LogRhythm Data Flows

The Scope

Entities / Relationships
Logical Processes
Current State of the System

Processing

Explicit vs Implicit

Parsing

Repeatable
Predictable
Mappable

Enriching

More dimensions
Uncertainty
Complexity

06 20 2016 16:00:42 10.3.10.53 <LOC0:INFO> Jun 20 16:00:42 192.168.1.60 
EVID:0022 Denial of service detected 67.149.241.76:40009 -> 161.200.1.1:69 UDP

Map, Reduce, Filter

Mapping

const doubledArray = [1, 2, 3, 4].map(function (n) {
  return n * 2;
});

doubledArray == [2, 4, 6, 8];

Reducing

const sum = [1, 2, 3, 4].reduce(function (previousValue, n) {
  return previousValue + n;
}, 0);

sum == 10;

Filtering

const evens = [1, 2, 3, 4].reduce(function (n) {
  return n % 2 == 0;
});

evens == [2, 4];

Inputs

Raw Logs

Self-contained
Require parsing
Poor signal-to-noise

Endpoint Monitoring

File System
Registry
Process List
Network Connections
User Logons
Removable Media

Network Packets

Through NetMon
Generates Flows
Forwards Logs

SIEM

Log Processing

Storage

Alarming

Cases

The Good, the Bad, and the Ugly

One-way data flows
Single entry point
Immutable logs

LogRhythm Data Flows

The Scope

Processing

Explicit vs Implicit

Parsing

Enriching

Map, Reduce, Filter

Mapping

Reducing

Filtering

Inputs

Raw Logs

Endpoint Monitoring

Network Packets

SIEM

Log Processing

Storage

Alarming

Cases

The Good, the Bad, and the Ugly

The Good

The Bad / Ugly

Log Serialization

Archiving

Events

Alarms

Sessions / Flows