
Healthcare Security Deployment Guide – Meet the Compliance Requirements


The LogRhythm Healthcare Security Compliance Automation Suite provides bundled pre-created alarms, AIE rules, investigations, layouts, lists, reports, and reporting packages to help demonstrate regulatory compliance. An auditor checks that specific line-item regulations are met, and LogRhythm is used to meet them. This section details the post-implementation processes necessary to meet specific HIPAA, HITECH, and Promoting Interoperability compliance requirements and to augment others.

Compliance Module Noise Mitigation

The alarms, AIE rules, investigations, layouts, lists, reports, and reporting packages bundled with LogRhythm’s Healthcare Security Compliance Automation Suite need tuning to reduce the likelihood of false-positive events. The process for decreasing false positives involves the following steps:

List Updating

Keeping Compliance Module lists updated is a vital part of decreasing false positives within the Healthcare Security Compliance Automation Suite. An organization’s applications, IP addresses, and users are dynamic. For this reason, the Compliance Module uses lists that can be updated as needed. Many conditions require a list to be updated. The following section highlights a few instances where lists must be updated and gives direction on how to update them. Refer to the matrices on the home page of this module for the specific AIE Rules, Investigations, and Reports in which each list is used. You may also leverage existing periodic reviews, such as the account access reviews performed by IT Management or HR, to incorporate updates to user lists.

Update User Lists

User lists should be updated when privileged access accounts and vendor accounts are created or deleted. Lists should also be updated when a user account is disabled or terminated. Changes to these types of accounts would be evident from details in the access granted/revoked reports and account management reports. Follow the instructions below after implementation and on a weekly basis to identify users that have not been added to the Users lists.

  1. On the main toolbar, click Report Center.
  2. Place a check mark in the Action box for the Saved HSS: Account Management Activity report, right-click the report name, and then click Run.
  3. Click Next to reach the Configuration screen, set the date range to Past Month, and then click OK.
  4. Click on the name of the report in the Report Viewer.
  5. To identify when an account may have been created, search for User Account Created common events.
  6. Follow instructions 1-7 in Populate Users Lists to add applicable, enabled accounts to any list within the Healthcare Security Compliance Automation Suite that specifies User as the List Type.
  7. Repeat steps 1-6 above using the User Account Deleted or Account Disabled common events to add applicable deleted accounts to the HSS: Terminated Accounts List. You may also leverage any terminated account reports from an HR system to manually update this list.
  8. Repeat steps 2-4 for the HSS: Account Management Detail investigation.
  9. Follow instructions 1-7 in Populate Users Lists to add applicable enabled accounts to any list within the Healthcare Security Compliance Automation Suite that dictates the List Type as User.

Filter Usage

Adjusting filter criteria is a vital part of decreasing the number of false positives within the Healthcare Security Compliance Automation Suite. Exclude filters can remove applications, common events, hosts, IP addresses, and other values from search criteria. There are many conditions in which an exclude filter can decrease the number of false positives returned by a search. The following section highlights how to create exclude filters for AIE Rules, investigations, reports, and tails.

Configure AIE Rule Exclude Filter Criteria

All AIE Rules included in the Healthcare Security Compliance Automation Suite can be configured with exclude filters.

  1. Open the LogRhythm Console and click Deployment Manager on the main toolbar.
  2. Click the AI Engine tab.
  3. Right-click an HSS AIE Rule on which an exclude filter should be configured, and then click Properties.
  4. Right-click the Rule Block, and then click Properties.
  5. Click the Exclude Filters tab.
  6. On the top menu, click the New icon.
  7. Specify the details for the exclude filter criteria.
  8. On the Log Message Filter, click OK.
  9. On the AI Engine Rule Block Wizard, click OK.
  10. On the AI Engine Rule Wizard, click OK.
  11. On the top of the AI Engine Rule Manager, click Restart AIE Engine.

Configure Investigation Exclude Filter Criteria

All Investigations included in the Healthcare Security Compliance Automation Suite can be configured with exclude filters.

  1. Open the LogRhythm Console and click the Investigate button, available on the main toolbar.
  2. Select one of the saved HSS Investigations on which an Exclude Filter should be configured.
  3. Click Next until you reach the Specify Event Selection screen.
  4. In the Add New Field Filter list, select the criteria.
  5. Click Edit Values and configure the criteria as required.
  6. (Optional) To specify exclusions, select the Filter Out (Is Not) option under Filter Mode.
  7. Click OK.
  8. Click Next until you reach the Save Investigation Configuration screen, and then click Save.
  9. Click Cancel.

Configure Report Exclude Filter Criteria

All Reports included in the Healthcare Security Compliance Automation Suite can be configured with exclude filters.

  1. Open the LogRhythm Console and click Report Center on the main toolbar.
  2. Click the Reports tab.
  3. Select the Action check box of the report that needs exclude filters, right-click the selection, and then click Properties.
  4. Click Next until you reach the Specify Additional Report Criteria Screen.
  5. In the Add New Field Filter list, select the criteria.
  6. Click Edit Values and configure the criteria as required.
  7. (Optional) To specify exclusions, select the Filter Out (Is Not) option under Filter Mode.
  8. Click OK.
  9. Click Next to reach the Report Details screen, click Apply, and then click OK.

Suppression Usage

Adjusting suppression values is a vital part of adjusting the alarming configuration within the Healthcare Security Compliance Automation Suite. Suppression values are used to suppress the number of alarms generated from the same type of event occurring numerous times within a specified time window. The following section highlights how to adjust suppression values for AIE Rules.

Configure AIE Rule Suppression

All AIE Rules included in the Healthcare Security Compliance Automation Suite can be configured with alarm suppression. Follow the instructions below to configure suppression for AIE Rules.

  1. Open the LogRhythm Console and click Deployment Manager on the main toolbar.
  2. Click the AI Engine tab.
  3. Right-click an HSS AIE Rule on which suppression should be configured, and then click Properties.
  4. Click the Settings tab.
  5. Type a value for the Suppression Multiple.

    You must select the Enable Suppression check box for suppression to function. The Suppression Period is the amount of time for which an alarm is suppressed after the first occurrence. When the Suppression Period has elapsed, another alarm is raised if identical events occur again.

  6. On the AI Engine Rule Wizard, click OK.
  7. On the top of the AI Engine Rule Manager, click Restart AIE Engine.
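The suppression behaviour described above can be checked against a stream of events before changing a production rule. The following Python simulation is an added example, not LogRhythm code; it assumes the semantics stated in the note (the first occurrence alarms and opens a window of one Suppression Period, identical events inside the window are suppressed, the first event after the window alarms again and opens a new window) and applies them per event key, so that two hosts tripping the same rule are suppressed independently. The event timestamps and keys are constructed, and the Suppression Multiple itself is not modelled; the window length is passed in directly.

```python
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, key) where the key identifies what
# counts as "identical" (here AIE rule ID and origin host). host-a trips rule
# 954 repeatedly; host-b trips it once.
EVENTS = [
    (datetime(2024, 1, 15, 9, 0, 0), "954:host-a"),
    (datetime(2024, 1, 15, 9, 0, 30), "954:host-a"),
    (datetime(2024, 1, 15, 9, 1, 0), "954:host-b"),
    (datetime(2024, 1, 15, 9, 2, 0), "954:host-a"),
    (datetime(2024, 1, 15, 9, 5, 0), "954:host-a"),
    (datetime(2024, 1, 15, 9, 5, 1), "954:host-a"),
    (datetime(2024, 1, 15, 9, 12, 0), "954:host-a"),
]

FIVE_MINUTES = timedelta(minutes=5)


def apply_suppression(events, suppression_period, enabled=True):
    """Return the (timestamp, key) pairs at which an alarm would be raised.

    Assumed semantics: the first occurrence of a key raises an alarm and opens
    a window of `suppression_period`; later identical events inside the window
    are suppressed; the first event at or after the window's end raises an
    alarm again and opens a new window. With suppression disabled, every
    occurrence raises an alarm.
    """
    alarms = []
    window_end = {}  # key -> end of that key's current suppression window
    for event_time, key in sorted(events):
        if not enabled or key not in window_end or event_time >= window_end[key]:
            alarms.append((event_time, key))
            window_end[key] = event_time + suppression_period
    return alarms


def suppression_summary(events, suppression_period, enabled=True):
    """Count raised versus suppressed alarms for a candidate period."""
    raised = apply_suppression(events, suppression_period, enabled)
    return {"raised": len(raised), "suppressed": len(events) - len(raised)}


if __name__ == "__main__":
    print("suppression off:", suppression_summary(EVENTS, FIVE_MINUTES, enabled=False))
    print("5-minute period:", suppression_summary(EVENTS, FIVE_MINUTES))
    for event_time, key in apply_suppression(EVENTS, FIVE_MINUTES):
        print("alarm", event_time.time(), key)
```

Running the block shows seven alarms with suppression off and four with a five-minute window (three for host-a, one for host-b); trying several periods against a day of real alarm timestamps exported from LogRhythm gives a quick way to pick a value before editing the rule.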

Enhanced Report & Alert Configuration

The following report may require enhanced configuration and assistance from LogRhythm Professional Services (ProServ). The organization should use ProServ to assist in establishing necessary log sources and other parameters to be defined according to the customer’s environment.

Case Management and Web Console

The Healthcare Security Compliance Automation Suite is structured to integrate easily with LogRhythm’s Web Console and Case Management. The extensive selection of AI Engine rules allows for simplified dashboard mapping, so that widgets can represent AI Engine events in a clear, concise manner. Both widgets and AI Engine rules allow drill-down functions whose results can be sent directly to Case Management cases as “evidence.” Drill-downs stored within Case Management can be used for digital reporting purposes and integrated into daily, weekly, and monthly reporting practices.


Since Case Management cases retain data until manually purged, investigations, and reports saved as investigations, can also be stored to cases for future review. Through Case Management’s “associate” feature, Healthcare Security Compliance Automation Suite components can also be associated with events that are not otherwise related to the configuration of the module. All of this makes Case Management an ideal incident response and enhanced reporting tool that fully supports the Healthcare Security Compliance Automation Suite objects.

AIE Rules with Advanced Threshold or Expression Configurations

The following table lists all AI Engine rules that may require specialized assistance if there are no in-house statisticians assigned to the operation of LogRhythm.

ID     AIE Rule Name
954    HSS: Abnormal Auth Behavior Rule
957    HSS: Default Act Access Failure Rule
958    HSS: Default Act Access Success Rule
959    HSS: Priv Act Access Failure Rule
963    HSS: Business Associate Act Access Failure Rule
972    HSS: FIM Abnormal Activity
974    HSS: Abnormal Amount of Data Transferred
975    HSS: Large Out-of-Scope Data Transfer
986    HSS: Eligible Professional Act Access Failure Rule
989    HSS: Threat IP Access Attempt Alert
996    HSS: Backup Failure Alert
998    HSS: TST Activity
1001   HSS: Primary Eligible Professional Utilization Statistics
1002   HSS: Secondary Eligible Professional Utilization Statistics

Apply Entity Restrictions to Report Packages

Report Packages can be used to apply a log source restriction to every report added to the package. There may be instances where the same report should run against different hosts, whether for security, controlled sampling, or general filtering needs when representing specific sets of logging data. Adding the same report to different Report Packages, each with its own entity restrictions, can simplify and streamline reporting practices. Compliance package objects can be cloned; however, be aware that a cloned object will not receive any potentially beneficial changes from Knowledge Base updates.

  1. Open the LogRhythm Console and click the Report Center tab on the main toolbar.
  2. Click the Report Packages tab.
  3. Right-click the report package in need of restriction, and then click Actions.
  4. Click Edit Entity Restrictions.

Configure Enhanced Auditing

This section describes which auditing to enable at the LogRhythmEMDB level to ensure that AI Engine Rule Configuration changes can be monitored. It is recommended that you seek the assistance of LogRhythm Professional Services when you implement Enhanced Auditing. This may be required, for example, as part of HIPAA, HITECH, and Promoting Interoperability change control objectives.

This section only describes how to monitor changes to AIE rules, and both the processing policy and the UDLA query reflect this. Parsing changes to anything else would probably require a new log source, but this configuration can serve as a template.

Enhanced Auditing can be configured by running the following scripts against LogRhythmEMDB in Microsoft SQL Server Management Studio. Please seek assistance from LogRhythm Professional Services if you are unfamiliar with running Microsoft SQL commands.

  • 001_Populate_AuditTableExclusion_Table_with_Excludes.sql
  • 002_Check_for_LogRhythmAIE_Account_in_AuditLogExclusion_Table.sql
  • 003_Populate_AuditLogExclusion_Table_with_LogRhythmAIE_Account.sql
  • 004_Enable_Enhanced_Auditing.sql

These scripts can be found on the LogRhythm Community.

For more information, see Enhanced Database Auditing.

  1. Run 001_Populate_AuditTableExclusion_Table_with_Excludes.sql

    This script populates the AuditTableExclusion table with the names of all the tables you do not wish to audit, which in this case is every table except dbo.AIERule. The script should create 133 entries in the table, and it has been tested against LogRhythm versions 6.2.6 and 6.3.x.

  2. Run 002_Check_for_LogRhythmAIE_Account_in_AuditLogExclusion_Table.sql

    This script checks whether the AuditLoginExclusion table already includes the LogRhythmAIE account.

  3. If the LogRhythmAIE account is not listed, run the following script:

    003_Populate_AuditLogExclusion_Table_with_LogRhythmAIE_Account.sql

    This script populates the AuditLoginExclusion table with the account you do not wish to audit, which is LogRhythmAIE.

  4. To enable enhanced auditing, run the following script:

    004_Enable_Enhanced_Auditing.sql

Related Queries

The following may be useful in monitoring and maintaining the Enhanced Auditing configuration.

-- [AUDITLOGINEXCLUSION - USEFUL COMMANDS, QUERIES]

-- Use the below to view AuditLoginExclusion table content
USE LogRhythmEMDB
SELECT TOP 1000 [AuditLoginExclusionID], [LoginName]
FROM [LogRhythmEMDB].[dbo].[AuditLoginExclusion]

-- Use the below to delete AuditLoginExclusion table content
USE LogRhythmEMDB
DELETE FROM AuditLoginExclusion

-- Use the below to restart the AuditLoginExclusionID identity column
-- within the AuditLoginExclusion table
USE LogRhythmEMDB
DBCC CHECKIDENT ("AuditLoginExclusion", RESEED, 0);

-- [AUDITTABLEEXCLUSION - USEFUL COMMANDS, QUERIES]

-- Use the below to view AuditTableExclusion table content
USE LogRhythmEMDB
SELECT TOP 1000 [AuditTableExclusionID], [TableName]
FROM [LogRhythmEMDB].[dbo].[AuditTableExclusion]

-- Use the below to delete AuditTableExclusion table content
USE LogRhythmEMDB
DELETE FROM AuditTableExclusion

-- Use the below to restart the AuditTableExclusionID identity column
-- within the AuditTableExclusion table
USE LogRhythmEMDB
DBCC CHECKIDENT ("AuditTableExclusion", RESEED, 0);

-- To completely remove tables and triggers
-- This will delete all SHADOW tables and triggers
USE LogRhythmEMDB
EXEC dbo.LogRhythm_EMDB_Audit_Drop_All_Tables_Triggers

Processing Policy

  1. Create a new Log Source Type of format UDLA and name it: UDLA – LREnhancedAudit.
  2. Create a new Log Source Processing Policy based on the UDLA – LREnhancedAudit log source type.
  3. Create a new MPE Rule.

MPE Base Rule

  1. Set the Common Event to “Audit: Other Audit Success: Configuration Success” and set the Regex to:

    ^.*?aieruleid=(?<object>\d+),name=(?<objectname>.*?),systemuser=(?<login>.*?),transtype=(?<vmid>.*?)$

    • The AIE Rule ID is parsed into the Object field.
    • The AIE Rule Name is parsed into the ObjectName field.
    • The User who made the change is parsed into the Login field.
    • The type of change (update or insert) is parsed into the VMID field (insert would imply a new rule created).
  2. Create a custom log source named UDLA – LR Config Auditing.
  3. Download UDLA-LRConfig.xml, available on the LogRhythm Community.
  4. Import UDLA-LRConfig.xml into the new log source.
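To see what the MPE base rule above extracts, the following Python script applies the same pattern to a few constructed audit rows and maps the captures to the LogRhythm fields the list describes (Object, ObjectName, Login, VMID), then flags changes made by logins outside an expected set, which is the monitoring use the Enhanced Auditing section is aiming at. This is an added example, not LogRhythm code or the UDLA log source itself: the row format, the rule ID 1203, the account names and the expected-login set are all assumptions, and the only change to the page's regex is that Python's re module needs (?P<name>...) where LogRhythm's MPE accepts (?<name>...).

```python
import re

# The page's MPE regex, with Python's (?P<name>...) group syntax in place of
# the .NET-style (?<name>...) that the LogRhythm MPE uses.
MPE_BASE_RULE = re.compile(
    r"^.*?aieruleid=(?P<object>\d+),name=(?P<objectname>.*?),"
    r"systemuser=(?P<login>.*?),transtype=(?P<vmid>.*?)$"
)

# Constructed sample rows shaped like the key=value text a UDLA query might
# hand to the MPE; the shadow-table column layout is not part of the page.
# The third row deliberately lacks the audited fields and must not match.
SAMPLE_ROWS = [
    "audittime=2024-01-15 09:12:03,aieruleid=954,"
    "name=HSS: Abnormal Auth Behavior Rule,systemuser=CORP\\jdoe,transtype=update",
    "audittime=2024-01-15 09:40:51,aieruleid=1203,"
    "name=HSS: Custom Rule (clone),systemuser=CORP\\svc_admin,transtype=insert",
    "audittime=2024-01-15 10:02:17,somethingelse=1",
]


def parse_audit_row(row):
    """Map one audit row to LogRhythm's Object/ObjectName/Login/VMID fields.

    Returns None when the row does not match, which is what the MPE would
    treat as an unidentified log for this base rule.
    """
    match = MPE_BASE_RULE.match(row)
    if match is None:
        return None
    return {
        "Object": match.group("object"),          # AIE Rule ID
        "ObjectName": match.group("objectname"),  # AIE Rule Name
        "Login": match.group("login"),            # user who made the change
        "VMID": match.group("vmid"),              # transaction type: update/insert
    }


def summarize_changes(rows):
    """Parse every row and mark inserts as newly created rules."""
    changes = []
    for row in rows:
        fields = parse_audit_row(row)
        if fields is None:
            continue
        fields["NewRule"] = fields["VMID"].lower() == "insert"
        changes.append(fields)
    return changes


def flag_unexpected_logins(changes, expected_logins):
    """Return the changes whose Login is not in the set of expected admins."""
    return [c for c in changes if c["Login"] not in expected_logins]


if __name__ == "__main__":
    parsed = summarize_changes(SAMPLE_ROWS)
    for change in parsed:
        print(change)
    # Assumed set of accounts permitted to edit AIE rules in this deployment.
    for change in flag_unexpected_logins(parsed, {"CORP\\jdoe"}):
        print("unexpected rule change by", change["Login"], "to rule", change["Object"])
```

Note that the name group is non-greedy and is terminated by the literal ",systemuser=", so a rule name containing a comma still parses correctly; rows produced by the LogRhythmAIE service account never reach this stage because that login is placed in AuditLoginExclusion by script 003.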