Most customers use LogRhythm NetMon for network traffic visibility, but the NetMon Deep Packet Analytics (DPA) engine takes network analytics to a whole new level. DPA rules can detect malware communications such as C2 traffic & Domain Generation Algorithms (DGA’s), SMB & DNS vulnerabilities, ICMP tunneling and more! The intention of this technical deep dive is to provide practical solutions to common network threat detection problems.

In this talk, I will introduce NetMon Deep Packet Analytics rules by using them to solve five example use-cases:

• Detecting Gh0st Rat communications
• Detecting a vulnerability to EternalBlue
• Detecting a DNS exploit to Windows Domain Controllers known as ‘SIGRed’
• Detecting a possible malware DGA activity
• Detecting ICMP tunneling

This talk is accompanied by a hands-on lab ‘NetMon DPA Rules’; attendees are encouraged to take part to reinforce the lessons from this session. Lastly, it is encouraged for attendees of this talk to also listen to the ‘Malware Analysis 101’ session which expands on some of the core topics within this session.

The goal of Cyber Threat Intelligence is (CTI) to take a proactive approach to InfoSec. Threat Intelligence works to aggregate external indicators of compromise (IOCs) and integrate with a unified workflow to mature security operations.

Join this webinar to learn about the current CTI space, technologies, use-cases, best practices and how your existing tools can leverage cyber threat intelligence.Presenters include Sander Bakker, a veteran in the cyber security space, and Oliver Gheorghe, a former CTI consultant and Oasis member.


You’ll learn:

• The current state of CTI
• Benefits of CTI use in daily workflows
• Common practices and use-cases within the security space
• Examples of how to use CTI within the LogRhythm Platform to drive valuable investigations

There’s nothing like having visibility into the internal activity of endpoints for detecting threats; but you can’t always deploy an agent on every system or get logs from them. The beauty of network monitoring is the wide visibility it provides into the interactions between endpoints, servers and the Internet at large, all with a relatively few points of observation throughout your network, and without touching any endpoints.

In this real training session, join Ramy Ahmad, LogRhythm sales engineer, as he discusses different real-life use cases to increase visibility into your network.

These scenarios including:

• Tracking Operational Technology (OT) and Internet of Things (IoT): OT has historically received little attention from IT and IoT is still perceived to be emerging. However, both of these areas deserve vigilance and you might be very surprised when you start analyzing it on your network DNS – The bad guys depend on DNS for finding their infrastructure (e.g. command & control) and they exploit it as a communications. If you aren’t analyzing DNS queries on your network, you’re missing out.
• Database Traffic: At the end of the day, data is the number one thing you are trying to protect and said data lives on databases (DB). The reality is that few DB admins will permit a SIEM agent on their delicately tuned database servers. The network is a non-intrusive way of getting visibility to that plane of activity. Ramy will show you database traffic flows you didn’t even know were present. In fact, the whole Equifax breach could have been detected much sooner if they’d been monitoring DB traffic.
• Detecting Ransomware and Clear Text Passwords: Stay tuned on this one – it’s interesting!

Please join us for this hands-on and technical event where we get down and dirty with packets.

Maintaining the health of your LogRhythm deployment is critical to keep your security and operations program running smoothly. In this session, experts from LogRhythm will take an in-depth look at Diagnosing and resolving root causes for three different common issues, using proven methodology from the field.


You’ll learn:

• Troubleshooting best practices
• Where to find additional troubleshooting resources
• Tips to working with Support to help quickly resolve tickets

PA malware analyst is made up of two parts, one-part reverse-engineer and one-part detective. The of a goal of these White Hats are to understand how a piece of malware works in order to ultimately help detect and defend against it. This exciting area of cybersecurity is not limited to specialized engineers with formal education, as many resources are available for those willing to learn.

In this webinar, cybersecurity veterans Daniel Crossley and Sally Vincent will give an overview of malware analysis. Additionally, the pair will provide the tools and techniques to start your own malware analysis lab.

Key takeaways:

• How to build a malware analysis lab
• Static analysis techniques
• Dynamic analysis techniques
• Introduction to disassembly

Cybercriminals can compromise systems in just a matter of minutes. However, it could take weeks or even months to detect a possible threat. To reduce your mean time to detect (MTTD) and your mean time to respond (MTTR) to cyberthreats, you need to find a solution to automate your threat hunting capabilities.


This session will cover best practices to improve your threat hunting using LogRhythm.


You’ll learn:

• Threat Hunting Techniques
• Risk-Based Priority and Dashboard Cache
• Configuring LogRhythm Dashboards
• AI Engine Tuning
• Playbooks and SmartResponse Plugin Best Practices

Every organization is unique, with a different set of operational circumstances governing specific requirements and the scope of implementation. A network might be highly segmented due to security policies or geographic distribution, mandating specific collection capabilities. Or an organization might be constrained by budget and staffing limitations, requiring an incremental approach to rolling out a deployment. No matter the circumstances, architecture plays an important role in determining the long-term success of any SIEM implementation.

In this session learn the different architectural components of LogRhythm and outline the benefits of a proper configuration. Using real world examples taken from the field, presenters will outline the advantages of the LogRhythm Unified License Program (ULP) and how you can add resilience to your LogRhythm deployment.

You’ll learn:

• LogRhythm architecture basics
• Ways to thoughtfully expand your existing environment and how to structure entities
• The benefits of ULP
• Key metrics to measure your security maturity

Based on an article from John Lambert, “The Githubification of InfoSec”, John presents “If organizations were to contribute and share their unique expertise using these frameworks, and organizations were in this way to build on the expertise of others, defenders in every organization would benefit from the best defense in any organization.” We will explore how Jupyter Notebook can be used with LogRhythm in ways that will champion the concept of what John wrote.


Dan Kaiser, threat research senior engineer, Sally Vincent, threat research engineer, and Brian Coulson, principal threat research engineer, will demonstrate three distinct projects using the Jupyter Notebook, and integrations with LogRhythm. You will see how Jupyter Notebook uses the LogRhythm Rest API, work with Case, and Search, query MITRE ATT&CK, and perform threat hunting in a shareable manner.


You’ll learn:

• What is Jupyter Notebook, and how to install it
• Integration with LogRhythm Rest API
• Jupyter Notebook and LogRhythm Use Cases
• Shareable LogRhythm Jupyter Notebooks created by LogRhythm Labs

As ransomware attacks continue to hit the headlines around the globe they pose a major threat to businesses of all sizes. How do you protect your organization against ransomware effectively to reduce risk?

This session will discuss how to use LogRhythm to defend your organization against ransomware.

You’ll learn:

• Updates on the most recent attacks
• Deep technical analysis on what happens on an endpoint that is infected by Ransomware
• How to defend your organization against Ransomware
• Using LogRhythm to quickly identify and remediate a ransomware attack.

Threat hunting with MITRE ATT&CK techniques can be approached in several ways. Join members of the LogRhythm Labs team as they take you on a journey of how to use MITRE ATT&CK techniques and LogRhythm to make your threat hunting activities more valuable and effective. They will start the journey using the known techniques of MITRE ATT&CK Group APT 29, also known as the Russian threat actor group The Dukes or Cozy Bear. The team will describe the known Indicators of Compromise (IOCs) like file hashes, IP addresses, etc., and how IOCs play into MITRE ATT&CK technique searches, and dashboards. Finally, the team will dig into more unknown, or suspicious activity based on the techniques by focusing on encoded PowerShell.

You’ll Learn:

• Threat hunting made easy using MITRE ATT&CK techniques
• How to create custom LogRhythm dashboards and searches.
• Moving from known, to unknown, and back to known to increase your detection capabilities

The LogRhythm NextGen SIEM Platform is undeniably a powerful tool, unfortunately some customers aren’t using the product to it’s full potential. This session will discuss features and best practices that can help make you more efficient in your day-to-day activities. Specifically, the presenter will cover the basics for managing a healthy events database and tips for managing the LogRhythm Web Console. Additionally, he’ll discuss standard and new features found in the Web Console, such as Tail, that can improve your effectiveness as an analyst.

You’ll learn:

• How to leverage analyze dashboards to glean powerful insights from your data
• Best practices when working with the events database
• Web Console features and functionality

LogRhythm and the University of Colorado Denver partnered in 2019 to develop an online graduate course in IT Risk Management. Delivered in the Spring of 2020, this course provided students with the fundamentals of security analysis in the commercial enterprise and featured hands-on labs using the LogRhythm NextGen SIEM. This course culminated in the LogRhythm Security Analyst certification exam which not only provided students an understanding of how to detect and respond to a real-world cyber threat but offered instant career marketability with an industry recognized certification.


Since then, LogRhythm has partnered with numerous other higher education institutions to provide real-world, hands on training to the security analysts of tomorrow. This panel features a conversation between LogRhythm, CU Denver, and InfoSec Learning on their goals, challenges, outcomes, lessons learned, and future plans. If you’re a customer from an institute of higher learning, or a partner with EDU customers, this is a session you don’t want to miss.

On April 9th, 2019, LogRhythm Labs released the MITRE ATT&CK Module, with a focus on high efficacy technique detections. Since our initial release, we’ve learned a lot regarding what techniques are the most valuable to detect, how to optimally threat hunt using the techniques, and where we should focus next in our MITRE ATT&CK technique detections.


Dan Kaiser, threat research senior engineer, Sally Vincent, threat research engineer, and Brian Coulson, principal threat research engineer, will focus heavily on MITRE ATT&CK Technique: PowerShell, ID: T1059.001. Microsoft PowerShell is a modular shell native in Windows, and with PowerShell 7, also works on Linux and Mac. PowerShell enables users, and administrators to do tasks in a very efficient way. It also is heavily abused by adversaries performing malicious actions. How does LogRhythm Labs design a detection for a technique that can be used for good, and bad? We will present our challenges from additional logging requirements, detecting PowerShell usage, testing PowerShell detections, and how you can take detections that event heavily and create actionable alarms.


Key takeaways

• MITRE ATT&CK Technique development process
• Tips and Tricks on tuning techniques to become actionable alarms in your environment
• Focus on many ways PowerShell can be detected