Security, et al

Randy's Blog on Infosec and Other Stuff


LogRhythm 5.0 Opens New Frontier in Log Management with Active Directory Integration

Tue, 15 Sep 2009 15:11:14 GMT

I’m very impressed with the Active Directory integration found in LogRhythm 5.0.  This represents a new frontier in log management maturity.  The new AD integration in LogRhythm 5.0 allows you to combine information from Active Directory with key security log events to take your monitoring and response procedures to the next level of intelligent filtering and automated incident response.

This kind of capability is important because you need to constantly look for ways to reduce the number of alerts and report pages that you have to review and respond to, either by automating the response itself or by doing a better job of qualifying events that are actually inconsequential, that is, expected activity. At the same time you need to constantly improve your monitoring procedures to quickly identify and respond to those events that truly are relevant.

With LogRhythm 5.0 you can add monitoring criteria that, for instance, take the user who triggered a given event, look that user up in AD, and check whether he/she belongs to a specified group. Based on that membership, you can discard the event or trigger an alarm.

LogRhythm 5.0 also allows you to enrich reports with information from Active Directory. Usually the only information about a user or group in a given log record is the object’s name, which makes it difficult to put the event in context. Being able to pull additional properties for that user or group from AD saves you lots of time and greatly improves your analytical capabilities.
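To make the two ideas above concrete (group-based discard/alarm decisions and property enrichment), here is an added illustration that is not LogRhythm's code and does not query a real directory: the directory is a constructed in-memory dict standing in for AD, the events are made-up records using the Windows event IDs for "special privileges assigned" (4672) and "user account created" (4720), and the group names and rules are assumptions chosen for the example.

```python
"""Group-based filtering and AD-style enrichment of security events.

Everything below is constructed for illustration: DIRECTORY stands in
for Active Directory (a real deployment would resolve the user via LDAP),
EVENTS are made-up log records, and the rules are example policy only.
"""

# Constructed directory: sAMAccountName -> groups and a few properties.
DIRECTORY = {
    "jsmith": {"groups": {"Domain Users"}, "department": "Sales", "title": "Account Rep"},
    "svc-backup": {"groups": {"Domain Users", "Backup Operators"}, "department": "IT", "title": "Service account"},
    "adm-lee": {"groups": {"Domain Users", "Domain Admins"}, "department": "IT", "title": "Sysadmin"},
}

# Constructed events modelled loosely on Windows security log fields.
EVENTS = [
    {"event_id": 4672, "user": "svc-backup", "host": "FS01"},                 # expected privilege use
    {"event_id": 4672, "user": "jsmith", "host": "WS17"},                     # unexpected privilege use
    {"event_id": 4720, "user": "adm-lee", "host": "DC01", "target": "newhire"},  # admin created account
    {"event_id": 4720, "user": "jsmith", "host": "DC01", "target": "tmp"},    # non-admin created account
    {"event_id": 4672, "user": "ghost", "host": "DC01"},                      # user absent from directory
]


def lookup(user, directory=DIRECTORY):
    """Hypothetical directory resolver; returns the user's record or None."""
    return directory.get(user)


def classify(event, directory=DIRECTORY):
    """Return (verdict, enriched_event); verdict is 'discard', 'review' or 'alarm'."""
    enriched = dict(event)
    info = lookup(event["user"], directory)
    if info is None:
        # An account the directory does not know about is itself worth an alarm.
        enriched["note"] = "user not found in directory"
        return "alarm", enriched
    # Enrichment: carry AD properties into the record so a reviewer has context.
    enriched.update(department=info["department"], title=info["title"], groups=sorted(info["groups"]))
    groups = info["groups"]
    if event["event_id"] == 4672:
        # Privilege use is expected from admins and approved service-account groups.
        return ("discard" if groups & {"Domain Admins", "Backup Operators"} else "alarm"), enriched
    if event["event_id"] == 4720:
        # Account creation is expected only from Domain Admins; still worth a look.
        return ("review" if "Domain Admins" in groups else "alarm"), enriched
    return "review", enriched


def triage(events=EVENTS, directory=DIRECTORY):
    """Run every event through the group-membership rules."""
    return [classify(e, directory) for e in events]
```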

If you’d like more ideas for integrating log data with Active Directory information for more sophisticated and automated monitoring and forensic analysis, or would like to see LogRhythm 5.0’s AD integration features demonstrated, check out my on-demand webinar: 5 Cutting Edge Response Techniques that Integrate Security Events with Active Directory.
