
MAS-TRMG Deployment Guide – Configure the Compliance Module


LogRhythm requires that you configure some objects included in the MAS-TRMG Compliance Automation Suite. This section describes the steps you must perform.

Intelligent Indexing

Intelligent Indexing allows Reports, Investigations, and Tails to keep the appropriate log data online in the Log Manager/Data Processor. Take care when choosing which objects to enable for Intelligent Indexing, because broad criteria can keep an exceptional amount of data online and overwhelm the Log Manager/Data Processor. For a list of Intelligent Indexing-capable objects and their recommended settings, see the matrices available from the home page of this module.

Establish Entity Structure

MAS-TRMG requires the organization to determine in-scope systems and components that facilitate compliance and financial reporting. According to this audit scope, LogRhythm can apply the categorization within the Entity Structure to identify in-scope environments and components. Organizations should leverage any IT asset listing, system inventory, or risk assessment to assign categorization accordingly.

The following are the existing components of the Entity Structure:

  • Parent Entity Structure should reflect the locations for in-scope components. Access provisioning and restrictions can be applied by Entity Structure. Here are some examples:
    • Headquarters
    • Location 1
    • Location 2
    • Datacenter 1
    • Datacenter 2
  • Child Entity Structure should reflect the classification of in-scope environments/servers:

| Child Entity Name | Description | Restricted Access |
|---|---|---|
| Critical Servers | Any server possessing financial-related data, the ability to perform transactions that impact financials, or containing proprietary information associated with competitive advantage. | Yes, limit to select privileged users in the LogRhythm environment. |
| Production Servers | Any server or system related to business or IT functionality associated with the production environment. These servers should not possess financially related data, the ability to perform transactions that impact financials or contain proprietary information associated with a competitive advantage. | Yes, limit to select users. |
| Online Banking Servers | Any server that facilitates Online Banking functionality including front-end web servers or back-end database servers. As these tend to be highly customized, transactional environments, this may require additional Professional Services hours. | Yes, limit to select privileged users in the LogRhythm environment. |
| Test Servers | Test (TST) Servers - apply UAM and authorization/access monitoring to (1) demonstrate a TST environment exists, and (2) apply security standards/best practices to the TST environment for more mature compliance programs. | Yes, limit to select users. |

To create a Root or Child Entity:

  1. Log in to the Client Console using administrator credentials.
  2. On the main toolbar, click Deployment Manager.
  3. Click the Entities tab.
  4. Right-click the Global Entity node, and then click New Root Entity or New Child Entity.
    The Entity Properties dialog box appears.
  5. Specify the properties for the new Entity, and then click OK.

Population of Lists

The MAS-TRMG Compliance Lists must be populated with the data you collected before installing the module. Complete the following sections to populate all required lists.

Populate Log Source Lists

  1. Open the LogRhythm Console and click List Manager.
  2. Right-click the name of a MAS-TRMG Log Source List, and then click Properties.
  3. To view the log sources selector, click Add Item.
  4. Search for and select all log sources that you want, and then click OK.
  5. To save the list, click OK.
  6. Repeat this process (steps 1-5) for all MAS-TRMG Log Source Lists from your checklist.

Populate Users Lists

  1. Open the LogRhythm Console and click List Manager.
  2. Right-click the name for a MAS-TRMG Users List, and then click Properties.
  3. Select the Username for the Item Type.
  4. Type in the username in the Add Item field.
  5. Click Add Item to add the username.
  6. Repeat steps 4-5 for all usernames.
  7. To save the list, click OK.
  8. Repeat this process (steps 1-7) for all MAS-TRMG user lists.

Populate Default Privileged Group List

  1. Open the LogRhythm Console and click List Manager.
  2. Right-click the MAS-TRMG: Default Privileged Group list, and then click Properties.
  3. Click the List Items tab.
  4. Type any privileged group designation used in your environment in the Add Item text field, and then click Add Item.

    This list comes pre-populated with fourteen (14) default privileged groups but can be customized according to the organization’s environment.

  5. To save the list, click OK.

Activate and Configure AIE Rules

All AIE Rules included in the MAS-TRMG Compliance Automation Suite are disabled by default.

  1. Open the LogRhythm Console and click Deployment Manager.
  2. Click the AI Engine tab.
  3. Select all the MAS-TRMG AIE rules.
  4. Right-click the AI Engine Rule Manager, click Actions, and then click Enable.

All alarming AIE Rules included in the MAS-TRMG Compliance Automation Suite have alarming disabled by default.

  1. Open the LogRhythm Console and click Deployment Manager.
  2. Click the AI Engine tab.
  3. Select all the MAS-TRMG AIE rules that are configured to alarm.
  4. Right-click the AI Engine Rule Manager, click Actions, click Batch Enable Alarms, and then click Enable Alarms.

All alarming AIE Rules included in the MAS-TRMG Compliance Automation Suite must be configured for notifications.

  1. Open the LogRhythm Console and click Deployment Manager.
  2. Click the AI Engine tab.
  3. Select each of the MAS-TRMG AIE rules that are configured to alarm and notify.
  4. Right-click the AI Engine Rule Manager, click Actions, and then click Batch Notification Editor.
  5. Select all the roles, individuals, or groups to be notified, and then click OK to save the notifications.
  6. Repeat Steps 2-5 for all alarming MAS-TRMG AIE Rules that share notification personnel.
  7. On the top of the AI Engine Rule Manager, click Restart AIE Engine Servers.