CIS-CSC Deployment Guide – Configure the Module

LogRhythm requires that you configure some objects included in the CIS-CSC Compliance Automation Suite. This section describes the steps you must perform.

Intelligent Indexing

Intelligent Indexing allows Reports, Investigations, and Tails to keep the appropriate log data online in the Log Manager/Data Processor. Take care when choosing which objects to enable Intelligent Indexing on, because broad criteria can keep an exceptional amount of data online and overwhelm the Log Manager/Data Processor. For a list of Intelligent Indexing-capable objects and their recommended settings, see the matrices available from the home page of this module.

Populate Lists

  1. Open the LogRhythm Console and click List Manager on the main toolbar.
  2. Right-click the name of a CIS-CSC Log Source List, and then click Properties.
  3. Click the List Items tab, and then click Add Item.
  4. Use the Add Item dialog to add items to the list individually or click Import to import a text file or clipboard contents.
  5. To save the list, click OK.
  6. Repeat this process (steps 1-5) for all CIS-CSC Lists from your checklist.

Enable AI Engine Rules

Some of the AI Engine Rules in this module need more configuration to ensure they will work properly. For rule configuration information, see Getting Started in CloudAI.

  1. Open the LogRhythm Console and click Deployment Manager.
  2. Click the AI Engine tab.
  3. In the Rule Group column, filter for CIS Critical Security Controls to find the AI Engine Rules you want for the module.
  4. To the left of each AI Engine rule you want to enable, select the Action check box.
  5. Right-click the grid, click Actions, and then click Enable.
  6. If the Restart column displays Needed for a rule, the AI Engine service must restart to load the new rules. Click Restart AI Engine Servers at the top of the window. This action only restarts the necessary services, not the appliance itself.

    You must select the AI Engine instance in the View field to see the Restart column.

Enable AI Engine Rule Alarming

By default, alarms are disabled for all AI Engine rules, except for those noted earlier, but events are generated when a rule is enabled and its criteria are satisfied. These events are displayed in the Web Console dashboard and are visible by running an Investigation or Tail against the Event Manager.

Before enabling alarming, review events and tune rules as necessary. Refer to the CIS Critical Security Controls User Guide for information about tuning individual AI Engine rules. When you are finished tuning one or more rules, and an acceptable level of false positives is achieved, enable alarming on the rules to bring events to the alarm layer and give visibility to the monitoring team.

To enable alarming for AI Engine rules:

  1. On the main menu of the LogRhythm Console, click Deployment Manager.
  2. Click the AI Engine tab and find the rules you want.
    The value under Alarm Status shows whether alarming is enabled for a rule.
  3. To the left of each rule, select the Action check box.
  4. Right-click the grid, click Actions, click Batch Enable Alarms, and then click Enable Alarms.
  5. (Optional) Right-click the grid, click Actions, click Batch Notification Editor, and Add Notifyees or Remove Notifyees as necessary.

    You can configure alarming for individual alarms on the Settings tab of the Alarm Properties dialog box.

(Optional) Add Item to List Using a SmartResponse Plugin

Using SmartResponse, LogRhythm can automatically update the Privileged Users list.

  1. Go to the LogRhythm Community.
  2. On the top menu bar, click Sharables.
  3. In the SmartResponses section, download the Add Item to List plugin and its user guide.
  4. Follow the instructions in the guide to import the plugin and make it available to the AI Engine rules.
  5. In the Client Console on the main toolbar, click Deployment Manager.
  6. Click the AI Engine tab.
  7. In the AI Engine Rule Name column, filter for CIS Critical Security Controls.
  8. Double-click the rule you want, and then click the Actions tab.
  9. In the Action menu, select the Add Item to List plugin that you imported.
  10. As described in the Add Item to List Plugin User Guide, fill in the proper fields: Target Host, Target Account, Administrator Account, and Administrator Password.
  11. Click OK.

Import the Web Console Dashboard Layout

Layouts currently cannot be imported as part of the KB. Instead, you must manually download and apply them.

  1. Go to the LogRhythm Community.
  2. On the top menu bar, click Sharables.
  3. In the Dashboards section, click Client Console Dashboard and Investigation Layouts, and then download the Critical Security Controls Dashboard Layout.
  4. Start a supported Web browser and log in to the LogRhythm Web Console.
  5. On the upper-right side of the page, click the Dashboard Layout icon.
  6. At the bottom of the dashboard layouts list, do one of the following depending on your user permission level:
    • Global Administrators. Click either Add Public or Add Private depending on the type of view that you want to create from the import.
    • All other users. Click Add Private.
  7. In the edit area, click Import.
    The Open dialog box appears.
  8. Navigate to and select the dashboard layout file (.wdlt) that you want to import, and then click the Open button.
    The selected dashboard layout is imported into your dashboard layout menu.
