18 Cards in this Set

  • Front
  • Back

A log message that met the user-defined parameters was observed. It can be in any position in the rule.

LOG Observed

No log message that met the user-defined parameters was observed after a preceding rule block was satisfied. It must follow another rule block and be the last block in the rule.

LOG Not Observed Compound

No log message that met the user-defined parameters was observed when expected based on a defined schedule. It must be the only block in the rule.

LOG Not Observed Scheduled

The defined threshold was reached across one or more log messages that met user-defined parameters. A threshold is quantitative such as number of bytes out. It can be in any position in the rule.

THRESHOLD Observed

The defined threshold was not reached across one or more log messages after a preceding rule block was satisfied. It must follow another rule block and be the last block in the rule.

THRESHOLD Not Observed Compound

The defined threshold was not reached across one or more log messages based on a defined schedule. It must be the only block in the rule.

THRESHOLD Not Observed Scheduled

Unique values were observed for a specified metadata field across two or more log messages having specific characteristics. Examples of unique values: 10 unique logins or 10 unique hosts. It can be in any position in the rule.

UNIQUE VALUES Observed

Unique values were not observed for a specified metadata field across two or more log messages after a preceding rule block was satisfied. Examples of unique values: 10 unique logins or 10 unique hosts. It must follow another rule block and be the last block in the rule.

UNIQUE VALUES Not Observed Compound

Unique values were not observed for a specified metadata field across two or more log messages based on a defined schedule. Examples of unique values: 10 unique logins or 10 unique hosts. It must be the only block in the rule.

UNIQUE VALUES Not Observed Scheduled

Similar to a Log Observed block, except that it only triggers when the selected Grouped By values of the Log are not found in the associated whitelist of the Whitelist Profile block to which it is linked. (The linked Whitelist Profile block is created automatically and cannot be separately deleted or created.) In this case, a log is observed in a metadata field that is not in the associated whitelist.

BEHAVIORAL

A Whitelist Rule Block enables users to record almost any behavior from a source integrated with the LogRhythm Data Filters. By comparing current logs to historical behavior, a Whitelist can be used to send an alert when behavior from a user or a system changes.

Whitelist / Statistical / Trend? The user creates a rule that records all processes observed on production servers. The rule runs for a set amount of time called a learning period. After the learning period, any process observed that is not on the whitelist triggers an alarm. The event triggering the alarm could be a compromised web server launching a malicious process to give attackers shell access.

Whitelist

During runtime of the AIE Engine, a particular set of statistics is collected. These statistics are collected within the AIE Runtime object in which the statistic was observed. At a regular interval, a routine is executed to collect the data from the various runtime engine components and send the information to the database for persistence.

Behavioral Statistical

Whitelist / Statistical / Trend? Look for an abnormal number of authentication failures. This compares live data to live data. If I know that the ratio of successful logins to unsuccessful logins is 10 to 1, I can create a statistical rule that looks for the ratio of successes to failures to drop below 10 to 1. For example, if the number of unsuccessful logins increases to a 12 to 2 ratio, an alarm is triggered.

Statistical

The AIE Trending Rule Block provides for automatic base-lining of log and flow data against which various trends can be established. These trends can then be evaluated against current log and flow data to determine if a deviation has occurred. Deviations in a trend might be an indication of a security, compliance, or operations issue. In this case, a set of criteria is met comparing current log messages with recent log messages.

Behavioral Trend

The AIE Trending Rule Block provides for automatic base-lining of log and flow data against which various trends can be established. These trends can then be evaluated against current log and flow data to determine if a deviation has occurred. Deviations in a trend might be an indication of a security, compliance, or operations issue. In this case, a set of criteria is met comparing current log messages with recent log messages.

Behavioral Trend

This rule block compares prerecorded data to live data in an attempt to identify anomalies in behavior. It is able to add additional data to the baseline to accommodate changes in behavior over a period of time.

Trend

Whitelist / Statistical / Trend? Look for increased traffic on the network. You can build a baseline over a week, measuring the amount of traffic your network receives through its ports. If the traffic increases by a predetermined percentage, an alarm is triggered. This is also how rogue host detection is implemented: the MAC addresses seen on the network are recorded over a 30-day period. When a MAC address is observed that does not exist in the baseline, a new host is on the network, and this causes an alarm to trigger.

Trend