GPG-13 – Investigations
Intelligent Indexing must be set according to the table below. Work with LogRhythm Support to set this configuration.
Name | Description | Investigation ID | Direct/Augment Control Activity | Data Source | Intelligent Indexing | Classifications | Log Source Lists
---|---|---|---|---|---|---|---
GPG-13: Attack Detected at Boundary | This investigation provides detailed information on suspected attacks at the boundary, including the type of attack and the impacted (targeted) host and application (if applicable). This supplements testing of GPG-13 control PMC3.4 [Report B]. | 289 | PMC3.4 - Direct | Event Manager | Yes | Security: Attack | GPG-13: Security Boundary Enforcing Devices; GPG-13: Security Boundary Monitoring Devices
GPG-13: Auth Failure on Boundary Device | This investigation provides detailed information on authentication failure activity occurring on a boundary monitoring device, including the common event detailing the reason for the authentication failure. This supplements testing of GPG-13 control PMC3.3 [Report B]. | 290 | PMC3.3 - Direct | Event Manager | Yes | Audit: Authentication Failure | GPG-13: Security Boundary Anti-Malware Gateways; GPG-13: Security Boundary Content Gateways; GPG-13: Security Boundary Enforcing Devices; GPG-13: Security Boundary Monitoring Devices
GPG-13: Completed File Import/Export | This investigation provides details of completed file import/export activities across the boundary to supplement testing of GPG-13 controls PMC2.9 [Report C] and PMC2.10 [Report C]. | 288 | PMC2.9 - Direct; PMC2.10 - Direct | Log Manager | No | Operations: Information | GPG-13: Security Boundary Anti-Malware Gateways; GPG-13: Security Boundary Content Gateways; GPG-13: Security Boundary Enforcing Devices; GPG-13: Security Boundary Monitoring Devices
GPG-13: Failed File Import/Export Attempt | This investigation provides details of blocked file import/export attempts across the boundary to supplement testing of GPG-13 controls PMC2.4 [Report B] and PMC2.5 [Report B]. | 287 | PMC2.4 - Direct; PMC2.5 - Direct | Event Manager | Yes | Operations: Network Deny | GPG-13: Security Boundary Anti-Malware Gateways; GPG-13: Security Boundary Content Gateways; GPG-13: Security Boundary Enforcing Devices; GPG-13: Security Boundary Monitoring Devices
GPG-13: Internal Boundary Monitoring Device Change | This investigation supplements testing of GPG-13 controls PMC5.6, PMC5.12 and PMC6.15 (and related reporting) by providing additional details of internal boundary monitoring device changes. The reports provide the current version of the change; the investigation provides the previous version of the signature within the raw log message. | 298 | PMC5.6 - Direct; PMC5.12 - Augment; PMC6.15 - Augment | Log Manager | Yes | Audit: Configuration | GPG-13: Internal Boundary Enforcing Devices
GPG-13: LogRhythm Alert Config Change | This investigation supplements testing of GPG-13 control PMC9.3 [Report C] by providing additional details of the alert configuration change being investigated. This investigation requires the Enhanced Auditing configuration. Refer to the GPG-13 Deployment Guide for further configuration instructions. | 296 | PMC9.3 - Direct | Log Manager | Yes | Audit: Configuration | GPG-13: UDLA - LREnhancedAudit
GPG-13: Malware Detected on Host | This investigation provides details of activity indicative of malware installation, propagation, or use, directly addressing GPG-13 control PMC4.2 [Report A]. It includes both successful and failed malware activity. | 291 | PMC4.2 - Direct | Event Manager | Yes | Security: Malware | GPG-13: Servers And Workstations
GPG-13: Malware Detection Activity | This investigation provides details of activity indicative of successful or failed malware installation, propagation, or use, directly addressing GPG-13 control PMC2.1 [Report A]. | 286 | PMC2.1 - Direct | Event Manager | Yes | Security: Malware | GPG-13: All Log Sources
GPG-13: Network Act Priv/Group Change (Windows) | This investigation provides detailed information on changes to network user privilege, group or membership assignments. It is configured specifically for Windows logs from the in-scope workstations and servers: the common events pertain to specific group modifications, and the account metadata field must not end with '$', which excludes computer accounts from the investigation. This supplements testing of GPG-13 control PMC7.3 [Report A]. | 295 | PMC7.3 - Direct | Event Manager | Yes | Audit: Account Modified | GPG-13: Servers And Workstations
GPG-13: Remote Auth Failure | This investigation provides detailed information on authentication failures originating from a remote access point into the boundary. This supplements testing of GPG-13 control PMC6.1 [Report A]. | 293 | PMC6.1 - Direct | Event Manager | Yes | Audit: Authentication Failure | GPG-13: Remote Access Devices
GPG-13: Suspected Internal Attack | This investigation provides summary information on suspected attacks at the internal boundary, including the type of attack and the impacted (targeted) host and application (if applicable). This supplements testing of GPG-13 control PMC5.7 [Report C]. | 292 | PMC5.7 - Direct | Event Manager | Yes | Security: Attack | GPG-13: Internal Boundary Enforcing Devices
GPG-13: User Network Act Status Change (Windows) | This investigation supplements testing of GPG-13 control PMC7.2 [Report A] by providing summary information on user network account status changes. It is Windows specific: it searches against a selection of common events relating to account modifications on Windows domains and is restricted to logs from Windows log source types only. It also captures events to supplement control PMC7.5 [Alert B], reporting any account lock-out activity. | 294 | PMC7.2 - Direct | Event Manager | Yes | Audit: Account Modified | GPG-13: Servers And Workstations