CIS Controls - AI Engine Rules
The current version of this table is built on Version 7.1 of the CIS Controls. A mapping to Version 8 of the CIS Controls will be completed in 2022.
Implementation Group 1
AI Engine Rules | Description | Control Support | Alarming | Classifications | Log Sources |
---|---|---|---|---|---|
CCF: Account Modification | This AIE Rule creates a common event and provides detail around account modification activity. | 4.2 | No | Audit: Account Modified | Include All Log Sources |
CCF: Account Password Not Changed | This rule is triggered when a user account is created and its password is not modified within three days of creation. | 4.2 | No | Audit: Account Created | Include All Log Sources |
CCF: Audit Disabled by Admin | Login by an administrator followed by disabling of an audit process. CIS Critical Security Control(s): CSC 6.2 | 6.2 | No | Security: Compromise | 1. Include All Log Sources 2. Include All Log Sources |
CCF: Audit Logging Stopped Alarm | This AIE Rule provides details on audit logging being stopped. | 6.2 | Yes | Audit: Configuration | Include All Log Sources |
CCF: Backup Failure Alarm | More than 10 backup failure events are detected. | 10.1, 10.2 | Yes | Operations: Error | Include All Log Sources |
CCF: Backup Information | This AIE Rule creates events for information from backup software. | 10.1, 10.2 | No | Operations: Information | Include All Log Sources |
CCF: Blacklisted Egress Port Observed | Triggered when an internal host communicates with a host outside the network using a port not on the allowed list. | 9.4, 12.4 | No | Security: Compromise | Include All Log Sources |
CCF: Blacklisted Ingress Port Observed | Triggered when an external host communicates with a network host on a port not on the allowed ingress list. CIS Critical Security Control(s): CSC 9.4, CSC 12.3 | 9.4, 12.4 | No | Security: Attack | Include All Log Sources |
CCF: Config Change After Attack | Attack event on a host followed by a configuration change made to that host within 3 minutes. | 5.1 | No | Security: Compromise | 1. Include All Log Sources 2. Include All Log Sources |
CCF: Config Change then Critical Error | Configuration change followed by a critical error on the same host indicating an erroneous configuration, malicious intent or otherwise. | 5.1 | No | Security: Compromise | 1. Include All Log Sources 2. Include All Log Sources |
CCF: Config Deleted/Disabled | Configuration deleted or disabled within the organization infrastructure. | 5.1 | No | Security: Compromise | Include All Log Sources |
CCF: Config Modified | Configuration modified within the organization infrastructure. | 5.1 | No | Security: Compromise | Include All Log Sources |
CCF: Critical/PRD Envir Patch Failure Alarm | This AIE rule creates an alert any time a patch fails to apply to the critical or production environments (entity structure). | 3.4, 3.5 | No | Operations: Error | Include All Log Sources |
CCF: Domain Trust Modified | This rule alerts when Windows event ID 4716 is observed, indicating that a domain trust was modified. | 7.7, 15.10 | No | Audit: Policy | Include All Log Sources |
CCF: Dormant User Account Observed | Rule intended to identify dormant and inactive user accounts that have no activity within the most recent 5 days after having activity in the previous 30. | 16.9 | No | Audit: Other Audit | Include All Log Sources |
CCF: Early TLS/SSL Alarm | This AIE Rule alerts on the occurrence of any identified TLS LogRhythm Network Monitor event. | 7.1, 12.4 | Yes | Security: Activity | Include All Log Sources |
CCF: FIM Abnormal Activity | This AIE Rule creates events for all abnormal file integrity monitoring activity. | 13.1, 14.6 | No | Security: Suspicious | 1. Include All Log Sources 2. Include All Log Sources |
CCF: FIM Add Activity | This AIE Rule creates events for all file integrity monitoring add activity. | 13.1, 14.6 | No | Security: Activity | Include All Log Sources |
CCF: FIM Delete Activity Alarm | This AIE Rule alarms on file integrity monitoring delete activity. | 13.1, 14.6 | Yes | Security: Activity | Include All Log Sources |
CCF: FIM General Activity | This rule creates an event for file integrity monitoring activity including adds, deletes, modifies, group changes, owner changes, and permissions. The FIM log source can be established from LogRhythm's FIM or other FIM solutions. | 13.1, 14.6 | No | Operations: Information | Include All Log Sources |
CCF: FIM Information | This AIE Rule creates events for general file integrity monitoring information. | 13.1, 14.6 | No | Operations: Information | Include All Log Sources |
CCF: Inactive Systems | This statistical rule is designed to monitor system access activity. Low access activity for production servers and data storage systems is monitored over a span of 7 days. | 13.1, 13.2 | No | Operations: Other Operations | Include All Log Sources |
CCF: Inactive User Activity | This rule block monitors user logon activity over a 6-day span compared with the previous 14 days: if a user has not authenticated in the previous 14 days and then authenticates, the rule fires. | 16.9 | No | Security: Suspicious | Include All Log Sources |
CCF: Linux sudo Privilege Escalation | User not in the LogRhythm list "CCF: Privileged Accounts" and not in the local 'sudoers' file tries to use sudo on a Linux host. | 4.3 | No | Security: Suspicious | Include All Log Sources |
CCF: Malware Alarm | This AIE Rule provides details on malware activity across the organization's environment where malware detection/prevention is applied. | 7.7, 8.2 | Yes | Security: Malware | Include All Log Sources |
CCF: Misuse | This AIE Rule provides details on misuse activity. | 4.3 | No | Security: Misuse | Include All Log Sources |
CCF: Multiple Failed Access Attempts | User makes multiple failed access attempts within a short time period. CIS Critical Security Control(s): CSC 16.8 | 13.1, 14.6 | No | Security: Suspicious | Include All Log Sources |
CCF: Multiple Object Access Failures | Multiple users failed to access the same file. CIS Critical Security Control(s): CSC 16.8 | 13.1, 14.6 | No | Security: Suspicious | Include All Log Sources |
CCF: New Asset | | 1.4, 1.6 | No | Operations: Other Operations | Include All Log Sources |
CCF: New Network Host | This rule is triggered when a new host is seen communicating in the environment for the first time. | 1.4, 1.6, 15.10 | No | Security: Reconnaissance | Include All Log Sources |
CCF: Non-Encrypted Protocol Alarm | This AIE Rule provides details of unencrypted applications being used within the critical and production systems or environments (entity structure). | 13.6, 15.7 | Yes | Operations: Information | Include All Log Sources |
CCF: PRD Envir Signature Failure Alarm | This AIE Rule creates an alert on signature update failures on critical or production environments (entity structure). | 3.4, 8.2 | Yes | Operations: Error | Include All Log Sources |
CCF: Shared Account Access | This rule will alert when accounts listed within the CCF: Shared Accounts list have been accessed on a production server. | 16.8 | No | Audit: Authentication Success | Include All Log Sources |
CCF: Social Media Activity | This rule tracks social media activity, to help identify if private or personal data that should not be in transmission is present within the environment's traffic. | 4.3 | No | Security: Suspicious | Include All Log Sources |
CCF: Software Install Rule | This AIE rule creates an event and alerts on any software installation activity across the environment. | 2.6 | No | Audit: Configuration | Include All Log Sources |
CCF: Software Uninstall Failure Alarm | This alerts on failed or interrupted software uninstallations. | 2.6 | Yes | Audit: Configuration | Include All Log Sources |
CCF: Software Uninstall Rule | This AIE rule creates an event and alerts on any software uninstallation activity across the environment. | 2.6 | No | Audit: Configuration | Include All Log Sources |
CCF: Unauthorized Data Transfer | This rule is configured to monitor any amount of data transferred from log sources contained within the CCF: Data Storage Systems list. | 13.1, 13.2 | No | Operations: Network Traffic | Include All Log Sources |
CCF: Unauthorized Executable Observed | This rule is intended to alert when executable files that are not determined to be authorized by the organization are observed within the environment. | 7.1 | No | Operations: Other Operations | Include All Log Sources |
CCF: Vulnerability Detected Alarm | This AIE Rule alerts on the occurrence of vulnerabilities or suspicious events across the organization's environment. | 3.4 | Yes | Security: Vulnerability | Include All Log Sources |
CCF: Windows RunAs Privilege Escalation | User not in the LogRhythm List "Privileged Users" runs a Windows program as an administrator using the "Run as administrator" option. | 4.3 | No | Security: Suspicious | 1. Include All Log Sources 2. Include All Log Sources |
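Several rules in the table above are two-block "A followed by B" correlations on a shared key within a time window: CCF: Audit Disabled by Admin (admin logon, then an audit process disabled), CCF: Config Change After Attack (attack, then a configuration change on that host within 3 minutes) and CCF: Config Change then Critical Error. The Python below is an added example written for this page, not LogRhythm's AIE rule logic or any LogRhythm API; it implements that pattern over constructed sample events and wraps it for two of the rules. The event field names (`ts`, `host`, `account`, `classification`, `common_event`), the input classification and common event strings, the contents of the privileged-account list and the 10-minute window for Audit Disabled by Admin (the table gives no window for that rule) are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real logs). "ts" is ISO 8601 UTC; "classification" and
# "common_event" mimic LogRhythm's normalized fields; "account" is the user the event concerns.
SAMPLE_EVENTS = [
    {"ts": "2021-06-01T10:00:00", "host": "web01", "account": "-", "classification": "Security: Attack", "common_event": "Web Attack Detected"},
    {"ts": "2021-06-01T10:02:10", "host": "web01", "account": "svc_web", "classification": "Audit: Configuration", "common_event": "Configuration Modified"},
    {"ts": "2021-06-01T11:00:00", "host": "db01", "account": "-", "classification": "Security: Attack", "common_event": "SQL Injection Attempt"},
    {"ts": "2021-06-01T11:09:00", "host": "db01", "account": "dba", "classification": "Audit: Configuration", "common_event": "Configuration Modified"},
    # app01 is deliberately listed out of order: the change precedes the attack, so no alarm.
    {"ts": "2021-06-01T12:00:30", "host": "app01", "account": "-", "classification": "Security: Attack", "common_event": "Exploit Attempt"},
    {"ts": "2021-06-01T12:00:00", "host": "app01", "account": "ops", "classification": "Audit: Configuration", "common_event": "Configuration Modified"},
    {"ts": "2021-06-01T13:00:00", "host": "fs02", "account": "adm.jdoe", "classification": "Audit: Authentication Success", "common_event": "User Logon"},
    {"ts": "2021-06-01T13:04:00", "host": "fs02", "account": "adm.jdoe", "classification": "Audit: Configuration", "common_event": "Audit Logging Stopped"},
    {"ts": "2021-06-01T13:05:00", "host": "fs03", "account": "jsmith", "classification": "Audit: Authentication Success", "common_event": "User Logon"},
    {"ts": "2021-06-01T13:06:00", "host": "fs03", "account": "jsmith", "classification": "Audit: Configuration", "common_event": "Audit Logging Stopped"},
]

# Stand-in for the LogRhythm list "CCF: Privileged Accounts" (assumed contents).
PRIVILEGED_ACCOUNTS = {"adm.jdoe", "Administrator"}


def followed_by(events, first, second, window, key):
    """Generic two-block correlation: an event matching `first` followed, within `window`
    and on the same `key(event)`, by an event matching `second`. Events are sorted by time
    first, so out-of-order delivery cannot create a false sequence. Each block-1 event can
    satisfy the rule at most once; a newer block-1 event on the same key restarts the window."""
    pending = {}   # key -> time of the most recent unmatched block-1 event
    alarms = []
    for e in sorted(events, key=lambda e: e["ts"]):
        t, k = datetime.fromisoformat(e["ts"]), key(e)
        if first(e):
            pending[k] = t
        elif second(e) and k in pending:
            t1 = pending.pop(k)
            if t - t1 <= window:
                alarms.append({"key": k, "block1_at": t1.isoformat(), "block2_at": e["ts"],
                               "delta_s": int((t - t1).total_seconds())})
    return alarms


def config_change_after_attack(events, minutes=3):
    """CCF: Config Change After Attack: attack event on a host, then a configuration change
    on that host within 3 minutes (the window the table states)."""
    return followed_by(events,
                       first=lambda e: e["classification"] == "Security: Attack",
                       second=lambda e: e["common_event"] == "Configuration Modified",
                       window=timedelta(minutes=minutes),
                       key=lambda e: e["host"])


def audit_disabled_by_admin(events, privileged=PRIVILEGED_ACCOUNTS, minutes=10):
    """CCF: Audit Disabled by Admin: logon by a privileged account, then audit logging stopped
    on the same host. The 10-minute window is an assumption; the table gives none."""
    return followed_by(events,
                       first=lambda e: e["classification"] == "Audit: Authentication Success"
                       and e["account"] in privileged,
                       second=lambda e: e["common_event"] == "Audit Logging Stopped",
                       window=timedelta(minutes=minutes),
                       key=lambda e: e["host"])


if __name__ == "__main__":
    for alarm in config_change_after_attack(SAMPLE_EVENTS) + audit_disabled_by_admin(SAMPLE_EVENTS):
        print(alarm)
```

Only web01 (attack, then change 130 s later) and fs02 (privileged logon, then audit logging stopped 4 minutes later) produce alarms: db01's change arrives after 9 minutes, app01's change precedes its attack, and fs03's logon is not by a listed privileged account. Widening the window to 10 minutes adds db01, which is the tuning decision an AIE rule's "followed by" block exposes as its time window.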
Implementation Group 2
AI Engine Rules | Description | Control Support | Alarming | Classifications | Log Sources |
---|---|---|---|---|---|
CCF: Account Deleted Rule | This rule provides details of accounts that have been deleted. | 16.7, 16.10 | No | Audit: Account Deleted | Include All Log Sources |
CCF: Account Disabled Rule | This AIE Rule alerts on any revocation of access to accounts. | 16.7, 16.10, 16.12 | No | Audit: Access Revoked | Include All Log Sources |
CCF: Account Enabled Rule | This AIE Rule alerts on any granting of access to accounts. | 16.7, 16.10, 16.12 | Yes | Audit: Access Granted | Include All Log Sources |
CCF: Account Modification | This AIE Rule creates a common event and provides detail around account modification activity. | 4.1, 4.5, 16.7, 16.10, 16.12, 20.8 | No | Audit: Account Modified | Include All Log Sources |
CCF: Admin Password Modified | User changes the password of a different privileged user account. | 14.3, 15.6 | No | Security: Suspicious | Include All Log Sources |
CCF: Audit Disabled by Admin | Login by an administrator followed by disabling of an audit process. CIS Critical Security Control(s): CSC 6.2 | 1.3, 4.9, 6.3, 6.4, 6.5, 7.6, 8.6 | Yes | Security: Compromise | Include All Log Sources |
CCF: Audit Logging Stopped Alarm | This AIE Rule provides details on audit logging being stopped. | 1.3, 1.5, 4.9, 6.3, 6.4, 6.5, 7.6, 8.6, 8.7, 8.8 | Yes | Audit: Configuration | Include All Log Sources |
CCF: Auth After Numerous Failed Auths | Multiple unique external login attempts are seen against the same impacted host within a short period of time, followed by a successful authentication. | 4.9 | No | Security: Compromise | Include All Log Sources |
CCF: Backup Failure Alarm | More than 10 backup failure events are detected. | 10.3 | Yes | Operations: Error | Include All Log Sources |
CCF: Backup Information | This AIE Rule creates events for information from backup software. | 10.3 | No | Operations: Information | Include All Log Sources |
CCF: Blacklist Location Auth | Authentication success from a blacklisted location. | 12.2, 12.3 | No | Security: Compromise | Include All Log Sources |
CCF: Blacklisted Account Alarm | This AIE Rule creates an alarm when activity from a blacklisted account occurs within the environment. It requires the CCF: User Blacklist list to be populated and updated regularly. | 16.6, 16.7, 16.10, 16.12 | Yes | Audit: Other Audit Success | Include All Log Sources |
CCF: Blacklisted Egress Port Observed | Triggered when an internal host communicates with a host outside the network using a port not on the allowed list. CIS Critical Security Control(s): CSC 9.4, CSC 12.3 | 1.7, 9.2, 9.3 | Yes | Security: Compromise | Include All Log Sources |
CCF: Blacklisted Ingress Port Observed | Triggered when an external host communicates with a network host on a port not on the allowed ingress list. CIS Critical Security Control(s): CSC 9.4, CSC 12.3 | 1.7, 9.2, 9.3 | Yes | Security: Attack | Include All Log Sources |
CCF: Config Change After Attack | Attack event on a host followed by a configuration change made to that host within 3 minutes. | 4.8, 5.4, 5.5, 11.2, 11.3 | No | Security: Compromise | Include All Log Sources |
CCF: Config Change then Critical Error | Configuration change followed by a critical error on the same host indicating an erroneous configuration, malicious intent or otherwise. | 5.4, 5.5, 11.2, 11.3, 20.4 | No | Security: Compromise | Include All Log Sources |
CCF: Config Deleted/Disabled | Configuration deleted or disabled within the organization infrastructure. | 4.8, 5.4, 5.5, 11.2, 11.3 | No | Security: Compromise | Include All Log Sources |
CCF: Config Modified | Configuration modified within the organization infrastructure. | 4.8, 5.4, 5.5, 11.2, 11.3 | No | Security: Compromise | Include All Log Sources |
CCF: Credential Dumping | This rule is designed to look for processes/services started related to Mimikatz, a popular tool used in credential dumping exploits. | 14.3, 15.6 | Yes | Security: Suspicious | Include All Log Sources |
CCF: Critical/PRD Envir Patch Failure Alarm | This AIE rule creates an alert any time a patch fails to apply to the critical or production environments (entity structure). | 3.1, 3.2, 8.1, 18.3, 18.8, 18.11 | No | Operations: Error | Include All Log Sources |
CCF: Data Loss Prevention | This AIE Rule provides details of data generated by the LogRhythm Data Loss Defender or other data loss prevention solutions, when configured. | 13.7 | No | Operations: Information | Include All Log Sources |
CCF: Disabled Account Auth Success | Recently disabled or deleted account authenticates or accesses resources on the network. | 16.7, 16.10, 16.12 | No | Security: Compromise | Include All Log Sources |
CCF: Domain Trust Modified | This rule alerts when Windows event ID 4716 is observed, indicating that a domain trust was modified. | 8.7 | No | Audit: Policy | Include All Log Sources |
CCF: Early TLS/SSL Alarm | This AIE Rule alerts on the occurrence of any identified TLS LogRhythm Network Monitor event. | 14.4, 16.5, 18.5 | Yes | Security: Activity | Include All Log Sources |
CCF: Excessive Authentication Failures Rule | This AIE Rule supports alerting on >10 authentication failures in 30 minutes (login failures). Match this threshold to your organization's specific authentication failure policies. | 4.9 | Yes | Audit: Authentication Failure | Include All Log Sources |
CCF: External DNS Communication | This rule is intended to fire when internal hosts are seen using an external DNS server. | 8.7 | Yes | Security: Suspicious | Include All Log Sources |
CCF: FIM Abnormal Activity | This AIE Rule creates events for all abnormal file integrity monitoring activity. | 5.3 | No | Security: Suspicious | Include All Log Sources |
CCF: FIM Add Activity | This AIE Rule creates events for all file integrity monitoring add activity. | 5.3 | No | Security: Activity | Include All Log Sources |
CCF: FIM Delete Activity Alarm | This AIE Rule alarms on file integrity monitoring delete activity. | 5.3 | Yes | Security: Activity | Include All Log Sources |
CCF: FIM General Activity | This rule creates an event for file integrity monitoring activity including adds, deletes, modifies, group changes, owner changes, and permissions. The FIM log source can be established from LogRhythm's FIM or other FIM solutions. | 5.3 | No | Operations: Information | Include All Log Sources |
CCF: FIM Information | This AIE Rule creates events for general file integrity monitoring information. | 5.3 | No | Operations: Information | Include All Log Sources |
CCF: Lateral Movement then Exfil | Attack or compromise event from an internal host followed by data leaving the victim host. | 14.3, 15.6 | Yes | Security: Compromise | Include All Log Sources |
CCF: Linux sudo Privilege Escalation Attack | User not in the LogRhythm list "CCF: Privileged Accounts" and not in the local 'sudoers' file tries to use sudo on a Linux host. | 4.1, 4.5, 4.8, 4.9, 11.6 | No | Security: Suspicious | Include All Log Sources |
CCF: Local Account Created and Used | An account is created on a host and then used shortly thereafter on the same host. | 16.7 | No | Security: Compromise | Include All Log Sources |
CCF: Malicious IP Communication | This rule is intended to monitor when a network allowed communication occurs to or from an IP on any of the LR Threat Intelligence lists. | 7.4, 7.6, 12.3 | Yes | Security: Malware | Include All Log Sources |
CCF: Malicious URL | This rule is intended to fire when malicious characters in the URL string are found in a web server log. | 7.4, 7.6 | Yes | Security: Reconnaissance | Include All Log Sources |
CCF: Malware Alarm | This AIE Rule provides details on malware activity across the organization's environment where malware detection/prevention is applied. | 1.5, 3.1, 3.6, 5.2, 8.1, 8.6, 12.3, 12.6, 15.3, 18.8 | Yes | Security: Malware | Include All Log Sources |
CCF: Multiple Failed Access Attempts | User makes multiple failed access attempts within a short time period. CIS Critical Security Control(s): CSC 16.8 | 3.3, 4.7, 5.3, 7.9, 11.6, 13.4, 20.4 | No | Security: Suspicious | Include All Log Sources |
CCF: Multiple Object Access Failures | Multiple users failed to access the same file. CIS Critical Security Control(s): CSC 16.8 | 3.3, 4.7, 5.3, 7.9, 11.6, 13.4, 20.4 | No | Security: Suspicious | Include All Log Sources |
CCF: New Network Host | This rule is triggered when a new host is seen communicating in the environment for the first time. | 15.1 | Yes | Security: Reconnaissance | Include All Log Sources |
CCF: New Wireless Host | This rule is triggered when a new host is seen communicating within the environment for the first time. | 15.1, 15.2, 15.3 | No | Security: Suspicious | Include All Log Sources |
CCF: Non-Encrypted Protocol Alarm | This AIE Rule provides details of unencrypted applications being used within the critical and production systems or environments (entity structure). | 11.5, 12.11, 14.4, 16.5, 18.5 | Yes | Operations: Information | Include All Log Sources |
CCF: Pass the Hash | This rule is intended to fire when the Mimikatz sekurlsa::pth command is seen with a process/service started common event. | 14.3, 15.6 | Yes | Security: Suspicious | Include All Log Sources |
CCF: Port Misuse: 53 | This rule is triggered by network traffic not using DNS over the common DNS port (53). | 12.2, 18.10 | Yes | Security: Suspicious | Include All Log Sources |
CCF: Port Misuse: 80 | This rule is intended to fire when traffic is seen not using HTTP over the common HTTP port (80). | 12.2, 18.10 | Yes | Security: Suspicious | Include All Log Sources |
CCF: Powershell Executable | This rule is intended to fire when a PowerShell executable is observed. | 4.7, 8.8 | Yes | Security: Activity | Include All Log Sources |
CCF: Powershell Executed with Encoded Commands | PowerShell Encoded Commands used to execute potentially dangerous actions on the target host. | 4.7, 8.8 | Yes | Security: Compromise | Include All Log Sources |
CCF: PRD Envir Config/Policy Change Alarm | This AIE rule creates an alert any time configuration or policy modification logs are received from a critical or production environment (entity structure). | 11.2, 11.3 | Yes | Audit: Policy | Include All Log Sources |
CCF: PRD Envir Signature Failure Alarm | This AIE Rule creates an alert on signature update failures on critical or production environments (entity structure). | 1.5, 3.1, 3.2, 3.6, 8.1, 8.6, 11.3 | Yes | Operations: Error | Include All Log Sources |
CCF: Priv Group Access Granted Alarm | This AIE Rule provides details on access granted to privileged groups (administrators, dnsadmins, domain admins, enterprise admins, schema admins) within the organization infrastructure. | 4.8, 4.9 | Yes | Audit: Access Granted | Include All Log Sources |
CCF: Rogue Access Point Alarm | This AIE Rule alerts on the occurrence of any rogue access point detection events against the organization's environment. | 15.2, 15.3 | Yes | Security: Suspicious | Include All Log Sources |
CCF: Software Install Rule | This AIE rule creates an event and alerts on any software installation activity across the environment. | 2.3 | No | Audit: Configuration | Include All Log Sources |
CCF: Software Uninstall Failure Alarm | This alerts on failed or interrupted software uninstallations. | 2.3 | Yes | Audit: Configuration | Include All Log Sources |
CCF: Software Uninstall Rule | This AIE rule creates an event and alerts on any software uninstallation activity across the environment. | 2.3 | No | Audit: Configuration | Include All Log Sources |
CCF: Software Vulnerability | This rule is intended to monitor for a vulnerability detected on a host following a software installation or update. | 18.8 | Yes | Security: Vulnerability | Include All Log Sources |
CCF: Suspicious Email Attachment | This rule is intended to fire when a suspicious email attachment is observed, followed by a started process and network connection. | 7.9 | Yes | Security: Suspicious | Include All Log Sources |
CCF: Time Sync Error Alarm | This AIE Rule creates an event and alerts for any time sync errors occurring on any Log Source. | 6.1 | Yes | Operations: Warning | Include All Log Sources |
CCF: Unauthorized Executable Observed | This rule is intended to alert when executable files that are not determined to be authorized by the organization are observed within the environment. | 7.2 | No | Operations: Other Operations | Include All Log Sources |
CCF: User Added to Admin Group | This rule is intended to fire with the addition of 3 or more users to a group listed in the LogRhythm list "CCF: Privileged Groups" or "CCF: Privileged Accounts." | 4.8 | Yes | Security: Suspicious | Include All Log Sources |
CCF: User Removed from Admin Group | This rule is intended to fire with the removal of 3 or more users from a group listed in the LogRhythm list "CCF: Privileged Groups" or "CCF: Privileged Accounts." | 4.8 | Yes | Security: Suspicious | Include All Log Sources |
CCF: Vulnerability Detected Alarm | This AIE Rule alerts on the occurrence of vulnerabilities or suspicious events across the organization's environment. | 1.7, 3.1, 3.2, 3.6, 5.2, 8.1, 8.6, 11.3, 12.3, 12.6, 15.3, 18.8, 18.10, 18.11, 20.6 | Yes | Security: Vulnerability | Include All Log Sources |
CCF: Windows RunAs Privilege Escalation | User not in the LogRhythm List "Privileged Users" runs a Windows program as an administrator using the "Run as administrator" option. | 4.1, 4.5, 4.8, 4.9, 11.6 | No | Security: Suspicious | Include All Log Sources |
Implementation Group 3
AI Engine Rules | Description | Control Support | Alarming | Classifications | Log Sources |
---|---|---|---|---|---|
CCF: Abnormal Amount of Data Transferred | This rule alerts whenever a significant change (400% increase or 75% decrease) in Bytes In or Bytes Out is observed for a specific host. | 16.13 | No | Operations: Warning | Include All Log Sources |
CCF: Abnormal Auth Behavior | First tracks which hosts an account typically authenticates to. Afterwards, triggers when a new host or hosts are being accessed by the account. | 16.13 | Yes | Security: Compromise | Include All Log Sources |
CCF: FIM Abnormal Activity | This AIE Rule creates events for all abnormal file integrity monitoring activity. | 16.13 | No | Security: Suspicious | Include All Log Sources |
CCF: Abnormal Origin Location | First tracks geographic locations for VPN logins. Afterwards, triggers when a new origin location is seen for a user. | 16.13 | No | Security: Attack | Include All Log Sources |
CCF: Abnormal Process Activity | First tracks processes associated with a user. Afterwards, triggers if drastically different processes are observed from the user. | 16.13 | Yes | Security: Malware | Include All Log Sources |
CCF: Attack then Inbound Traffic | This rule is intended to monitor for attacks from an external source followed by traffic to or from that source. | 9.5, 12.7 | Yes | Security: Attack | Include All Log Sources |
CCF: Config Change After Attack | Attack event on a host followed by a configuration change made to that host within 3 minutes. | 14.9 | No | Security: Compromise | Include All Log Sources |
CCF: Config Change then Critical Error | Configuration change followed by a critical error on the same host indicating an erroneous configuration, malicious intent or otherwise. | 14.9 | No | Security: Compromise | Include All Log Sources |
CCF: Config Deleted/Disabled | Configuration deleted or disabled within the organization infrastructure. | 14.9 | No | Security: Compromise | Include All Log Sources |
CCF: Config Modified | Configuration modified within the organization infrastructure. | 14.9 | No | Security: Compromise | Include All Log Sources |
CCF: Early TLS/SSL Alarm | This AIE Rule alerts on the occurrence of any identified TLS LogRhythm Network Monitor event. | 1.8, 12.10, 13.9, 14.8, 15.8 | Yes | Security: Activity | Include All Log Sources |
CCF: FIM Abnormal Activity | This AIE Rule creates events for all abnormal file integrity monitoring activity. | 13.3, 13.5, 14.5, 14.9 | No | Security: Suspicious | Include All Log Sources |
CCF: FIM Add Activity | This AIE Rule creates events for all file integrity monitoring add activity. | 13.3, 13.5, 14.5, 14.9 | No | Security: Activity | Include All Log Sources |
CCF: FIM Delete Activity Alarm | This AIE Rule alarms on file integrity monitoring delete activity. | 13.3, 13.5, 14.5, 14.9 | Yes | Security: Activity | Include All Log Sources |
CCF: FIM General Activity | This rule creates an event for file integrity monitoring activity including adds, deletes, modifies, group changes, owner changes, and permissions. The FIM log source can be established from LogRhythm's FIM or other FIM solutions. | 13.3, 13.5, 14.5, 14.9 | No | Operations: Information | Include All Log Sources |
CCF: FIM Information | This AIE Rule creates events for general file integrity monitoring information. | 13.3, 13.5, 14.5, 14.9 | No | Operations: Information | Include All Log Sources |
CCF: Multiple Failed Access Attempts | User makes multiple failed access attempts within a short time period. CIS Critical Security Control(s): CSC 16.8 | 13.3, 13.5, 14.5, 14.9 | No | Security: Suspicious | Include All Log Sources |
CCF: Multiple Object Access Failures | Multiple users failed to access the same file. CIS Critical Security Control(s): CSC 16.8 | 13.3, 13.5, 14.5, 14.9 | No | Security: Suspicious | Include All Log Sources |
CCF: New Process and Traffic Destination | First, a process that normally doesn't run on the source host is started. Next, network traffic is generated from that process going to a host that the source doesn't normally communicate with. | 9.5, 12.7 | No | Security: Suspicious | Include All Log Sources |
CCF: Non-Encrypted Protocol Alarm | This AIE Rule provides details of unencrypted applications being used within the critical and production systems or environments (entity structure). | 1.8, 12.10, 13.9, 14.8, 15.8 | Yes | Operations: Information | Include All Log Sources |
CCF: Port Misuse: 53 | This rule is triggered by network traffic not using DNS over the common DNS port (53). | 12.2, 18.10 | Yes | Security: Suspicious | Include All Log Sources |
CCF: Port Misuse: 80 | This rule is intended to fire when traffic is seen not using HTTP over the common HTTP port (80). | 12.2, 18.10 | Yes | Security: Suspicious | Include All Log Sources |
CCF: Significant Outbound Traffic Increase | Measures the rate of outbound traffic from a host and generates an event if that rate increases. | 9.5, 12.7 | No | Security: Suspicious | Include All Log Sources |
CCF: Software Install Rule | This AIE rule creates an event and alerts on any software installation activity across the environment. | 2.7 | No | Audit: Configuration | Include All Log Sources |
CCF: Software Uninstall Failure Alarm | This alerts on failed or interrupted software uninstallations. | 2.7 | Yes | Audit: Configuration | Include All Log Sources |
CCF: Software Uninstall Rule | This AIE rule creates an event and alerts on any software uninstallation activity across the environment. | 2.7 | No | Audit: Configuration | Include All Log Sources |
CCF: Suspicious Email Attachment | This rule is intended to fire when a suspicious email attachment is observed, followed by a started process and network connection. | 7.9 | Yes | Security: Suspicious | Include All Log Sources |
CCF: Unauthorized Data Transfer | This rule is configured to monitor any amount of data transferred from log sources contained within the CCF: Data Storage Systems list. | 13.1, 13.2 | No | Operations: Network Traffic | Include All Log Sources |
CCF: Unauthorized Executable Observed | This rule is intended to alert when executable files that are not determined to be authorized by the organization are observed within the environment. | 7.2 | No | Operations: Other Operations | Include All Log Sources |
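CCF: Abnormal Amount of Data Transferred and CCF: Significant Outbound Traffic Increase in the table above compare a host's current traffic volume with what that host normally moves, and like the other "first tracks, afterwards triggers" rules they must not judge a host before a baseline exists. The Python below is an added example written for this page, not LogRhythm's implementation: it builds a per-host, per-direction baseline from prior days, flags the current day when Bytes In or Bytes Out rises 400% or more (five times the baseline) or falls 75% or more (a quarter of the baseline), and skips hosts that have no usable baseline. The daily counters are constructed, the seven-day baseline and the three-day minimum for a usable baseline are this example's assumptions, and Bytes In/Out are interpreted as per-day totals.

```python
from collections import defaultdict
from statistics import mean

# Constructed daily per-host totals (not real flow records): (day, host, bytes_in, bytes_out).
BASELINE_DAYS = [f"2021-06-{d:02d}" for d in range(1, 8)]   # seven days of history
CURRENT_DAY = "2021-06-08"
SAMPLE_DAILY = []
for _day in BASELINE_DAYS:
    SAMPLE_DAILY += [
        (_day, "fs01", 50_000_000, 100_000_000),
        (_day, "web01", 400_000_000, 900_000_000),
        (_day, "bak01", 2_000_000_000, 10_000_000),
        (_day, "db01", 80_000_000, 500_000_000),
    ]
SAMPLE_DAILY += [
    (CURRENT_DAY, "fs01", 55_000_000, 600_000_000),     # bytes_out six times baseline: +500%
    (CURRENT_DAY, "web01", 410_000_000, 880_000_000),   # within normal variation
    (CURRENT_DAY, "bak01", 200_000_000, 9_000_000),     # bytes_in a tenth of baseline: -90%
    (CURRENT_DAY, "db01", 85_000_000, 1_500_000_000),   # bytes_out +200%: below the 400% threshold
    (CURRENT_DAY, "new01", 10_000_000, 700_000_000),    # first day seen: no baseline, not judged
]


def abnormal_data_transfer(records, current_day, increase_pct=400.0, decrease_pct=75.0,
                           min_baseline_days=3):
    """Flag hosts whose current-day Bytes In or Bytes Out deviates from that host's own
    baseline by at least increase_pct upward or decrease_pct downward. Hosts with fewer than
    min_baseline_days of history, or a zero baseline, are skipped rather than alarmed on."""
    history = defaultdict(lambda: {"bytes_in": [], "bytes_out": []})
    current = {}
    for day, host, b_in, b_out in records:
        if day == current_day:
            current[host] = {"bytes_in": b_in, "bytes_out": b_out}
        elif day < current_day:                      # ISO dates compare correctly as strings
            history[host]["bytes_in"].append(b_in)
            history[host]["bytes_out"].append(b_out)
    findings = []
    for host in sorted(current):
        for direction in ("bytes_in", "bytes_out"):
            base = history[host][direction]
            if len(base) < min_baseline_days or mean(base) == 0:
                continue
            avg = mean(base)
            change_pct = (current[host][direction] - avg) / avg * 100.0
            if change_pct >= increase_pct or change_pct <= -decrease_pct:
                findings.append({"host": host, "direction": direction, "baseline": round(avg),
                                 "observed": current[host][direction],
                                 "change_pct": round(change_pct, 1)})
    return findings


if __name__ == "__main__":
    for f in abnormal_data_transfer(SAMPLE_DAILY, CURRENT_DAY):
        print(f)
```

With the table's thresholds only bak01 (inbound down 90%) and fs01 (outbound up 500%) are flagged; db01's 200% outbound increase is large but below 400%, and new01 is silently skipped because it has no history. Lowering increase_pct to 150 picks up db01, which is the trade-off these statistical rules expose: a tighter threshold catches smaller exfiltration, at the price of alarming on ordinary spikes such as a nightly backup.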