Upgrade your SIEM and UEBA Functions with LogRhythm 7.11

  • Jan 05, 2023
  • Ryan Gamboa
  • 5 minutes to read

    At Exabeam, we know the foundation of security information event management (SIEM) is collection. That’s why we’ve focused our efforts on supporting as many log sources as possible and making it easier for customers to get into the system with our latest SIEM release, LogRhythm SIEM version 7.11.

    LogRhythm SIEM 7.11, which releases on Jan. 5, expands our library of supported sources, enhances Message Processing Engine (MPE) rule sharing, and adds functionality to the APIs for greater automation. Backed by nearly 20 years of experience in the security analytics space, we’re continuing to keep our quarterly promises to deliver new features and innovation for our customers. Let’s dive deeper into the features of the latest SIEM release.

    Simplifying Open Collector administration   

    Collection is the heart of the SIEM. Without a simple user interface to configure, test, and manage modern log sources using Open Collector, the service that parses JavaScript Object Notation (JSON) data, collection can be difficult for some users. To ease the user experience, we launched a new Web UI that runs on Open Collector called OC Admin. 

    The new web-based UI eases the user experience and greatly reduces the time and effort it takes to configure, deploy, and manage log sources that require Open Collector. Prior to LogRhythm SIEM version 7.11, all interactions with Open Collector and its Beats took place from the command line, which often made certain tasks difficult, such as configuring collection from cloud sources using the Generic REST API Beat.

    The latest feature offers an easy-to-use graphical interface to help users more easily manage log sources collected by Open Collector. By using OC Admin, it takes teams a tenth of the time required to configure a Beats configuration since it’s no longer necessary to manually re-enter all the parameters when prompted by Open Collector’s command line tool. 

    Enhanced auditing support  

    As a LogRhythm SIEM customer, admins on your team often make changes to configurations such as adding a user or editing an AI Engine rule. When making any change, it’s crucial to track what occurred. Without this insight, it’s difficult to monitor for malicious internal and external activity. 

    We recognized the need and now enable audit logging around critical administrative tasks out of the box. And with the SIEM’s powerful searching, reporting, and alarming capabilities, it’s easy to keep track of important changes. LogRhythm SIEM 7.11 introduces the Enhanced Auditing feature, which enables teams to monitor configuration changes in the following areas:

    • AI Engine Rules  
    • AI Engine Rule Sets 
    • AI Engine Workloads 
    • Alarm Rules 
    • Entities 
    • Global Log Processing Rules (GLPR) 
    • Identities 
    • People/User Accounts 
    • Log Sources 

    LogRhythm SIEM’s Enhanced Auditing feature lets you easily search through configuration changes to see who made changes and when they occurred. Admins can set up alerts to closely monitor critical configurations and now have greater visibility into users that have access to important data. Monitoring the configuration of the SIEM helps your team ensure system fidelity. 

    Figure 4: Track who made configuration changes with LogRhythm SIEM’s Enhanced Auditing feature.

    Improved MPE Rule sharing 

    When it comes to log sources, we know new, uncommon, and unique log sources that don’t have out-of-the-box parsers will always exist. Having a healthy Community that can share parsing rules often saves users time. To share work with peers, it’s crucial to have a reliable and easy way to export and import rules across environments. Today, exporting an MPE rule is simple, but importing one can be challenging. 

    We recognized this challenge and created an easy way to import MPE rules. With LogRhythm SIEM 7.11’s MPE Rule Sharing feature, users are guided through an import process that makes it easy to view and customize MPE rule import options. 

    When importing a rule, users can now clearly see the Common Events and Message Source Types associated with the exported rule. Users can also view the Common Events and Message Source Types that already exist in their systems. By having the import and existing information clearly displayed, administrators can select how to handle the import: by overwriting or associating the existing object or creating a new object. This feature helps users easily share their work with peers in the Community.

    Admin API endpoints for log source virtualization 

    Automating log source onboarding and configuration through the Admin API helps administrators reduce day-to-day mundane tasks. The Admin API lets administrators take advantage of automation, but only to a certain extent. For example, configuring log source virtualization through the API is not available, making it impossible to automate advanced log source types and customizations.

    To overcome this hurdle, LogRhythm SIEM 7.11 introduces new endpoints to the Admin API, which lets users configure certain log source virtualization settings and MPE rules via API. The API helps users automate the creation of new virtualization templates and administration of MPE rules, enabling more advanced work with log sources. We plan to enhance the log source virtualization capability even further in the next release. 

    Continuous log source support and parsing improvements 

    As technology continues to evolve, it’s important to revisit our supported log sources and help you derive greater value. These updates enable better correlation and analysis of specific Beats to obtain a greater understanding of your data. Our latest Open Collector enhancements focus on Google Cloud Platform (GCP)’s Security Command Center (SCC) and Audit. The updates better equip customers to monitor Google Cloud’s centralized vulnerability and threat reporting services. 

    Additionally, we’ve updated our MDI Fabric capabilities to enhance multiple MPE rules and signature IDs across Cisco Meraki, F5 Big-IP, VMware, and Windows WMI. MDI Fabric converts complex terminology into human English. This helps analysts easily understand the data they are exploring.

    As part of our ongoing commitment to excellence, we’re constantly enhancing our ability to help you collect and receive value from log sources in your environment. A big part of that is updating our tooling — our System Monitor (SysMon) Agent. With this release, we now have additional support to host our SysMon agent on Ubuntu 20 and 22, which gives you another operating system on which to run agents. 

    New and enhanced SmartResponses™ 

    That’s not all. We’re continuing to add to our growing library of SmartResponses™, our prebuilt automated actions for third-party integrations. These actions enable you to execute preventative actions, accelerate your response, and shorten your workflow. With the LogRhythm SIEM 7.11 release, we’ve included the following new and enhanced SmartResponses™:  

    • urlscan.io 
    • Microsoft 365 Defender for Endpoint V1  
    • TrendMicro Vision One  
    • Microsoft OneDrive/SharePoint  
    • Microsoft Office 365 V3 

    Getting started with LogRhythm SIEM 7.11 

    This is only the beginning. We’re laying the foundation for bigger things to come for LogRhythm SIEM. Download LogRhythm 7.11 from Community today! 

    Ryan Gamboa

    Senior Product Manager, LogRhythm SIEM | Exabeam | Ryan Gamboa is a Senior Product Manager focused on the LogRhythm SIEM at Exabeam. He takes feedback from customers, field teams, internal stakeholders, and the market to prioritize the work that makes Exabeam’s products best in class. He has 15 years of experience in the security space, holding roles in professional services, engineering, and product. Ryan received a BS degree in Business from the University of Notre Dame. He enjoys playing soccer, skiing, hiking, music, cooking, and projects around the house.
