201 CMR 17 Deployment Guide – Meet the Compliance Requirements


The LogRhythm 201 CMR 17 Compliance Module provides bundled pre-created alarms, AIE rules, investigations, layouts, lists, reports, and reporting packages to help demonstrate regulatory compliance. The Auditor checks for specific line-item regulations to be met by LogRhythm. The 201 CMR 17 Package Post-Implementation section details the post-implementation processes necessary to meet specific 201 CMR 17 compliance requirements and augment others.

Compliance Module Noise Mitigation

LogRhythm’s 201 CMR 17 Compliance Module bundled alarms, AIE rules, investigations, layouts, lists, reports, and reporting packages need adjustments to reduce the likelihood of false positive events. The process to decrease false positives involves the following areas:

List Updating

Keeping Compliance Module lists updated is a vital part of decreasing false positives within the 201 CMR 17 Compliance Module. An organization’s applications, IP addresses, and users are dynamic; for this reason the Compliance Module uses lists that can be updated as needed. There are many conditions that would require a list to be updated. The following section highlights a few instances where lists must be updated and gives direction on how to update them.

Update User Lists

The user list should be updated when a user account is disabled or terminated. Changes to these types of accounts are evident from details in the access granted/revoked reports and account management reports. Follow the instructions listed below after implementation and every week to identify users who have not been added to the user lists.

  1. Open the LogRhythm Console and click the Report Center tab.
  2. Click the Reports tab, right-click the 201 CMR 17: Disabled/Locked Account Summary report, and then click Run.
  3. Click Next until you reach the Configuration screen, set the date range to Past Month, and then click OK.
  4. Click the name of the report in the Report Viewer.
  5. Search for “Account Disabled” common events to identify when an account may have been enabled or disabled.
  6. Follow steps 1-7 in Populating Users Lists to add applicable, disabled accounts to the 201 CMR 17: Disabled And Terminated Accounts list.

Filter Usage

Adjusting filter criteria is a vital part of decreasing the number of false positives within the 201 CMR 17 Compliance Module. Exclude filters can remove applications, common events, hosts, IP addresses, etc. from search criteria. There are many conditions in which an exclude filter can decrease the number of false positives returned by search criteria; the following section highlights how to create exclude filters for AIE Rules, investigations, reports, and tails.

Configure Alarm Exclude Filter Criteria

All AIE Rules included in the 201 CMR 17 Compliance Module can be configured with exclude filters.

  1. Open the LogRhythm Console and click Deployment Manager on the main toolbar.
  2. Click the Alarm tab.
  3. Right-click a 201 CMR 17 alarm on which an exclude filter should be configured, and then click Properties.
  4. Right-click the Rule Block, and then click Properties.
  5. Click the Exclude Filters tab.
  6. On the top menu, click the New icon.
  7. Specify the details for the exclude filter criteria.
  8. On the Log Message Filter, click OK.
  9. On the Alarm Rule Wizard, click OK.

Configure Investigation Exclude Filter Criteria

All Investigations included in the 201 CMR 17 Compliance Module can be configured with exclude filters.

  1. Open the LogRhythm Console and click Investigate on the main toolbar.
  2. Select one of the saved 201 CMR 17 Investigations on which an Exclude Filter should be configured.
  3. Click Next until you reach the Specify Event Selection screen.
  4. In the Add New Field Filter list, select the criteria.
  5. Click Edit Values and configure the criteria as required.
  6. (Optional) To specify exclusions, select the Filter Out (Is Not) option under Filter Mode.
  7. Click OK.
  8. Click Next until you reach the Save Investigation Configuration screen, and then click Save.
  9. Click Cancel.

Configure Report Exclude Filter Criteria

All Reports included in the 201 CMR 17 Compliance Module can be configured with exclude filters.

  1. Open the LogRhythm Console and click Report Center on the main toolbar.
  2. Click the Reports tab.
  3. Select the Action check box of the report that needs exclude filters, right-click the selection, and then click Properties.
  4. Click Next until you reach the Specify Additional Report Criteria Screen.
  5. In the Add New Field Filter list, select the criteria.
  6. Click Edit Values and configure the criteria as required.
  7. (Optional) To specify exclusions, select the Filter Out (Is Not) option under Filter Mode.
  8. Click OK.
  9. Click Next to reach the Report Details screen, click Apply, and then click OK.

Suppression Usage

Adjusting suppression values is a vital part of adjusting the alarming configuration within the 201 CMR 17 Compliance Module. Suppression values are used to suppress the number of alarms generated from the same type of event occurring numerous times within a specified time window. The following section highlights how to adjust suppression values for AIE rules.

Configure Alarm Suppression

All Alarms included in the 201 CMR 17 Compliance Module can be configured with alarming suppression.

  1. Open the LogRhythm Console and click Deployment Manager on the main toolbar.
  2. Click the Alarms tab.
  3. Right-click a 201 CMR 17 alarm on which suppression should be configured, and then click Properties.
  4. Click the Settings tab.
  5. Type a value for the Suppression Multiple.

    You must select the Enable Suppression check box for suppression to function. The Suppression Period is the amount of time in which an alarm will be suppressed after the first occurrence. When the Suppression Period has elapsed, another alarm occurs if identical events occur.

  6. On the Alarm Rule Wizard, click OK.

Threshold Usage

Adjusting threshold values is a vital part of adjusting the alarming configuration within the 201 CMR 17 Compliance Module. Threshold values specify the number of occurrences of an event that must occur before a specific alarm is executed. The following section highlights how to adjust threshold values for alarms.

Configure Alarm Thresholds

All Alarms included in the 201 CMR 17 Compliance Module can be configured with alarming thresholds.

  1. Open the LogRhythm Console and click Deployment Manager on the main toolbar.
  2. Click the Alarm tab.
  3. Right-click a 201 CMR 17 alarm on which a threshold should be configured, then click Properties.
  4. Click the Aggregation tab.
  5. Fill in a threshold value.

    The threshold is the number of events which must occur before an alarm occurs. When the threshold has been exceeded an alarm will occur.

  6. On the Alarm Rule Wizard, click OK.
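The combined effect of the exclude filters, thresholds, and suppression periods described in the Filter Usage, Suppression Usage, and Threshold Usage sections, shown as an added Python simulation that is not LogRhythm code: the rule name, the field names, and the sample events are constructed for illustration, and the aggregation and suppression semantics follow the descriptions on this page (an alarm once the threshold is met, repeats dropped until the suppression period elapses).

```python
from dataclasses import dataclass, field

# Constructed sample events: (seconds since start, common event, login).
SAMPLE_EVENTS = [
    (0, "Account Disabled", "svc_backup"),  # matches the exclude filter
    (10, "Account Disabled", "jdoe"),
    (20, "Account Disabled", "jdoe"),
    (30, "Account Disabled", "jdoe"),       # third event: threshold met, alarm
    (40, "Account Disabled", "jdoe"),
    (50, "Account Disabled", "jdoe"),
    (60, "Account Disabled", "jdoe"),       # threshold met again, but suppressed
    (400, "Account Disabled", "jdoe"),
    (410, "Account Disabled", "jdoe"),
    (420, "Account Disabled", "jdoe"),      # suppression period elapsed: alarm
    (430, "Account Disabled", "asmith"),    # single event, below threshold
]

@dataclass
class AlarmRule:  # hypothetical rule model, not a LogRhythm API
    name: str
    exclude: dict = field(default_factory=dict)  # field -> values to filter out (Is Not)
    threshold: int = 1            # identical events required before alarming
    suppression_period: int = 0   # seconds after an alarm during which repeats are dropped

def evaluate(rule, events):
    counts = {}      # (common event, login) -> events accumulated toward the threshold
    last_alarm = {}  # (common event, login) -> time of the last alarm raised
    alarms, suppressed = [], 0
    for ts, common_event, login in events:
        # Exclude filters drop the event before it is counted at all.
        if (common_event in rule.exclude.get("common_event", ())
                or login in rule.exclude.get("login", ())):
            continue
        key = (common_event, login)
        counts[key] = counts.get(key, 0) + 1
        if counts[key] < rule.threshold:
            continue
        counts[key] = 0  # threshold met: start a fresh aggregation
        last = last_alarm.get(key)
        if last is not None and ts - last < rule.suppression_period:
            suppressed += 1  # still inside the suppression period
            continue
        last_alarm[key] = ts
        alarms.append((ts, rule.name, login))
    return alarms, suppressed

# Untuned rule: every event alarms. Tuned rule: exclude a known service
# account, require 3 identical events, and suppress repeats for 300 seconds.
NOISY = AlarmRule("Disabled Account Activity")
TUNED = AlarmRule("Disabled Account Activity", {"login": {"svc_backup"}}, 3, 300)
```

Running `evaluate` with each rule over the sample shows the untuned rule raising one alarm per event, while the tuned rule raises two and records one suppressed repeat.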

Reporting Packages

The LogRhythm 201 CMR 17 Compliance Module provides bundled reports in the form of reporting packages which help demonstrate regulation compliance. The reporting packages are designed to be executed and delivered to specific functional areas at designated time periods. This section describes the proper configuration of 201 CMR 17 reporting packages.

201 CMR 17 Module Reporting Package

The Reporting Package included in the 201 CMR 17 Compliance Module is unscheduled by default. The following sections describe how to schedule the reporting package.

To schedule the Reporting Package

  1. On the main toolbar, click the Report Center.
  2. On the Tools menu, click Reports, and then click Scheduled Report Job Manager.
  3. Right-click in the white space of the Scheduled Report Job Manager, then click New.
  4. Select the Action checkbox for the LogRhythm 201 CMR 17 Reporting Package, then click Next.
  5. Select the Action checkbox for email recipients you want (designate internal audit staff if applicable), click attach report if you want the recipient to receive the reports as attachments, and then click Next.
  6. Select Past Week for the reporting period, select a single day (Sunday) for the report schedule, specify a unique time at which the reports should run, specify the UNC path of an archival location where the reports will be saved, click Next, specify a name for the report schedule, and then click OK.
  7. Select the Action box for the schedule report, right-click on the report name, click Action, and then click Enable.

201 CMR 17 Package Usage

The LogRhythm 201 CMR 17 Compliance Module provides bundled pre-created alarms, investigations, and reports to help demonstrate regulatory compliance. The 201 CMR 17 Auditor will check for specific line-item regulations to be met by LogRhythm. This section describes the proper usage of the following functions:

  • Security Operations
  • Security Management

201 CMR 17 Package Usage for Security Operations

To demonstrate regulatory compliance, security operations personnel must perform the vital role of properly managing and using the LogRhythm 201 CMR 17 Compliance Module. This section describes the necessary security operations functions:

  • Compliance Monitoring
  • Compliance Incident Handling

Security Operations Compliance Monitoring

The process of monitoring required by 201 CMR 17 involves both automated and manual activities. The automated activities are typically associated with alarms, dashboards and report generation used by security operations personnel. Investigations are used to identify, report, and remediate incidents.

201 CMR 17 requires:

  • 24x7x365 monitoring
  • Review of the information being collected by LogRhythm

Monitoring requirements are located throughout the 201 CMR 17 Standards. Per 201 CMR 17 Requirement 17.03.2.h, “Regular monitoring to ensure that the comprehensive information security program is operating in a manner reasonably calculated to prevent unauthorized access to or unauthorized use of personal information; and upgrading information safeguards as necessary to limit risks.”

The most effective way to meet the monitoring requirements is for the security operations personnel to monitor alarms and dashboard activity, and review reports produced by the security operations daily reporting package on a daily interval. The 201 CMR 17 Alarms are configured to notify security operations personnel in the event of a security-related event.

201 CMR 17 Package Usage for Security Management

To demonstrate regulatory compliance, security management personnel must oversee the usage of the LogRhythm 201 CMR 17 Compliance Module. This section describes the necessary security management functions of monitoring security operations functions.

The process of monitoring security operations functions involves monitoring the security posture of the organization as a whole and also monitoring security operations processes such as incident response. The most effective way to monitor both the security posture of the organization and security operations functions is through daily monitoring of dashboard activity and weekly review of the reports produced by the security management weekly reporting package. The LogRhythm 201 CMR 17 Reporting Package is configured to send security management security-related reports on a weekly interval.
