Data Sheet

LogRhythm NetMon

Reveal Threats with Network Data

Security teams need visibility into their organization’s networks to detect Unified Security Intelligence
threats, perform forensic investigations, support audits, and identify LogRhythm NetMon is available as a
operational issues. Because cyberattacks are often first observed within the standalone network forensics solution or as a
network itself, network monitoring plays an essential role in helping detect, component of the LogRhythm SIEM platform.
neutralize, and recover from attacks. The integrated solution delivers:

LogRhythm NetMon delivers more detailed network visibility than • Security analytics across a centralized
nextgeneration firewalls, IDS/IPS systems, and other common network data set for corroborated evidence
equipment. The rich data and deep insights delivered by NetMon help chaining, including:
organizations detect and respond to advanced threats, including nation-state
- All machine data generated by
espionage, zero-day malware, and data exfiltration. Out-of-band deployment
the environment
prevents any impact on network device capacity and performance.
- Host activity captured by

Detect Advanced Threats endpoint sensors

- Layer 7 application flow and packet

Detect advanced threats with market-leading application recognition,
data captured by LogRhythm NetMon
script-based analytics across network and application data, and rich data
for centralized scenario-based analytics. With NetMon, you can: • Analysis of sensor data to detect critical
anomalies indicative of spear phishing,
• Recognize data theft, advanced malware, botnet beaconing,
lateral movement, and suspicious
inappropriate network usage, and other threats.
file transfers
• Corroborate high-risk events observed at the network and application
• Centralized search and visualization to
level with environmental activity collected by the SIEM.
expedite investigations, and contextual
• Create powerful custom analysis rules to alert on advanced threats.
access to session-based PCAPs
• Act on hundreds of attributes, including individual application,
• Embedded security orchestration,
application family, SSL information, IP address, and more.
automation, and response
(SOAR) function
Empower Incident Responders
NetMon provides the option to capture and store session-
based PCAPs selectively or in full. The product provides
out-of-the-box application identification and application-
specific metadata. NetMon further enables your incident
response team with unstructured search, session playback,
and file reconstruction.
• Determine incident scope and exactly which data
and systems have been compromised.
• Generate irrefutable network-based evidence for
threat analysis, policy enforcement, audit support,
and legal action.
• Reconstruct files transferred across networks to
investigate suspected data exfiltration, malware
infiltration, and unauthorized data access.
Support Auditing and Operations
NetMon captures and analyzes data to help
resolve operational issues and meet audit
and compliance requirements:
• Alert on policy violations and workarounds.
• Detect bandwidth bottlenecks and other
performance issues.
• Identify compliance issues like exposed PII,
plain text passwords, and outdated protocols.
Flexible Deployment Options
NetMon sensors deploy via TAP, SPAN, or integration
with a third-party network packet broker. NetMon begins
analyzing traffic and recognizing applications immediately
upon installation. SmartFlow can be forwarded to an
analytics platform for further analysis.
• Physical appliances provide significant scalability
in a purposebuilt form factor.
• Software-based NetMon provides a cost-effective
choice for monitoring low-bandwidth sites, such as
remote locations.
• Virtual sensors illuminate activity on cloud
infrastructure and virtual environments.
[email protected] // 1.866.384.0713 // +44 (0)1628 918 330 // +65 6222 8110 // +61 2 8019 7185
© LogRhythm Inc. | DS217823-04
Powerful Capabilities
True Application Identification: Expedite network
forensics by automatically identifying and categorizing
traffic from over 3,300 applications using deep packet
inspection (DPI) and advanced classification methods.
Metadata Generation: Leverage NetMon-generated
SmartFlow™ metadata revealing Layer 2–7 details to
enable automated analysis, provide rich data for effective
investigation, and support automated response — all
without packet analysis or significant storage requirements.
Deep Packet Analytics (DPA): Automate threat detection
by continuously correlating against full packet payload
and SmartFlow™ metadata with out-of-the-box,
customizable scripts.
Unstructured Search: Perform ad hoc analysis. Drill down
to critical flow and packet data. With our Elasticsearch
backend, you have a powerful search engine to streamline
your investigation.
Full Packet Capture: Empower your incident responders
by capturing every bit crossing your network in industry
standard PCAP format.
SmartCapture™: Programmatically capture sessions based
on application or packet content to drastically reduce your
storage requirements while preserving the information
you need.
Packet Replay: Replay previously captured packets
through NetMon for deeper analysis. Replay traffic
manually or automatically through the NetMon REST API.
Alerts and Dashboards: Perform continuous analysis
via saved searches to immediately detect when specific
conditions are met, then surface alerts on customizable
monitoring dashboards.
SIEM Integration: Empower analysis and administrators
by integrating with third-party analysis and orchestration
tools via REST APIs providing direct access to session-
based PCAPs and reconstructed files.
www.logrhythm.com