Good Practice Guide 13 (GPG13)

Use the JSA GPG13 Content Extension to help ensure GPG13 compliance. GPG13 is the UK CESG (now NCSC) Good Practice Guide 13, Protective Monitoring for HMG ICT Systems; its Protective Monitoring Controls (PMC1 to PMC12) are the labels that appear in the report names listed under V1.0.0 below. This page lists what each version of the content extension adds, updates, or removes.

JSA GPG13 Content Extension V1.0.6

The following table shows the custom property that is updated in JSA GPG13 Content Extension V1.0.6.

Table 1: Updated Custom Property in JSA GPG13 Content Extension V1.0.6

Custom Property  Capture Group  Optimized  Regex
GroupID          1              Yes        Group ID[:\s\\=]*(\d+)

JSA GPG13 Content Extension V1.0.5

The following table shows the rules and building blocks that are removed in JSA GPG13 Content Extension V1.0.5.

Table 2: Removed Rules and Building Blocks in JSA GPG13 Content Extension V1.0.5

Type            Name                                              Description
Rule            Configuration Changes Made to AV/Malware Devices  Detects configuration changes made to the anti-virus or anti-malware system.
Rule            Failed VPN Acceses                                Detects failed accesses, such as authentication failures, or access from disabled and expired accounts, occurring from VPN devices.
Rule            User Privilege Changes on Protected Assets        Detects user privilege changes on protected assets.
Rule            VPN Session Tracking                              Detects VPN sessions occurring in the system.
Building Block  BB:DeviceDefinition: AntiVirus                    This rule defines all anti-virus devices on the system.

JSA GPG13 Content Extension V1.0.4

The following table shows the custom property that is updated in JSA GPG13 Content Extension V1.0.4.

Table 3: Updated Custom Property in JSA GPG13 Content Extension V1.0.4

Custom Property  Capture Group  Optimized  Regex
GroupID          1              No         Group ID[:\s\\=]*(\d+)

JSA GPG13 Content Extension V1.0.3

The following table shows the custom properties in JSA GPG13 Content Extension V1.0.3.

Table 4: Custom Properties in JSA GPG13 Content Extension V1.0.3

Name             Optimized  Capture Group  Regex
SSH Login Audit  Yes        1              \[Authentication\] \[User\] \[(UserLogin|LoginAttempt)\] .*? on host .*
Log Source Host  Yes        1              \s+hostName=(\S+)
Audit Object ID  Yes        1              \s+id=(\S+)

JSA GPG13 Content Extension V1.0.2

The following table shows the building blocks that are updated in JSA GPG13 Content Extension V1.0.2.

Table 5: Building Blocks in JSA GPG13 Content Extension V1.0.2

Type            Name                                                       Description
Building Block  BB:DeviceDefinition: IDS / IPS                             Updated building block with IDS/IPS devices.
Building Block  BB:DeviceDefinition: FW / Router / Switch                  Updated building block with FW/Router/Switch devices.
Building Block  BB:DeviceDefinition: VPN                                   Updated building block with VPN devices.
Building Block  BB:HostDefinition: Proxy Servers                           Added BB:PortDefinition: Proxy Ports to the rule test.
Building Block  BB:HostDefinition: Servers                                 Updated building block with server definition.
Building Block  BB:CategoryDefinition: Authentication to Disabled Account  Added the QIDs listed below.

QIDs added to BB:CategoryDefinition: Authentication to Disabled Account in V1.0.2:

  • 5001948: Failure Audit: An account failed to log on: Account Disabled

  • 5001959: An account failed to log on: Account Disabled

  • 5001954: Failure Audit: An account failed to log on: User Locked Out

  • 5001965: An account failed to log on: User Locked Out

  • 5001949: Failure Audit: An account failed to log on: Account Expired

  • 5001960: An account failed to log on: Account Expired

  • 5001951: Failure Audit: An account failed to log on: Logon Outside Normal Time

  • 5001962: An account failed to log on: Logon Outside Normal Time

JSA GPG13 Content Extension V1.0.1

The following table shows the building block that is updated in JSA GPG13 Content Extension V1.0.1.

Table 6: Building Block in JSA GPG13 Content Extension V1.0.1

Type            Name                                                       Description
Building Block  BB:CategoryDefinition: Authentication to Disabled Account  Added QID 5000475: Failure Audit: An account failed to log on.

JSA GPG13 Content Extension V1.0.0

The following table shows the custom properties in JSA GPG13 Content Extension V1.0.0.

Table 7: Custom Properties in JSA GPG13 Content Extension V1.0.0

Name                 Regex
Audit Object ID      \s+id=(\S+)
AccountDomain        Target Domain: (.*?)
AccountID            Target Account ID: (.*?)
Computer             \s+Computer=(\S+)
Version              \s+Version:\s+(\S+)
GroupID              Group ID: (\d+)
ChangedAttributes    Changed Attributes: (.*)
Log Source Hostname  \s+hostName=(\S+)
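The custom property tables on this page (Tables 1, 3, 4 and 7) define each property as a regex plus a capture group number, which is exactly how a JSA custom event property is evaluated against an event payload. The following Python is an added example, not code from the JSA content extension or from Juniper's documentation. It applies the page's regexes to constructed sample payloads to show what the GroupID change in V1.0.4/V1.0.6 buys over the V1.0.0 pattern, and to flag a caveat in two of the V1.0.0 patterns: a lazy `(.*?)` at the very end of a regex can legally match zero characters. The sample payloads, the field layout they assume, and the `FIXED_ACCOUNT` patterns are this example's assumptions, not part of the extension.

```python
import re

# Custom event property definitions copied from this page: name -> (regex, capture group).
# Table 7 is what V1.0.0 shipped; Tables 3 and 1 replaced the GroupID regex in V1.0.4 / V1.0.6.
V100 = {
    "Audit Object ID":     (r"\s+id=(\S+)", 1),
    "AccountDomain":       (r"Target Domain: (.*?)", 1),
    "AccountID":           (r"Target Account ID: (.*?)", 1),
    "Computer":            (r"\s+Computer=(\S+)", 1),
    "Version":             (r"\s+Version:\s+(\S+)", 1),
    "GroupID":             (r"Group ID: (\d+)", 1),
    "ChangedAttributes":   (r"Changed Attributes: (.*)", 1),
    "Log Source Hostname": (r"\s+hostName=(\S+)", 1),
}
V106 = {**V100, "GroupID": (r"Group ID[:\s\\=]*(\d+)", 1)}
SSH_LOGIN_AUDIT = (r"\[Authentication\] \[User\] \[(UserLogin|LoginAttempt)\] .*? on host .*", 1)

# Hypothetical replacements, not from the page: a lazy (.*?) at the very end of a pattern
# has nothing after it to push against, so it matches zero characters and the property is
# always empty. Requiring at least one non-space character gives the property a value.
FIXED_ACCOUNT = {
    "AccountDomain": (r"Target Domain: (\S+)", 1),
    "AccountID":     (r"Target Account ID: (\S+)", 1),
}

def extract(payload, regex, group=1):
    """First match of one property regex, as JSA evaluates a custom event property;
    returns the capture group text, or None when the pattern does not match the payload."""
    m = re.search(regex, payload)
    return m.group(group) if m else None

def extract_all(payload, props):
    """Evaluate a whole property set against one payload."""
    return {name: extract(payload, rx, grp) for name, (rx, grp) in props.items()}

# Constructed sample payloads (not real events). They mimic Windows "member added to group"
# audit text as different collectors render it: "Group ID: 513", "Group ID=513" and
# "Group ID\=513" (backslash-escaped equals sign, which the V1.0.6 character class allows).
GROUP_COLON = ("Security Group Management Group ID: 513 Target Domain: CORP "
               "Target Account ID: S-1-5-21-7-1001 Changed Attributes: member")
GROUP_EQUALS = "Security Group Management Group ID=513 Computer=dc01.corp.example hostName=wincollect01"
GROUP_ESCAPED = "Security Group Management Group ID\\=513 Version: 2.0 id=4728"
# Constructed JSA-style audit line shaped to the SSH Login Audit pattern in Table 4.
AUDIT_LINE = ("Jan 10 09:15:02 jsa-console [Authentication] [User] [UserLogin] "
              "admin logged in on host 10.0.0.5")

def group_id_coverage():
    """Value each GroupID regex extracts from the three constructed payloads."""
    return {
        ver: [extract(p, rx, grp) for p in (GROUP_COLON, GROUP_EQUALS, GROUP_ESCAPED)]
        for ver, (rx, grp) in (("V1.0.0", V100["GroupID"]), ("V1.0.6", V106["GroupID"]))
    }

def lazy_tail_caveat():
    """Compare the V1.0.0 AccountDomain/AccountID regexes with the tightened ones."""
    return {
        "as shipped": {k: extract_all(GROUP_COLON, V100)[k] for k in FIXED_ACCOUNT},
        "tightened":  extract_all(GROUP_COLON, FIXED_ACCOUNT),
    }

if __name__ == "__main__":
    for ver, values in group_id_coverage().items():
        print(f"GroupID {ver}: {values}")
    print(lazy_tail_caveat())
    print("SSH Login Audit event type:", extract(AUDIT_LINE, *SSH_LOGIN_AUDIT))
```

The V1.0.0 GroupID pattern only matches the `Group ID: 513` rendering; the V1.0.6 character class `[:\s\\=]*` also accepts `Group ID=513` and `Group ID\=513`, so the same property works across collectors that format the separator differently. The Optimized column in Tables 1, 3 and 4 records whether JSA parses the property during event processing (so rules and indexed searches can use it) rather than at search time; it does not change what the regex matches, so the comparisons above hold either way. When you customise a property regex, run it against a sample of real payloads from each log source before enabling it for rules, since a pattern that silently returns an empty string, as the two `(.*?)` patterns do here, will not raise an error anywhere in the pipeline.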

The following rules are included in JSA GPG13 Content Extension V1.0.0.

  • Configuration Changes Made to AV/Malware Devices

  • Failed VPN Acceses

  • User Authentication Failures on Internal Systems

  • User Sessions on non-Perimeter Devices

  • Packets Dropped by Perimiter Network Devices

  • VPN Session Tracking

  • Configuration Change Made to Device in Perimeter network

  • Blocked Inbound File Transfer on Perimeter

  • Blocked Outbound File Transfer on Perimeter

  • Critical Server Messages

  • User Authentication Failures on Perimeter Systems

  • User Privilege Changes on Protected Assets

  • User Responsibilities and Password Use

  • File System Access Failure

  • System: Device Stopped Sending Events (Firewall, IPS, VPN or Switch)

  • System: Service Stopped and not Restarted

  • System: Device Stopped Sending Events

The following building blocks are included in JSA GPG13 Content Extension V1.0.0.

  • BB:CategoryDefinition: Service Status Change Events

  • BB:CategoryDefinition: SIEM Authentication Failures

  • BB:CategoryDefinition: SIEM IP Lockouts

  • BB:CategoryDefinition: Logout Events

  • BB:CategoryDefinition: Failure Service or Hardware

  • BB:CategoryDefinition: Session Opened

  • BB:CategoryDefinition: Session Closed

  • BB:CategoryDefinition: System or Device Configuration Change

  • BB:CategoryDefinition: SIEM User and Role Modifications

  • BB:CategoryDefinition: Application or Service Installed or Modified

  • BB:CategoryDefinition: Authentication to Expired Account

  • BB:CategoryDefinition: CISCO Session Events

  • BB:CategoryDefinition: Accountable User Activities

  • BB:CategoryDefinition: Authentication to Disabled Account

  • BB:CategoryDefinition: VoIP Session Opened

  • BB:CategoryDefinition: Access Denied

  • BB:CategoryDefinition: System Start/Stop Events

  • BB:CategoryDefinition: Backup Categories

  • BB:CategoryDefinition: Service Stopped

  • BB:CategoryDefinition: System Status Change Events

  • BB:CategoryDefinition: VPN Status Changes

  • BB:CategoryDefinition: SIEM Authentication

  • BB:CategoryDefinition: Service Started

  • BB:CategoryDefinition: Superuser Accounts

  • BB:CategoryDefinition: Authentication Failures

  • BB:CategoryDefinition: VPN Access Denied

  • BB:CategoryDefinition: Authentication Success

  • BB:CategoryDefinition: Backup Events

  • BB:CategoryDefinition: Changed File or Folder Access Rights

  • BB:CategoryDefinition: Account Lockout Events

  • BB:DeviceDefinition: IDS / IPS

  • BB:DeviceDefinition: VPN

  • BB:DeviceDefinition: FW / Router / Switch

  • BB:DeviceDefinition: AntiVirus

  • BB:HostBased: Critical Events

  • BB:Compliance: Session Tracking

  • BB:CategoryDefinition: Backup and Restore Events

  • BB:Compliance: SIEM Detection Configuration Changes

  • BB:DeviceDefinition: Perimeter Network Devices

  • BB:CategoryDefinition: Failed File Accesses

  • BB:CategoryDefinition: Log File Manipulation Events

  • BB:HostDefinition: Network Management Servers

  • BB:HostDefinition: Servers

  • BB:HostDefinition: RPC Servers

  • BB:HostDefinition: Proxy Servers

  • BB:HostDefinition: Database Servers

  • BB:HostDefinition: LDAP Servers

  • BB:HostDefinition: Web Servers

  • BB:HostDefinition: SNMP Sender or Receiver

  • BB:HostDefinition: Virus Definition and Other Update Servers

  • BB:HostDefinition: FTP Servers

  • BB:HostDefinition: Mail Servers

  • BB:HostDefinition: DNS Servers

  • BB:HostDefinition: SSH Servers

  • BB:HostDefinition: DHCP Servers

  • BB:HostDefinition: Protected Assets

  • BB:HostDefinition: Windows Servers

  • BB:PortDefinition: Web Ports

  • BB:PortDefinition: Database Ports

  • BB:PortDefinition: FTP Ports

  • BB:PortDefinition: Windows Ports

  • BB:PortDefinition: SNMP Ports

  • BB:PortDefinition: LDAP Ports

  • BB:PortDefinition: Mail Ports

  • BB:PortDefinition: SSH Ports

  • BB:PortDefinition: RPC Ports

  • BB:ProtocolDefinition: Windows Protocols

  • BB:PortDefinition: DNS Ports

  • BB:PortDefinition: DHCP Ports

  • BB:PortDefinition: P2P Ports

  • BB:VMware: Session Activity

  • BB:Review Of Access Rights

The following reports are included in JSA GPG13 Content Extension V1.0.0.

  • GPG13 (PMC3) User Authentication Failures on Boundary Systems (Daily)

  • GPG13 (PMC3) Packets Being Dropped by Boundary Firewalls (Daily)

  • GPG13 (PMC7) Recording of session activity by user and workstation - Review Access Rights (Daily)

  • GPG13 (PMC7) Accountable User Activites or Transactions (Daily)

  • GPG13 (PMC4) Host Messages at Critical and Above (Daily)

  • GPG13 (PMC7) Network Account Status Changes (Daily)

  • GPG13 (PMC5) User Authentication Failures on Internal Monitoring Systems (Daily)

  • GPG13 (PMC8) Backup and Restore Events

  • GPG13 (PMC2) Configuration and Signature Changes in Boundary Devices

  • GPG13 (PMC6) VPN User Session Activity (Daily)

  • GPG13 (PMC4) Changes to File or Path Access Rights (Daily)

  • GPG13 (PMC4) Changes in System Status (Daily)

  • GPG13 (PMC9) Configuration Changes to SIEM, Alerts, Rules (Daily)

  • GPG13 (PMC6) Changes in Status of VPN Node Registration (Daily)

  • GPG13 (PMC7) Use of Administrative Facilities (Daily)

  • GPG13 (PMC4) Configuration Changes to AV/Malware Devices (Daily)

  • GPG13 (PMC7) User Network Account Status Change (Daily)

  • GPG13 (PMC4) Failing File System Access Attempts (Daily)

  • GPG13 (PMC10) Log File Resets, Errors and Threshold Conditions

  • GPG13 (PMC2) Blocked Inbound File Transfers at the Boundary (Daily)

  • GPG13 (PMC7) Changes in Privilege Status on Critical Assets (Daily)

  • GPG13 (PMC4) Changes in Service Status (Daily)

  • GPG13 (PMC6) Unsuccessful VPN Node Registrations (Daily)

  • GPG13 (PMC3) Changes in status of external attack recognition software (Daily)

  • GPG13 (PMC2) Blocked Outbound File Transfers at the Boundary (Daily)

  • GPG13 (PMC3) User Sessions on Boundary Devices (Daily)

  • GPG13 (PMC5) User Sessions on Internal Devices (Daily)

  • GPG13 (PMC7) User Network Sessions (Daily)

  • GPG13 (PMC4) Changes to any host A/V signature base

The following saved searches are included in JSA GPG13 Content Extension V1.0.0.

  • Packets Dropped by Perimeter Network Devices in the last 24 hours

  • User Authentication Failures on Perimeter Systems by User in the last 24 hours

  • Compliance: System Status Change Events

  • Critical Server Messages in the last 24 hours

  • Compliance: Changed File or Folder Access Rights

  • Compliance: Administrator Authentications and Sessions

  • Packets Dropped by Perimeter Network Devices by Source and Destination IP in the last 24 hours

  • Backup and Restore Events

  • User Authentication Failures on Perimeter Systems in the last 24 hours

  • Compliance: Windows Host A/V Signature Changes

  • Log File Manipulation Events in the last 24 hours

  • File System Access Failures in the last 24 hours

  • Compliance: Network Account Status Changes

  • Compliance: Blocked Outbound Transfer

  • Compliance: Failed VPN Accesses

  • Review of Access Rights, SIEM

  • Compliance: Accountable User Activity Events

  • Compliance: Blocked Inbound Transfers

  • User Authentication Failures on Internal Monitoring Systems in the last 24 hours

  • Compliance: User Privilege Change Events on Protected Assets

  • Compliance: VPN SessionTracking Events

  • Compliance: Service Status Change Events

  • Compliance: VPN Status Change Events

  • Review of Access Rights, Windows

  • Compliance: SIEM Configuration Changes

  • Compliance: All User Sessions

  • Review of Access Rights, Network

  • Compliance: Internal User Sessions

  • GPG13 (PMC7) - Review of Access Rights

  • Configuration and Signature Changes Made to Perimeter Devices

  • Compliance: SIEM Detection Configuration Changes

  • Compliance: Perimeter Device User Sessions

  • Compliance: Configuration Change Events on AV/Malware Devices
