
Compliance


EventSentry can help users comply with a variety of compliance frameworks, including NIST, CMMC, PCI and others. This section shows all available compliance components in EventSentry along with the steps required to set up compliance.

 

Every EventSentry installation includes the following components that assist you with compliance:

 

Compliance Reports

Compliance Dashboard (select compliance packages only)

Event Log Package "Compliance"

Validation Scripts

 

Compliance Reports (Web Reports)

Compliance reports are built-in reports that are included with every EventSentry installation but not activated by default. Compliance reports can be enabled in the web reports by navigating to Reports → Compliance → Modify Requirements and selecting the applicable compliance requirement(s). After the reports are imported it's recommended to set the desired review period for all reports by clicking on the name check box and selecting "Set Review".

 


 

After the desired review period has been set the reports can either be run manually or scheduled with jobs. Jobs can either dispatch reports via email or store the resulting report in the file system.

 

Compliance Dashboard (Web Reports)

EventSentry ships with a number of dashboard templates, including templates for compliance requirements like CMMC. To import a dashboard template, first load any dashboard from the "Dashboards" menu, then click "Change" and then the "Settings" link. In the "Dashboard Manager", click "Import" and select the respective dashboard template. All imported dashboard templates can be customized after they are imported.

 


 

Event Log Compliance Package (Management Console)

EventSentry also ships with the "Compliance" event log package that is enabled regardless of which compliance reports and/or dashboards are utilized. The package includes a variety of event log filter rules for events that are important for any environment and various compliance requirements. The compliance event log package can be found in the management console under Packages → Event Logs → Compliance.

 

Difference between compliance reports and compliance event log package:

 

| Event Log Package | Reports |
| --- | --- |
| Supports real-time alerts for certain security events, such as group membership changes | Jobs can be scheduled at specific times or intervals |
| Is not tailored towards specific compliance requirement | Are created for specific compliance requirements |
| Control which raw events are stored in the EventSentry database | |


 

The "Compliance" event log package is configured for the "Primary Database" action by default, which ensures that all covered events are stored in a database and available for later analysis. Some compliance reports may also rely on events collected by this package (if not covered by the "Database Consolidation" package).

 

Individual filters in the package can be configured to send alerts to actions in addition to the Primary database. To accomplish this, the "Override actions in this package" option needs to be unchecked: click the package → click "Properties" in the ribbon → uncheck "Override actions of all objects in this package" → edit the actions of the respective filter(s).

 


 

Validation Scripts (Management Console)

Compliance frameworks often dictate certain security settings, such as disabling SMBv1, which encryption algorithms to use and more. EventSentry's validation scripts continuously compare critical settings on your monitored hosts with baselines set by the respective compliance framework. Non-compliant settings are quickly identified in the web reports on a dashboard or the validation scripts section. Validation scripts can be reviewed under "Scripts" in the management console.
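The kind of baseline comparison described above, as an added PowerShell example that is not one of EventSentry's own validation scripts. The two baseline values (SMBv1 server off, TLS 1.0 server explicitly disabled), the output format and the exit codes are assumptions for illustration, not EventSentry's script contract.

```powershell
# Added example, not an EventSentry script. Baseline values, output format and
# exit codes are assumptions chosen for illustration.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

# Each check returns the observed value; Expected is the baseline to compare against.
$checks = @(
    @{ Setting  = 'SMBv1 server protocol enabled'
       Expected = $false
       Actual   = { (Get-SmbServerConfiguration -ErrorAction Stop).EnableSMB1Protocol } },
    @{ Setting  = 'TLS 1.0 server "Enabled" registry value'
       Expected = 0
       Actual   = { Get-RegValue "$schannel\TLS 1.0\Server" 'Enabled' } }
)

$results = foreach ($c in $checks) {
    try   { $actual = & $c.Actual; $err = $null }
    catch { $actual = $null; $err = $_.Exception.Message }

    [pscustomobject]@{
        Setting   = $c.Setting
        Expected  = $c.Expected
        Actual    = if ($null -eq $actual) { '<not set>' } else { $actual }
        # A value that is not set falls back to the OS default, which varies by
        # Windows version, so it is reported as non-compliant for review.
        Compliant = ($null -ne $actual) -and ($actual -eq $c.Expected)
        Error     = $err
    }
}

$results | Format-Table -AutoSize

# Non-zero exit code when any setting deviates from the baseline.
$failed = @($results | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) { exit 1 } else { exit 0 }
```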

 


 

To set up validation scripts for compliance, follow the steps below in the management console:

 

1. Navigate to Packages → Validation Scripts

2. Click on "Add" in the ribbon to add a new package and give it a descriptive name (e.g. CMMC)

3. Select the newly created package and select "Add" under "Validation Scripts" in the ribbon

4. Select the newly created "Scripts" object

5. In the top section "Assigned Tags & Scripts" add all relevant tags, e.g. "compliance-server"

6. Click the "Add" button on the bottom in the "Database" section to configure in which database validation script output is stored