General Deployment Requirements
The deployment of this module assumes the following:
- The overall LogRhythm deployment is in a fully-deployed and healthy state.
- LogRhythm version 7.2.1 or later is installed.
General Data Collection Requirements
When enabling the Healthcare (OT) module rules in your environment, be aware of the following considerations regarding data collection. Detailed data collection requirements are included in the Healthcare (OT) - Module User Guide:
- Endpoint logging is required for the majority of the monitoring rules to function.
- A number of rules in this module leverage third-party monitoring software, including the following: Ordr, Medigate, LenelS2 Badge Reader, Keri Systems Doors, and AMAG Technology Symmetry Access Control.
Logging and Monitoring Configuration
Configure Windows Audit PnP Activity Logging
A number of AIE Rules in the Healthcare (OT) module monitor for system configuration changes. By default, Windows does not log plug-and-play activity to the Security event log, so devices being attached to or recognized by a host (for example, a USB storage device or a new network adapter on a clinical workstation) go unrecorded. Enabling Audit PnP Activity writes a device-recognition event each time this happens, which is valuable for tracking configuration changes that might impact system stability and for spotting hardware that should not be there. It is recommended that Audit PnP Activity logging be enabled to enhance system configuration monitoring within the Healthcare (OT) module.
Audit PnP Activity logging is available only on Windows 10 and Windows Server 2016 and later.
Configuration steps for Audit PnP Activity Logging can be found here: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/advanced-security-audit-policy-settings.
More information on Audit PnP Activity Logging can be found here: https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/audit-pnp-activity.
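The following PowerShell is an added example, not part of the LogRhythm guide or the Microsoft pages linked above. It enables the Audit PnP Activity subcategory with auditpol, verifies the effective setting (a Group Policy object that defines Advanced Audit Policy will overwrite a local change at the next refresh, so the check is worth repeating), and reads back the resulting Security event 6416 ("A new external device was recognized by the system") so you can confirm the data exists before relying on the module's rules. The EventData field names follow the 6416 event schema; the one-day lookback window is an arbitrary choice for the example.

```powershell
# Added example (not from the LogRhythm guide): enable Audit PnP Activity,
# confirm it is in effect, and list recent device-recognition events.
# Run in an elevated PowerShell session on Windows 10 / Server 2016 or later.

# 1. Enable success and failure auditing for the subcategory.
#    "Plug and Play Events" is the auditpol name of the Audit PnP Activity policy.
auditpol /set /subcategory:"Plug and Play Events" /success:enable /failure:enable | Out-Null

# 2. Verify the effective setting. /r emits CSV, which ConvertFrom-Csv parses.
#    If Group Policy manages Advanced Audit Policy, the local change is
#    overwritten at the next refresh, so run this check again afterwards.
$state = auditpol /get /subcategory:"Plug and Play Events" /r | ConvertFrom-Csv
if ($state.'Inclusion Setting' -notmatch 'Success') {
    throw "Audit PnP Activity is not enabled. Current setting: $($state.'Inclusion Setting')"
}
Write-Host "Audit PnP Activity: $($state.'Inclusion Setting')"

# 3. Read back the last 24 hours of Security 6416 events and summarise which
#    devices were recognized. Nothing here reaches the SIEM until the host's
#    Security log is actually collected, so an empty result on a host where
#    you just plugged in a USB device means collection or auditing is broken.
$since = (Get-Date).AddDays(-1)   # lookback window chosen for the example
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6416; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull the named EventData fields out of the event XML.
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Host        = $_.MachineName
            User        = $data['SubjectUserName']
            DeviceId    = $data['DeviceId']
            Description = $data['DeviceDescription']
            Class       = $data['ClassName']
        }
    } |
    Sort-Object Time -Descending |
    Format-Table -AutoSize
```

Plug in a test device after step 1 and rerun step 3; if a 6416 event appears locally but the corresponding log never shows up in the SIEM, the gap is in collection rather than in the audit policy.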
Import and Synchronize the Module
The Healthcare (OT) module is part of the LogRhythm Knowledge Base (KB). Updating the KB automatically creates the proper AI Engine Rules.
Make sure the Healthcare (OT) module is imported and enabled, as described in this section.
- In the Client Console, click the Tools menu, click Knowledge, and then click Knowledge Base Manager.
  To open the Knowledge Base Manager, the Deployment Manager must be closed.
- Under Knowledge Base Modules, find the Healthcare (OT) module. If the module is available, Healthcare (OT) is visible in the grid.
  If the module name does not appear, update the Knowledge Base by doing either of the following:
  - Automatic Download. Click Check for Knowledge Base Updates, and then click Synchronize Stored Knowledge Base.
  - Manual Download. For manual download instructions, see Import a Knowledge Base.
- Locate the Enabled column in the grid.
  - If the box is checked, the module is already enabled and available to users in the SIEM deployment.
  - If the Enabled box is not checked, enable the module by selecting its Action check box, right-clicking the module name, clicking Actions, and then clicking Enable Module. A dialog box appears to enable the selected module(s).
  - Leave Enable Intelligent Indexing on Module Objects cleared unless you fully understand the effects of this setting. For more information, see Use Intelligent Indexing.