AI Engine Delivers Real-Time Visibility to Risks, Threats and Critical Operations Issues
With over 900 preconfigured, out-of-the-box correlation rule sets and a wizard-based drag-and-drop GUI for creating and customizing even complex rules, AI Engine enables organizations to predict, detect and swiftly respond to:
- Sophisticated intrusions
- Insider threats
- Fraud
- Behavioral anomalies among users, networks and endpoints
- Compliance violations
- Disruptions to IT services
- And many other critical actionable events
Comprehensive Advanced Correlation
AI Engine rules draw from over 70 different metadata fields that provide highly relevant data for analysis and correlation. This metadata includes the dynamic Risk Based Prioritization (RBP) value assigned to all machine data, enabling the AI Engine to build trends and expose statistical anomalies based on the risk level associated with specific activity on the network. Whether detected by out-of-the-box rules or user-created/modified rules, AI Engine identifies and alerts on actionable events with tremendous precision, supporting security, compliance and operations use cases. AI Engine can also be used to cast a wide net through generalized correlation rules for broader visibility that accommodates changes in event behavior.
Multi-Dimensional Analytics
Secure
- Malware is detected on a host, followed by multiple outbound attacks from that infected host
- Suspicious communication from an external IP address is followed by data being transferred to the same IP address
- A user logs in from one location, and then logs in from another city or country soon afterward
- RBP score assigned to firewall logs steadily increases from 50 to 90 over the course of an hour
Comply
- Five failed authentication attempts followed by a successful login to a database containing ePHI, followed by a large data transfer to the user’s machine, all within 30 minutes
- A file containing credit card data is accessed, followed by an attempt to transfer information from the same host to a USB thumb drive within 10 minutes
- Multiple new accounts are created, granted escalated privileges, and then access critical data in a short period of time
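To make the first Comply rule concrete, here is an added example (not LogRhythm's code or rule syntax) of how a multi-stage correlation like "five failures, then an ePHI login, then a large transfer, all within 30 minutes" can be evaluated over a stream of events. The event field names, the 100 MiB "large transfer" threshold and the sample events are all constructed for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)              # "all within 30 minutes"
FAILURE_THRESHOLD = 5                       # "five failed authentication attempts"
LARGE_TRANSFER_BYTES = 100 * 1024 * 1024    # assumed: what counts as a "large" transfer

def correlate_ephi_exfil(events):
    """Alert when a user has >= 5 auth failures, then a successful login to an
    ePHI database, then a large transfer to the machine they logged in from,
    all inside a 30-minute window measured from the first failure."""
    failures = defaultdict(list)   # user -> timestamps of recent failures
    staged = {}                    # user -> (chain start, workstation) after ePHI login
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        failures[user] = [t for t in failures[user] if ts - t <= WINDOW]  # age out old failures
        if ev["type"] == "auth_failure":
            failures[user].append(ts)
        elif ev["type"] == "auth_success" and ev.get("ephi"):
            if len(failures[user]) >= FAILURE_THRESHOLD:
                staged[user] = (failures[user][0], ev["src"])   # stage 2 reached
        elif ev["type"] == "data_transfer" and ev["bytes"] >= LARGE_TRANSFER_BYTES:
            chain = staged.get(user)
            if chain and ts - chain[0] <= WINDOW and ev["dst"] == chain[1]:
                alerts.append({"user": user, "start": chain[0], "end": ts, "bytes": ev["bytes"]})
                staged.pop(user)
                failures[user].clear()   # do not re-alert on the same chain
    return alerts

def sample_events(gap_minutes=12):
    """Constructed events: 5 failures at t+0..t+4, ePHI login at t+5 from ws-42,
    and a 512 MiB transfer to ws-42 gap_minutes after the login."""
    t0 = datetime(2024, 1, 15, 9, 0)
    m = lambda n: t0 + timedelta(minutes=n)
    evs = [{"ts": m(i), "user": "jdoe", "type": "auth_failure", "src": "ws-42"} for i in range(5)]
    evs.append({"ts": m(5), "user": "jdoe", "type": "auth_success", "src": "ws-42", "ephi": True})
    evs.append({"ts": m(5 + gap_minutes), "user": "jdoe", "type": "data_transfer",
                "src": "db-ephi-01", "dst": "ws-42", "bytes": 512 * 1024 * 1024})
    return evs

if __name__ == "__main__":
    for alert in correlate_ephi_exfil(sample_events()):
        print(alert)
```

With the default 12-minute gap the whole chain fits in the window and one alert fires; with a 40-minute gap the transfer falls outside the 30-minute window and nothing fires.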
Optimize
- A backup process is started, but no log indicating that the backup completed is ever generated
- A critical process stops and doesn’t start back up within a specific timeframe
- A large group of servers shuts down, followed by a smaller group of servers starting back up
- High I/O rates on a critical server, usually only observed after-hours during backup procedures, are observed during normal business hours
If you would like more information on LogRhythm, contact us today!