Good Practice Guide 13 (GPG13)
Use the JSA GPG13 Content Extension to help ensure GPG13 compliance.
JSA GPG13 Content Extension V1.0.6
The following table shows the custom properties that are updated in JSA GPG13 Content Extension V1.0.6.
Table 1: Updated Custom Properties in JSA GPG13 Content Extension V1.0.6
Custom Property | Capture Group | Optimized | Regex |
---|---|---|---|
GroupID | 1 | Yes | Group ID[:\s\\=]*(\d+) |
JSA GPG13 Content Extension V1.0.5
The following table shows the rules and building blocks that are removed in JSA GPG13 Content Extension V1.0.5.
Table 2: Removed Rules and Building Blocks in JSA GPG13 Content Extension V1.0.5
Type | Name | Description |
---|---|---|
Rule | Configuration Changes Made to AV/Malware Devices | Detects configuration changes made to the anti-virus or anti-malware system. |
Rule | Failed VPN Acceses | Detects failed accesses, such as authentication failures, or access from disabled and expired accounts, occurring from VPN devices. |
Rule | User Privilege Changes on Protected Assets | Detects user privilege changes on protected assets. |
Rule | VPN Session Tracking | Detects VPN sessions occurring in the system. |
Building Block | BB:DeviceDefinition: AntiVirus | This rule defines all anti-virus devices on the system. |
JSA GPG13 Content Extension V1.0.4
The following table shows the custom properties that are updated in JSA GPG13 Content Extension V1.0.4.
Table 3: Updated Custom Properties in JSA GPG13 Content Extension V1.0.4
Custom Property | Capture Group | Optimized | Regex |
---|---|---|---|
GroupID | 1 | No | Group ID[:\s\\=]*(\d+) |
JSA GPG13 Content Extension V1.0.3
The following table shows the custom properties in JSA GPG13 Content Extension V1.0.3.
Table 4: Custom Properties in JSA GPG13 Content Extension V1.0.3
Name | Optimized | Capture Group | Regex |
---|---|---|---|
SSH Login Audit | Yes | 1 | \[Authentication\] \[User\] \[(UserLogin|LoginAttempt)\] .*? on host .* |
Log Source Host | Yes | 1 | \s+hostName=(\S+) |
Audit Object ID | Yes | 1 | \s+id=(\S+) |
JSA GPG13 Content Extension V1.0.2
The following table shows the building blocks that are updated in JSA GPG13 Content Extension V1.0.2.
Table 5: Building Blocks in JSA GPG13 Content Extension V1.0.2
Type | Name | Description |
---|---|---|
Building Block | BB:DeviceDefinition: IDS / IPS | Updated building block with IDS/IPS devices. |
Building Block | BB:DeviceDefinition: FW / Router / Switch | Updated building block with FW/Router/Switch devices. |
Building Block | BB:DeviceDefinition: VPN | Updated building block with VPN devices. |
Building Block | BB:HostDefinition: Proxy Servers | Added BB:PortDefinition: Proxy Ports to the rule test. |
Building Block | BB:HostDefinition: Servers | Updated building block with server definition. |
Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Added the following QIDs: |
JSA GPG13 Content Extension V1.0.1
The following table shows the building block that is updated in JSA GPG13 Content Extension V1.0.1.
Table 6: Building Block in JSA GPG13 Content Extension V1.0.1
Type | Name | Description |
---|---|---|
Building Block | BB:CategoryDefinition: Authentication to Disabled Account | Added QID 5000475: Failure Audit: An account failed to log on. |
JSA GPG13 Content Extension V1.0.0
The following table shows the custom properties in JSA GPG13 Content Extension V1.0.0.
Table 7: Custom Properties in JSA GPG13 Content Extension V1.0.0
Name | Regex |
---|---|
Audit Object ID | \s+id=(\S+) |
AccountDomain | Target Domain: (.*?) |
AccountID | Target Account ID: (.*?) |
Computer | \s+Computer=(\S+) |
Version | \s+Version:\s+(\S+) |
GroupID | Group ID: (\d+) |
ChangedAttributes | Changed Attributes: (.*) |
Log Source Hostname | \s+hostName=(\S+) |
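The custom-property tables above (Tables 1, 3, 4 and 7) list regexes and the capture group whose text becomes the property value. The following Python example is added here to show what those regexes actually extract from event payloads; it is not code from the page or from the JSA content extension. The regexes are copied verbatim from the tables; the sample payloads are constructed for illustration, and capture group 1 is assumed for the V1.0.0 table, which gives no capture-group column. It also contrasts the V1.0.0 GroupID regex with the broader one introduced in V1.0.4 and kept in V1.0.6.

```python
import re

# Custom properties from Table 7 (V1.0.0). The page gives no capture-group
# column for this version; capture group 1 is assumed here, which matches the
# later tables for the same properties.
PROPERTIES_V1_0_0 = {
    "Audit Object ID": (r"\s+id=(\S+)", 1),
    "AccountDomain": (r"Target Domain: (.*?)", 1),
    "AccountID": (r"Target Account ID: (.*?)", 1),
    "Computer": (r"\s+Computer=(\S+)", 1),
    "Version": (r"\s+Version:\s+(\S+)", 1),
    "GroupID": (r"Group ID: (\d+)", 1),
    "ChangedAttributes": (r"Changed Attributes: (.*)", 1),
    "Log Source Hostname": (r"\s+hostName=(\S+)", 1),
}

# Custom properties from Table 4 (V1.0.3), capture group 1 as listed.
PROPERTIES_V1_0_3 = {
    "SSH Login Audit": (
        r"\[Authentication\] \[User\] \[(UserLogin|LoginAttempt)\] .*? on host .*", 1),
    "Log Source Host": (r"\s+hostName=(\S+)", 1),
    "Audit Object ID": (r"\s+id=(\S+)", 1),
}

# The GroupID regex as updated in Tables 1 and 3 (V1.0.4 and V1.0.6).
GROUPID_V1_0_6 = r"Group ID[:\s\\=]*(\d+)"


def extract(props, payload):
    """Apply each property regex to one event payload.

    Returns {property name: captured text} for every regex that matches.
    re.search is used (first match anywhere in the payload), the usual
    semantics for a custom-property extraction.
    """
    out = {}
    for name, (pattern, group) in props.items():
        m = re.search(pattern, payload)
        if m:
            out[name] = m.group(group)
    return out


def group_id(payload, pattern):
    """Return the GroupID captured by `pattern`, or None if it does not match."""
    m = re.search(pattern, payload)
    return m.group(1) if m else None


# Constructed sample payloads (not real events) in the shape the regexes expect.
WINDOWS_GROUP_CHANGE = (
    "Security 4728 A member was added to a security-enabled global group. "
    "Target Domain: CORP Target Account ID: S-1-5-21-1-2-3-512 Group ID: 512 "
    "Changed Attributes: member Computer=dc01.example.test hostName=dc01 id=4728"
)
SSH_LOGIN = ("[Authentication] [User] [LoginAttempt] user alice from 203.0.113.7 "
             "on host bastion01 hostName=bastion01 id=22")

# Ways a "Group ID" field may be separated from its value in real payloads.
GROUP_ID_VARIANTS = [
    "Group ID: 512",   # colon and space, the only form the V1.0.0 regex accepts
    "Group ID=512",    # equals sign, as in key=value formatted payloads
    "Group ID:\t512",  # tab instead of a space
    "Group ID 512",    # no punctuation at all
]

if __name__ == "__main__":
    print(extract(PROPERTIES_V1_0_0, WINDOWS_GROUP_CHANGE))
    print(extract(PROPERTIES_V1_0_3, SSH_LOGIN))
    old = PROPERTIES_V1_0_0["GroupID"][0]
    for v in GROUP_ID_VARIANTS:
        print(repr(v), "V1.0.0:", group_id(v, old), "V1.0.6:", group_id(v, GROUPID_V1_0_6))
```

Two things the run makes visible that the tables do not. First, the V1.0.0 GroupID regex only matches `Group ID: ` followed immediately by digits, so a payload that uses `=` or a tab yields no property value at all, whereas the V1.0.4/V1.0.6 character class `[:\s\\=]*` accepts any run of colons, whitespace, backslashes or equals signs (including none) and extracts the group in every variant. Second, the V1.0.0 `AccountDomain` and `AccountID` regexes end in a lazy `(.*?)` with nothing after it; in Python, and in any standard backtracking engine, that group matches the empty string, so the property is populated but empty. A custom property whose regex matches but captures nothing is easy to miss in a rule test, so values extracted by a new or updated property are worth checking against a few representative payloads before a rule depends on them.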
The following rules are included in JSA GPG13 Content Extension V1.0.0.
Configuration Changes Made to AV/Malware Devices
Failed VPN Acceses
User Authentication Failures on Internal Systems
User Sessions on non-Perimeter Devices
Packets Dropped by Perimiter Network Devices
VPN Session Tracking
Configuration Change Made to Device in Perimeter network
Blocked Inbound File Transfer on Perimeter
Blocked Outbound File Transfer on Perimeter
Critical Server Messages
User Authentication Failures on Perimeter Systems
User Privilege Changes on Protected Assets
User Responsibilities and Password Use
File System Access Failure
System: Device Stopped Sending Events (Firewall, IPS, VPN or Switch)
System: Service Stopped and not Restarted
System: Device Stopped Sending Events
The following building blocks are included in JSA GPG13 Content Extension V1.0.0.
BB:CategoryDefinition: Service Status Change Events
BB:CategoryDefinition: SIEM Authentication Failures
BB:CategoryDefinition: SIEM IP Lockouts
BB:CategoryDefinition: Logout Events
BB:CategoryDefinition: Failure Service or Hardware
BB:CategoryDefinition: Session Opened
BB:CategoryDefinition: Session Closed
BB:CategoryDefinition: System or Device Configuration Change
BB:CategoryDefinition: SIEM User and Role Modifications
BB:CategoryDefinition: Application or Service Installed or Modified
BB:CategoryDefinition: Authentication to Expired Account
BB:CategoryDefinition: CISCO Session Events
BB:CategoryDefinition: Accountable User Activities
BB:CategoryDefinition: Authentication to Disabled Account
BB:CategoryDefinition: VoIP Session Opened
BB:CategoryDefinition: Access Denied
BB:CategoryDefinition: System Start/Stop Events
BB:CategoryDefinition: Backup Categories
BB:CategoryDefinition: Service Stopped
BB:CategoryDefinition: System Status Change Events
BB:CategoryDefinition: VPN Status Changes
BB:CategoryDefinition: SIEM Authentication
BB:CategoryDefinition: Service Started
BB:CategoryDefinition: Superuser Accounts
BB:CategoryDefinition: Authentication Failures
BB:CategoryDefinition: VPN Access Denied
BB:CategoryDefinition: Authentication Success
BB:CategoryDefinition: Backup Events
BB:CategoryDefinition: Changed File or Folder Access Rights
BB:CategoryDefinition: Account Lockout Events
BB:DeviceDefinition: IDS / IPS
BB:DeviceDefinition: VPN
BB:DeviceDefinition: FW / Router / Switch
BB:DeviceDefinition: AntiVirus
BB:HostBased: Critical Events
BB:Compliance: Session Tracking
BB:CategoryDefinition: Backup and Restore Events
BB:Compliance: SIEM Detection Configuration Changes
BB:DeviceDefinition: Perimeter Network Devices
BB:CategoryDefinition: Failed File Accesses
BB:CategoryDefinition: Log File Manipulation Events
BB:HostDefinition: Network Management Servers
BB:HostDefinition: Servers
BB:HostDefinition: RPC Servers
BB:HostDefinition: Proxy Servers
BB:HostDefinition: Database Servers
BB:HostDefinition: LDAP Servers
BB:HostDefinition: Web Servers
BB:HostDefinition: SNMP Sender or Receiver
BB:HostDefinition: Virus Definition and Other Update Servers
BB:HostDefinition: FTP Servers
BB:HostDefinition: Mail Servers
BB:HostDefinition: DNS Servers
BB:HostDefinition: SSH Servers
BB:HostDefinition: DHCP Servers
BB:HostDefinition: Protected Assets
BB:HostDefinition: Windows Servers
BB:PortDefinition: Web Ports
BB:PortDefinition: Database Ports
BB:PortDefinition: FTP Ports
BB:PortDefinition: Windows Ports
BB:PortDefinition: SNMP Ports
BB:PortDefinition: LDAP Ports
BB:PortDefinition: Mail Ports
BB:PortDefinition: SSH Ports
BB:PortDefinition: RPC Ports
BB:ProtocolDefinition: Windows Protocols
BB:PortDefinition: DNS Ports
BB:PortDefinition: DHCP Ports
BB:PortDefinition: P2P Ports
BB:VMware: Session Activity
BB:Review Of Access Rights
The following reports are included in JSA GPG13 Content Extension V1.0.0.
GPG13 (PMC3) User Authentication Failures on Boundary Systems (Daily)
GPG13 (PMC3) Packets Being Dropped by Boundary Firewalls (Daily)
GPG13 (PMC7) Recording of session activity by user and workstation - Review Access Rights (Daily)
GPG13 (PMC7) Accountable User Activites or Transactions (Daily)
GPG13 (PMC4) Host Messages at Critical and Above (Daily)
GPG13 (PMC7) Network Account Status Changes (Daily)
GPG13 (PMC5) User Authentication Failures on Internal Monitoring Systems (Daily)
GPG13 (PMC8) Backup and Restore Events
GPG13 (PMC2) Configuration and Signature Changes in Boundary Devices
GPG13 (PMC6) VPN User Session Activity (Daily)
GPG13 (PMC4) Changes to File or Path Access Rights (Daily)
GPG13 (PMC4) Changes in System Status (Daily)
GPG13 (PMC9) Configuration Changes to SIEM, Alerts, Rules (Daily)
GPG13 (PMC6) Changes in Status of VPN Node Registration (Daily)
GPG13 (PMC7) Use of Administrative Facilities (Daily)
GPG13 (PMC4) Configuration Changes to AV/Malware Devices (Daily)
GPG13 (PMC7) User Network Account Status Change (Daily)
GPG13 (PMC4) Failing File System Access Attempts (Daily)
GPG13 (PMC10) Log File Resets, Errors and Threshold Conditions
GPG13 (PMC2) Blocked Inbound File Transfers at the Boundary (Daily)
GPG13 (PMC7) Changes in Privilege Status on Critical Assets (Daily)
GPG13 (PMC4) Changes in Service Status (Daily)
GPG13 (PMC6) Unsuccessful VPN Node Registrations (Daily)
GPG13 (PMC3) Changes in status of external attack recognition software (Daily)
GPG13 (PMC2) Blocked Outbound File Transfers at the Boundary (Daily)
GPG13 (PMC3) User Sessions on Boundary Devices (Daily)
GPG13 (PMC5) User Sessions on Internal Devices (Daily)
GPG13 (PMC7) User Network Sessions (Daily)
GPG13 (PMC4) Changes to any host A/V signature base
The following saved searches are included in JSA GPG13 Content Extension V1.0.0.
Packets Dropped by Perimeter Network Devices in the last 24 hours
User Authentication Failures on Perimeter Systems by User in the last 24 hours
Compliance: System Status Change Events
Critical Server Messages in the last 24 hours
Compliance: Changed File or Folder Access Rights
Compliance: Administrator Authentications and Sessions
Packets Dropped by Perimeter Network Devices by Source and Destination IP in the last 24 hours
Backup and Restore Events
User Authentication Failures on Perimeter Systems in the last 24 hours
Compliance: Windows Host A/V Signature Changes
Log File Manipulation Events in the last 24 hours
File System Access Failures in the last 24 hours
Compliance: Network Account Status Changes
Compliance: Blocked Outbound Transfer
Compliance: Failed VPN Accesses
Review of Access Rights, SIEM
Compliance: Accountable User Activity Events
Compliance: Blocked Inbound Transfers
User Authentication Failures on Internal Monitoring Systems in the last 24 hours
Compliance: User Privilege Change Events on Protected Assets
Compliance: VPN SessionTracking Events
Compliance: Service Status Change Events
Compliance: VPN Status Change Events
Review of Access Rights, Windows
Compliance: SIEM Configuration Changes
Compliance: All User Sessions
Review of Access Rights, Network
Compliance: Internal User Sessions
GPG13 (PMC7) - Review of Access Rights
Configuration and Signature Changes Made to Perimeter Devices
Compliance: SIEM Detection Configuration Changes
Compliance: Perimeter Device User Sessions
Compliance: Configuration Change Events on AV/Malware Devices