RhythmX
Behavioral Threat Detection Platform Powered by Machine Learning
Version 3.0
RhythmX is a high-performance behavioral threat detection platform powered by Sigma-based detection and machine learning. It ingests logs in near real-time, applies community and custom RhythmX rules, and surfaces threats across Windows and Linux environments. RhythmX integrates with LogRhythm for log forwarding and case synchronization.
What It Does
RhythmX provides an independent detection and analytics layer powered by the open RhythmX rule standard and machine learning. It integrates with LogRhythm's Log Distribution Services for log ingestion, delivering flexible, community-driven threat detection at scale.
- Integrates with LogRhythm via Log Distribution Services for seamless log ingestion
- Ingests logs from multiple sources including LogRhythm-forwarded events
- Supports multiple log sources — Windows Event Logs, Linux Sysmon, and Linux Auditd
- Runs detections against every log batch in near real-time
- Correlates alerts across 23 threat use cases including APT chains, lateral movement, and Kerberos attacks
- Manages incidents with automated risk scoring, SLA tracking, and external ticket integration
- Outputs structured alerts in a format compatible with LogRhythm and other SIEM platforms
- Accepts custom RhythmX rules so teams can rapidly author and deploy new detections
Why RhythmX
| Capability | What RhythmX Delivers |
|---|---|
| RhythmX rule support | Runs the full RhythmX rule standard against forwarded logs |
| Machine learning | Adds ML-driven detection alongside rule-based analysis |
| 7-factor risk scoring | Composite risk model combining MITRE coverage, ML signals, privilege context, and behavioral volume |
| 23 correlation use cases | Automated detection of complex attack patterns including Kerberos, APT, and ransomware |
| Incident management | Automated incident creation, SLA tracking, Jira/ServiceNow integration |
| MSSP multi-tenancy | Full multi-tenant support with entity-aware data across all integrations |
| Rapid detection authoring | Drop in a .yml RhythmX rule — detections are live on the next cycle |
| Cross-platform coverage | Native support for Windows, Linux Sysmon, and Linux Auditd |
| External feed API | Read-only API for customer SOCs and SOAR platforms to pull incident data |
| Performance at scale | Optimized for 20,000–25,000 events per second sustained throughput |
| Open detection logic | RhythmX rules are open, portable, and community-driven |
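To make concrete what "runs detections against every log batch" and "drop in a .yml rule" mean in practice, here is an added Python sketch that is not RhythmX code and does not reflect its internals. It evaluates a Sigma-shaped rule (inlined as the dict a YAML loader would produce, so no YAML library is needed) against a constructed batch of Windows process-creation events and emits structured alerts. The rule id, field names, host names and events are all constructed for the example. It implements a subset of Sigma semantics: `contains`/`startswith`/`endswith` field modifiers, list values as OR within a field, AND across fields, and `and`/`or`/`not` in the condition without parentheses.

```python
"""Minimal Sigma-style rule evaluator (added illustration, not RhythmX code)."""
from __future__ import annotations

# Constructed rule in the shape a Sigma .yml rule takes once parsed.
# The id is a placeholder, not a real rule identifier.
ENCODED_POWERSHELL_RULE = {
    "title": "Encoded PowerShell Command Line",
    "id": "00000000-0000-0000-0000-000000000001",
    "logsource": {"product": "windows", "category": "process_creation"},
    "detection": {
        "selection": {
            "Image|endswith": "\\powershell.exe",
            "CommandLine|contains": ["-enc", "-EncodedCommand"],
        },
        # Exclude a hypothetical monitoring agent that legitimately spawns encoded commands.
        "filter": {"ParentImage|endswith": "\\monitoring_agent.exe"},
        "condition": "selection and not filter",
    },
    "level": "high",
    "tags": ["attack.execution", "attack.t1059.001"],
}

# Constructed batch of process-creation events (field names follow Sysmon-style naming).
SAMPLE_BATCH = [
    {"EventID": 1, "Computer": "WS01", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -NoP -EncodedCommand SQBFAFgA", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "Computer": "WS02", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe -enc SQBFAFgA", "ParentImage": "C:\\Agents\\monitoring_agent.exe"},
    {"EventID": 1, "Computer": "WS03", "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c whoami", "ParentImage": "C:\\Windows\\explorer.exe"},
    {"EventID": 1, "Computer": "WS04", "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": "powershell.exe Get-Process", "ParentImage": "C:\\Windows\\explorer.exe"},
]


def match_value(actual, modifier, expected) -> bool:
    """Compare one field value against one expected value (Sigma matching is case-insensitive)."""
    a, e = str(actual).lower(), str(expected).lower()
    if modifier is None:
        return a == e
    if modifier == "contains":
        return e in a
    if modifier == "startswith":
        return a.startswith(e)
    if modifier == "endswith":
        return a.endswith(e)
    raise ValueError(f"unsupported modifier: {modifier}")


def match_selection(selection: dict, event: dict) -> bool:
    """All fields in a selection must match (AND); a list of values for a field is OR."""
    for key, expected in selection.items():
        field, _, modifier = key.partition("|")
        if field not in event:
            return False
        values = expected if isinstance(expected, list) else [expected]
        if not any(match_value(event[field], modifier or None, v) for v in values):
            return False
    return True


def eval_condition(condition: str, results: dict) -> bool:
    """Evaluate a Sigma condition over named selection results. Supports and/or/not, no parentheses."""
    tokens = condition.split()
    pos = 0

    def parse_or():
        nonlocal pos
        value = parse_and()
        while pos < len(tokens) and tokens[pos] == "or":
            pos += 1
            rhs = parse_and()  # always evaluate so the token stream advances
            value = value or rhs
        return value

    def parse_and():
        nonlocal pos
        value = parse_not()
        while pos < len(tokens) and tokens[pos] == "and":
            pos += 1
            rhs = parse_not()
            value = value and rhs
        return value

    def parse_not():
        nonlocal pos
        if tokens[pos] == "not":
            pos += 1
            return not parse_not()
        name = tokens[pos]
        pos += 1
        return results[name]

    value = parse_or()
    if pos != len(tokens):
        raise ValueError(f"could not parse condition: {condition!r}")
    return value


def run_rule(rule: dict, event: dict) -> bool:
    """Evaluate every named selection of the rule, then its condition, against one event."""
    det = rule["detection"]
    named = {k: match_selection(v, event) for k, v in det.items() if k != "condition"}
    return eval_condition(det["condition"], named)


def run_batch(rules: list, batch: list) -> list:
    """Run all rules over a log batch and return structured, SIEM-style alert records."""
    alerts = []
    for event in batch:
        for rule in rules:
            if run_rule(rule, event):
                alerts.append({"rule_id": rule["id"], "title": rule["title"], "level": rule["level"],
                               "tags": list(rule["tags"]), "host": event.get("Computer"),
                               "event_id": event.get("EventID"), "command_line": event.get("CommandLine")})
    return alerts


if __name__ == "__main__":
    for alert in run_batch([ENCODED_POWERSHELL_RULE], SAMPLE_BATCH):
        print(alert)
```

Running the module prints one alert: the WS01 event matches the selection, the WS02 event is suppressed by the filter, and the cmd.exe and plain PowerShell events never match the selection. The structured alert carries the rule's MITRE tags and severity, which is the shape of record a downstream risk-scoring or incident-creation step would consume.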
Quick Overview
```mermaid
flowchart TD
A["LogRhythm<br><i>Log Sources</i>"] --> B["Log Distribution Services"]
B --> C["RhythmX Engine"]
D["RhythmX Rules + ML<br><i>Built-in + Custom</i>"] --> C
C --> E["Structured Detections<br><i>SIEM-compatible</i>"]
style A fill:#4a148c,stroke:#7c43bd,color:#fff
style B fill:#1a237e,stroke:#534bae,color:#fff
style C fill:#b71c1c,stroke:#f05545,color:#fff
style D fill:#e65100,stroke:#ff9d3f,color:#fff
style E fill:#1b5e20,stroke:#4c8c4a,color:#fff
```
Explore the Architecture page for a detailed look at how logs flow through the system.