GPG-13 – Reports (Summary and Detail)
Summary Reports
Name | Description | Report ID | Meets Requirements | Data Source | Intelligent Indexing | Log Sources |
---|---|---|---|---|---|---|
GPG-13: Accountable User Transactions Summary | This report provides summary information specific to accountable user transactions across all log sources by account and impacted host. This requirement will require the customer to work with Professional Services to assess their application and database environments to determine what transactional data is available for logging. Consider using a reporting package to segregate by entity. | 1160 | PMC7.7 [B] – Augment | Log Manager | No | GPG-13: Application and Database Production Servers |
GPG-13: Backup Operations Status | This report provides summary information around backup, test and recovery operations based on a search for logs using various common events pertaining to overall backup operations within critical servers and workstations (lists). Consider using a reporting package to segregate by entity. | 1175 | PMC8.1 [A] - Augment, PMC8.3 [C] - Augment, PMC8.4 [D] – Augment | Log Manager | No | GPG-13: All Log Sources |
GPG-13: LogRhythm Alert Config Change | This report provides summary information and statistics relating to any configuration changes impacting alerts within the LogRhythm Console in direct support of GPG-13 control PMC9.3. This report requires the Enhanced Auditing Configuration. Refer to the GPG-13 Deployment Guide for further configuration instructions. Consider using a reporting package to segregate by entity. | 1190 | PMC9.3 [B] – Direct | Log Manager | Yes | GPG-13: UDLA – LREnhancedAudit |
GPG-13: Audit Failure Executive Summary | This report provides an executive level summary of all audit failures (access failure, authentication failure, and other audit failure) by Impacted Entity. This report in conjunction with others intended for an executive audience helps augment GPG-13 control objective PMC11. | 1198 | PMC11 - Augment | Log Manager | No | GPG-13: All Log Sources |
GPG-13: Audit Success Executive Summary | This report provides an executive level summary of all audit successes (access success, authentication success, and other audit success) by Impacted Entity. This report in conjunction with others intended for an executive audience helps augment GPG-13 control objective PMC11. | 1199 | PMC11 - Augment | Log Manager | No | GPG-13: All Log Sources |
GPG-13: Operations Events Executive Summary | This report provides an executive level summary of operations incidents (critical, error, and warning) by Impacted Entity. This report in conjunction with others intended for an executive audience helps augment GPG-13 control objective PMC11. | 1200 | PMC11 - Augment | Log Manager | No | GPG-13: All Log Sources |
GPG-13: Privileged Failure Summary | This report augments GPG-13 control PMC11 by providing summary details on all privileged access and authentication failures. This report in conjunction with others intended for an executive audience helps augment GPG-13 control objective PMC11. | 1201 | PMC11 - Augment | Event Manager | No | GPG-13: All Log Sources |
GPG-13: Security Events Executive Summary | This report provides a summary of security events (activity, attack, compromise, denial of service, malware, misuse, reconnaissance, suspicious, and vulnerabilities) by Entity. This report in conjunction with others intended for an executive audience helps augment GPG-13 control objective PMC11. | 1202 | PMC11 - Augment | Event Manager | No | GPG-13: All Log Sources |
GPG-13: Security Failure Executive Summary | This report provides a summary of security failure events (failed activity, failed attack, failed compromise, failed denial of service, failed malware, failed misuse, and failed suspicious) by Entity. This report in conjunction with others intended for an executive audience helps augment GPG-13 control objective PMC11. | 1203 | PMC11 - Augment | Log Manager | No | GPG-13: All Log Sources |
GPG-13: Terminated Account Summary | This report summarizes terminated account activity for production systems. This report in conjunction with others intended for an executive audience helps augment GPG-13 control objective PMC11. | 1204 | PMC11 - Augment | Log Mart | No | GPG-13: All Log Sources |
GPG-13: Top Attacker Summary | This report augments GPG-13 control PMC11 by providing a summary of the top security events by Origin Host. This report in conjunction with others intended for an executive audience helps augment GPG-13 control objective PMC11. | 1205 | PMC11 - Augment | Log Manager | No | GPG-13: All Log Sources |
GPG-13: Top Suspicious Login Summary | This report provides summary information of top suspicious logins across the environment. This report, in conjunction with others intended for an executive audience, helps augment GPG-13 control objective PMC11. | 1206 | PMC11 - Augment | Log Manager | No | GPG-13: All Log Sources |
GPG-13: Top Targeted Application Summary | This report provides summary information of top targeted applications being monitored within the environment. This report, in conjunction with others intended for an executive audience, helps augment GPG-13 control objective PMC11. | 1207 | PMC11 - Augment | Log Manager | No | GPG-13: All Log Sources |
GPG-13: Top Targeted Host Summary | This report provides summary information of top targeted hosts being monitored within the environment. This report, in conjunction with others intended for an executive audience, helps augment GPG-13 control objective PMC11. | 1208 | PMC11 - Augment | Log Manager | No | GPG-13: All Log Sources |
GPG-13: New Account Summary | This report provides summary information on any new account created in the environment. This report, in conjunction with others intended for an executive audience, helps augment GPG-13 control objective PMC11. | 1215 | PMC11 - Augment | Log Mart | No | GPG-13: All Log Sources |
GPG-13: File Integrity Monitor Summary | This report provides summary information to executives around FIM activities within the environment. This report, in conjunction with others intended for an executive audience, helps augment GPG-13 control objective PMC11. | 1211 | PMC11 - Augment | Log Mart | No | GPG-13: File Integrity Monitoring |
GPG-13: User Access Granted/Revoked Summary | This report provides summary information to executives around user access provisioning for rights granted or revoked across the environment. This report, in conjunction with others intended for an executive audience, helps augment GPG-13 control objective PMC11. | 1212 | PMC11 - Augment | Event Manager | No | GPG-13: All Log Sources |
Detail Reports
Name | Description | Report ID | Meets Requirements | Data Source | Intelligent Indexing | Log Sources |
---|---|---|---|---|---|---|
GPG-13: Time Sync Errors | This report provides a summary of time sync errors occurring within in-scope entities in direct support of GPG-13 Control PMC1.1 [A] and PMC1.3 [B] and in supplemental support of GPG-13 Control PMC1.2. Consider using a reporting package to segregate by entity. | 1107 | PMC1.1 [A] - Direct, PMC1.2 – Direct, PMC1.3 [B] – Augment | Event Manager | Yes | GPG-13: All Log Sources |
GPG-13: Boundary Monitoring Device Commands | This report provides summary information on any command executed on a boundary device or console. Depending on the technology used, there may be a requirement for customization based on logs/data produced by the device or console. Work with Professional Services for any customization requirements based on the technology utilized. This report directly supports GPG-13 control objective PMC3.11. | 1185 | PMC3.11 [C] – Direct | Log Manager | No | GPG-13: Security Boundary Anti-Malware Gateways; GPG-13: Security Boundary Content Gateways; GPG-13: Security Boundary Enforcing Devices; GPG-13: Security Boundary Monitoring Devices |
GPG-13: Internal Boundary Monitoring Device Change | This report provides summary information on any changes to an internal firewall or other relevant devices. This report augments the GPG-13 control objectives PMC5.6 [B], PMC5.12 [C] and PMC6.15 [C]. Consider using a reporting package to segregate by entity. | 1195 | PMC5.6 [B] - Direct, PMC5.12 [C] - Augment, PMC6.15 [C] – Augment | Log Manager | No | GPG-13: Internal Boundary Enforcing Devices |
GPG-13: High Integrity Transaction Report | This report provides summary information relating to transactions classified under high integrity requirements. There is a dependence on the customer defining high integrity transactions and a third-party solution must be in place to capture details of the transaction, log file hash and signature. If classified and configured correctly, this report will supplement testing of GPG-13 control PMC1.4 [C]. Consider using a reporting package to segregate by entity. Please work with LogRhythm Professional Services, as needed. | 1214 | PMC1.4 [C] – Augment | Log Manager | No | GPG-13: All Log Sources |
GPG-13: Logging Exception | This report provides summary information against the LogRhythm Console for any logging exceptions that result in a log reset, error condition, failure or threshold reached. Consider using a reporting package to segregate by entity. | 1165 | PMC10.1 [A] – Direct | Event Manager | Yes | GPG-13: All Log Sources |
GPG-13: Log Volume Report | This report provides summary information on log volume status for the LogRhythm Console (central log storage) to indicate when insufficient disk space is detected. | 1192 | PMC10.2 [A] - Direct & PMC10.3 [B] - Direct | Event Manager | No | LogRhythm Console |
GPG-13: Log File Rotated | This report provides summary information for log file rotation activity within the LogRhythm Console (central log storage). Consider using a reporting package to segregate by entity. | 1193 | PMC10.4 [B] – Direct | Event Manager | No | LogRhythm Console |
GPG-13: Log Volume by Log Source | This standard report provides log management statistics by Log Source. | 1166 | PMC10.6 [B] – Direct | Event Manager | No | GPG-13: All Log Sources |
GPG-13: Successful/Failed Malware Detected at Boundary | This report provides a summary of activity indicative of successful or failed malware installation, propagation, or use to directly address GPG-13 control PMC2.1. This classification is set to RR=9 because successful malware is indicative of complex control of systems within the boundary possibly leading to data loss with malicious intent, theft, tampering etc. Failed malware activity will allow visibility into top attack targets at your boundary. Consider using a reporting package to segregate by entity. | 1108 | PMC2.1 [A] – Direct | Event Manager | Yes | GPG-13: Security Boundary Anti-Malware Gateways; GPG-13: Security Boundary Content Gateways; GPG-13: Security Boundary Enforcing Devices; GPG-13: Security Boundary Monitoring Devices |
GPG-13: Access to File Transfer Cache Folder | This report provides summary information around access success to defined folder(s) containing a file transfer cache. This report requires a Professional Services engagement to configure and define what folders are in-scope to be monitored. Consider using a reporting package to segregate by entity. | 1182 | PMC2.14 [D] – Augment | Event Manager | Yes | GPG-13: Security Boundary Content Gateways; GPG-13: Security Boundary Enforcing Devices; GPG-13: Security Boundary Monitoring Devices |
GPG-13: Boundary Anti-Malware Policy Change | This report provides a summary of all status update activities relating to anti-malware on the boundary. To supplement the Summary Report, consider running an Investigation to capture further information around the Anti-Malware policy change. Consider using a reporting package to segregate by entity. | 1109 | PMC2.2 [A] – Direct | Log Manager | No | GPG-13: Security Boundary Content Gateways; GPG-13: Security Boundary Enforcing Devices; GPG-13: Security Boundary Monitoring Devices |
GPG-13: Blocked Web Browsing | This report provides detail relating to blocked web browsing activities within the boundary to directly address GPG-13 control PMC2.3. Consider using a reporting package to segregate by entity. | 1176 | PMC2.3 [B] – Direct | Event Manager | Yes | GPG-13: Security Boundary Content Gateways |
GPG-13: Blocked File Import/Export Attempt | This report provides detail relating to blocked file import/export attempts across the boundary to supplement testing of GPG-13 control PMC2.4 [Report B] and PMC2.5 [Report B]. It should be noted that in order to address PMC2.6 [Report C] and PMC2.7 [C], the blocking device should capture the necessary information and an API will have to be configured to transfer that information to LogRhythm. As an alternative, the LogRhythm Network Monitor is capable of full packet capture. Consider using a reporting package to segregate by entity. | 1110 | PMC2.4 [B] - Direct, PMC2.5 [B] - Direct, PMC2.6 [C] - Augment, PMC2.7 [C] – Augment | Event Manager | Yes | GPG-13: Security Boundary Anti-Malware Gateways; GPG-13: Security Boundary Content Gateways; GPG-13: Security Boundary Enforcing Devices; GPG-13: Security Boundary Monitoring Devices |
GPG-13: Allowed Web Browsing Activity | This report provides detail relating to allowed web browsing activities within the boundary to directly address GPG-13 control PMC2.8 [B]. Consider using a reporting package to segregate by entity. | 1177 | PMC2.8 [C] – Direct | Event Manager | No | GPG-13: Security Boundary Content Gateways |
GPG-13: Completed File Import/Export | This report provides information around completed file import/export activities across the boundary to supplement testing of GPG-13 control PMC2.9 [C] and 2.10 [C]. Consider using a reporting package to segregate by entity. | 1111 | PMC2.9 [C] - Direct & PMC2.10 [C] - Direct | Event Manager | No | GPG-13: Security Boundary Anti-Malware Gateways; GPG-13: Security Boundary Content Gateways; GPG-13: Security Boundary Enforcing Devices; GPG-13: Security Boundary Monitoring Devices |
GPG-13: Packet Dropped at Security Boundary | This report provides summary information on packets being dropped by boundary firewalls. To supplement the Summary Report, consider running an Investigation capturing the raw log message, including the message content, from the boundary monitoring system. Consider using a reporting package to segregate by entity. | 1112 | PMC3.1 [A] – Direct | Event Manager | Yes | GPG-13: Security Boundary Enforcing Devices |
GPG-13: Boundary Monitoring Warning Status | This report provides summary information on boundary monitoring device messages received at a warning status. To supplement the Summary Report, consider running an Investigation capturing the raw log message from the boundary monitoring device. Consider using a reporting package to segregate by entity. | 1180 | PMC3.10 [C] – Direct | Event Manager | No | GPG-13: Security Boundary Anti-Malware Gateways; GPG-13: Security Boundary Content Gateways; GPG-13: Security Boundary Enforcing Devices; GPG-13: Security Boundary Monitoring Devices |
GPG-13: Packet Passed at Security Boundary | This report provides summary information on packets being passed by boundary firewalls. Consider using a reporting package to segregate by entity. | 1115 | PMC3.12 [C] – Direct | Event Manager | No | GPG-13: Security Boundary Enforcing Devices |
GPG-13: Full Packet Capture Dropped at Boundary | LogRhythm's Network Monitor is a solution that can supplement this control by capturing full packet content from a tap (install of Network Monitor) at the boundary, which then feeds into the LogRhythm SIEM for reporting and further analysis. Within the Network Monitor, one can establish views and queries to determine how and what data is captured. Further, a separate solution would be required to extract the file content from within the full packet capture. However, if a Data Loss Prevention (DLP) solution has previously been established and functions similarly to Network Monitor, LogRhythm SIEM can be configured to receive feeds from the DLP solution and report out on full packet capture activity. Lastly, depending on the blocking device in place, there may need to be some level of customization if packet capture is established within the blocking device. | 1116 | PMC3.13 [C] – Augment | Event Manager | No | GPG-13: Security Boundary Enforcing Devices |
GPG-13: Packet Dropped at Internal Boundary | LogRhythm SIEM is unable to perform full packet capture out of the box. However, an API can be established to pull this information if it is retained by the blocking device. As an alternative option, LogRhythm Network Monitor does have the capability to perform full packet capture. These configuration options would supplement testing of PMC5.11. Please coordinate with your LogRhythm Professional Services team, as needed. | 1213 | PMC5.11 [C] – Augment | Event Manager | No | GPG-13: Internal Boundary Enforcing Devices; GPG-13: Internal Monitoring Devices; GPG-13: Internal Network Devices |
GPG-13: IPS Command and Response | This report provides summary information around commands executed and automated responses from IPS systems to supplement GPG-13 control PMC3.14 [Report D]. This report and respective AIE Rule may require additional configuration and LogRhythm Professional Services involvement to ensure appropriate auditing is configured on the IPS. | 1184 | PMC3.14 [D] – Augment | Event Manager | No | GPG-13: Internal Boundary Enforcing Devices |
GPG-13: Full Packet Capture Passed at Boundary | LogRhythm's Network Monitor is a solution that can supplement this control by capturing full packet content from a tap (install of Network Monitor) at the boundary, which then feeds into the LogRhythm SIEM for reporting and further analysis. Within the Network Monitor, one can establish views and queries to determine how and what data is captured. Further, a separate solution would be required to extract the file content from within the full packet capture. However, if a Data Loss Prevention (DLP) solution has previously been established and functions similarly to Network Monitor, LogRhythm SIEM can be configured to receive feeds from the DLP solution and report out on full packet capture activity. Lastly, depending on the blocking device in place, there may need to be some level of customization if packet capture is established within the blocking device. | 1117 | PMC3.15 [D] – Augment | Event Manager | No | GPG-13: Security Boundary Enforcing Devices |
GPG-13: Boundary Monitoring Device Critical Status | This report provides summary information on boundary monitoring device messages received at a critical or above status. To supplement the Summary Report, consider running an Investigation capturing the raw log message, including the message content, from the boundary monitoring system. Consider using a reporting package to segregate by entity. | 1113 | PMC3.2 [B] - Direct | Event Manager | Yes | GPG-13: Security Boundary Anti-Malware Gateways; GPG-13: Security Boundary Content Gateways; GPG-13: Security Boundary Enforcing Devices; GPG-13: Security Boundary Monitoring Devices |
GPG-13: Auth Failure on Boundary Device | This report provides summary information on authentication failure activity occurring on a boundary monitoring device, including the common event detailing the reason for the authentication failure. Consider using a reporting package to segregate by entity. | 1188 | PMC3.3 [B] - Direct | Event Manager | Yes | GPG-13: Security Boundary Anti-Malware Gateways; GPG-13: Security Boundary Content Gateways; GPG-13: Security Boundary Enforcing Devices; GPG-13: Security Boundary Monitoring Devices |
GPG-13: Attack Detected at Boundary | This report provides summary information on suspected attacks at the boundary, including the type of attack and the impacted (targeted) host and application (if applicable). To supplement this Summary Report, consider running an Investigation to capture further information. Consider using a reporting package to segregate by entity. | 1178 | PMC3.4 [B] – Direct & 3.8 [B] - Augment | Event Manager | Yes | GPG-13: Security Boundary Enforcing Devices; GPG-13: Security Boundary Monitoring Devices |
GPG-13: Boundary Monitoring Error Status | This report provides summary information on boundary monitoring device messages received at an error status. To supplement the Summary Report, consider running an Investigation capturing the raw log message from the boundary monitoring device. Consider using a reporting package to segregate by entity. | 1179 | PMC3.5 [B] – Direct | Event Manager | No | GPG-13: Security Boundary Anti-Malware Gateways; GPG-13: Security Boundary Content Gateways; GPG-13: Security Boundary Enforcing Devices; GPG-13: Security Boundary Monitoring Devices |
GPG-13: User Session on Boundary Device | This report provides summary information around user sessions on boundary devices and on the consoles of the boundary management systems. To supplement this Summary Report, consider running an Investigation to capture further information around user sessions on boundary devices and consoles. Consider using a reporting package to segregate by entity, and establish a list of the entity's approved users to validate sessions and distinguish when unauthorized sessions are opened. | 1114 | PMC5.5 [B] - Augment, PMC5.12 [C] - Augment, PMC6.15 [C] - Augment | Event Manager | No | GPG-13: Internal Boundary Enforcing Devices; GPG-13: Internal Monitoring Devices; GPG-13: Internal Network Devices |
GPG-13: Boundary Monitoring Device Change | This report provides summary information around any changes to boundary firewall and other relevant device rule-bases. The report is driven by the classification of configuration or policy. To supplement this Summary Report, consider running an Investigation to capture further detail around changes to boundary firewall and other relevant device rule-bases. Consider using a reporting package to segregate by entity. | 1189 | PMC3.7 [B] – Direct & PMC3.8 [B] – Augment | Log Manager | No | GPG-13: Security Boundary Content Gateways; GPG-13: Security Boundary Enforcing Devices; GPG-13: Security Boundary Monitoring Devices |
GPG-13: Attack Recognition Software Policy Change | This report provides summary information on any policy changes to attack recognition software based on signature changes. To supplement the Summary Report, consider running an Investigation to provide further information around the change activity. Consider using a reporting package to segregate by entity. | 1194 | PMC3.9 [B] – Direct | Log Manager | Yes | GPG-13: Security Boundary Monitoring Devices |
GPG-13: Critical Host at Critical Status | This report provides summary information around logging of critical messages received against a critical host (defined servers and workstations). Consider using a reporting package to segregate by entity. | 1118 | PMC4.1 [A] – Direct | Event Manager | Yes | GPG-13: Critical Servers; GPG-13: Critical Workstations |
GPG-13: Change in Software Config Status (Linux) | This report provides summary information around any change in software configuration status specific to a Linux environment. Customization is required to establish a modified auditd base rule which parses a unique key value specified in an auditd.conf file. This file must be configured to apply this unique value to certain types of audit logs (in this case, execution attempts of standard package managers such as yum, rpm, etc.). Consider using a reporting package to segregate by entity. | 1126 | PMC4.10 [B] – Direct | Log Manager | No | GPG-13: All Log Sources |
GPG-13: Change in Software Config Status (Windows) | This report provides summary information around any changes in software configuration status specific to a Windows environment. This report looks for logs of Windows software installed and uninstalled common events against Windows-only log source types. Consider using a reporting package to segregate by entity. | 1127 | PMC4.10 [B] – Direct | Event Manager | No | GPG-13: All Log Sources |
GPG-13: File Monitoring Event - File Changes | This report provides information around file changes within a file system where File Integrity Monitoring (FIM) has been established within the installed LogRhythm Agent. First, establish a list of production systems that generate file integrity monitoring logs, including LogRhythm File Integrity Monitoring logs. The specific agent residing on the file system will need to have FIM enabled in order to track real-time monitoring of file/folder modifications. Real-time FIM will use the same list of watched/ignored files as standard FIM. For those files in the list of watched files, if the monitor is enabled, the Agent will report events as they happen. Appropriate System Monitor agent settings should be configured for endpoint FIM based on the environment (Windows/Linux) to capture file path information. Further, in order to capture the file content (PMC4.17), a third-party solution would have to be established and an API configured to feed into LogRhythm. Consider using a reporting package to segregate by entity. | 1128 | PMC4.11 [C] - Direct & PMC4.17 [D] – Augment | Log Manager | Yes | GPG-13: File Integrity Monitoring |
GPG-13: Critical Host at Warning Status | This report provides summary information on critical hosts (workstation or server) messages received at a warning (or below) status. To supplement the Summary Report, consider running an Investigation to capture further information around the status of the critical hosts. Consider using a reporting package to segregate by entity and to establish a list of critical hosts (workstations or servers) for each entity. | 1129 | PMC4.12 [C] – Direct | Event Manager | No | GPG-13: Servers And Workstations |
GPG-13: Changes to System Config on Monitored Host | This report provides summary information around any changes of system configurations (or registry) for monitored hosts. The report is driven on the classification of configuration, policy or registry changed. In order to capture the before and after configurations, it is recommended that a third-party solution be implemented to capture this information and an API configured to feed into LogRhythm. Consider using a reporting package to segregate by entity. | 1196 | PMC4.13 [C] - Augment & PMC4.18 [D] – Augment | Log Manager | No | GPG-13: Servers And Workstations |
GPG-13: Status Change of Process on Monitored Host | This report provides summary information around any change in status of a process on a monitored host according to common event. Consider using a reporting package to segregate by entity. | 1130 | PMC4.14 [C] – Augment | Log Manager | No | GPG-13: Servers And Workstations |
GPG-13: Successful/Failed Malware Detected on Host | This report provides a summary of activity indicative of malware installation, propagation, or use to directly address GPG-13 control PMC4.2. This report includes both successful and failed malware activity. This classification is set to RR=9 because malware is indicative of complex control of systems within the boundary possibly leading to data loss with malicious intent, theft, tampering etc. Consider using a reporting package to segregate by entity. | 1119 | PMC4.2 [A] – Direct | Event Manager | Yes | GPG-13: Servers and Workstations |
GPG-13: Critical Host at Error Status | This report provides summary information on critical hosts (workstation or server) messages received at an error status. To supplement the Summary Report, consider running an Investigation to capture further information around the status of the critical hosts. Consider using a reporting package to segregate by entity and to establish a list of critical hosts (workstations or servers) for each entity. | 1120 | PMC4.3 [A] – Direct | Event Manager | No | GPG-13: All Log Sources |
GPG-13: Endpoint Anti-Malware Signature Update | This report provides summary information on endpoint anti-malware status changes based on signature updates. To supplement the Summary Report, consider running an Investigation to capture further information around the change activity. Ensure that the AV log source is included in the Log Source List. Consider using a reporting package to segregate by entity. | 1121 | PMC4.4 [A] – Direct | Log Manager | No | GPG-13: Host Anti-Malware |
GPG-13: Failed File System Access (Linux) | This report provides summary information for any access attempt failure within a Linux-based file system. Customized auditing within Linux should be established to log these events. Consider using a reporting package to segregate by entity. | 1122 | PMC4.5 [B] – Direct | Event Manager | Yes | GPG-13: All Log Sources |
GPG-13: Failed File System Access (Windows) | This report provides summary information for any access attempt failure within a Windows-based file system. Customized auditing within Windows should be established to log these events. Consider using a reporting package to segregate by entity. | 1168 | PMC4.5 [B] – Direct | Event Manager | Yes | GPG-13: All Log Sources |
GPG-13: Suspected Internal Attack | This report provides summary information on suspected attacks at the internal boundary, including the type of attack and the impacted (targeted) host and application (if applicable). To supplement this Summary Report, consider running an Investigation to capture further information. | 1186 | PMC5.7 [C] - Direct, PMC5.12 [C] - Augment, PMC6.15 [C] – Augment | Event Manager | Yes | GPG-13: Internal Boundary Enforcing Devices |
GPG-13: System File Permission Change (Linux) | This report provides summary information for any permission changes within a Linux-based file system. Customized auditing within Linux should be established to log these events. Consider using a reporting package to segregate by entity. | 1169 | PMC4.6 [B] – Augment | Log Manager | Yes | GPG-13: All Log Sources |
GPG-13: System File Permission Change (Windows) | This report provides summary information for any permission changes within a Windows-based file system. Customized auditing within Windows should be established to log these events. Consider using a reporting package to segregate by entity. | 1170 | PMC4.6 [B] – Augment | Log Manager | Yes | GPG-13: All Log Sources |
GPG-13: Networked Host Status Change | This report provides summary information of network host status through system startups and shutdowns for all network hosts. Consider using a reporting package to segregate by entity. | 1123 | PMC4.7 [B] – Augment | Event Manager | No | GPG-13: All Log Sources |
GPG-13: Status Change Device Connected to Host | This report provides summary information around any device attached to a host and uses a custom base rule to look for kernel syslog messages that indicate a USB device attachment. Consider using a reporting package to segregate by entity. | 1171 | PMC4.8 [B] – Augment | Event Manager | No | GPG-13: Critical Servers; GPG-13: Critical Workstations |
GPG-13: Storage Volume Status Change (Linux) | This report provides summary information around status changes for storage volumes of monitored hosts based on common events of file mounted/unmounted within a Linux-based environment. Customized auditing within Linux should be established to log these events. Consider using a reporting package to segregate by entity. | 1124 | PMC4.9 [B] – Augment | Log Manager | No | GPG-13: Critical Servers; GPG-13: Critical Workstations |
GPG-13: Storage Volume Status Change (Windows) | This report provides summary information around status changes of storage volumes of monitored hosts based on a Windows specific MPE rule and relies upon LogRhythm DLD on a LogRhythm agent to detect mounting of volumes to a Windows environment. Customized auditing within Windows should be established to log these events. Consider using a reporting package to segregate by entity. | 1125 | PMC4.9 [B] – Augment | Log Manager | No | GPG-13: Critical Servers; GPG-13: Critical Workstations |
GPG-13: Internal Boundary Network Deny Activity | This report provides summary information on packets being dropped by internal firewalls by searching for logs with a classification of Network Deny against log sources that exist in the Critical Servers and Workstations and Internal Boundary Enforcing Devices log source lists. To supplement the Summary Report, consider running an Investigation to capture further information around the network deny activity. Consider using a reporting package to segregate by entity. | 1131 | PMC5.1 [A] – Direct & PMC5.11 [C] – Augment | Event Manager | Yes | GPG-13: Internal Boundary Enforcing Devices |
GPG-13: Packet Passed at Internal Boundary | This report provides summary information on packets being passed by internal boundary firewalls. Consider using a reporting package to segregate by entity. LogRhythm SIEM is unable to perform full packet capture out of the box. However, an API can be established to pull this information if retained by the blocking device. As an alternative option, LogRhythm Network Monitor does have the capability to perform full packet capture. These configuration options would supplement testing of PMC5.10 and PMC5.15. | 1137 | PMC5.10 [C] – Direct & PMC5.15 [D] – Augment | Event Manager | No | GPG-13: Internal Boundary Enforcing Devices GPG-13: Internal Monitoring Devices GPG-13: Internal Network Devices |
GPG-13: Packet Passed at Internal Boundary | LogRhythm SIEM is unable to perform full packet capture out of the box. However, an API can be established to pull this information if retained by the blocking device. As an alternative option, LogRhythm Network Monitor does have the capability to perform full packet capture. These configuration options would supplement testing of PMC5.11. Please coordinate with your LogRhythm Professional Services team, as needed. | 1116 | PMC5.10 [C] – Direct & PMC5.15 [D] – Augment | Event Manager | No | GPG-13: Internal Boundary Enforcing Devices GPG-13: Internal Monitoring Devices GPG-13: Internal Network Devices |
GPG-13: Intrnl Attack Recog Software Sig Update | This report provides summary information on any signature-based changes to the internal attack recognition software. Consider using a reporting package to segregate by entity. | 1138 | PMC5.13 [C] – Direct | Log Manager | No | GPG-13: Internal Monitoring Devices |
GPG-13: Auto Response from Internal Bndry Firewall | This report provides summary information on any automated response from an internal boundary enforcing device. Consider using a reporting package to segregate by entity. | 1139 | PMC5.14 [D] – Augment | Event Manager | No | GPG-13: Internal Boundary Enforcing Devices |
GPG-13: Internal Monitoring Device Critical Status | This report provides summary information on internal boundary monitoring device messages received at a critical or above status. To supplement the Summary Report, consider running an Investigation to capture further information around the status of the Internal Boundary Monitoring Device. Consider using a reporting package to segregate by entity. | 1132 | PMC5.2 [B] – Direct | Event Manager | Yes | GPG-13: Internal Boundary Enforcing Devices GPG-13: Internal Monitoring Devices |
GPG-13: Auth Failure on Internal Boundary Device | This report provides summary information on authentication failure activity occurring on an internal boundary monitoring device including the common event detailing the reason for the authentication failure. Consider using a reporting package to segregate by entity. | 1133 | PMC5.3 [B] – Direct | Event Manager | Yes | GPG-13: Internal Boundary Enforcing Devices GPG-13: Internal Monitoring Devices GPG-13: Internal Network Devices |
GPG-13: Internal Boundary Monitoring Error Status | This report provides summary information on internal boundary monitoring device messages received at an error status. Consider using a reporting package to segregate by entity. | 1134 | PMC5.4 [B] – Direct | Event Manager | No | GPG-13: Internal Boundary Enforcing Devices GPG-13: Internal Monitoring Devices |
GPG-13: User Session on Internal Boundary Device | This report provides summary information around user sessions on internal boundary devices. Consider using a reporting package to segregate by entity and establish a list of the entity's approved users to validate and distinguish when unauthorized sessions are opened. | 1135 | PMC3.6 [B] - Augment, PMC3.8 [B] - Augment | Event Manager | No | GPG-13: Security Boundary Anti-Malware Gateways GPG-13: Security Boundary Content Gateways GPG-13: Security Boundary Enforcing Devices GPG-13: Security Boundary Monitoring Devices |
GPG-13: Internal Monitoring System at Warning | This report provides summary information on internal monitoring system console messages received at a warning status. Consider using a reporting package to segregate by entity. | 1136 | PMC5.8 [C] – Direct | Event Manager | No | GPG-13: Internal Monitoring Devices |
GPG-13: Internal Network Device Changes | This report provides summary information of changes to internal network devices based on commands and responses. This reporting is dependent upon the technology used and may require some customization. Consider using a reporting package to segregate by entity. | 1187 | PMC5.9 [C] – Augment | Log Manager | No | GPG-13: Internal Network Devices |
GPG-13: Remote Access Auth Failure | This report provides summary information on authentication failures originating from a remote access point into the boundary. Consider using a reporting package to segregate by entity. | 1140 | PMC6.1 [A] – Direct | Event Manager | Yes | GPG-13: Remote Access Devices |
GPG-13: Discovered Wireless Access Activity | This report provides summary information to support testing of GPG-13 control PMC6.10 by reporting discovered wireless access points grouped by Common Event and identifying rogue wireless access points. Consider using a reporting package to segregate by entity. | 1149 | PMC6.10 [B] – Augment | Event Manager | Yes | GPG-13: Approved Wireless Access Points |
GPG-13: User Session on Network Connection Console | This report provides summary information to support testing of GPG-13 control PMC6.11 through reporting of user sessions opened on a network connection console. Consider using a reporting package to segregate by entity and capture customization around the entity's authorized users on network connection devices (list) to distinguish unauthorized user sessions opened. This list will be known by the LogRhythm agent to determine authorized vs. unauthorized sessions. | 1150 | PMC6.11 [B] – Augment | Event Manager | No | GPG-13: Network Connection Consoles |
GPG-13: Suspected Wireless Attack | This report provides summary information on suspected wireless attacks at the internal boundary, including the type of attack and the impacted (targeted) host and application (if applicable). To supplement this Summary Report, consider running an Investigation to capture further information. | 1152 | PMC6.12 [C] – Direct | Event Manager | Yes | GPG-13: Approved Wireless Access Points |
GPG-13: Network Connection Console Warning Status | This report provides summary information on network connection console messages received at warning status. Consider using a reporting package to segregate by entity. | 1153 | PMC6.13 [C] - Direct | Event Manager | No | GPG-13: Network Connection Consoles |
GPG-13: Network Commands and Executables | This report provides summary information on commands issued by network connection consoles to supplement testing of GPG-13 controls PMC7.11 and PMC6.14. Typically the response to command execution is not logged, so capturing it would require customization: a third-party solution would need to be in place to capture the 'responses', with customization to feed them into LogRhythm. Consider using a reporting package to segregate by entity. | 1173 | PMC6.14 [C] - Augment & PMC7.11 [C] – Augment | Log Manager | No | GPG-13: Network Connection Consoles |
GPG-13: WIDS Config Change | This report provides summary information on any configuration change on the Wireless Intrusion Detection System (WIDS). This report requires the customer to populate a specific WIDS list. Consider using a reporting package to segregate by entity. | 1197 | PMC6.16 [C] – Direct | Log Manager | No | GPG-13: Wireless IDS |
GPG-13: Suspicious Rogue Host Activity | This report provides summary information on any suspicious rogue wireless activity within the boundary. Consider using a reporting package to segregate by entity. | 1191 | PMC6.17 [D] – Direct | Event Manager | Yes | GPG-13: Wireless IDS |
GPG-13: VPN Node Registration Failure (authorized) | This report provides summary information on unsuccessful node registration resulting in a failed VPN connection attempt into the boundary. This is analyzed against an authorized VPN user list to distinguish unauthorized vs. authorized VPN authentication failures. Consider using a reporting package to segregate by entity. | 1142 | PMC6.2 [A] – Direct | Event Manager | Yes | GPG-13: VPN Devices |
GPG-13: VPN Node Registration Failure (un-auth) | This report provides summary information on unsuccessful node registration resulting in a failed VPN connection attempt into the boundary. This is analyzed against an authorized VPN user list to distinguish unauthorized vs. authorized VPN authentication failures. Consider using a reporting package to segregate by entity. | 1141 | PMC6.2 [A] – Direct | Event Manager | Yes | GPG-13: VPN Devices |
GPG-13: DHCP IP Address Assignment Change | This report provides summary information for any change of status for a dynamic IP address assignment by searching for logs pertaining to DHCP status events across all log sources. Consider using a reporting package to segregate by entity. | 1172 | PMC6.3 [A] – Direct | Log Manager | Yes | GPG-13: Network Connection Consoles |
GPG-13: User Remote Access Session | This report provides summary information around access sessions for remote users based on common events. Consider using a reporting package to segregate by entity. | 1143 | PMC6.4 [A] – Augment | Log Manager | Yes | GPG-13: Network Connection Consoles |
GPG-13: Status of VPN Node Registration (auth) | This report provides summary information relating to any change in status of a VPN node registration by searching for logs pertaining to VPN connection changes at the boundary. This is analyzed against an authorized VPN user list to distinguish unauthorized vs. authorized VPN authentication failures. Consider using a reporting package to segregate by entity. | 1145 | PMC6.5 [A] – Direct | Log Manager | Yes | GPG-13: VPN Devices |
GPG-13: Status of VPN Node Registration (un-auth) | This report provides summary information relating to any change in status of a VPN node registration by searching for logs pertaining to VPN connection changes at the boundary. This is analyzed against an authorized VPN user list to distinguish unauthorized vs. authorized VPN authentication failures. Consider using a reporting package to segregate by entity. | 1144 | PMC6.5 [A] – Direct | Log Manager | Yes | GPG-13: VPN Devices |
GPG-13: Rejected Connection to Network | This report provides summary information relating to all rejected attempts to connect equipment to protected network attachment points by searching for logs of failed access from network equipment at the boundary. This report is specifically concerned with 802.1x port security on switches. Consider using a reporting package to segregate by entity. | 1181 | PMC6.6 [B] – Direct | Event Manager | No | GPG-13: Network Connection Consoles |
GPG-13: Network Connection Console Critical Status | This report provides summary information on network component messages received at a critical or above status. To supplement the Summary Report, consider running an Investigation to capture further information around the status message from the network connection consoles. Consider using a reporting package to segregate by entity. | 1146 | PMC6.7 [B] – Direct | Event Manager | Yes | GPG-13: Network Connection Consoles |
GPG-13: Network Auth Failure | This report provides summary information of authentication failure activity on network connection consoles. Consider using a reporting package to segregate by entity. | 1147 | PMC6.8 [B] – Direct | Event Manager | Yes | GPG-13: Network Connection Consoles |
GPG-13: Network Connection Console at Error Status | This report provides summary information on network connection console messages received at an error status. Consider using a reporting package to segregate by entity. | 1217 | PMC6.9 [B] – Direct | Event Manager | No | GPG-13: Network Connection Consoles |
GPG-13: User Network Sessions Summary | This report supplements testing of GPG-13 control PMC7.1 by providing summary information on user network sessions based on authentication success and failure activity within a Windows environment. Consider using a reporting package to segregate by entity. | 1154 | PMC7.1 [A] – Augment | Event Manager | No | GPG-13: All Log Sources |
GPG-13: Critical WS User Acct Priv/Group Change | This report provides summary information on changes to critical workstation user privilege, group or membership assignments and is configured specifically for Windows logs from the in-scope workstations and servers. Filtering is applied to exclude computer accounts (SQL pattern - %$) and Kerberos application agents, as these do not appear on Linux machines. Consider using a reporting package to segregate by entity. | 1163 | PMC7.10 [C] – Direct | Event Manager | Yes | GPG-13: Critical Workstations |
GPG-13: Critical WS Commands and Executables | This report provides summary information of critical workstation commands and executables through reporting based on defined critical workstations (list). Consider using a reporting package to segregate by entity. | 1174 | PMC7.13 [D] – Augment | Log Manager | No | GPG-13: Critical Workstations |
GPG-13: User Network Account Change Summary | This report supplements testing of GPG-13 control PMC7.2 by providing summary information on user network account status changes. This report is Windows-specific: it searches against a selection of common events relating to account modifications on Windows domains and is restricted to logs from Windows log source types only. Further, the report captures events to supplement control PMC7.5 [Alert B] by reporting any account 'locked-out' activity. The control does not require changes to a user’s password. Consider using a reporting package to segregate by entity. | 1155 | PMC7.2 [A] – Direct | Event Manager | Yes | GPG-13: Servers And Workstations |
GPG-13: Network Account Privilege/Group Change | This report provides summary information on changes to network user privilege, group or membership assignments and is configured specifically for Windows logs from the in-scope workstations and servers. The common events pertain to specific group modifications, and the account metadata field must not end with '$', which has the effect of excluding computer accounts from the report. Consider using a reporting package to segregate by entity. | 1157 | PMC7.3 [A] – Direct | Event Manager | Yes | GPG-13: Servers And Workstations |
GPG-13: APP or DB Administrative Activity | This report provides summary information around APP or DB administrative activities based on in-scope workstations and servers (log sources). It should be noted that this requires customization (auditing and reporting) for the customer to define a list of administrative accounts, commands or activities within each specific environment. If configured correctly this report supplements testing of GPG-13 control PMC7.4. Consider using a reporting package to segregate by entity. | 1156 | PMC7.4 [A] – Augment | Event Manager | Yes | GPG-13: APP and DB Admin List |
GPG-13: User Privilege Level Change (su and sudo) | This report provides summary information specific to a change in a user's privilege level status on a critical server or workstation (list). This report is specific to Linux and is based on a search for the MPE rule SU Session Opened (flat file, SUDO log or syslog). Consider using a reporting package to segregate by entity. | 1158 | PMC7.6 [B] – Augment | Log Manager | Yes | GPG-13: Critical Servers GPG-13: Critical Workstations |
GPG-13: User Privilege Level Change (Windows) | This report provides summary information around changes in the privilege level status of a user on a critical server or workstation, specific to Windows, based on the event ID and a security metadata field value of 2. This type of log is generated when a new process is created on a Windows machine; the token type is recorded in the object metadata field. Audit privilege use and audit process tracking must be enabled on the Windows machine being audited. Consider using a reporting package to segregate by entity. | 1159 | PMC7.6 [B] – Augment | Log Manager | Yes | GPG-13: Critical Servers GPG-13: Critical Workstations |
GPG-13: Local User Session on Critical Host | This report supplements testing of GPG-13 control PMC7.8 by providing summary information on local user sessions on critical hosts (servers or workstations) based on authentication success and failure. Filtering is applied to exclude computer accounts (SQL pattern - %$) and Kerberos application agents, as these do not appear on Linux machines. Consider using a reporting package to segregate by entity. | 1161 | PMC7.8 [C] – Augment | Event Manager | No | GPG-13: Critical Workstations |
GPG-13: Local Critical Host User Account Status Change | This report supplements testing of GPG-13 control PMC7.9 by providing summary information on local user account status changes. This report searches against a selection of common events relating to account modifications on critical hosts (servers or workstations). Filtering is applied to exclude computer accounts (SQL pattern - %$) and Kerberos application agents, as these do not appear on Linux machines. Consider using a reporting package to segregate by entity. | 1216 | PMC7.9 [C] – Augment | Event Manager | Yes | GPG-13: Critical Workstations |