Tips & Tricks

Temporal Chain Normalization: The Unsung Hero of Event Correlation

When it comes to correlation capabilities, LogRhythm has you covered. With AI Engine you can perform a variety of activities, from observing a single activity to applying advanced behavior rules across multiple dimensions (entities, devices, log sources, metadata, etc.). In addition to some of the more obvious capabilities, I’m here to tell you about one lesser-known feature of AI Engine called Temporal Chain Normalization (TCN).

DPA-Powered Dashboards

With the proliferation of top-level domains, threat actors are using all sorts of DNS tricks to entice people to engage with malicious sites or to mask malicious traffic in the noise of normal traffic. So how do you sort through the noise to find abnormal top-level domains (TLDs)?

Who is Listening in on Your Network?

With the sheer volume of network traffic and the variety of applications that travel across a typical network these days, it is not surprising how easy it is to gather high-value artifacts using packet capturing software. The goal of an attacker using packet capturing software is to grab usernames, email addresses, passwords and other sensitive information that traverses a network in plain (clear) text, for further exploitation.

Catching Beaconing Malware

When a computer becomes infected with malware, it will usually begin to beacon out to a command and control server. This is one of the ways that commodity malware checks in with its command and control infrastructure to await further instructions. But it can be difficult to detect this activity. The beaconing can take place at any time or frequency—from once every couple of seconds to once a week (or possibly even longer if you are dealing with an advanced adversary).