Skip to main content
Skip table of contents

CCF Deployment Guide – Review Prerequisites

Pre-Implementation Checklist

The Pre-Implementation Checklist is used to collect all necessary infrastructure details used to configure the CCF Compliance Automation Suite. During this phase the following items should be collected:

  • Log Source Lists
  • User Lists
  • Group / General Value Lists
  • Location Lists
  • Application Lists
  • Entity Lists
  • Host Lists
  • Network Lists

LogRhythm Network Monitor is required for the use of the CCF Compliance Automation Suite’s TLS and SSL AIE rules, Investigations, and Reports. If Network Monitor is not used, some adjustments may need to be made to related objects previously mentioned.

Understand the LogRhythm Consolidated Compliance Framework

LogRhythm Compliance modules released after the software version 7.2.6 launch follow a Consolidated Compliance Framework (CCF) that structures objects, associated with the support of common compliance controls across different frameworks, to be shared between compliance modules. This eliminates the need to maintain duplicate objects and rules, by using restricted user profiles to separate reports, alarms, dashboard content, and more. LogRhythm administrators can create CCF-focused auditor or user profiles with the use of the CCF: All Log Sources list, Entities, or both and introduce scope through framework-specific All Host lists.

Unless CCF is intended to forever be the only compliance module installed, LogRhythm administrators should configure and tune rules based, off the CCF module. The compliance scope that is specific to CCF or other modules should be maintained by keeping the CCF: All Host lists, CCF: All Log Sources list, and a CCF-specific Entity structure up to date with the organization’s current CCF scope. After restricted user profiles have been created, every account using the list or Entity structure will always remain up to date by maintaining these items.

Alongside this, LogRhythm report schedules can also be restricted to the CCF: All Log Sources list or Entities. This is important to keep in mind because only LogRhythm Global Administrators can schedule reports, even though reports run directly from restricted user profiles fully reflect the restrictions applied to the account. Email alerts and Web Console content configured to restricted accounts also reflect any restrictions applied, so that restricted accounts do not receive out-of-scope alerts or see inappropriate information when logged into the Web Console.

CCF Compliance Modules

Module Name

Module ID


Compliance Automation Suite: GDPR


This module contains various LogRhythm components that have been mapped to support GDPR Articles and objectives.

Compliance Automation Suite: UAE-NESA


This module was created based on those controls that LogRhythm SIEM can augment. For more information, see the UAE Deployment Guide and User Guide.

Compliance Automation Suite: NIST


This module contains objects aligned with control objectives within NIST 800-53 rev. 5, NIST 800-171, and CSF v1.1. This compliance module relies on objects within the CCF module.

Compliance Automation Suite: NY-DFS


This module contains objects aligned with control objectives within NY-DFS. This compliance module relies on objects within the CCF module.

Compliance Automation Suite: CJIS


This module contains objects aligned with control objectives within the FBI’s Criminal Justice Information Services (CJIS) Security Policy version 5.7. This compliance module relies on objects within the CCF module.

Compliance Automation Suite: ASD83This module contains objects that help organizations pursue best practice adherence to the Australian Government Information Security Manual (ISM), produced by the Australian Cyber Security Centre (ACSC) within the Australian Signals Directorate (ASD).

Key CCF Support Features

  • CCF is the initial step along the Security Organization Maturity Model (SOMM), often serving as an introduction to SIEM
  • Knowledge Base CCF objects are shared between compliance modules to avoid duplicate items and better centralize tuning and optimization
  • Report Package templates that can be cloned for scheduling reports with restrictions to a given compliance framework that cater to various audiences involved in the audit
  • CCF content mapped to various compliance requirements and objectives
  • CCF workbook or Deployment Guides that can be downloaded and include control mappings to each CCF object that augments
  • AI Engine objects tailored to specifically cooperate with LogRhythm Web Console dashboards
  • CCF-specific SmartResponse plugins for additional scope definition and context
  • Reports specifically built to “run as investigations,” in the Web Console for evidence that can be stored in Case Management cases as extra reporting

Web Console Support

LogRhythm Global Administrators can schedule report packages. Upon scheduling a report package, administrators have the option to select Web Console as part of the report scheduling. Reports scheduled to be delivered to the Web Console can be run as investigations, which creates a digital version of the reports that can be stored in Case Management cases as evidence.

The screenshot above shows how cases can store these investigations as evidence, and incidents that occur during reporting review cases can be associated to cases as well. 

All the AI Engine objects found in the CCF module can be used with Web Console dashboards as well.  Web Console widgets can even be configured to look only at CCF AI engine events. The following is an example of a CCF filter string for Web Console dashboard widgets: commonEventName: AIE*CCF*.

Remember that it is highly recommended that CCF deployments utilize restricted user and administrator accounts.
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.