. Starting with the basic building blocks of filters and rule blocks, you will also learn best practices for performance, including when to create an event versus an alarm.

Getting Started with and Building Kibana Dashboards

Kibana allows you to visualize data in any form you wish, to build custom visualizations, custom dashboards and to run your own searches and investigations against data held in LogRhythm’s DX.

In this lab, you will:

  • Perform Basic Search in Kibana
  • Search using Lucene Syntax
  • Build Visualizations
  • Build a Dashboard

Add Kibana to Your LogRhythm XM

Follow the installation process for adding Kibana to your LogRhythm instance. At the end of the lab, you will be able to set up Kibana and create your first “it’s working” dashboard.

In this lab you will:

  • Download the correct Kibana version
  • Install and configure Kibana
  • View LogRhythm data in Kibana

Open Collector Labs: 101, 202, 303

This lab is made of three different parts:

Open Collector 101 – Deploy an Open Collector

In this section, you’ll deploy the LogRhythm Open Collector and connect it to your SIEM environment.

Open Collector 202 – Import Community Device Support

In this section, you’ll use your setup from Open Collector 101 to import device support created by the LogRhythm Community into your Open Collector.

Open Collector 303 – Create Device Support

In this section, you’ll use your setup from Open Collector 101 and 202 to configure Filebeat, then write your own JSON parsing with “jq” to get normalized logs into the SIEM.

Building and Using Contextualization Actions

A security analyst uses many tools to triage alarms and perform research. Contextualize Actions speed up the process of looking up LogRhythm metadata in third-party tools. Learn how to create, deploy, and configure new web contextualization actions.

In this lab you will:

  • Create a Contextualize Action to look up IP Addresses in ARIN (American Registry for Internet Numbers)
  • Create a Contextualize Action to look up Windows Event IDs in Ultimate Windows Security
  • Understand the settings available in Contextualize Actions

Building SmartResponse Plugins

As a SOC team member, you are concerned with responding to threats promptly so that damage can be prevented or minimized. You want to create a SmartResponse that will log off users from a host. Learn how to create a simple SmartResponse plugin (SRP) from scratch. You will practice writing the wrapper, creating the payload, and deploying the plugin.

In this lab you will:

  • Review the PowerShell script
  • Create the SmartResponse plugin (SRP) XML wrapper
  • Import your SmartResponse
  • Test your SmartResponse

LogRhythm API 101

This lab will guide you through connecting to the LogRhythm API, performing some test requests, and creating a script to interface with the API.

This is achieved through the following steps:

  • Install Postman
  • Postman Setup
  • Set up LogRhythm for API access
  • Test Requests in Postman
  • Generate a Python code sample using Postman
  • Create a custom Python script using the code sample

Getting Started with ECHO

Ever set up a new AI Engine alarm and wondered if it will fire? In this lab, learn how to use the LogRhythm Echo tool to generate logs that can be used to validate a functional SIEM as well as test alarms.

In this lab you will:

  • Log into Echo
  • Browse for use cases
  • Fire the use case
  • Check out the alarm in the Web Console

Basic Log Source Lifecycle

Log source management is a key administrative task in any LogRhythm environment. As an administrator, you will spend a lot of time managing your log sources. In this lab, you will practice the key tasks necessary to get data flowing into LogRhythm!

Specifically you will:

  • Configure a new log source
  • Accept the log source and verify that data is being received
  • Upgrade the agent used to collect the log source
  • Retire the log source

Log Source Troubleshooting and Tuning

It is important for an administrator to know when certain critical Log Sources (e.g., firewall logs or Active Directory Security logs) have stopped collecting, and how to troubleshoot Log Sources that aren’t collecting. In addition, the lab will look at log source tuning using Global Log Processing Rules and Classification Based Data Management Settings.


In this lab you will:

  • Set up Silent Log Source Detection
  • Troubleshoot a Log that’s not collecting
  • Create a GLPR from Investigation Results
  • Adjust Classification Based Data Management Settings

Advanced Log Source Data Management

An essential part of tuning the SIEM involves overriding the default behavior of the Message Processing Engine. LogRhythm provides several tools to administrators to achieve the desired results. The most common are Global Log Processing Rules (GLPRs) and the Classification Based Data Management System.

In this lab you will:

  • Create a GLPR
  • Create a GLPR from Investigation Results
  • Adjust Classification Based Data Management Settings
  • Tune Events
  • Filter Logs at the System Monitor Agent

Getting Started with LogRhythm Phishing Intelligence Engine (PIE)

How does a SOC respond to a phishing message? By monitoring message tracking logs in Exchange or O365, getting phishing email reports into LogRhythm can be quick and fully automated, with an alarm that lets an analyst know when this occurs and kicks off a corresponding investigation in LogRhythm.

In this lab, you will import an Office 365 dashboard, simulate Office 365 log ingestion, and create an alarm that fires when a phishing email is reported.

How to Utilize Playbooks

Playbooks are a powerful tool to further enable your SOC. In this lab, you will empower your SOC analysts by creating a playbook. You will also configure the Case SmartResponse Plugin to automatically attach the playbook to specific types of cases. Finally, you will set up a dashboard to monitor metrics around case statuses.


In this lab you will:

  • Create a playbook
  • Attach a playbook to a case
  • Use SmartResponse to automatically add a playbook to a case
  • Set up a case metrics dashboard

Tuning AI Engine Rules

In this lab, you will start by examining basic performance stats for AI Engine in order to identify poorly behaving rules. You will practice techniques for improving rule performance by understanding AI Engine rule filter considerations and tuning out false positives or false negatives.

Monitoring Your Deployment

LogRhythm has multiple built-in reports and monitoring tools that can help an Administrator determine the overall utilization of the platform and whether it is healthy. This lab will demonstrate how to utilize these tools to maintain overall health and get the most out of your LogRhythm deployment.

In this lab you will:

  • Set up built-in automated reports using Report Center
  • Use the Deployment Monitor
  • Use the LogRhythm Diagnostics Tool

Getting Started with the LogRhythm.Tools PowerShell Module

Interacting with and integrating services through REST APIs can be a challenge. LogRhythm.Tools, a Windows PowerShell module, has been developed to expand the accessibility of LogRhythm’s RESTful APIs. Through this lab you will step through some of the capabilities of this toolkit to learn how you can interact with, integrate, and expand your use of LogRhythm.

In this lab you will:

  • Use a new, easier way to integrate with the LogRhythm APIs
  • Create, modify, and customize LogRhythm Lists
  • Trigger LogRhythm Echo Use Case
  • Initiate a LogRhythm SmartResponse that utilizes LogRhythm.Tools

Onboarding a New Log Source

You have been asked to bring on a log source that is not currently supported in LogRhythm’s Knowledgebase (i.e., a custom, proprietary log source, a new product that’s not yet supported, etc.). In this lab, you will live the life of a LogRhythm administrator that is tasked with bringing on a new, unsupported log source.

In this lab you will:

  • Create a new log source
  • Write a quick MPE rule to begin parsing the data
  • Create a new log processing policy
  • Add the new MPE rule to the new processing policy
  • Assign the new policy to the new log source
  • Begin parsing the data

Intro to Threat Hunting – SOC 202

Your SOC team is concerned the company’s financial information may be at risk. You create a LogRhythm File Integrity Monitoring (FIM) policy that monitors files in the F:\Finance directory on a honeypot server. The FIM policy name is FinanceDataFIM.


In this lab, you will gain hands-on experience in many of the techniques used by the best LogRhythm threat hunters. You will explore how to identify, qualify, and investigate potential threats using the Web Console.


In this lab you will:

  • Review the results of your financial data file monitoring
  • Determine who was accessing the documents
  • Find other actions the nefarious user took
  • Find where the documents were sent
  • Create a Case to document your findings

SmartResponse Plugin VirusTotal v2.1

As an administrator, you are monitoring the LogRhythm Web Console and observe that a number of alarms are triggering on specific IPs, URLs, and domains. You want to be able to determine where this malicious content is coming from, within the LogRhythm Web Console UI, for follow-up action.


In this lab you will install, configure, and execute the VirusTotal SRP to create the following reports:

  • Get Domain Report
  • Get IP Report
  • Get URL Report

Frequently Asked Questions (FAQs)

We are facing a truly unprecedented situation. The coronavirus pandemic has affected all our families, our businesses, our communities, and our way of life. To ensure the safety of our customers, partners, and employees we have chosen to move RhythmWorld to a virtual event. We hope that a free virtual experience will provide opportunities for our global network to learn, grow, and engage.

RhythmWorld Security Conference is a completely free virtual experience for LogRhythm customers, partners, and members of our security community.

The digital security conference will be web-based. All you need to participate is your computer and a reliable internet connection.

If you already registered for RhythmWorld 2020, you will receive a full refund for the price of admission. Our events team will be contacting you shortly with details.
LogRhythm will not refund customers and partners for lost travel and accommodation costs. If you booked a hotel room, please contact your hotel directly. The Hyatt Regency Denver Convention Center can be contacted at 877-803-7534, or click here to find contact information by region.

We are planning to host an epic virtual LogWars CTF as part of RhythmWorld 2020. Details about how to register and participate will be provided closer to the event.

We’re excited to offer a unique sponsor experience for RhythmWorld 2020. To learn more about the sponsorship packages available, please reach out to [email protected].
