LogRhythm Intelligent IT Search

Would it be valuable for you to be able to discover which users outside of a trusted user community had accessed a file server that stores highly sensitive information? What about knowing which systems had been affected by a zero-day exploit and prioritizing them based upon the asset value of the impacted hosts? How about being automatically alerted when transactions in your financials application exceed a certain dollar amount?

Logs are the digital fingerprints for virtually all network, system and application activity. Whether you're searching for the root cause of a system failure or performance issue, looking for suspicious activity or potential security breaches, or identifying if and when compliance policies have been violated, log data provides necessary detail for true understanding of important events throughout your IT environment.

For IT professionals, the question isn't whether or not you'll be searching log data; the question is how quickly you can find the information you're looking for, if at all. Will it take days, weeks or months, or can you find it with a few clicks of the mouse? The answer depends on four things:

  • Is your log data collected centrally from all log sources and stored in an intelligent indexed format?
  • How well has your log data been enriched and prepared for Intelligent search?
  • How intuitive and quick is the search process?
  • How meaningful and insightful are the search results?

Traditional approaches to log search require users to know precisely what they are looking for, and to create and then refine search terms to locate events that match their query. LogRhythm processes logs and tags them using a rich and granular three-tier classification model that enables users to perform intelligent IT search. This capability assesses the impact of events in multiple dimensions to extract meaning from what would otherwise appear to be just isolated logs.

By adding this additional intelligence to raw logs, LogRhythm enables IT organizations to quickly identify internal and external threats, operations issues and compliance violations. Additionally, Intelligent IT Search simplifies and accelerates forensic investigations and eDiscovery responses.

Adding Intelligence to Raw Logs

LogRhythm enriches logs with the following information to generate query results that provide intelligence… not simply data:

  • Universal time stamp for every log: Essential for accurate correlation and contextualization, especially when conducting forensic analysis of events that span multiple geographies.
  • Three Tier Classification System
    • Security: Compromise, Attack, Denial of Service, etc.
    • Operations: Critical Event, System Error, Warning, etc.
    • Audit: Admin Account Creation, Failed Authentication, etc.
  • Prioritization of Events – A 100-point risk model prioritizes events based on what happened, what systems or applications were impacted, what users were involved, etc.
  • User and Host Contextualization – Differentiates origin from impacted users and hosts. Enables security teams to rapidly identify exposure, impacted users and systems, and determine the origin of threats and the direction of the activity. For example, a large file transfer (10 MB) from a sensitive internal database (SAP) to an external IP address (in Romania).
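As an added illustration (not LogRhythm's code), the following Python sketch applies the four enrichment steps listed above to a few constructed log events, then answers the opening question of which non-trusted users touched a sensitive file server. The asset values, trusted-user set, classification mapping, internal network ranges and scoring weights are all assumptions made for the example; the 100-point model's real weights are not described on this page.

```python
# Added illustration (not LogRhythm's code) of the enrichment the page lists: UTC time stamp,
# three-tier classification, 0-100 risk score, origin vs impacted host. All values are constructed.
from datetime import datetime, timezone, timedelta
from ipaddress import ip_address, ip_network

INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed
ASSET_VALUE = {"sap-db01": 10, "fileserver-hr": 9, "ws-042": 2}           # assumed 1..10
TRUSTED_USERS = {"alice", "bob"}                                            # assumed
CLASSIFY = {"file_transfer": ("Security", "Suspicious Activity"),  # log type -> (tier, class)
            "file_access": ("Audit", "File Access"),
            "disk_error": ("Operations", "System Error")}

def to_utc(local_ts, tz_offset_hours):
    """Universal time stamp: source-local time -> UTC ISO-8601 string."""
    local = datetime.strptime(local_ts, "%Y-%m-%d %H:%M:%S")
    tz = timezone(timedelta(hours=tz_offset_hours))
    return local.replace(tzinfo=tz).astimezone(timezone.utc).isoformat()

def is_external(host):
    """Hostnames are inventory assets; an IP is external unless in an internal range."""
    try:
        return not any(ip_address(host) in net for net in INTERNAL_NETS)
    except ValueError:
        return False

def risk_score(tier, origin, impacted, user, nbytes):
    """Assumed 100-point model: asset value, what happened, direction, who."""
    score = 5 * max(ASSET_VALUE.get(origin, 0), ASSET_VALUE.get(impacted, 0))  # 0..50
    score += 20 if tier == "Security" else 0
    score += 20 if is_external(impacted) and nbytes >= 10_000_000 else 0  # large outbound
    score += 10 if user and user not in TRUSTED_USERS else 0
    return min(score, 100)

def enrich(raw):
    tier, cls = CLASSIFY.get(raw["type"], ("Operations", "Unclassified"))
    return {**raw, "utc": to_utc(raw["ts"], raw["tz"]), "tier": tier, "class": cls,
            "direction": "outbound" if is_external(raw["impacted"]) else "internal",
            "risk": risk_score(tier, raw["origin"], raw["impacted"], raw.get("user"), raw.get("bytes", 0))}

def untrusted_access(events, host):
    """The page's opening question: users outside the trusted community who touched host."""
    return {e["user"] for e in events
            if e["impacted"] == host and e.get("user") and e["user"] not in TRUSTED_USERS}

RAW_LOGS = [  # constructed sample logs from a source in UTC+2
    {"ts": "2024-03-01 09:15:00", "tz": 2, "type": "file_transfer", "user": "carol",
     "origin": "sap-db01", "impacted": "203.0.113.7", "bytes": 10_485_760},
    {"ts": "2024-03-01 09:20:00", "tz": 2, "type": "file_access", "user": "carol", "origin": "ws-042", "impacted": "fileserver-hr"},
    {"ts": "2024-03-01 09:21:00", "tz": 2, "type": "file_access", "user": "alice", "origin": "ws-042", "impacted": "fileserver-hr"}]
ENRICHED = sorted((enrich(r) for r in RAW_LOGS), key=lambda e: -e["risk"])  # prioritized view
```

The large outbound transfer from the SAP host scores highest and is tagged Security/outbound, while the file-server accesses land in the Audit tier and only the non-trusted user is returned by the query.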

Utility Tool Chest for Intelligent IT Search

Once log data is enriched, LogRhythm's broad suite of search utilities empowers users to rapidly investigate, view, correlate and visualize logs in a variety of ways to meet specific search objectives. The Intelligent Search Utilities include:

  • Wizard-based Search – Easily create complex search criteria across normalized, classified and contextualized data
  • Real-time Search – Apply search criteria to log data as it is generated in real time via LogRhythm Tail. Configure alerts to be sent whenever conditions matching specified search criteria occur in the future.
  • Visualization – Present millions of logs in 3-D graphical representation to discover anomalies and analyze trends
  • One-click Correlation – Rapidly refine a search with a single click on related data
  • Quick Search Tool Bar – Provides rapid search initiation directly from any screen

Investigator and Search

The LogRhythm Investigator is a powerful investigation tool used for searching and viewing specific sets of logs and events, such as those associated with a specific user, set of users, specific IP address or range, impacted hosts, impacted applications, date and time, and more. An easy-to-use wizard guides users through the selection of criteria for their specific investigation. Once defined, investigation criteria can be saved and used again. Investigations can include events, log metadata, raw log data or any combination thereof.

LogRhythm also offers comprehensive search capabilities to meet the unique needs of a variety of users. Whether you're an investigator looking for all activity associated with a specific user, an IT operations manager seeking to understand performance trends for a particular server, or an auditor looking for a list of individuals outside of a trusted user community that accessed a highly sensitive file server over the last 90 days, LogRhythm's quick search function can serve up unique and highly valuable information derived from millions of logs quickly and easily.