
What's New in LogRhythm Version 5.1

Dear LogRhythm Customers,

I am pleased to introduce LogRhythm 5.1, the latest version of our award winning software. I think you will be very happy with the extensive list of new features, capabilities, and improvements introduced. As I think you'll come to appreciate, LogRhythm 5.1 is far from a typical minor release. I think this release provides a great balance between core blocking and tackling capabilities with leading edge innovation.

We have long felt our log data collection and management infrastructure is second-to-none. We continue to invest in this area by adding significant new log collection capabilities including native support for SNMP traps and the latest version of Netflow. We have invested in improving our reporting infrastructure by providing you the ability to create your own templates for determining exactly how you want a report to look. In addition, you can select to use your company logo instead of ours for presentation in a report. We have introduced new meta-data fields and significantly enhanced how some derived meta-data values are determined. We also introduced a variety of new capabilities and improvements for easing the administration of your LogRhythm deployment.

On more of the leading-edge innovation front, we have introduced a number of new features that I am personally very excited about. We've added Geolocation, the ability to see where hosts contained in log messages physically reside. While some of our competitors have capabilities in this area, what excites me is that we introduce Geolocation at the log and event layer whereas others have only focused at the event layer. This provides great forensic context for every log message, context that provides a wealth of capabilities today and more in the future. One of those capabilities is leveraged in another new feature called Network Visualization. This is a very powerful visual analysis tool that provides a visual depiction of host-to-host relationships across boundaries such as location.

One thing I feel has always differentiated us is our focus on filling the visibility gaps. While logs do provide tremendous visibility on their own, often they don't provide the complete story. A core capability of the LogRhythm System Monitor is to fill in these gaps at the endpoint. Two new powerful forensic visibility capabilities have been introduced in 5.1. Process Monitor provides independent monitoring of processes running on a host, when they start, and when they stop. Network Monitor provides independent monitoring of listening services, inbound connections, and outbound connections to/from a host. These capabilities, combined with existing endpoint monitoring features (i.e., File Integrity Monitor, DataLoss Defender), provide powerful and unequaled forensic awareness and visibility at the host.

I hope you find LogRhythm 5.1 as exciting as we do. The LogRhythm engineering team has worked hard to bring you another quality software release we are very proud of.

Sincerely,
Chris Petersen
CTO, VP Engineering, Co-founder


Overview
This document provides a brief description of new features and the most significant improvements introduced in LogRhythm 5.1. Please refer to the Release Notes for the complete list of new features, improvements, modifications, and known issues found in LogRhythm 5.1.

System Monitor Features and Improvements


New Operating System Support
We have added support for the following operating systems and Linux distributions:
  HP-UX
  Linux (Debian)
  Linux (Ubuntu)

New Collection Interfaces, Capabilities, and Improvements


SNMP Trap Listener

The Windows System Monitor now includes an integrated SNMP Trap Listener. SNMP versions 1, 2 and 3 are supported.
Netflow v9

The Windows System Monitor now supports Netflow v9 in addition to versions 1 and 5. This provides support for the latest version of Netflow shipping with Cisco products. Netflow v9 is also compatible with a variety of non-Cisco products.
Recursive Flat File Collection

This capability allows for the collection of flat files matching a specific file name pattern that reside in a root directory or any of its child directories. This is ideal for applications (e.g., web servers) that generate new directories containing log files on a daily or weekly basis.
Integrated Syslog Server for UNIX and Linux System Monitor

The Windows System Monitor has always had an integrated Syslog Listener for receiving UDP and TCP based Syslog. This same capability has been added in UNIX and Linux versions of the System Monitor. This is ideal for extending the collection infrastructure in *NIX-centric environments where a single agent can collect and forward Syslog from the entire environment.
Checkpoint Firewall/VPN Secure Configuration Verification (SCV) Support

The Windows System Monitor now supports collection of logs generated via Checkpoint's Secure Configuration Verification module.
Windows Remote Event Log Connection Optimization

The number and frequency of new connections required to collect Event Logs remotely has been significantly reduced. This results in overall performance improvements and reduces the number of logs written to the Windows Security Event log as a result of remote collection activity.


Windows 1252 Codepage Extended ASCII support

Log messages containing Extended ASCII characters for languages included in the Windows 1252 codepage will be collected and presented in the native language. This includes the following languages:
  Afrikaans, Basque, Catalan, Danish, Dutch, English, Faroese, Finnish, French, Galician, German, Icelandic, Indonesian, Italian, Malay, Norwegian, Portuguese, Spanish, Swahili, Swedish

New Forensic Visibility and Awareness Features


A tenet of LogRhythm's vision is to provide profound visibility into the operating environment. We do this to help our customers better understand the environment as it affects or is impacted by security, operations, and compliance/audit events. In LogRhythm 5.1, we have introduced two significant features that provide forensic awareness into the activity of a host.
Network Connection Monitor

This feature provides an audit trail of connections to and from the host on which the System Monitor is installed. We also detect and log listening services. This is an optional capability available in System Monitor Lite that can provide constant or on-demand visibility into how a host is interacting on the LAN, WAN and Internet.
Use Case

Deploy System Monitors and enable Network Connection Monitor on servers in a DMZ and alert on unauthorized connections from DMZ hosts to hosts on the Internet or inside the trusted network.
Use Case

Deploy System Monitors and enable Network Connection Monitor on key servers and alert if a network connection is observed initiating directly from the Internet or other unauthorized networks.
Process Monitor

This feature provides an audit trail of processes running on a host. Logs are generated whenever a new process or program starts or a previously running process or program stops. This is an optional capability available in System Monitor Lite that can provide constant or on-demand visibility into what processes and applications a host is running.
Use Case

Deploy System Monitors and enable Process Monitor on key servers. Create a whitelist of authorized programs and alert if any program is observed not in the approved whitelist.
Use Case

Deploy System Monitors and enable Process Monitor on user desktops. Create a blacklist of high-risk unauthorized programs (e.g., BitTorrent) and alert if such programs are observed on monitored hosts.


System Monitor Feature Matrix

The matrix compares System Monitor Lite and System Monitor Pro on Windows and UNIX. Items marked New! 5.1 are introduced in this release. The first six items are available in all four editions; System Monitor Pro for Windows supports every item listed.

  Timestamp Normalization
  Collection Scheduling
  Compressed Data Transmission
  Encrypted Data Transmission
  Flat File Log Collection
  Recursive Flat File Log Collection (New! 5.1)
  Windows Event Log Collection (Windows only)
  Remote Windows Event Log Collection (Windows only)
  Integrated UDP Syslog Server (New! 5.1 on UNIX)
  Integrated TCP Syslog Server (New! 5.1 on UNIX)
  Integrated Netflow Server v1 and v5 (Pro, Windows only)
  Integrated Netflow Server v9 (New! 5.1; Pro, Windows only)
  Integrated SNMP Trap Receiver (New! 5.1; Pro, Windows only)
  Remote Checkpoint Firewall Log Collection (via LEA) (Pro, Windows only)
  Remote Cisco IDS Log Collection (via SDEE) (Pro, Windows only)
  Remote Database Log Collection (UDLA) (Pro, Windows only)
  System Performance Monitoring (Pro, Windows only)
  Data Loss Defender
  File Integrity Monitoring
  Process Monitor (New! 5.1, all editions)
  Network Connection Monitor (New! 5.1, all editions)
  User Activity Monitoring (all editions)

New Meta-data Fields and Resolution Enhancements


In 5.1, new meta-data fields have been introduced. We have also improved how some derived values are determined. These are very significant changes in terms of what information is presented for every log message and event. These new fields and enhancements provide immediate value from an analysis, reporting, and alerting standpoint. They have also been implemented to prepare for additional automated and visual analysis capabilities planned in future releases.

NOTE: It is very important that the Administrator of LogRhythm understands how the configuration of your deployment affects how these fields are determined and, as a result, their usefulness throughout the product. Please refer to online help to learn more or contact support for additional information.

New Meta-Data Fields


Origin & Impacted Entity

The Origin Entity is the Entity with which the Origin Host is associated. The Impacted Entity is the Entity with which the Impacted Host is associated. Because Entities typically map to physical operating locations or classes of systems, these two fields provide very useful context in terms of understanding the Entity from which the action (e.g., attack, logon) originated and the Entity impacted by the action. The introduction of these fields enables analysis, reporting and alerting based on the Entity in which the Origin or Impacted Host resides.


Use Case

Report and alert on authentication activity across Entity boundaries. For instance, if each Entity were a separate business unit, this report would show authentications between business units.
Origin & Impacted Network

The Origin Network is the Network with which the Origin Host is associated. The Impacted Network is the Network with which the Impacted Host is associated. These two fields provide very useful context when analyzing Host-to-Network and Network-to-Network relationships. The introduction of these fields enables analysis, reporting and alerting based on the Network in which the Origin or Impacted Host resides.
Use Case

Report and alert on network traffic between untrusted and trusted networks. For instance, if you had created a DMZ Network and a Production Servers Network, you could alert on any activity originating from the DMZ Network targeting any host in the Production Servers network.
Origin & Impacted Zone

The Origin Zone is the Zone (Internal, External, DMZ) in which the Origin Host resides. The Impacted Zone is the Zone in which the Impacted Host resides. The introduction of these fields enables analysis and reporting based on the Zone in which the Origin or Impacted Host resides.
Origin & Impacted Location

The Origin Location is the location in which the Origin Host resides. The Impacted Location is the location in which the Impacted Host resides. Location can be presented or considered for filtering at the Country, Region, or City level. These fields are introduced as part of the new Geolocation feature described below and enable analysis, reporting, and alerting based on geographic location.
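To make the derivation concrete, here is an added Python model (not LogRhythm's code) of how the Origin and Impacted Entity, Network, Zone and Location fields can be resolved from configured Known Networks, and how the DMZ-to-Production Servers alert from the Network use case and the cross-Entity report from the Entity use case can be expressed against the enriched fields. The network names, CIDRs, Entity names and locations are constructed sample values.

```python
# Illustrative model (added example, not LogRhythm code) of deriving
# Origin*/Impacted* meta-data fields from host IPs via Known Networks.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class KnownNetwork:
    name: str
    cidr: str
    entity: str
    zone: str       # Internal, External or DMZ
    location: str   # static location assignment (Country/Region/City)


# Constructed sample Known Networks; all values are hypothetical.
KNOWN_NETWORKS = [
    KnownNetwork("DMZ", "203.0.113.0/24", "HQ", "DMZ", "US/Colorado/Boulder"),
    KnownNetwork("Production Servers", "10.10.0.0/16", "HQ", "Internal", "US/Colorado/Boulder"),
    KnownNetwork("Branch LAN", "10.20.0.0/16", "Branch", "Internal", "UK/Berkshire/Maidenhead"),
]


def resolve(ip: str) -> dict:
    """Return entity/network/zone/location for one host IP.
    Longest-prefix match wins; an address in no Known Network is treated
    as External with no Entity, Network or static Location."""
    addr = ip_address(ip)
    best: Optional[KnownNetwork] = None
    for net in KNOWN_NETWORKS:
        n = ip_network(net.cidr)
        if addr in n and (best is None or n.prefixlen > ip_network(best.cidr).prefixlen):
            best = net
    if best is None:
        return {"entity": None, "network": None, "zone": "External", "location": None}
    return {"entity": best.entity, "network": best.name, "zone": best.zone, "location": best.location}


def enrich(log: dict) -> dict:
    """Add origin_* and impacted_* fields to a parsed log record."""
    o, i = resolve(log["origin_ip"]), resolve(log["impacted_ip"])
    return {**log,
            **{f"origin_{k}": v for k, v in o.items()},
            **{f"impacted_{k}": v for k, v in i.items()}}


def dmz_to_production(log: dict) -> bool:
    """Alarm rule from the Network use case: any activity originating in
    the DMZ Network targeting a host in the Production Servers Network."""
    e = enrich(log)
    return e["origin_network"] == "DMZ" and e["impacted_network"] == "Production Servers"


def cross_entity(log: dict) -> bool:
    """Entity use case: activity between two different known Entities."""
    e = enrich(log)
    return (e["origin_entity"] is not None and e["impacted_entity"] is not None
            and e["origin_entity"] != e["impacted_entity"])
```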

Meta-Data Field Resolution Enhancements


The approach for deriving the following fields has been modified and improved in LogRhythm 5.1. Although these improvements should not negatively affect an existing deployment, it is important to understand how these fields are determined based on your configuration.
  Known Origin Host
  Known Impacted Host
  Known Origin Network*
  Known Impacted Network*
  Origin Zone*
  Impacted Zone*
  Direction

* NOTE: Although these fields are listed as new in 5.1, the fields did exist in previous versions. However, they were minimally exposed or completely hidden from the end-user. In 5.1 how these fields are determined has changed and the fields are visible and usable directly by the end-user.

Log Analysis Features and Improvements


Geolocation

Ever wonder where an attack originated from geographically or where data was sent to? With LogRhythm Geolocation, wonder no more. LogRhythm's Geolocation capability can provide city level location awareness for every Origin and Impacted Host represented in a log message. This capability is implemented at the Log Manager layer, meaning every log collected by LogRhythm can have Geolocation information assigned. Geolocation information is assigned to a log based on static assignment and automatic resolution. Static location assignment is available to all 5.1 users. This capability allows you to assign specific locations to Known Hosts and Networks that will be used during log processing to assign location to Origin and Impacted Hosts.


Automatic location resolution requires a separate software license purchased on an annual subscription basis. Automatic location resolution resolves public IP addresses to their last known physical location. The list of last known locations is provided via the LogRhythm knowledge base and updated periodically. Country-level resolution accuracy is 99.9%, with city level resolution accuracy around 95%. Annual license fees for this functionality are $1,000, $2,500 and $5,000 for LR500/LRX1, LR1000/LRX2 and LR2000/LRX3 XM and LM models respectively. If you are interested in licensing this capability, please contact your LogRhythm Customer Relationship Manager at (303) 413-8745.

Geolocation information is available in Personal Dashboard, Investigator, and Tail. It is also available in Reports targeting the Event Manager or Log Managers. Geolocation information is not currently available in Log Miner or LogMart. Geolocation criteria can be specified for searches and for reports. Criteria can also be specified for Alarm Rules and Global Log Processing Rules.
Use Case

Report and alert on remote authentication activity originating from locations outside expected states and/or countries.
Use Case

Report and alert on data transfers from sensitive servers to locations outside known and authorized geographic operating locations.
Network Visualization

A new tool has been added to Investigator for visually describing the relationships between hosts as represented in log data. This tool maps the relationships between hosts as contained within configurable containers such as Zone (e.g., DMZ, Internal), Location, and Network. Failure and security conditions are depicted with red links. Line width represents the relative amount of activity between related hosts or host containers. Mousing over hosts or host containers provides summary statistics such as kilobytes of traffic, packet counts, and log counts. This tool provides a revolutionary new way of looking at log data containing information on host-to-host interactions. The following screenshot depicts Port 80 and 443 traffic.


New Investigator and Personal Dashboard Charts

Two new charts have been added to Investigator and Personal Dashboard:
  Logs by Day and Hour
  Logs by Day of Week and Hour of Day
Use Case

Analyze VPN activity by day and hour of day to visually see the frequency and pattern of VPN authentications. Identify anomalous trends in VPN activity based on daily averages and/or time-of-day.


New Investigator Meta-Data Charts

Three new charts have been added to the Meta-data Statistics tool within Investigator. These three charts provide a visual display of every unique meta-data value compared to all other values across the number of logs, the amount of data sent/received, and the number of packets sent/received. These charts are designed to provide visual trending and easy identification of anomalous activity. Following is a screenshot of the three new charts for a meta-data statistics pane configured to show Impacted Host:
  Impacted Host by Log Count
  Impacted Host by KBytes In/Out
  Impacted Host by Items In/Out

Time-based Drill-Down Improvements

An improved drill-down mechanism has been introduced for all charts that show activity by time. In previous versions of LogRhythm, you were able to drill down on an individual point representing a time range. In 5.1, this capability remains, and the ability to select a range of time has been added. In any time-based chart, simply click and hold the left mouse button and drag the mouse to the right until you reach the end of the range. Release the left mouse button and double click inside the highlighted area to drill down.


Reporting New Features and Improvements


Custom Report Templates

You can now create your own report templates if the provided out-of-the-box templates do not suit your organization's needs. Both detail and summary templates can be created via a Wizard based tool. All log message properties can be used with a variety of grouping and sorting options. The result is near infinite possibilities in terms of what you want included in a report. This capability combined with LogRhythm's previous reporting capabilities provides near limitless reporting options.


Custom Report Branding

You can now replace the LogRhythm logo that is printed on reports with an image of your choosing. This is done by selecting File > Options from the Report Center and checking the Use Custom Logo checkbox.

Event Management New Features and Improvements


Batch Alarm Record Management

You can now select multiple alarms in Alarm Viewer and edit their status/comments in batch.


Personal Dashboard Shared Filters

The filtering function within Personal Dashboard has been significantly improved. Filters are easier to create and manage with more powerful filtering options. In addition, Personal Dashboard Filters can be shared across the LogRhythm user base.
Use Case

Configure shared Personal Dashboard Filters for the security analyst team and helpdesk operations. When these users access their Personal Dashboard, the events displayed are automatically filtered based on their job function.

Administration New Features and Improvements


Batch System Monitor Agent Editing

All properties of a System Monitor can now be edited in batch. This simplifies the administration of deployments where large numbers of System Monitors are deployed.
Batch Host and Network Editing

Hosts and Networks can now be edited in batch. The following properties are available for batch editing:
  Zone
  Location
  Risk Level
  Threat Level
Right Click Add Host

Ever wished you could add a host from a log message you are analyzing to LogRhythm's list of Known Hosts? Wish no more. A new context menu is available from Log/Event lists. Simply select the log or event containing the host you wish to add and choose to add the Origin or Impacted Host as a Known Host.

LogRhythm Headquarters
3195 Sterling Circle, Boulder, CO 80301
303-413-8745

LogRhythm EMEA
Siena Court, The Broadway, Maidenhead, Berkshire SL6 1NJ, United Kingdom
+44 (0) 1628 509 070

LogRhythm Asia Pacific Ltd.
8/F Exchange Square II, 8 Connaught Place, Central, Hong Kong
+852 2297 2812
