Every day, Alert Logic analyzes your logs for 29 pre-defined use cases that focus on compliance, security, and Amazon Web Services CloudTrail activity. This article provides a list of those 29 use cases and their details. A mapping of each use case to specific compliance standards is available upon request.
Note: This service is available only for customers with the Alert Logic Professional tier.
Log Compliance Use Cases
Microsoft Active Directory
Active Directory Global Catalog Change
The Microsoft Active Directory (AD) Global Catalog provides searchable information about every object controlled within your AD forest. Additionally, it provides the ability to search across multiple different domains without being required to access the AD for each domain directly. This use case identifies all changes to the AD Global Catalog that are recorded as log messages.
Active Directory Global Catalog Demotion
This use case looks for occurrences where a domain controller in your AD forest has been demoted and can no longer serve the global catalog.
Oracle and SQL Databases
Database Failed Logins
This use case identifies database login failure log messages received from all monitored hosts.
Network Devices
Network Device Failed Logins
This use case identifies network device login failure log messages received from all monitored hosts.
Network Device Policy Change
This use case identifies when a policy is added, changed, or removed on network devices.
Windows Server - 2012, 2012 R2, 2008, 2008 R2, 2003
Excessive Windows Account Lockouts
This use case identifies when more than two log messages indicating that Windows user accounts have been locked out have been received, exceeding the threshold of two.
Excessive Windows Failed Logins
This use case identifies excessive Windows login failure log messages received from all monitored hosts with a threshold greater than five messages.
Windows Remote Failed Logins
This use case identifies log messages that indicate that accounts have failed to log in to SSH, IIS, and FTP.
Windows Account Changes
This use case identifies log messages that indicate that user and Active Directory computer accounts have been created, changed, enabled, or deleted.
Windows Group Changes
This use case identifies log messages that indicate that a user group has been created, changed, or deleted or when users have been added or removed from groups.
Suspicious Service Installed
This use case identifies Windows PowerShell calls with encoded command flags that obfuscate activity.
UNIX/Linux
Failed UNIX Switch User Command
This use case identifies failed uses of the UNIX switch user (su) command.
UNIX Failed Logins
This use case identifies log messages that indicate that local and FTP accounts have failed to log in.
UNIX Account Changes
This use case identifies log messages that indicate that a UNIX account has been created or changed, or that a UNIX group has been created.
UNIX SSH Failed Logins
This use case identifies UNIX SSH login failure log messages received from all monitored hosts.
UNIX Sudo Access
This use case identifies users that have executed the UNIX sudo command.
UNIX Switch User Command Success
This use case identifies log messages that indicate that a user has successfully executed the UNIX switch user (su) command.
Amazon Web Services CloudTrail
Amazon S3 Bucket Activity
This use case identifies CloudTrail logs indicating that an Amazon S3 API call has been made to PUT or DELETE bucket policies, bucket life cycles, bucket replications, or to PUT a bucket Access Control List (ACL).
Security Group Configuration Changes
This use case identifies CloudTrail logs pertaining to configuration changes of EC2 Security Groups.
Network ACL Changes
This use case identifies CloudTrail logs indicating changes to Network ACLs.
Network Gateway Changes
This use case identifies CloudTrail logs indicating changes to network gateways.
Amazon VPC Cloud Changes
This use case identifies CloudTrail logs related to Virtual Private Cloud (VPC) creation, definition, relationships, and deletion.
EC2 Large Instance Changes
This use case identifies CloudTrail logs related to running EC2 instances, focusing on unusual activity involving larger instances.
CloudTrail Changes
This use case identifies changes in an account’s CloudTrail logging capabilities.
IAM Policy Changes
This use case identifies changes to Identity and Access Management (IAM) user, role, and group policies.
Console Login Without Multi-Factor Authentication
This use case identifies console login activity. Analysts focus on failed logins and on successful logins made without multi-factor authentication (MFA).
AWS User Access Modified
This use case identifies changes related to access keys and signing certificates for users.
AWS User Account Modified
This use case identifies CloudTrail logs indicating that AWS user accounts have been changed.
AWS User Group Modified
This use case identifies changes related to security groups and their user associations.
Compliance Overview
Alert Logic Professional tier coverage directly or indirectly addresses requirements for multiple regulations and industry security standards. The following list identifies how our coverage maps to the specific requirements, rules, or guidelines in some of the most popular standards. Details for each requirement or mandate are available from the respective regulatory or standards bodies.
Compliance Matrix
| Requirement | SOX 404 (COBIT 5) | HIPAA Subpart C | PCI DSS | ISO 27001/27002 |
|---|---|---|---|---|
| Must provide a policy log analysis | DSS05.05 | 164.308(a)(1)(i) | 10.6 | 5.1.1, 6.1.1 |
| Must provide a defined process for log analysis | DSS05.02, DSS05.05 | 164.308(a)(1)(ii)(D) | 10.2, 10.3, 10.6 | 12.4.1 |
| Must review logs within a specified time period | DSS05.02 | 164.308(a)(1)(ii)(D) | 10.6.1 | 12.4.1, 12.4.3 |
| Review access events | DSS05.07 | 164.308(a)(5)(ii)(C), 164.308(a)(6)(1) | 10.2.2, 10.2.4 | 9.4.2, 9.4.4, 12.4.1, 12.4.3 |
| Review change events | DSS05.04 | 164.312(b) | 10.2.2, 10.2.5, 10.2.7 | 9.2.1, 9.2.2, 9.2.3, 12.4.1, 12.4.3 |
| Maintain logs and audit trail for extended durations | | 164.316(b)(2)(i) | 10.7 | 12.4, 16.1.7 |
Additional Standards Mappings
Mappings to the following specific requirements of other security standards are available upon request by opening a ticket with Alert Logic Support:
- AICPA SOC2 Trust Services Criteria (TSP Section 100)
- Control Objectives for Information and Related Technology (COBIT)
- Family Educational Rights and Privacy Act (FERPA)
- Federal Financial Institutions Examination Council (FFIEC)
- Federal Information Processing Standards (FIPS)
- Federal Risk and Authorization Management Program (FedRAMP)
- Financial Industry Regulatory Authority (FINRA)
- National Institute of Standards and Technology (NIST)