PCI-DSS Deployment Guide – Configure the Module
LogRhythm requires that you configure some objects included in the PCI-DSS 3.2 Compliance Automation Suite. This section describes the steps you must perform.
Intelligent Indexing
Intelligent Indexing allows Reports, Investigations, and Tails to keep the appropriate log data online in the Log Manager/Data Processor. Take care when choosing which objects to enable for Intelligent Indexing, because broad criteria can keep an exceptional amount of data online and overwhelm the Log Manager/Data Processor. For a list of Intelligent Indexing-capable objects and their recommended settings, see the matrices available from the home page of this module.
Population of Lists
The PCI-DSS 3.2 Compliance List must be populated with the data you collected before installing the module. Complete the following sections to populate all required lists.
Populate Log Source Lists
1. Open the LogRhythm Console and click List Manager.
2. Right-click the name of a PCI-DSS 3.2 Log Source List, and then click Properties.
3. To view the log sources selector, click Add Item.
4. Search for and select all log sources that you want, and then click OK.
5. To save the list, click OK.
6. Repeat this process (steps 1-5) for all PCI-DSS 3.2 Log Source Lists from your checklist.
Populate Users Lists
1. Open the LogRhythm Console and click List Manager.
2. Right-click the name of a PCI-DSS 3.2 Users List, and then click Properties.
3. Select Username for the Item Type.
4. Type the username in the Add Item field.
5. Click Add Item to add the username.
6. Repeat steps 4-5 for all usernames.
7. To save the list, click OK.
8. Repeat this process (steps 1-7) for all PCI-DSS 3.2 Users Lists.
Populate Default Privileged Group List
1. Open the LogRhythm Console and click List Manager.
2. Right-click the PCI-DSS 3.2: Default Privileged Group list, and then click Properties.
3. Click the List Items tab.
4. Type any privileged group designation used in your environment in the Add Item text field, and then click Add Item.
   This list comes pre-populated with fourteen (14) default privileged groups but can be customized according to the organization’s environment.
5. To save the list, click OK.
Populate Network Lists
1. Open the LogRhythm Console and click List Manager.
2. Right-click the name of a PCI-DSS 3.2 Network List, and then click Properties.
3. Click the List Items tab.
4. Click the Add Item tab.
5. Select the appropriate Networks, and then click OK to add.
6. Repeat steps 4-5 for all networks you want.
7. To save the list, click OK.
8. Repeat this process (steps 1-7) for all PCI-DSS 3.2 Networks Lists.
Populate Application Lists
1. Open the LogRhythm Console and click List Manager.
2. Right-click the name of a PCI-DSS 3.2 Application List, and then click Properties.
3. Click the List Items tab.
4. Click the Add Item tab.
5. Select the appropriate Applications in the Service/Program Selector, and then click OK.
6. Repeat steps 4-5 for all applications you want.
7. To save the list, click OK.
8. Repeat this process (steps 1-7) for all PCI-DSS 3.2 Applications Lists.
Activate and Configure AIE Rules
All AIE Rules included in the PCI-DSS 3.2 Compliance Automation Suite are disabled by default.
1. Open the LogRhythm Console and click Deployment Manager.
2. Click the AI Engine tab.
3. Select all the PCI-DSS 3.2 AIE rules.
4. Right-click the AI Engine Rule Manager, click Actions, and then click Enable.
All alarming AIE Rules included in the PCI-DSS 3.2 Compliance Automation Suite have alarming disabled by default.
1. Open the LogRhythm Console and click Deployment Manager.
2. Click the AI Engine tab.
3. Select all the PCI-DSS 3.2 AIE rules that are configured to alarm.
4. Right-click the AI Engine Rule Manager, click Actions, click Batch Enable Alarms, and then click Enable Alarms.
All alarming AIE Rules included in the PCI-DSS 3.2 Compliance Automation Suite must be configured for notifications.
1. Open the LogRhythm Console and click Deployment Manager.
2. Click the AI Engine tab.
3. Select each of the PCI-DSS 3.2 AIE rules that are configured to alarm and notify.
4. Right-click the AI Engine Rule Manager, click Actions, and then click Batch Notification Editor.
5. Select all the roles, individuals, or groups to be notified, and then click OK to save the notifications.
6. Repeat Steps 2-5 for all alarming PCI-DSS 3.2 AIE Rules that share notification personnel.
7. On the top of the AI Engine Rule Manager, click Restart AIE Engine Servers.
Use of LogRhythm Network Monitor for TLS/SSL Auditing
For information on using Network Monitor to translate TLS and SSL traffic for review and analysis, see PCI-DSS User Guide—Network Monitor and TLS/SSL Auditing.