After you install the Knowledge Base, you can configure the KSA-ECC module. This section shows you how to verify that the KSA-ECC module was properly installed. Because the module was built around the Consolidated Compliance Framework (CCF) methodology, it uses CCF content. Leverage your scope definition, system inventory, data classification, and audit evidence to build out the Entity structure and populate the related Lists.
Intelligent Indexing allows reports, investigations, and tails to keep the appropriate log data online in the Log Manager/Data Processor. Be careful when choosing which objects to enable Intelligent Indexing for, because broad criteria can produce an exceptionally large amount of online data and overwhelm the Log Manager/Data Processor. For events that are less mission critical or that are creating noise, apply this feature to further streamline and prioritize incoming log data.
Verify thirty-one (31) total Lists are contained in the List Manager. The Lists are available in the CCF documentation.
Establish Lists based on the content that is enabled (see the following three sections).
Check AIE Rules
Verify sixty-five (65) AI Engine Rules are contained in the Advanced Intelligence (AI) Engine Rule Manager found in the Deployment Manager.
Verify twenty-five (25) Investigations are contained in the LogRhythm Client Console.
Verify twenty-five (25) Reports and four (4) Reporting Packages are contained in the Reports tab of the Report Center.