ASD – Requirements
Control Name | Rules | AIE Alerts | Investigations | Summary Reports | Detailed Reports |
---|---|---|---|---|---|
1526 | CCF: Misuse; CCF: Social Media Event; CCF: Corroborated Account Anomalies; CCF: Disabled Account Auth Success; CCF: External Brute Force Auths; CCF: Local Account Created and Used; CCF: Password Modified by Admin; CCF: Admin Password Modified; CCF: Multiple Account Passwords Modified by Admin; CCF: Password Modified by Another User; CCF: Account Enabled; CCF: Account Disabled; CCF: Account Deleted; CCF: Account Modification; CCF: Excessive Authentication Failure; CCF: FIM Abnormal Activity; CCF: FIM Add Activity; CCF: FIM General Activity; CCF: Data Loss Prevention; CCF: Backup Information; CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Corroborated Data Access Anomalies; CCF: Config Modified; CCF: Software Install; CCF: Software Uninstall; CCF: FIM Information; CCF: Abnormal Amount of Data Transferred; CCF: Large Outbound Transfer; CCF: Linux sudo Privilege Escalation; CCF: Windows RunAs Privilege Escalation; CCF: Abnormal Origin Location; CCF: Attack then External Connection; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Blacklist Location Auth; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Single User; CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Critical Event After Attack; CCF: Data Destruction; CCF: Data Exfiltration Observed; CCF: Distributed Brute Force | CCF: Unknown User Account Alarm; CCF: Priv Group Access Granted Alarm; CCF: Privilege Escalation After Attack Alarm; CCF: Blacklisted Account Alarm; CCF: FIM Delete Activity Alarm; CCF: PRD Envir Config/Policy Change Alarm; CCF: Time Sync Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Software Install Fail Alarm; CCF: Software Uninstall Fail Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Early TLS/SSL Alarm; CCF: Backup Failure Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Compromises Detected Alarm; CCF: Malware Alarm; CCF: Vulnerability Detected Alarm; CCF: Denial Of Service Alarm | CCF: User Misuse Inv; CCF: Social Media Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Modification Inv; CCF: Account Enabled Inv; CCF: Account Disabled Inv; CCF: Account Deleted Inv; CCF: Account Modified Inv; CCF: Excessive Authentication Failure Inv; CCF: Password Modification Inv; CCF: Object Access Inv; CCF: Suspicious Users Inv; CCF: User Object Access Inv; CCF: GeoIP Inv; CCF: Backup Activity Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Config/Policy Change Inv; CCF: Patch Activity Inv; CCF: Time Sync Error Inv; CCF: Signature Activity Inv; CCF: Audit Log Inv; CCF: Applications Accessed By User Inv; CCF: Critical Environment Error Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Compromises Detected Inv; CCF: Host Access Granted And Revoked Inv; CCF: Rogue Access Point Inv; CCF: Suspected Wireless Attack Inv; CCF: Privileged Account Escalation Inv; CCF: Malware Detected Inv; CCF: Physical Access Inv; CCF: Vulnerability Detected Inv; CCF: Denial Of Service Inv | CCF: User Misuse Summary; CCF: Social Media Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modified Summary; CCF: Term Account Activity Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Object Access Summary; CCF: Top Suspicious Users; CCF: User Object Access Summary; CCF: GeoIP Summary; CCF: Backup Activity Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Config/Policy Change Summary; CCF: Patch Activity Summary; CCF: Time Sync Error Summary; CCF: Signature Activity Summary; CCF: Audit Log Summary; CCF: Applications Accessed By User Summary; CCF: Critical Environment Error Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: Compromises Detected Summary; CCF: Rogue Access Point Summary; CCF: Suspected Wireless Attack Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Malware Detected Summary; CCF: Physical Access Summary; CCF: Vulnerability Detected Summary | CCF: Unknown User Account Detail; CCF: Host Access Granted And Revoked Detail |
0120 | CCF: Misuse; CCF: Social Media Event; CCF: Corroborated Account Anomalies; CCF: Disabled Account Auth Success; CCF: External Brute Force Auths; CCF: Local Account Created and Used; CCF: Password Modified by Admin; CCF: Admin Password Modified; CCF: Multiple Account Passwords Modified by Admin; CCF: Password Modified by Another User; CCF: Account Enabled; CCF: Account Disabled; CCF: Account Deleted; CCF: Account Modification; CCF: Excessive Authentication Failure; CCF: FIM Abnormal Activity; CCF: FIM Add Activity; CCF: FIM General Activity; CCF: Data Loss Prevention; CCF: Backup Information; CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Corroborated Data Access Anomalies; CCF: Config Modified; CCF: Software Install; CCF: Software Uninstall; CCF: FIM Information; CCF: Abnormal Amount of Data Transferred; CCF: Large Outbound Transfer; CCF: Linux sudo Privilege Escalation; CCF: Windows RunAs Privilege Escalation; CCF: Abnormal Origin Location; CCF: Attack then External Connection; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Blacklist Location Auth; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Single User; CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Critical Event After Attack; CCF: Data Destruction; CCF: Data Exfiltration Observed; CCF: Distributed Brute Force | CCF: Unknown User Account Alarm; CCF: Priv Group Access Granted Alarm; CCF: Privilege Escalation After Attack Alarm; CCF: Blacklisted Account Alarm; CCF: FIM Delete Activity Alarm; CCF: PRD Envir Config/Policy Change Alarm; CCF: Time Sync Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Software Install Fail Alarm; CCF: Software Uninstall Fail Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Early TLS/SSL Alarm; CCF: Backup Failure Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Compromises Detected Alarm; CCF: Malware Alarm; CCF: Vulnerability Detected Alarm; CCF: Denial Of Service Alarm | CCF: User Misuse Inv; CCF: Social Media Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Modification Inv; CCF: Account Enabled Inv; CCF: Account Disabled Inv; CCF: Account Deleted Inv; CCF: Account Modified Inv; CCF: Excessive Authentication Failure Inv; CCF: Password Modification Inv; CCF: Object Access Inv; CCF: Suspicious Users Inv; CCF: User Object Access Inv; CCF: GeoIP Inv; CCF: Backup Activity Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Config/Policy Change Inv; CCF: Patch Activity Inv; CCF: Time Sync Error Inv; CCF: Signature Activity Inv; CCF: Audit Log Inv; CCF: Applications Accessed By User Inv; CCF: Critical Environment Error Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Compromises Detected Inv; CCF: Host Access Granted And Revoked Inv; CCF: Rogue Access Point Inv; CCF: Suspected Wireless Attack Inv; CCF: Privileged Account Escalation Inv; CCF: Malware Detected Inv; CCF: Physical Access Inv; CCF: Vulnerability Detected Inv; CCF: Denial Of Service Inv | CCF: User Misuse Summary; CCF: Social Media Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modified Summary; CCF: Term Account Activity Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Object Access Summary; CCF: Top Suspicious Users; CCF: User Object Access Summary; CCF: GeoIP Summary; CCF: Backup Activity Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Config/Policy Change Summary; CCF: Patch Activity Summary; CCF: Time Sync Error Summary; CCF: Signature Activity Summary; CCF: Audit Log Summary; CCF: Applications Accessed By User Summary; CCF: Critical Environment Error Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: Compromises Detected Summary; CCF: Rogue Access Point Summary; CCF: Suspected Wireless Attack Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Malware Detected Summary; CCF: Physical Access Summary; CCF: Vulnerability Detected Summary | CCF: Unknown User Account Detail; CCF: Host Access Granted And Revoked Detail |
0125 | | | | | |
0133 | CCF: Corroborated Data Access Anomalies; CCF: Excessive Authentication Failure; CCF: Account Modification; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: FIM Abnormal Activity; CCF: FIM General Activity; CCF: FIM Information; CCF: Abnormal Amount of Data Transferred; CCF: Large Outbound Transfer; CCF: Critical Event After Attack; CCF: Data Destruction; CCF: Data Exfiltration Observed | CCF: FIM Delete Activity Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Time Sync Error Alarm | CCF: Applications Accessed By User Inv; CCF: Excessive Authentication Failure Inv; CCF: User Object Access Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Object Access Inv; CCF: Audit Log Inv; CCF: Critical Environment Error Inv; CCF: Time Sync Error Inv | CCF: Applications Accessed By User Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Modified Summary; CCF: User Object Access Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: Audit Log Summary; CCF: Critical Environment Error Summary; CCF: Time Sync Error Summary | |
1213 | CCF: Misuse; CCF: Social Media Event; CCF: Corroborated Account Anomalies; CCF: Disabled Account Auth Success; CCF: External Brute Force Auths; CCF: Local Account Created and Used; CCF: Password Modified by Admin; CCF: Admin Password Modified; CCF: Multiple Account Passwords Modified by Admin; CCF: Password Modified by Another User; CCF: Account Enabled; CCF: Account Disabled; CCF: Account Deleted; CCF: Account Modification; CCF: Excessive Authentication Failure; CCF: FIM Abnormal Activity; CCF: FIM Add Activity; CCF: FIM General Activity; CCF: Data Loss Prevention; CCF: Backup Information; CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Corroborated Data Access Anomalies; CCF: Config Modified; CCF: Software Install; CCF: Software Uninstall; CCF: FIM Information; CCF: Abnormal Amount of Data Transferred; CCF: Large Outbound Transfer; CCF: Linux sudo Privilege Escalation; CCF: Windows RunAs Privilege Escalation; CCF: Abnormal Origin Location; CCF: Attack then External Connection; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Blacklist Location Auth; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Single User; CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Critical Event After Attack; CCF: Data Destruction; CCF: Data Exfiltration Observed; CCF: Distributed Brute Force | CCF: Unknown User Account Alarm; CCF: Priv Group Access Granted Alarm; CCF: Privilege Escalation After Attack Alarm; CCF: Blacklisted Account Alarm; CCF: FIM Delete Activity Alarm; CCF: PRD Envir Config/Policy Change Alarm; CCF: Time Sync Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Software Install Fail Alarm; CCF: Software Uninstall Fail Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Early TLS/SSL Alarm; CCF: Backup Failure Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Compromises Detected Alarm; CCF: Malware Alarm; CCF: Vulnerability Detected Alarm; CCF: Denial Of Service Alarm | CCF: User Misuse Inv; CCF: Social Media Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Modification Inv; CCF: Account Enabled Inv; CCF: Account Disabled Inv; CCF: Account Deleted Inv; CCF: Account Modified Inv; CCF: Excessive Authentication Failure Inv; CCF: Password Modification Inv; CCF: Object Access Inv; CCF: Suspicious Users Inv; CCF: User Object Access Inv; CCF: GeoIP Inv; CCF: Backup Activity Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Config/Policy Change Inv; CCF: Patch Activity Inv; CCF: Time Sync Error Inv; CCF: Signature Activity Inv; CCF: Audit Log Inv; CCF: Applications Accessed By User Inv; CCF: Critical Environment Error Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Compromises Detected Inv; CCF: Host Access Granted And Revoked Inv; CCF: Rogue Access Point Inv; CCF: Suspected Wireless Attack Inv; CCF: Privileged Account Escalation Inv; CCF: Malware Detected Inv; CCF: Physical Access Inv; CCF: Vulnerability Detected Inv; CCF: Denial Of Service Inv | CCF: User Misuse Summary; CCF: Social Media Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modified Summary; CCF: Term Account Activity Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Object Access Summary; CCF: Top Suspicious Users; CCF: User Object Access Summary; CCF: GeoIP Summary; CCF: Backup Activity Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Config/Policy Change Summary; CCF: Patch Activity Summary; CCF: Time Sync Error Summary; CCF: Signature Activity Summary; CCF: Audit Log Summary; CCF: Applications Accessed By User Summary; CCF: Critical Environment Error Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: Compromises Detected Summary; CCF: Rogue Access Point Summary; CCF: Suspected Wireless Attack Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Malware Detected Summary; CCF: Physical Access Summary; CCF: Vulnerability Detected Summary | CCF: Unknown User Account Detail; CCF: Host Access Granted And Revoked Detail |
0138 | CCF: Config Modified; CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: FIM Abnormal Activity; CCF: FIM Add Activity; CCF: FIM General Activity; CCF: FIM Information; CCF: Abnormal Amount of Data Transferred; CCF: Large Outbound Transfer; CCF: Critical Event After Attack; CCF: Data Destruction; CCF: Data Exfiltration Observed; CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Backup Information | CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Time Sync Error Alarm; CCF: FIM Delete Activity Alarm; CCF: Denial Of Service Alarm; CCF: Blacklisted Account Alarm; CCF: Backup Failure Alarm | CCF: Audit Log Inv; CCF: Time Sync Error Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Object Access Inv; CCF: Critical Environment Error Inv; CCF: Denial Of Service Inv; CCF: GeoIP Inv; CCF: Suspicious Users Inv; CCF: User Object Access Inv; CCF: Backup Activity Inv | CCF: Audit Log Summary; CCF: Time Sync Error Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: Critical Environment Error Summary; CCF: GeoIP Summary; CCF: Top Suspicious Users; CCF: User Object Access Summary; CCF: Backup Activity Summary | |
0123 | CCF: Misuse; CCF: Social Media Event; CCF: Corroborated Account Anomalies; CCF: Disabled Account Auth Success; CCF: External Brute Force Auths; CCF: Local Account Created and Used; CCF: Password Modified by Admin; CCF: Admin Password Modified; CCF: Multiple Account Passwords Modified by Admin; CCF: Password Modified by Another User; CCF: Account Enabled; CCF: Account Disabled; CCF: Account Deleted; CCF: Account Modification; CCF: Excessive Authentication Failure; CCF: FIM Abnormal Activity; CCF: FIM Add Activity; CCF: FIM General Activity; CCF: Data Loss Prevention; CCF: Backup Information; CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Corroborated Data Access Anomalies; CCF: Config Modified; CCF: Software Install; CCF: Software Uninstall; CCF: FIM Information; CCF: Abnormal Amount of Data Transferred; CCF: Large Outbound Transfer; CCF: Linux sudo Privilege Escalation; CCF: Windows RunAs Privilege Escalation; CCF: Abnormal Origin Location; CCF: Attack then External Connection; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Blacklist Location Auth; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Single User; CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Critical Event After Attack; CCF: Data Destruction; CCF: Data Exfiltration Observed; CCF: Distributed Brute Force | CCF: Unknown User Account Alarm; CCF: Priv Group Access Granted Alarm; CCF: Privilege Escalation After Attack Alarm; CCF: Blacklisted Account Alarm; CCF: FIM Delete Activity Alarm; CCF: PRD Envir Config/Policy Change Alarm; CCF: Time Sync Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Software Install Fail Alarm; CCF: Software Uninstall Fail Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Early TLS/SSL Alarm; CCF: Backup Failure Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Compromises Detected Alarm; CCF: Malware Alarm; CCF: Vulnerability Detected Alarm; CCF: Denial Of Service Alarm | CCF: User Misuse Inv; CCF: Social Media Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Modification Inv; CCF: Account Enabled Inv; CCF: Account Disabled Inv; CCF: Account Deleted Inv; CCF: Account Modified Inv; CCF: Excessive Authentication Failure Inv; CCF: Password Modification Inv; CCF: Object Access Inv; CCF: Suspicious Users Inv; CCF: User Object Access Inv; CCF: GeoIP Inv; CCF: Backup Activity Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Config/Policy Change Inv; CCF: Patch Activity Inv; CCF: Time Sync Error Inv; CCF: Signature Activity Inv; CCF: Audit Log Inv; CCF: Applications Accessed By User Inv; CCF: Critical Environment Error Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Compromises Detected Inv; CCF: Host Access Granted And Revoked Inv; CCF: Rogue Access Point Inv; CCF: Suspected Wireless Attack Inv; CCF: Privileged Account Escalation Inv; CCF: Malware Detected Inv; CCF: Physical Access Inv; CCF: Vulnerability Detected Inv; CCF: Denial Of Service Inv | CCF: User Misuse Summary; CCF: Social Media Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modified Summary; CCF: Term Account Activity Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Object Access Summary; CCF: Top Suspicious Users; CCF: User Object Access Summary; CCF: GeoIP Summary; CCF: Backup Activity Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Config/Policy Change Summary; CCF: Patch Activity Summary; CCF: Time Sync Error Summary; CCF: Signature Activity Summary; CCF: Audit Log Summary; CCF: Applications Accessed By User Summary; CCF: Critical Environment Error Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: Compromises Detected Summary; CCF: Rogue Access Point Summary; CCF: Suspected Wireless Attack Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Malware Detected Summary; CCF: Physical Access Summary; CCF: Vulnerability Detected Summary | CCF: Unknown User Account Detail; CCF: Host Access Granted And Revoked Detail |
1053 | CCF: Excessive Authentication Failure | CCF: Priv Group Access Granted Alarm | CCF: Physical Access Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv | CCF: Physical Access Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary | |
1074 | CCF: Excessive Authentication Failure | CCF: Priv Group Access Granted Alarm | CCF: Physical Access Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv | CCF: Physical Access Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary | |
0157 | CCF: Abnormal Origin Location; CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity | CCF: Early TLS/SSL Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Rogue Access Point Alarm | CCF: Use Of Non-Encrypted Protocols Inv; CCF: Rogue Access Point Inv; CCF: Suspected Wireless Attack Inv; CCF: GeoIP Inv | CCF: Use Of Non-Encrypted Protocols Summary; CCF: Rogue Access Point Summary; CCF: Suspected Wireless Attack Summary; CCF: GeoIP Summary | |
1296 | | | CCF: Physical Access Inv | CCF: Physical Access Summary | |
1503 | CCF: Corroborated Data Access Anomalies; CCF: Excessive Authentication Failure; CCF: Account Modification; CCF: Account Deleted; CCF: Account Disabled; CCF: Account Enabled; CCF: Social Media Event; CCF: Disabled Account Auth Success; CCF: Corroborated Account Anomalies; CCF: Misuse; CCF: Local Account Created and Used; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Blacklist Location Auth; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Single User; CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Password Modified by Admin; CCF: Admin Password Modified; CCF: Multiple Account Passwords Modified by Admin; CCF: Password Modified by Another User; CCF: Linux sudo Privilege Escalation; CCF: Windows RunAs Privilege Escalation; CCF: FIM Abnormal Activity; CCF: FIM Add Activity; CCF: FIM General Activity; CCF: FIM Information; CCF: Abnormal Amount of Data Transferred; CCF: Large Outbound Transfer; CCF: Data Destruction; CCF: Data Exfiltration Observed | CCF: Unknown User Account Alarm; CCF: Blacklisted Account Alarm; CCF: Priv Group Access Granted Alarm; CCF: Privilege Escalation After Attack Alarm; CCF: FIM Delete Activity Alarm; CCF: LogRhythm Silent Log Source Error Alarm | CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modified Inv; CCF: Account Deleted Inv; CCF: Account Disabled Inv; CCF: Account Enabled Inv; CCF: Social Media Inv; CCF: User Misuse Inv; CCF: Unknown User Account Inv; CCF: GeoIP Inv; CCF: Suspicious Users Inv; CCF: User Object Access Inv; CCF: Password Modification Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Object Access Inv | CCF: Applications Accessed By User Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Modified Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Account Disabled Summary; CCF: Account Enabled Summary; CCF: Social Media Summary; CCF: User Misuse Summary; CCF: GeoIP Summary; CCF: Top Suspicious Users; CCF: User Object Access Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: User Priv Escalation (Windows) Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
0409 | CCF: Password Modified by Admin; CCF: Admin Password Modified; CCF: Multiple Account Passwords Modified by Admin; CCF: Password Modified by Another User; CCF: Linux sudo Privilege Escalation; CCF: Windows RunAs Privilege Escalation; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Blacklist Location Auth; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Single User; CCF: Excessive Authentication Failure; CCF: Corroborated Data Access Anomalies; CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Account Modification; CCF: Account Deleted; CCF: Account Disabled; CCF: Account Enabled; CCF: Social Media Event; CCF: Disabled Account Auth Success; CCF: Corroborated Account Anomalies; CCF: Misuse; CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm; CCF: Privilege Escalation After Attack Alarm; CCF: Blacklisted Account Alarm; CCF: Unknown User Account Alarm | CCF: Password Modification Inv; CCF: Applications Accessed By User Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: GeoIP Inv; CCF: Suspicious Users Inv; CCF: User Object Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modified Inv; CCF: Account Deleted Inv; CCF: Account Disabled Inv; CCF: Account Enabled Inv; CCF: Social Media Inv; CCF: User Misuse Inv; CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Applications Accessed By User Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: User Priv Escalation (Windows) Summary; CCF: GeoIP Summary; CCF: User Object Access Summary; CCF: Top Suspicious Users; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Modified Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Account Disabled Summary; CCF: Account Enabled Summary; CCF: Social Media Summary; CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
0411 | CCF: Password Modified by Admin; CCF: Admin Password Modified; CCF: Multiple Account Passwords Modified by Admin; CCF: Password Modified by Another User; CCF: Linux sudo Privilege Escalation; CCF: Windows RunAs Privilege Escalation; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Blacklist Location Auth; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Single User; CCF: Excessive Authentication Failure; CCF: Corroborated Data Access Anomalies; CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Account Modification; CCF: Account Deleted; CCF: Account Disabled; CCF: Account Enabled; CCF: Social Media Event; CCF: Disabled Account Auth Success; CCF: Corroborated Account Anomalies; CCF: Misuse; CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm; CCF: Privilege Escalation After Attack Alarm; CCF: Blacklisted Account Alarm; CCF: Unknown User Account Alarm | CCF: Password Modification Inv; CCF: Applications Accessed By User Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: GeoIP Inv; CCF: Suspicious Users Inv; CCF: User Object Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modified Inv; CCF: Account Deleted Inv; CCF: Account Disabled Inv; CCF: Account Enabled Inv; CCF: Social Media Inv; CCF: User Misuse Inv; CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Applications Accessed By User Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: User Priv Escalation (Windows) Summary; CCF: GeoIP Summary; CCF: User Object Access Summary; CCF: Top Suspicious Users; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Modified Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Account Disabled Summary; CCF: Account Enabled Summary; CCF: Social Media Summary; CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
0816 | CCF: Password Modified by Admin; CCF: Admin Password Modified; CCF: Multiple Account Passwords Modified by Admin; CCF: Password Modified by Another User; CCF: Linux sudo Privilege Escalation; CCF: Windows RunAs Privilege Escalation; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Blacklist Location Auth; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Single User; CCF: Excessive Authentication Failure; CCF: Corroborated Data Access Anomalies; CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Account Modification; CCF: Account Deleted; CCF: Account Disabled; CCF: Account Enabled; CCF: Social Media Event; CCF: Disabled Account Auth Success; CCF: Corroborated Account Anomalies; CCF: Misuse; CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm; CCF: Privilege Escalation After Attack Alarm; CCF: Blacklisted Account Alarm; CCF: Unknown User Account Alarm | CCF: Password Modification Inv; CCF: Applications Accessed By User Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: GeoIP Inv; CCF: Suspicious Users Inv; CCF: User Object Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modified Inv; CCF: Account Deleted Inv; CCF: Account Disabled Inv; CCF: Account Enabled Inv; CCF: Social Media Inv; CCF: User Misuse Inv; CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Applications Accessed By User Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: User Priv Escalation (Windows) Summary; CCF: GeoIP Summary; CCF: User Object Access Summary; CCF: Top Suspicious Users; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Modified Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Account Disabled Summary; CCF: Account Enabled Summary; CCF: Social Media Summary; CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
1508 | CCF: Password Modified by Admin; CCF: Admin Password Modified; CCF: Multiple Account Passwords Modified by Admin; CCF: Password Modified by Another User; CCF: Linux sudo Privilege Escalation; CCF: Windows RunAs Privilege Escalation; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Blacklist Location Auth; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Single User; CCF: Excessive Authentication Failure; CCF: Corroborated Data Access Anomalies; CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Account Modification; CCF: Account Deleted; CCF: Account Disabled; CCF: Account Enabled; CCF: Social Media Event; CCF: Disabled Account Auth Success; CCF: Corroborated Account Anomalies; CCF: Misuse; CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm; CCF: Privilege Escalation After Attack Alarm; CCF: Blacklisted Account Alarm; CCF: Unknown User Account Alarm | CCF: Password Modification Inv; CCF: Applications Accessed By User Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: GeoIP Inv; CCF: Suspicious Users Inv; CCF: User Object Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modified Inv; CCF: Account Deleted Inv; CCF: Account Disabled Inv; CCF: Account Enabled Inv; CCF: Social Media Inv; CCF: User Misuse Inv; CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Applications Accessed By User Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: User Priv Escalation (Windows) Summary; CCF: GeoIP Summary; CCF: User Object Access Summary; CCF: Top Suspicious Users; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Modified Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Account Disabled Summary; CCF: Account Enabled Summary; CCF: Social Media Summary; CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
0445 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1509 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used CCF: Config Modified CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary CCF: Audit Log Summary CCF: Time Sync Error Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1175 | CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Corroborated Account Anomalies CCF: Misuse | CCF: Blacklisted Account Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm | CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Social Media Summary CCF: User Misuse Summary CCF: Audit Log Summary CCF: Time Sync Error Summary | |
0446 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
0447 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
0448 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
0430 | CCF: Corroborated Data Access Anomalies CCF: Excessive Authentication Failure CCF: Account Modification CCF: Account Disabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm | CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: User Object Access Inv | CCF: Applications Accessed By User Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: User Object Access Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1404 | CCF: Corroborated Data Access Anomalies CCF: Excessive Authentication Failure CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm | CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: User Object Access Inv | CCF: Applications Accessed By User Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: User Misuse Summary CCF: User Object Access Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
0407 | CCF: Misuse CCF: Social Media Event CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: External Brute Force Auths CCF: Local Account Created and Used CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Account Enabled CCF: Account Disabled CCF: Account Deleted CCF: Account Modification CCF: Excessive Authentication Failure CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Backup Information CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Corroborated Data Access Anomalies CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Distributed Brute Force | CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: FIM Delete Activity Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Early TLS/SSL Alarm CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Compromises Detected Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Denial Of Service Alarm | CCF: User Misuse Inv CCF: Social Media Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Account Enabled Inv CCF: Account Disabled Inv CCF: Account Deleted Inv CCF: Account Modified Inv CCF: Excessive Authentication Failure Inv CCF: Password Modification Inv CCF: Object Access Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: GeoIP Inv CCF: Backup Activity Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Applications Accessed By User Inv CCF: Critical Environment Error Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Compromises Detected Inv CCF: Host Access Granted And Revoked Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Privileged Account Escalation Inv CCF: Malware Detected Inv CCF: Physical Access Inv CCF: Vulnerability Detected Inv CCF: Denial Of Service Inv | CCF: User Misuse Summary CCF: Social Media Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Object Access Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: Backup Activity Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Signature Activity Summary CCF: Audit Log Summary CCF: Applications Accessed By User Summary CCF: Critical Environment Error Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Malware Detected Summary CCF: Physical Access Summary CCF: Vulnerability Detected Summary | CCF: Unknown User Account Detail CCF: Host Access Granted And Revoked Detail |
0441 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
0443 | CCF: Account Modification CCF: Account Enabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Local Account Created and Used CCF: Corroborated Data Access Anomalies | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
0078 | CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Enabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Enabled Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
0854 | CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Enabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Enabled Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
0553 | CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity | CCF: Blacklisted Account Alarm | CCF: GeoIP Inv | CCF: GeoIP Summary | |
0555 | CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity | CCF: Blacklisted Account Alarm | CCF: GeoIP Inv | CCF: GeoIP Summary | |
1019 | | | | | |
0313 | CCF: FIM Abnormal Activity CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed | CCF: FIM Delete Activity Alarm | CCF: LogRhythm Data Loss Defender Log Inv | CCF: LogRhythm Data Loss Defender Log Summary | |
0311 | CCF: FIM Abnormal Activity CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed | CCF: FIM Delete Activity Alarm | CCF: LogRhythm Data Loss Defender Log Inv | CCF: LogRhythm Data Loss Defender Log Summary | |
0342 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed | CCF: FIM Delete Activity Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Denial Of Service Alarm CCF: Time Sync Error Alarm | CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Audit Log Inv CCF: Critical Environment Error Inv CCF: Denial Of Service Inv CCF: Time Sync Error Inv CCF: User Object Access Inv | CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Audit Log Summary CCF: Critical Environment Error Summary CCF: Time Sync Error Summary CCF: User Object Access Summary | |
1069 | CCF: FIM Abnormal Activity CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed | CCF: FIM Delete Activity Alarm | CCF: LogRhythm Data Loss Defender Log Inv | CCF: LogRhythm Data Loss Defender Log Summary | |
1469 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
0414 | CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User | CCF: Blacklisted Account Alarm | CCF: GeoIP Inv | CCF: GeoIP Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1538 | CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity | CCF: Blacklisted Account Alarm | CCF: GeoIP Inv | CCF: GeoIP Summary | |
0420 | CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity | CCF: Blacklisted Account Alarm | CCF: GeoIP Inv | CCF: GeoIP Summary | |
0975 | CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity | CCF: Blacklisted Account Alarm | CCF: GeoIP Inv | CCF: GeoIP Summary | |
0415 | CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity | CCF: Blacklisted Account Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm | CCF: GeoIP Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: GeoIP Summary CCF: Audit Log Summary CCF: Time Sync Error Summary | |
1403 | CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity CCF: Auth After Numerous Failed Auths CCF: Excessive Authentication Failure CCF: Disabled Account Auth Success CCF: External Brute Force Auths | CCF: Blacklisted Account Alarm | CCF: GeoIP Inv | CCF: GeoIP Summary | |
0431 | CCF: Excessive Authentication Failure CCF: Account Disabled CCF: Account Enabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Auth After Numerous Failed Auths CCF: Distributed Brute Force | | CCF: Excessive Authentication Failure Inv CCF: Account Disabled Inv CCF: Account Enabled Inv | CCF: Auth Failure Summary CCF: Account Modified Summary CCF: Account Disabled Summary CCF: Account Enabled Summary | |
1402 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: FIM Delete Activity Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm | CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Unknown User Account Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Audit Log Inv CCF: Time Sync Error Inv CCF: Use Of Non-Encrypted Protocols Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Object Access Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Audit Log Summary CCF: Time Sync Error Summary CCF: Use Of Non-Encrypted Protocols Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1380 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1473 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1382 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1387 | |||||
1144 | CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Critical Event After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Abnormal Amount of Data Transferred CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity | CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Compromises Detected Alarm CCF: Suspected Wireless Attack Alarm CCF: Denial Of Service Alarm CCF: Unknown User Account Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Compromises Detected Inv CCF: Suspected Wireless Attack Inv CCF: Denial Of Service Inv CCF: Suspicious Users Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: GeoIP Inv CCF: Unknown User Account Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Compromises Detected Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Top Suspicious Users | CCF: Unknown User Account Detail |
0940 | CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Critical Event After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Abnormal Amount of Data Transferred CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity | CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Compromises Detected Alarm CCF: Suspected Wireless Attack Alarm CCF: Denial Of Service Alarm CCF: Unknown User Account Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Compromises Detected Inv CCF: Suspected Wireless Attack Inv CCF: Denial Of Service Inv CCF: Suspicious Users Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: GeoIP Inv CCF: Unknown User Account Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Compromises Detected Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Top Suspicious Users | CCF: Unknown User Account Detail |
1472 | CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Critical Event After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Abnormal Amount of Data Transferred CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity | CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Compromises Detected Alarm CCF: Suspected Wireless Attack Alarm CCF: Denial Of Service Alarm CCF: Unknown User Account Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Compromises Detected Inv CCF: Suspected Wireless Attack Inv CCF: Denial Of Service Inv CCF: Suspicious Users Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: GeoIP Inv CCF: Unknown User Account Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Compromises Detected Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Top Suspicious Users | CCF: Unknown User Account Detail |
1494 | CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Critical Event After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Abnormal Amount of Data Transferred CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity | CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Compromises Detected Alarm CCF: Suspected Wireless Attack Alarm CCF: Denial Of Service Alarm CCF: Unknown User Account Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Compromises Detected Inv CCF: Suspected Wireless Attack Inv CCF: Denial Of Service Inv CCF: Suspicious Users Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: GeoIP Inv CCF: Unknown User Account Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Compromises Detected Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Top Suspicious Users | CCF: Unknown User Account Detail |
1495 | CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Critical Event After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Abnormal Amount of Data Transferred CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity | CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Compromises Detected Alarm CCF: Suspected Wireless Attack Alarm CCF: Denial Of Service Alarm CCF: Unknown User Account Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Compromises Detected Inv CCF: Suspected Wireless Attack Inv CCF: Denial Of Service Inv CCF: Suspicious Users Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: GeoIP Inv CCF: Unknown User Account Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Compromises Detected Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Top Suspicious Users | CCF: Unknown User Account Detail |
1496 | CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Critical Event After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Abnormal Amount of Data Transferred CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity | CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Compromises Detected Alarm CCF: Suspected Wireless Attack Alarm CCF: Denial Of Service Alarm CCF: Unknown User Account Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Compromises Detected Inv CCF: Suspected Wireless Attack Inv CCF: Denial Of Service Inv CCF: Suspicious Users Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: GeoIP Inv CCF: Unknown User Account Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Compromises Detected Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Top Suspicious Users | CCF: Unknown User Account Detail |
0300 | CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled | CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary | |
0298 | CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled | CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary | |
1497 | CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled | CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Audit Log Summary CCF: Time Sync Error Summary | |
1500 | CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled | CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Audit Log Summary CCF: Time Sync Error Summary | |
1211 | CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled | CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Audit Log Summary CCF: Time Sync Error Summary | |
0115 | CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled | CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary | |
1510 | CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Critical Event After Attack CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity | CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm CCF: Denial Of Service Alert CCF: FIM Delete Activity Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Denial Of Service Alarm CCF: Blacklisted Account Alarm | CCF: LogRhythm Data Loss Defender Log Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Object Access Inv CCF: Audit Log Inv CCF: Critical Environment Error Inv CCF: Denial Of Service Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv | CCF: LogRhythm Data Loss Defender Log Summary CCF: Backup Activity Summary CCF: Time Sync Error Summary CCF: Object Access Summary CCF: Audit Log Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Top Suspicious Users CCF: User Object Access Summary | |
1511 | CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Critical Event After Attack CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity | CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm CCF: Denial Of Service Alert CCF: FIM Delete Activity Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Denial Of Service Alarm CCF: Blacklisted Account Alarm | CCF: LogRhythm Data Loss Defender Log Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Object Access Inv CCF: Audit Log Inv CCF: Critical Environment Error Inv CCF: Denial Of Service Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv | CCF: LogRhythm Data Loss Defender Log Summary CCF: Backup Activity Summary CCF: Time Sync Error Summary CCF: Object Access Summary CCF: Audit Log Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Top Suspicious Users CCF: User Object Access Summary | |
1514 | CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information | CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm CCF: Denial Of Service Alert | CCF: LogRhythm Data Loss Defender Log Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv | CCF: LogRhythm Data Loss Defender Log Summary CCF: Backup Activity Summary CCF: Time Sync Error Summary | |
0580 | CCF: Misuse CCF: Social Media Event CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: External Brute Force Auths CCF: Local Account Created and Used CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Account Enabled CCF: Account Disabled CCF: Account Deleted CCF: Account Modification CCF: Excessive Authentication Failure CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Backup Information CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Corroborated Data Access Anomalies CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Distributed Brute Force | CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: FIM Delete Activity Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Early TLS/SSL Alarm CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Compromises Detected Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Denial Of Service Alarm | CCF: User Misuse Inv CCF: Social Media Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Account Enabled Inv CCF: Account Disabled Inv CCF: Account Deleted Inv CCF: Account Modified Inv CCF: Excessive Authentication Failure Inv CCF: Password Modification Inv CCF: Object Access Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: GeoIP Inv CCF: Backup Activity Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Applications Accessed By User Inv CCF: Critical Environment Error Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Compromises Detected Inv CCF: Host Access Granted And Revoked Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Privileged Account Escalation Inv CCF: Malware Detected Inv CCF: Physical Access Inv CCF: Vulnerability Detected Inv CCF: Denial Of Service Inv | CCF: User Misuse Summary CCF: Social Media Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Object Access Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: Backup Activity Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Signature Activity Summary CCF: Audit Log Summary CCF: Applications Accessed By User Summary CCF: Critical Environment Error Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Malware Detected Summary CCF: Physical Access Summary CCF: Vulnerability Detected Summary | CCF: Unknown User Account Detail CCF: Host Access Granted And Revoked Detail |
1405 | CCF: Misuse CCF: Social Media Event CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: External Brute Force Auths CCF: Local Account Created and Used CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Account Enabled CCF: Account Disabled CCF: Account Deleted CCF: Account Modification CCF: Excessive Authentication Failure CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Backup Information CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Corroborated Data Access Anomalies CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Distributed Brute Force | CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: FIM Delete Activity Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Early TLS/SSL Alarm CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Compromises Detected Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Denial Of Service Alarm | CCF: User Misuse Inv CCF: Social Media Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Account Enabled Inv CCF: Account Disabled Inv CCF: Account Deleted Inv CCF: Account Modified Inv CCF: Excessive Authentication Failure Inv CCF: Password Modification Inv CCF: Object Access Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: GeoIP Inv CCF: Backup Activity Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Applications Accessed By User Inv CCF: Critical Environment Error Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Compromises Detected Inv CCF: Host Access Granted And Revoked Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Privileged Account Escalation Inv CCF: Malware Detected Inv CCF: Physical Access Inv CCF: Vulnerability Detected Inv CCF: Denial Of Service Inv | CCF: User Misuse Summary CCF: Social Media Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Object Access Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: Backup Activity Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Signature Activity Summary CCF: Audit Log Summary CCF: Applications Accessed By User Summary CCF: Critical Environment Error Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Malware Detected Summary CCF: Physical Access Summary CCF: Vulnerability Detected Summary | CCF: Unknown User Account Detail CCF: Host Access Granted And Revoked Detail |
0988 | CCF: Time Sync Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm | CCF: Time Sync Error Inv CCF: Audit Log Inv | CCF: Time Sync Error Summary CCF: Audit Log Summary | ||
0584 | CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Blacklist Location Auth CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Audit Log Inv CCF: Time Sync Error Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary CCF: Priv Authentication Activity Summary CCF: Applications Accessed By User Summary CCF: GeoIP Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Term Account Activity Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
0582 | CCF: Misuse CCF: Social Media Event CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: External Brute Force Auths CCF: Local Account Created and Used CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Account Enabled CCF: Account Disabled CCF: Account Deleted CCF: Account Modification CCF: Excessive Authentication Failure CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Backup Information CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Corroborated Data Access Anomalies CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Distributed Brute Force CCF: Excessive Authentication Failure | CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: FIM Delete Activity Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Early TLS/SSL Alarm CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Compromises Detected Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Denial Of Service Alarm | CCF: User Misuse Inv CCF: Social Media Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Account Enabled Inv CCF: Account Disabled Inv CCF: Account Deleted Inv CCF: Account Modified Inv CCF: Excessive Authentication Failure Inv CCF: Password Modification Inv CCF: Object Access Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: GeoIP Inv CCF: Backup Activity Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Applications Accessed By User Inv CCF: Critical Environment Error Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Compromises Detected Inv CCF: Host Access Granted And Revoked Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Privileged Account Escalation Inv CCF: Malware Detected Inv CCF: Physical Access Inv CCF: Vulnerability Detected Inv CCF: Denial Of Service Inv | CCF: User Misuse Summary CCF: Social Media Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Object Access Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: Backup Activity Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Signature Activity Summary CCF: Audit Log Summary CCF: Applications Accessed By User Summary CCF: Critical Environment Error Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Malware Detected Summary CCF: Physical Access Summary CCF: Vulnerability Detected Summary | CCF: Unknown User Account Detail CCF: Host Access Granted And Revoked Detail |
1536 | CCF: Misuse CCF: Social Media Event CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: External Brute Force Auths CCF: Local Account Created and Used CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Account Enabled CCF: Account Disabled CCF: Account Deleted CCF: Account Modification CCF: Excessive Authentication Failure CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Backup Information CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Corroborated Data Access Anomalies CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Distributed Brute Force CCF: Excessive Authentication Failure | CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: FIM Delete Activity Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Early TLS/SSL Alarm CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Compromises Detected Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Denial Of Service Alarm | CCF: User Misuse Inv CCF: Social Media Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Account Enabled Inv CCF: Account Disabled Inv CCF: Account Deleted Inv CCF: Account Modified Inv CCF: Excessive Authentication Failure Inv CCF: Password Modification Inv CCF: Object Access Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: GeoIP Inv CCF: Backup Activity Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Applications Accessed By User Inv CCF: Critical Environment Error Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Compromises Detected Inv CCF: Host Access Granted And Revoked Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Privileged Account Escalation Inv CCF: Malware Detected Inv CCF: Physical Access Inv CCF: Vulnerability Detected Inv CCF: Denial Of Service Inv | CCF: User Misuse Summary CCF: Social Media Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Object Access Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: Backup Activity Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Signature Activity Summary CCF: Audit Log Summary CCF: Applications Accessed By User Summary CCF: Critical Environment Error Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Malware Detected Summary CCF: Physical Access Summary CCF: Vulnerability Detected Summary | CCF: Unknown User Account Detail CCF: Host Access Granted And Revoked Detail |
1537 | CCF: Misuse CCF: Social Media Event CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: External Brute Force Auths CCF: Local Account Created and Used CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Account Enabled CCF: Account Disabled CCF: Account Deleted CCF: Account Modification CCF: Excessive Authentication Failure CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Backup Information CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Corroborated Data Access Anomalies CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Distributed Brute Force CCF: Excessive Authentication Failure | CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: FIM Delete Activity Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Early TLS/SSL Alarm CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Compromises Detected Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Denial Of Service Alarm | CCF: User Misuse Inv CCF: Social Media Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Account Enabled Inv CCF: Account Disabled Inv CCF: Account Deleted Inv CCF: Account Modified Inv CCF: Excessive Authentication Failure Inv CCF: Password Modification Inv CCF: Object Access Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: GeoIP Inv CCF: Backup Activity Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Applications Accessed By User Inv CCF: Critical Environment Error Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Compromises Detected Inv CCF: Host Access Granted And Revoked Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Privileged Account Escalation Inv CCF: Malware Detected Inv CCF: Physical Access Inv CCF: Vulnerability Detected Inv CCF: Denial Of Service Inv | CCF: User Misuse Summary CCF: Social Media Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Object Access Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: Backup Activity Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Signature Activity Summary CCF: Audit Log Summary CCF: Applications Accessed By User Summary CCF: Critical Environment Error Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Malware Detected Summary CCF: Physical Access Summary CCF: Vulnerability Detected Summary | CCF: Unknown User Account Detail CCF: Host Access Granted And Revoked Detail |
0585 | CCF: Misuse CCF: Social Media Event CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: External Brute Force Auths CCF: Local Account Created and Used CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Account Enabled CCF: Account Disabled CCF: Account Deleted CCF: Account Modification CCF: Excessive Authentication Failure CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Backup Information CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Corroborated Data Access Anomalies CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Distributed Brute Force CCF: Excessive Authentication Failure | CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: FIM Delete Activity Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Early TLS/SSL Alarm CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Compromises Detected Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Denial Of Service Alarm | CCF: User Misuse Inv CCF: Social Media Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Account Enabled Inv CCF: Account Disabled Inv CCF: Account Deleted Inv CCF: Account Modified Inv CCF: Excessive Authentication Failure Inv CCF: Password Modification Inv CCF: Object Access Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: GeoIP Inv CCF: Backup Activity Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Applications Accessed By User Inv CCF: Critical Environment Error Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Compromises Detected Inv CCF: Host Access Granted And Revoked Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Privileged Account Escalation Inv CCF: Malware Detected Inv CCF: Physical Access Inv CCF: Vulnerability Detected Inv CCF: Denial Of Service Inv | CCF: User Misuse Summary CCF: Social Media Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Object Access Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: Backup Activity Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Signature Activity Summary CCF: Audit Log Summary CCF: Applications Accessed By User Summary CCF: Critical Environment Error Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Malware Detected Summary CCF: Physical Access Summary CCF: Vulnerability Detected Summary | CCF: Unknown User Account Detail CCF: Host Access Granted And Revoked Detail |
0586 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity | CCF: FIM Delete Activity Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Denial Of Service Alarm CCF: Time Sync Error Alarm CCF: Blacklisted Account Alarm | CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Audit Log Inv CCF: Critical Environment Error Inv CCF: Denial Of Service Inv CCF: Time Sync Error Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv | CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Audit Log Summary CCF: Critical Environment Error Summary CCF: Time Sync Error Summary CCF: GeoIP Summary CCF: Top Suspicious Users CCF: User Object Access Summary | |
0859 | CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information | CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm CCF: Denial Of Service Alert | CCF: LogRhythm Data Loss Defender Log Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv | CCF: LogRhythm Data Loss Defender Log Summary CCF: Backup Activity Summary CCF: Time Sync Error Summary | |
0991 | CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information | CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm CCF: Denial Of Service Alert | CCF: LogRhythm Data Loss Defender Log Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv | CCF: LogRhythm Data Loss Defender Log Summary CCF: Backup Activity Summary CCF: Time Sync Error Summary | |
0109 | CCF: Config Modified CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled | CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm | CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary | |
1228 | CCF: Misuse CCF: Social Media Event CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: External Brute Force Auths CCF: Local Account Created and Used CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Account Enabled CCF: Account Disabled CCF: Account Deleted CCF: Account Modification CCF: Excessive Authentication Failure CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Backup Information CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Corroborated Data Access Anomalies CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Distributed Brute Force CCF: Excessive Authentication Failure | CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: FIM Delete Activity Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Early TLS/SSL Alarm CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Compromises Detected Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Denial Of Service Alarm | CCF: User Misuse Inv CCF: Social Media Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Account Enabled Inv CCF: Account Disabled Inv CCF: Account Deleted Inv CCF: Account Modified Inv CCF: Excessive Authentication Failure Inv CCF: Password Modification Inv CCF: Object Access Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: GeoIP Inv CCF: Backup Activity Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Applications Accessed By User Inv CCF: Critical Environment Error Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Compromises Detected Inv CCF: Host Access Granted And Revoked Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Privileged Account Escalation Inv CCF: Malware Detected Inv CCF: Physical Access Inv CCF: Vulnerability Detected Inv CCF: Denial Of Service Inv | CCF: User Misuse Summary CCF: Social Media Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Object Access Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: Backup Activity Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Signature Activity Summary CCF: Audit Log Summary CCF: Applications Accessed By User Summary CCF: Critical Environment Error Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Malware Detected Summary CCF: Physical Access Summary CCF: Vulnerability Detected Summary | CCF: Unknown User Account Detail CCF: Host Access Granted And Revoked Detail |
1422 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1277 | CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | ||
1262 | CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User | CCF: Blacklisted Account Alarm | CCF: GeoIP Inv | CCF: GeoIP Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1261 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1263 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1264 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1256 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity | CCF: FIM Delete Activity Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Denial Of Service Alarm CCF: Time Sync Error Alarm | CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Audit Log Inv CCF: Critical Environment Error Inv CCF: Denial Of Service Inv CCF: Time Sync Error Inv CCF: GeoIP Inv CCF: User Object Access Inv | CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Audit Log Summary CCF: Critical Environment Error Summary CCF: Time Sync Error Summary CCF: GeoIP Summary CCF: User Object Access Summary | |
1255 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Denial Of Service Alarm CCF: Time Sync Error Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Audit Log Inv CCF: Critical Environment Error Inv CCF: Denial Of Service Inv CCF: Time Sync Error Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Audit Log Summary CCF: Critical Environment Error Summary CCF: Time Sync Error Summary CCF: User Object Access Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1268 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used CCF: Config Modified CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary CCF: Audit Log Summary CCF: Time Sync Error Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1182 | #N/A | #N/A | #N/A | #N/A | #N/A |
1301 | | CCF: Rogue Access Point Alarm | CCF: Rogue Access Point Inv | CCF: Rogue Access Point Summary | |
1435 | | CCF: Denial Of Service Alarm | CCF: Denial Of Service Inv | | |
1139 | | CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Rogue Access Point Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Rogue Access Point Summary | |
0670 | CCF: Misuse CCF: Social Media Event CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: External Brute Force Auths CCF: Local Account Created and Used CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Account Enabled CCF: Account Disabled CCF: Account Deleted CCF: Account Modification CCF: Excessive Authentication Failure CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Backup Information CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Corroborated Data Access Anomalies CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Distributed Brute Force | CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: FIM Delete Activity Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Early TLS/SSL Alarm CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Compromises Detected Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Denial Of Service Alarm | CCF: User Misuse Inv CCF: Social Media Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Account Enabled Inv CCF: Account Disabled Inv CCF: Account Deleted Inv CCF: Account Modified Inv CCF: Excessive Authentication Failure Inv CCF: Password Modification Inv CCF: Object Access Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: GeoIP Inv CCF: Backup Activity Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Applications Accessed By User Inv CCF: Critical Environment Error Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Compromises Detected Inv CCF: Host Access Granted And Revoked Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Privileged Account Escalation Inv CCF: Malware Detected Inv CCF: Physical Access Inv CCF: Vulnerability Detected Inv CCF: Denial Of Service Inv | CCF: User Misuse Summary CCF: Social Media Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Object Access Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: Backup Activity Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Signature Activity Summary CCF: Audit Log Summary CCF: Applications Accessed By User Summary CCF: Critical Environment Error Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Malware Detected Summary CCF: Physical Access Summary CCF: Vulnerability Detected Summary | CCF: Unknown User Account Detail CCF: Host Access Granted And Revoked Detail |
Control Name | Rules | AIE Alerts | Investigations | Summary Reports | Detailed Reports |
---|---|---|---|---|---|
1526 | CCF: Misuse CCF: Social Media Event CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: External Brute Force Auths CCF: Local Account Created and Used CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Account Enabled CCF: Account Disabled CCF: Account Deleted CCF: Account Modification CCF: Excessive Authentication Failure CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Backup Information CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Corroborated Data Access Anomalies CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Distributed Brute Force | CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: FIM Delete Activity Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Early TLS/SSL Alarm CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Compromises Detected Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Denial Of Service Alarm | CCF: User Misuse Inv CCF: Social Media Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Account Enabled Inv CCF: Account Disabled Inv CCF: Account Deleted Inv CCF: Account Modified Inv CCF: Excessive Authentication Failure Inv CCF: Password Modification Inv CCF: Object Access Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: GeoIP Inv CCF: Backup Activity Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Applications Accessed By User Inv CCF: Critical Environment Error Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Compromises Detected Inv CCF: Host Access Granted And Revoked Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Privileged Account Escalation Inv CCF: Malware Detected Inv CCF: Physical Access Inv CCF: Vulnerability Detected Inv CCF: Denial Of Service Inv | CCF: User Misuse Summary CCF: Social Media Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Object Access Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: Backup Activity Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Signature Activity Summary CCF: Audit Log Summary CCF: Applications Accessed By User Summary CCF: Critical Environment Error Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Malware Detected Summary CCF: Physical Access Summary CCF: Vulnerability Detected Summary | CCF: Unknown User Account Detail CCF: Host Access Granted And Revoked Detail |
0120 | CCF: Misuse CCF: Social Media Event CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: External Brute Force Auths CCF: Local Account Created and Used CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Account Enabled CCF: Account Disabled CCF: Account Deleted CCF: Account Modification CCF: Excessive Authentication Failure CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Backup Information CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Corroborated Data Access Anomalies CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Distributed Brute Force CCF: Excessive Authentication Failure | CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: FIM Delete Activity Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Early TLS/SSL Alarm CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Compromises Detected Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Denial Of Service Alarm | CCF: User Misuse Inv CCF: Social Media Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Account Enabled Inv CCF: Account Disabled Inv CCF: Account Deleted Inv CCF: Account Modified Inv CCF: Excessive Authentication Failure Inv CCF: Password Modification Inv CCF: Object Access Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: GeoIP Inv CCF: Backup Activity Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Applications Accessed By User Inv CCF: Critical Environment Error Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Compromises Detected Inv CCF: Host Access Granted And Revoked Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Privileged Account Escalation Inv CCF: Malware Detected Inv CCF: Physical Access Inv CCF: Vulnerability Detected Inv CCF: Denial Of Service Inv | CCF: User Misuse Summary CCF: Social Media Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Object Access Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: Backup Activity Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Signature Activity Summary CCF: Audit Log Summary CCF: Applications Accessed By User Summary CCF: Critical Environment Error Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Malware Detected Summary CCF: Physical Access Summary CCF: Vulnerability Detected Summary | CCF: Unknown User Account Detail CCF: Host Access Granted And Revoked Detail |
0125 | | | | | |
0133 | CCF: Corroborated Data Access Anomalies CCF: Excessive Authentication Failure CCF: Account Modification CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: FIM Abnormal Activity CCF: FIM General Activity CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed | CCF: FIM Delete Activity Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm | CCF: Applications Accessed By User Inv CCF: Excessive Authentication Failure Inv CCF: User Object Access Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Audit Log Inv CCF: Critical Environment Error Inv CCF: Time Sync Error Inv | CCF: Applications Accessed By User Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: User Object Access Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Audit Log Summary CCF: Critical Environment Error Summary CCF: Time Sync Error Summary | |
1213 | CCF: Misuse CCF: Social Media Event CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: External Brute Force Auths CCF: Local Account Created and Used CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Account Enabled CCF: Account Disabled CCF: Account Deleted CCF: Account Modification CCF: Excessive Authentication Failure CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Backup Information CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Corroborated Data Access Anomalies CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Distributed Brute Force | CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: FIM Delete Activity Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Early TLS/SSL Alarm CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Compromises Detected Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Denial Of Service Alarm | CCF: User Misuse Inv CCF: Social Media Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Account Enabled Inv CCF: Account Disabled Inv CCF: Account Deleted Inv CCF: Account Modified Inv CCF: Excessive Authentication Failure Inv CCF: Password Modification Inv CCF: Object Access Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: GeoIP Inv CCF: Backup Activity Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Applications Accessed By User Inv CCF: Critical Environment Error Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Compromises Detected Inv CCF: Host Access Granted And Revoked Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Privileged Account Escalation Inv CCF: Malware Detected Inv CCF: Physical Access Inv CCF: Vulnerability Detected Inv CCF: Denial Of Service Inv | CCF: User Misuse Summary CCF: Social Media Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Object Access Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: Backup Activity Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Signature Activity Summary CCF: Audit Log Summary CCF: Applications Accessed By User Summary CCF: Critical Environment Error Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Malware Detected Summary CCF: Physical Access Summary CCF: Vulnerability Detected Summary | CCF: Unknown User Account Detail CCF: Host Access Granted And Revoked Detail |
0138 | CCF: Config Modified CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Backup Information | CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm CCF: FIM Delete Activity Alarm CCF: Denial Of Service Alarm CCF: Blacklisted Account Alarm CCF: Backup Failure Alarm | CCF: Audit Log Inv CCF: Time Sync Error Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Critical Environment Error Inv CCF: Denial Of Service Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Backup Activity Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: Backup Activity Summary | |
0123 | CCF: Misuse CCF: Social Media Event CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: External Brute Force Auths CCF: Local Account Created and Used CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Account Enabled CCF: Account Disabled CCF: Account Deleted CCF: Account Modification CCF: Excessive Authentication Failure CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Backup Information CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Corroborated Data Access Anomalies CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Distributed Brute Force | CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: FIM Delete Activity Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Early TLS/SSL Alarm CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Compromises Detected Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Denial Of Service Alarm | CCF: User Misuse Inv CCF: Social Media Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Account Enabled Inv CCF: Account Disabled Inv CCF: Account Deleted Inv CCF: Account Modified Inv CCF: Excessive Authentication Failure Inv CCF: Password Modification Inv CCF: Object Access Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: GeoIP Inv CCF: Backup Activity Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Applications Accessed By User Inv CCF: Critical Environment Error Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Compromises Detected Inv CCF: Host Access Granted And Revoked Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Privileged Account Escalation Inv CCF: Malware Detected Inv CCF: Physical Access Inv CCF: Vulnerability Detected Inv CCF: Denial Of Service Inv | CCF: User Misuse Summary CCF: Social Media Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Object Access Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: Backup Activity Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Signature Activity Summary CCF: Audit Log Summary CCF: Applications Accessed By User Summary CCF: Critical Environment Error Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Malware Detected Summary CCF: Physical Access Summary CCF: Vulnerability Detected Summary | CCF: Unknown User Account Detail CCF: Host Access Granted And Revoked Detail |
1053 | CCF: Excessive Authentication Failure | CCF: Priv Group Access Granted Alarm | CCF: Physical Access Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv | CCF: Physical Access Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary | |
1074 | CCF: Excessive Authentication Failure | CCF: Priv Group Access Granted Alarm | CCF: Physical Access Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv | CCF: Physical Access Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary | |
0157 | CCF: Abnormal Origin Location CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity | CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: GeoIP Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: GeoIP Summary | |
1296 | | | CCF: Physical Access Inv | CCF: Physical Access Summary | |
1503 | CCF: Corroborated Data Access Anomalies CCF: Excessive Authentication Failure CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed | CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm | CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Password Modification Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv | CCF: Applications Accessed By User Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
0409 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
0411 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
0816 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1508 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
0445 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1509 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used CCF: Config Modified CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary CCF: Audit Log Summary CCF: Time Sync Error Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1175 | CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Corroborated Account Anomalies CCF: Misuse | CCF: Blacklisted Account Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm | CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Social Media Summary CCF: User Misuse Summary CCF: Audit Log Summary CCF: Time Sync Error Summary | |
0446 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
0447 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
0448 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
0430 | CCF: Corroborated Data Access Anomalies CCF: Excessive Authentication Failure CCF: Account Modification CCF: Account Disabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm | CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: User Object Access Inv | CCF: Applications Accessed By User Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: User Object Access Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1404 | CCF: Corroborated Data Access Anomalies CCF: Excessive Authentication Failure CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm | CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: User Object Access Inv | CCF: Applications Accessed By User Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: User Misuse Summary CCF: User Object Access Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
0407 | CCF: Misuse CCF: Social Media Event CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: External Brute Force Auths CCF: Local Account Created and Used CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Account Enabled CCF: Account Disabled CCF: Account Deleted CCF: Account Modification CCF: Excessive Authentication Failure CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Backup Information CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Corroborated Data Access Anomalies CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Distributed Brute Force | CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: FIM Delete Activity Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Early TLS/SSL Alarm CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Compromises Detected Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Denial Of Service Alarm | CCF: User Misuse Inv CCF: Social Media Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Account Enabled Inv CCF: Account Disabled Inv CCF: Account Deleted Inv CCF: Account Modified Inv CCF: Excessive Authentication Failure Inv CCF: Password Modification Inv CCF: Object Access Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: GeoIP Inv CCF: Backup Activity Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Applications Accessed By User Inv CCF: Critical Environment Error Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Compromises Detected Inv CCF: Host Access Granted And Revoked Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Privileged Account Escalation Inv CCF: Malware Detected Inv CCF: Physical Access Inv CCF: Vulnerability Detected Inv CCF: Denial Of Service Inv | CCF: User Misuse Summary CCF: Social Media Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Object Access Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: Backup Activity Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Signature Activity Summary CCF: Audit Log Summary CCF: Applications Accessed By User Summary CCF: Critical Environment Error Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Malware Detected Summary CCF: Physical Access Summary CCF: Vulnerability Detected Summary | CCF: Unknown User Account Detail CCF: Host Access Granted And Revoked Detail |
0441 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
0443 | CCF: Account Modification CCF: Account Enabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Local Account Created and Used CCF: Corroborated Data Access Anomalies | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
0078 | CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Enabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Enabled Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
0854 | CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Enabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Enabled Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
0553 | CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity | CCF: Blacklisted Account Alarm | CCF: GeoIP Inv | CCF: GeoIP Summary | |
0555 | CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity | CCF: Blacklisted Account Alarm | CCF: GeoIP Inv | CCF: GeoIP Summary | |
1019 | |||||
0313 | CCF: FIM Abnormal Activity CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed | CCF: FIM Delete Activity Alarm | CCF: LogRhythm Data Loss Defender Log Inv | CCF: LogRhythm Data Loss Defender Log Summary | |
0311 | CCF: FIM Abnormal Activity CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed | CCF: FIM Delete Activity Alarm | CCF: LogRhythm Data Loss Defender Log Inv | CCF: LogRhythm Data Loss Defender Log Summary | |
0342 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed | CCF: FIM Delete Activity Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Denial Of Service Alarm CCF: Time Sync Error Alarm | CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Audit Log Inv CCF: Critical Environment Error Inv CCF: Denial Of Service Inv CCF: Time Sync Error Inv CCF: User Object Access Inv | CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Audit Log Summary CCF: Critical Environment Error Summary CCF: Time Sync Error Summary CCF: User Object Access Summary | |
1069 | CCF: FIM Abnormal Activity CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed | CCF: FIM Delete Activity Alarm | CCF: LogRhythm Data Loss Defender Log Inv | CCF: LogRhythm Data Loss Defender Log Summary | |
1469 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
0414 | CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User | CCF: Blacklisted Account Alarm | CCF: GeoIP Inv | CCF: GeoIP Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1538 | CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity | CCF: Blacklisted Account Alarm | CCF: GeoIP Inv | CCF: GeoIP Summary | |
0420 | CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity | CCF: Blacklisted Account Alarm | CCF: GeoIP Inv | CCF: GeoIP Summary | |
0975 | CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity | CCF: Blacklisted Account Alarm | CCF: GeoIP Inv | CCF: GeoIP Summary | |
0415 | CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity | CCF: Blacklisted Account Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm | CCF: GeoIP Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: GeoIP Summary CCF: Audit Log Summary CCF: Time Sync Error Summary | |
1403 | CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity CCF: Auth After Numerous Failed Auths CCF: Excessive Authentication Failure CCF: Disabled Account Auth Success CCF: External Brute Force Auths | CCF: Blacklisted Account Alarm | CCF: GeoIP Inv | CCF: GeoIP Summary | |
0431 | CCF: Excessive Authentication Failure CCF: Account Disabled CCF: Account Enabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Auth After Numerous Failed Auths CCF: Distributed Brute Force | | CCF: Excessive Authentication Failure Inv CCF: Account Disabled Inv CCF: Account Enabled Inv | CCF: Auth Failure Summary CCF: Account Modified Summary CCF: Account Disabled Summary CCF: Account Enabled Summary | |
1402 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Unknown User Account Alarm CCF: FIM Delete Activity Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm | CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Unknown User Account Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Audit Log Inv CCF: Time Sync Error Inv CCF: Use Of Non-Encrypted Protocols Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Object Access Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Audit Log Summary CCF: Time Sync Error Summary CCF: Use Of Non-Encrypted Protocols Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1380 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1473 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1382 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1387 | |||||
1144 | CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Critical Event After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Abnormal Amount of Data Transferred CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity | CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Compromises Detected Alarm CCF: Suspected Wireless Attack Alarm CCF: Denial Of Service Alarm CCF: Unknown User Account Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Compromises Detected Inv CCF: Suspected Wireless Attack Inv CCF: Denial Of Service Inv CCF: Suspicious Users Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: GeoIP Inv CCF: Unknown User Account Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Compromises Detected Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Top Suspicious Users | CCF: Unknown User Account Detail |
0940 | CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Critical Event After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Abnormal Amount of Data Transferred CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity | CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Compromises Detected Alarm CCF: Suspected Wireless Attack Alarm CCF: Denial Of Service Alarm CCF: Unknown User Account Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Compromises Detected Inv CCF: Suspected Wireless Attack Inv CCF: Denial Of Service Inv CCF: Suspicious Users Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: GeoIP Inv CCF: Unknown User Account Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Compromises Detected Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Top Suspicious Users | CCF: Unknown User Account Detail |
1472 | CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Critical Event After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Abnormal Amount of Data Transferred CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity | CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Compromises Detected Alarm CCF: Suspected Wireless Attack Alarm CCF: Denial Of Service Alarm CCF: Unknown User Account Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Compromises Detected Inv CCF: Suspected Wireless Attack Inv CCF: Denial Of Service Inv CCF: Suspicious Users Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: GeoIP Inv CCF: Unknown User Account Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Compromises Detected Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Top Suspicious Users | CCF: Unknown User Account Detail |
1494 | CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Critical Event After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Abnormal Amount of Data Transferred CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity | CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Compromises Detected Alarm CCF: Suspected Wireless Attack Alarm CCF: Denial Of Service Alarm CCF: Unknown User Account Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Compromises Detected Inv CCF: Suspected Wireless Attack Inv CCF: Denial Of Service Inv CCF: Suspicious Users Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: GeoIP Inv CCF: Unknown User Account Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Compromises Detected Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Top Suspicious Users | CCF: Unknown User Account Detail |
1495 | CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Critical Event After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Abnormal Amount of Data Transferred CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity | CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Compromises Detected Alarm CCF: Suspected Wireless Attack Alarm CCF: Denial Of Service Alarm CCF: Unknown User Account Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Compromises Detected Inv CCF: Suspected Wireless Attack Inv CCF: Denial Of Service Inv CCF: Suspicious Users Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: GeoIP Inv CCF: Unknown User Account Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Compromises Detected Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Top Suspicious Users | CCF: Unknown User Account Detail |
1496 | CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Critical Event After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Abnormal Amount of Data Transferred CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity | CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Compromises Detected Alarm CCF: Suspected Wireless Attack Alarm CCF: Denial Of Service Alarm CCF: Unknown User Account Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Compromises Detected Inv CCF: Suspected Wireless Attack Inv CCF: Denial Of Service Inv CCF: Suspicious Users Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: GeoIP Inv CCF: Unknown User Account Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Compromises Detected Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Top Suspicious Users | CCF: Unknown User Account Detail |
0300 | CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled | CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary | |
0298 | CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled | CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary | |
1497 | CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled | CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Audit Log Summary CCF: Time Sync Error Summary | |
1500 | CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled | CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Audit Log Summary CCF: Time Sync Error Summary | |
1211 | CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled | CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Audit Log Summary CCF: Time Sync Error Summary | |
0115 | CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled | CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary | |
1510 | CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Critical Event After Attack CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity | CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm CCF: Denial Of Service Alert CCF: FIM Delete Activity Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Denial Of Service Alarm CCF: Blacklisted Account Alarm | CCF: LogRhythm Data Loss Defender Log Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Object Access Inv CCF: Audit Log Inv CCF: Critical Environment Error Inv CCF: Denial Of Service Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv | CCF: LogRhythm Data Loss Defender Log Summary CCF: Backup Activity Summary CCF: Time Sync Error Summary CCF: Object Access Summary CCF: Audit Log Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Top Suspicious Users CCF: User Object Access Summary | |
1511 | CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Critical Event After Attack CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity | CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm CCF: Denial Of Service Alert CCF: FIM Delete Activity Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Denial Of Service Alarm CCF: Blacklisted Account Alarm | CCF: LogRhythm Data Loss Defender Log Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Object Access Inv CCF: Audit Log Inv CCF: Critical Environment Error Inv CCF: Denial Of Service Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv | CCF: LogRhythm Data Loss Defender Log Summary CCF: Backup Activity Summary CCF: Time Sync Error Summary CCF: Object Access Summary CCF: Audit Log Summary CCF: Critical Environment Error Summary CCF: GeoIP Summary CCF: Top Suspicious Users CCF: User Object Access Summary | |
1514 | CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information | CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm CCF: Denial Of Service Alert | CCF: LogRhythm Data Loss Defender Log Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv | CCF: LogRhythm Data Loss Defender Log Summary CCF: Backup Activity Summary CCF: Time Sync Error Summary | |
0580 | CCF: Misuse CCF: Social Media Event CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: External Brute Force Auths CCF: Local Account Created and Used CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Account Enabled CCF: Account Disabled CCF: Account Deleted CCF: Account Modification CCF: Excessive Authentication Failure CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Backup Information CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Corroborated Data Access Anomalies CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Distributed Brute Force | CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: FIM Delete Activity Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Early TLS/SSL Alarm CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Compromises Detected Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Denial Of Service Alarm | CCF: User Misuse Inv CCF: Social Media Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Account Enabled Inv CCF: Account Disabled Inv CCF: Account Deleted Inv CCF: Account Modified Inv CCF: Excessive Authentication Failure Inv CCF: Password Modification Inv CCF: Object Access Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: GeoIP Inv CCF: Backup Activity Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Applications Accessed By User Inv CCF: Critical Environment Error Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Compromises Detected Inv CCF: Host Access Granted And Revoked Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Privileged Account Escalation Inv CCF: Malware Detected Inv CCF: Physical Access Inv CCF: Vulnerability Detected Inv CCF: Denial Of Service Inv | CCF: User Misuse Summary CCF: Social Media Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Object Access Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: Backup Activity Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Signature Activity Summary CCF: Audit Log Summary CCF: Applications Accessed By User Summary CCF: Critical Environment Error Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Malware Detected Summary CCF: Physical Access Summary CCF: Vulnerability Detected Summary | CCF: Unknown User Account Detail CCF: Host Access Granted And Revoked Detail |
1405 | CCF: Misuse CCF: Social Media Event CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: External Brute Force Auths CCF: Local Account Created and Used CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Account Enabled CCF: Account Disabled CCF: Account Deleted CCF: Account Modification CCF: Excessive Authentication Failure CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Backup Information CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Corroborated Data Access Anomalies CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Distributed Brute Force | CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: FIM Delete Activity Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Early TLS/SSL Alarm CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Compromises Detected Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Denial Of Service Alarm | CCF: User Misuse Inv CCF: Social Media Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Account Enabled Inv CCF: Account Disabled Inv CCF: Account Deleted Inv CCF: Account Modified Inv CCF: Excessive Authentication Failure Inv CCF: Password Modification Inv CCF: Object Access Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: GeoIP Inv CCF: Backup Activity Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Applications Accessed By User Inv CCF: Critical Environment Error Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Compromises Detected Inv CCF: Host Access Granted And Revoked Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Privileged Account Escalation Inv CCF: Malware Detected Inv CCF: Physical Access Inv CCF: Vulnerability Detected Inv CCF: Denial Of Service Inv | CCF: User Misuse Summary CCF: Social Media Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Object Access Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: Backup Activity Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Signature Activity Summary CCF: Audit Log Summary CCF: Applications Accessed By User Summary CCF: Critical Environment Error Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Malware Detected Summary CCF: Physical Access Summary CCF: Vulnerability Detected Summary | CCF: Unknown User Account Detail CCF: Host Access Granted And Revoked Detail |
0988 | | CCF: Time Sync Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm | CCF: Time Sync Error Inv CCF: Audit Log Inv | CCF: Time Sync Error Summary CCF: Audit Log Summary | |
0584 | CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Blacklist Location Auth CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Audit Log Inv CCF: Time Sync Error Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary CCF: Priv Authentication Activity Summary CCF: Applications Accessed By User Summary CCF: GeoIP Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Term Account Activity Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
0582 | CCF: Misuse CCF: Social Media Event CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: External Brute Force Auths CCF: Local Account Created and Used CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Account Enabled CCF: Account Disabled CCF: Account Deleted CCF: Account Modification CCF: Excessive Authentication Failure CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Backup Information CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Corroborated Data Access Anomalies CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Distributed Brute Force | CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: FIM Delete Activity Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Early TLS/SSL Alarm CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Compromises Detected Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Denial Of Service Alarm | CCF: User Misuse Inv CCF: Social Media Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Account Enabled Inv CCF: Account Disabled Inv CCF: Account Deleted Inv CCF: Account Modified Inv CCF: Excessive Authentication Failure Inv CCF: Password Modification Inv CCF: Object Access Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: GeoIP Inv CCF: Backup Activity Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Applications Accessed By User Inv CCF: Critical Environment Error Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Compromises Detected Inv CCF: Host Access Granted And Revoked Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Privileged Account Escalation Inv CCF: Malware Detected Inv CCF: Physical Access Inv CCF: Vulnerability Detected Inv CCF: Denial Of Service Inv | CCF: User Misuse Summary CCF: Social Media Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Object Access Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: Backup Activity Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Signature Activity Summary CCF: Audit Log Summary CCF: Applications Accessed By User Summary CCF: Critical Environment Error Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Malware Detected Summary CCF: Physical Access Summary CCF: Vulnerability Detected Summary | CCF: Unknown User Account Detail CCF: Host Access Granted And Revoked Detail |
1536 | CCF: Misuse CCF: Social Media Event CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: External Brute Force Auths CCF: Local Account Created and Used CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Account Enabled CCF: Account Disabled CCF: Account Deleted CCF: Account Modification CCF: Excessive Authentication Failure CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Backup Information CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Corroborated Data Access Anomalies CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Distributed Brute Force | CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: FIM Delete Activity Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Early TLS/SSL Alarm CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Compromises Detected Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Denial Of Service Alarm | CCF: User Misuse Inv CCF: Social Media Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Account Enabled Inv CCF: Account Disabled Inv CCF: Account Deleted Inv CCF: Account Modified Inv CCF: Excessive Authentication Failure Inv CCF: Password Modification Inv CCF: Object Access Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: GeoIP Inv CCF: Backup Activity Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Applications Accessed By User Inv CCF: Critical Environment Error Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Compromises Detected Inv CCF: Host Access Granted And Revoked Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Privileged Account Escalation Inv CCF: Malware Detected Inv CCF: Physical Access Inv CCF: Vulnerability Detected Inv CCF: Denial Of Service Inv | CCF: User Misuse Summary CCF: Social Media Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Object Access Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: Backup Activity Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Signature Activity Summary CCF: Audit Log Summary CCF: Applications Accessed By User Summary CCF: Critical Environment Error Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Malware Detected Summary CCF: Physical Access Summary CCF: Vulnerability Detected Summary | CCF: Unknown User Account Detail CCF: Host Access Granted And Revoked Detail |
1537 | CCF: Misuse CCF: Social Media Event CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: External Brute Force Auths CCF: Local Account Created and Used CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Account Enabled CCF: Account Disabled CCF: Account Deleted CCF: Account Modification CCF: Excessive Authentication Failure CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Backup Information CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Corroborated Data Access Anomalies CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Distributed Brute Force | CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: FIM Delete Activity Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Early TLS/SSL Alarm CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Compromises Detected Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Denial Of Service Alarm | CCF: User Misuse Inv CCF: Social Media Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Account Enabled Inv CCF: Account Disabled Inv CCF: Account Deleted Inv CCF: Account Modified Inv CCF: Excessive Authentication Failure Inv CCF: Password Modification Inv CCF: Object Access Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: GeoIP Inv CCF: Backup Activity Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Applications Accessed By User Inv CCF: Critical Environment Error Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Compromises Detected Inv CCF: Host Access Granted And Revoked Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Privileged Account Escalation Inv CCF: Malware Detected Inv CCF: Physical Access Inv CCF: Vulnerability Detected Inv CCF: Denial Of Service Inv | CCF: User Misuse Summary CCF: Social Media Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Object Access Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: Backup Activity Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Signature Activity Summary CCF: Audit Log Summary CCF: Applications Accessed By User Summary CCF: Critical Environment Error Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Malware Detected Summary CCF: Physical Access Summary CCF: Vulnerability Detected Summary | CCF: Unknown User Account Detail CCF: Host Access Granted And Revoked Detail |
0585 | CCF: Misuse CCF: Social Media Event CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: External Brute Force Auths CCF: Local Account Created and Used CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Account Enabled CCF: Account Disabled CCF: Account Deleted CCF: Account Modification CCF: Excessive Authentication Failure CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Backup Information CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Corroborated Data Access Anomalies CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Distributed Brute Force | CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: FIM Delete Activity Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Early TLS/SSL Alarm CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Compromises Detected Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Denial Of Service Alarm | CCF: User Misuse Inv CCF: Social Media Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Account Enabled Inv CCF: Account Disabled Inv CCF: Account Deleted Inv CCF: Account Modified Inv CCF: Excessive Authentication Failure Inv CCF: Password Modification Inv CCF: Object Access Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: GeoIP Inv CCF: Backup Activity Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Applications Accessed By User Inv CCF: Critical Environment Error Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Compromises Detected Inv CCF: Host Access Granted And Revoked Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Privileged Account Escalation Inv CCF: Malware Detected Inv CCF: Physical Access Inv CCF: Vulnerability Detected Inv CCF: Denial Of Service Inv | CCF: User Misuse Summary CCF: Social Media Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Object Access Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: Backup Activity Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Signature Activity Summary CCF: Audit Log Summary CCF: Applications Accessed By User Summary CCF: Critical Environment Error Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Malware Detected Summary CCF: Physical Access Summary CCF: Vulnerability Detected Summary | CCF: Unknown User Account Detail CCF: Host Access Granted And Revoked Detail |
0586 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity | CCF: FIM Delete Activity Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Denial Of Service Alarm CCF: Time Sync Error Alarm CCF: Blacklisted Account Alarm | CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Audit Log Inv CCF: Critical Environment Error Inv CCF: Denial Of Service Inv CCF: Time Sync Error Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv | CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Audit Log Summary CCF: Critical Environment Error Summary CCF: Time Sync Error Summary CCF: GeoIP Summary CCF: Top Suspicious Users CCF: User Object Access Summary | |
0859 | CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information | CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm CCF: Denial Of Service Alarm | CCF: LogRhythm Data Loss Defender Log Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv | CCF: LogRhythm Data Loss Defender Log Summary CCF: Backup Activity Summary CCF: Time Sync Error Summary | |
0991 | CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information | CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm CCF: Denial Of Service Alarm | CCF: LogRhythm Data Loss Defender Log Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv | CCF: LogRhythm Data Loss Defender Log Summary CCF: Backup Activity Summary CCF: Time Sync Error Summary | |
0109 | CCF: Config Modified CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled | CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm | CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary | |
1228 | CCF: Misuse CCF: Social Media Event CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: External Brute Force Auths CCF: Local Account Created and Used CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Account Enabled CCF: Account Disabled CCF: Account Deleted CCF: Account Modification CCF: Excessive Authentication Failure CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Backup Information CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Corroborated Data Access Anomalies CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Distributed Brute Force | CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: FIM Delete Activity Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Early TLS/SSL Alarm CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Compromises Detected Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Denial Of Service Alarm | CCF: User Misuse Inv CCF: Social Media Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Account Enabled Inv CCF: Account Disabled Inv CCF: Account Deleted Inv CCF: Account Modified Inv CCF: Excessive Authentication Failure Inv CCF: Password Modification Inv CCF: Object Access Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: GeoIP Inv CCF: Backup Activity Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Applications Accessed By User Inv CCF: Critical Environment Error Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Compromises Detected Inv CCF: Host Access Granted And Revoked Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Privileged Account Escalation Inv CCF: Malware Detected Inv CCF: Physical Access Inv CCF: Vulnerability Detected Inv CCF: Denial Of Service Inv | CCF: User Misuse Summary CCF: Social Media Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Object Access Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: Backup Activity Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Signature Activity Summary CCF: Audit Log Summary CCF: Applications Accessed By User Summary CCF: Critical Environment Error Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Malware Detected Summary CCF: Physical Access Summary CCF: Vulnerability Detected Summary | CCF: Unknown User Account Detail CCF: Host Access Granted And Revoked Detail |
1422 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1277 | | CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
1262 | CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Abnormal Origin Location CCF: GeoIP Blacklisted Region Activity CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User | CCF: Blacklisted Account Alarm | CCF: GeoIP Inv | CCF: GeoIP Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1261 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1263 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1264 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1256 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity | CCF: FIM Delete Activity Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Denial Of Service Alarm CCF: Time Sync Error Alarm | CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Audit Log Inv CCF: Critical Environment Error Inv CCF: Denial Of Service Inv CCF: Time Sync Error Inv CCF: GeoIP Inv CCF: User Object Access Inv | CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Audit Log Summary CCF: Critical Environment Error Summary CCF: Time Sync Error Summary CCF: GeoIP Summary CCF: User Object Access Summary | |
1255 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Denial Of Service Alarm CCF: Time Sync Error Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: Audit Log Inv CCF: Critical Environment Error Inv CCF: Denial Of Service Inv CCF: Time Sync Error Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Audit Log Summary CCF: Critical Environment Error Summary CCF: Time Sync Error Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1268 | CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failure CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Account Modification CCF: Account Deleted CCF: Account Disabled CCF: Account Enabled CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Misuse CCF: Local Account Created and Used CCF: Config Modified CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled | CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: Unknown User Account Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm | CCF: Password Modification Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Host Access Granted And Revoked Inv CCF: Excessive Authentication Failure Inv CCF: Account Modified Inv CCF: Account Deleted Inv CCF: Account Disabled Inv CCF: Account Enabled Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Applications Accessed By User Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: User Priv Escalation (Windows) Summary CCF: GeoIP Summary CCF: User Object Access Summary CCF: Top Suspicious Users CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Account Disabled Summary CCF: Account Enabled Summary CCF: Social Media Summary CCF: User Misuse Summary CCF: Audit Log Summary CCF: Time Sync Error Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1182 | | | | | |
1301 | | CCF: Rogue Access Point Alarm | CCF: Rogue Access Point Inv | CCF: Rogue Access Point Summary | |
1435 | | CCF: Denial Of Service Alarm | CCF: Denial Of Service Inv | | |
1139 | | CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Rogue Access Point Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Rogue Access Point Summary | |
0670 | CCF: Misuse CCF: Social Media Event CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: External Brute Force Auths CCF: Local Account Created and Used CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Account Enabled CCF: Account Disabled CCF: Account Deleted CCF: Account Modification CCF: Excessive Authentication Failure CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Backup Information CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Corroborated Data Access Anomalies CCF: Config Modified CCF: Software Install CCF: Software Uninstall CCF: FIM Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Linux sudo Privilege Escalation CCF: Windows RunAs Privilege Escalation CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Distributed Brute Force | CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm CCF: FIM Delete Activity Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Early TLS/SSL Alarm CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Compromises Detected Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Denial Of Service Alarm | CCF: User Misuse Inv CCF: Social Media Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Account Enabled Inv CCF: Account Disabled Inv CCF: Account Deleted Inv CCF: Account Modified Inv CCF: Excessive Authentication Failure Inv CCF: Password Modification Inv CCF: Object Access Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: GeoIP Inv CCF: Backup Activity Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Signature Activity Inv CCF: Audit Log Inv CCF: Applications Accessed By User Inv CCF: Critical Environment Error Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Compromises Detected Inv CCF: Host Access Granted And Revoked Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Privileged Account Escalation Inv CCF: Malware Detected Inv CCF: Physical Access Inv CCF: Vulnerability Detected Inv CCF: Denial Of Service Inv | CCF: User Misuse Summary CCF: Social Media Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modified Summary CCF: Term Account Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Object Access Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: Backup Activity Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Signature Activity Summary CCF: Audit Log Summary CCF: Applications Accessed By User Summary CCF: Critical Environment Error Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Malware Detected Summary CCF: Physical Access Summary CCF: Vulnerability Detected Summary | CCF: Unknown User Account Detail CCF: Host Access Granted And Revoked Detail |