Risk Posture

A company's overall capacity to identify and respond to risks is referred to as its risk posture. It entails inspecting every aspect of a company's network and identifying potential vulnerabilities. All users, network elements, and any information that may be stored but is at risk of being hacked are included. It also involves examining current security practices and software to assess how well they can fend off attacks.

Edit Compliance

Risk Posture

Go to Manage Compliance.
Select the required risk posture source.
Click Edit to edit parameters of the rules with the possible values to get your personalized scores. (By default, the recommended values from the Microsoft/CIS standards will be present).

Run Analysis Schedules:

You can get the fresh analysis results by clicking the Run Now link at the top left corner of the Risk Posture.
The frequency can be set by clicking the Schedule button next to the Run Now Link.
By default, the schedule will run once per day. It also allows you to change the frequency of analysis.
Click the Schedule button to see the time when the next analysis is scheduled to run.
You can also see the time when the last analysis has been completed.

Rule Status and its definitions

Low/No Risk

This status informs that the selected source's configurations have met the Recommended / User set compliance value as per their norms.

High Risk

This status informs that the selected source's configurations have not met the Recommended / User set compliance value as per their norms.

Unable to Verify

High Risk

This status informs that the log360 server was unable to fetch the required data needed for analyzing the specific rule. It can be due to the following reasons.

1. Active Directory

Possible Reasons for the status "Unable to verify" as follows:

Insufficient Domain Details
Access Denied for SYSVOL Folder.

Insufficient Domain Details:

This error occurs when the domain details or credentials haven't been synced properly while integrating with child components.

Troubleshooting Steps:

Navigate to Admin → Log360 integration.
Make sure any one of the child components has been integrated and at least one domain is configured.
Click the Sync Now button.
Make sure the credentials have been synced correctly by checking in ADSCredentials table. To view table data, You can go to http(s)://<hostname>:<log360 port number>/runQuery.do page and Execute the below Query.

select * from ADSCredentials;

If there is no credentials data in the table,Trigger sync now button once again.
Now, Go to Compliance → Risk Posture → Active Directory.
Click the Run Now button.

Access Denied for SYSVOL Folder:

This error occurs when a log360 installed machine was unable to access the SYSVOL Folder of the domain controllers of selected domain. This restriction was made by Microsoft after 2015.

Kindly Make sure the SYSVOL Folder (C:\Windows\SYSVOL\sysvol) of the domain controllers has been shared to the User with which the domain is configured.

Troubleshooting Steps:

Using GPO of log360 installed Machine's Domain:

Go to "Computer Configuration → Administrative Templates → Network → Network Provider" in the Domain Controller.
Enable the Hardened UNC Paths. In Options, Click the show button.
Kindly add "\\*\SYSVOL" value in "Value Name" Field.
Kindly add "RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0" value in "Value" Field.
For immediate results, open Command prompt as Administrator and run "gpupdate /force" command in the log360 installed Machine.
Click Ok.

(or)

Using Local Security Policy Editor:

Open Local Security Policy Editor with "gpedit.msc" in the log360 installed Machine.
Go to Computer Configuration → Administrative Templates → Network → Network Provider.
Enable the Hardened UNC Paths. In Options, Click the show button.
Kindly add "\\*\SYSVOL" value in "Value Name" Field.
Kindly add "RequireMutualAuthentication=0,RequireIntegrity=0,RequirePrivacy=0" value in "Value" Field.
Click Ok.

(or)

Execute the below command in Command Prompt as Administrator in Log360 installed Machine:

%COMSPEC% /C reg add HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\NetworkProvider\HardenedPaths /v "\\*\SYSVOL" /d "RequireMutualAuthentication=0" /t REG_SZ

After these trouble shooting Steps, Go to Compliance → Risk Posture → Active Directory, and click Run Now button

2. SQL Server

Possible reasons for the status "Unable to verify" are as follows:

Dependent product down (EventLog Analyzer)
SQL Server down
Insufficient server details/user credentials

Dependent product down

The analysis requires EventLog Analyzer to be up and running. If the product is down, the analysis cannot be completed. In case of distributed ELA setup, the respective managed server in which the concerned SQL server is configured should also be up and running.

Troubleshooting Steps:

Make sure EventLog Analyzer is integrated and running smoothly.

SQL Server down

The analysis requires SQL Server to be up and running. If the SQL server is down, the analysis cannot be completed.

Troubleshooting Steps:

Make sure the selected SQL server(s) is up and running.

Insufficient server details/user credentials

The selected SQL server(s) configuration details and credentials should be up to date and valid. Outdated or wrong details will cause analysis to fail. The configured user should have sysadmin role in the selected SQL server for all the rules to succeed.

Troubleshooting Steps:

Update credentials and server details in EventLog Analyzer -> Settings -> Log Source Configuration -> Database Audit.
Update Advanced Auditing credentials in EventLog Analyzer -> Settings -> Log Source Configuration -> Database Audit -> Advanced Auditing.
Refer here for more details.

Possible Reasons for "No SQL Server(s) Configured" in edit compliance are as follows:

No SQL server(s) is configured.
To configure MSSQL DB, please refer here.
Advanced Auditing not enabled for the SQL server.
To enable Advanced Auditing, please refer here.