CCF – AI Engine Rules
AIE Rules & Alerts | Applicable Frameworks | Corresponding Investigation | Corresponding Report | CCF SRP 1.0 Ready |
---|---|---|---|---|
CCF: Abnormal Amount of Data Transferred | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | N/A | N/A | ✓ |
CCF: Abnormal Origin Location | GDPR, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | N/A | N/A | |
CCF: Account Deleted Rule | NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Deleted Account Inv | CCF: Account Deleted Summary | |
CCF: Account Disabled Rule | NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Disabled Account Inv | CCF: Account Disabled Summary | |
CCF: Account Enabled Rule | NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Enabled Account Inv | CCF: Account Enabled Summary | |
CCF: Account Modification | NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Account Modification Inv | CCF: Account Modified Summary | |
CCF: Admin Password Modified | UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Password Modified Inv | | |
CCF: Attack then External Connection | GDPR, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | N/A | N/A | ✓ |
CCF: Audit Log Cleared Alarm | UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Audit Log Inv | CCF: Audit Log Summary | ✓ |
CCF: Audit Logging Stopped Alarm | UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Audit Log Inv | CCF: Audit Log Summary | ✓ |
CCF: Auth After Numerous Failed Auths | GDPR, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | N/A | N/A | ✓ |
CCF: Auth After Security Event | GDPR, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | N/A | N/A | ✓ |
CCF: Backup Failure Alarm | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Backup Activity Inv | CCF: Backup Activity Summary | ✓ |
CCF: Backup Information | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Backup Activity Inv | CCF: Backup Activity Summary | ✓ |
CCF: Blacklist Location Auth | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | N/A | N/A | |
CCF: Blacklisted Account Alarm | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | N/A | N/A | |
CCF: Compromise Detected Alarm | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Compromises Detected Inv | CCF: Compromises Detected Summary | ✓ |
CCF: Concurrent VPN from Multiple Locations | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | N/A | N/A | |
CCF: Concurrent VPN from Same User | GDPR, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | N/A | N/A | |
CCF: Config Change After Attack | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Config/Policy Change Inv | CCF: Config/Policy Change Summary | ✓ |
CCF: Config Change then Critical Error | GDPR, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Config/Policy Change Inv | CCF: Config/Policy Change Summary | ✓ |
CCF: Config Deleted/Disabled | GDPR, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Config/Policy Change Inv | CCF: Config/Policy Change Summary | ✓ |
CCF: Config Modified | GDPR, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Config/Policy Change Inv | CCF: Config/Policy Change Summary | ✓ |
CCF: Corroborated Account Anomalies | GDPR, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Suspicious Users Inv | N/A | |
CCF: Corroborated Data Access Anomalies | GDPR, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Suspicious Users Inv | N/A | |
CCF: Critical Event After Attack | GDPR, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | N/A | N/A | ✓ |
CCF: Critical/PRD Envir Patch Failure Alarm | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Config/Policy Change Inv | CCF: Config/Policy Change Summary | ✓ |
CCF: Data Destruction | GDPR, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: LogRhythm Data Loss Defender Log Inv | CCF: LogRhythm Data Loss Defender Log Summary | ✓ |
CCF: Data Exfiltration Observed | GDPR, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: LogRhythm Data Loss Defender Log Inv | CCF: LogRhythm Data Loss Defender Log Summary | ✓ |
CCF: Data Loss Prevention | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: LogRhythm Data Loss Defender Log Inv | CCF: LogRhythm Data Loss Defender Log Summary | ✓ |
CCF: Denial of Service Alert | GDPR, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Denial of Service Inv | N/A | ✓ |
CCF: Disabled Account Auth Success | GDPR, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | N/A | N/A | |
CCF: Distributed Brute Force | GDPR, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | N/A | N/A | ✓ |
CCF: Early TLS/SSL Alarm | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | N/A | N/A | |
CCF: Excessive Authentication Failures Rule | GDPR, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Excessive Authentication Failure Inv | CCF: Auth Failure Summary | ✓ |
CCF: External Brute Force Auths | GDPR, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | N/A | N/A | ✓ |
CCF: Failed Audit Log Write Alarm | UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Audit Log Inv | CCF: Audit Log Summary | ✓ |
CCF: FIM Abnormal Activity | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | N/A | N/A | ✓ |
CCF: FIM Add Activity | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | N/A | N/A | ✓ |
CCF: FIM Delete Activity Alarm | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | N/A | N/A | ✓ |
CCF: FIM General Activity | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | N/A | N/A | ✓ |
CCF: FIM Information | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | N/A | N/A | ✓ |
CCF: GeoIP Blacklisted Region Activity | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: GeoIP Inv | CCF: GeoIP Summary | |
CCF: GeoIP General Activity | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: GeoIP Inv | CCF: GeoIP Summary | |
CCF: Large Outbound Transfer | GDPR, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | N/A | N/A | ✓ |
CCF: Linux sudo Privilege Escalation | UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Privileged Account Escalation Inv | CCF: User Priv Escalation (SU & SUDO) Summary | ✓ |
CCF: Local Account Created and Used | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | N/A | N/A | ✓ |
CCF: LogRhythm Silent Log Source Error Alarm | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Audit Log Inv | CCF: Audit Log Summary | ✓ |
CCF: Malware Alarm | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Malware Detected Inv | CCF: Malware Detected Summary | ✓ |
CCF: Misuse | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: User Misuse Inv | CCF: User Misuse Summary | ✓ |
CCF: Multiple Account Passwords Modified by Admin | UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Password Modified Inv | CCF: Priv Account Management Activity Summary | |
CCF: Non-Encrypted Protocol Alarm | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | |
CCF: Password Modified by Admin | UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Password Modified Inv | CCF: Priv Account Management Activity Summary | |
CCF: Password Modified by Another User | UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Password Modified Inv | CCF: Priv Account Management Activity Summary | |
CCF: Priv Group Access Granted Alarm | UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Privileged Account Modification Inv | CCF: Priv Account Management Activity Summary | |
CCF: Privilege Escalation After Attack Alarm | UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Privileged Account Modification Inv | CCF: Priv Account Management Activity Summary | ✓ |
CCF: PRD Envir Config/Policy Change Alarm | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Config/Policy Change Inv | CCF: Config/Policy Change Summary | ✓ |
CCF: PRD Envir Signature Failure Alarm | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Critical Environment Error Inv | CCF: Critical Environment Error Summary | ✓ |
CCF: Rogue Access Point Alarm | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Rogue Access Point Inv | CCF: Rogue Access Point Summary | ✓ |
CCF: Social Media Event | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Social Media Inv | CCF: Social Media Summary | ✓ |
CCF: Software Install Rule | NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | N/A | N/A | ✓ |
CCF: Software Install Failure Alarm | NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | N/A | N/A | ✓ |
CCF: Software Uninstall Rule | NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | N/A | N/A | ✓ |
CCF: Software Uninstall Failure Alarm | NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | N/A | N/A | ✓ |
CCF: Suspected Wireless Attack Alarm | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Suspected Wireless Attack Inv | CCF: Suspected Wireless Attack Summary | ✓ |
CCF: Time Sync Error Alarm | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Time Sync Error Inv | CCF: Time Sync Error Summary | ✓ |
CCF: Unknown User Account Alarm | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Unknown User Account Inv | N/A | ✓ |
CCF: Vulnerability Detected Alarm | GDPR, UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Vulnerability Detected Inv | CCF: Vulnerability Detected Summary | ✓ |
CCF: Windows RunAs Privilege Escalation | UAE-NESA, NIST 800-53, NIST 800-171, NIST CSF, NY DFS, CJIS, State DPLs, ISO 27001, ASD | CCF: Privileged Account Escalation Inv | CCF: User Priv Escalation (Windows) Summary | ✓ |