Axon NIST 800-171 Compliance User Guide
The following documented support for the NIST 800-171 content bundle utilizes the mapping and controls for NIST 800-171 version 3. Additional support and updates to content will be made while the bundle is available.
Overview
Support for NIST 800-171 compliance in Axon includes a combination of searches, lists, dashboards, and reports that allow users to monitor defined activities, produce reports, and provide evidence to assessors and auditors as needed. The basis for data gathering in Axon is saved searches. Saved Searches allow a user to filter and surface specific activities that need to be monitored in dashboards or reported to management and assessors. This data is further refined by the usage of framework-specific LogRhythm System Lists. These lists are specific to customer environments and must be updated to include systems and users that are in-scope for the given compliance mandate. Dashboards allow analysts and/or management to monitor compliance focused activity on a recurring basis to look for anomalous behavior, system health, and environmental trends. Reports are PDF formatted exports of search data that can be scheduled by customers. Reports can be utilized by management and assessors to review activity, provide a population of data for testing, and provide evidence of management reviews as necessary. Where data would be best provided in a spreadsheet format, CSV exports can be run directly from the Search Page.
Getting Started
Update Compliance System Lists
System lists are published without any list items so that you can populate them with values that apply to your organization. Many of the searches included in this bundle are configured to use compliance focused system lists to outline the scope of your NIST 800-171 environment and surface that data within dashboards and reports.
Follow the Edit Lists workflow to populate the compliance system lists with values. List data should be reviewed and updated annually at a minimum.
Validate Dashboard Output and Search Data
Once system lists have been updated with appropriate users and log sources, data should be populated within the dashboard widgets and underlying searches. It is recommended to review dashboards and all related searches to ensure data is being returned as expected. Customers should refer to the “Tuning Guidance” section within the searches and dashboards tables when modifying search and widget parameters. If logs are not being surfaced by searches due to an unexpected common event assignment, custom log source policies can be built in the Policy Builder. If the log source policy is LogRhythm created, use the Resource Center to submit a parsing request for updates to existing log sources.
Schedule Reports
Now that searches and dashboards have been validated, reports can be scheduled from the saved searches. It is recommended that all searches within this bundle be scheduled to run on a recurring basis, but they can also be run ad hoc if desired. Review the Recommended Scheduling column in the Reports table below during setup and customize as needed.
Searches
The below table contains all the searches included in this content bundle, object types the search supports, list requirements, and optional tuning guidance.
Search Name | Purpose of Search | Supporting Object Types | List Required * | Tuning Guidance |
---|---|---|---|---|
NIST 800-171 - Anti-Malware Audit Activity | Data to show that audit log data for anti-malware solution is captured and retained. | Report | Yes | If data returned in search includes more systems than desired, search criteria can be narrowed to a single log source. |
NIST 800-171 - Authentication Failures | Data to verify that all attempted authentication requests to CDE are captured and retained. | Report | Yes | N/A |
NIST 800-171 - Axon Audit Logs | Data to verify that access to all audit logs is captured. | Report, Dashboard | No | N/A |
NIST 800-171 - In-Scope Data Environment Access | Data to verify that all individual user access to In-Scope data is logged. | Report | Yes | N/A |
NIST 800-171 - In-Scope Data Environment Activity | Data to verify that all activities taking place within system components and In-Scope data are logged. | Report | Yes | N/A |
NIST 800-171 - Common Event Health | Data to help customers ensure that their audit data will be complete and accurate. Searches are largely based on common events, and logs without assigned events could be missing from searches. | Report, Dashboard | Optional | This search can be updated to exclude log sources that are known to not generate a common event or are not in-scope for NIST 800-171. |
NIST 800-171 - Elevated Privileges | Data to verify that all elevations of privileges are captured and retained. | Report, Dashboard | Optional | This search could be updated to exclude logged systems that are not in-scope for NIST 800-171, or system and service accounts, by using a custom list. |
NIST 800-171 - Firewall Activity | Data can confirm that traffic and behavior matches expected activity and rule out anomalous activity. | Report, Dashboard | Yes | If data returned in search includes more systems than desired, search criteria can be narrowed to a specific log source. |
NIST 800-171 - Firewall Configuration Changes | This search is meant to surface changes to firewall configurations, which can be used to evidence that changes to network security controls follow a documented procedure. | Report, Dashboard | Yes | If data returned in search includes more systems than desired, search filter can be narrowed to a specific log source. |
NIST 800-171 - Malware Activity | Data related to potential malware to evidence effectiveness of anti-malware solutions. | Report, Dashboard | Optional | N/A |
NIST 800-171 - Network Security Controls Access | Data can confirm that systems or files containing network security controls and configurations are protected from unauthorized access. | Report, Dashboard | Yes | If data returned in search includes more systems than desired, search filter can be narrowed to a specific log source. |
NIST 800-171 - New Accounts | Data to verify that all newly created accounts are captured and retained. | Report | Optional | N/A |
NIST 800-171 - Physical Security Activity | Data to verify that physical security logs are captured and retained. | Report, Dashboard | Yes | N/A |
NIST 800-171 - Privileged Account Activity | Data to verify that all privileged account activities are logged within system components, In-Scope data, and systems in relation to NIST 800-171. | Report, Dashboard | Yes | List ‘NIST 800-171 - Privileged Users’ should be reviewed frequently to ensure all privileged account activity is captured by these searches. |
NIST 800-171 - Privileged Account Modification | Data to verify all privileged account modifications are captured and retained. | Report | Yes | List ‘NIST 800-171 - Privileged Users’ should be reviewed frequently to ensure all privileged account activity is captured by these searches. |
NIST 800-171 - Security Controls Monitoring | Data to verify that security monitoring (intrusion detection and prevention techniques) and alerts are in place. | Report, Dashboard | Optional | If a sub-set of LogRhythm Threat Detection analytics are being used, a custom list could be used to exclude the other analytics. For tuning guidance related to analytics rules, refer to the MITRE ATT&CK Module. |
NIST 800-171 - Shared Account Activity | Data to show shared account authentication activity to demonstrate to management/auditors that use of shared accounts is limited. | Report, Dashboard | Yes | List ‘NIST 800-171 - Shared Accounts’ should be reviewed frequently to ensure all privileged account activity is captured by these searches. |
NIST 800-171 - System and Service Account Activity | Data to verify that system and service account activity is logged and aligns with principles of least privilege. | Report, Dashboard | Yes | List ‘NIST 800-171 - System and Service Accounts’ should be reviewed frequently to ensure all privileged account activity is captured by these searches. |
NIST 800-171 - System-Level Object Activity | Data to demonstrate that all system-level object creation and deletion is captured. | Report, Dashboard | Optional | This search could be updated to focus on specific systems and/or file locations by using a custom list. If a FIM solution is in place to monitor this activity, it is highly recommended that this search be updated to either utilize that log source specifically or be tuned for the events it generates. |
NIST 800-171 - Third-Party Activity | Data to show all third-party access and activity during a period of time. | Report, Dashboard | Yes | List ‘NIST 800-171 - Third-Party Users’ should be reviewed frequently to ensure all privileged account activity is captured by these searches. |
* Searches can be modified to remove the list requirement, especially if all logged users and systems are in-scope for a given framework. Please note that searches are based on common event activity and without list filtering could become noisy and/or include more data than is necessary.
LogRhythm System Lists
The below table contains all the lists that are utilized in this content bundle. For each list, it gives the purpose of the list, the searches that utilize it, and examples of the systems and users that should be included.
List Name | Purpose of List | Examples | Linked Search |
---|---|---|---|
NIST 800-171 - In-Scope Data Systems | This list should be populated with systems that contain In-Scope Data in your environment. | Any systems containing In-Scope data, including databases. | NIST 800-171 - Authentication Failures; NIST 800-171 - In-Scope Data Environment Access; NIST 800-171 - In-Scope Data Environment Activity; NIST 800-171 - Common Event Health |
NIST 800-171 - Physical Security Systems | This list should be populated with physical security systems (badge/card readers and door access). | Any system used to authenticate access to physical locations. | NIST 800-171 - Physical Security Activity; NIST 800-171 - Common Event Health |
NIST 800-171 - Network Security Systems | This list should be populated with production network security systems. | Firewalls, intrusion detection/prevention, malware detection/prevention, network access control, remote access, virtual private network, and vulnerability scanning. | NIST 800-171 - Firewall Configuration Changes; NIST 800-171 - Firewall Activity; NIST 800-171 - Anti-Malware Audit Activity; NIST 800-171 - Network Security Controls Access; NIST 800-171 - Common Event Health |
NIST 800-171 - Privileged Users | This list should be populated with all privileged accounts and updated accordingly based on periodic reviews. | Any user with privileged access to production systems. | NIST 800-171 - Privileged Account Activity; NIST 800-171 - Privileged Account Modification |
NIST 800-171 - Third-Party Users | This list should be populated with contractors, vendors, and other third-party members. | Any users that are considered contractors, vendors, or third parties to your organization. | NIST 800-171 - Third-Party Activity |
NIST 800-171 - Shared Accounts | This list should be populated with any user accounts that have been identified as shared accounts. | Any accounts that multiple people have access to should be listed. | NIST 800-171 - Shared Account Activity |
NIST 800-171 - System & Service Accounts | This list should be populated with default, service, and automation accounts. | Any accounts that are default to a system, service accounts, or automation accounts. | NIST 800-171 - System and Service Account Activity |
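The two mechanisms the Searches and Lists sections describe, list-scoped filtering and the Common Event Health check for logs with no common event assigned, can be illustrated outside the product. The following Python model is an added example and is not Axon's code or LogRhythm's search logic; the event fields (log_source, origin_user, target_host, common_event), the list contents and the sample events are all constructed for illustration. It shows why an unparsed log from an in-scope system silently drops out of a list-scoped search, which is the gap the Common Event Health search exists to surface.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# Constructed event model for this example. The field names are illustrative
# stand-ins and are not Axon's schema.
@dataclass(frozen=True)
class LogEvent:
    log_source: str
    origin_user: str
    target_host: str
    common_event: Optional[str]  # None models a log with no common event assigned

# Constructed stand-ins for two of the system lists described in the table above.
SYSTEM_LISTS: Dict[str, Set[str]] = {
    "NIST 800-171 - In-Scope Data Systems": {"db-prod-01", "app-prod-02"},
    "NIST 800-171 - Privileged Users": {"svc_admin", "jdoe_adm"},
}

# Constructed sample events, including two from a log source whose logs are
# collected but carry no common event assignment.
EVENTS: List[LogEvent] = [
    LogEvent("windows-dc01", "jdoe_adm", "db-prod-01", "Authentication Success"),
    LogEvent("windows-dc01", "asmith", "db-prod-01", "Authentication Failure"),
    LogEvent("windows-dc01", "asmith", "hr-laptop-17", "Authentication Failure"),
    LogEvent("linux-app02", "svc_admin", "app-prod-02", "Privilege Escalation"),
    LogEvent("legacy-appliance", "unknown", "db-prod-01", None),
    LogEvent("legacy-appliance", "unknown", "app-prod-02", None),
]


def list_scoped_search(events: Iterable[LogEvent], list_name: str, list_field: str,
                       common_events: Optional[Set[str]] = None) -> List[LogEvent]:
    """Model of a list-filtered saved search: keep events whose `list_field`
    value is a member of the named system list and that carry a common event,
    optionally restricted to a set of common events."""
    members = SYSTEM_LISTS[list_name]
    return [
        e for e in events
        if getattr(e, list_field) in members
        and e.common_event is not None
        and (common_events is None or e.common_event in common_events)
    ]


def common_event_health(events: Iterable[LogEvent]) -> Dict[str, int]:
    """Count, per log source, the events that have no common event assigned."""
    counts: Dict[str, int] = {}
    for e in events:
        if e.common_event is None:
            counts[e.log_source] = counts.get(e.log_source, 0) + 1
    return counts


def unassigned_in_scope(events: Iterable[LogEvent], list_name: str,
                        list_field: str) -> List[LogEvent]:
    """Events that touch a listed (in-scope) value but would be dropped by the
    list-scoped search because no common event is assigned."""
    members = SYSTEM_LISTS[list_name]
    return [e for e in events
            if getattr(e, list_field) in members and e.common_event is None]


if __name__ == "__main__":
    failures = list_scoped_search(EVENTS, "NIST 800-171 - In-Scope Data Systems",
                                  "target_host", {"Authentication Failure"})
    print(f"in-scope authentication failures: {len(failures)}")
    print(f"events without common event, by log source: {common_event_health(EVENTS)}")
    gaps = unassigned_in_scope(EVENTS, "NIST 800-171 - In-Scope Data Systems", "target_host")
    print(f"in-scope events missing from list-scoped searches: {len(gaps)}")
```

The authentication failure against hr-laptop-17 is excluded by the list filter, which is the noise reduction the list requirement is meant to provide; the two legacy-appliance events against in-scope systems are excluded only because they have no common event, which is the case to resolve with a custom log source policy or a parsing request.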
Reports
The below table contains all the recommended Reports for this content bundle.
Customers must enable reporting in the Saved Search for these reports to be produced on a recurring basis.
Search Name | NIST 800-171 Controls | Use of Report | Recommended Audience | Recommended Scheduling * |
---|---|---|---|---|
NIST 800-171 - Anti-Malware Audit Activity | 3.3.3 | This report will contain log data of anti-malware solution which can be reviewed by management or provided to auditors for evidence of captured and retained log data. | Management & Auditors | Quarterly |
NIST 800-171 - In-Scope Data Environment Activity | 3.1.2 | This report will capture data to verify that all activities taking place within system components and In-Scope data are logged, and can be reviewed by management or provided to auditors for evidence of CDE log activity. | Management & Auditors | Quarterly |
NIST 800-171 - In-Scope Data Environment Access | 3.1.2 | This report will contain data to verify that all individual user access to In-Scope data is logged. The report can be used by management for periodic reviews or provided to auditors for evidence of all access to the CDE. | Management & Auditors | Quarterly |
NIST 800-171 - Elevated Privileges | 3.1.7 | This report will contain data to verify that all elevations of privileges are captured and retained. This report can be used by analysts for reviewing and investigating anomalous usage of elevated privileges. The report can also be used by management for periodic reviews and auditors for proof of evidence and retention. | Management, Analysts, & Auditors | Quarterly |
NIST 800-171 - Authentication Failures | 3.3.3 | This report will contain data to verify that all invalid authentication attempts are captured and retained. This report can be used by analysts for reviewing and investigating anomalous authentication activity. The report can also be used by management for periodic reviews and auditors for evidence of logging and retention. | Management, Analysts, & Auditors | Quarterly |
NIST 800-171 - Firewall Activity | 3.13.1, 3.13.6 | This report will contain data to confirm that traffic and behavior matches expected activity. This report can be used by analysts for monitoring activity that is not approved. The report can also be used by management for periodic reviews and auditors for proof of logging and that data aligns with system configurations. | Management, Analysts, & Auditors | Quarterly |
NIST 800-171 - Firewall Configuration Changes | 3.4.3 | This report will contain changes to firewall configurations. This report can be used by analysts for reviewing and investigating unusual configuration change activity. The report can also be used by management for periodic reviews and auditors for evidence that changes follow documented procedures and/or population of changes for auditors to verify via testing. | Management, Analysts, & Auditors | Quarterly |
NIST 800-171 - Common Event Health | 3.3.2 | This report will contain data to help customers ensure that their audit data will be complete and accurate. Searches are largely based on common events and logs without assigned events could be missing from searches. The report can be used by management for periodic reviews and auditors for helping support that report data is complete and accurate. | Management & Auditors | Monthly |
NIST 800-171 - Axon Audit Logs | 3.3.8 | This report will contain data to verify that access to all audit logs is captured. This report can be used by management for periodic reviews of activity in the Axon environment and auditors for proof of evidence and retention of logging audit data. | Management & Auditors | Quarterly |
NIST 800-171 - Malware Activity | 3.14.2 | This report will contain data related to potential malware to evidence effectiveness of anti-malware solutions. This report can be used by analysts for monitoring malware activity. The report can also be used by management for periodic reviews of malware activity and mitigation and auditors for evidence of logging. | Management, Analysts, & Auditors | Quarterly |
NIST 800-171 - Network Security Controls Access | 3.4.3 | This report will contain data to confirm that network security files are protected from unauthorized access. This report can be used by analysts for reviewing and investigating anomalous access to network security control environments and file configurations. The report can also be used by management for periodic reviews and auditors for evidence of logging. | Management, Analysts, & Auditors | Quarterly |
NIST 800-171 - New Accounts | 3.1.1 | This report will contain data to verify that all newly created accounts are captured and retained. This report can also be used by management for periodic reviews and auditors for proof of logging of new users. | Management & Auditors | Quarterly |
NIST 800-171 - Physical Security Activity | 3.10.2 | This report will contain data to verify that physical security logs are captured and retained. This report can be used by analysts for reviewing physical access to sensitive areas within an In-Scope Data Environment. The report can also be used by management for periodic reviews and auditors for evidence of logging. | Management, Analysts, & Auditors | Monthly |
NIST 800-171 - Privileged Account Activity | 3.1.6 | This report will contain data to verify that all privileged account activities are logged within system components, In-Scope data, and systems in relation to NIST 800-171. This report can be used by analysts for reviewing and investigating anomalous privileged activity. The report can also be used by management for periodic reviews and auditors for evidence of logging or to verify via testing. | Management, Analysts, & Auditors | Monthly |
NIST 800-171 - Privileged Account Modification | 3.1.1 | This report will contain data to verify all privileged account modifications. This report can also be used by management for periodic reviews and auditors for proof of logging. | Management & Auditors | Quarterly |
NIST 800-171 - Security Controls Monitoring | 3.12.03, 3.14.6 | This report will contain data to verify that security monitoring (intrusion detection and prevention techniques) and alerts are in place. This report can be used by analysts for reviewing and investigating anomalous usage of elevated privileges. The report can also be used by management for periodic reviews and auditors for evidence of logging or to verify via testing. | Management, Analysts, & Auditors | Quarterly |
NIST 800-171 - Shared Account Activity | 3.3.1, 3.5.1 | This report will contain data to show shared account activity to demonstrate to management/auditors that use of shared accounts is limited. This report can be used by analysts for reviewing and investigating anomalous usage of shared account privileges. The report can also be used by management for periodic reviews and auditors to demonstrate limited usage. | Management, Analysts, & Auditors | Quarterly |
NIST 800-171 - System and Service Account Activity | 3.3.1, 3.5.1 | This report will contain data to verify that system and service account activity is logged and aligns with principles of least privilege. This report can be used by analysts for reviewing activity that is anomalous for the related system and service accounts privileges. The report can also be used by management for periodic reviews and auditors for evidence of accounts being limited to their privileges. | Management, Analysts, & Auditors | Quarterly |
NIST 800-171 - System-Level Object Activity | 3.4.3 | This report will contain data to demonstrate that all system-level object creation and deletion is captured. This report can be used by analysts for reviewing for creation, deletion, and modification. Unexpected changes to these files can compromise system security. The report can also be used by management for periodic reviews and auditors for evidence that no files were changed. | Management, Analysts, & Auditors | Quarterly |
NIST 800-171 - Third-Party Activity | 3.3.1 | This report will contain data to show all third-party access and activity during a period of time. This report can be used by analysts for reviewing and investigating anomalous third-party activity. The report can also be used by management for periodic reviews and auditors for evidence of captured third-party activity. | Management, Analysts, & Auditors | Quarterly |
* NIST 800-171 does not prescribe a specific review period for most controls. The frequency of periodic reviews should be determined by the entity as appropriate for the size and complexity of their environment. As such, these are recommendations based on an average review schedule.
Dashboards
The two dashboards contained in this bundle are targeted at different users of the Axon platform. The NIST 800-171 - Analyst dashboard is intended for power users of the Axon platform who perform active monitoring and need the data they utilize during the course of that work. The NIST 800-171 - Management dashboard is intended for users who might not be in Axon on a day-to-day basis but need an understanding of platform health and the activities being performed on the platform. Widgets and the underlying searches from either dashboard can be incorporated and used by any Axon user to fit their needs. The default time period for the management dashboard is the last 7 days' worth of log data, and for the analyst dashboard it is the last 24 hours of data. It is recommended that analysts and management use the date and time picker to evaluate multiple time periods throughout monitoring.
The below tables contain details of the two dashboards. Each widget and the underlying search are listed with tuning guidance for customers to optimize their dashboard deployment.
NIST 800-171 - Analyst Dashboard Widgets
Search Name | NIST 800-171 Controls | Use of Widget | Widget Type | Tuning Guidance |
---|---|---|---|---|
NIST 800-171 - Elevated Privileges | 3.1.7 | Audit Logs for elevations of privileges are required to be captured and maintained. This widget should be monitored for anomalous usage of elevated privileges. | Bar Chart | Widget metrics are set to view origin account name and the target host. Adjust chart primary and sub metric dependent upon log source parsing and desired field information. |
NIST 800-171 - Firewall Activity | 3.13.1 | Firewall services, protocols, and ports should have a defined and approved business need. Monitor this widget for activity that is not approved. | Tree Map | Widget metrics are set to view Network Protocol Name and the target host IP Port. Adjust chart primary and sub metric dependent upon log source parsing and desired field information. |
NIST 800-171 - Firewall Configuration Changes | 3.4.3 | Firewall configurations should be approved and managed with change control process. Monitor this dashboard for unusual configuration change activity. | Trend Chart | Widget metric shows the trend in a linear curved graph to indicate trends of configuration changes to firewall. If additional detail of activity is needed, change widget style to bar chart and add metrics. |
NIST 800-171 - Malware Activity | 3.14.2 | Anti-malware solutions should periodically scan, detect, block, and remove known malware. Monitor this widget for malware activity. | Donut Chart | Widget metrics are set to view Threat Severity and Policy Name to indicate priority of threat and policy affected. Adjust chart primary and sub metric dependent upon log source parsing and desired field information. |
NIST 800-171 - Network Security Controls Access | 3.4.3 | Monitor this widget for users that should not have access to network control systems or network configuration files and investigate unfamiliar users. | Bar Chart | Widget metrics are set to view origin account name and the target host. Adjust chart primary and sub metric dependent upon log source parsing and desired field information. |
NIST 800-171 - Physical Security Activity | 3.10.2 | Physical access to sensitive areas within an In-Scope Data Environment is to be monitored. | Bar Chart | Widget metric is set to view origin account name. If the Physical Security log source contains entry and exit data, adjust the sub metric to include this field information. |
NIST 800-171 - Privileged Account Activity | 3.1.6 | Privileged account activity is required to be captured and retained. Monitor this widget for anomalous behavior. | Donut Chart | Widget metrics are set to view origin account name and common event. Adjust chart primary and sub metric dependent upon log source parsing and desired field information. |
NIST 800-171 - Security Controls Monitoring | 3.12.03, 3.14.6 | Monitor this widget for activity that could indicate compromise. Visit LogRhythm Threat Detection Rules for more information on Threat Detection Analytics by LogRhythm. | Bar Chart | Widget metrics are set to view origin account name and the target host. Adjust chart primary and sub metric dependent upon log source parsing and desired field information. |
NIST 800-171 - Shared Account Activity | 3.5.1 | Shared Accounts should only be used when necessary on an exception basis. This widget should be monitored for anomalous levels of shared account activity. | Trend Chart | Widget metric shows the trend in a linear curved graph to indicate trends of shared account activity. If additional detail of activity is needed, change widget style to bar chart and add metrics. |
NIST 800-171 - System and Service Account Activity | 3.5.1 | System and Service Accounts should be limited to least privilege. This widget should be monitored for activity that is anomalous for the related system and service accounts privileges. | Bar Chart | Widget metrics are set to view origin account name and the common event. Adjust chart primary and sub metric dependent upon log source parsing and desired field information. |
NIST 800-171 - System-Level Object Activity | 3.4.3 | Critical Files and System-Level Objects should be monitored for creation, deletion, and modification. Unexpected changes to these files can compromise system security. | Bar Chart | Widget metrics are set to view Target Host Name and the common event. Adjust chart primary and sub metric dependent upon log source parsing and desired field information. |
NIST 800-171 - Third-Party Activity | 3.3.1 | Third-Party Activity in NIST 800-171 environments should be monitored for unexpected activity. | Bar Chart | Widget metrics are set to view origin account name and the common event. Adjust chart primary and sub metric dependent upon log source parsing and desired field information. |
Management Dashboard Widgets
Search Name | NIST 800-171 Controls | Use of Widget | Widget Type | Tuning Guidance |
---|---|---|---|---|
NIST 800-171 - Axon Audit Logs | 3.3.8 | Audit Logs should capture all access to audit data, and read access to that data should be limited to those with a job-related need. Monitor these widgets for unexpected users and activity taken. | Bar Chart, Donut Chart | The donut chart widget is set to view origin account name and the action command statement to showcase users taking actions and actions being taken. The bar chart widget is set to view action type and the action command statement to showcase what types of Axon Objects are having actions taken on them. Adjust chart primary and sub metric for desired field information within Audit Logs. |
NIST 800-171 - Common Event Health | 3.3.2 | The basis for all compliance searches utilizes the common event schema. Logs without event assignment could become excluded from widgets and/or reports. Monitor these widgets for logs and log sources without event assignment and correct as needed. | Trend Chart, Bar Chart | The trend chart widget shows the trend in a linear curved graph to indicate trends of logs without common event assignment. The bar chart widget is set to view log source type and the log source to showcase what types of log sources do not have event assignment and which specific log sources of that type do not have common event assignment. Adjust chart primary and sub metric for desired field information. |
Additional Axon Support
The below sections contain additional product features and functionality that can help customers support their NIST 800-171 compliance.
Log Integrity, Availability, & Security
Users of Axon do not have the capability to delete log data from the application interface, ensuring the integrity of logs collected. Additionally, LogRhythm issues a SOC 2, Type 2 report for the Axon Platform that includes controls relevant to the Security, Availability, and Confidentiality of customer data. This inability to modify log data and SOC 2 attestation supports NIST 800-171 control 3.3.8 related to Audit Log integrity, availability, and security. Customers interested in reviewing the Axon SOC 2 attestation can request access to a copy through their account representative.
Log Retention
LogRhythm Axon licensing options allow customers to fit their organization's log retention needs. NIST 800-171 control 3.3.3 requires that entities retain audit records for a time period consistent with the records retention policy. To ensure this NIST 800-171 requirement is met, customers should confirm their licensing Time-to-Live (TTL) options with their account representative.
Scheduled Reporting to Automate Log Review
LogRhythm’s comprehensive reporting capabilities provide the flexibility of custom and pre-configured reports. The Scheduled Reporting feature allows you to regularly capture data from the Dashboard or from specific searches and deliver a report to selected recipients. Scheduled Reporting supports NIST 800-171 control 3.3.6 by automating the delivery of the reports in this bundle that provide the normalized and filtered data for completing log reviews.
Case Management
The Axon Case Management feature is a collaborative forensic tool for creating cases to track and document suspicious logs that are believed to be related to the same threat. The ability to create, own, and update cases, as well as to collaborate on cases that are created and owned by others, is available to all Axon users by default. Case Management supports NIST 800-171 control 3.6.2 by facilitating the review process for exceptions and anomalies.
Silent Log Source Alerting
The Axon Silent Log Source Alerting feature can be used to alert personnel if specific data sources stop sending data for a configurable amount of time. A log source that has not sent data for a specified amount of time is referred to as a “silent log source.” Silent Log Source Alerting supports NIST 800-171 control 3.3.4 by alerting to potential audit logging process failure.
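The detection logic behind a silent log source check, stated in code: a source is silent when the time since its last received log exceeds a configurable threshold, and a source that is expected but has never sent data at all should be reported as well, since a collector that was never wired up is the same audit logging process failure from the point of view of control 3.3.4. The following Python is an added example and is not Axon's implementation of Silent Log Source Alerting; the log source names, timestamps, per-source thresholds and the reference time are constructed, and the example generalizes slightly beyond the page by allowing a different threshold per source so that a low-volume source such as a badge reader does not alert on every quiet overnight period.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Constructed last-seen timestamp per log source (invented names and times,
# not Axon data). In a real deployment this would come from the collector's
# own bookkeeping of the most recent log received from each source.
LAST_SEEN: Dict[str, datetime] = {
    "fw-edge-01": datetime(2024, 5, 1, 11, 55, tzinfo=timezone.utc),
    "windows-dc01": datetime(2024, 5, 1, 11, 58, tzinfo=timezone.utc),
    "badge-reader-lobby": datetime(2024, 5, 1, 6, 10, tzinfo=timezone.utc),
    "av-console": datetime(2024, 4, 29, 23, 40, tzinfo=timezone.utc),
}

# Fixed reference time for the example so the result is reproducible offline.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Default silence threshold, plus a longer per-source override for a
# low-volume physical security source (constructed values).
DEFAULT_THRESHOLD = timedelta(hours=1)
THRESHOLDS: Dict[str, timedelta] = {"badge-reader-lobby": timedelta(hours=12)}

# Sources the environment expects to hear from; one has never sent data.
EXPECTED_SOURCES = set(LAST_SEEN) | {"vpn-gw-01"}


def silent_log_sources(last_seen: Dict[str, datetime], now: datetime,
                       expected: Iterable[str],
                       thresholds: Optional[Dict[str, timedelta]] = None,
                       default: timedelta = DEFAULT_THRESHOLD) -> Dict[str, Optional[timedelta]]:
    """Return a mapping of silent source -> time since last log.

    A value of None means the source is expected but has never sent data.
    A source is silent when its gap exceeds its own threshold, falling back
    to the default threshold when no per-source value is configured."""
    thresholds = thresholds or {}
    silent: Dict[str, Optional[timedelta]] = {}
    for source in expected:
        ts = last_seen.get(source)
        if ts is None:
            silent[source] = None
            continue
        gap = now - ts
        if gap > thresholds.get(source, default):
            silent[source] = gap
    return silent


def format_alerts(silent: Dict[str, Optional[timedelta]]) -> List[str]:
    """Render one human-readable alert line per silent source, sorted by name."""
    lines = []
    for source, gap in sorted(silent.items()):
        if gap is None:
            lines.append(f"silent log source: {source} (no data ever received)")
        else:
            lines.append(f"silent log source: {source} (no data for {gap})")
    return lines


def run_check() -> Dict[str, Optional[timedelta]]:
    """Evaluate the constructed sample against the constructed reference time."""
    return silent_log_sources(LAST_SEEN, NOW, EXPECTED_SOURCES, THRESHOLDS)


if __name__ == "__main__":
    for line in format_alerts(run_check()):
        print(line)
```

With the sample data only av-console (last seen about a day and a half earlier) and vpn-gw-01 (never seen) are reported; the badge reader is quiet for almost six hours but stays under its 12-hour override, which is the kind of per-source tuning that keeps this alert from becoming noise while still catching a source that has actually stopped.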