General Deployment Requirements
The deployment of the CIS CSCM assumes the following:
- The overall LogRhythm deployment is in a fully-deployed state and is healthy.
- LogRhythm version 7.1 or later is deployed.
- Entity structure is appropriately configured to identify DMZ and Internal networks.
Configure Microsoft Windows Audit Logging Levels
It is highly recommended that you follow Microsoft’s guidance on Audit Policy Recommendations. Search Microsoft’s website for the latest recommendations.
Configure Linux Audit Logging
By default, sudo on most current Linux distributions logs the message "user NOT in sudoers" to the authpriv syslog facility when a user attempts to run sudo without authorization. On Debian-based systems this lands in /var/log/auth.log; on Red Hat-based systems it lands in /var/log/secure. The only requirement is that LogRhythm collects this log through a Syslog, Flat File, or Syslog File log source. The most common collection method is to configure rsyslog to forward all facilities and severities to a LogRhythm System Monitor (SysMon) Agent.
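The following is an added example, not code from the LogRhythm documentation. It renders an rsyslog drop-in that forwards every facility and severity to a SysMon Agent over TCP with a disk-assisted queue (so a brief agent outage does not drop authentication events), and it shows how to pull the denied user and command out of the sudo line that the module's rules depend on, using a constructed sample log line. The agent host name, port, and drop-in path are assumptions.

```shell
#!/bin/sh
# Added example (not from the LogRhythm documentation). Assumptions: the
# SysMon Agent listens on lr-agent.example.internal:514/tcp and rsyslog
# includes /etc/rsyslog.d/*.conf (the default on Debian and RHEL families).

# Render an rsyslog (RainerScript) action that forwards *.* to the agent.
# Usage: render_forward_conf <agent-host> [port]
render_forward_conf() {
    agent_host="$1"
    agent_port="${2:-514}"
    cat <<EOF
# Forward every facility at every severity to the LogRhythm SysMon Agent.
# Disk-assisted queue keeps auth events if the agent is briefly unreachable.
*.* action(type="omfwd"
           target="${agent_host}" port="${agent_port}" protocol="tcp"
           queue.type="LinkedList" queue.filename="lr_fwd"
           action.resumeRetryCount="-1")
EOF
}

# Write the drop-in where rsyslog will pick it up.
# Usage: install_forward_conf <agent-host> [port] [path]
install_forward_conf() {
    conf_path="${3:-/etc/rsyslog.d/50-logrhythm.conf}"
    render_forward_conf "$1" "$2" > "$conf_path"
}

# Syntax-check the full rsyslog configuration (including drop-ins) without
# starting the daemon; run as root after install_forward_conf.
check_rsyslog_conf() {
    rsyslogd -N1
}

# Extract the denied user from a sudo "user NOT in sudoers" syslog line.
# sudo pads the user name with spaces and may or may not log a PID after
# "sudo", so both "sudo:" and "sudo[123]:" are accepted. Prints nothing for
# lines that are not denials (e.g. successful sudo invocations).
sudo_denied_user() {
    printf '%s\n' "$1" |
        sed -n 's/.* sudo[^:]*: *\([^ ]*\) *: user NOT in sudoers.*/\1/p'
}

# Extract the command the denied user attempted.
sudo_denied_command() {
    printf '%s\n' "$1" |
        sed -n 's/.*user NOT in sudoers.*COMMAND=\(.*\)$/\1/p'
}

# Constructed sample of what rsyslog forwards for a failed sudo attempt.
SAMPLE_DENIAL='Jan 12 10:14:03 web01 sudo:      bob : user NOT in sudoers ; TTY=pts/0 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow'

# Demo: show the rendered drop-in and the fields parsed from the sample line.
render_forward_conf lr-agent.example.internal 514
echo "denied user:    $(sudo_denied_user "$SAMPLE_DENIAL")"
echo "denied command: $(sudo_denied_command "$SAMPLE_DENIAL")"
```

After installing the drop-in and restarting rsyslog, trigger a denial from an unprivileged test account (`sudo -n true` as a user with no sudoers entry) and confirm the line arrives at the agent with the user and COMMAND fields intact; if the log source is configured as Flat File instead, point it at the distribution's auth log path rather than the forwarding action.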
Data Collection Requirements
The matrices on the module home page list the log source types that should be collected to make effective use of each AIE Rule, Investigation, and Report in the CIS CSCM.
Gather the Following Information Before Deploying the Module
The following information should be gathered prior to implementing the CIS CSCM. This information is needed when populating lists and configuring individual AI Engine Rules.
- Blacklisted Countries
- Network Access Control Systems
- Privileged Groups
- Privileged Users
- Production Servers
- Remote Access Systems
- Vulnerability Scanners
- Whitelisted Countries
- Whitelisted Processes
- Wireless Access Points
By default, updating the Knowledge Base does not update the user-customizable settings in AIE rules, such as Rule Block Time Limit settings, Unique Value Rule Block occurrences and Threshold Rule Block values. The default behavior is intended to preserve any user customizations made to the AIE rules.
You may want the latest rule settings to overwrite the existing settings as part of the Knowledge Base sync. To do so, select the Enable Advanced Synchronization Settings check box in the Knowledge Base Manager Synchronization Settings. Enabling this option applies to all enabled Knowledge Base modules, not just the CIS CSCM.
For more details on how the Knowledge Base synchronization settings can affect AIE rules, see Configure Knowledge Base Synchronization Settings.