As the COVID-19 situation continues to evolve and organizations are having to adjust, Alert Logic is here for you, 24/7. Learn More

What Alert Logic Reviews with Log Review

Overview

Every day, Alert Logic® Log Review™ analyzes 29 pre-defined reports that focus on compliance, security, and AWS CloudTrail activity. This article defines the events and activities that are analyzed in the Log Review service. A mapping of each report to specific compliance standards is available upon request.

Logs Analyzed with Log Review

Microsoft Active Directory

Active Directory Global Catalog Change

The Microsoft Active Directory (AD) Global Catalog provides searchable information about every object controlled within your AD forest. Additionally, it provides the ability to search across multiple different domains without being required to access the AD for each domain directly. This report details all changes to the AD Global Catalog that are recorded as log messages.

Active Directory Global Catalog Demotion

This report provides log message details each time a domain controller in your AD forest has been demoted and can no longer serve the global catalog.

Oracle and SQL Databases

Database Failed Logins

This report is generated to identify and display network device login failure log messages received from all monitored hosts.

Network Devices

Network Device Failed Logins

This report is generated to identify and display network device login failure log messages received from all monitored hosts.

Network Device Policy Change

This report is generated when a policy is added, changed, or removed on network devices.

Windows Server - 2012, 2012 R2, 2008, 2008 R2, 2003

Excessive Windows Account Lockouts

This report is generated when a threshold of two log messages has been exceeded. The messages indicate that Windows user accounts have been locked out.

Excessive Windows Failed Logins

This report is generated to identify and display excessive Windows login failure log messages received from all monitored hosts with a threshold greater than five messages.

Windows Remote Failed Logins

This report is generated when log messages indicate that accounts have failed to successfully log into SSH, IIS, and FTP.

Windows Account Changes

This report is generated when log messages indicate that user and Active Directory computer accounts have been created, changed, enabled, or deleted.

Windows Group Changes

This report is generated when log messages indicate that a user group has been created, changed, or deleted or when users have been added or removed from groups.

Suspicious Service Installed

This report is generated when Windows PowerShell is called with encoded command flags to obfuscate activity.

UNIX/Linux

Failed UNIX Switch User Command

This report provides details of all recorded failed users of the UNIX switch user (su) command.

UNIX Failed Logins

This report is generated when log messages indicate that local and FTP accounts have failed to successfully logged in.

UNIX Account Changes

This report is generated when log messages indicate that a UNIX account was created or changed or when a UNIX group has been created.

UNIX SSH Failed Logins

This report is generated to identify and display UNIX SSH login failure log messages received from all monitored hosts.

UNIX Sudo Access

This report is generated when a user has executed the UNIX sudo command.

UNIX Switch User Command Success

This report is generated when log messages indicate that a user has successfully executed the UNIX switch user (SU) command.

Amazon Web Services CloudTrail

Amazon S3 Bucket Activity

This report monitors for CloudTrail logs indicating that an Amazon S3 API call has been made to PUT or DELETE bucket policies, bucket life cycles, bucket replications, or to PUT a bucket Access Control List (ACL).

Security Group Configuration Changes

This report monitors CloudTrail logs pertaining to configuration changes of EC2 Security Groups.

Network ACL Changes

This report monitors for CloudTrail logs indicating changes to Network ACLs.

Network Gateway Changes

This report monitors for CloudTrail logs related to changes to Network Gateways.

Amazon VPC Cloud Changes

This report monitors for CloudTrail logs related to Virtual Private Cloud (VPC) creation, definition, relationships, and deletion.

EC2 Large Instance Changes

This report monitors for CloudTrail logs related to running instances of EC2 resources, focusing on unusual activity to larger instances.

CloudTrail Changes

This report monitors for changes in an account’s CloudTrail logging capabilities.

IAM Management Policy Changes

This report monitors for changes to Identity and Access Management (IAM) user, role, and group policies.

Console Login Without Multi-Factor Authentication

This report monitors for console log-in activity. Analysts focus on failure activity and successfully log-in without multi-factor authentication (MFA).

AWS User Access Modified

This report monitors for changes related to access keys and signing certificates for users.

AWS User Account Modified

This report monitors for user changes.

AWS User Group Modified

This report monitors for changes related to security groups and the user associations.

Compliance Overview

Log Review directly or indirectly addresses requirements for multiple regulations and industry security standards. The following list identifies how Log Review maps to the specific requirements, rules, or guidelines in some of the most popular standards. Details for each requirement or mandate are available from the respective regulatory or standards bodies.

Log Review Compliance Matrix

Requirement SOX 404 (COBIT 5) HIPAA Subpart C PCI DSS ISO 27001/27002
Must provide a policy for Log Review DSS05.05 164.308(a)(1)(i) 10.6 5.1.1
6.1.1
Must provide a defined process for Log Review DSS05.02
DSS05.05		 164.308(a)(1)(ii)(D) 10.2
10.3
10.6		 12.4.1
Must review logs within a specified time period DSS05.02 164.308(a)(1)(ii)(D) 10.6.1 12.4.1
12.4.3
Review access events DSS05.07 164.308(a)(5)(ii)(C)
164.308(a)(6)(1)		 10.2.2
10.2.4		 9.4.2
9.4.4
12.4.1
12.4.3
Review change events DSS05.04 164.312(b) 10.2.2
10.2.5
10.2.7		 9.2.1
9.2.2
9.2.3
12.4.1
12.4.3
Maintain logs and audit trail for extended durations   164.316(b)(2)(i) 10.7 12.4
16.1.7

Additional Standards Mappings

Mappings to the following specific requirements of other security standards are available upon request by opening a ticket with Alert Logic Support:

  • AICPA SOC2 Trust Services Criteria (TSP Section 100)
  • Control Objectives for Information and Related Technology (COBIT)
  • Family Educational Rights and Privacy Act (FERPA)
  • Federal Financial Institutions Examination Council (FFIEC)
  • Financial Industry Regulatory Authority (FINRA)
  • National Institute of Standards and Technology (NIST)

Related articles

Comments

0 comments

Please sign in to leave a comment.

Copyright © 2010-2020 Alert Logic, Inc.
All rights reserved. Terms of Use | Privacy Policy