SOX Deployment Guide – Configure the Module
Several objects included in the SOX Compliance Automation Suite must be configured before the module is useful. This section describes the steps you must perform.
Intelligent Indexing
Intelligent Indexing allows Reports, Investigations, and Tails to keep the appropriate log data online in the Log Manager/Data Processor. Take care when choosing which objects to enable for Intelligent Indexing: broad criteria can keep an excessive amount of data online and overwhelm the Log Manager/Data Processor. For a list of Intelligent Indexing-capable objects and their recommended settings, see the matrices available from the home page of this module.
Establish Entity Structure
SOX requires the organization to determine which systems and components are in scope for financial reporting and its controls. LogRhythm can mirror that audit scope in the Entity Structure so that in-scope environments and components are identified and can be restricted. Use any existing IT asset listing, system inventory, or risk assessment to assign the categorization.
The Entity Structure has the following components:
- Parent Entities should reflect the locations of in-scope components. Access provisioning and restrictions can be applied per Entity. Here are some examples:
- Headquarters
- Location 1
- Location 2
- Datacenter 1
- Datacenter 2
- Child Entities should reflect the classification of in-scope environments and servers:
Child Entity Name | Description | Restricted Access |
---|---|---|
Critical Servers | Any server possessing financial-related data, the ability to perform transactions that impact financials, or containing proprietary information associated with competitive advantage. | Yes, limit to select privileged users in the LogRhythm environment. |
Production Servers | Any server or system related to business or IT functionality associated with the production environment. These servers should not possess financially related data, the ability to perform transactions that impact financials or contain proprietary information associated with a competitive advantage. | Yes, limit to select users. |
Test Servers | Test (TST) servers. Apply UAM and authorization/access monitoring to (1) demonstrate that a separate TST environment exists, and (2) apply security standards and best practices to the TST environment for more mature compliance programs. | Yes, limit to select users. |
To create the Entities:
- Log into the Client Console using administrator credentials.
- On the main toolbar, click Deployment Manager.
- Click the Entities tab.
- Right-click the Global Entity node, and then click New Root Entity or New Child Entity.
The Entity Properties dialog box appears.
- Specify the properties for the new Entity, and then click OK.
Population of Lists
The SOX Compliance Lists must be populated with the data you collected before installing the module. Complete the following sections to populate all required lists.
Populate Log Source Lists
- Open the LogRhythm Console and click List Manager.
- Right-click the name of a SOX Log Source List, and then click Properties.
- Click Add Item to open the log source selector.
- Search for and select all log sources that belong in the list, and then click OK.
- To save the list, click OK.
- Repeat this process (steps 1-5) for all SOX Log Source Lists from your checklist.
Populate Users Lists
- Open the LogRhythm Console and click List Manager.
- Right-click the name for a SOX Users List, and then click Properties.
- Select Username as the Item Type.
- Type the username in the Add Item field.
- Click Add Item to add the username.
- Repeat steps 4-5 for all usernames.
- To save the list, click OK.
- Repeat this process (steps 1-7) for all SOX Users Lists.
Populate Default Privileged Group List
- Open the LogRhythm Console and click List Manager.
- Right-click the SOX: Default Privileged Group list, and then click Properties.
- Click the List Items tab.
- Type any privileged group designation used in your environment in the Add Item text field, and then click Add Item.
This list comes pre-populated with fourteen (14) default privileged groups but can be customized according to the organization's environment.
- To save the list, click OK.
Activate and Configure AIE Rules
All AIE Rules included in the SOX Compliance Automation Suite are disabled by default. To enable them:
- Open the LogRhythm Console and click Deployment Manager.
- Click the AI Engine tab.
- Select all the SOX AIE rules.
- Right-click the AI Engine Rule Manager, click Actions, and then click Enable.
All alarming AIE Rules included in the SOX Compliance Automation Suite have alarming disabled by default. To enable alarming:
- Open the LogRhythm Console and click Deployment Manager.
- Click the AI Engine tab.
- Select all the SOX AIE rules that are configured to alarm.
- Right-click the AI Engine Rule Manager, click Actions, click Batch Enable Alarms, and then click Enable Alarms.
All alarming AIE Rules included in the SOX Compliance Automation Suite must be configured for notifications, or alarms will fire without anyone being notified. To configure notifications:
- Open the LogRhythm Console and click Deployment Manager.
- Click the AI Engine tab.
- Select each of the SOX AIE rules that are configured to alarm and notify.
- Right-click the AI Engine Rule Manager, click Actions, and then click Batch Notification Editor.
- Select all the roles, individuals, or groups to be notified, and then click OK to save the notifications.
- Repeat steps 2-5 for all alarming SOX AIE Rules that share notification personnel.
- At the top of the AI Engine Rule Manager, click Restart AIE Engine Servers. Rule, alarm, and notification changes do not take effect until the AI Engine servers are restarted.