CCF Deployment Guide – Meet the Compliance Requirements


The LogRhythm CCF Compliance Automation Suite provides bundled pre-created Alarms, AIE Rules, Investigations, Lists, Reports, and Reporting Packages to help demonstrate regulation compliance. The Auditor checks for specific line-item regulations to be met by LogRhythm.

This section details the post-implementation processes necessary to meet specific CCF compliance requirements and augment others. The process involves the following steps:

  • Noise Mitigation
  • Scheduling
  • Package Usage

Compliance Module Noise Mitigation

The Alarms, AIE Rules, Investigations, Lists, Reports, and Reporting Packages bundled with LogRhythm’s CCF Compliance Automation Suite need adjustment to reduce the likelihood of false positive events. The process to decrease false positive events involves the following steps:

  • List Updating
  • Filters
  • Suppression

List Updating

Keeping Compliance Module lists updated is a vital part of decreasing false positives within the CCF Compliance Automation Suite. An organization’s applications, IP addresses, and users are dynamic. For this reason, the Compliance Module utilizes lists that can be dynamically updated as needed. There are many conditions which require a list to be updated. The following section highlights a few instances when lists must be updated and directions on how to update the lists. You may also leverage the data impact assessment, privacy impact assessment, system inventory, data classification, and risk control matrices for reflecting your CCF scope within LogRhythm Enterprise.

Filter Usage

Adjusting filter criteria is a vital part of decreasing the number of false positives within the CCF Compliance Automation Suite. Exclude filters can remove applications, common events, hosts, IP addresses, etc. from search criteria. There are many conditions in which an exclude filter can decrease the number of false positives in a search criterion. The following section highlights how to create exclude filters for AIE Rules, investigations, and reports.

Configure AIE Rule Exclude Filter Criteria

All AIE Rules included in the CCF Compliance Automation Suite can be configured with exclude filters.

To configure exclude filters for AIE Rules

  1. Open the LogRhythm Console and click Deployment Manager on the main toolbar.
  2. Click the AI Engine tab.
  3. Right-click a CCF AIE Rule on which an exclude filter should be configured, and then click Properties.
  4. Right-click the Rule Block, and then click Properties.
  5. Click the Exclude Filters tab.
  6. Click the New icon on the top menu.
  7. Specify the details for the exclude filter criteria.
  8. On the Log Message Filter, click OK.
  9. On the AI Engine Rule Block Wizard, click OK.
  10. On the AI Engine Rule Wizard, click OK.
  11. At the top of the AI Engine Rule Manager, click Restart AI Engine.

Configure Investigation Exclude Filter Criteria

All Investigations included in the CCF Compliance Automation Suite can be configured with exclude filters.

To configure exclude filters for Investigations

  1. Open the LogRhythm Console and click Investigate on the main toolbar.
  2. Select one of the Saved CCF Investigations on which an Exclude Filter should be configured.
  3. Click Next until you reach the Specify Event Selection screen.
  4. In the Add New Field Filter list, select the criteria.
  5. Click Edit Values and configure the criteria as required.

    To specify exclusions, select the Filter Out (Is Not) option under Filter Mode.

  6. Click OK.
  7. Click Next until you reach the Save Investigation Configuration screen, and then click Save.
  8. Click Cancel.

Configure Report Exclude Filter Criteria

All Reports included in the CCF Compliance Automation Suite can be configured with exclude filters.

To configure exclude filters for Reports

  1. Open the LogRhythm Console and click Report Center on the main toolbar.
  2. Click the Reports tab.
  3. Select the Action check box of the report that needs the exclude filter, right-click the selection, and then click Properties.
  4. Click Next until you reach the Specify Additional Report Criteria Screen.
  5. In the Add New Field Filter list, select the criteria.
  6. Click Edit Values and configure the criteria as required.

    To specify exclusions, select the Filter Out (Is Not) option under Filter Mode.
  7. Click OK.
  8. Click Next to reach the Report Details screen, click Apply, and then click OK.

Suppression Usage

Adjusting suppression values is a vital part of adjusting the alarming configuration within the CCF Compliance Automation Suite. Suppression values are used to suppress the number of alarms generated from the same type of event occurring numerous times within a specified time window. The following section highlights how to adjust suppression values for AIE Rules.

Configure AIE Rule Suppression

All AIE Rules included in the CCF Compliance Automation Suite can be configured with alarm suppression.

To configure suppression for AIE Rules.

  1. Open the LogRhythm Console and click Deployment Manager on the main toolbar.
  2. Click the AI Engine tab.
  3. Right-click a CCF AIE Rule on which suppression should be configured, and then click Properties.
  4. Click the Settings tab.
  5. Type a value for the Suppression Multiple. 

    You must select the Enable Suppression check box for suppression to function. The Suppression Period is the amount of time for which an alarm is suppressed after the first occurrence. When the Suppression Period has elapsed, another alarm occurs if identical events occur.
  6. On the AI Engine Rule Wizard, click OK.
  7. On the top of the AI Engine Rule Manager, click Restart AI Engine.
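
The suppression behaviour described in this procedure can be modeled offline to estimate how many alarms a given Suppression Period leaves. The following is an added example, not LogRhythm code: the (user, host) key used to decide that events are "identical", the sample events, and the choice that an event arriving exactly when the period ends raises a new alarm are all assumptions.

```python
from datetime import datetime, timedelta


def alarms_after_suppression(events, period):
    """Return the events that still raise an alarm.

    events: iterable of (timestamp, key); key marks events as "identical"
            (assumed here to be a (user, host) tuple).
    period: timedelta modeling the Suppression Period.
    """
    window_start = {}  # key -> time of the alarm that opened the current window
    fired = []
    for ts, key in sorted(events):
        opened = window_start.get(key)
        # The window is anchored at the alarm that fired, not at the last
        # suppressed event, so a continuous stream alarms once per period.
        if opened is None or ts - opened >= period:
            window_start[key] = ts
            fired.append((ts, key))
    return fired


def sample_events():
    """Constructed input: one noisy source every 5 minutes, one unrelated event."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    noisy = ("svc-backup", "hostA")
    events = [(t0 + timedelta(minutes=m), noisy) for m in range(0, 60, 5)]
    events.append((t0 + timedelta(minutes=7), ("jdoe", "hostB")))
    return events


if __name__ == "__main__":
    for minutes in (0, 15, 60):
        fired = alarms_after_suppression(sample_events(), timedelta(minutes=minutes))
        print(f"period={minutes:>2} min -> {len(fired)} alarms")
```

The unrelated ("jdoe", "hostB") event alarms at every setting because suppression only applies to identical events; only the repeated source is collapsed.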

Reporting Packages

Reporting packages can be easily created, cloned, or adjusted by a LogRhythm Admin to provide needed content for Audit, Executive Management, or other audiences who require output for assessment. Within the CCF module, there are four (4) CCF reporting package templates that can be adjusted according to audit and organizational needs.

To create a new Reporting Package to be used at your discretion

  1. Open the LogRhythm Console and click Report Center on the main toolbar.
  2. Click the Report Packages tab.
  3. Right-click the grid and click New Report Package.
  4. Within the Select Reports window, select the CCF reports you want to include in this reporting package, and then click Next.
  5. Click Next on the Override Log Source Criteria without making any changes. 

    Do not override log source criteria.
  6. Select the frequency for which the reporting package will be produced and the timeframe.
  7. Choose additional settings for report delivery options, and then click Next.
  8. Add the name and description of the new CCF reporting package, and then click OK.


To create a cloned Reporting Package to apply the CCF Log Source List:

  1. Open the LogRhythm Console and click Report Center on the main toolbar.
  2. Click the Report Packages tab.
  3. Right-click the reporting package you want and select Clone.
  4. Ensure desired reports are selected within the reporting package.
  5. Click Next until you reach the Override Log Source Criteria.
  6. Select Selected Log Source List and type CCF within the Name search field.
  7. Select the check box for CCF: All Log Sources.
  8. Select Next until you reach Package Details and change the Package Name.
  9. Set Report Package Permissions and click OK or Apply to save.

