This guide is intended for the designated LogRhythm administrators within your organization.
This guide assumes the following:
- The ISO-27001 Compliance Automation Suite has been imported, the desired AI Engine rules are enabled, and the network entity structure has been configured. Contact LogRhythm Customer Support with any additional questions about establishing entity structure in the console.
- Appropriate log sources (such as Windows Security Events, Firewalls, Intrusion Detection Systems, and so forth) have been configured for collection by LogRhythm.
- The network entity structure has been configured to identify internal and external sources, so that the direction of traffic can be determined. Contact LogRhythm Customer Support with any additional questions or for guidance about establishing directional traffic.
- To use the rules and reports that monitor particular users or groups, the seven (7) ISO-27001 lists have been populated with the privileged user groups, privileged accounts, vendor accounts, shared accounts, guest accounts, default accounts, and terminated accounts that your organization wants to monitor. Updating these lists can be folded into the periodic account reviews already performed on the various systems in the environment.
How to Use This Guide
Suppression Period: The Suppression Period defines how much time must pass before the same AI Engine rule can be triggered again for the same set of criteria.
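The suppression behaviour described above, as an added illustrative model rather than LogRhythm's own code: rule matches are replayed in time order, and a match is dropped when it arrives less than one Suppression Period after the last alarm that fired for the same rule and criteria set. The rule name, user names, host and timestamps below are constructed sample data. The model also makes two edge cases explicit: a different criteria set gets its own window, and the window restarts from the last alarm that fired, not from the last suppressed match.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# A criteria set is the set of values the rule grouped on,
# e.g. (("user", "svc_backup"), ("host", "db01")).
Criteria = Tuple[Tuple[str, str], ...]


@dataclass(frozen=True)
class RuleEvent:
    time: datetime
    rule: str
    criteria: Criteria


@dataclass
class SuppressionResult:
    fired: List[RuleEvent] = field(default_factory=list)
    suppressed: List[RuleEvent] = field(default_factory=list)


def apply_suppression(events: List[RuleEvent], period: timedelta) -> SuppressionResult:
    """Replay rule matches in time order and suppress any match that occurs less
    than `period` after the last match that *fired* for the same (rule, criteria)
    key. A match exactly `period` after the last firing is allowed through,
    because the full suppression period has then passed."""
    last_fired: Dict[Tuple[str, Criteria], datetime] = {}
    result = SuppressionResult()
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.rule, ev.criteria)
        prev = last_fired.get(key)
        if prev is not None and ev.time - prev < period:
            result.suppressed.append(ev)
            continue
        # The window restarts from each firing, not from each suppressed match.
        last_fired[key] = ev.time
        result.fired.append(ev)
    return result


def _ev(hhmm: str, user: str, host: str = "db01") -> RuleEvent:
    # Constructed sample match for a hypothetical privileged-logon rule (not LogRhythm data).
    return RuleEvent(
        time=datetime(2024, 1, 1, int(hhmm[:2]), int(hhmm[3:])),
        rule="Privileged Account Logon",
        criteria=(("user", user), ("host", host)),
    )


SAMPLE_EVENTS = [
    _ev("09:00", "svc_backup"),   # fires
    _ev("09:05", "svc_backup"),   # suppressed with a 60-minute period: 5 min since the 09:00 alarm
    _ev("09:10", "jdoe_admin"),   # fires: different criteria set, separate window
    _ev("09:20", "svc_backup"),   # suppressed with a 60-minute period: 20 min since the 09:00 alarm
    _ev("10:00", "svc_backup"),   # fires: exactly 60 minutes have passed
]


def fired_times(period_minutes: int = 60) -> List[str]:
    """Times (HH:MM) at which the sample matches produce an alarm for the given period."""
    res = apply_suppression(SAMPLE_EVENTS, timedelta(minutes=period_minutes))
    return [ev.time.strftime("%H:%M") for ev in res.fired]


def suppressed_count(period_minutes: int = 60) -> int:
    """Number of sample matches that are suppressed for the given period."""
    return len(apply_suppression(SAMPLE_EVENTS, timedelta(minutes=period_minutes)).suppressed)


if __name__ == "__main__":
    for minutes in (60, 15):
        res = apply_suppression(SAMPLE_EVENTS, timedelta(minutes=minutes))
        print(f"suppression period = {minutes} min")
        for ev in res.fired:
            print("  ALARM     ", ev.time.strftime("%H:%M"), dict(ev.criteria))
        for ev in res.suppressed:
            print("  suppressed", ev.time.strftime("%H:%M"), dict(ev.criteria))
```

Shortening the period to 15 minutes lets the 09:20 match through, which shows why the Suppression Period of a rule needs to be tuned against the expected repeat rate of the activity it watches: too long and a second, unrelated occurrence is hidden behind the first alarm; too short and every repeat becomes its own alarm.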
Environmental Dependence Factor: EDF is a high-level estimate of how much configuration and tuning effort an AI Engine rule requires before it performs as expected in your environment. The value is informational only and has no effect on rule processing.
False Positive Probability: FPP is a rating, on a scale of 0 to 9, of how likely it is that an event triggered by the rule represents a real risk, as follows:
- 0: The event represents a real risk less than 1 time out of 10.
- 1: The event represents a real risk 1 time out of 10.
- 9: The event represents a real risk 9 times out of 10.
Intermediate values follow the same pattern: an FPP of n means the event represents a real risk about n times out of 10.