Center for Internet Security Critical Security Controls Module Suite
The LogRhythm CIS Critical Security Controls Module (CIS CSCM) is a collection of AI Engine (AIE) rules, investigations, reports, and lists that help organizations detect and respond to the most important security and operational events, and that also map to other control frameworks such as the NIST 800 series.
This guide describes how to deploy the LogRhythm CIS CSCM.
Matrices
Module Revisions
The AIE Rules, Investigations, and Reports from version 6.1 of the CIS CSCM were remapped to match version 7 of the CIS Controls. The following tables list the old (CIS v6) and new (CIS v7) control mappings for each rule, report, and investigation; rows marked "deleted" no longer carry a CIS v7 mapping.
AIE Rule ID | AIE Rule Name | CIS v6 control(s) | CIS v7 control(s) |
---|---|---|---|
12 | CSC: Port Scan then Attack | CSC 9.6, CSC 12.4 | CSC 9.5, CSC 12.7 |
13 | CSC: Possible DDoS Detected | CSC 9.6, CSC 12.4 | CSC 9.5, CSC 12.7 |
14 | CSC: Multiple Unique Attacks Observed | CSC 8.1, CSC 12.4 | CSC 8.1, CSC 12.7 |
16 | CSC: Data Exfiltration Observed | CSC 13.6 | deleted |
18 | CSC: Attack then External Connection | CSC 12.3 | CSC 12.6 |
34 | CSC: Password Modified on Multiple Accounts | CSC 16.14, CSC 5.1 | CSC 16.4 |
36 | CSC: Audit Disabled by Admin | CSC 6.2, CSC 5.1 | CSC 6.2 |
37 | CSC: Temporary Account Used | CSC 5.4 | CSC 4.8 |
40 | CSC: Local Account Created and Used | CSC 5.4 | CSC 4.8 |
58 | CSC: Lateral Movement then Exfil | CSC 13.6 | deleted |
76 | CSC: Disabled Account Auth Failures | CSC 16.8 | CSC 16.12 |
81 | CSC: Config Change then Critical Error | CSC 3.6 | CSC 5.1 |
82 | CSC: Recon after Attack | CSC 12.4 | CSC 12.7 |
88 | CSC: Disabled Account Auth Success | CSC 16.8 | CSC 16.12 |
95 | CSC: SQL Injection Detected | CSC 18.2 | CSC 18.10 |
97 | CSC: Cross-site Scripting (XSS) Detected | CSC 18.2 | CSC 18.10 |
99 | CSC: Directory Traversal URL | CSC 18.2, CSC 8.1 | CSC 18.10, CSC 8.1 |
158 | CSC: Accounts Deleted by Admin | CSC 16.3, CSC 3.6 | CSC 16.7, CSC 5.5 |
159 | CSC: Accounts Disabled by Admin | CSC 16.3, CSC 3.6 | CSC 16.7, CSC 5.5 |
160 | CSC: Users Added to Admin Group | CSC 5.4, CSC 3.6 | CSC 4.8, CSC 5.5 |
161 | CSC: Users Removed from Admin Group | CSC 5.4, CSC 3.6 | CSC 4.8, CSC 5.5 |
162 | CSC: Windows RunAs Privilege Escalation | CSC 5.8, CSC 3.6 | CSC 4.3, CSC 5.5 |
165 | CSC: Linux sudo Privilege Escalation | CSC 5.8, CSC 3.6 | CSC 4.3, CSC 5.5 |
250 | CSC: Password Modified by Another User | CSC 16.14, CSC 5.1 | CSC 16.4 |
287 | CSC: Abnormal File Access | CSC 3.5 | CSC 14.9 |
383 | CSC: New Network Host | CSC 1.2 | CSC 1.3 |
420 | CSC: Attack then Inbound Traffic | CSC 12.3 | CSC 12.6 |
432 | CSC: DMZ Jumping | CSC 12.9 | CSC 12.8 |
436 | CSC: Port Misuse: 80 | CSC 12.2 | CSC 12.5 |
437 | CSC: Port Misuse: 53 | CSC 12.2 | CSC 12.5 |
439 | CSC: Allowed Traffic from Non-Whitelist Country | CSC 12.1 | CSC 12.3 |
448 | CSC: Inbound SSH on Non-standard Port | CSC 12.2 | CSC 12.5 |
449 | CSC: Large Outbound Transfer | CSC 12.10, CSC 13.6 | deleted |
452 | CSC: New Application Detected | CSC 2.3, CSC 12.2 | CSC 2.3, CSC 12.5 |
453 | CSC: Excessive Inbound Firewall Denies | CSC 6.5, CSC 12.1 | CSC 6.2, CSC 12.3 |
457 | CSC: ICMP Flood Detected | CSC 12.3 | CSC 12.6 |
458 | CSC: TCP Flood Detected | CSC 12.3 | CSC 12.6 |
459 | CSC: UDP Flood Detected | CSC 12.3 | CSC 12.6 |
460 | CSC: Excessive Unknown Application | CSC 12.3 | CSC 12.6 |
464 | CSC: Allowed Traffic from Blacklist Country | CSC 12.1 | CSC 12.3 |
471 | CSC: Blocked Traffic then Allowed | CSC 12.3 | CSC 12.6 |
488 | CSC: Malware Event | CSC 8.1 | CSC 8.1 |
490 | CSC: Config Deleted/Disabled | CSC 3.5, CSC 11.3 | CSC 5.5, CSC 11.3 |
492 | CSC: Config Modified | CSC 3.5, CSC 11.3 | CSC 5.5, CSC 11.3 |
493 | CSC: Config Change After Attack | CSC 11.3, CSC 3.6 | CSC 11.3, CSC 5.1 |
494 | CSC: Vulnerability after Software Installed | CSC 4.1 | CSC 3.1 |
495 | CSC: Repeat Vulnerability Detected | CSC 4.7 | CSC 3.6 |
496 | CSC: Repeat Attacks Against a Host | CSC 12.2 | CSC 12.5 |
497 | CSC: Blacklisted User-Agent String | CSC 12.1, CSC 18.2 | CSC 12.3, CSC 18.10 |
498 | CSC: Backup Failure Detected | CSC 10.1 | CSC 10.1 |
499 | CSC: Blacklisted Egress Port Observed | CSC 9.2, CSC 12.1 | CSC 9.4, CSC 12.3 |
500 | CSC: Blacklisted Ingress Port Observed | CSC 9.2, CSC 12.1 | CSC 9.4, CSC 12.3 |
501 | CSC: Multiple Passwords Modified by Different User | CSC 16.14, CSC 5.1 | CSC 16.4 |
502 | CSC: External DNS Observed | CSC 12.1, CSC 12.8 | CSC 12.3 |
506 | CSC: Multiple Failed Access Attempts | CSC 16.6, CSC 5.1 | CSC 16.8 |
507 | CSC: Multiple Object Access Failures | CSC 16.6, CSC 5.1 | CSC 16.8 |
508 | CSC: New Wireless Host | CSC 1.2, CSC 15.3 | CSC 1.3, CSC 15.3 |
509 | CSC: Malware Not Cleaned | CSC 8.1 | CSC 8.1 |
1112 | CSC: External Malicious User-Agent | CSC 12.2, CSC 8.1 | CSC 12.5, CSC 8.1 |
1113 | CSC: External Malicious URL Characters | CSC 12.2, CSC 8.1 | CSC 12.5, CSC 8.1 |
Report ID | Report Name | CIS v6 control(s) | CIS v7 control(s) |
---|---|---|---|
15 | Policy Activity Summary | CSC 16.3 | CSC 16.7 |
67 | Compliance: Top Attackers | CSC 12.2 | CSC 12.5 |
84 | Compliance: System Critical And Error Conditions | CSC 6.4 | CSC 6.7 |
959 | Rogue Host Detection Summary | CSC 1.1, CSC 1.4 | CSC 1.1, CSC 1.4 |
1004 | Software Installation Summary | CSC 2.3 | CSC 2.3 |
1005 | Vulnerabilities By Entity | CSC 4.1, CSC 4.6, CSC 4.7, CSC 4.8 | CSC 3.1, CSC 3.6, CSC 3.7 |
1006 | Vulnerabilities By Vulnerability | CSC 4.1, CSC 4.6, CSC 4.7, CSC 4.8 | CSC 3.1, CSC 3.6, CSC 3.7 |
1007 | Malware Summary | CSC 8.1 | CSC 8.1 |
1008 | Backups Completed | CSC 10.1 | CSC 10.1 |
1015 | Top Attackers Summary | CSC 6.4, CSC 6.6 | CSC 6.7, CSC 6.6 |
1019 | Top Targeted Applications | CSC 18.2 | CSC 18.10 |
1020 | Configuration Change Summary | CSC 11.3 | CSC 11.3 |
1021 | Denial Of Service Summary | CSC 9.6 | CSC 9.5 |
1022 | Host Compromise Summary | CSC 3.2 | CSC 5.2 |
1023 | Backup Critical/Error Summary | CSC 10.1 | CSC 10.1 |
1024 | Backup Restore Summary | CSC 10.1, CSC 10.2 | CSC 10.1, CSC 10.3 |
Investigation ID | Investigation Name | CIS v6 control(s) | CIS v7 control(s) |
---|---|---|---|
218 | Generic Account Usage | CSC 16.6 | CSC 16.8 |
219 | New Domain Hosts | CSC 1.4, CSC 16.9 | CSC 1.4, CSC 16.2 |
220 | Removed Domain Hosts | CSC 1.4, CSC 16.9 | CSC 1.4, CSC 16.2 |
221 | Configuration Changes | CSC 3.5, CSC 3.2 | CSC 5.5, CSC 3.2 |
222 | File Access | CSC 13.6 | deleted |
223 | New Network Hosts | CSC 1.4 | CSC 1.4 |
224 | File Access Failure | CSC 13.6 | deleted |
225 | Authentication Failures | CSC 14.6 | CSC 14.9 |
226 | Online Storage Usage | CSC 13.7, CSC 13.8 | CSC 13.5, CSC 13.4 |
227 | Application Usage | CSC 2.2, CSC 6.4 | CSC 2.7, CSC 6.7 |
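When migrating a deployment from the v6 to the v7 mappings, the practical question is which CIS v7 controls each module object now satisfies and which v6 controls lost all of their detection coverage. The following is an added example written for this page, not LogRhythm code: it parses rows in the same pipe-delimited layout as the matrices above, builds a v7 control-to-rule index, and reports the rules and v6 controls left without a v7 mapping. The embedded rows are a subset copied from the AIE rule table; the parsing and indexing logic, and all function names, are the example's own.

```python
"""Build a CIS v7 coverage index from the CIS CSCM remapping matrices.

Added example, not part of the LogRhythm CIS CSCM. The table text below is
a subset of rows copied from the AIE rule matrix on this page; the logic
that parses and inverts it is assumed/constructed for illustration.
"""
import re
from collections import defaultdict

# Subset of the AIE rule remapping matrix, in the page's own layout
# (header row, '---' separator row, then data rows).
AIE_RULE_TABLE = """\
AIE Rule ID | AIE Rule Name | CIS v6 control(s) | CIS v7 control(s) |
---|---|---|---|
12 | CSC: Port Scan then Attack | CSC 9.6, CSC 12.4 | CSC 9.5, CSC 12.7 |
16 | CSC: Data Exfiltration Observed | CSC 13.6 | deleted |
34 | CSC: Password Modified on Multiple Accounts | CSC 16.14, CSC 5.1 | CSC 16.4 |
58 | CSC: Lateral Movement then Exfil | CSC 13.6 | deleted |
160 | CSC: Users Added to Admin Group | CSC 5.4, CSC 3.6 | CSC 4.8, CSC 5.5 |
449 | CSC: Large Outbound Transfer | CSC 12.10, CSC 13.6 | deleted |
488 | CSC: Malware Event | CSC 8.1 | CSC 8.1 |
"""

# A control reference looks like "CSC 16.4". The pattern also tolerates the
# variants seen in hand-maintained matrices: a missing space ("CSC16.4") and
# the "CSCS" typo.
CONTROL_RE = re.compile(r"CSCS?\s*(\d+\.\d+)")


def parse_controls(cell):
    """Return the set of control numbers in a cell; 'deleted' yields an empty set."""
    if cell.strip().lower() == "deleted":
        return frozenset()
    return frozenset(CONTROL_RE.findall(cell))


def parse_table(text):
    """Parse the pipe-delimited matrix into rows with v6/v7 control sets."""
    rows = []
    for line in text.splitlines()[2:]:  # skip the header and separator rows
        cells = [c.strip() for c in line.rstrip("|").split("|")]
        if len(cells) != 4 or not cells[0].isdigit():
            continue  # not a data row
        rows.append({
            "id": int(cells[0]),
            "name": cells[1],
            "v6": parse_controls(cells[2]),
            "v7": parse_controls(cells[3]),
        })
    return rows


def v7_coverage(rows):
    """Invert the matrix: CIS v7 control -> set of rule IDs mapped to it."""
    index = defaultdict(set)
    for row in rows:
        for ctl in row["v7"]:
            index[ctl].add(row["id"])
    return dict(index)


def orphaned_rules(rows):
    """Rule IDs that had a v6 mapping but carry no v7 mapping ('deleted')."""
    return sorted(r["id"] for r in rows if r["v6"] and not r["v7"])


def lost_v6_controls(rows):
    """v6 controls for which every mapped rule was dropped in the v7 remap."""
    v6_index = defaultdict(set)
    for r in rows:
        for ctl in r["v6"]:
            v6_index[ctl].add(r["id"])
    orphans = set(orphaned_rules(rows))
    return sorted(ctl for ctl, ids in v6_index.items() if ids <= orphans)


if __name__ == "__main__":
    rows = parse_table(AIE_RULE_TABLE)
    for ctl, ids in sorted(v7_coverage(rows).items()):
        print(f"CIS v7 {ctl}: rules {sorted(ids)}")
    print("rules with no v7 mapping:", orphaned_rules(rows))
    print("v6 controls with no surviving coverage:", lost_v6_controls(rows))
```

On the embedded subset, every rule that mapped to v6 CSC 13.6 (rules 16, 58, and 449) is marked deleted, so CSC 13.6 and CSC 12.10 show up as v6 controls with no surviving coverage; that is the list an engineer would take to a gap review rather than assuming the remap preserved coverage one-for-one. Paste the full matrices into `AIE_RULE_TABLE` (or parse the report and investigation tables the same way) to run it over the whole module.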