TIBCO LogLogic®

FISMA Compliance Suite

Quick Start Guide

Software Release: 3.5.0

December 2012

Important Information

SOME TIBCO SOFTWARE EMBEDS OR BUNDLES OTHER TIBCO SOFTWARE. USE OF SUCH EMBEDDED OR BUNDLED TIBCO SOFTWARE IS SOLELY TO ENABLE THE FUNCTIONALITY (OR PROVIDE LIMITED ADD-ON FUNCTIONALITY) OF THE LICENSED TIBCO SOFTWARE. THE EMBEDDED OR BUNDLED SOFTWARE IS NOT LICENSED TO BE USED OR ACCESSED BY ANY OTHER TIBCO SOFTWARE OR FOR ANY OTHER PURPOSE.

USE OF TIBCO SOFTWARE AND THIS DOCUMENT IS SUBJECT TO THE TERMS AND CONDITIONS OF A LICENSE AGREEMENT FOUND IN EITHER A SEPARATELY EXECUTED SOFTWARE LICENSE AGREEMENT, OR, IF THERE IS NO SUCH SEPARATE AGREEMENT, THE CLICKWRAP END USER LICENSE AGREEMENT WHICH IS DISPLAYED DURING DOWNLOAD OR INSTALLATION OF THE SOFTWARE (AND WHICH IS DUPLICATED IN THE LICENSE FILE) OR IF THERE IS NO SUCH SOFTWARE LICENSE AGREEMENT OR CLICKWRAP END USER LICENSE AGREEMENT, THE LICENSE(S) LOCATED IN THE “LICENSE” FILE(S) OF THE SOFTWARE. USE OF THIS DOCUMENT IS SUBJECT TO THOSE TERMS AND CONDITIONS, AND YOUR USE HEREOF SHALL CONSTITUTE ACCEPTANCE OF AND AN AGREEMENT TO BE BOUND BY THE SAME.

This document contains confidential information that is subject to U.S. and international copyright laws and treaties. No part of this document may be reproduced in any form without the written authorization of TIBCO Software Inc.

TIBCO, Two-Second Advantage and LogLogic are either registered trademarks or trademarks of TIBCO Software Inc. and/or subsidiaries of TIBCO Software Inc. in the United States and/or other countries.

All other product and company names and marks mentioned in this document are the property of their respective owners and are mentioned for identification purposes only.

THIS SOFTWARE MAY BE AVAILABLE ON MULTIPLE OPERATING SYSTEMS. HOWEVER, NOT ALL OPERATING SYSTEM PLATFORMS FOR A SPECIFIC SOFTWARE VERSION ARE RELEASED AT THE SAME TIME. PLEASE SEE THE README.TXT FILE FOR THE AVAILABILITY OF THIS SOFTWARE VERSION ON A SPECIFIC OPERATING SYSTEM PLATFORM.

THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT. THIS DOCUMENT COULD INCLUDE TECHNICAL INACCURACIES OR TYPOGRAPHICAL ERRORS. CHANGES ARE PERIODICALLY ADDED TO THE INFORMATION HEREIN; THESE CHANGES WILL BE INCORPORATED IN NEW EDITIONS OF THIS DOCUMENT. TIBCO SOFTWARE INC. MAY MAKE IMPROVEMENTS AND/OR CHANGES IN THE PRODUCT(S) AND/OR THE PROGRAM(S) DESCRIBED IN THIS DOCUMENT AT ANY TIME.

THE CONTENTS OF THIS DOCUMENT MAY BE MODIFIED AND/OR QUALIFIED, DIRECTLY OR INDIRECTLY, BY OTHER DOCUMENTATION WHICH ACCOMPANIES THIS SOFTWARE, INCLUDING BUT NOT LIMITED TO ANY RELEASE NOTES AND "READ ME" FILES.

Copyright © 2002-2012 TIBCO Software Inc. ALL RIGHTS RESERVED.

TIBCO Software Inc. Confidential Information

Contents

Preface: About This Guide

Technical Support Information

Documentation Support Information

Contact Information

Conventions

Chapter 1: LogLogic Reports and Alerts for FISMA

LogLogic Reports for FISMA

LogLogic Alerts for FISMA

LogLogic Reports and Alerts Quick Reference

PREFACE: About This Guide

The LogLogic FISMA Compliance Suite Guidebook provides introduction and overview information regarding the Federal Information Security Management Act (FISMA) and National Institute of Standards and Technology’s (NIST) standards and security procedures. It also covers topics related to managing LogLogic’s FISMA compliance reports, alerts, and using log data collected and aggregated from all types of source systems to monitor and report on FISMA compliance.

Technical Support Information

LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Compliance Suites.

To reach the LogLogic Support team by telephone:

Toll Free—1-800-957-LOGS

Local—1-408-834-7480

EMEA— +44 1480 479391

Email: [email protected]

Support Website: http://loglogic.com/contact/customer-support

When contacting LogLogic Support, be prepared to provide the following information:

  • Your name, email address, phone number, and fax number

  • Your company name and company address

  • Your appliance model and release version

  • Serial number located on the back of the Appliance or the eth0 MAC address

  • A description of the problem and the content of pertinent error messages (if any)

Documentation Support Information

The LogLogic documentation includes Portable Document Format (PDF) files. To read the PDF documentation, you need a PDF file viewer such as Adobe Acrobat Reader. You can download the Adobe Acrobat Reader at http://www.adobe.com.

Contact Information

Your feedback on the LogLogic documentation is important to us. If you have questions or comments, send email to [email protected]. In your email message, please indicate the software name and version you are using, as well as the title and document release date of your documentation. Your comments will be reviewed and addressed by the LogLogic Technical Publications team.

Conventions

The LogLogic documentation uses the following conventions to distinguish text and information that might require special attention.

Caution: Highlights important situations that could potentially damage data or cause system failure.

IMPORTANT! Highlights key considerations to keep in mind.

Note: Provides additional information that is useful but not always essential or highlights guidelines and helpful hints.

This guide also uses the following typographic conventions to highlight code and command line elements:

Monospace is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as file names, directories, paths, and URLs).

Monospace bold is used to distinguish system prompts or screen output from user responses, as in this example:

username: system

home directory: home\app

Monospace italic is used for placeholders, which are general names that you replace with names specific to your site, as in this example:

LogLogic_home_directory\upgrade\

Straight brackets signal options in command line syntax.

ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path ...]


CHAPTER 1: LogLogic Reports and Alerts for FISMA

This chapter provides a detailed listing of all FISMA specifications with their corresponding LogLogic compliance suite reports and/or alerts.

LogLogic Reports for FISMA

LogLogic Alerts for FISMA

LogLogic Reports and Alerts Quick Reference

LogLogic Reports for FISMA

The following table lists the reports included in the LogLogic Compliance Suite: FISMA Edition.

# LogLogic Report Description

1 FISMA: Accepted VPN Connections - RADIUS

Displays all users connected to the internal network through the RADIUS VPN

2 FISMA: Account Activities on UNIX Servers Displays all accounts activities on UNIX servers to ensure authorized and appropriate access.

3 FISMA: Account Activities on Windows Servers

Displays all accounts activities on Windows servers to ensure authorized and appropriate access.

4 FISMA: Accounts Changed on Sidewinder Displays all accounts changed on Sidewinder to ensure authorized and appropriate access.

5 FISMA: Accounts Changed on NetApp Filer Displays all accounts changed on NetApp Filer to ensure authorized and appropriate access.

6 FISMA: Accounts Changed on TIBCO Administrator

Displays all accounts changed on TIBCO Administrator to ensure authorized and appropriate access.

7 FISMA: Accounts Created on NetApp Filer Displays all accounts created on NetApp Filer to ensure authorized and appropriate access.

8 FISMA: Accounts Created on NetApp Filer Audit

Displays all accounts created on NetApp Filer Audit to ensure authorized and appropriate access.

9 FISMA: Accounts Created on Sidewinder Displays all accounts created on Sidewinder to ensure authorized and appropriate access.

10 FISMA: Accounts Created on Symantec Endpoint Protection

Displays all accounts created on Symantec Endpoint Protection to ensure authorized and appropriate access.

11 FISMA: Accounts Created on TIBCO Administrator

Displays all accounts created on TIBCO Administrator to ensure authorized and appropriate access.

12 FISMA: Accounts Created on UNIX Servers Displays all accounts created on UNIX servers to ensure authorized and appropriate access.

13 FISMA: Accounts Created on Windows Servers

Displays all accounts created on Windows servers to ensure authorized and appropriate access.

14 FISMA: Accounts Deleted on Sidewinder Displays all accounts deleted on Sidewinder to ensure authorized and appropriate access.

15 FISMA: Accounts Deleted on NetApp Filer Displays all accounts deleted on NetApp Filer to ensure authorized and appropriate access.


16 FISMA: Accounts Deleted on NetApp Filer Audit

Displays all accounts deleted on NetApp Filer Audit to ensure authorized and appropriate access.

17 FISMA: Accounts Deleted on Symantec Endpoint Protection

Displays all accounts deleted on Symantec Endpoint Protection to ensure authorized and appropriate access.

18 FISMA: Accounts Deleted on TIBCO Administrator

Displays all accounts deleted on TIBCO Administrator to ensure authorized and appropriate access.

19 FISMA: Accounts Deleted on UNIX Servers Displays all accounts deleted on UNIX servers to ensure authorized and appropriate access.

20 FISMA: Accounts Deleted on Windows Servers

Displays all accounts deleted on Windows servers to ensure authorized and appropriate access.

21 FISMA: Active Directory System Changes Displays changes made within Active Directory.

22 FISMA: Administrators Activities on Servers

Displays the latest activities performed by administrators and root users to ensure appropriate access.

23 FISMA: Applications Under Attack Displays all applications under attack as well as the attack signatures.

24 FISMA: Applications Under Attack - Cisco IOS

Displays all applications under attack as well as the attack signatures by Cisco IOS.

25 FISMA: Applications Under Attack - ISS SiteProtector

Displays all applications under attack as well as the attack signatures by ISS SiteProtector.

26 FISMA: Applications Under Attack - SiteProtector

Displays all applications under attack as well as the attack signatures by SiteProtector.

27 FISMA: Attack Origins Displays the sources that have initiated the most attacks.

28 FISMA: Attack Origins - Cisco IOS Displays the sources that have initiated the most attacks by Cisco IOS.

29 FISMA: Attack Origins - ISS SiteProtector Displays the sources that have initiated the most attacks by ISS SiteProtector.

30 FISMA: Attack Origins - SiteProtector Displays the sources that have initiated the most attacks by SiteProtector.

31 FISMA: Attacks Detected Displays all IDS attacks detected to servers and applications.

32 FISMA: Attacks Detected - Cisco IOS Displays all IDS attacks detected to servers and applications by Cisco IOS.

33 FISMA: Attacks Detected - ISS SiteProtector Displays all IDS attacks detected to servers and applications by ISS SiteProtector.

34 FISMA: Attacks Detected - SiteProtector Displays all IDS attacks detected to servers and applications by SiteProtector.

35 FISMA: Check Point Configuration Changes Displays all Check Point audit events related to configuration changes.

36 FISMA: Check Point Management Station Login

Displays all login events into the Check Point Management Station.

37 FISMA: Check Point Object Activity Displays all creation, deletion, and modification of Check Point objects.

38 FISMA: Cisco ESA: Attacks by Event ID Displays Cisco ESA attacks by Event ID.

39 FISMA: Cisco ESA: Attacks Detected Displays attacks detected by Cisco ESA.

40 FISMA: Cisco ESA: Attacks by Threat Name Displays Cisco ESA attacks by threat name.

41 FISMA: Cisco ESA: Scans Scans using Cisco ESA

42 FISMA: Cisco ESA: Updated Updates to Cisco ESA.

43 FISMA: Cisco ISE, ACS Accounts Created Displays all accounts created on Cisco ISE and Cisco SecureACS to ensure authorized and appropriate access.

44 FISMA: Cisco ISE, ACS Accounts Removed Displays all accounts removed on Cisco ISE and Cisco SecureACS to ensure authorized and appropriate access.

45 FISMA: Cisco ISE, ACS Configuration Changes

Displays Cisco ISE and Cisco SecureACS configuration changes.


46 FISMA: Cisco ISE, ACS Password Changes Displays all password change activities on Cisco ISE and Cisco SecureACS to ensure authorized and appropriate access.

47 FISMA: Cisco Line Protocol Status Changes Displays all Cisco line protocol up and down events.

48 FISMA: Cisco Link Status Changes Displays all Cisco link up and down events.

49 FISMA: Cisco Peer Reset/Reload Displays all Cisco Peer reset and reload events.

50 FISMA: Cisco Peer Supervisor Status Changes

Displays all Cisco Peer Supervisor status changes.

51 FISMA: Cisco PIX, ASA, FWSM Failover Disabled

Displays all logs related to disabling Cisco PIX, ASA, and FWSM failover capability.

52 FISMA: Cisco PIX, ASA, FWSM Failover Performed

Displays all logs related to performing a Cisco PIX, ASA, and FWSM failover.

53 FISMA: Cisco PIX, ASA, FWSM Policy Changed

Displays all configuration changes made to the Cisco PIX, ASA, and FWSM devices.

54 FISMA: Cisco PIX, ASA, FWSM Restarted Displays all Cisco PIX, ASA, or FWSM restart activities to detect unusual activities.

55 FISMA: Cisco PIX, ASA, FWSM Routing Failure

Displays all Cisco PIX, ASA, and FWSM routing error messages.

56 FISMA: Cisco Redundancy Version Check Failed

Displays all Cisco redundancy version check failures.

57 FISMA: Cisco Switch Policy Changes Displays all configuration changes to the Cisco router and switch policies.

58 FISMA: Cisco System Restarted Displays all Cisco System restart events.

59 FISMA: DB2 Database Backup Failed Displays all IBM DB2 Database Server backup failures.

60 FISMA: DB2 Database Failed Logins Displays all failed login attempts to review any access violations or unusual activity.

61 FISMA: DB2 Database Logins Displays DB2 database logins.

62 FISMA: DB2 Database Restore Failed Displays all IBM DB2 Database restore failure events.

63 FISMA: DB2 Database Stop and Start Events Displays DB2 database events related to starting and stopping the database.

64 FISMA: Denied VPN Connections - RADIUS

Displays all users denied access to the internal network by the RADIUS VPN.

65 FISMA: DHCP Granted/Renewed Activities on Microsoft DHCP

Displays all DHCP Granted/Renewed activities on Microsoft DHCP Server.

66 FISMA: DHCP Granted/Renewed Activities on VMware vShield

Displays all DHCP Granted/Renewed activities on VMware vShield Edge.

67 FISMA: DNS Server Error Displays all events when DNS Server has errors.

68 FISMA: Domain Activities on Symantec Endpoint Protection

Displays all domain activities on Symantec Endpoint Protection.

69 FISMA: Escalated Privilege Activities on Servers

Displays all privilege escalation activities performed on servers to ensure appropriate access.

70 FISMA: ESX Accounts Activities Displays all accounts activities on VMware ESX servers to ensure authorized and appropriate access.

71 FISMA: ESX Accounts Created Displays all accounts created on VMware ESX servers to ensure authorized and appropriate access.

72 FISMA: ESX Accounts Deleted Displays all accounts deleted on VMware ESX servers to ensure authorized and appropriate access.

73 FISMA: ESX Failed Logins Failed VMware ESX logins for known user.


74 FISMA: ESX Group Activities Displays all group activities on VMware ESX servers to ensure authorized and appropriate access.

75 FISMA: ESX Kernel log daemon terminating Displays all VMware ESX Kernel log daemon terminating.

76 FISMA: ESX Kernel logging Stop Displays all VMware ESX Kernel logging stops.

77 FISMA: ESX Logins Failed Unknown User Failed VMware ESX logins for unknown user.

78 FISMA: ESX Logins Succeeded Displays successful logins to VMware ESX to ensure only authorized personnel have access.

79 FISMA: ESX Syslogd Restart Displays all VMware ESX syslogd restarts.

80 FISMA: F5 BIG-IP TMOS Login Failed Displays all F5 BIG-IP TMOS Login events which have failed.

81 FISMA: F5 BIG-IP TMOS Login Successful Displays all F5 BIG-IP TMOS Login events which have succeeded.

82 FISMA: F5 BIG-IP TMOS Password Changes

Displays all password change activities on F5 BIG-IP TMOS to ensure authorized and appropriate access.

83 FISMA: F5 BIG-IP TMOS Restarted Displays all events when the F5 BIG-IP TMOS has been restarted.

84 FISMA: Files Accessed on NetApp Filer Audit

Displays all files accessed on NetApp Filer Audit to ensure appropriate access.

85 FISMA: Files Accessed on Servers Displays all files accessed on servers to ensure appropriate access.

86 FISMA: Files Accessed through Juniper SSL VPN (Secure Access)

Displays all files accessed through Juniper SSL VPN (Secure Access).

87 FISMA: Firewall Connections Accepted - Check Point

Displays all traffic passing through the Check Point firewall.

88 FISMA: Firewall Connections Accepted - Cisco ASA

Displays all traffic passing through the Cisco ASA firewall.

89 FISMA: Firewall Connections Accepted - Cisco FWSM

Displays all traffic passing through the Cisco FWSM firewall.

90 FISMA: Firewall Connections Accepted - Cisco IOS

Displays all traffic passing through the Cisco IOS firewall.

91 FISMA: Firewall Connections Accepted - Cisco Netflow

Displays all traffic passing through the Cisco Netflow.

92 FISMA: Firewall Connections Accepted - Cisco NXOS

Displays all traffic passing through the Cisco NXOS devices.

93 FISMA: Firewall Connections Accepted - Cisco PIX

Displays all traffic passing through the Cisco PIX firewall.

94 FISMA: Firewall Connections Accepted - F5 BIG-IP TMOS

Displays all traffic passing through the F5 BIG-IP TMOS device.

95 FISMA: Firewall Connections Accepted - Fortinet

Displays all traffic passing through the Fortinet firewall.

96 FISMA: Firewall Connections Accepted - Juniper Firewall

Displays all traffic passing through the Juniper Firewall.

97 FISMA: Firewall Connections Accepted - Juniper JunOS

Displays all traffic passing through the Juniper JunOS firewall.

98 FISMA: Firewall Connections Accepted - Juniper RT Flow

Displays all traffic passing through the Juniper RT Flow.

99 FISMA: Firewall Connections Accepted - Nortel

Displays all traffic passing through the Nortel firewall.

100 FISMA: Firewall Connections Accepted - PANOS

Displays all traffic passing through the Palo Alto Networks firewall.


101 FISMA: Firewall Connections Accepted - Sidewinder

Displays all traffic passing through the Sidewinder firewall.

102 FISMA: Firewall Connections Accepted - VMware vShield

Displays all traffic passing through the VMware vShield device.

103 FISMA: Firewall Connections Denied - Check Point

Displays the traffic that has been denied access by the Check Point to review access violations.

104 FISMA: Firewall Connections Denied - Cisco ASA

Displays the applications that have been denied access the most by the Cisco ASA devices.

105 FISMA: Firewall Connections Denied - Cisco FWSM

Displays the applications that have been denied access the most by the Cisco FWSM devices.

106 FISMA: Firewall Connections Denied - Cisco IOS

Displays the traffic that has been denied access by the Cisco IOS to review access violations.

107 FISMA: Firewall Connections Denied - Cisco NXOS

Displays the applications that have been denied access the most by the Cisco NXOS to review access violations.

108 FISMA: Firewall Connections Denied - Cisco PIX

Displays the applications that have been denied access the most by the Cisco PIX devices.

109 FISMA: Firewall Connections Denied - Cisco Router

Displays the applications that have been denied access the most by the Cisco Router.

110 FISMA: Firewall Connections Denied - F5 BIG-IP TMOS

Displays the applications that have been denied access the most by the F5 BIG-IP TMOS.

111 FISMA: Firewall Connections Denied - Fortinet

Displays the applications that have been denied access the most by the Fortinet devices.

112 FISMA: Firewall Connections Denied - Juniper Firewall

Displays the applications that have been denied access the most by the Juniper firewalls.

113 FISMA: Firewall Connections Denied - Juniper JunOS

Displays the applications that have been denied access the most by the Juniper JunOS.

114 FISMA: Firewall Connections Denied - Juniper RT Flow

Displays the applications that have been denied access the most by the Juniper RT Flow.

115 FISMA: Firewall Connections Denied - Nortel

Displays the applications that have been denied access the most by the Nortel devices.

116 FISMA: Firewall Connections Denied - PANOS

Displays the applications that have been denied access the most by the Palo Alto Networks devices.

117 FISMA: Firewall Connections Denied - Sidewinder

Displays the applications that have been denied access the most by the Sidewinder to review access violations.

118 FISMA: Firewall Connections Denied - VMware vShield

Displays the applications that have been denied access the most by the VMware vShield.

119 FISMA: Firewall Traffic Considered Risky - Check Point

Displays Check Point allowed firewall traffic that is considered risky.

120 FISMA: Firewall Traffic Considered Risky - Cisco ASA

Displays Cisco ASA allowed firewall traffic that is considered risky.

121 FISMA: Firewall Traffic Considered Risky - Cisco FWSM

Displays Cisco FWSM allowed firewall traffic that is considered risky.

122 FISMA: Firewall Traffic Considered Risky - Cisco IOS

Displays Cisco IOS firewall traffic that is considered risky.

123 FISMA: Firewall Traffic Considered Risky - Cisco Netflow

Displays Cisco Netflow allowed firewall traffic that is considered risky.

124 FISMA: Firewall Traffic Considered Risky - F5 BIG-IP TMOS

Displays F5 BIG-IP TMOS allowed firewall traffic that is considered risky.


125 FISMA: Firewall Traffic Considered Risky - Cisco PIX

Displays Cisco PIX allowed firewall traffic that is considered risky.

126 FISMA: Firewall Traffic Considered Risky - Fortinet

Displays Fortinet allowed firewall traffic that is considered risky.

127 FISMA: Firewall Traffic Considered Risky - Juniper Firewall

Displays Juniper firewall allowed firewall traffic that is considered risky.

128 FISMA: Firewall Traffic Considered Risky - Juniper JunOS

Displays Juniper JunOS allowed firewall traffic that is considered risky.

129 FISMA: Firewall Traffic Considered Risky - Juniper RT Flow

Displays Juniper RT Flow allowed firewall traffic that is considered risky.

130 FISMA: Firewall Traffic Considered Risky - Nortel

Displays Nortel allowed firewall traffic that is considered risky.

131 FISMA: Firewall Traffic Considered Risky - PANOS

Displays Palo Alto Networks allowed firewall traffic that is considered risky.

132 FISMA: Firewall Traffic Considered Risky - Sidewinder

Displays Sidewinder allowed firewall traffic that is considered risky.

133 FISMA: Firewall Traffic Considered Risky - VMware vShield

Displays VMware vShield Edge firewall traffic that is considered risky.

134 FISMA: FortiOS: Attacks by Event ID Displays FortiOS attacks by Event ID.

135 FISMA: FortiOS: Attacks by Threat Name Displays FortiOS attacks by threat name.

136 FISMA: FortiOS: Attacks Detected Displays attacks detected by FortiOS.

137 FISMA: FortiOS DLP Attacks Detected Displays all DLP attacks detected by FortiOS.

138 FISMA: Guardium SQL Guard Audit Logins

Displays all login attempts to the Guardium SQL Server Audit database.

139 FISMA: Guardium SQL Guard Audit Startup or Shutdown

Displays all startup and shutdown events on Guardium SQL Audit Server.

140 FISMA: Guardium SQL Guard Logins Displays all login attempts to the Guardium SQL Server database.

141 FISMA: Guardium SQL Guard Startup or Shutdown

Displays all startup and shutdown events on Guardium SQL Server.

142 FISMA: Group Activities on NetApp Filer Audit

Displays all group activities on NetApp Filer Audit to ensure authorized and appropriate access.

143 FISMA: Group Activities on Symantec Endpoint Protection

Displays all group activities on Symantec Endpoint Protection to ensure authorized and appropriate access.

144 FISMA: Group Activities on UNIX Servers Displays all group activities on UNIX Servers to ensure authorized and appropriate access.

145 FISMA: Group Activities on Windows Servers

Displays all group activities on Windows Servers to ensure authorized and appropriate access.

146 FISMA: i5/OS DST Password Reset Displays i5/OS events related to the reset of the DST (Dedicated Service Tools) password.

147 FISMA: i5/OS Files Accessed Lists all events when a user gains access to an i5/OS file.

148 FISMA: i5/OS Network User Login Failed Lists all events when a network user was denied access into the i5/OS.

149 FISMA: i5/OS Network User Login Successful

Lists all events when a network user successfully logs into the i5/OS.

150 FISMA: i5/OS Network User Profile Creation

Displays i5/OS events when a network user profile has been created.

151 FISMA: i5/OS Network User Profile Deletion

Displays i5/OS events when a network user profile has been deleted.


152 FISMA: i5/OS Network User Profile Modified

Displays all permission modification activities on i5/OS to ensure authorized access.

153 FISMA: i5/OS Object Permissions Modified Displays all permission modification activities on i5/OS to ensure authorized access.

154 FISMA: i5/OS Restarted Lists all events when the i5/OS has been restarted.

155 FISMA: i5/OS Service Started Lists all events when a user starts a service on the i5/OS.

156 FISMA: i5/OS User Login Failed Lists all events when a user was denied access into the i5/OS.

157 FISMA: i5/OS User Login Successful Lists all events when a user successfully logs into the i5/OS.

158 FISMA: i5/OS User Profile Creation Displays i5/OS events when a user profile has been created.

159 FISMA: i5/OS User Profile Modifications Displays i5/OS events when a user profile has been modified.

160 FISMA: Juniper Firewall HA State Changed Displays state change in the Juniper Firewall HA Policy.

161 FISMA: Juniper Firewall Policy Changed Displays all configuration changes to the Juniper Firewall policies.

162 FISMA: Juniper Firewall Policy Out of Sync Displays events that indicate the Juniper Firewall’s HA policies are out of sync.

163 FISMA: Juniper Firewall Reset Accepted Displays events that indicate the Juniper Firewall has been reset to its factory default state.

164 FISMA: Juniper Firewall Reset Imminent Displays events that indicate the Juniper Firewall will be reset to its factory default state.

165 FISMA: Juniper Firewall Restarted Displays all Juniper Firewall restart events.

166 FISMA: Juniper SSL VPN (Secure Access) Failed Logins

Displays a report of all failed logins at the Juniper SSL VPN (Secure Access).

167 FISMA: Juniper SSL VPN (Secure Access) Failed Logins by User

Displays all failed Juniper SSL VPN (Secure Access) logins based on user.

168 FISMA: Juniper SSL VPN (Secure Access) Policy Changed

Displays all configuration changes to the Juniper SSL VPN (Secure Access) policies.

169 FISMA: Juniper SSL VPN (Secure Access) Successful Logins

Displays successful connections through the Juniper SSL VPN (Secure Access).

170 FISMA: Juniper SSL VPN (Secure Access) Successful Logins by User

Displays all successful Juniper SSL VPN (Secure Access) logins based on user.

171 FISMA: Juniper SSL VPN Failed Logins Displays a report of all failed logins at the Juniper SSL VPN.

172 FISMA: Juniper SSL VPN Failed Logins by User

Displays all failed logins per user at the Juniper SSL VPN.

173 FISMA: Juniper SSL VPN Successful Logins Displays successful connections through the Juniper SSL VPN.

174 FISMA: Juniper SSL VPN Successful Logins by User

Displays all successful logins per user at the Juniper SSL VPN.

175 FISMA: Failed Logins Displays all failed login attempts to review any access violations or unusual activity.

176 FISMA: Successful Logins Displays successful logins to ensure only authorized personnel have access.

177 FISMA: LogLogic Disk Full Displays events that indicate the LogLogic appliance’s disk is near full.

178 FISMA: LogLogic DSM Logins Displays all login attempts to the LogLogic DSM database.

179 FISMA: LogLogic DSM Startup or Shutdown

Displays all startup and shutdown events on LogLogic DSM database.

180 FISMA: LogLogic File Retrieval Errors Displays all errors while retrieving log files from devices, servers and applications.

181 FISMA: LogLogic HA State Changed Displays all LogLogic appliance failover state change events.


182 FISMA: LogLogic Message Routing Errors Displays all log forwarding errors on the LogLogic Appliance to ensure all logs are archived properly.

183 FISMA: LogLogic NTP Service Stopped Displays events that indicate the NTP engine on the LogLogic appliance has stopped.

184 FISMA: McAfee AntiVirus: Attacks by Event ID

Displays McAfee AntiVirus attacks by Event ID.

185 FISMA: McAfee AntiVirus: Attacks by Threat Name

Displays McAfee AntiVirus attacks by threat name.

186 FISMA: McAfee AntiVirus: Attacks Detected

Displays attacks detected by McAfee AntiVirus.

187 FISMA: Microsoft Operations Manager - Windows Accounts Activities

Displays all accounts activities on Windows servers to ensure authorized and appropriate access.

188 FISMA: Microsoft Operations Manager - Windows Accounts Created

Displays all accounts created on Windows servers to ensure authorized and appropriate access.

189 FISMA: Microsoft Operations Manager - Windows Accounts Enabled

Displays all accounts enabled on Windows servers to ensure authorized and appropriate access.

190 FISMA: Microsoft Operations Manager - Windows Events by Users

Displays a summary of access-related Windows events by source and target users.

191 FISMA: Microsoft Operations Manager - Windows Password Changes

Displays all password change activities on Windows servers to ensure authorized and appropriate access.

192 FISMA: Microsoft Operations Manager - Windows Permissions Modified

Displays all permission modification activities on Windows servers to ensure authorized access.

193 FISMA: Microsoft Operations Manager - Windows Policies Modified

Displays all policy modification activities on Windows servers to ensure authorized and appropriate access.

194 FISMA: Microsoft Operations Manager - Windows Servers Restarted

Displays all Windows server restart activities to detect unusual activities.

195 FISMA: Microsoft Sharepoint Content Deleted

Displays all events when content has been deleted from Microsoft Sharepoint.

196 FISMA: Microsoft Sharepoint Content Updates

Displays all events when content is updated within Microsoft Sharepoint.

197 FISMA: Microsoft Sharepoint Permissions Changed

Displays all delete and update events to Microsoft Sharepoint user/group permissions.

198 FISMA: Microsoft Sharepoint Policy Add, Remove, or Modify

Displays all events when a Microsoft Sharepoint policy is added, removed, or modified.

199 FISMA: Microsoft SQL Server Database Failed Logins

Displays failed Microsoft SQL Server database logins.

200 FISMA: Microsoft SQL Server Database Logins

Displays logins to Microsoft SQL Server databases.

201 FISMA: Microsoft SQL Server Backup Failed

Displays all Microsoft SQL Server backup failures.

202 FISMA: Microsoft SQL Server Restore Failed

Displays all Microsoft SQL Server restore failure events.

203 FISMA: NetApp Filer Accounts Locked Displays all accounts locked out of NetApp Filer to detect access violations or unusual activities.

204 FISMA: NetApp Filer Audit Login Failed Displays all NetApp Filer Audit Login events which have failed.

205 FISMA: NetApp Filer Audit Login Successful

Displays all NetApp Filer Audit Login events which have succeeded.

206 FISMA: NetApp Filer Audit Logs Cleared Displays all audit logs clearing activities on NetApp Filer Audit to detect access violations or unusual activity.

207 FISMA: NetApp Filer Audit Policies Modified

Displays all policy modification activities on NetApp Filer Audit to ensure authorized and appropriate access.

208 FISMA: NetApp Filer Disk Failure Displays all disk failure events on the NetApp Filer servers.

209 FISMA: NetApp Filer Disk Missing Displays events that indicate disk missing on the NetApp Filer servers.

210 FISMA: NetApp Filer File activity Displays all file activities on NetApp Filer.

211 FISMA: NetApp Filer File System Full Displays events that indicate the NetApp Filer’s disk is near full.

212 FISMA: NetApp Filer Login Failed Displays all NetApp Filer Login events which have failed.

213 FISMA: NetApp Filer Login Successful Displays all NetApp Filer Login events which have succeeded.

214 FISMA: NetApp Filer Password Changes Displays all password change activities on NetApp Filer to ensure authorized and appropriate access.

215 FISMA: NetApp Filer Snapshot Error Displays events that indicate backup on the NetApp Filer has failed.

216 FISMA: NTP Clock Synchronized Displays events that indicate NTP has successfully synchronized the clock.

217 FISMA: NTP Daemon Exited Displays events that indicate the NTP service has stopped.

218 FISMA: NTP Server Unreachable Displays events that indicate the remote NTP server is not reachable.

219 FISMA: Oracle Database Logins Displays Oracle database logins.

220 FISMA: Oracle Database Shutdown Displays Oracle database events related to shutting down the server.

221 FISMA: Oracle Database Failed Logins Displays all failed login attempts to the Oracle database.

222 FISMA: PANOS: Attacks by Event ID Displays Palo Alto Networks attacks by Event ID.

223 FISMA: PANOS: Attacks by Threat Name Displays Palo Alto Networks attacks by threat name.

224 FISMA: PANOS: Attacks Detected Displays attacks detected by Palo Alto Networks.

225 FISMA: Password Changes on Windows Servers

Displays all password change activities on Windows servers to ensure authorized and appropriate access.

226 FISMA: Periodic Review of Log Reports Displays all review activities performed by administrators to ensure review for any access violations.

227 FISMA: Periodic Review of User Access Logs

Displays all review activities performed by administrators to ensure review for any access violations.

228 FISMA: Permissions Modified on Windows Servers

Displays all permission modification activities on Windows servers to ensure authorized access.

229 FISMA: Policies Modified on Windows Servers

Displays all policy modification activities on Windows servers to ensure authorized and appropriate access.

230 FISMA: RACF Accounts Created Displays all accounts created on RACF servers to ensure authorized and appropriate access.

231 FISMA: RACF Accounts Deleted Displays all accounts deleted on RACF servers to ensure authorized and appropriate access.

232 FISMA: RACF Accounts Modified Displays all events when a network user profile has been modified.

233 FISMA: RACF Failed Logins Displays all failed login attempts to review any access violations or unusual activity.

234 FISMA: RACF Files Accessed Displays all files accessed on RACF servers to ensure appropriate access.

235 FISMA: RACF Password Changed Displays all password change activities on RACF servers to ensure authorized and appropriate access.

236 FISMA: RACF Permissions Changed Displays all permission modification activities on RACF to ensure authorized access.

237 FISMA: RACF Process Started Displays all processes started on the RACF servers.

238 FISMA: RACF Successful Logins Displays successful logins to ensure only authorized personnel have access.

239 FISMA: Software Update Successes on i5/OS

Displays all successful events related to the system’s software or patch update.

240 FISMA: Sybase ASE Database Backup and Restoration

Displays Sybase ASE DUMP and LOAD events.

241 FISMA: Sybase ASE Database Startup or Shutdown

Displays all startup and shutdown events for the Sybase database.

242 FISMA: Sybase ASE Failed Logins Displays failed Sybase ASE database logins.

243 FISMA: Sybase ASE Successful Logins Displays successful Sybase ASE database logins.

244 FISMA: Symantec AntiVirus: Attacks by Threat Name

Displays Symantec AntiVirus attacks by threat name.

245 FISMA: Symantec AntiVirus: Attacks Detected

Displays attacks detected by Symantec AntiVirus.

246 FISMA: Symantec AntiVirus: Scans Displays scans using Symantec Endpoint Protection.

247 FISMA: Symantec AntiVirus: Updated Displays updates to Symantec Endpoint Protection.

248 FISMA: Symantec Endpoint Protection: Attacks by Threat Name

Displays Symantec Endpoint Protection attacks by threat name.

249 FISMA: Symantec Endpoint Protection: Attacks Detected

Displays attacks detected by Symantec Endpoint Protection.

250 FISMA: Symantec Endpoint Protection Configuration Changes

Displays Symantec Endpoint Protection configuration changes.

251 FISMA: Symantec Endpoint Protection Password Changes

Displays all password change activities on Symantec Endpoint Protection to ensure authorized and appropriate access.

252 FISMA: Symantec Endpoint Protection Policy Add, Remove, or Modify

Displays all events when a Symantec Endpoint Protection policy is added, removed, or modified.

253 FISMA: Symantec Endpoint Protection: Scans

Displays scans using Symantec Endpoint Protection.

254 FISMA: Symantec Endpoint Protection: Updated

Updates to Symantec Endpoint Protection.

255 FISMA: System Restarted Displays all logs related to system restarts.

256 FISMA: TIBCO Administrator Password Changes

Displays all password change activities on TIBCO Administrator to ensure authorized and appropriate access.

257 FISMA: TIBCO Administrator Permission Changes

Displays events related to TIBCO Administrator permission modifications.

258 FISMA: TrendMicro Control Manager: Attacks Detected

Displays attacks detected by TrendMicro Control Manager.

259 FISMA: TrendMicro Control Manager: Attacks Detected by Threat

Displays attacks detected by TrendMicro Control Manager by threat name.

260 FISMA: TrendMicro OfficeScan: Attacks Detected

Displays attacks detected by TrendMicro OfficeScan.

261 FISMA: TrendMicro OfficeScan: Attacks Detected by Threat Name

Displays attacks detected by TrendMicro OfficeScan by threat name.

262 FISMA: UNIX Failed Logins Failed UNIX logins for known and unknown users.

263 FISMA: vCenter Change Attributes Modification of VMware vCenter and VMware ESX properties.

264 FISMA: vCenter Data Move Entity has been moved within the VMware vCenter infrastructure.

265 FISMA: vCenter Datastore Events Displays create, modify, and delete datastore events on VMware vCenter.

266 FISMA: vCenter Failed Logins Failed logins to the VMware vCenter console.

267 FISMA: vCenter Modify Firewall Policy Displays changes to the VMware ESX allowed services firewall policy.

268 FISMA: vCenter Orchestrator Change Attributes

Modification of VMware vCenter Orchestrator properties.

269 FISMA: vCenter Orchestrator Datastore Events

Displays create, modify, and delete datastore events on VMware vCenter Orchestrator.

270 FISMA: vCenter Orchestrator Data Move Entity has been moved within the VMware vCenter Orchestrator infrastructure.

271 FISMA: vCenter Orchestrator Failed Logins Displays all failed logins for VMware vCenter Orchestrator.

272 FISMA: vCenter Orchestrator Virtual Machine Created

Virtual machine has been created from VMware vCenter Orchestrator.

273 FISMA: vCenter Orchestrator Virtual Machine Deleted

Virtual machine has been deleted from VMware vCenter Orchestrator.

274 FISMA: vCenter Orchestrator Virtual Machine Shutdown

Virtual machine has been shutdown or paused from VMware vCenter Orchestrator console.

275 FISMA: vCenter Orchestrator Virtual Machine Started

Virtual machine has been started or resumed from VMware vCenter Orchestrator console.

276 FISMA: vCenter Orchestrator vSwitch Added, Changed or Removed

vSwitch has been added, modified or removed from VMware vCenter Orchestrator console.

277 FISMA: vCenter Resource Usage Change Resources have changed on VMware vCenter.

278 FISMA: vCenter Restart ESX Services VMware vCenter restarted services running on VMware ESX Server.

279 FISMA: vCenter Shutdown or Restart of ESX Server

VMware ESX Server is shutdown or restarted from VMware vCenter console.

280 FISMA: vCenter Successful Logins Successful logins to the VMware vCenter console.

281 FISMA: vCenter User Permission Change A permission role has been added, changed, removed, or applied to a user on VMware vCenter server.

282 FISMA: vCenter Virtual Machine Created Virtual machine has been created from VMware vCenter console.

283 FISMA: vCenter Virtual Machine Deleted Virtual machine has been deleted or removed from VMware vCenter console.

284 FISMA: vCenter Virtual Machine Shutdown Virtual machine has been shutdown or paused from VMware vCenter console.

285 FISMA: vCenter Virtual Machine Started Virtual machine has been started or resumed from VMware vCenter console.

286 FISMA: vCenter vSwitch Added, Changed or Removed

vSwitch on VMware ESX server has been added, modified or removed from the VMware vCenter console.

287 FISMA: vCloud Failed Logins Failed logins to the VMware vCloud Director console.

288 FISMA: vCloud Organization Created VMware vCloud Director organization created events.

289 FISMA: vCloud Organization Deleted VMware vCloud Director organization deleted events.

290 FISMA: vCloud Organization Modified VMware vCloud Director organization modified events.

291 FISMA: vCloud Successful Logins Successful logins to the VMware vCloud Director console.

292 FISMA: vCloud User Created VMware vCloud Director user created events.

293 FISMA: vCloud User Deleted or Removed VMware vCloud Director users have been deleted or removed from the system.

294 FISMA: vCloud vApp Created, Modified, or Deleted

VMware vCloud Director vApp created, deleted, and modified events.

295 FISMA: vCloud vDC Create, Modify, or Delete

VMware vCloud Director virtual datacenter created, modified, or deleted events.

296 FISMA: VPN Active Connections Displays all currently active VPN connections.

297 FISMA: VPN Connection Disconnect Reasons

Displays the disconnect reasons for VPN connections.

298 FISMA: VPN Connections by Users Displays users who made the most connections.

299 FISMA: VPN Denied Connections by Users Displays users with the most denied connections.

300 FISMA: VPN Sessions by Users Displays all VPN sessions categorized by authenticated users.

301 FISMA: VPN Users Accessing Corporate Network

Displays all users logging into the corporate network via Virtual Private Network to ensure appropriate access.

302 FISMA: vShield Edge Configuration Changes

Displays changes to VMware vShield Edge policies.

303 FISMA: Windows Accounts Enabled Displays all accounts enabled on Windows servers to ensure authorized and appropriate access.

304 FISMA: Windows Accounts Locked Displays all accounts locked out of Windows servers to detect access violations or unusual activities.

305 FISMA: Windows Audit Logs Cleared Displays all audit logs clearing activities on Windows servers to detect access violations or unusual activity.

306 FISMA: Windows Domain Activities Displays all trusted domains created or deleted on Windows servers to ensure authorized and appropriate access.

307 FISMA: Windows Events by Users Displays all Windows events summarized by user names.

308 FISMA: Windows Group Members Added Displays all accounts added to groups on the Windows servers to ensure appropriate access.

309 FISMA: Windows Group Members Deleted Displays all accounts removed from groups on the Windows servers to ensure appropriate access.

310 FISMA: Windows New Services Installed Displays a list of new services installed on Windows servers to ensure authorized access.

311 FISMA: Windows Programs Accessed Displays all programs started and stopped on servers to ensure appropriate access.

312 FISMA: Windows Servers Restarted Displays all Windows server restart activities to detect unusual activities.

313 FISMA: Windows Software Update Activities

Displays all events related to the system’s software or patch update.

314 FISMA: Windows Software Update Failures Displays all failed events related to the system’s software or patch update.

315 FISMA: Windows Software Update Successes

Displays all successful events related to the system’s software or patch update.

LogLogic Alerts for FISMA

The following table lists the alerts included in the LogLogic Compliance Suite: FISMA Edition.

# LogLogic Alert Description

1 FISMA: Accounts Created Alert when a new account is created on servers.

2 FISMA: Accounts Deleted Alert when an account is deleted on servers.

3 FISMA: Accounts Enabled Alert when an account has been enabled on servers.

4 FISMA: Accounts Locked Alert when an account has been locked on servers.

5 FISMA: Accounts Modified Alert when an account is modified on servers.

6 FISMA: Active Directory Changes Alert when changes are made within Active Directory.

7 FISMA: Anomalous Firewall Traffic Alert when firewall traffic patterns are out of the norm.

8 FISMA: Anomalous IDS Alerts Alert when IDS anomalies are above or below defined thresholds.

9 FISMA: Check Point Policy Changed Alert when a Check Point firewall’s policy has been modified.

10 FISMA: Cisco ISE, ACS Configuration Changed

Alert when configuration changes are made to the Cisco ISE or Cisco SecureACS.

11 FISMA: Cisco ISE, ACS Passwords Changed

Alert when a user changes their password via Cisco ISE and Cisco SecureACS.

12 FISMA: Cisco PIX, ASA, FWSM Failover Disabled

Alert when a Cisco PIX, ASA, or FWSM HA configuration is disabled.

13 FISMA: Cisco PIX, ASA, FWSM Failover Errors

Alert when an error has occurred during PIX, ASA, or FWSM failover.

14 FISMA: Cisco PIX, ASA, FWSM Failover Performed

Alert when a failover has occurred on the Cisco PIX, ASA, or FWSM devices.

15 FISMA: Cisco PIX, ASA, FWSM Policy Changed

Alert when a Cisco PIX, ASA, or FWSM firewall policy has been modified.

16 FISMA: Cisco PIX, ASA, FWSM Routing Failure

Alert when routing failure occurred in the Cisco PIX, ASA, or FWSM devices.

17 FISMA: Cisco Switch Policy Changed Alert when Cisco router or switch configuration has been modified.

18 FISMA: DB2 Database Backup Failed Alert when a DB2 database backup fails.

19 FISMA: DB2 Database Restore Failed Alert when a database restore fails on a DB2 database.

20 FISMA: DB2 Database Started or Stopped Alert when a DB2 database is started or stopped.

21 FISMA: DNS Server Shutdown Alert when DNS Server has been shutdown.

22 FISMA: DNS Server Started Alert when DNS Server has been started.

23 FISMA: Escalated Privileges Alert when a user or program has escalated privileges.

24 FISMA: F5 BIG-IP TMOS Risky Traffic F5 BIG-IP TMOS traffic considered risky.

25 FISMA: Firewall Traffic Considered Risky Alert on non HTTP, SSL, or SSH traffic passing through the firewall.

26 FISMA: Group Members Added Alert when new members are added to user groups.

27 FISMA: Group Members Deleted Alert when members are removed from user groups.

28 FISMA: Groups Created Alert when new user groups are created.

29 FISMA: Groups Deleted Alert when a user group is deleted.

30 FISMA: Groups Modified Alert when a user group has been modified.

31 FISMA: Guardium SQL Guard Logins Alert when a user logs into the Guardium SQL Database.

32 FISMA: Guardium SQL Guard Startup or Shutdown

Alert when the Guardium SQL Database is started or stopped.

33 FISMA: i5/OS Network Profile Changes Alerts when any changes are made to an i5/OS network profile.

34 FISMA: i5/OS Permission or Policy Change Alerts when policies or permissions are changed on the i5/OS.

35 FISMA: i5/OS Server or Service Status Change

Alerts when the i5/OS is restarted or a service stops or starts.

36 FISMA: i5/OS Software Updates Alert on events related to i5/OS software updates.

37 FISMA: i5/OS User Profile Changes Alerts when a user profile is changed on the i5/OS.

38 FISMA: IBM AIX Password Changed Alert when an account password is changed on IBM AIX servers.

39 FISMA: Juniper Firewall HA State Change Alert when Juniper Firewall has changed its failover state.

40 FISMA: Juniper Firewall Peer Missing Alert when a Juniper Firewall HA peer is missing.

41 FISMA: Juniper Firewall Policy Changes Alert when Juniper Firewall configuration is changed.

42 FISMA: Juniper Firewall Policy Out of Sync Alert when the Juniper Firewall’s policy is out of sync.

43 FISMA: Juniper VPN Policy Change Alert when Juniper VPN configuration is changed.

44 FISMA: Logins Failed Alert when login failures are over the defined threshold.

45 FISMA: Logins Succeeded Alert when successful logins are over the defined threshold.

46 FISMA: LogLogic Disk Full Alert when the LogLogic appliance’s disk is near full.

47 FISMA: LogLogic DSM Logins Alert when a user logs into the LogLogic DSM database.

48 FISMA: LogLogic DSM Startup or Shutdown

Alert when the LogLogic DSM database is started or stopped.

49 FISMA: LogLogic File Retrieval Errors Alert when problems are detected during log file retrieval.

50 FISMA: LogLogic HA State Change Alert when the LogLogic appliance failover state changes.

51 FISMA: LogLogic Message Routing Errors Alert when problems are detected during message forwarding.

52 FISMA: LogLogic NTP Service Stopped Alert when the LogLogic NTP engine has stopped.

53 FISMA: Microsoft Operations Manager - Permissions Changed

Alert when user or group permissions have been changed.

54 FISMA: Microsoft Operations Manager - Windows Passwords Changed

Alert when users have changed their passwords.

55 FISMA: Microsoft Operations Manager - Windows Policies Changed

Alert when Windows policies changed.

56 FISMA: Microsoft Sharepoint Content Deleted

Alerts on Microsoft Sharepoint content deleted events.

57 FISMA: Microsoft Sharepoint Content Updated

Alerts on Microsoft Sharepoint content updated events.

58 FISMA: Microsoft Sharepoint Permission Changed

Alerts on Microsoft Sharepoint permission changed events.

59 FISMA: Microsoft Sharepoint Policies Added, Removed, Modified

Alerts on Microsoft Sharepoint policy additions, deletions, and modifications.

60 FISMA: Microsoft SQL Server Backup Failed

Alert when Microsoft SQL Server backup process has failed.

61 FISMA: Microsoft SQL Server Restore Failed

Alert when Microsoft SQL Server restore process failed.

62 FISMA: Microsoft SQL Server Shutdown Alert when Microsoft SQL Server has been shutdown.

63 FISMA: NetApp Authentication Failure Alerts when NetApp authentication failure events occur.

64 FISMA: NetApp Filer Audit Policies Changed

Alert when NetApp Filer Audit policies changed.

65 FISMA: NetApp Filer Disk Failure Disks are failing on the NetApp Filer device.

66 FISMA: NetApp Filer Disk Inserted Alert when a disk is inserted into the NetApp Filer.

67 FISMA: NetApp Filer Disk Missing Disk is missing on the NetApp Filer device.

68 FISMA: NetApp Filer Disk Pulled Alert when a RAID disk has been pulled from the Filer device.

69 FISMA: NetApp Filer File System Full Alert when the file system is full on the NetApp Filer device.

70 FISMA: NetApp Filer Snapshot Error The NetApp Filer device is experiencing backup problems.

71 FISMA: NetApp Filer NIS Group Update Alert when the NIS group has been updated on the Filer device.

72 FISMA: NetApp Filer Unauthorized Mounting

Alert when an unauthorised mount event occurs.

73 FISMA: NTP Daemon Exited Alert when the NTP service has stopped.

74 FISMA: NTP Server Unreachable Alert when the remote NTP server is unreachable.

75 FISMA: Oracle Database Shutdown Alerts when an Oracle database is shutdown.

76 FISMA: RACF Files Accessed Alert when files are accessed on the RACF servers.

77 FISMA: RACF Passwords Changed Alert when users have changed their passwords.

78 FISMA: RACF Permissions Changed Alert when user or group permissions have been changed.

79 FISMA: RACF Process Started Alert whenever a process is run on a RACF server.

80 FISMA: Sybase ASE Database Backed Up or Restored

Alerts on backup and restore events to the Sybase ASE Database.

81 FISMA: Sybase ASE Database Started Alerts on Sybase ASE Database start events.

82 FISMA: Sybase ASE Database Stopped Alerts on Sybase ASE Database stop events.

83 FISMA: Symantec Endpoint Protection Configuration Changed

Alert when configuration changes are made to the Symantec Endpoint Protection.

84 FISMA: Symantec Endpoint Protection Policy Add, Delete, Modify

Alerts on Symantec Endpoint Protection additions, deletions, and modifications.

85 FISMA: System Restarted Alert when systems such as routers and switches have restarted.

86 FISMA: vCenter Create Virtual Machine Virtual machine has been created from VMware vCenter console.

87 FISMA: vCenter Data Move Entity has been moved within the VMware vCenter infrastructure.

88 FISMA: vCenter Datastore Event Displays create, modify, and delete datastore events on VMware vCenter.

89 FISMA: vCenter Delete Virtual Machine Virtual machine has been deleted or removed from VMware vCenter console.

90 FISMA: vCenter Firewall Policy Change Displays changes to the VMware ESX allowed services firewall policy.

91 FISMA: vCenter Orchestrator Create Virtual Machine

Virtual machine has been created from VMware vCenter Orchestrator console.

92 FISMA: vCenter Orchestrator Data Move Entity has been moved within the VMware vCenter Orchestrator infrastructure.

93 FISMA: vCenter Orchestrator Datastore Events

Displays create, modify, and delete datastore events on VMware vCenter Orchestrator.

94 FISMA: vCenter Orchestrator Delete Virtual Machine

Virtual machine has been deleted or removed from VMware vCenter Orchestrator console.

95 FISMA: vCenter Orchestrator Login Failed Failed logins to the VMware vCenter Orchestrator console.

96 FISMA: vCenter Orchestrator Virtual Machine Shutdown

Virtual machine has been shutdown or paused from VMware vCenter Orchestrator console.

97 FISMA: vCenter Orchestrator Virtual Machine Started

Virtual machine has been started or resumed from VMware vCenter Orchestrator console.

98 FISMA: vCenter Orchestrator vSwitch Add, Modify or Delete

vSwitch on VMware ESX server has been added, modified or removed from vCenter Orchestrator.

99 FISMA: vCenter Permission Change A permission role has been added, changed, removed, or applied on VMware vCenter.

100 FISMA: vCenter Restart ESX Services VMware vCenter restarted services running on VMware ESX Server.

101 FISMA: vCenter Shutdown or Restart ESX VMware ESX Server is shutdown from vCenter console.

102 FISMA: vCenter User Login Failed Failed logins to the VMware vCenter console.

103 FISMA: vCenter User Login Successful Successful logins to the VMware vCenter console.

104 FISMA: vCenter Virtual Machine Shutdown Virtual machine has been shutdown or paused from VMware vCenter console.

105 FISMA: vCenter Virtual Machine Started Virtual machine has been started or resumed from VMware vCenter console.

106 FISMA: vCenter vSwitch Add, Modify or Delete

Alert when vSwitch on VMware ESX server has been added, modified or removed from vCenter.

107 FISMA: vCloud Director Login Failed Failed logins to the VMware vCloud Director console.

108 FISMA: vCloud Director Login Success Successful logins to the VMware vCloud Director console.

109 FISMA: vCloud Organization Created Organization successfully created on VMware vCloud Director.

110 FISMA: vCloud Organization Deleted Organization successfully deleted on VMware vCloud Director.

111 FISMA: vCloud Organization Modified Organization successfully modified on VMware vCloud Director.

112 FISMA: vCloud User Created User successfully created on VMware vCloud Director.

113 FISMA: vCloud User, Group, or Role Modified

VMware vCloud Director user, group, or role has been modified.

114 FISMA: vCloud vApp Created, Deleted, or Modified

VMware vCloud Director vApp has been created, deleted, or modified.

115 FISMA: vCloud vDC Created, Modified, or Deleted

VMware vCloud Director Virtual Datacenters have been created, deleted, or modified.

116 FISMA: vShield Edge Configuration Change

Alerts on configuration changes to VMware vShield Edge policies.

117 FISMA: vShield Risky Traffic VMware vShield Edge traffic considered risky.

118 FISMA: Windows Audit Log Cleared Alert when audit logs on Windows servers have been cleared.

119 FISMA: Windows Files Accessed Show files accessed on the Windows servers.

120 FISMA: Windows Objects Create/Delete Alert when system level objects have been created or deleted.

121 FISMA: Windows Passwords Changed Alert when users have changed their passwords.

122 FISMA: Windows Permissions Changed Alert when user or group permissions have been changed.

123 FISMA: Windows Policies Changed Alert when Windows policies changed.

124 FISMA: Windows Process Started Displays all processes started on Windows servers.

125 FISMA: Windows Programs Accessed Programs started on the Windows servers.

126 FISMA: Windows Server Restarted Alert when a Windows server has been restarted.

127 FISMA: Windows Software Updates Alert on events related to Windows software updates.

128 FISMA: Windows Software Updates Failed Alert on failed events related to the software updates.

129 FISMA: Windows Software Updates Succeeded

Alert for successful events related to the software updates.

LogLogic Reports and Alerts Quick Reference

The following table lists the reports and alerts included in the LogLogic Compliance Suite for FISMA.

Section Description LogLogic Reports and Alerts

Access Control

AC-2 Account Management Compliance Suite Reports

FISMA: Accepted VPN Connections - RADIUS

FISMA: Account Activities on UNIX Servers

FISMA: Account Activities on Windows Servers

FISMA: Accounts Changed on NetApp Filer

FISMA: Accounts Changed on Sidewinder

FISMA: Accounts Changed on TIBCO Administrator

FISMA: Accounts Created on NetApp Filer

FISMA: Accounts Created on NetApp Filer Audit

FISMA: Accounts Created on Sidewinder

FISMA: Accounts Created on Symantec Endpoint Protection

FISMA: Accounts Created on TIBCO Administrator

FISMA: Accounts Created on UNIX Servers

FISMA: Accounts Created on Windows Servers

FISMA: Accounts Deleted on NetApp Filer

FISMA: Accounts Deleted on NetApp Filer Audit

FISMA: Accounts Deleted on Sidewinder

FISMA: Accounts Deleted on Symantec Endpoint Protection

FISMA: Accounts Deleted on TIBCO Administrator

FISMA: Accounts Deleted on UNIX Servers

FISMA: Accounts Deleted on Windows Servers

FISMA: Administrators Activities on Servers

FISMA: Check Point Management Station Login

FISMA: Cisco ISE, ACS Accounts Created

FISMA: Cisco ISE, ACS Accounts Removed

FISMA: Cisco ISE, ACS Password Changes

FISMA: DB2 Database Failed Logins

FISMA: DB2 Database Logins

FISMA: Denied VPN Connections - RADIUS

FISMA: Escalated Privilege Activities on Servers

FISMA: ESX Accounts Activities

FISMA: ESX Accounts Created

FISMA: ESX Accounts Deleted

FISMA: ESX Failed Logins

FISMA: ESX Group Activities

FISMA: ESX Logins Failed Unknown User

FISMA: ESX Logins Succeeded

FISMA: F5 BIG-IP TMOS Login Failed

FISMA: F5 BIG-IP TMOS Login Successful

FISMA: F5 BIG-IP TMOS Password Changes

FISMA: Failed Logins

FISMA: Guardium SQL Guard Audit Logins

FISMA: Guardium SQL Guard Logins

FISMA: Group Activities on NetApp Filer Audit

FISMA: Group Activities on Symantec Endpoint Protection

FISMA: Group Activities on UNIX Servers

FISMA: Group Activities on Windows Servers

FISMA: i5/OS DST Password Reset

FISMA: i5/OS Network User Login Failed

FISMA: i5/OS Network User Login Successful

FISMA: i5/OS Object Permissions Modified

FISMA: i5/OS User Login Failed

FISMA: i5/OS User Login Successful

FISMA: Juniper SSL VPN (Secure Access) Failed Logins

FISMA: Juniper SSL VPN (Secure Access) Failed Logins by User

FISMA: Juniper SSL VPN (Secure Access) Successful Logins

FISMA: Juniper SSL VPN (Secure Access) Successful Logins by User

FISMA: Juniper SSL VPN Failed Logins

FISMA: Juniper SSL VPN Failed Logins by User

FISMA: Juniper SSL VPN Successful Logins

FISMA: Juniper SSL VPN Successful Logins by User

FISMA: LogLogic DSM Logins

FISMA: Microsoft Operations Manager - Windows Account Activities

FISMA: Microsoft Operations Manager - Windows Password Changes

FISMA: Microsoft Operations Manager - Windows Permissions Modified

FISMA: Microsoft Operations Manager - Windows Policies Modified

FISMA: Microsoft Sharepoint Permissions Changed

FISMA: Microsoft Sharepoint Policy Add, Remove, or Modify

FISMA: Microsoft SQL Server Database Failed Logins

FISMA: Microsoft SQL Server Database Logins

FISMA: NetApp Filer Audit Login Failed

FISMA: NetApp Filer Audit Login Successful

FISMA: NetApp Filer Login Failed

AC-2 Account Management Compliance Suite Reports - Continued

FISMA: NetApp Filer Login Successful

FISMA: NetApp Filer Password Changes

FISMA: Oracle Database Logins

FISMA: Oracle Database Failed Logins

FISMA: RACF Failed Logins

FISMA: RACF Password Changed

FISMA: RACF Permissions Changed

FISMA: RACF Successful Logins

FISMA: Successful Logins

FISMA: Sybase ASE Failed Logins

FISMA: Sybase ASE Successful Logins

FISMA: Symantec Endpoint Protection Password Changes

FISMA: TIBCO Administrator Password Changes

FISMA: TIBCO Administrator Permission Changes

FISMA: UNIX Failed Logins

FISMA: vCenter Failed Logins

FISMA: vCenter Orchestrator Failed Logins

FISMA: vCenter Successful Logins

FISMA: vCloud Failed Logins

FISMA: vCloud Successful Logins

FISMA: vCloud User Created

FISMA: vCloud User Deleted or Removed

FISMA: VPN Users Accessing Corporate Network

FISMA: Password Changes on Windows Servers

FISMA: Permissions Modified on Windows Servers

FISMA: Policies Modified on Windows Servers

AC-2 Account Management Compliance Suite Alerts

FISMA: Accounts Created

FISMA: Accounts Deleted

FISMA: Cisco ISE, ACS Passwords Changed

FISMA: Escalated Privileges

FISMA: Groups Created

FISMA: Groups Deleted

FISMA: Groups Modified

FISMA: Guardium SQL Guard Logins

FISMA: i5/OS Network Profile Changes

FISMA: i5/OS Permission or Policy Change

FISMA: i5/OS User Profile Changes

FISMA: IBM AIX Password Changed

FISMA: Logins Failed

FISMA: Logins Succeeded

FISMA: LogLogic DSM Logins

FISMA: Microsoft Operations Manager - Permissions Changed

FISMA: Microsoft Operations Manager - Windows Passwords Changed

FISMA: Microsoft Operations Manager - Windows Policies Changed

FISMA: Microsoft Sharepoint Permission Changed

FISMA: Microsoft Sharepoint Policies Added, Removed, Modified

FISMA: NetApp Authentication Failure

FISMA: RACF Passwords Changed

FISMA: RACF Permissions Changed

FISMA: Symantec Endpoint Protection Policy Add, Delete, Modify

FISMA: vCenter Orchestrator Login Failed

FISMA: vCenter User Login Failed

FISMA: vCenter User Login Successful

FISMA: vCloud Director Login Failed

FISMA: vCloud Director Login Success

FISMA: vCloud User Created

FISMA: Windows Objects Create/Delete

FISMA: Windows Passwords Changed

FISMA: Windows Permissions Changed

FISMA: Windows Policies Changed

Access Control

AC-3 Access Enforcement Compliance Suite Reports

FISMA: Active Directory System Changes

FISMA: Check Point Configuration Changes

FISMA: Check Point Object Activity

FISMA: Cisco ISE, ACS Configuration Changes

FISMA: Cisco PIX, ASA, FWSM Policy Changes

FISMA: Cisco PIX, ASA, FWSM Routing Failure

FISMA: Cisco Switch Policy Changes

FISMA: Firewall Traffic Considered Risky - Cisco PIX

FISMA: Firewall Traffic Considered Risky - Juniper Firewall

FISMA: Firewall Traffic Considered Risky - Juniper JunOS

FISMA: Firewall Traffic Considered Risky - Check Point

FISMA: Firewall Traffic Considered Risky - Cisco ASA

FISMA: Firewall Traffic Considered Risky - Cisco FWSM

FISMA: Firewall Traffic Considered Risky - Cisco IOS

FISMA: Firewall Traffic Considered Risky - Cisco Netflow

FISMA: Firewall Traffic Considered Risky - Fortinet

FISMA: Firewall Traffic Considered Risky - F5 BIG-IP TMOS

FISMA: Firewall Traffic Considered Risky - Juniper RT Flow

FISMA: Firewall Traffic Considered Risky - Nortel

FISMA: Firewall Traffic Considered Risky - PANOS

FISMA: Firewall Traffic Considered Risky - Sidewinder

FISMA: Firewall Traffic Considered Risky - VMware vShield

FISMA: Juniper Firewall Policy Changed

FISMA: Juniper SSL VPN (Secure Access) Policy Changed

FISMA: NetApp Filer Audit Policies Modified

FISMA: Symantec Endpoint Protection Configuration Changes

FISMA: Symantec Endpoint Protection Policy Add, Remove, or Modify

FISMA: vCenter Change Attributes

FISMA: vCenter Modify Firewall Policy

FISMA: vCenter Orchestrator Change Attributes

FISMA: vCenter Orchestrator vSwitch Added, Changed or Removed

FISMA: vCenter Resource Usage Change

FISMA: vCenter vSwitch Added, Changed or Removed

FISMA: vShield Edge Configuration Changes

Compliance Suite Alerts

FISMA: Active Directory Changes

FISMA: Check Point Policy Changed

FISMA: Cisco ISE, ACS Configuration Changed

FISMA: Cisco PIX, ASA, FWSM Policy Changed

FISMA: Cisco PIX, ASA, FWSM Routing Failure

FISMA: Cisco Switch Policy Changes

FISMA: F5 BIG-IP TMOS Risky Traffic

AC-3 Access Enforcement Compliance Suite Alerts - Continued

FISMA: Firewall Traffic Considered Risky

FISMA: Juniper Firewall Policy Changes

FISMA: Juniper VPN Policy Change

FISMA: NetApp Filer Audit Policies Changed

FISMA: Symantec Endpoint Protection Configuration Changed

FISMA: vCenter Firewall Policy Change

FISMA: vCenter Orchestrator vSwitch Add, Modify or Delete

FISMA: vCenter vSwitch Add Modify or Delete

FISMA: vShield Edge Configuration Change

FISMA: vShield Risky Traffic

AC-4 Information Flow Enforcement

Compliance Suite Reports

FISMA: Active Directory System Changes

FISMA: Check Point Configuration Changes

FISMA: Check Point Object Activity

FISMA: Cisco ISE, ACS Configuration Changes

FISMA: Cisco Line Protocol Status Changes

FISMA: Cisco Link Status Changes

FISMA: Cisco PIX, ASA, FWSM Policy Changed

FISMA: Cisco Switch Policy Changes

FISMA: Firewall Connections Accepted - Check Point

FISMA: Firewall Connections Accepted - Cisco ASA

FISMA: Firewall Connections Accepted - Cisco FWSM

FISMA: Firewall Connections Accepted - Cisco IOS

FISMA: Firewall Connections Accepted - Cisco Netflow

FISMA: Firewall Connections Accepted - Cisco NXOS

FISMA: Firewall Connections Accepted - Cisco PIX

FISMA: Firewall Connections Accepted - F5 BIG-IP TMOS

FISMA: Firewall Connections Accepted - Fortinet

FISMA: Firewall Connections Accepted - Juniper Firewall

FISMA: Firewall Connections Accepted - Juniper JunOS

FISMA: Firewall Connections Accepted - Juniper RT Flow

FISMA: Firewall Connections Accepted - Nortel

FISMA: Firewall Connections Accepted - PANOS

FISMA: Firewall Connections Accepted - Sidewinder

FISMA: Firewall Connections Accepted - VMware vShield

FISMA: Firewall Connections Denied - Check Point

FISMA: Firewall Connections Denied - Cisco ASA

FISMA: Firewall Connections Denied - Cisco FWSM

FISMA: Firewall Connections Denied - Cisco IOS

FISMA: Firewall Connections Denied - Cisco NXOS

FISMA: Firewall Connections Denied - Cisco PIX

FISMA: Firewall Connections Denied - Cisco Router

FISMA: Firewall Connections Denied - F5 BIG-IP TMOS

FISMA: Firewall Connections Denied - Fortinet

FISMA: Firewall Connections Denied - Juniper Firewall

FISMA: Firewall Connections Denied - Juniper JunOS

FISMA: Firewall Connections Denied - Juniper RT Flow

FISMA: Firewall Connections Denied - Nortel

FISMA: Firewall Connections Denied - PANOS

FISMA: Firewall Connections Denied - Sidewinder

FISMA: Firewall Connections Denied - VMware vShield

FISMA: Firewall Traffic Considered Risky - Cisco IOS

FISMA: Firewall Traffic Considered Risky - Cisco Netflow

FISMA: Firewall Traffic Considered Risky - Cisco PIX

FISMA: Firewall Traffic Considered Risky - Juniper Firewall

FISMA: Firewall Traffic Considered Risky - Juniper JunOS

FISMA: Firewall Traffic Considered Risky - Check Point

FISMA: Firewall Traffic Considered Risky - Cisco ASA

FISMA: Firewall Traffic Considered Risky - Cisco FWSM

FISMA: Firewall Traffic Considered Risky - Fortinet

FISMA: Firewall Traffic Considered Risky - F5 BIG-IP TMOS

AC-4 Information Flow Enforcement

Compliance Suite Reports - Continued

FISMA: Firewall Traffic Considered Risky - Juniper JunOS

FISMA: Firewall Traffic Considered Risky - Juniper RT Flow

FISMA: Firewall Traffic Considered Risky - Nortel

FISMA: Firewall Traffic Considered Risky - PANOS

FISMA: Firewall Traffic Considered Risky - Sidewinder

FISMA: Firewall Traffic Considered Risky - VMware vShield

FISMA: Juniper Firewall Policy Changes

FISMA: Juniper SSL VPN (Secure Access) Policy Changed

FISMA: NetApp Filer Audit Policies Modified

FISMA: Symantec Endpoint Protection Configuration Changes

FISMA: Symantec Endpoint Protection Policy Add, Remove, or Modify

FISMA: vCenter Change Attributes

FISMA: vCenter Modify Firewall Policy

FISMA: vCenter Orchestrator Change Attributes

FISMA: vCenter Orchestrator vSwitch Added, Changed or Removed

FISMA: vCenter Resource Usage Change

FISMA: vCenter vSwitch Added, Changed or Removed

FISMA: vShield Edge Configuration Changes

Compliance Suite Alerts

FISMA: Active Directory Changes

FISMA: Anomalous Firewall Traffic

FISMA: Check Point Policy Changed

FISMA: Cisco ISE, ACS Configuration Changed

FISMA: Cisco PIX, ASA, FWSM Policy Changed

FISMA: Cisco Switch Policy Changed

FISMA: F5 BIG-IP TMOS Risky Traffic

FISMA: Firewall Traffic Considered Risky

FISMA: Juniper Firewall Policy Changed

FISMA: Juniper VPN Policy Change

FISMA: NetApp Filer Audit Policies Changed

FISMA: Symantec Endpoint Protection Configuration Changed

FISMA: vCenter Firewall Policy Change

FISMA: vCenter Orchestrator vSwitch Add, Modify or Delete

FISMA: vCenter vSwitch Add, Modify or Delete

FISMA: vShield Edge Configuration Change

FISMA: vShield Risky Traffic

AC-5 Separation of Duties Compliance Suite Reports

FISMA: Account Activities on UNIX Servers

FISMA: Account Activities on Windows Servers

FISMA: Accounts Changed on NetApp Filer

FISMA: Accounts Changed on TIBCO Administrator

FISMA: Accounts Created on NetApp Filer

FISMA: Accounts Created on NetApp Filer Audit

FISMA: Accounts Changed on Sidewinder

FISMA: Accounts Created on Sidewinder

FISMA: Accounts Created on Symantec Endpoint Protection

FISMA: Accounts Created on TIBCO Administrator

FISMA: Accounts Created on UNIX Servers

FISMA: Accounts Created on Windows Servers

FISMA: Accounts Deleted on NetApp Filer

FISMA: Accounts Deleted on NetApp Filer Audit

FISMA: Accounts Deleted on Sidewinder

FISMA: Accounts Deleted on Symantec Endpoint Protection

FISMA: Accounts Deleted on TIBCO Administrator

FISMA: Accounts Deleted on UNIX Servers

FISMA: Accounts Deleted on Windows Servers

FISMA: Administrators Activities on Servers

FISMA: Cisco ISE, ACS Accounts Created

FISMA: Cisco ISE, ACS Accounts Removed

FISMA: Cisco ISE, ACS Password Changes

FISMA: Escalated Privilege Activities on Servers

FISMA: ESX Accounts Activities

FISMA: ESX Accounts Created

FISMA: ESX Accounts Deleted

FISMA: F5 BIG-IP TMOS Password Changes

FISMA: Group Activities on NetApp Filer Audit

FISMA: Group Activities on Symantec Endpoint Protection

FISMA: Group Activities on UNIX Servers

FISMA: Group Activities on Windows Servers

FISMA: i5/OS DST Password Reset

FISMA: i5/OS Object Permissions Modified

FISMA: Microsoft Operations Manager - Windows Account Activities

FISMA: Microsoft Operations Manager - Windows Password Changes

FISMA: Microsoft Operations Manager - Windows Permissions Modified

FISMA: Microsoft Operations Manager - Windows Policies Modified

AC-5 Separation of Duties Compliance Suite Reports - Continued

FISMA: Microsoft Sharepoint Permissions Changed

FISMA: Microsoft Sharepoint Policy Add, Remove, or Modify

FISMA: NetApp Filer Password Changes

FISMA: RACF Password Changed

FISMA: RACF Permissions Changed

FISMA: Symantec Endpoint Protection Password Changes

FISMA: TIBCO Administrator Password Changes

FISMA: TIBCO Administrator Permission Changes

FISMA: vCenter Orchestrator Virtual Machine Created

FISMA: vCenter Orchestrator Virtual Machine Deleted

FISMA: vCenter Virtual Machine Created

FISMA: vCenter Virtual Machine Deleted

FISMA: vCloud Organization Created

FISMA: vCloud Organization Deleted

FISMA: vCloud Organization Modified

FISMA: vCloud User Created

FISMA: vCloud User Deleted or Removed

FISMA: vCloud vApp Created, Modified, or Deleted

FISMA: vCloud vDC Create, Modify, or Delete

FISMA: Password Changes on Windows Servers

FISMA: Permissions Modified on Windows Servers

FISMA: Policies Modified on Windows Servers

AC-5 Separation of Duties Compliance Suite Alerts

FISMA: Anomalous Firewall Traffic

FISMA: Accounts Created

FISMA: Accounts Deleted

FISMA: Cisco ISE, ACS Passwords Changed

FISMA: Escalated Privileges

FISMA: Group Members Added

FISMA: Groups Created

FISMA: i5/OS Network Profile Changes

FISMA: i5/OS Permission or Policy Change

FISMA: i5/OS User Profile Changes

FISMA: IBM AIX Password Changed

FISMA: Microsoft Operations Manager - Permissions Changed

FISMA: Microsoft Operations Manager - Windows Passwords Changed

FISMA: Microsoft Sharepoint Permission Changed

FISMA: Microsoft Sharepoint Policies Added, Removed, Modified

FISMA: RACF Passwords Changed

FISMA: RACF Permissions Changed

FISMA: Symantec Endpoint Protection Policy Add, Delete, Modify

FISMA: vCenter Create Virtual Machine

FISMA: vCenter Delete Virtual Machine

FISMA: vCenter Orchestrator Create Virtual Machine

FISMA: vCenter Orchestrator Delete Virtual Machine

FISMA: vCloud Organization Created

FISMA: vCloud Organization Deleted

FISMA: vCloud Organization Modified

FISMA: vCloud User Created

FISMA: vCloud vApp Created, Deleted, or Modified

FISMA: vCloud vDC Created, Modified, or Deleted

FISMA: Windows Objects Create/Delete

FISMA: Windows Passwords Changed

FISMA: Windows Permissions Changed

AC-6 Least Privilege Compliance Suite Reports

FISMA: Account Activities on UNIX Servers

FISMA: Account Activities on Windows Servers

FISMA: Accounts Changed on NetApp Filer

FISMA: Accounts Changed on Sidewinder

FISMA: Accounts Changed on TIBCO Administrator

FISMA: Accounts Created on NetApp Filer

FISMA: Accounts Created on NetApp Filer Audit

FISMA: Accounts Created on Sidewinder

FISMA: Accounts Created on Symantec Endpoint Protection

FISMA: Accounts Created on TIBCO Administrator

FISMA: Accounts Created on UNIX Servers

FISMA: Accounts Created on Windows Servers

FISMA: Accounts Deleted on NetApp Filer

FISMA: Accounts Deleted on NetApp Filer Audit

FISMA: Accounts Deleted on Sidewinder

FISMA: Accounts Deleted on Symantec Endpoint Protection

FISMA: Accounts Deleted on TIBCO Administrator

FISMA: Accounts Deleted on UNIX Servers

FISMA: Accounts Deleted on Windows Servers

FISMA: Administrators Activities on Servers

FISMA: Check Point Management Station Login

FISMA: Cisco ISE, ACS Accounts Created

FISMA: Cisco ISE, ACS Accounts Removed

FISMA: DB2 Database Logins

FISMA: Escalated Privilege Activities on Servers

FISMA: ESX Accounts Activities

FISMA: ESX Accounts Created

FISMA: ESX Accounts Deleted

FISMA: ESX Group Activities

FISMA: ESX Logins Succeeded

FISMA: Files Accessed on NetApp Filer Audit

FISMA: Files Accessed on Servers

FISMA: Files Accessed through Juniper SSL VPN (Secure Access)

FISMA: Guardium SQL Guard Audit Logins

FISMA: Guardium SQL Guard Logins

FISMA: Group Activities on NetApp Filer Audit

FISMA: Group Activities on Symantec Endpoint Protection

FISMA: Group Activities on UNIX Servers

FISMA: Group Activities on Windows Servers

AC-6 Least Privilege Compliance Suite Reports - Continued

FISMA: i5/OS Files Accessed

FISMA: i5/OS Network User Login Successful

FISMA: i5/OS Network User Profile Modified

FISMA: i5/OS Service Started

FISMA: i5/OS User Login Successful

FISMA: i5/OS User Profile Modifications

FISMA: Successful Logins

FISMA: LogLogic DSM Logins

FISMA: Microsoft Operations Manager - Windows Account Activities

FISMA: Microsoft Sharepoint Content Deleted

FISMA: Microsoft Sharepoint Content Updates

FISMA: Microsoft SQL Server Database Logins

FISMA: NetApp Filer File activity

FISMA: Oracle Database Logins

FISMA: RACF Accounts Modified

FISMA: RACF Files Accessed

FISMA: RACF Process Started

FISMA: RACF Successful Logins

FISMA: Sybase ASE Successful Logins

FISMA: vCenter Data Move

FISMA: vCenter Datastore Events

FISMA: vCenter Failed Logins

FISMA: vCenter Orchestrator Datastore Events

FISMA: vCenter Orchestrator Data Move

FISMA: vCenter Orchestrator Failed Logins

FISMA: vCenter Successful Logins

FISMA: vCenter User Permission Change

FISMA: vCloud Failed Logins

FISMA: vCloud Successful Logins

FISMA: vCloud User Created

FISMA: vCloud User Deleted or Removed

FISMA: VPN Users Accessing Corporate Network

FISMA: Windows Programs Accessed

AC-6 Least Privilege Compliance Suite Alerts

FISMA: Accounts Created

FISMA: Accounts Deleted

FISMA: Accounts Modified

FISMA: Escalated Privileges

FISMA: Groups Created

FISMA: Groups Deleted

FISMA: Groups Modified

FISMA: Guardium SQL Guard Logins

FISMA: i5/OS Network Profile Changes

FISMA: i5/OS User Profile Changes

FISMA: Logins Failed

FISMA: Logins Succeeded

FISMA: LogLogic DSM Logins

FISMA: Microsoft Sharepoint Content Deleted

FISMA: Microsoft Sharepoint Content Updated

FISMA: NetApp Authentication Failure

FISMA: NetApp Filer NIS Group Update

FISMA: RACF Files Accessed

FISMA: RACF Process Started

FISMA: vCenter Data Move

FISMA: vCenter Datastore Event

FISMA: vCenter Orchestrator Data Move

FISMA: vCenter Orchestrator Datastore Event

FISMA: vCenter Orchestrator Login Failed

FISMA: vCenter Permission Change

FISMA: vCenter User Login Failed

FISMA: vCenter User Login Successful

FISMA: vCloud Director Login Failed

FISMA: vCloud Director Login Success

FISMA: vCloud User Created

FISMA: vCloud User, Group, or Role Modified

FISMA: Windows Files Accessed

FISMA: Windows Objects Create/Delete

FISMA: Windows Programs Accessed

AC-7 Unsuccessful Login Attempts Compliance Suite Reports

FISMA: Accepted VPN Connections - RADIUS

FISMA: Check Point Management Station Login

FISMA: DB2 Database Failed Logins

FISMA: DB2 Database Logins

FISMA: Denied VPN Connections - RADIUS

FISMA: ESX Failed Logins

FISMA: ESX Logins Failed Unknown User

FISMA: ESX Logins Succeeded

FISMA: F5 BIG-IP TMOS Login Failed

FISMA: F5 BIG-IP TMOS Login Successful

FISMA: Failed Logins

FISMA: Guardium SQL Guard Audit Logins

FISMA: Guardium SQL Guard Logins

FISMA: i5/OS Network User Login Failed

FISMA: i5/OS Network User Login Successful

FISMA: i5/OS User Login Failed

FISMA: i5/OS User Login Successful

FISMA: Juniper SSL VPN (Secure Access) Failed Logins

FISMA: Juniper SSL VPN (Secure Access) Failed Logins by User

FISMA: Juniper SSL VPN (Secure Access) Successful Logins

FISMA: Juniper SSL VPN (Secure Access) Successful Logins by User

FISMA: Juniper SSL VPN Failed Logins

FISMA: Juniper SSL VPN Failed Logins by User

FISMA: Juniper SSL VPN Successful Logins

FISMA: Juniper SSL VPN Successful Logins by User

FISMA: NetApp Filer Audit Login Failed

FISMA: NetApp Filer Audit Login Successful

FISMA: Successful Logins

FISMA: LogLogic DSM Logins

FISMA: Microsoft SQL Server Database Failed Logins

FISMA: Microsoft SQL Server Database Logins

FISMA: NetApp Filer Login Failed

FISMA: NetApp Filer Login Successful

FISMA: Oracle Database Logins

FISMA: Oracle Database Failed Logins

FISMA: RACF Failed Logins

FISMA: RACF Successful Logins

FISMA: Sybase ASE Failed Logins

AC-7 Unsuccessful Login Attempts Compliance Suite Reports - Continued

FISMA: Sybase ASE Successful Logins

FISMA: UNIX Failed Logins

FISMA: vCenter Failed Logins

FISMA: vCenter Orchestrator Failed Logins

FISMA: vCenter Successful Logins

FISMA: vCloud Failed Logins

FISMA: vCloud Successful Logins

FISMA: VPN Users Accessing Corporate Network

Compliance Suite Alerts

FISMA: Guardium SQL Guard Logins

FISMA: Logins Failed

FISMA: Logins Succeeded

FISMA: LogLogic DSM Logins

FISMA: NetApp Authentication Failure

FISMA: vCenter User Login Failed

FISMA: vCenter User Login Successful

FISMA: vCenter Orchestrator Login Failed

FISMA: vCloud Director Login Failed

FISMA: vCloud Director Login Success

AC-12 Session Termination Compliance Suite Reports

FISMA: Account Activities on UNIX Servers

FISMA: Account Activities on Windows Servers

FISMA: Administrators Activities on Servers

FISMA: Escalated Privilege Activities on Servers

FISMA: Microsoft Operations Manager - Windows Account Activities

FISMA: Microsoft Operations Manager - Windows Events by Users

FISMA: Microsoft Operations Manager - Windows Policies Modified

FISMA: Microsoft Sharepoint Policy Add, Delete, or Modify

FISMA: Policies Modified on Windows Servers

FISMA: Windows Events by Users

Compliance Suite Alerts

FISMA: Escalated Privileges

FISMA: Symantec Endpoint Protection Policy Add, Delete, Modify

FISMA: Microsoft Operations Manager - Windows Policies Changed

FISMA: Microsoft Sharepoint Policies Added, Removed, Modified

FISMA: Windows Policies Changed

AC-13 Supervision and Review – Access Control

Compliance Suite Reports

FISMA: Accepted VPN Connections - RADIUS

FISMA: Account Activities on UNIX Servers

FISMA: Account Activities on Windows Servers

FISMA: Accounts Changed on NetApp Filer

FISMA: Accounts Changed on Sidewinder

FISMA: Accounts Changed on TIBCO Administrator

FISMA: Accounts Created on NetApp Filer

FISMA: Accounts Created on NetApp Filer Audit

FISMA: Accounts Created on Sidewinder

FISMA: Accounts Created on Symantec Endpoint Protection

FISMA: Accounts Created on TIBCO Administrator

FISMA: Accounts Created on UNIX Servers

FISMA: Accounts Created on Windows Servers

FISMA: Accounts Deleted on NetApp Filer

FISMA: Accounts Deleted on NetApp Filer Audit

FISMA: Accounts Deleted on Sidewinder

FISMA: Accounts Deleted on Symantec Endpoint Protection

FISMA: Accounts Deleted on TIBCO Administrator

FISMA: Accounts Deleted on UNIX Servers

FISMA: Accounts Deleted on Windows Servers

FISMA: Administrators Activities on Servers

FISMA: Cisco ISE, ACS Accounts Created

FISMA: Cisco ISE, ACS Accounts Removed

FISMA: Cisco ISE, ACS Password Changes

FISMA: Check Point Management Station Login

FISMA: DB2 Database Failed Logins

FISMA: DB2 Database Logins

FISMA: Denied VPN Connections - RADIUS

FISMA: Escalated Privilege Activities on Servers

FISMA: ESX Accounts Activities

FISMA: ESX Accounts Created

FISMA: ESX Accounts Deleted

FISMA: ESX Failed Logins

FISMA: ESX Group Activities

FISMA: ESX Logins Failed Unknown User

FISMA: ESX Logins Succeeded

FISMA: F5 BIG-IP TMOS Login Failed

AC-13 Supervision and Review – Access Control

Compliance Suite Reports - Continued

FISMA: F5 BIG-IP TMOS Login Successful

FISMA: F5 BIG-IP TMOS Password Changes

FISMA: Failed Logins

FISMA: Guardium SQL Guard Audit Logins

FISMA: Guardium SQL Guard Logins

FISMA: Group Activities on NetApp Filer Audit

FISMA: Group Activities on Symantec Endpoint Protection

FISMA: Group Activities on UNIX Servers

FISMA: Group Activities on Windows Servers

FISMA: i5/OS DST Password Reset

FISMA: i5/OS Network User Login Failed

FISMA: i5/OS Network User Login Successful

FISMA: i5/OS Object Permissions Modified

FISMA: i5/OS User Login Failed

FISMA: i5/OS User Login Successful

FISMA: Juniper SSL VPN (Secure Access) Failed Logins

FISMA: Juniper SSL VPN (Secure Access) Failed Logins by User

FISMA: Juniper SSL VPN (Secure Access) Successful Logins

FISMA: Juniper SSL VPN (Secure Access) Successful Logins by User

FISMA: Juniper SSL VPN Failed Logins

FISMA: Juniper SSL VPN Failed Logins by User

FISMA: Juniper SSL VPN Successful Logins

FISMA: Juniper SSL VPN Successful Logins by User

FISMA: LogLogic DSM Logins

FISMA: Microsoft Operations Manager - Windows Account Activities

FISMA: Microsoft Operations Manager - Windows Password Changes

FISMA: Microsoft Operations Manager - Windows Permissions Modified

FISMA: Microsoft Operations Manager - Windows Policies Modified

FISMA: Microsoft Sharepoint Permissions Changed

FISMA: Microsoft Sharepoint Policy Add, Remove, or Modify

FISMA: Microsoft SQL Server Database Failed Logins

FISMA: Microsoft SQL Server Database Logins

FISMA: NetApp Filer Audit Login Failed

FISMA: NetApp Filer Audit Login Successful

FISMA: NetApp Filer Login Failed

FISMA: NetApp Filer Login Successful

FISMA: NetApp Filer Password Changes

FISMA: Oracle Database Logins

FISMA: Oracle Database Failed Logins

AC-13 Supervision and Review – Access Control

Compliance Suite Reports - Continued

FISMA: RACF Failed Logins

FISMA: RACF Password Changed

FISMA: RACF Permissions Changed

FISMA: RACF Successful Logins

FISMA: Successful Logins

FISMA: Sybase ASE Failed Logins

FISMA: Sybase ASE Successful Logins

FISMA: Symantec Endpoint Protection Password Changes

FISMA: TIBCO Administrator Password Changes

FISMA: TIBCO Administrator Permission Changes

FISMA: UNIX Failed Logins

FISMA: vCenter Failed Logins

FISMA: vCenter Successful Logins

FISMA: vCloud Failed Logins

FISMA: vCenter Orchestrator Failed Logins

FISMA: vCloud Successful Logins

FISMA: vCloud User Created

FISMA: vCloud User Deleted or Removed

FISMA: VPN Users Accessing Corporate Network

FISMA: Password Changes on Windows Servers

FISMA: Permissions Modified on Windows Servers

FISMA: Policies Modified on Windows Servers

Compliance Suite Alerts

FISMA: Accounts Created

FISMA: Accounts Deleted

FISMA: Cisco ISE, ACS Passwords Changed

FISMA: Escalated Privileges

FISMA: Groups Created

FISMA: Groups Deleted

FISMA: Groups Modified

FISMA: Guardium SQL Guard Logins

FISMA: i5/OS Network Profile Changes

FISMA: i5/OS Permission or Policy Change

FISMA: i5/OS User Profile Changes

FISMA: IBM AIX Password Changed

AC-13 Supervision and Review – Access Control

Compliance Suite Alerts - Continued

FISMA: Logins Failed

FISMA: Logins Succeeded

FISMA: LogLogic DSM Logins

FISMA: Microsoft Operations Manager - Permissions Changed

FISMA: Microsoft Operations Manager - Windows Passwords Changed

FISMA: Microsoft Operations Manager - Windows Policies Changed

FISMA: Microsoft Sharepoint Permission Changed

FISMA: Microsoft Sharepoint Policies Added, Removed, Modified

FISMA: NetApp Authentication Failure

FISMA: NetApp Filer Unauthorized Mounting

FISMA: RACF Passwords Changed

FISMA: RACF Permissions Changed

FISMA: Symantec Endpoint Protection Policy Add, Delete, Modify

FISMA: vCenter Orchestrator Login Failed

FISMA: vCenter User Login Failed

FISMA: vCenter User Login Successful

FISMA: vCloud Director Login Failed

FISMA: vCloud Director Login Success

FISMA: vCloud User Created

FISMA: Windows Objects Create/Delete

FISMA: Windows Passwords Changed

FISMA: Windows Permissions Changed

FISMA: Windows Policies Changed

AC-17 Remote Access Compliance Suite Reports

FISMA: Accepted VPN Connections - RADIUS

FISMA: Check Point Management Station Login

FISMA: F5 BIG-IP TMOS Login Successful

FISMA: Juniper SSL VPN (Secure Access) Successful Logins

FISMA: Juniper SSL VPN (Secure Access) Successful Logins by User

FISMA: Juniper SSL VPN Successful Logins

FISMA: Juniper SSL VPN Successful Logins by User

FISMA: NetApp Filer Audit Login Successful

FISMA: NetApp Filer Login Successful

FISMA: VPN Active Connections

FISMA: VPN Connection Disconnect Reasons

FISMA: VPN Connections by Users

FISMA: VPN Denied Connections by Users

FISMA: VPN Sessions by Users

FISMA: VPN Users Accessing Corporate Network

Compliance Suite Alerts

FISMA: Logins Succeeded

FISMA: Logins Failed

AC-18 Wireless Access Restrictions

Audit and Accountability

AU-2 Auditable Events Compliance Suite Reports

FISMA: LogLogic Disk Full

FISMA: LogLogic File Retrieval Errors

FISMA: LogLogic Message Routing Errors

FISMA: NetApp Filer Audit Logs Cleared

FISMA: Windows Audit Logs Cleared

Compliance Suite Alerts

FISMA: LogLogic Disk Full

FISMA: LogLogic Message Routing Errors

FISMA: LogLogic File Retrieval Errors

FISMA: Windows Audit Log Cleared

AU-3 Content of Audit Records

AU-4 Audit Storage Capacity

AU-5 Audit Processing

AU-6 Audit Monitoring, Analysis, and Reporting

AU-7 Audit Reduction and Report Generation

Compliance Suite Reports

FISMA: DNS Server Error

FISMA: LogLogic Disk Full

FISMA: LogLogic File Retrieval Errors

FISMA: LogLogic Message Routing Errors

FISMA: Periodic Review of Log Reports

FISMA: Periodic Review of User Access Logs

FISMA: NetApp Filer Audit Logs Cleared

FISMA: Windows Audit Logs Cleared

Compliance Suite Alerts

FISMA: LogLogic Disk Full

FISMA: LogLogic Message Routing Errors

FISMA: LogLogic File Retrieval Errors

FISMA: Windows Audit Log Cleared

AU-8 Time Stamps

Compliance Suite Reports

FISMA: LogLogic NTP Service Stopped

FISMA: NTP Clock Synchronized

FISMA: NTP Daemon Exited

FISMA: NTP Server Unreachable

Compliance Suite Alerts

FISMA: LogLogic NTP Service Stopped

FISMA: NTP Daemon Exited

FISMA: NTP Server Unreachable

AU-9 Protection of Audit Information

Compliance Suite Reports

FISMA: LogLogic File Retrieval Errors

FISMA: LogLogic Message Routing Errors

FISMA: Periodic Review of Log Reports

FISMA: Periodic Review of User Access Logs

FISMA: NetApp Filer Audit Logs Cleared

FISMA: Windows Audit Logs Cleared

Compliance Suite Alerts

FISMA: LogLogic Disk Full

FISMA: LogLogic File Retrieval Errors

FISMA: LogLogic Message Routing Errors

FISMA: Windows Audit Log Cleared

AU-11 Audit Retention

Compliance Suite Reports

FISMA: LogLogic File Retrieval Errors

FISMA: LogLogic Message Routing Errors

Compliance Suite Alerts

FISMA: LogLogic Disk Full

FISMA: LogLogic File Retrieval Errors

FISMA: LogLogic Message Routing Errors

Certification, Accreditation, and Security Assessments

CA-3 Information System Connections

Compliance Suite Reports

FISMA: Active Directory System Changes

FISMA: Check Point Configuration Changes

FISMA: Check Point Object Activity

FISMA: Cisco ISE, ACS Configuration Changes

FISMA: Cisco PIX, ASA, FWSM Policy Changed

FISMA: Cisco PIX, ASA, FWSM Routing Failure

FISMA: Cisco Switch Policy Changes

FISMA: DNS Server Error

FISMA: ESX Kernel log daemon terminating

FISMA: ESX Kernel logging Stop

FISMA: ESX Syslogd Restart

FISMA: Firewall Traffic Considered Risky - Cisco IOS

FISMA: Firewall Traffic Considered Risky - Cisco Netflow

FISMA: Firewall Traffic Considered Risky - Cisco PIX

FISMA: Firewall Traffic Considered Risky - Juniper Firewall

FISMA: Firewall Traffic Considered Risky - Check Point

FISMA: Firewall Traffic Considered Risky - Cisco ASA

FISMA: Firewall Traffic Considered Risky - Cisco FWSM

FISMA: Firewall Traffic Considered Risky - Fortinet

FISMA: Firewall Traffic Considered Risky - F5 BIG-IP TMOS

FISMA: Firewall Traffic Considered Risky - Juniper JunOS

FISMA: Firewall Traffic Considered Risky - Juniper RT Flow

FISMA: Firewall Traffic Considered Risky - Nortel

FISMA: Firewall Traffic Considered Risky - PANOS

FISMA: Firewall Traffic Considered Risky - Sidewinder

FISMA: Firewall Traffic Considered Risky - VMware vShield

FISMA: Juniper Firewall Policy Changed

FISMA: Juniper SSL VPN (Secure Access) Policy Changed

FISMA: NetApp Filer Audit Policies Modified

FISMA: Symantec Endpoint Protection Configuration Changes

FISMA: Symantec Endpoint Protection Policy Add, Remove, or Modify

FISMA: vCenter Change Attributes

FISMA: vCenter Modify Firewall Policy

FISMA: vCenter Orchestrator Change Attributes

FISMA: vCenter Orchestrator vSwitch Added, Changed or Removed

FISMA: vCenter Resource Usage Change

FISMA: vCenter vSwitch Added, Changed or Removed

FISMA: vShield Edge Configuration Changes

Compliance Suite Alerts

FISMA: Active Directory Changes

FISMA: Check Point Configuration Changes

FISMA: Cisco ISE, ACS Configuration Changed

FISMA: Cisco PIX, ASA, FWSM Policy Changed

FISMA: Cisco PIX, ASA, FWSM Routing Failure

FISMA: Cisco Switch Policy Changed

FISMA: F5 BIG-IP TMOS Risky Traffic

FISMA: Firewall Traffic Considered Risky

FISMA: i5/OS Server or Service Status Change

FISMA: Juniper Firewall Policy Changes

FISMA: Juniper VPN Policy Change

FISMA: NetApp Filer Audit Policies Changed

FISMA: NetApp Filer Disk Inserted

FISMA: Symantec Endpoint Protection Configuration Changed

FISMA: vCenter Firewall Policy Change

FISMA: vCenter Orchestrator vSwitch Add, Modify or Delete

FISMA: vCenter vSwitch Add Modify or Delete

FISMA: vShield Edge Configuration Change

FISMA: vShield Risky Traffic

FISMA: Windows Process Started

CA-7 Continuous Monitoring

Compliance Suite Reports

FISMA: DNS Server Error

FISMA: LogLogic File Retrieval Errors

FISMA: LogLogic Message Routing Errors

FISMA: NetApp Filer Audit Logs Cleared

FISMA: Periodic Review of Log Reports

FISMA: Periodic Review of User Access Logs

FISMA: Windows Audit Logs Cleared

Compliance Suite Alerts

FISMA: LogLogic Disk Full

FISMA: LogLogic File Retrieval Errors

FISMA: LogLogic Message Routing Errors

FISMA: Windows Audit Log Cleared

Configuration Management

CM-3 Configuration Change Control

Compliance Suite Reports

FISMA: Active Directory System Changes

FISMA: Check Point Configuration Changes

FISMA: Check Point Object Activity

FISMA: Cisco ESA: Updated

FISMA: Cisco ISE, ACS Configuration Changes

FISMA: Cisco PIX, ASA, FWSM Failover Disabled

FISMA: Cisco PIX, ASA, FWSM Failover Performed

FISMA: Cisco PIX, ASA, FWSM Policy Changed

FISMA: Cisco Switch Policy Changes

FISMA: Cisco System Restarted

FISMA: DB2 Database Stop and Start Events

FISMA: F5 BIG-IP TMOS Restarted

FISMA: Guardium SQL Guard Audit Startup or Shutdown

FISMA: Guardium SQL Guard Startup or Shutdown

FISMA: i5/OS Restarted

FISMA: Juniper Firewall HA State Changed

FISMA: Juniper Firewall Policy Changed

FISMA: Juniper Firewall Restarted

FISMA: Juniper SSL VPN (Secure Access) Policy Changed

FISMA: LogLogic DSM Startup or Shutdown

FISMA: NetApp Filer Audit Policies Modified

FISMA: Oracle Database Shutdown

FISMA: Software Update Successes on i5/OS

FISMA: Sybase ASE Database Startup or Shutdown

FISMA: Symantec AntiVirus: Updated

FISMA: Symantec Endpoint Protection Configuration Changes

FISMA: Symantec Endpoint Protection Policy Add, Remove, or Modify

FISMA: Symantec Endpoint Protection: Scans

FISMA: Symantec Endpoint Protection: Updated

FISMA: System Restarted

FISMA: vCenter Change Attributes

FISMA: vCenter Modify Firewall Policy

FISMA: vCenter Orchestrator Change Attributes

FISMA: vCenter Orchestrator Virtual Machine Created

FISMA: vCenter Orchestrator Virtual Machine Deleted

FISMA: vCenter Orchestrator Virtual Machine Shutdown

FISMA: vCenter Orchestrator Virtual Machine Started

FISMA: vCenter Orchestrator vSwitch Added, Changed or Removed

FISMA: vCenter Resource Usage Change

FISMA: vCenter Restart ESX Services

FISMA: vCenter Shutdown or Restart of ESX Server

FISMA: vCenter Virtual Machine Created

FISMA: vCenter Virtual Machine Deleted

FISMA: vCenter Virtual Machine Shutdown

FISMA: vCenter Virtual Machine Started

FISMA: vCenter vSwitch Add, Changed or Removed

FISMA: vCloud Organization Created

FISMA: vCloud Organization Deleted

FISMA: vCloud Organization Modified

FISMA: vCloud vApp Created, Modified, or Deleted

FISMA: vCloud vDC Create, Modify, or Delete

FISMA: vShield Edge Configuration Changes

FISMA: Windows New Services Installed

FISMA: Windows Software Update Activities

FISMA: Windows Software Update Failures

FISMA: Windows Software Update Successes

Compliance Suite Alerts

FISMA: Active Directory Changes

FISMA: Check Point Policy Changed

FISMA: Cisco ISE, ACS Configuration Changed

FISMA: Cisco PIX, ASA, FWSM Failover Disabled

FISMA: Cisco PIX, ASA, FWSM Failover Performed

FISMA: Cisco PIX, ASA, FWSM Policy Changed

FISMA: Cisco Switch Policy Changed

FISMA: DB2 Database Started or Stopped

FISMA: DNS Server Shutdown

FISMA: DNS Server Started

FISMA: Guardium SQL Guard Startup or Shutdown

FISMA: i5/OS Server or Service Status Change

FISMA: i5/OS Software Updates

FISMA: Juniper Firewall HA State Change

FISMA: Juniper Firewall Policy Changes

FISMA: Juniper VPN Policy Change

FISMA: LogLogic DSM Startup or Shutdown

FISMA: Microsoft SQL Server Shutdown

FISMA: NetApp Filer Audit Policies Changed

FISMA: NetApp Filer Disk Inserted

FISMA: Oracle Database Shutdown

FISMA: Sybase ASE Database Started

FISMA: Sybase ASE Database Stopped

FISMA: Symantec Endpoint Protection Configuration Changed

FISMA: System Restarted

FISMA: vCenter Create Virtual Machine

FISMA: vCenter Delete Virtual Machine

FISMA: vCenter Firewall Policy Change

FISMA: vCenter Orchestrator Create Virtual Machine

FISMA: vCenter Orchestrator Delete Virtual Machine

FISMA: vCenter Orchestrator Virtual Machine Shutdown

FISMA: vCenter Orchestrator Virtual Machine Started

FISMA: vCenter Orchestrator vSwitch Add, Modify or Delete

FISMA: vCenter Restart ESX Services

FISMA: vCenter Shutdown or Restart ESX

FISMA: vCenter Virtual Machine Shutdown

FISMA: vCenter Virtual Machine Started

FISMA: vCenter vSwitch Add, Modify or Delete

FISMA: vCloud Organization Created

FISMA: vCloud Organization Deleted

FISMA: vCloud Organization Modified

FISMA: vCloud vApp Created, Deleted, or Modified

FISMA: vCloud vDC Created, Modified, or Deleted

FISMA: vShield Edge Configuration Change

FISMA: Windows Server Restarted

FISMA: Windows Software Updates

FISMA: Windows Software Updates Failed

FISMA: Windows Software Updates Succeeded

CM-4 Monitoring Configuration Changes

Compliance Suite Reports

FISMA: Account Activities on UNIX Servers

FISMA: Account Activities on Windows Servers

FISMA: Accounts Changed on NetApp Filer

FISMA: Accounts Changed on Sidewinder

FISMA: Accounts Changed on TIBCO Administrator

FISMA: Accounts Created on NetApp Filer

FISMA: Accounts Created on NetApp Filer Audit

FISMA: Accounts Created on Sidewinder

FISMA: Accounts Created on Symantec Endpoint Protection

FISMA: Accounts Created on TIBCO Administrator

FISMA: Accounts Created on UNIX Servers

FISMA: Accounts Created on Windows Servers

FISMA: Accounts Deleted on NetApp Filer

FISMA: Accounts Deleted on NetApp Filer Audit

FISMA: Accounts Deleted on Sidewinder

FISMA: Accounts Deleted on Symantec Endpoint Protection

FISMA: Accounts Deleted on TIBCO Administrator

FISMA: Accounts Deleted on UNIX Servers

FISMA: Accounts Deleted on Windows Servers

FISMA: Active Directory System Changes

FISMA: Administrators Activities on Servers

FISMA: Check Point Configuration Changes

FISMA: Check Point Object Activity

FISMA: Cisco ESA: Updated

FISMA: Cisco ISE, ACS Accounts Created

FISMA: Cisco ISE, ACS Accounts Removed

FISMA: Cisco ISE, ACS Configuration Changes

FISMA: Cisco ISE, ACS Password Changes

FISMA: Cisco PIX, ASA, FWSM Failover Disabled

FISMA: Cisco PIX, ASA, FWSM Failover Performed

FISMA: Cisco PIX, ASA, FWSM Policy Changed

FISMA: Cisco Switch Policy Changes

FISMA: Domain Activities on Symantec Endpoint Protection

FISMA: Escalated Privilege Activities on Servers

FISMA: ESX Accounts Activities

FISMA: ESX Accounts Created

FISMA: ESX Accounts Deleted

FISMA: ESX Group Activities

FISMA: F5 BIG-IP TMOS Password Changes

FISMA: Group Activities on NetApp Filer Audit

FISMA: Group Activities on Symantec Endpoint Protection

FISMA: Group Activities on UNIX Servers

FISMA: Group Activities on Windows Servers

FISMA: i5/OS DST Password Reset

FISMA: i5/OS Object Permissions Modified

FISMA: Juniper Firewall HA State Changed

FISMA: Juniper Firewall Policy Changed

FISMA: Juniper SSL VPN (Secure Access) Policy Changed

FISMA: Microsoft Operations Manager - Windows Account Activities

FISMA: Microsoft Operations Manager - Windows Password Changes

FISMA: Microsoft Operations Manager - Windows Permissions Modified

FISMA: Microsoft Operations Manager - Windows Policies Modified

FISMA: Microsoft Sharepoint Permissions Changed

FISMA: Microsoft Sharepoint Policy Add, Remove, or Modify

FISMA: NetApp Filer Audit Policies Modified

FISMA: NetApp Filer Password Changes

FISMA: Password Changes on Windows Servers

FISMA: Permissions Modified on Windows Servers

FISMA: Policies Modified on Windows Servers

FISMA: RACF Password Changed

FISMA: RACF Permissions Changed

FISMA: Symantec AntiVirus: Updated

FISMA: Symantec Endpoint Protection Configuration Changes

FISMA: Symantec Endpoint Protection Password Changes

FISMA: Symantec Endpoint Protection Policy Add, Remove, or Modify

FISMA: Symantec Endpoint Protection: Scans

FISMA: TIBCO Administrator Password Changes

FISMA: TIBCO Administrator Permission Changes

FISMA: vCenter Change Attributes

FISMA: vCenter Modify Firewall Policy

FISMA: vCenter Orchestrator Change Attributes

FISMA: vCenter Orchestrator Virtual Machine Created

FISMA: vCenter Orchestrator Virtual Machine Deleted

FISMA: vCenter Orchestrator vSwitch Added, Changed or Removed

FISMA: vCenter Resource Usage Change

FISMA: vCenter Virtual Machine Created

FISMA: vCenter Virtual Machine Deleted

FISMA: vCenter vSwitch Added, Changed or Removed

FISMA: vCloud Organization Created

FISMA: vCloud Organization Deleted

FISMA: vCloud Organization Modified

FISMA: vCloud User Created

FISMA: vCloud User Deleted or Removed

FISMA: vCloud vApp Created, Modified, or Deleted

FISMA: vCloud vDC Create, Modify, or Delete

FISMA: vShield Edge Configuration Changes

FISMA: Windows Domain Activities

FISMA: Windows New Services Installed

Compliance Suite Alerts

FISMA: Accounts Created

FISMA: Accounts Deleted

FISMA: Check Point Policy Changed

FISMA: Cisco ISE, ACS Configuration Changed

FISMA: Cisco PIX, ASA, FWSM Policy Changed

FISMA: Cisco PIX, ASA, FWSM Failover Disabled

FISMA: Cisco PIX, ASA, FWSM Failover Performed

FISMA: Cisco Switch Policy Changed

FISMA: Escalated Privileges

FISMA: Groups Modified

FISMA: i5/OS Network Profile Changes

FISMA: i5/OS Permission or Policy Change

FISMA: i5/OS User Profile Changes

FISMA: Juniper Firewall Policy Changes

FISMA: Juniper Firewall HA State Change

FISMA: Microsoft Operations Manager - Permissions Changed

FISMA: Microsoft Sharepoint Permission Changed

FISMA: Microsoft Sharepoint Policies Added, Removed, Modified

FISMA: NetApp Filer Audit Policies Changed

FISMA: NetApp Filer Disk Inserted

FISMA: NetApp Filer NIS Group Update

FISMA: RACF Permissions Changed

FISMA: Symantec Endpoint Protection Configuration Changed

FISMA: Symantec Endpoint Protection Policy Add, Delete, Modify

FISMA: vCenter Create Virtual Machine

FISMA: vCenter Delete Virtual Machine

FISMA: vCenter Firewall Policy Change

FISMA: vCenter Orchestrator Create Virtual Machine

FISMA: vCenter Orchestrator Delete Virtual Machine

FISMA: vCenter Orchestrator vSwitch Add, Modify or Delete

FISMA: vCenter vSwitch Add, Modify or Delete

FISMA: vCloud Organization Created

FISMA: vCloud Organization Deleted

FISMA: vCloud Organization Modified

FISMA: vCloud User Created

FISMA: vCloud vApp Created, Deleted, or Modified

FISMA: vCloud vDC Created, Modified, or Deleted

FISMA: vShield Edge Configuration Change

FISMA: Windows Objects Create/Delete

FISMA: Windows Permissions Changed

CM-5 Access Restrictions for Change

Compliance Suite Reports

FISMA: Accepted VPN Connections - RADIUS

FISMA: Account Activities on UNIX Servers

FISMA: Account Activities on Windows Servers

FISMA: Accounts Changed on NetApp Filer

FISMA: Accounts Changed on Sidewinder

FISMA: Accounts Changed on TIBCO Administrator

FISMA: Accounts Created on NetApp Filer

FISMA: Accounts Created on NetApp Filer Audit

FISMA: Accounts Created on Sidewinder

FISMA: Accounts Created on Symantec Endpoint Protection

FISMA: Accounts Created on TIBCO Administrator

FISMA: Accounts Created on UNIX Servers

FISMA: Accounts Created on Windows Servers

FISMA: Accounts Deleted on NetApp Filer

FISMA: Accounts Deleted on NetApp Filer Audit

FISMA: Accounts Deleted on Sidewinder

FISMA: Accounts Deleted on Symantec Endpoint Protection

FISMA: Accounts Deleted on TIBCO Administrator

FISMA: Accounts Deleted on UNIX Servers

FISMA: Accounts Deleted on Windows Servers

FISMA: Administrators Activities on Servers

FISMA: Check Point Management Station Login

FISMA: Cisco ISE, ACS Accounts Created

FISMA: Cisco ISE, ACS Accounts Removed

FISMA: DB2 Database Failed Logins

FISMA: DB2 Database Logins

FISMA: Denied VPN Connections - RADIUS

FISMA: Escalated Privilege Activities on Servers

FISMA: ESX Accounts Activities

FISMA: ESX Accounts Created

FISMA: ESX Accounts Deleted

FISMA: ESX Failed Logins

FISMA: ESX Logins Failed Unknown User

FISMA: ESX Logins Succeeded

FISMA: F5 BIG-IP TMOS Login Failed

FISMA: F5 BIG-IP TMOS Login Successful

FISMA: Files Accessed on NetApp Filer Audit

FISMA: Files Accessed on Servers

FISMA: Files Accessed through Juniper SSL VPN (Secure Access)

FISMA: Guardium SQL Guard Audit Logins

FISMA: Guardium SQL Guard Logins

FISMA: Group Activities on NetApp Filer Audit

FISMA: Group Activities on Symantec Endpoint Protection

FISMA: Group Activities on UNIX Servers

FISMA: Group Activities on Windows Servers

FISMA: i5/OS Files Accessed

FISMA: i5/OS Network User Login Failed

FISMA: i5/OS Network User Login Successful

FISMA: i5/OS Service Started

FISMA: i5/OS User Login Failed

FISMA: i5/OS User Login Successful

FISMA: Juniper SSL VPN (Secure Access) Failed Logins

FISMA: Juniper SSL VPN (Secure Access) Failed Logins by User

FISMA: Juniper SSL VPN (Secure Access) Successful Logins

FISMA: Juniper SSL VPN (Secure Access) Successful Logins by User

FISMA: Juniper SSL VPN Failed Logins

FISMA: Juniper SSL VPN Failed Logins by User

FISMA: Juniper SSL VPN Successful Logins

FISMA: Juniper SSL VPN Successful Logins by User

FISMA: Failed Logins

FISMA: Successful Logins

FISMA: LogLogic DSM Logins

FISMA: Microsoft Operations Manager - Windows Account Activities

FISMA: Microsoft Sharepoint Content Deleted

FISMA: Microsoft Sharepoint Content Updates

FISMA: Microsoft SQL Server Database Failed Logins

FISMA: Microsoft SQL Server Database Logins

FISMA: NetApp Filer Audit Login Failed

FISMA: NetApp Filer Audit Login Successful

FISMA: NetApp Filer File activity

FISMA: NetApp Filer Login Failed

FISMA: NetApp Filer Login Successful

FISMA: Oracle Database Logins

FISMA: Oracle Database Failed Logins

FISMA: RACF Failed Logins

FISMA: RACF Files Accessed

FISMA: RACF Process Started

FISMA: RACF Successful Logins

FISMA: Sybase ASE Failed Logins

FISMA: Sybase ASE Successful Logins

FISMA: UNIX Failed Logins

FISMA: vCenter Failed Logins

FISMA: vCenter Orchestrator Failed Logins

FISMA: vCenter Successful Logins

FISMA: vCloud Failed Logins

FISMA: vCloud Successful Logins

FISMA: vCloud User Created

FISMA: vCloud User Deleted or Removed

FISMA: VPN Users Accessing Corporate Network

FISMA: Windows Programs Accessed

Compliance Suite Alerts

FISMA: Accounts Created

FISMA: Accounts Deleted

FISMA: Escalated Privileges

FISMA: Guardium SQL Guard Logins

FISMA: i5/OS Network Profile Changes

FISMA: i5/OS User Login Successful

FISMA: i5/OS User Profile Changes

FISMA: Logins Failed

FISMA: Logins Succeeded

FISMA: LogLogic DSM Logins

FISMA: Microsoft Sharepoint Content Deleted

FISMA: Microsoft Sharepoint Content Updated

FISMA: NetApp Authentication Failure

FISMA: RACF Process Started

FISMA: vCenter Orchestrator Login Failed

FISMA: vCenter User Login Failed

FISMA: vCenter User Login Successful

FISMA: vCloud Director Login Failed

FISMA: vCloud Director Login Success

FISMA: vCloud User Created

FISMA: Windows Objects Create/Delete

CM-6 Configuration Settings

CM-7 Least Functionality

Compliance Suite Reports

FISMA: Active Directory System Changes

FISMA: Check Point Configuration Changes

FISMA: Check Point Object Activity

FISMA: Cisco ESA: Updated

FISMA: Cisco ISE, ACS Configuration Changes

FISMA: Cisco PIX, ASA, FWSM Policy Changed

FISMA: Cisco PIX, ASA, FWSM Routing Failure

FISMA: Cisco Switch Policy Changes

FISMA: Firewall Traffic Considered Risky - Cisco IOS

FISMA: Firewall Traffic Considered Risky - Cisco Netflow

FISMA: Firewall Traffic Considered Risky - Cisco PIX

FISMA: Firewall Traffic Considered Risky - Juniper Firewall

FISMA: Firewall Traffic Considered Risky - Check Point

FISMA: Firewall Traffic Considered Risky - Cisco ASA

FISMA: Firewall Traffic Considered Risky - Cisco FWSM

FISMA: Firewall Traffic Considered Risky - Fortinet

FISMA: Firewall Traffic Considered Risky - F5 BIG-IP TMOS

FISMA: Firewall Traffic Considered Risky - Juniper JunOS

FISMA: Firewall Traffic Considered Risky - Juniper RT Flow

FISMA: Firewall Traffic Considered Risky - Nortel

FISMA: Firewall Traffic Considered Risky - PANOS

FISMA: Firewall Traffic Considered Risky - Sidewinder

FISMA: Firewall Traffic Considered Risky - VMware vShield

FISMA: Juniper Firewall Policy Changed

FISMA: Juniper SSL VPN (Secure Access) Policy Changed

FISMA: NetApp Filer Audit Policies Modified

FISMA: Symantec AntiVirus: Updated

FISMA: Symantec Endpoint Protection Configuration Changes

FISMA: Symantec Endpoint Protection Policy Add, Remove, or Modify

FISMA: Symantec Endpoint Protection: Scans

FISMA: vCenter Change Attributes

FISMA: vCenter Modify Firewall Policy

FISMA: vCenter Orchestrator Change Attributes

FISMA: vCenter Orchestrator vSwitch Added, Changed or Removed

FISMA: vCenter Resource Usage Change

FISMA: vCenter vSwitch Added, Changed or Removed

FISMA: vShield Edge Configuration Changes

Compliance Suite Alerts

FISMA: Active Directory Changes

FISMA: Check Point Policy Changed

FISMA: Cisco ISE, ACS Configuration Changed

FISMA: Cisco PIX, ASA, FWSM Policy Changed

FISMA: Cisco PIX, ASA, FWSM Routing Failure

FISMA: Cisco Switch Policy Changed

FISMA: F5 BIG-IP TMOS Risky Traffic

FISMA: Firewall Traffic Considered Risky

FISMA: Juniper Firewall Policy Changes

FISMA: Juniper VPN Policy Change

FISMA: NetApp Filer Audit Policies Changed

FISMA: Symantec Endpoint Protection Configuration Changed

FISMA: vCenter Firewall Policy Change

FISMA: vCenter Orchestrator vSwitch Add, Modify or Delete

FISMA: vCenter vSwitch Add, Modify or Delete

FISMA: vShield Edge Configuration Change

FISMA: vShield Risky Traffic

Contingency Planning

CP-9 Information System Backup

Compliance Suite Reports

FISMA: DB2 Database Backup Failed

FISMA: DB2 Database Restore Failed

FISMA: NetApp Filers Backup Errors

FISMA: NetApp Filer Disk Failure

FISMA: NetApp Filer Disk Missing

FISMA: NetApp Filer Snapshot Error

FISMA: Microsoft SQL Server Backup Failed

FISMA: Microsoft SQL Server Restore Failed

FISMA: Sybase ASE Database Backup and Restoration

Compliance Suite Alerts

FISMA: DB2 Database Backup Failed

FISMA: DB2 Database Restore Failed

FISMA: Microsoft SQL Server Backup Failed

FISMA: Microsoft SQL Server Restore Failed

FISMA: NetApp Filer Disk Failure

FISMA: NetApp Filer Disk Inserted

FISMA: NetApp Filer Disk Missing

FISMA: NetApp Filer Disk Pulled

FISMA: NetApp Filer Snapshot Error

FISMA: Sybase ASE Database Backed Up or Restored

Identification and Authentication

IA-2 User Identification and Authentication

Compliance Suite Reports

FISMA: Accepted VPN Connections - RADIUS

FISMA: Accounts created on UNIX Servers

FISMA: Accounts Changed on NetApp Filer

FISMA: Accounts Changed on Sidewinder

FISMA: Accounts Changed on TIBCO Administrator

FISMA: Accounts Created on NetApp Filer

FISMA: Accounts Created on NetApp Filer Audit

FISMA: Accounts Created on Sidewinder

FISMA: Accounts Created on Symantec Endpoint Protection

FISMA: Accounts Created on TIBCO Administrator

FISMA: Accounts Created on Windows Servers

FISMA: Accounts Enabled on Windows Servers

FISMA: Check Point Management Station Login

FISMA: Cisco ISE, ACS Accounts Created

FISMA: DB2 Database Failed Logins

FISMA: DB2 Database Logins

FISMA: Denied VPN Connections - RADIUS

FISMA: DHCP Granted/Renewed Activities on Microsoft DHCP

FISMA: DHCP Granted/Renewed Activities on VMware vShield

FISMA: ESX Accounts Activities

FISMA: ESX Accounts Created

FISMA: ESX Failed Logins

FISMA: ESX Logins Failed Unknown User

FISMA: ESX Logins Succeeded

FISMA: F5 BIG-IP TMOS Login Failed

FISMA: F5 BIG-IP TMOS Login Successful

FISMA: Guardium SQL Guard Audit Logins

FISMA: Guardium SQL Guard Logins

FISMA: i5/OS Network User Login Failed

FISMA: i5/OS Network User Login Successful

FISMA: i5/OS Network User Profile Creation

FISMA: i5/OS User Login Failed

FISMA: i5/OS User Login Successful

FISMA: i5/OS User Profile Creation

FISMA: Juniper SSL VPN (Secure Access) Failed Logins

FISMA: Juniper SSL VPN (Secure Access) Failed Logins by User

FISMA: Juniper SSL VPN (Secure Access) Successful Logins

FISMA: Juniper SSL VPN (Secure Access) Successful Logins by User

FISMA: Juniper SSL VPN Failed Logins

FISMA: Juniper SSL VPN Failed Logins by User

FISMA: Juniper SSL VPN Successful Logins

FISMA: Juniper SSL VPN Successful Logins by User

FISMA: Failed Logins

FISMA: Successful Logins

FISMA: LogLogic DSM Logins

FISMA: Microsoft Operations Manager - Windows Accounts Created

FISMA: Microsoft Operations Manager - Windows Accounts Enabled

FISMA: Microsoft SQL Server Database Failed Logins

FISMA: Microsoft SQL Server Database Logins

FISMA: NetApp Filer Audit Login Failed

FISMA: NetApp Filer Audit Login Successful

FISMA: NetApp Filer Login Failed

FISMA: NetApp Filer Login Successful

FISMA: Oracle Database Logins

FISMA: Oracle Database Failed Logins

FISMA: RACF Accounts Created

FISMA: RACF Failed Logins

FISMA: RACF Successful Logins

FISMA: Sybase ASE Failed Logins

FISMA: Sybase ASE Successful Logins

FISMA: UNIX Failed Logins

FISMA: vCenter Failed Logins

FISMA: vCenter Orchestrator Failed Logins

FISMA: vCenter Successful Logins

FISMA: vCloud Failed Logins

FISMA: vCloud Successful Logins

FISMA: vCloud User Created

FISMA: VPN Users Accessing Corporate Network

FISMA: Windows Group Members Added

Compliance Suite Alerts

FISMA: Accounts Created

FISMA: Accounts Enabled

FISMA: Guardium SQL Guard Logins

FISMA: i5/OS Network Profile Changes

FISMA: i5/OS User Profile Changes

FISMA: Logins Failed

FISMA: Logins Succeeded

FISMA: LogLogic DSM Logins

FISMA: NetApp Authentication Failure

FISMA: vCenter Orchestrator Login Failed

FISMA: vCenter User Login Failed

FISMA: vCenter User Login Successful

FISMA: vCloud Director Login Failed

FISMA: vCloud Director Login Success

FISMA: vCloud User Created

FISMA: Windows Objects Create/Delete

IA-3 Device Identification and Authentication

Compliance Suite Reports

FISMA: Accepted VPN Connections - RADIUS

FISMA: Accounts Changed on NetApp Filer

FISMA: Accounts Changed on Sidewinder

FISMA: Accounts Changed on TIBCO Administrator

FISMA: Accounts Created on NetApp Filer

FISMA: Accounts Created on NetApp Filer Audit

FISMA: Accounts Created on Sidewinder

FISMA: Accounts Created on Symantec Endpoint Protection

FISMA: Accounts Created on TIBCO Administrator

FISMA: Accounts Created on UNIX Servers

FISMA: Accounts Created on Windows Servers

FISMA: Check Point Management Station Login

FISMA: Cisco ISE, ACS Accounts Created

FISMA: DB2 Database Failed Logins

FISMA: DB2 Database Logins

FISMA: Denied VPN Connections - RADIUS

FISMA: DHCP Granted/Renewed Activities on Microsoft DHCP

FISMA: DHCP Granted/Renewed Activities on VMware vShield

FISMA: ESX Accounts Activities

FISMA: ESX Accounts Created

FISMA: ESX Failed Logins

FISMA: ESX Logins Failed Unknown User

FISMA: ESX Logins Succeeded

FISMA: F5 BIG-IP TMOS Login Failed

FISMA: F5 BIG-IP TMOS Login Successful

FISMA: Guardium SQL Guard Audit Logins

FISMA: Guardium SQL Guard Logins

FISMA: i5/OS Network User Login Failed

FISMA: i5/OS Network User Login Successful

FISMA: i5/OS Network User Profile Creation

FISMA: i5/OS User Login Failed

FISMA: i5/OS User Login Successful

FISMA: i5/OS User Profile Creation

FISMA: Juniper SSL VPN (Secure Access) Failed Logins

FISMA: Juniper SSL VPN (Secure Access) Failed Logins by User

FISMA: Juniper SSL VPN (Secure Access) Successful Logins

FISMA: Juniper SSL VPN (Secure Access) Successful Logins by User

FISMA: Juniper SSL VPN Failed Logins

FISMA: Juniper SSL VPN Failed Logins by User

IA-3 Device Identification and Authentication

Compliance Suite Reports - Continued

FISMA: Juniper SSL VPN Successful Logins

FISMA: Juniper SSL VPN Successful Logins by User

FISMA: Failed Logins

FISMA: Successful Logins

FISMA: LogLogic DSM Logins

FISMA: Microsoft Operations Manager - Windows Accounts Created

FISMA: Microsoft Operations Manager - Windows Accounts Enabled

FISMA: Microsoft SQL Server Database Failed Logins

FISMA: Microsoft SQL Server Database Logins

FISMA: NetApp Filer Audit Login Failed

FISMA: NetApp Filer Audit Login Successful

FISMA: NetApp Filer Login Failed

FISMA: NetApp Filer Login Successful

FISMA: Oracle Database Logins

FISMA: Oracle Database Failed Logins

FISMA: RACF Accounts Created

FISMA: RACF Failed Logins

FISMA: RACF Successful Logins

FISMA: Sybase ASE Failed Logins

FISMA: Sybase ASE Successful Logins

FISMA: UNIX Failed Logins

FISMA: vCenter Failed Logins

FISMA: vCenter Orchestrator Failed Logins

FISMA: vCenter Successful Logins

FISMA: vCloud Failed Logins

FISMA: vCloud Successful Logins

FISMA: vCloud User Created

FISMA: VPN Users Accessing Corporate Network

FISMA: Windows Accounts Enabled

FISMA: Windows Group Members Added

IA-3 Device Identification and Authentication

Compliance Suite Alerts

FISMA: Accounts Created

FISMA: Accounts Enabled

FISMA: Guardium SQL Guard Logins

FISMA: i5/OS Network Profile Changes

FISMA: i5/OS User Profile Changes

FISMA: Logins Failed

FISMA: Logins Succeeded

FISMA: LogLogic DSM Logins

FISMA: NetApp Authentication Failure

FISMA: vCenter Orchestrator Login Failed

FISMA: vCenter User Login Failed

FISMA: vCenter User Login Successful

FISMA: vCloud Director Login Failed

FISMA: vCloud Director Login Success

FISMA: vCloud User Created

FISMA: Windows Objects Create/Delete

IA-4 Identifier Management

Compliance Suite Reports

FISMA: Accepted VPN Connections - RADIUS

FISMA: Accounts Changed on Sidewinder

FISMA: Accounts Created on Sidewinder

FISMA: Accounts Created on UNIX Servers

FISMA: Accounts Created on Windows Servers

FISMA: Accounts Enabled on Windows Servers

FISMA: Check Point Management Station Login

FISMA: Cisco ISE, ACS Accounts Created

FISMA: Cisco ISE, ACS Password Changes

FISMA: DB2 Database Failed Logins

FISMA: DB2 Database Logins

FISMA: Denied VPN Connections - RADIUS

FISMA: ESX Accounts Activities

FISMA: ESX Accounts Created

FISMA: ESX Failed Logins

FISMA: ESX Logins Failed Unknown User

FISMA: ESX Logins Succeeded

FISMA: F5 BIG-IP TMOS Login Failed

FISMA: F5 BIG-IP TMOS Login Successful

FISMA: F5 BIG-IP TMOS Password Changes

FISMA: Failed Logins

FISMA: Guardium SQL Guard Audit Logins

FISMA: Guardium SQL Guard Logins

FISMA: i5/OS DST Password Reset

FISMA: i5/OS Network User Login Failed

FISMA: i5/OS Network User Login Successful

FISMA: i5/OS Network User Profile Creation

FISMA: i5/OS User Login Failed

FISMA: i5/OS User Login Successful

FISMA: i5/OS User Profile Creation

FISMA: Juniper SSL VPN (Secure Access) Failed Logins

FISMA: Juniper SSL VPN (Secure Access) Failed Logins by User

FISMA: Juniper SSL VPN (Secure Access) Successful Logins

FISMA: Juniper SSL VPN (Secure Access) Successful Logins by User

FISMA: Juniper SSL VPN Failed Logins

FISMA: Juniper SSL VPN Failed Logins by User

FISMA: Juniper SSL VPN Successful Logins

FISMA: Juniper SSL VPN Successful Logins by User

FISMA: NetApp Filer Audit Login Failed

FISMA: NetApp Filer Audit Login Successful

FISMA: NetApp Filer Login Failed

IA-4 Identifier Management

Compliance Suite Reports - Continued

FISMA: NetApp Filer Login Successful

FISMA: NetApp Filer Password Changes

FISMA: Successful Logins

FISMA: LogLogic DSM Logins

FISMA: Microsoft Operations Manager - Windows Accounts Created

FISMA: Microsoft Operations Manager - Windows Accounts Enabled

FISMA: Microsoft Operations Manager - Windows Password Changes

FISMA: Microsoft SQL Server Database Failed Logins

FISMA: Microsoft SQL Server Database Logins

FISMA: Oracle Database Logins

FISMA: Oracle Database Failed Logins

FISMA: RACF Accounts Created

FISMA: RACF Failed Logins

FISMA: RACF Password Changed

FISMA: RACF Successful Logins

FISMA: Sybase ASE Failed Logins

FISMA: Sybase ASE Successful Logins

FISMA: Symantec Endpoint Protection Password Changes

FISMA: TIBCO Administrator Password Changes

FISMA: UNIX Failed Logins

FISMA: vCenter Failed Logins

FISMA: vCenter Orchestrator Failed Logins

FISMA: vCenter Successful Logins

FISMA: vCloud Failed Logins

FISMA: vCloud Successful Logins

FISMA: vCloud User Created

FISMA: VPN Users Accessing Corporate Network

FISMA: Password Changes on Windows Servers

FISMA: Windows Group Members Added

IA-4 Identifier Management

Compliance Suite Alerts

FISMA: Accounts Created

FISMA: Accounts Enabled

FISMA: Cisco ISE, ACS Passwords Changed

FISMA: Guardium SQL Guard Logins

FISMA: i5/OS Network Profile Changes

FISMA: i5/OS User Profile Changes

FISMA: IBM AIX Password Changed

FISMA: Logins Failed

FISMA: Logins Succeeded

FISMA: LogLogic DSM Logins

FISMA: Microsoft Operations Manager - Windows Passwords Changed

FISMA: NetApp Authentication Failure

FISMA: RACF Passwords Changed

FISMA: vCenter Orchestrator Login Failed

FISMA: vCenter User Login Failed

FISMA: vCenter User Login Successful

FISMA: vCloud Director Login Failed

FISMA: vCloud Director Login Success

FISMA: vCloud User Created

FISMA: Windows Objects Create/Delete

FISMA: Windows Passwords Changed

IA-5 Authenticator Management

Compliance Suite Reports

FISMA: Accepted VPN Connections - RADIUS

FISMA: Accounts Created on UNIX Servers

FISMA: Accounts Changed on NetApp Filer

FISMA: Accounts Changed on Sidewinder

FISMA: Accounts Changed on TIBCO Administrator

FISMA: Accounts Created on NetApp Filer

FISMA: Accounts Created on NetApp Filer Audit

FISMA: Accounts Created on Sidewinder

FISMA: Accounts Created on Symantec Endpoint Protection

FISMA: Accounts Created on TIBCO Administrator

FISMA: Accounts Created on Windows Servers

FISMA: Accounts Enabled on Windows Servers

FISMA: Check Point Management Station Login

FISMA: Cisco ISE, ACS Accounts Created

FISMA: Cisco ISE, ACS Password Changes

FISMA: DB2 Database Failed Logins

FISMA: DB2 Database Logins

FISMA: Denied VPN Connections - RADIUS

FISMA: ESX Accounts Activities

FISMA: ESX Accounts Created

FISMA: ESX Failed Logins

FISMA: ESX Logins Failed Unknown User

FISMA: ESX Logins Succeeded

FISMA: F5 BIG-IP TMOS Login Failed

FISMA: F5 BIG-IP TMOS Login Successful

FISMA: F5 BIG-IP TMOS Password Changes

FISMA: Failed Logins

FISMA: Guardium SQL Guard Audit Logins

FISMA: Guardium SQL Guard Logins

FISMA: i5/OS DST Password Reset

FISMA: i5/OS Network User Login Failed

FISMA: i5/OS Network User Login Successful

FISMA: i5/OS Network User Profile Creation

FISMA: i5/OS User Login Failed

FISMA: i5/OS User Login Successful

FISMA: i5/OS User Profile Creation

FISMA: Juniper SSL VPN (Secure Access) Failed Logins

FISMA: Juniper SSL VPN (Secure Access) Failed Logins by User

FISMA: Juniper SSL VPN (Secure Access) Successful Logins

FISMA: Juniper SSL VPN (Secure Access) Successful Logins by User

IA-5 Authenticator Management

Compliance Suite Reports - Continued

FISMA: Juniper SSL VPN Failed Logins

FISMA: Juniper SSL VPN Failed Logins by User

FISMA: Juniper SSL VPN Successful Logins

FISMA: Juniper SSL VPN Successful Logins by User

FISMA: LogLogic DSM Logins

FISMA: Microsoft Operations Manager - Windows Accounts Created

FISMA: Microsoft Operations Manager - Windows Accounts Enabled

FISMA: Microsoft Operations Manager - Windows Password Changes

FISMA: Microsoft SQL Server Database Failed Logins

FISMA: Microsoft SQL Server Database Logins

FISMA: NetApp Filer Audit Login Failed

FISMA: NetApp Filer Audit Login Successful

FISMA: NetApp Filer Login Failed

FISMA: NetApp Filer Login Successful

FISMA: NetApp Filer Password Changes

FISMA: Oracle Database Logins

FISMA: Oracle Database Failed Logins

FISMA: RACF Accounts Created

FISMA: RACF Failed Logins

FISMA: RACF Password Changed

FISMA: RACF Successful Logins

FISMA: Successful Logins

FISMA: Sybase ASE Failed Logins

FISMA: Sybase ASE Successful Logins

FISMA: Symantec Endpoint Protection Password Changes

FISMA: TIBCO Administrator Password Changes

FISMA: UNIX Failed Logins

FISMA: vCenter Failed Logins

FISMA: vCenter Orchestrator Failed Logins

FISMA: vCenter Successful Logins

FISMA: vCloud Failed Logins

FISMA: vCloud Successful Logins

FISMA: vCloud User Created

FISMA: VPN Users Accessing Corporate Network

FISMA: Windows Group Members Added

FISMA: Password Changes on Windows Servers

IA-5 Authenticator Management

Compliance Suite Alerts

FISMA: Accounts Created

FISMA: Accounts Enabled

FISMA: Cisco ISE, ACS Passwords Changed

FISMA: Guardium SQL Guard Logins

FISMA: i5/OS Network Profile Changes

FISMA: i5/OS User Profile Changes

FISMA: IBM AIX Password Changed

FISMA: Logins Failed

FISMA: Logins Succeeded

FISMA: LogLogic DSM Logins

FISMA: Microsoft Operations Manager - Windows Passwords Changed

FISMA: NetApp Authentication Failure

FISMA: RACF Passwords Changed

FISMA: vCenter Orchestrator Login Failed

FISMA: vCenter User Login Failed

FISMA: vCenter User Login Successful

FISMA: vCloud Director Login Failed

FISMA: vCloud Director Login Success

FISMA: vCloud User Created

FISMA: Windows Objects Create/Delete

FISMA: Windows Passwords Changed

Maintenance

MA-4 Remote Maintenance

Compliance Suite Reports

FISMA: Accepted VPN Connections - RADIUS

FISMA: Account Activities on UNIX Servers

FISMA: Account Activities on Windows Servers

FISMA: Accounts Changed on NetApp Filer

FISMA: Accounts Changed on Sidewinder

FISMA: Accounts Changed on TIBCO Administrator

FISMA: Accounts Created on NetApp Filer

FISMA: Accounts Created on NetApp Filer Audit

FISMA: Accounts Created on Sidewinder

FISMA: Accounts Created on Symantec Endpoint Protection

FISMA: Accounts Created on TIBCO Administrator

FISMA: Accounts Created on UNIX Servers

FISMA: Accounts Created on Windows Servers

FISMA: Accounts Deleted on NetApp Filer

FISMA: Accounts Deleted on NetApp Filer Audit

FISMA: Accounts Deleted on Sidewinder

FISMA: Accounts Deleted on Symantec Endpoint Protection

FISMA: Accounts Deleted on TIBCO Administrator

FISMA: Accounts Deleted on UNIX Servers

FISMA: Accounts Deleted on Windows Servers

FISMA: Administrators Activities on Servers

FISMA: Check Point Management Station Login

FISMA: Cisco ISE, ACS Accounts Created

FISMA: Cisco ISE, ACS Accounts Removed

FISMA: DB2 Database Logins

FISMA: Escalated Privilege Activities on Servers

FISMA: ESX Accounts Activities

FISMA: ESX Accounts Created

FISMA: ESX Accounts Deleted

FISMA: ESX Logins Succeeded

FISMA: F5 BIG-IP TMOS Login Successful

FISMA: Guardium SQL Guard Audit Logins

FISMA: Guardium SQL Guard Logins

FISMA: i5/OS Network User Login Successful

FISMA: i5/OS User Login Successful

FISMA: Juniper SSL VPN (Secure Access) Successful Logins

FISMA: Juniper SSL VPN (Secure Access) Successful Logins by User

FISMA: Juniper SSL VPN Successful Logins

MA-4 Remote Maintenance

Compliance Suite Reports - Continued

FISMA: Juniper SSL VPN Successful Logins by User

FISMA: Successful Logins

FISMA: LogLogic DSM Logins

FISMA: Microsoft Operations Manager - Windows Account Activities

FISMA: Microsoft SQL Server Database Logins

FISMA: NetApp Filer Audit Login Successful

FISMA: NetApp Filer Login Successful

FISMA: Oracle Database Logins

FISMA: RACF Successful Logins

FISMA: Sybase ASE Successful Logins

FISMA: vCenter Successful Logins

FISMA: vCloud Successful Logins

FISMA: vCloud User Created

FISMA: vCloud User Deleted or Removed

FISMA: VPN Users Accessing Corporate Network

Compliance Suite Alerts

FISMA: Accounts Created

FISMA: Accounts Deleted

FISMA: Escalated Privileges

FISMA: Guardium SQL Guard Logins

FISMA: i5/OS Network Profile Changes

FISMA: i5/OS User Profile Changes

FISMA: Logins Succeeded

FISMA: LogLogic DSM Logins

FISMA: vCenter User Login Successful

FISMA: vCloud Director Login Success

FISMA: vCloud User Created

FISMA: Windows Objects Create/Delete

Personnel Security

PS-4 Access Control to Program Source Code

Compliance Suite Reports

FISMA: Accepted VPN Connections - RADIUS

FISMA: Accounts Deleted on UNIX Servers

FISMA: Accounts Deleted on Windows Servers

FISMA: Accounts Deleted on NetApp Filer

FISMA: Accounts Deleted on NetApp Filer Audit

FISMA: Accounts Deleted on Sidewinder

FISMA: Accounts Deleted on Symantec Endpoint Protection

FISMA: Accounts Deleted on TIBCO Administrator

FISMA: Check Point Management Station Login

FISMA: Cisco ISE, ACS Accounts Removed

FISMA: DB2 Database Logins

FISMA: ESX Accounts Deleted

FISMA: ESX Group Activities

FISMA: ESX Logins Succeeded

FISMA: F5 BIG-IP TMOS Login Successful

FISMA: Guardium SQL Guard Audit Logins

FISMA: Guardium SQL Guard Logins

FISMA: Group Activities on NetApp Filer Audit

FISMA: Group Activities on Symantec Endpoint Protection

FISMA: Group Activities on UNIX Servers

FISMA: Group Activities on Windows Servers

FISMA: i5/OS Network User Login Successful

FISMA: i5/OS Network User Profile Deletion

FISMA: i5/OS Network User Profile Modified

FISMA: i5/OS Object Permissions Modified

FISMA: i5/OS User Login Successful

FISMA: i5/OS User Profile Modifications

FISMA: Juniper SSL VPN (Secure Access) Successful Logins

FISMA: Juniper SSL VPN (Secure Access) Successful Logins by User

FISMA: Juniper SSL VPN Successful Logins

FISMA: Juniper SSL VPN Successful Logins by User

FISMA: LogLogic DSM Logins

FISMA: Microsoft Operations Manager - Windows Permissions Modified

FISMA: Microsoft Sharepoint Permissions Changed

FISMA: Microsoft SQL Server Database Logins

FISMA: NetApp Filer Audit Login Successful

FISMA: NetApp Filer Accounts Locked

FISMA: NetApp Filer Login Successful

PS-5 Control of Technical Vulnerabilities

PS-6 Access Agreements

PS-4, PS-5, PS-6

Compliance Suite Reports - Continued

FISMA: Oracle Database Logins

FISMA: RACF Accounts Deleted

FISMA: RACF Accounts Modified

FISMA: RACF Permissions Changed

FISMA: RACF Successful Logins

FISMA: Successful Logins

FISMA: Sybase ASE Successful Logins

FISMA: TIBCO Administrator Permission Changes

FISMA: vCenter Successful Logins

FISMA: vCenter User Permission Change

FISMA: vCloud Successful Logins

FISMA: vCloud User Deleted or Removed

FISMA: VPN Users Accessing Corporate Network

FISMA: Windows Accounts Locked

FISMA: Windows Group Members Deleted

FISMA: Permissions Modified on Windows Servers

PS-4 Access Control to Program Source Code

Compliance Suite Alerts

FISMA: Accounts Deleted

FISMA: Accounts Modified

FISMA: Accounts Locked

FISMA: Group Members Deleted

FISMA: Groups Deleted

FISMA: Groups Modified

FISMA: Guardium SQL Guard Logins

FISMA: i5/OS Network Profile Changes

FISMA: i5/OS Permission or Policy Change

FISMA: i5/OS User Profile Changes

FISMA: Logins Succeeded

FISMA: LogLogic DSM Logins

FISMA: Microsoft Operations Manager - Permissions Changed

FISMA: Microsoft Sharepoint Permission Changed

FISMA: NetApp Filer NIS Group Update

FISMA: RACF Permissions Changed

FISMA: vCenter Permission Change

FISMA: vCenter User Login Successful

FISMA: vCloud Director Login Success

FISMA: vCloud User, Group, or Role Modified

FISMA: Windows Permissions Changed

PS-5 Control of Technical Vulnerabilities

PS-6 Access Agreements

System and Services Acquisition

SA-2 Allocation of Resources

Compliance Suite Reports

FISMA: LogLogic Disk Full

FISMA: NetApp Filer File System Full

FISMA: vCenter Orchestrator Virtual Machine Created

FISMA: vCenter Orchestrator Virtual Machine Deleted

FISMA: vCenter Virtual Machine Created

FISMA: vCenter Virtual Machine Deleted

FISMA: vCloud Organization Created

FISMA: vCloud Organization Deleted

FISMA: vCloud Organization Modified

FISMA: vCloud vApp Created, Modified, or Deleted

FISMA: vCloud vDC Create, Modify, or Delete

Compliance Suite Alerts

FISMA: LogLogic Disk Full

FISMA: NetApp Filer File System Full

FISMA: vCenter Create Virtual Machine

FISMA: vCenter Delete Virtual Machine

FISMA: vCenter Orchestrator Create Virtual Machine

FISMA: vCenter Orchestrator Delete Virtual Machine

FISMA: vCloud Organization Created

FISMA: vCloud Organization Deleted

FISMA: vCloud Organization Modified

FISMA: vCloud vApp Created, Deleted, or Modified

FISMA: vCloud vDC Created, Modified, or Deleted

SA-9 Outsourced Information System Services

Compliance Suite Reports

FISMA: Cisco PIX, ASA, FWSM Failover Disabled

FISMA: Cisco PIX, ASA, FWSM Failover Performed

FISMA: Cisco System Restarted

FISMA: DB2 Database Stop and Start Events

FISMA: F5 BIG-IP TMOS Restarted

FISMA: Guardium SQL Guard Audit Startup or Shutdown

FISMA: Guardium SQL Guard Startup or Shutdown

FISMA: i5/OS Restarted

FISMA: Juniper Firewall HA State Changed

FISMA: Juniper Firewall Restarted

FISMA: LogLogic DSM Startup or Shutdown

FISMA: Microsoft Operations Manager - Windows Servers Restarted

FISMA: Oracle Database Shutdown

FISMA: Periodic Review of Log Reports

FISMA: Periodic Review of User Access Logs

FISMA: Sybase ASE Database Startup or Shutdown

FISMA: Symantec Endpoint Protection: Updated

FISMA: System Restarted

FISMA: vCenter Orchestrator Virtual Machine Created

FISMA: vCenter Orchestrator Virtual Machine Deleted

FISMA: vCenter Orchestrator Virtual Machine Shutdown

FISMA: vCenter Orchestrator Virtual Machine Started

FISMA: vCenter Restart ESX Services

FISMA: vCenter Shutdown or Restart of ESX Server

FISMA: vCenter Virtual Machine Created

FISMA: vCenter Virtual Machine Deleted

FISMA: vCenter Virtual Machine Shutdown

FISMA: vCenter Virtual Machine Started

FISMA: vCloud Organization Created

FISMA: vCloud Organization Deleted

FISMA: vCloud Organization Modified

FISMA: vCloud vApp Created, Modified, or Deleted

FISMA: vCloud vDC Create, Modify, or Delete

FISMA: Windows Servers Restarted

SA-9 Outsourced Information System Services

Compliance Suite Alerts

FISMA: Cisco PIX, ASA, FWSM Failover Disabled

FISMA: Cisco PIX, ASA, FWSM Failover Errors

FISMA: Cisco PIX, ASA, FWSM Failover Performed

FISMA: DB2 Database Started or Stopped

FISMA: DNS Server Shutdown

FISMA: DNS Server Started

FISMA: Guardium SQL Guard Startup or Shutdown

FISMA: i5/OS Server or Service Status Change

FISMA: Juniper Firewall HA State Change

FISMA: LogLogic DSM Startup or Shutdown

FISMA: Microsoft SQL Server Shutdown

FISMA: Oracle Database Shutdown

FISMA: Sybase ASE Database Started

FISMA: Sybase ASE Database Stopped

FISMA: System Restarted

FISMA: vCenter Create Virtual Machine

FISMA: vCenter Delete Virtual Machine

FISMA: vCenter Orchestrator Create Virtual Machine

FISMA: vCenter Orchestrator Delete Virtual Machine

FISMA: vCenter Orchestrator Virtual Machine Shutdown

FISMA: vCenter Orchestrator Virtual Machine Started

FISMA: vCenter Restart ESX Services

FISMA: vCenter Shutdown or Restart ESX

FISMA: vCenter Virtual Machine Shutdown

FISMA: vCenter Virtual Machine Started

FISMA: vCloud Organization Created

FISMA: vCloud Organization Deleted

FISMA: vCloud Organization Modified

FISMA: vCloud vApp Created, Deleted, or Modified

FISMA: vCloud vDC Created, Modified, or Deleted

FISMA: Windows Server Restarted

SA-10 Developer Configuration Management

Compliance Suite Reports

FISMA: Account Activities on UNIX Servers

FISMA: Account Activities on Windows Servers

FISMA: Accounts Changed on NetApp Filer

FISMA: Accounts Changed on Sidewinder

FISMA: Accounts Changed on TIBCO Administrator

FISMA: Accounts Created on NetApp Filer

FISMA: Accounts Created on NetApp Filer Audit

FISMA: Accounts Created on Sidewinder

FISMA: Accounts Created on Symantec Endpoint Protection

FISMA: Accounts Created on TIBCO Administrator

FISMA: Accounts Created on UNIX Servers

FISMA: Accounts Created on Windows Servers

FISMA: Accounts Deleted on NetApp Filer

FISMA: Accounts Deleted on NetApp Filer Audit

FISMA: Accounts Deleted on Sidewinder

FISMA: Accounts Deleted on Symantec Endpoint Protection

FISMA: Accounts Deleted on TIBCO Administrator

FISMA: Accounts Deleted on UNIX Servers

FISMA: Accounts Deleted on Windows Servers

FISMA: Active Directory System Changes

FISMA: Administrators Activities on Servers

FISMA: Check Point Configuration Changes

FISMA: Check Point Object Activity

FISMA: Cisco ISE, ACS Accounts Created

FISMA: Cisco ISE, ACS Accounts Removed

FISMA: Cisco ISE, ACS Configuration Changes

FISMA: Cisco ISE, ACS Password Changes

FISMA: Cisco PIX, ASA, FWSM Failover Disabled

FISMA: Cisco PIX, ASA, FWSM Failover Performed

FISMA: Cisco PIX, ASA, FWSM Policy Changed

FISMA: Cisco Switch Policy Changes

FISMA: Domain Activities on Symantec Endpoint Protection

FISMA: Escalated Privilege Activities on Servers

FISMA: ESX Accounts Activities

FISMA: ESX Accounts Created

FISMA: ESX Accounts Deleted

FISMA: ESX Group Activities

FISMA: F5 BIG-IP TMOS Password Changes

FISMA: Group Activities on NetApp Filer Audit

SA-10 Developer Configuration Management

Compliance Suite Reports - Continued

FISMA: Group Activities on Symantec Endpoint Protection

FISMA: Group Activities on UNIX Servers

FISMA: Group Activities on Windows Servers

FISMA: i5/OS DST Password Reset

FISMA: i5/OS Object Permissions Modified

FISMA: Juniper Firewall HA State Changed

FISMA: Juniper Firewall Policy Changed

FISMA: Juniper SSL VPN (Secure Access) Policy Changed

FISMA: Microsoft Operations Manager - Windows Account Activities

FISMA: Microsoft Operations Manager - Windows Password Changes

FISMA: Microsoft Operations Manager - Windows Permissions Modified

FISMA: Microsoft Operations Manager - Windows Policies Modified

FISMA: Microsoft Sharepoint Permissions Changed

FISMA: Microsoft Sharepoint Policy Add, Remove, or Modify

FISMA: NetApp Filer Audit Policies Modified

FISMA: NetApp Filer Password Changes

FISMA: RACF Password Changed

FISMA: RACF Permissions Changed

FISMA: Symantec Endpoint Protection Configuration Changes

FISMA: Symantec Endpoint Protection Password Changes

FISMA: Symantec Endpoint Protection Policy Add, Remove, or Modify

FISMA: TIBCO Administrator Password Changes

FISMA: TIBCO Administrator Permission Changes

FISMA: vCenter Change Attributes

FISMA: vCenter Modify Firewall Policy

FISMA: vCenter Orchestrator Change Attributes

FISMA: vCenter Orchestrator Virtual Machine Created

FISMA: vCenter Orchestrator Virtual Machine Deleted

FISMA: vCenter Orchestrator vSwitch Added, Changed or Removed

FISMA: vCenter Resource Usage Change

FISMA: vCenter Virtual Machine Created

FISMA: vCenter Virtual Machine Deleted

FISMA: vCenter vSwitch Added, Changed or Removed

FISMA: vCloud Organization Created

FISMA: vCloud Organization Deleted

FISMA: vCloud Organization Modified

FISMA: vCloud User Created

FISMA: vCloud User Deleted or Removed

FISMA: vCloud vApp Created, Modified, or Deleted

SA-10 Developer Configuration Management

Compliance Suite Reports - Continued

FISMA: vCloud vDC Create, Modify, or Delete

FISMA: vShield Edge Configuration Changes

FISMA: Windows Domain Activities

FISMA: Windows New Services Installed

FISMA: Password Changes on Windows Servers

FISMA: Permissions Modified on Windows Servers

FISMA: Policies Modified on Windows Servers

Compliance Suite Alerts

FISMA: Accounts Created

FISMA: Accounts Deleted

FISMA: Active Directory Changes

FISMA: Check Point Policy Changed

FISMA: Cisco ISE, ACS Configuration Changed

FISMA: Cisco PIX, ASA, FWSM Failover Disabled

FISMA: Cisco PIX, ASA, FWSM Failover Performed

FISMA: Cisco PIX, ASA, FWSM Policy Changed

FISMA: Cisco Switch Policy Changed

FISMA: Escalated Privileges

FISMA: Groups Modified

FISMA: i5/OS Network Profile Changes

FISMA: i5/OS Permission or Policy Change

FISMA: i5/OS User Profile Changes

FISMA: Juniper Firewall Policy Changes

FISMA: Juniper Firewall HA State Change

FISMA: Juniper VPN Policy Change

FISMA: Microsoft Operations Manager - Permissions Changed

FISMA: Microsoft Sharepoint Permission Changed

FISMA: Microsoft Sharepoint Policies Added, Removed, Modified

FISMA: NetApp Filer Audit Policies Changed

FISMA: NetApp Filer NIS Group Update

FISMA: RACF Permissions Changed

FISMA: Symantec Endpoint Protection Configuration Changed

FISMA: Symantec Endpoint Protection Policy Add, Delete, Modify

FISMA: vCenter Create Virtual Machine

FISMA: vCenter Delete Virtual Machine

FISMA: vCenter Firewall Policy Change

FISMA: vCenter Orchestrator Create Virtual Machine

SA-10 Developer Configuration Management

Compliance Suite Alerts - Continued

FISMA: vCenter Orchestrator Delete Virtual Machine

FISMA: vCenter Orchestrator vSwitch Add, Modify or Delete

FISMA: vCenter vSwitch Add, Modify or Delete

FISMA: vCloud Organization Created

FISMA: vCloud Organization Deleted

FISMA: vCloud Organization Modified

FISMA: vCloud User Created

FISMA: vCloud vApp Created, Deleted, or Modified

FISMA: vCloud vDC Created, Modified, or Deleted

FISMA: vShield Edge Configuration Change

FISMA: Windows Objects Create/Delete

FISMA: Windows Permissions Changed

System and Communications Protection

SC-2 Application Partitioning

Compliance Suite Reports

FISMA: vCenter Orchestrator Virtual Machine Created

FISMA: vCenter Orchestrator Virtual Machine Deleted

FISMA: vCenter Virtual Machine Created

FISMA: vCenter Virtual Machine Deleted

FISMA: vCloud Organization Created

FISMA: vCloud Organization Deleted

FISMA: vCloud Organization Modified

FISMA: vCloud vApp Created, Modified, or Deleted

FISMA: vCloud vDC Create, Modify, or Delete

SC-2 Application Partitioning

Compliance Suite Reports

FISMA: Active Directory System Changes

FISMA: Check Point Object Activity

FISMA: Check Point Configuration Changes

FISMA: Cisco ISE, ACS Configuration Changes

FISMA: Cisco PIX, ASA, FWSM Policy Changed

FISMA: Cisco PIX, ASA, FWSM Routing Failure

FISMA: Cisco Switch Policy Changes

FISMA: Firewall Traffic Considered Risky - Cisco IOS

FISMA: Firewall Traffic Considered Risky - Cisco Netflow

FISMA: Firewall Traffic Considered Risky - Cisco PIX

FISMA: Firewall Traffic Considered Risky - Juniper Firewall

FISMA: Firewall Traffic Considered Risky - Check Point

FISMA: Firewall Traffic Considered Risky - Cisco ASA

FISMA: Firewall Traffic Considered Risky - Cisco FWSM

FISMA: Firewall Traffic Considered Risky - Fortinet

FISMA: Firewall Traffic Considered Risky - F5 BIG-IP TMOS

FISMA: Firewall Traffic Considered Risky - Juniper JunOS

FISMA: Firewall Traffic Considered Risky - Juniper RT Flow

FISMA: Firewall Traffic Considered Risky - Nortel

FISMA: Firewall Traffic Considered Risky - PANOS

FISMA: Firewall Traffic Considered Risky - Sidewinder

FISMA: Firewall Traffic Considered Risky - VMware vShield

FISMA: Juniper Firewall Policy Changed

FISMA: Juniper SSL VPN (Secure Access) Policy Changed

FISMA: NetApp Filer Audit Policies Modified

FISMA: Symantec Endpoint Protection Configuration Changes

FISMA: Symantec Endpoint Protection Policy Add, Remove, or Modify

FISMA: vCenter Change Attributes

FISMA: vCenter Modify Firewall Policy

FISMA: vCenter Orchestrator Change Attributes

FISMA: vCenter Orchestrator Create Virtual Machine

FISMA: vCenter Orchestrator Delete Virtual Machine

FISMA: vCenter Orchestrator vSwitch Added, Changed or Removed

FISMA: vCenter Resource Usage Change

FISMA: vCenter vSwitch Added, Changed or Removed

FISMA: vShield Edge Configuration Changes

SC-3 Security Function Isolation

SC-7 Boundary Protection

SC-2, SC-3, SC-7

Compliance Suite Alerts

FISMA: Active Directory Changes

FISMA: Check Point Policy Changed

FISMA: Cisco ISE, ACS Configuration Changed

FISMA: Cisco PIX, ASA, FWSM Policy Changed

FISMA: Cisco PIX, ASA, FWSM Routing Failure

FISMA: Cisco Switch Policy Changed

FISMA: F5 BIG-IP TMOS Risky Traffic

FISMA: Firewall Traffic Considered Risky

FISMA: Juniper Firewall Policy Changes

FISMA: Juniper VPN Policy Change

FISMA: NetApp Filer Audit Policies Changed

FISMA: Symantec Endpoint Protection Configuration Changed

FISMA: vCenter Create Virtual Machine

FISMA: vCenter Delete Virtual Machine

FISMA: vCenter Firewall Policy Change

FISMA: vCenter vSwitch Add, Modify or Delete

FISMA: vCenter Orchestrator vSwitch Add, Modify or Delete

FISMA: vCloud Organization Created

FISMA: vCloud Organization Deleted

FISMA: vCloud Organization Modified

FISMA: vCloud vApp Created, Deleted, or Modified

FISMA: vCloud vDC Created, Modified, or Deleted

FISMA: vShield Edge Configuration Change

FISMA: vShield Risky Traffic

SC-18 Mobile Code

Compliance Suite Reports

FISMA: Applications Under Attack

FISMA: Applications Under Attack - Cisco IOS

FISMA: Applications Under Attack - ISS SiteProtector

FISMA: Applications Under Attack - SiteProtector

FISMA: Attack Origins

FISMA: Attack Origins - Cisco IOS

FISMA: Attack Origins - ISS SiteProtector

FISMA: Attack Origins - SiteProtector

FISMA: Attacks Detected

FISMA: Attacks Detected - Cisco IOS

FISMA: Attacks Detected - ISS SiteProtector

FISMA: Attacks Detected - SiteProtector

FISMA: Firewall Connections Accepted - Check Point

FISMA: Firewall Connections Accepted - Cisco ASA

FISMA: Firewall Connections Accepted - Cisco FWSM

FISMA: Firewall Connections Accepted - Cisco IOS

FISMA: Firewall Connections Accepted - Cisco Netflow

FISMA: Firewall Connections Accepted - Cisco NXOS

FISMA: Firewall Connections Accepted - Cisco PIX

FISMA: Firewall Connections Accepted - F5 BIG-IP TMOS

FISMA: Firewall Connections Accepted - Fortinet

FISMA: Firewall Connections Accepted - Juniper Firewall

FISMA: Firewall Connections Accepted - Juniper JunOS

FISMA: Firewall Connections Accepted - Juniper RT Flow

FISMA: Firewall Connections Accepted - Nortel

FISMA: Firewall Connections Accepted - PANOS

FISMA: Firewall Connections Accepted - Sidewinder

FISMA: Firewall Connections Accepted - VMware vShield

FISMA: Firewall Connections Denied - Check Point

FISMA: Firewall Connections Denied - Cisco ASA

FISMA: Firewall Connections Denied - Cisco FWSM

FISMA: Firewall Connections Denied - Cisco IOS

FISMA: Firewall Connections Denied - Cisco NXOS

FISMA: Firewall Connections Denied - Cisco PIX

FISMA: Firewall Connections Denied - Cisco Router

FISMA: Firewall Connections Denied - F5 BIG-IP TMOS

FISMA: Firewall Connections Denied - Fortinet

FISMA: Firewall Connections Denied - Juniper Firewall

FISMA: Firewall Connections Denied - Juniper JunOS

FISMA: Firewall Connections Denied - Juniper RT Flow

FISMA: Firewall Connections Denied - Nortel

FISMA: Firewall Connections Denied - PANOS

FISMA: Firewall Connections Denied - Sidewinder

FISMA: Firewall Connections Denied - VMware vShield

FISMA: Windows New Services Installed

Compliance Suite Alert

FISMA: Anomalous IDS Alerts

System and Information Integrity

SI-2 Flaw Remediation

Compliance Suite Reports

FISMA: Cisco Peer Reset/Reload

FISMA: Cisco Peer Supervisor Status Changes

FISMA: Cisco PIX, ASA, FWSM Failover Disabled

FISMA: Cisco PIX, ASA, FWSM Failover Performed

FISMA: Cisco PIX, ASA, FWSM Restarted

FISMA: Cisco Redundancy Version Check Failed

FISMA: Juniper Firewall HA State Changed

FISMA: Juniper Firewall Policy Out of Sync

FISMA: Juniper Firewall Reset Accepted

FISMA: Juniper Firewall Reset Imminent

FISMA: LogLogic Disk Full

FISMA: LogLogic HA State Changed

FISMA: NetApp Filer Disk Failure

FISMA: NetApp Filer Disk Missing

FISMA: NetApp Filer File System Full

FISMA: NetApp Filer Snapshot Error

FISMA: Software Update Successes on i5/OS

FISMA: Windows Software Update Activities

FISMA: Windows Software Update Failures

FISMA: Windows Software Update Successes

Compliance Suite Alerts

FISMA: Cisco PIX, ASA, FWSM Failover Performed

FISMA: i5/OS Software Updates

FISMA: Juniper Firewall HA State Change

FISMA: Juniper Firewall Peer Missing

FISMA: Juniper Firewall Policy Out of Sync

FISMA: LogLogic HA State Change

FISMA: NetApp Filer Snapshot Error

FISMA: NetApp Filer Disk Failure

FISMA: NetApp Filer Disk Missing

FISMA: NetApp Filer Disk Pulled

FISMA: NetApp Filer File System Full

FISMA: Windows Software Updates

FISMA: Windows Software Updates Failed

FISMA: Windows Software Updates Succeeded

SI-3 Malicious Code Protection

Compliance Suite Reports

FISMA: Applications Under Attack

FISMA: Applications Under Attack - Cisco IOS

FISMA: Applications Under Attack - ISS SiteProtector

FISMA: Applications Under Attack - SiteProtector

FISMA: Attack Origins

FISMA: Attack Origins - Cisco IOS

FISMA: Attack Origins - ISS SiteProtector

FISMA: Attack Origins - SiteProtector

FISMA: Attacks Detected

FISMA: Attacks Detected - Cisco IOS

FISMA: Attacks Detected - ISS SiteProtector

FISMA: Attacks Detected - SiteProtector

FISMA: Cisco ESA: Attacks by Event ID

FISMA: Cisco ESA: Attacks Detected

FISMA: Cisco ESA: Attacks by Threat Name

FISMA: Cisco ESA: Scans

FISMA: Firewall Connections Denied - Check Point

FISMA: Firewall Connections Denied - Cisco ASA

FISMA: Firewall Connections Denied - Cisco FWSM

FISMA: Firewall Connections Denied - Cisco IOS

FISMA: Firewall Connections Denied - Cisco NXOS

FISMA: Firewall Connections Denied - Cisco PIX

FISMA: Firewall Connections Denied - Cisco Router

FISMA: Firewall Connections Denied - F5 BIG-IP TMOS

FISMA: Firewall Connections Denied - Fortinet

FISMA: Firewall Connections Denied - Juniper Firewall

FISMA: Firewall Connections Denied - Juniper JunOS

FISMA: Firewall Connections Denied - Juniper RT Flow

FISMA: Firewall Connections Denied - Nortel

FISMA: Firewall Connections Denied - PANOS

FISMA: Firewall Connections Denied - Sidewinder

FISMA: Firewall Connections Denied - VMware vShield

FISMA: FortiOS: Attacks by Event ID

FISMA: FortiOS: Attacks by Threat Name

FISMA: FortiOS: Attacks Detected

FISMA: FortiOS DLP Attacks Detected

FISMA: McAfee AntiVirus: Attacks by Event ID

FISMA: McAfee AntiVirus: Attacks by Threat Name

FISMA: McAfee AntiVirus: Attacks Detected

FISMA: PANOS: Attacks by Event ID

FISMA: PANOS: Attacks by Threat Name

FISMA: PANOS: Attacks Detected

FISMA: Software Update Successes on i5/OS

FISMA: Symantec AntiVirus: Attacks by Threat Name

FISMA: Symantec AntiVirus: Attacks Detected

FISMA: Symantec AntiVirus: Scans

FISMA: Symantec Endpoint Protection: Attacks by Threat Name

FISMA: Symantec Endpoint Protection: Attacks Detected

FISMA: TrendMicro Control Manager: Attacks Detected

FISMA: TrendMicro Control Manager: Attacks Detected by Threat

FISMA: TrendMicro OfficeScan: Attacks Detected

FISMA: TrendMicro OfficeScan: Attacks Detected by Threat Name

FISMA: Windows New Services Installed

FISMA: Windows Software Update Activities

FISMA: Windows Software Update Failures

FISMA: Windows Software Update Successes

Compliance Suite Alerts

FISMA: Anomalous IDS Alerts

FISMA: i5/OS Software Updates

FISMA: Windows Software Updates

FISMA: Windows Software Updates Failed

FISMA: Windows Software Updates Succeeded

SI-4 Intrusion Detection Tools and Techniques

Compliance Suite Reports

FISMA: Applications Under Attack

FISMA: Applications Under Attack - Cisco IOS

FISMA: Applications Under Attack - ISS SiteProtector

FISMA: Applications Under Attack - SiteProtector

FISMA: Attack Origins

FISMA: Attack Origins - Cisco IOS

FISMA: Attack Origins - ISS SiteProtector

FISMA: Attack Origins - SiteProtector

FISMA: Attacks Detected

FISMA: Attacks Detected - Cisco IOS

FISMA: Attacks Detected - ISS SiteProtector

FISMA: Attacks Detected - SiteProtector

Compliance Suite Alert

FISMA: Anomalous IDS Alerts
