What Alert Logic Reviews with Log Review | Feature Education

Overview

Every day, Alert Logic® Log Review™ analyzes 33 pre-defined reports that focus on compliance, security, and AWS CloudTrail activity. This article defines the events and activities that are analyzed in the Log Review service. A mapping of each report to specific compliance standards is available upon request.

Logs Analyzed with Log Review

Microsoft Active Directory

Active Directory Global Catalog Change - The Microsoft Active Directory (AD) Global Catalog provides searchable information about every object controlled within your AD forest. Additionally, it provides the ability to search across multiple different domains without being required to access the AD for each domain directly. This report details all changes to the AD Global Catalog that are recorded as log messages.

Active Directory Global Catalog Demotion - This report provides log message details each time a domain controller in your AD forest has been demoted and can no longer serve the global catalog.

Oracle and SQL Databases

Database Failed Logins - This report is generated to identify and display database login failure log messages received from all monitored hosts.

Network Devices

Network Device Failed Logins - This report is generated to identify and display network device login failure log messages received from all monitored hosts.

Network Device Policy Change - This report is generated when a policy is added, changed, or removed on network devices.

Windows® Server - 2012, 2012 R2, 2008, 2008 R2, 2003

Excessive Windows Account Lockouts - This report is generated when a threshold of two log messages has been exceeded. The messages indicate that Windows user accounts have been locked out.

Excessive Windows Account Lockouts by Administrative Users - This report is generated when a threshold of two log messages has been exceeded. The messages indicate that the Windows Administrator account has been locked out.

Excessive Windows Failed Logins - This report is generated to identify and display excessive Windows login failure log messages received from all monitored hosts, with a threshold of more than five messages.

Excessive Windows Failed Logins by Administrative User - This report is generated when an excessive number of Windows login failure log messages for the Administrator account are received from a single host. The threshold is more than five messages.

Windows Remote Failed Logins - This report is generated when log messages indicate that accounts have failed to log in to SSH, IIS, and FTP.

Windows Account Created - This report is generated when log messages indicate that user accounts and Active Directory computer accounts have been successfully created.

Windows Account Modified - This report is generated when log messages indicate that user accounts and Active Directory computer accounts have been modified (changed, created, or deleted).

Windows User Group Created - This report is generated when log messages indicate that a user group has been created.

Windows User Group Modified - This report is generated when log messages indicate that user groups have been modified (changed, created, or deleted).
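The four "Excessive" reports above differ only in which messages are counted and over what scope (all hosts versus a single host). As an added illustration that is not Alert Logic's own rule logic, the following applies those thresholds to a constructed set of Windows security events; the use of event IDs 4740 (account locked out) and 4625 (logon failure) as the message sources is my assumption.

```python
from collections import Counter

# Constructed sample Windows security log records (not real host data).
# Event IDs 4740 (account locked out) and 4625 (logon failure) are assumed here.
SAMPLE_EVENTS = (
    [{"host": "srv01", "event_id": 4625, "account": "jsmith"}] * 2
    + [{"host": "srv02", "event_id": 4625, "account": "Administrator"}] * 6
    + [{"host": "srv03", "event_id": 4740, "account": "mlee"},
       {"host": "srv03", "event_id": 4740, "account": "Administrator"},
       {"host": "srv01", "event_id": 4740, "account": "jsmith"}]
)

# Thresholds as stated in the article: a report fires once the count exceeds these.
THRESHOLDS = {"lockouts": 2, "failed_logins": 5}


def review_windows_events(events):
    """Return the names of the threshold reports exceeded by the given events."""
    lockouts = [e for e in events if e["event_id"] == 4740]
    failures = [e for e in events if e["event_id"] == 4625]
    reports = []
    # Lockouts are counted across all hosts and accounts.
    if len(lockouts) > THRESHOLDS["lockouts"]:
        reports.append("Excessive Windows Account Lockouts")
    # Administrator lockouts are counted separately with the same threshold.
    if sum(e["account"] == "Administrator" for e in lockouts) > THRESHOLDS["lockouts"]:
        reports.append("Excessive Windows Account Lockouts by Administrative Users")
    # Failed logins are counted across all monitored hosts.
    if len(failures) > THRESHOLDS["failed_logins"]:
        reports.append("Excessive Windows Failed Logins")
    # Administrator failures are counted per single host, as the article states.
    admin_per_host = Counter(e["host"] for e in failures if e["account"] == "Administrator")
    if any(n > THRESHOLDS["failed_logins"] for n in admin_per_host.values()):
        reports.append("Excessive Windows Failed Logins by Administrative User")
    return reports


if __name__ == "__main__":
    for name in review_windows_events(SAMPLE_EVENTS):
        print("report triggered:", name)
```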

UNIX/Linux

Failed UNIX Switch User Command - This report provides details of all recorded failed uses of the UNIX switch user (su) command.

UNIX Account Created - This report is generated when log messages indicate the creation of UNIX accounts.

UNIX Failed Logins - This report is generated when log messages indicate that local and FTP accounts have failed to log in.

UNIX Group Created - This report is generated when log messages indicate that a UNIX user group was added.

UNIX SSH Failed Logins - This report is generated to identify and display UNIX SSH login failure log messages received from all monitored hosts.

UNIX Sudo Access - This report is generated when a user has executed the UNIX sudo command.

UNIX Switch User Command Success - This report is generated when log messages indicate that a user has successfully executed the UNIX switch user (su) command.

Amazon Web Services CloudTrail

Amazon S3 Bucket Activity - This report monitors for CloudTrail logs indicating that an Amazon S3 API call has been made to PUT or DELETE bucket policies, bucket life cycles, bucket replications, or to PUT a bucket Access Control List (ACL).

Security Group Configuration Changes - This report monitors CloudTrail logs pertaining to configuration changes of EC2 Security Groups.

Network ACL Changes - This report monitors for CloudTrail logs indicating changes to Network ACLs.

Network Gateway Changes - This report monitors for CloudTrail logs related to changes to Network Gateways.

Amazon VPC Cloud Changes - This report monitors for CloudTrail logs related to Virtual Private Cloud (VPC) creation, definition, relationships, and deletion.

EC2 Large Instance Changes - This report monitors for CloudTrail logs related to running instances of EC2 resources, focusing on unusual activity to larger instances.

CloudTrail Changes - This report monitors for changes in an account's CloudTrail logging capabilities.

IAM Management Policy Changes - This report monitors for changes to Identity and Access Management (IAM) user, role, and group policies.

Console Log-In Without Multi-Factor Authentication - This report monitors for console log-in activity. Analysts focus on failure activity and successful log-in without multi-factor authentication (MFA).

AWS User Access Modified - This report monitors for changes related to access keys and signing certificates for users.

AWS User Account Modified - This report monitors for user changes.

AWS User Group Modified - This report monitors for changes related to security groups and their user associations.
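To make the CloudTrail reports concrete, here is an added example (not Alert Logic's code) that applies the "Console Log-In Without Multi-Factor Authentication" and "Amazon S3 Bucket Activity" criteria to constructed CloudTrail records. The field names follow CloudTrail's record format; the set of bucket-level eventName values is my selection matching the PUT/DELETE list in the description, not the service's own rule set.

```python
# Constructed sample CloudTrail records (not real account data). Field names
# follow the CloudTrail record format for ConsoleLogin and S3 bucket API calls.
SAMPLE_RECORDS = [
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "alice"}, "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "Yes"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "bob"}, "responseElements": {"ConsoleLogin": "Success"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin",
     "userIdentity": {"userName": "carol"}, "responseElements": {"ConsoleLogin": "Failure"},
     "additionalEventData": {"MFAUsed": "No"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutBucketAcl",
     "userIdentity": {"userName": "dave"}, "requestParameters": {"bucketName": "example-bucket"}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetBucketPolicy",
     "userIdentity": {"userName": "dave"}, "requestParameters": {"bucketName": "example-bucket"}},
]

# Bucket-level S3 API names corresponding to the report's PUT/DELETE list
# (my selection of CloudTrail eventName values, not Alert Logic's own rule set).
S3_BUCKET_CHANGE_EVENTS = {
    "PutBucketPolicy", "DeleteBucketPolicy", "PutBucketLifecycle",
    "DeleteBucketLifecycle", "PutBucketReplication", "DeleteBucketReplication",
    "PutBucketAcl",
}

def _user(record):
    return record.get("userIdentity", {}).get("userName", "<unknown>")

def review_console_logins(records):
    """Flag console logins that failed or succeeded without MFA: (user, finding)."""
    findings = []
    for r in records:
        if r.get("eventSource") != "signin.amazonaws.com" or r.get("eventName") != "ConsoleLogin":
            continue
        outcome = r.get("responseElements", {}).get("ConsoleLogin")
        mfa = r.get("additionalEventData", {}).get("MFAUsed")
        if outcome == "Failure":
            findings.append((_user(r), "failed-login"))
        elif outcome == "Success" and mfa != "Yes":  # missing field is treated as no MFA
            findings.append((_user(r), "success-without-mfa"))
    return findings

def review_s3_bucket_activity(records):
    """Flag bucket policy/lifecycle/replication/ACL changes: (user, eventName, bucket)."""
    return [(_user(r), r["eventName"], r.get("requestParameters", {}).get("bucketName", "<unknown>"))
            for r in records
            if r.get("eventSource") == "s3.amazonaws.com"
            and r.get("eventName") in S3_BUCKET_CHANGE_EVENTS]
```

Read-only calls such as GetBucketPolicy are deliberately not flagged, matching the report's focus on PUT and DELETE operations.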
