Least Privileged User: PM, Alarming and Response Manager
Purpose
The ARM determines when events trigger alarm rules. Depending on the configuration, the ARM may also send notifications and execute SmartResponse actions.
Shared Resources
Note that the ARM configuration and state directories are configurable; in particular, in HA environments these paths may differ from the defaults or reside on a remote file path. You can also configure a notification policy to write alarms to a file. This feature is used to integrate with other systems that consume alarms.
| Path | Read | Write | Read & Execute | Modify | Full Control | Children Inherit |
|---|---|---|---|---|---|---|
| <LogRhythm Installation Directory Path>\LogRhythm\LogRhythm Alarming and Response Manager | X | | | | | |
| <Notification File Path> | X | | | | | |
Registry Access
| Key | Read Control | Write Owner | Write DAC | Delete | Create Link | Enumerate Subkeys | Set Value | Query Value | Full Control | Children Inherit |
|---|---|---|---|---|---|---|---|---|---|---|
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\eventlog\Security | X | X | X | X | X | X | X | X | X | |
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\eventlog\Application | X | X | X | X | X | X | X | X | X | |
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\WinSock2\Parameters | X | X | X | X | X | X | X | X | X | |
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LogRhythm ARM | X | X | X | X | X | X | X | X | X | |
| HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib | X | X | X | X | X | X | X | X | | |
| HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\scarm | X | X | | | | | | | | |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\.NET CLR Data | X | X | | | | | | | | |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\.NET CLR Networking | X | X | | | | | | | | |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\.NET CLR Networking 4.0.0.0 | X | X | | | | | | | | |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\.NET Data Provider for Oracle | X | X | | | | | | | | |
| HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\.NET Data Provider for SqlServer | X | X | | | | | | | | |
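As an added example that is not part of the LogRhythm documentation, the following PowerShell reads the ACL of the documented registry keys and reports any right granted directly to the ARM service account beyond what the table above lists. The service account name and the key-to-rights map (transcribed from a subset of the table) are assumptions.

```powershell
# Added audit script, not part of the LogRhythm documentation. Assumptions: the
# service account name below, and the key-to-rights map, which is transcribed from
# a subset of the Registry Access table (add the remaining keys the same way).
using namespace System.Security.AccessControl

$ServiceAccount = 'DOMAIN\svc-lr-arm'   # assumed ARM service account; replace with yours

# Documented rights per key. Table column -> RegistryRights member:
#   Read Control = ReadPermissions, Write Owner = TakeOwnership, Write DAC = ChangePermissions,
#   Delete = Delete, Create Link = CreateLink, Enumerate Subkeys = EnumerateSubKeys,
#   Set Value = SetValue, Query Value = QueryValues, Full Control = FullControl.
$Documented = @{
  'HKLM:\System\CurrentControlSet\Services\eventlog\Security' = [RegistryRights]::FullControl
  'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib' = [RegistryRights]'ReadPermissions, TakeOwnership, ChangePermissions, Delete, CreateLink, EnumerateSubKeys, SetValue, QueryValues'
  'HKLM:\System\CurrentControlSet\Services\scarm' = [RegistryRights]'ReadPermissions, TakeOwnership'
}

function Test-ArmRegistryRights {
  param([string]$Account, [hashtable]$Expected)
  foreach ($key in $Expected.Keys) {
    if (-not (Test-Path -Path $key)) { Write-Warning "Key not found: $key"; continue }
    $acl = Get-Acl -Path $key
    $granted = 0
    foreach ($ace in $acl.Access) {
      # Only Allow ACEs that name the account directly are counted; rights the account
      # receives through group membership (e.g. Users on HKLM) need a separate check.
      if ($ace.AccessControlType -eq [AccessControlType]::Allow -and
          $ace.IdentityReference.Value -ieq $Account) {
        $granted = $granted -bor [int]$ace.RegistryRights
      }
    }
    # Bits granted but not documented are the least-privilege deviations to review.
    $excess = $granted -band (-bnot [int]$Expected[$key])
    [pscustomobject]@{
      Key       = $key
      Granted   = [RegistryRights]$granted
      Excess    = [RegistryRights]$excess
      Compliant = ($excess -eq 0)
    }
  }
}

Test-ArmRegistryRights -Account $ServiceAccount -Expected $Documented | Format-Table -AutoSize
```

Run it in an elevated session on the ARM host; the Children Inherit column maps to each ACE's InheritanceFlags and is not evaluated here.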
Database Access
The ARM uses the LogRhythmARM database user and the LogRhythmGlobalARM security role to access the LogRhythm EMDBs. All permissions are set as required by the default security role.
Ports
Unless needed for a SmartResponse, the ARM does not require access to any special ports.
Other Resources
SmartResponse plug-ins are executed from either the ARM or the Windows Agent. In both cases, the SmartResponse runs under the context of the ARM service account. These plug-ins may include privilege escalation, impersonation, or alternate logins. Carefully review the SmartResponse actions you use to determine if any extra privileges are required—or exposed—by the SmartResponse.