Investigations can further assist in gathering vital information around security events or simply to learn about the environment, processes, and activities. The GPG-13: Internal Boundary Monitoring Device Change investigation can be part of a change control process, identifying configuration changes and trying to understand the nature of the change, whether or not the change was appropriate, and its implication to GPG- 13 compliance. Custom investigations can be configured in addition to those included within this module.
The following log sources must be collecting from the environment, including but not limited to:
- Windows Security Events or Unix host logs
- Boundary and internal security devices, both network and host-based, that can identify attack events
- Authentication logs
- Anti-Virus Software
- VPN & Wireless IDS Devices
- File Integrity Monitoring
- Servers and workstations
- Production Applications and Databases
Knowledge Base Content
GPG-13: Network Account Privilege/Group Change (Windows)
Investigations are used to pull additional details from the log source around particular events of interest. The GPG-13: Network Account Privilege/Group Change (Windows) investigation can be used to track authorized/unauthorized network privileges or group assignment changes through the environment. The investigation supplements existing user access management procedures and ensures only appropriate access provisioning within the network are implemented and the risk of unauthorized access changes are limited.