Skip to main content
Skip table of contents

SOX User Guide – Investigations


Investigations can further assist in gathering vital information about security events, facilitate audit requests, and provide basic information about an environment and the processes and activities within it. SOX investigations can augment a change control process in identifying configuration changes and trying to understand their nature to determine whether or not they align with change procedures, along with their implications for SOX compliance. Investigations can also be run to support user access management (provisioning/de-provisioning/termination), privileged user activity, vendor account management, onboarding of new user access, and other activities. User lists within LogRhythm can align with existing user access provisioning within the company and can be updated at the completion of periodic SOX access reviews.

Log Requirements

The SOX: Vulnerability Detail and other investigations related to potential malicious activity cover all log sources in your environment, but specifically require logs from network security systems such as anti-malware systems, security enforcing devices, and vulnerability detection systems. After they are configured correctly, investigations allow IT and security operations to not only deep dive into potential security events but also to learn more about and continuously improve your overall compliance and cyber security program.

Further, with an emphasis on managing third-party access within your environment, vendor-related investigations are applied against all log sources across the environment that administer access to these accounts. The vendor account investigations deep dive into authentication and access activities within the environment to augment related SOX control objectives.

Knowledge Base Content

ID

Name

442

SOX: Malware Detected Inv

443

SOX: Vulnerability Detected Inv

444

SOX: Attack Detected Inv

445

SOX: Rogue Access Point Inv

376

SOX: Acct Created, Used, Deleted Inv

384

SOX: Vendor Acct Authentication Failure Inv

385

SOX: Vendor Acct Authentication Success Inv

386

SOX: Vendor Acct Access Failure Inv

388

SOX: Vendor Acct Access Success Inv

389

SOX: Vendor Acct Disabled/Enabled Inv

391

SOX: Vendor Acct UAM Inv

Actions

Investigations are used to pull additional details from log sources related to events of interest. The SOX Detail investigations can be used to monitor potential malicious activity to assist in reducing the mean time to detection and to learn about vulnerabilities or exposure points within the environment. IT Security Operations and Management should try to leverage these investigations as a learning mechanism and a means to gather vulnerability data in order to implement controls to reduce risk exposure.

On the vendor account side, IT Security Operations and Management should use SOX Detail investigations to deep dive into vendor account activity within the environment to better understand ‘normal’ third-party activities and identify when these accounts go beyond their scope of operations within your environment.

These investigations can also be used in access management to validate access within the environment against periodic reviews of third-party accounts.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.