What’s New in LogRhythm ® Version 5.1

Post on 14-May-2015

722 views

Category:

Sports


4 download

TRANSCRIPT

What’s New in

LogRhythm® Version 5.1

What’s New in LogRhythm® Version 5.1

Dear LogRhythm Customers,

I am pleased to introduce LogRhythm 5.1, the latest version of our award-winning software. I think you will be very happy with the extensive list of new features, capabilities, and improvements introduced. As I think you'll come to appreciate, LogRhythm 5.1 is far from a typical minor release.

I think this release provides a great balance between core “blocking and tackling” capabilities with leading edge innovation. We have long felt our log data collection and management infrastructure is second-to-none. We continue to invest in this area by adding significant new log collection capabilities including native support for SNMP traps and the latest version of Netflow. We have invested in improving our reporting infrastructure by providing you the ability to create your own templates for determining exactly how you want a report to look. In addition, you can select to use your company logo instead of ours for presentation in a report. We have introduced new meta-data fields and significantly enhanced how some derived meta-data values are determined. We also introduced a variety of new capabilities and improvements for easing the administration of your LogRhythm deployment.

On more of the leading-edge innovation front, we have introduced a number of new features that I am personally very excited about. We've added Geolocation, the ability to see where hosts contained in log messages physically reside. While some of our competitors have capabilities in this area, what excites me is that we introduce Geolocation at the log and event layer whereas others have only focused at the event layer. This provides great forensic context for every log message, context that provides a wealth of capabilities today and more in the future. One of those capabilities is leveraged in another new feature called Network Visualization. This is a very powerful visual analysis tool that provides a visual depiction of host-to-host relationships across boundaries such as location.

One thing I feel has always differentiated us is our focus on filling the “visibility gaps”. While logs do provide tremendous visibility on their own, often they don't provide the complete story. A core capability of the LogRhythm System Monitor is to fill in these gaps at the endpoint. Two new powerful forensic visibility capabilities have been introduced in 5.1. Process Monitor provides independent monitoring of processes running on a host, when they start, and when they stop. Network Monitor provides independent monitoring of listening services, inbound connections, and outbound connections to/from a host. These capabilities, combined with existing endpoint monitoring features (i.e., File Integrity Monitor, DataLoss Defender), provide powerful and unequaled forensic awareness and visibility at the host.

I hope you find LogRhythm 5.1 as exciting as we do. The LogRhythm engineering team has worked hard to bring you another quality software release we are very proud of.

Sincerely,

Chris Petersen
CTO, VP Engineering, Co-founder


Overview

This document provides a brief description of new features and the most significant improvements introduced in LogRhythm 5.1. Please refer to the Release Notes for the complete list of new features, improvements, modifications, and known issues found in LogRhythm 5.1.

System Monitor Features and Improvements

New Operating System Support

We have added support for the following operating systems and Linux distributions:

HP-UX
Debian Linux
Ubuntu Linux

New Collection Interfaces, Capabilities, and Improvements

SNMP Trap Listener

The Windows System Monitor now includes an integrated SNMP Trap Listener. SNMP versions 1, 2 and 3 are supported.

Netflow v9

The Windows System Monitor now supports Netflow v9 in addition to versions 1 and 5. This provides support for the latest version of Netflow shipping with Cisco products. Netflow v9 is also compatible with a variety of non-Cisco products.

Recursive Flat File Collection

This capability allows for the collection of flat files matching a specific file name pattern that reside in a root directory or any of its child directories. This is ideal for applications (e.g., web servers) that generate new directories containing log files on a daily or weekly basis.

Integrated Syslog Server for UNIX and Linux System Monitor

The Windows System Monitor has always had an integrated Syslog Listener for receiving UDP- and TCP-based Syslog. This same capability has been added to the UNIX and Linux versions of the System Monitor. This is ideal for extending the collection infrastructure in *NIX-centric environments, where a single agent can collect and forward Syslog from the entire environment.

Checkpoint Firewall/VPN Secure Configuration Verification (SCV) Support

The Windows System Monitor now supports collection of logs generated via Checkpoint's Secure Configuration Verification module.

Windows Remote Event Log Connection Optimization

The number and frequency of new connections required to collect Event Logs remotely has been significantly reduced. This results in overall performance improvements and reduces the number of logs written to the Windows Security Event Log as a result of remote collection activity.


Windows 1252 Codepage Extended ASCII Support

Log messages containing Extended ASCII characters for languages included in the Windows 1252 codepage will be collected and presented in the native language. This includes the following languages:

Afrikaans, Basque, Catalan, Danish, Dutch, English, Faroese, Finnish, French, Galician, German, Icelandic, Indonesian, Italian, Malay, Norwegian, Portuguese, Spanish, Swahili, Swedish
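As an added example (not LogRhythm code) of the decoding decision a collector has to make for such messages: the function below tries UTF-8 first and falls back to Windows-1252, and it deals with the five byte values that Windows-1252 leaves undefined, which would otherwise make a whole line fail to decode. The sample lines are constructed for the illustration.

```python
"""Decode collected log bytes that may be UTF-8 or Windows-1252 text.

Added example for this section; it is not LogRhythm code. It assumes the
collector hands us raw bytes per line and must keep Extended ASCII characters
(ä, é, ø, €, ...) readable instead of turning them into mojibake or "?".
"""
from typing import List, Tuple

# Windows-1252 leaves five byte values undefined. Python's cp1252 codec raises
# on them, so one stray byte must not be allowed to discard the whole line.
CP1252_UNDEFINED = {0x81, 0x8D, 0x8F, 0x90, 0x9D}


def decode_log_line(raw: bytes) -> Tuple[str, str]:
    """Return (text, codec_used) for one collected line.

    UTF-8 is tried first because valid UTF-8 is rarely produced by accident and
    pure ASCII decodes identically under both codecs. Anything that is not valid
    UTF-8 is treated as Windows-1252; the undefined bytes become U+FFFD and the
    codec label says so, so the emitting source can be investigated.
    """
    try:
        return raw.decode("utf-8"), "utf-8"
    except UnicodeDecodeError:
        pass
    if any(b in CP1252_UNDEFINED for b in raw):
        return raw.decode("cp1252", errors="replace"), "cp1252+replaced"
    return raw.decode("cp1252"), "cp1252"


def decode_batch(lines: List[bytes]) -> List[Tuple[str, str]]:
    """Decode a batch of collected lines, preserving order."""
    return [decode_log_line(line) for line in lines]


# Constructed sample lines (not real device output): German and French text as a
# Windows host would emit it, the same German text as UTF-8, plain ASCII, and a
# line carrying a byte that Windows-1252 does not define.
SAMPLE_LINES = [
    b"Anmeldung f\xfcr Benutzer 'J\xf6rg' fehlgeschlagen",          # cp1252
    b"Paiement de 50\x80 refus\xe9 pour l'utilisateur",             # cp1252; 0x80 is the euro sign
    b"Anmeldung f\xc3\xbcr Benutzer 'J\xc3\xb6rg' fehlgeschlagen",  # UTF-8
    b"login ok for user admin",                                      # ASCII
    b"bad byte \x81 here",                                           # undefined in cp1252
]

if __name__ == "__main__":
    for text, codec in decode_batch(SAMPLE_LINES):
        print(f"[{codec:16}] {text}")
```

Note that 0x80 decodes to the euro sign only under Windows-1252; decoding the same byte as ISO-8859-1 yields an invisible control character, which is the usual source of "lost" symbols in collected European-language logs.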

New Forensic Visibility and Awareness Features

A tenet of LogRhythm's vision is to provide profound visibility into the operating environment. We do this to help our customers better understand the environment as it affects or is impacted by security, operations, and compliance/audit events. In LogRhythm 5.1, we have introduced two significant features that provide forensic awareness into the activity of a host.

Network Connection Monitor

This feature provides an audit trail of connections to and from the host on which the System Monitor is installed. We also detect and log listening services. This is an optional capability available in System Monitor Lite that can provide constant or on-demand visibility into how a host is interacting on the LAN, WAN and Internet.

Use Case

Deploy System Monitors and enable Network Connection Monitor on servers in a DMZ and alert on unauthorized connections from DMZ hosts to hosts on the Internet or inside the trusted network.

Use Case

Deploy System Monitors and enable Network Connection Monitor on key servers and alert if a network connection is observed initiating directly from the Internet or other unauthorized networks.

Process Monitor

This feature provides an audit trail of processes running on a host. Logs are generated whenever a new process or program starts or a previously running process or program stops. This is an optional capability available in System Monitor Lite that can provide constant or on-demand visibility into what processes and applications a host is running.

Use Case

Deploy System Monitors and enable Process Monitor on key servers. Create a whitelist of authorized programs and alert if any program is observed that is not in the approved whitelist.

Use Case

Deploy System Monitors and enable Process Monitor on user desktops. Create a blacklist of high-risk unauthorized programs (e.g., BitTorrent) and alert if such programs are observed on monitored hosts.
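The four use cases above for the two monitors, as an added example that is not part of this document or of LogRhythm's software: a small Python rule set run over constructed Process Monitor and Network Connection Monitor records. The record fields, the server whitelist and desktop blacklist, the DMZ and trusted address ranges, the "key servers" set and the sample events are all assumptions made for the illustration; 203.0.113.9 and 198.51.100.7 are documentation addresses standing in for Internet hosts.

```python
"""Alert rules over Process Monitor and Network Connection Monitor records.

Added example for the use cases above; it is not LogRhythm code. The record
layout, the configuration constants and the sample events are constructed.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# --- Constructed configuration (assumptions, not product settings) ------------
DMZ_NET = ipaddress.ip_network("10.1.1.0/24")
TRUSTED_NETS = [ipaddress.ip_network("10.2.0.0/16")]          # the trusted internal network
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
KEY_SERVERS = {"db-core1"}                    # must never be reached directly from the Internet
SERVER_WHITELIST = {"httpd", "sshd", "cron", "lr-agent"}       # approved programs on servers
DESKTOP_BLACKLIST = {"bittorrent.exe", "utorrent.exe"}         # high-risk programs on desktops


def in_nets(addr: str, nets: Iterable[ipaddress.IPv4Network]) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in nets)


def is_internet(addr: str) -> bool:
    """Anything outside the RFC 1918 and loopback ranges is treated as Internet.
    An explicit list is used instead of ipaddress.is_private so that the
    documentation ranges used as stand-ins below count as Internet addresses."""
    return not in_nets(addr, INTERNAL_NETS)


def evaluate(events: List[dict]) -> Tuple[List[str], Dict[str, Set[str]]]:
    """Walk monitor records in order; return alerts and the per-host table of
    programs still running once all start/stop records have been applied."""
    alerts: List[str] = []
    running: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        host = e["host"]
        if e["kind"] == "process":
            image = e["image"]
            if e["action"] == "start":
                running[host].add(image)
                if e["role"] == "server" and image not in SERVER_WHITELIST:
                    alerts.append(f"{host}: unapproved program started: {image}")
                elif e["role"] == "desktop" and image.lower() in DESKTOP_BLACKLIST:
                    alerts.append(f"{host}: blacklisted program observed: {image}")
            else:
                running[host].discard(image)
        elif e["kind"] == "connection":
            if e["direction"] == "outbound" and in_nets(e["local"], [DMZ_NET]):
                if is_internet(e["remote"]):
                    alerts.append(f"{host}: DMZ host connected out to Internet {e['remote']}:{e['rport']}")
                elif in_nets(e["remote"], TRUSTED_NETS):
                    alerts.append(f"{host}: DMZ host connected into trusted network {e['remote']}:{e['rport']}")
            elif e["direction"] == "inbound" and host in KEY_SERVERS and is_internet(e["remote"]):
                alerts.append(f"{host}: inbound connection from Internet {e['remote']} to port {e['lport']}")
    return alerts, dict(running)


# Constructed sample records; "kind" names the monitor that produced the record.
SAMPLE_EVENTS = [
    {"host": "dmz-web1", "role": "server", "kind": "process", "action": "start", "image": "httpd", "pid": 1201},
    {"host": "dmz-web1", "role": "server", "kind": "process", "action": "start", "image": "unknown-tool", "pid": 1340},
    {"host": "dmz-web1", "role": "server", "kind": "connection", "direction": "outbound",
     "local": "10.1.1.5", "remote": "203.0.113.9", "rport": 8080},
    {"host": "dmz-web1", "role": "server", "kind": "connection", "direction": "outbound",
     "local": "10.1.1.5", "remote": "10.2.0.15", "rport": 1433},
    {"host": "dmz-web1", "role": "server", "kind": "connection", "direction": "inbound",
     "local": "10.1.1.5", "remote": "198.51.100.7", "lport": 443},
    {"host": "dmz-web1", "role": "server", "kind": "process", "action": "stop", "image": "unknown-tool", "pid": 1340},
    {"host": "db-core1", "role": "server", "kind": "connection", "direction": "inbound",
     "local": "10.2.0.15", "remote": "198.51.100.7", "lport": 1433},
    {"host": "desk-42", "role": "desktop", "kind": "process", "action": "start", "image": "BitTorrent.exe", "pid": 5521},
    {"host": "desk-42", "role": "desktop", "kind": "connection", "direction": "listening",
     "local": "0.0.0.0", "lport": 6881},
]

if __name__ == "__main__":
    found, still_running = evaluate(SAMPLE_EVENTS)
    print("\n".join(found))
    print(still_running)
```

The inbound HTTPS connection to the DMZ web server from an Internet address does not alert, because that host is not in the key-server set; the same connection to the database server does. The running-process table is what the start/stop audit trail lets you reconstruct for any point in time.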


System Monitor Feature Matrix

Columns, in order: System Monitor Lite Windows | System Monitor Lite UNIX | System Monitor Pro Windows | System Monitor Pro UNIX. "New! 5.1" marks a capability introduced in this release; rows with fewer than four entries show only the cells that are marked.

Timestamp Normalization: X | X | X | X
Collection Scheduling: X | X | X | X
Compressed Data Transmission: X | X | X | X
Encrypted Data Transmission: X | X | X | X
Flat File Log Collection: X | X | X | X
Recursive Flat File Log Collection: New! 5.1 | New! 5.1 | New! 5.1 | New! 5.1
Windows Event Log Collection: X | X
Remote Windows Event Log Collection: X | X
Integrated UDP Syslog Server: X | New! 5.1 | X | New! 5.1
Integrated TCP Syslog Server: X | New! 5.1 | X | New! 5.1
Integrated Netflow Server v1 and v5: X
Integrated Netflow Server v9: New! 5.1
Integrated SNMP Trap Receiver: New! 5.1
Remote Checkpoint Firewall Log Collection (via LEA): X
Remote Cisco IDS Log Collection (via SDEE): X
Remote Database Log Collection (UDLA): X
System Performance Monitoring: X | X | X | X
Data Loss Defender: X | X
File Integrity Monitoring: X | X
Process Monitor: New! 5.1 | New! 5.1 | New! 5.1 | New! 5.1
Network Connection Monitor: New! 5.1 | New! 5.1 | New! 5.1 | New! 5.1
User Activity Monitoring: X | X | X | X

New Meta-data Fields and Resolution Enhancements

In 5.1, new meta-data fields have been introduced. We have also improved how some derived values are determined. These are very significant changes in terms of what information is presented for every log message and event. These new fields and enhancements provide immediate value from an analysis, reporting, and alerting standpoint. They have also been implemented to prepare for additional automated and visual analysis capabilities planned in future releases.

NOTE: It is very important that the Administrator of LogRhythm understands how the configuration of your deployment affects how these fields are determined and, as a result, their usefulness throughout the product. Please refer to online help to learn more or contact support for additional information.

New Meta-Data Fields

Origin & Impacted Entity

The Origin Entity is the Entity with which the Origin Host is associated. The Impacted Entity is the Entity with which the Impacted Host is associated. Because Entities typically map to physical operating locations or classes of systems, these two fields provide very useful context for understanding the Entity from which the action (e.g., attack, logon) originated and the Entity impacted by the action. The introduction of these fields enables analysis, reporting and alerting based on the Entity in which the Origin or Impacted Host resides.

Use Case

Report and alert on authentication activity across Entity boundaries. For instance, if each Entity were a separate business unit, this report would show authentications between business units.

Origin & Impacted Network

The Origin Network is the Network with which the Origin Host is associated. The Impacted Network is the Network with which the Impacted Host is associated. These two fields provide very useful context when analyzing Host-to-Network and Network-to-Network relationships. The introduction of these fields enables analysis, reporting and alerting based on the Network in which the Origin or Impacted Host resides.

Use Case

Report and alert on network traffic between untrusted and trusted networks. For instance, if you had created a DMZ Network and a Production Servers Network, you could alert on any activity originating from the DMZ Network targeting any host in the Production Servers Network.

Origin & Impacted Zone

The Origin Zone is the Zone (Internal, External, DMZ) in which the Origin Host resides. The Impacted Zone is the Zone in which the Impacted Host resides. The introduction of these fields enables analysis and reporting based on the Zone in which the Origin or Impacted Host resides.

Origin & Impacted Location

The Origin Location is the location in which the Origin Host resides. The Impacted Location is the location in which the Impacted Host resides. Location can be presented or considered for filtering at the Country, Region, or City level. These fields are introduced as part of the new Geolocation feature described below and enable analysis, reporting, and alerting based on geographic location.

Meta-Data Field Resolution Enhancements

The approach for deriving the following fields has been modified and improved in LogRhythm 5.1. Although these improvements should not negatively affect an existing deployment, it is important to understand how these fields are determined based on your configuration.

Known Origin Host
Known Impacted Host
Known Origin Network*
Known Impacted Network*
Origin Zone*
Impacted Zone*
Direction

* NOTE: Although these fields are listed as new in 5.1, the fields did exist in previous versions. However, they were minimally exposed or completely hidden from the end user. In 5.1, how these fields are determined has changed, and the fields are visible and usable directly by the end user.

Log Analysis Features and Improvements

Geolocation

Ever wonder where an attack originated from geographically, or where data was sent to? With LogRhythm Geolocation, wonder no more. LogRhythm's Geolocation capability can provide city-level location awareness for every Origin and Impacted Host represented in a log message. This capability is implemented at the Log Manager layer, meaning EVERY log collected by LogRhythm can have Geolocation information assigned. Geolocation information is assigned to a log based on static assignment and automatic resolution.

Static location assignment is available to all 5.1 users. This capability allows you to assign specific locations to Known Hosts and Networks that will be used during log processing to assign location to Origin and Impacted Hosts.

Automatic location resolution requires a separate software license purchased on an annual subscription basis. Automatic location resolution resolves public IP addresses to the last known physical location. The list of last known locations is provided via the LogRhythm knowledge base and updated periodically. Country-level resolution accuracy is 99.9%, with city-level resolution accuracy around 95%. Annual license fees for this functionality are $1,000, $2,500 and $5,000 for LR500/LRX1, LR1000/LRX2 and LR2000/LRX3 XM and LM models respectively. If you are interested in licensing this capability, please contact your LogRhythm Customer Relationship Manager at (303) 413-8745.

Geolocation information is available in Personal Dashboard, Investigator, and Tail. It is also available in Reports targeting the Event Manager or Log Managers. Geolocation information is not currently available in Log Miner or LogMart. Geolocation criteria can be specified for searches and for reports. Criteria can also be specified for Alarm Rules and Global Log Processing Rules.

Use Case

Report and alert on remote authentication activity originating from locations outside expected states and/or countries.

Use Case

Report and alert on data transfers from sensitive servers to locations outside known and authorized geographic operating locations.
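The meta-data fields described earlier (Origin/Impacted Entity, Network, Zone, Location and Direction) and the Geolocation use cases just above, as one added example that is not part of this document or of LogRhythm's software: Python that resolves an address against constructed Known Host and Known Network tables with static location assignments, falls back to a stand-in lookup table for public addresses in place of the subscription feed, derives Direction from the two Zones, and then applies the cross-entity authentication, DMZ-to-Production and unexpected-country rules. The tables, the resolution order (exact host, then longest-prefix network), the Direction rule, the feed contents and the sample logs are all assumptions; the public addresses are documentation ranges.

```python
"""Resolve Entity, Network, Zone, Location and Direction for a log, then alert.

Added example for the meta-data field and Geolocation use cases; it is not
LogRhythm code. The Known Host/Network tables, the resolution order, the
Direction rule and the stand-in geolocation feed are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Known:
    name: str      # host name or network name
    cidr: str      # /32 for a host
    entity: str    # operating location or class of systems
    zone: str      # Internal, External or DMZ
    country: str   # static location assignment (country level)


# Constructed Known Host and Known Network tables
KNOWN_HOSTS = [
    Known("dmz-web1", "10.1.1.5/32", "Boulder", "DMZ", "US"),
    Known("db-core1", "10.2.0.15/32", "Boulder", "Internal", "US"),
    Known("fs-lon1", "10.3.0.20/32", "London", "Internal", "GB"),
]
KNOWN_NETWORKS = [
    Known("DMZ Network", "10.1.1.0/24", "Boulder", "DMZ", "US"),
    Known("Production Servers", "10.2.0.0/16", "Boulder", "Internal", "US"),
    Known("London LAN", "10.3.0.0/16", "London", "Internal", "GB"),
]
# Stand-in for automatic resolution of public addresses (assumption; the real
# feature uses a periodically updated feed). Documentation addresses as samples.
GEO_FEED = {"203.0.113.9": ("BR", "Sao Paulo"), "198.51.100.7": ("US", "Denver")}
EXPECTED_AUTH_COUNTRIES = {"US", "GB"}


def resolve(ip: str) -> Dict[str, Optional[str]]:
    """Exact Known Host first, then the longest-prefix Known Network; an unknown
    address lands in the External zone with feed-based location, if any."""
    addr = ipaddress.ip_address(ip)
    host = next((h for h in KNOWN_HOSTS if addr in ipaddress.ip_network(h.cidr)), None)
    nets = [n for n in KNOWN_NETWORKS if addr in ipaddress.ip_network(n.cidr)]
    net = max(nets, key=lambda n: ipaddress.ip_network(n.cidr).prefixlen, default=None)
    src = host or net
    geo = GEO_FEED.get(ip)
    return {
        "host": host.name if host else None,
        "network": net.name if net else None,
        "entity": src.entity if src else None,
        "zone": src.zone if src else "External",
        "location": src.country if src else (geo[0] if geo else None),
    }


def direction(origin_zone: str, impacted_zone: str) -> str:
    """Direction derived from the two Zones (assumed rule)."""
    if origin_zone == "External" and impacted_zone == "External":
        return "External"
    if origin_zone == "External":
        return "Inbound"
    if impacted_zone == "External":
        return "Outbound"
    return "Local"


def enrich(log: dict) -> dict:
    """Attach origin_* and impacted_* fields plus direction to a log record."""
    o, i = resolve(log["origin_ip"]), resolve(log["impacted_ip"])
    out = dict(log)
    out.update({f"origin_{k}": v for k, v in o.items()})
    out.update({f"impacted_{k}": v for k, v in i.items()})
    out["direction"] = direction(o["zone"], i["zone"])
    return out


def alerts_for(rec: dict) -> List[str]:
    hits = []
    if rec["class"] == "Authentication":
        if rec["origin_entity"] and rec["impacted_entity"] and rec["origin_entity"] != rec["impacted_entity"]:
            hits.append(f"cross-entity authentication {rec['origin_entity']} -> {rec['impacted_entity']}")
        if rec["origin_location"] not in EXPECTED_AUTH_COUNTRIES:   # unknown location counts as unexpected
            hits.append(f"authentication from unexpected location {rec['origin_location']}")
    if rec["origin_network"] == "DMZ Network" and rec["impacted_network"] == "Production Servers":
        hits.append("DMZ Network -> Production Servers activity")
    return hits


def process(logs: List[dict]) -> List[Tuple[dict, List[str]]]:
    return [(r, alerts_for(r)) for r in map(enrich, logs)]


SAMPLE_LOGS = [  # constructed
    {"class": "Authentication", "origin_ip": "10.3.0.20", "impacted_ip": "10.2.0.15"},
    {"class": "Network Traffic", "origin_ip": "10.1.1.5", "impacted_ip": "10.2.0.15"},
    {"class": "Authentication", "origin_ip": "203.0.113.9", "impacted_ip": "10.1.1.5"},
    {"class": "Authentication", "origin_ip": "198.51.100.7", "impacted_ip": "10.1.1.5"},
]

if __name__ == "__main__":
    for rec, hits in process(SAMPLE_LOGS):
        print(rec["origin_ip"], "->", rec["impacted_ip"], rec["direction"], hits)
```

The same address can resolve through either table, which is why the order matters: a host entry carries the more specific Entity and Zone, and the network entry fills in for hosts that were never added as Known Hosts. That is also the point of the NOTE earlier in this section: an address missing from both tables is reported as External, so alerts keyed on Zone or Entity are only as good as the Known Host and Network configuration.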

Network Visualization

A new tool has been added to Investigator for visually describing the relationships between hosts as represented in log data. This tool maps the relationships between hosts as contained within configurable containers such as Zone (e.g., DMZ, Internal), Location, and Network. Failure and security conditions are depicted with red links. Line width represents the relative amount of activity between related hosts or host containers. Mousing over hosts or host containers provides summary statistics such as kilobytes of traffic, packet counts, and log counts. This tool provides a revolutionary new way of looking at log data containing information on host-to-host interactions.

The following screenshot depicts Port 80 and 443 traffic.


New Investigator and Personal Dashboard Charts

Two new charts have been added to Investigator and Personal Dashboard:

Logs by Day and Hour
Logs by Day of Week and Hour of Day

Use Case

Analyze VPN activity by day and hour of day to visually see the frequency and pattern of VPN authentications. Identify anomalous trends in VPN activity based on daily averages and/or time of day.
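The VPN use case above, as an added example that is not from this document or LogRhythm: Python that bins constructed VPN authentication timestamps into the same Day of Week by Hour of Day grid the chart shows, renders the grid as text, and flags buckets that stand out against the average for that hour across all seven days. The event data and the anomaly threshold (three times the per-hour average, with a minimum count) are assumptions chosen for the illustration.

```python
"""Day-of-week x hour-of-day bucketing of VPN authentications with a simple
time-of-day baseline.

Added example for the VPN use case; it is not LogRhythm code. The timestamps
are constructed and the anomaly rule is an assumption.
"""
from collections import Counter
from datetime import datetime, timedelta
from typing import List, Tuple

DAYS = ["Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"]


def bucket_counts(timestamps: List[datetime]) -> Counter:
    """Count events per (weekday, hour); weekday 0 = Monday, as in datetime."""
    return Counter((ts.weekday(), ts.hour) for ts in timestamps)


def anomalous_buckets(counts: Counter, factor: float = 3.0,
                      min_count: int = 5) -> List[Tuple[Tuple[int, int], int]]:
    """Flag buckets whose count exceeds `factor` times the mean for the same hour
    across all seven weekdays (empty buckets included) and is at least
    `min_count`, so a handful of off-hours logins does not trip the rule."""
    hits = []
    for hour in range(24):
        mean = sum(counts.get((d, hour), 0) for d in range(7)) / 7
        for day in range(7):
            n = counts.get((day, hour), 0)
            if n >= min_count and n > factor * mean:
                hits.append(((day, hour), n))
    return hits


def heatmap(counts: Counter) -> str:
    """Text rendering of the chart: one row per weekday, one column per hour."""
    lines = ["    " + " ".join(f"{h:2d}" for h in range(24))]
    for d in range(7):
        lines.append(DAYS[d] + " " + " ".join(f"{counts.get((d, h), 0):2d}" for h in range(24)))
    return "\n".join(lines)


def constructed_vpn_events() -> List[datetime]:
    """Four weeks of business-hours logins (3 per hour, Mon-Fri 08:00-17:59)
    plus a burst of 12 logins at 03:00 on a Sunday. Constructed, not real data."""
    start = datetime(2015, 5, 4)          # a Monday
    events = []
    for week in range(4):
        for day in range(5):
            for hour in range(8, 18):
                base = start + timedelta(weeks=week, days=day, hours=hour)
                events += [base + timedelta(minutes=m) for m in (5, 20, 40)]
    burst = datetime(2015, 5, 17, 3)      # a Sunday
    events += [burst + timedelta(minutes=m) for m in range(12)]
    return events


if __name__ == "__main__":
    counts = bucket_counts(constructed_vpn_events())
    print(heatmap(counts))
    print(anomalous_buckets(counts))
```

The Monday 08:00 bucket holds 12 logins too, the same as the Sunday burst, yet only the Sunday bucket is flagged: the per-hour baseline sees 08:00 as busy every weekday, while 03:00 is otherwise empty. Comparing against a daily average instead (the other option named in the use case) would miss this burst, since Sunday's total is still far below a normal weekday.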


New Investigator Meta-Data Charts

Three new charts have been added to the Meta-data Statistics tool within Investigator. These three charts provide a visual display of every unique meta-data value compared to all other values across the number of logs, the amount of data sent/received, and the number of packets sent/received. These charts are designed to provide visual trending and easy identification of anomalous activity. Following is a screenshot of the three new charts for a meta-data statistics pane configured to show Impacted Host.

Impacted Hosts by Log Count
Impacted Host by KBytes In/Out
Impacted Host by Items In/Out

Time-based Drill-Down Improvements

An improved drill-down mechanism has been introduced for all charts that show activity by time. In previous versions of LogRhythm, you were able to drill down on an individual point representing a time range. In 5.1, this capability remains, and the ability to select a range of time has been added. In any time-based chart, simply click and hold the left mouse button and drag the mouse to the right until you reach the end of the range. Release the left mouse button and double-click in the highlighted area to drill down.


Reporting New Features and Improvements

Custom Report Templates

You can now create your own report templates if the provided out-of-the-box templates do not suit your organization's needs. Both detail and summary templates can be created via a Wizard-based tool. All log message properties can be used with a variety of grouping and sorting options. The result is near infinite possibilities in terms of what you want included in a report. This capability, combined with LogRhythm's previous reporting capabilities, provides near limitless reporting options.


Custom Report Branding

You can now replace the LogRhythm logo that is printed on reports with an image of your choosing. This is done by selecting File > Options from the Report Center and checking the 'Use Custom Logo' checkbox.

Event Management New Features and Improvements

Batch Alarm Record Management

You can now select multiple alarms in Alarm Viewer and edit their status/comments in batch.


Personal Dashboard Shared Filters

The filtering function within Personal Dashboard has been significantly improved. Filters are easier to create and manage, with more powerful filtering options. In addition, Personal Dashboard Filters can be shared across the LogRhythm user base.

Use Case

Configure shared Personal Dashboard Filters for the security analyst team and helpdesk operations. When these users access their Personal Dashboard, the events displayed are automatically filtered based on their job function.

Administration New Features and Improvements

Batch System Monitor Agent Editing

All properties of a System Monitor can now be edited in batch. This simplifies the administration of deployments where large numbers of System Monitors are deployed.

Batch Host and Network Editing

Hosts and Networks can now be edited in batch. The following properties are available for batch editing:

Zone
Location
Risk Level
Threat Level

Right Click Add Host

Ever wished you could add a host from a log message you are analyzing to LogRhythm's list of Known Hosts? Wish no more. A new context menu is available from Log/Event lists. Simply select the log or event containing the host you wish to add and choose to add the Origin or Impacted Host as a Known Host.

LogRhythm Headquarters: 3195 Sterling Circle, Boulder, CO 80301; 303-413-8745
LogRhythm EMEA: Siena Court, The Broadway, Maidenhead, Berkshire SL6 1NJ, United Kingdom; +44 (0) 1628 509 070
LogRhythm Asia Pacific Ltd.: 8/F Exchange Square II, 8 Connaught Place, Central, Hong Kong; +852 2297 2812