MAS-TRMG Deployment Guide – Meet the Compliance Requirements
The LogRhythm MAS-TRMG Compliance Automation Suite provides bundled pre-created alarms, AIE rules, investigations, layouts, lists, reports, and reporting packages to help demonstrate regulatory compliance. An auditor checks that specific line-item regulatory requirements are met by LogRhythm. This section details the post-implementation processes necessary to meet specific MAS-TRMG compliance requirements and to augment others.
Compliance Module Noise Mitigation
The alarms, AIE rules, investigations, layouts, lists, reports, and reporting packages bundled with LogRhythm’s MAS-TRMG Compliance Automation Suite need adjustment to reduce the likelihood of false positive events. The process to decrease false positives involves the following steps:
List Updating
Keeping Compliance Module lists updated is a vital part of decreasing false positives within the MAS-TRMG Compliance Automation Suite. An organization’s applications, IP addresses, and users are dynamic. For this reason, the Compliance Module utilizes lists which can be dynamically updated as needed. There are many conditions which would require a list to be updated. The following section highlights a few instances where lists must be updated and direction on how to update the lists. Refer to the matrices on the home page of this module for specific AIE Rules, Investigations, and Reports where the lists are utilized. You may also leverage existing periodic reviews to incorporate updates to user lists as a result of various account access reviews performed by IT Management or HR.
Update User Lists
User lists should be updated when privileged access accounts and vendor accounts are created or deleted. Lists should also be updated when a user account is disabled or terminated. Changes to these types of accounts are evident from the details in the access granted/revoked reports and the account management reports. Follow the instructions below after implementation and on a weekly basis to identify users that have not yet been added to the user lists.
- On the main toolbar, click Report Center.
- Place a check mark in the Action box for the Saved MAS-TRMG: Account Management Activity report, right-click the report name, and then click Run.
- Click Next to reach the Configuration screen, set the date range to Past Month, and then click OK.
- Click on the name of the report in the Report Viewer.
- To identify when an account may have been created, search for User Account Created common events.
- Follow instructions 1-7 in Populating Users Lists to add applicable, enabled accounts to the MAS-TRMG: Default & Generic Accounts List, MAS-TRMG: PRD Privileged Accounts List, MAS-TRMG: Business User Accounts List, MAS-TRMG: Shared Accounts List, MAS-TRMG: Terminated Accounts List, MAS-TRMG: TST Privileged Accounts List, MAS-TRMG: IT User Accounts List, or MAS-TRMG: Vendor Accounts List, respectively.
- Repeat steps 1-6 above using the User Account Deleted or Account Disabled common events to add applicable deleted accounts to the MAS-TRMG: Terminated Accounts List. You may also leverage any terminated account reports from an HR system to manually update this list.
- Repeat steps 2-4 for the MAS-TRMG: Account Management Detail investigation.
- Follow instructions 1-7 in Populate Users Lists to add applicable enabled accounts to the MAS-TRMG: Default Accounts List, MAS-TRMG: Guest Accounts List, MAS-TRMG: Privileged Accounts List, MAS-TRMG: Shared Accounts List, MAS-TRMG: Authorized VPN Accounts, or MAS-TRMG: Vendor Accounts List, or add applicable deleted or disabled accounts to the MAS-TRMG: Terminated Accounts List. You may also leverage any terminated account reports from an HR system to manually update the MAS-TRMG: Terminated Accounts list.
Filter Usage
Adjusting filter criteria is a vital part of decreasing the number of false positives within the MAS-TRMG Compliance Automation Suite. Exclude filters remove applications, common events, hosts, IP addresses, and similar values from the search criteria. There are many conditions in which an exclude filter can decrease the number of false positives produced by a search. The following section highlights how to create exclude filters for AIE Rules, investigations, reports, and tails.
Configure AIE Rule Exclude Filter Criteria
All AIE Rules included in the MAS-TRMG Compliance Automation Suite can be configured with exclude filters.
- Open the LogRhythm Console and click Deployment Manager on the main toolbar.
- Click the AI Engine tab.
- Right-click a MAS-TRMG AIE Rule on which an exclude filter should be configured, and then click Properties.
- Right-click the Rule Block, and then click Properties.
- Click the Exclude Filters tab.
- On the top menu, click the New icon.
- Specify the details for the exclude filter criteria.
- On the Log Message Filter, click OK.
- On the AI Engine Rule Block Wizard, click OK.
- On the AI Engine Rule Wizard, click OK.
- On the top of the AI Engine Rule Manager, click Restart AIE Engine.
Configure Investigation Exclude Filter Criteria
All Investigations included in the MAS-TRMG Compliance Automation Suite can be configured with exclude filters.
- Open the LogRhythm Console and click Investigate on the main toolbar.
- Select one of the saved MAS-TRMG Investigations on which an Exclude Filter should be configured.
- Click Next until you reach the Specify Event Selection screen.
- In the Add New Field Filter list, select the criteria.
- Click Edit Values and configure the criteria as required.
- (Optional) To specify exclusions, select the Filter Out (Is Not) option under Filter Mode.
- Click OK.
- Click Next until you reach the Save Investigation Configuration screen, and then click Save.
- Click Cancel.
Configure Report Exclude Filter Criteria
All Reports included in the MAS-TRMG Compliance Automation Suite can be configured with exclude filters.
- Open the LogRhythm Console and click Report Center on the main toolbar.
- Click the Reports tab.
- Select the Action check box of the report that needs exclude filters, right-click the selection, and then click Properties.
- Click Next until you reach the Specify Additional Report Criteria Screen.
- In the Add New Field Filter list, select the criteria.
- Click Edit Values and configure the criteria as required.
- (Optional) To specify exclusions, select the Filter Out (Is Not) option under Filter Mode.
- Click OK.
- Click Next to reach the Report Details screen, click Apply, and then click OK.
Suppression Usage
Adjusting suppression values is a vital part of adjusting the alarming configuration within the MAS-TRMG Compliance Automation Suite. Suppression values are used to suppress the number of alarms generated from the same type of event occurring numerous times within a specified time window. The following section highlights how to adjust suppression values for AIE Rules.
Configure AIE Rule Suppression
All AIE Rules included in the MAS-TRMG Compliance Automation Suite can be configured with alarm suppression. Follow the instructions below to configure suppression for AIE Rules.
- Open the LogRhythm Console and click Deployment Manager on the main toolbar.
- Click the AI Engine tab.
- Right-click a MAS-TRMG AIE Rule on which suppression should be configured, and then click Properties.
- Click the Settings tab.
- Type a value for the Suppression Multiple.
You must select the Enable Suppression check box for suppression to function. The Suppression Period is the length of time during which further alarms are suppressed after the first occurrence. When the Suppression Period has elapsed, another alarm is raised if identical events occur.
- On the AI Engine Rule Wizard, click OK.
- On the top of the AI Engine Rule Manager, click Restart AIE Engine.
Enhanced Report & Alert Configuration
The following report may require enhanced configuration and assistance from LogRhythm Professional Services (ProServ). The organization should use ProServ to assist in establishing necessary log sources and other parameters to be defined according to the customer’s environment.
MAS-TRMG: Change in Software Config (Linux)
The following component in the MAS-TRMG Compliance Automation Suite requires the use of the Linux Audit Daemon and a custom auditing rule set.
- MAS-TRMG: Change in Software Config (Linux) – Linux package manager usage.
Configure Enhanced Auditing
This section describes which auditing to enable at the LogRhythmEMDB level to ensure that AI Engine Rule Configuration changes can be monitored. It is recommended that you seek the assistance of LogRhythm Professional Services when you implement Enhanced Auditing. This may be required, for example, as part of MAS-TRMG change control objectives.
This section only describes how to monitor changes to AIE rules, and both the processing policy and the UDLA query reflect this. A new log source would probably be required to parse changes to something else, but this would work as a template.
Enhanced Auditing can be configured by running the following scripts against LogRhythmEMDB in Microsoft SQL Server Management Studio. Please seek assistance from LogRhythm Professional Services if you are unfamiliar with running Microsoft SQL commands.
- 001_Populate_AuditTableExclusion_Table_with_Excludes.sql
- 002_Check_for_LogRhythmAIE_Account_in_AuditLogExclusion_Table.sql
- 003_Populate_AuditLogExclusion_Table_with_LogRhythmAIE_Account.sql
- 004_Enable_Enhanced_Auditing.sql
These scripts can be found on the LogRhythm Community.
- Run 001_Populate_AuditTableExclusion_Table_with_Excludes.sql
This script populates the <AuditTableExclusion> table with the names of all tables you do not wish to audit; in this case, every table except dbo.AIERule. The script should create 133 entries in the table, and it has been tested against LogRhythm versions 6.2.6 and 6.3.x.
- Run 002_Check_for_LogRhythmAIE_Account_in_AuditLogExclusion_Table.sql
This script checks whether the <AuditLoginExclusion> table already includes the LogRhythmAIE account.
- If the LogRhythmAIE account is not listed, run the following script:
003_Populate_AuditLogExclusion_Table_with_LogRhythmAIE_Account.sql
This script populates the <AuditLoginExclusion> table with the account you do not wish to audit, which is LogRhythmAIE.
- To enable enhanced auditing, run the following script:
004_Enable_Enhanced_Auditing.sql
Related Queries
The following may be useful in monitoring and maintaining the Enhanced Auditing configuration.
-- [AUDITLOGINEXCLUSION - USEFUL COMMANDS, QUERIES]
-- Use the below to view AuditLoginExclusion Table Content
USE LogRhythmEMDB
SELECT TOP 1000
[AuditLoginExclusionID],[LoginName]
FROM [LogRhythmEMDB].[dbo].[AuditLoginExclusion]
-- Use the below to delete AuditLoginExclusion Table Content
-- (note: this removes every login exclusion, so excluded accounts such as
-- LogRhythmAIE are audited again until the exclusion is re-added)
USE LogRhythmEMDB
DELETE FROM AuditLoginExclusion
-- Use the below to reseed the AuditLoginExclusionID identity column within
-- the AuditLoginExclusion Table
USE LogRhythmEMDB
DBCC CHECKIDENT ("AuditLoginExclusion", RESEED, 0);
-- [AUDITTABLEEXCLUSION - USEFUL COMMANDS, QUERIES]
-- Use the below to view AuditTableExclusion Table Content
USE LogRhythmEMDB
SELECT TOP 1000
[AuditTableExclusionID],[TableName]
FROM [LogRhythmEMDB].[dbo].[AuditTableExclusion]
-- Use the below to delete AuditTableExclusion Table Content
-- (note: this removes every table exclusion, so all tables are audited again
-- until 001_Populate_AuditTableExclusion_Table_with_Excludes.sql is re-run)
USE LogRhythmEMDB
DELETE FROM AuditTableExclusion
-- Use the below to reseed the AuditTableExclusionID identity column within
-- the AuditTableExclusion Table
USE LogRhythmEMDB
DBCC CHECKIDENT ("AuditTableExclusion", RESEED, 0);
-- To completely remove tables and triggers
-- This will delete all SHADOW tables and triggers
USE LogRhythmEMDB
EXEC dbo.LogRhythm_EMDB_Audit_Drop_All_Tables_Triggers
Processing Policy
- Create a new Log Source Type of format UDLA and name it: UDLA – LREnhancedAudit.
- Create a new Log Source Processing Policy based on the UDLA – LREnhancedAudit log source type.
- Create a new MPE Rule.
MPE Base Rule
- Set the Common Event to “Audit: Other Audit Success: Configuration Success” and the Regex to:
^.*?aieruleid=(?<object>\d+),name=(?<objectname>.*?),systemuser=(?<login>.*?),transtype=(?<vmid>.*?)$
- The AIE Rule ID is parsed into the Object field.
- The AIE Rule Name is parsed into the ObjectName field.
- The User who made the change is parsed into the Login field.
- The type of change (update or insert) is parsed into the VMID field (insert implies that a new rule was created).
- Create a custom LogSource named UDLA – LR Config Auditing.
- Download UDLA-LRConfig.xml, available on the LogRhythm Community.
- Import UDLA-LRConfig.xml into the new log source.
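The MPE base-rule regex from the step above, exercised against constructed records, as an added example that is not part of this guide or of LogRhythm's UDLA-LRConfig.xml. LogRhythm MPE rules use .NET regex syntax, and JavaScript shares the (?<name>...) named-group form, so the pattern runs here unchanged. The record layout (aieruleid=...,name=...,systemuser=...,transtype=...) is inferred from the regex, the sample values are constructed, and the helper names are hypothetical. The example also shows two edge cases the pattern handles: a rule name that itself contains a comma (the lazy objectname group stops at ",systemuser="), and a record whose aieruleid is not numeric, which the base rule does not match.

```javascript
// Added example (not from the LogRhythm guide): runs the "MPE Base Rule" regex
// over constructed enhanced-audit records for AIE rule changes.
// The pattern below is the one given in the guide, used verbatim.
const MPE_BASE_RULE = /^.*?aieruleid=(?<object>\d+),name=(?<objectname>.*?),systemuser=(?<login>.*?),transtype=(?<vmid>.*?)$/;

// Maps the transaction type parsed into the VMID field to the change the guide
// describes: insert = a new AIE rule was created, update = an existing rule changed.
function describeChange(vmid) {
  switch (vmid.toLowerCase()) {
    case 'insert': return 'AIE rule created';
    case 'update': return 'AIE rule modified';
    default: return `unrecognised transaction type: ${vmid}`;
  }
}

// Parses one UDLA record into the four fields the base rule populates
// (Object, ObjectName, Login, VMID). Returns null when the record does not
// match, which in LogRhythm would leave the log to fall through to other rules.
function parseAuditRecord(line) {
  const m = MPE_BASE_RULE.exec(line);
  if (!m) return null;
  const { object, objectname, login, vmid } = m.groups;
  return {
    object: Number(object),      // AIE Rule ID
    objectname,                  // AIE Rule Name
    login,                       // user who made the change
    vmid,                        // raw transaction type
    change: describeChange(vmid),
  };
}

// Constructed sample records (hypothetical rule IDs, names and users).
const SAMPLE_RECORDS = [
  // plain record, rule updated by an administrator
  'aieruleid=1042,name=MAS-TRMG: Change in Software Config (Linux),systemuser=LRAdmin,transtype=update',
  // leading fields before aieruleid (absorbed by ^.*?) and a rule name containing a comma
  'ts=2024-01-01 10:00:00 aieruleid=1043,name=Custom rule, with a comma,systemuser=CORP\\jdoe,transtype=insert',
  // aieruleid is not numeric, so \d+ fails and the base rule does not match
  'aieruleid=not-a-number,name=Bad record,systemuser=x,transtype=update',
];

// Parses every record; unmatched records come back as null.
function parseAll(lines) {
  return lines.map(parseAuditRecord);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of parseAll(SAMPLE_RECORDS)) console.log(r);
}
```

When tuning the rule, the third record is the case to watch: any record the base rule does not match produces no "Configuration Success" common event, so a change in the audit record layout silently stops the change-control alarms rather than raising an error.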