CIS Controls - Reports and Reporting Packages
The current version of this table is built on Version 7.1 of the CIS Controls. A mapping to Version 8 of the CIS Controls will be completed in 2022.
Summary Reports
Implementation Group 1
Report Name | Report ID | Control Support | Data Source | Log Sources |
---|---|---|---|---|
CCF: Access Failure Summary | 2089 | 13.2, 14.6 | Platform Manager | All Available Log Sources |
CCF: Access Success Summary | 2091 | 13.2, 14.6 | Platform Manager | All Available Log Sources |
CCF: Account Disabled Summary | 2084 | 16.8, 16.9 | LogMart | All Available Log Sources |
CCF: Applications Accessed By User Summary | 2063 | 2.6 | Data Processor(s) | All Available Log Sources |
CCF: Audit Log Summary | 2076 | 6.2 | Platform Manager | All Available Log Sources |
CCF: Auth Failure Summary | 2088 | 14.6, 16.8 | Platform Manager | All Available Log Sources |
CCF: Auth Success Summary | 2090 | 14.6 | Platform Manager | All Available Log Sources |
CCF: Backup Activity Summary | 2062 | 10.1, 10.2 | Data Processor(s) | All Available Log Sources |
CCF: Compromises Detected Summary | 2064 | 8.4, 11.4 | LogMart | All Available Log Sources |
CCF: Config/Policy Change Summary | 2049 | 5.1 | LogMart | All Available Log Sources |
CCF: Critical Environment Error Summary | 2050 | 5.1 | Platform Manager | All Available Log Sources |
CCF: Malware Detected Summary | 2051 | 7.7, 8.2, 8.4 | Platform Manager | All Available Log Sources |
CCF: Object Access Summary | 2067 | 6.2, 13.1, 13.2, 14.6 | Data Processor(s) | All Available Log Sources |
CCF: Patch Activity Summary | 2052 | 3.4, 3.5, 5.1 | Data Processor(s) | All Available Log Sources |
CCF: Priv Account Management Activity Summary | 2080 | 4.3 | Data Processor(s) | All Available Log Sources |
CCF: Priv Authentication Activity Summary | 2079 | 4.3 | Platform Manager | All Available Log Sources |
CCF: Rogue Access Point Summary | 2054 | 12.1, 15.10 | Platform Manager | All Available Log Sources |
CCF: Signature Activity Summary | 2055 | 5.1, 8.2 | LogMart | All Available Log Sources |
CCF: Social Media Summary | 2070 | 4.3 | Platform Manager | All Available Log Sources |
CCF: Suspected Wireless Attack Summary | 2056 | 11.4 | Platform Manager | All Available Log Sources |
CCF: Term Account Activity Summary | 2087 | 16.8, 16.9 | Data Processor(s) | All Available Log Sources |
CCF: Top Suspicious Users | 2059 | 17.3, 17.5, 17.6, 17.7, 17.8, 17.9 | Data Processor(s) | All Available Log Sources |
CCF: Use Of Non-Encrypted Protocols Summary | 2060 | 7.1, 12.4, 13.6, 15.7 | LogMart | All Available Log Sources |
CCF: User Misuse Summary | 2061 | 4.3, 15.10, 17.3 | Platform Manager | All Available Log Sources |
CCF: User Object Access Summary | 2068 | 6.2, 13.1, 13.2, 14.6 | Data Processor(s) | All Available Log Sources |
CCF: User Priv Escalation (SU & SUDO) Summary | 2078 | 4.3 | Data Processor(s) | All Available Log Sources |
CCF: User Priv Escalation (Windows) Summary | 2077 | 4.3 | Data Processor(s) | All Available Log Sources |
CCF: Vulnerability Detected Summary | 2058 | 2.2, 3.4, 3.5, 8.2, 11.4 | Platform Manager | All Available Log Sources |
CCF: New Network Host Summary | 2101 | 1.4, 1.6 | Data Processor(s) | All Available Log Sources |
Implementation Group 2
Report Name | Report ID | Control Support | Data Source | Log Sources |
---|---|---|---|---|
CCF: Access Failure Summary | 2089 | 4.7, 4.9, 16.6, 16.7, 16.12 | Platform Manager | All Available Log Sources |
CCF: Access Success Summary | 2091 | 4.1, 4.5, 4.7, 16.6, 16.7, 16.10, 20.8 | Platform Manager | All Available Log Sources |
CCF: Account Disabled Summary | 2084 | 4.1, 16.6, 16.7, 16.10, 16.12 | LogMart(s) | All Available Log Sources |
CCF: Applications Accessed By User Summary | 2063 | 2.3, 2.4, 18.3, 18.8 | Data Processor(s) | All Available Log Sources |
CCF: Audit Log Summary | 2076 | 1.3, 4.9, 6.3, 6.4, 6.5, 6.6, 6.7, 7.6, 8.6, 8.7, 8.8 | Platform Manager | All Available Log Sources |
CCF: Auth Failure Summary | 2088 | 4.1, 4.7, 4.9, 16.10, 16.12 | Platform Manager | All Available Log Sources |
CCF: Auth Success Summary | 2090 | 4.1, 4.5, 4.7, 16.6, 16.7, 16.10, 16.12, 20.8 | Platform Manager | All Available Log Sources |
CCF: Backup Activity Summary | 2062 | 10.3 | Data Processor(s) | All Available Log Sources |
CCF: Compromises Detected Summary | 2064 | 1.7, 3.1, 3.2, 3.6, 8.1, 8.6, 9.3, 12.3, 12.6, 15.1 | LogMart(s) | All Available Log Sources |
CCF: Config/Policy Change Summary | 2049 | 4.8, 5.4, 5.5, 11.2, 11.3 | LogMart(s) | All Available Log Sources |
CCF: Critical Environment Error Summary | 2050 | 10.3, 18.11, 20.4 | Platform Manager | All Available Log Sources |
CCF: LogRhythm Data Loss Defender Log Summary | 2066 | 5.3, 13.7 | LogMart(s) | All Available Log Sources |
CCF: Malware Detected Summary | 2051 | 3.1, 3.6, 8.1, 8.6, 12.3, 12.6 | Platform Manager | All Available Log Sources |
CCF: New Network Host Summary | 2101 | 1.5 | Data Processor(s) | All Available Log Sources |
CCF: Object Access Summary | 2067 | 4.7, 5.3 | Data Processor(s) | All Available Log Sources |
CCF: Patch Activity Summary | 2052 | 3.1, 3.2, 18.3 | Data Processor(s) | All Available Log Sources |
CCF: Priv Account Management Activity Summary | 2080 | 4.1, 4.5, 4.8, 4.9, 16.10, 16.12 | Data Processor(s) | All Available Log Sources |
CCF: Priv Authentication Activity Summary | 2079 | 4.1, 4.5, 4.8, 4.9, 16.10, 16.12 | Platform Manager | All Available Log Sources |
CCF: Rogue Access Point Summary | 2054 | 1.7, 15.1, 15.2 | Platform Manager | All Available Log Sources |
CCF: Signature Activity Summary | 2055 | 3.1, 3.2, 3.6, 8.1, 8.6 | LogMart(s) | All Available Log Sources |
CCF: Social Media Summary | 2070 | 3.3, 7.6, 11.6, 20.8 | Platform Manager | All Available Log Sources |
CCF: Suspected Wireless Attack Summary | 2056 | 3.1, 7.4, 8.1, 8.6, 9.2, 12.2, 12.3, 15.1, 15.3, 15.6, 15.9 | Platform Manager | All Available Log Sources |
CCF: Term Account Activity Summary | 2087 | 16.6, 16.7, 16.10, 16.12 | Data Processor(s) | All Available Log Sources |
CCF: Time Sync Error Summary | 683 | 6.1 | Platform Manager | All Available Log Sources |
CCF: Top Suspicious Users | 2059 | 4.1, 4.8, 16.6, 16.7, 17.1, 20.6, 20.8 | Data Processor(s) | All Available Log Sources |
CCF: Use Of Non-Encrypted Protocols Summary | 2060 | 11.5, 14.4, 16.5, 18.5 | LogMart(s) | All Available Log Sources |
CCF: User Misuse Summary | 2061 | 3.3, 4.1, 11.6, 16.6, 16.7, 16.10, 16.12, 17.1, 20.6, 20.8 | Platform Manager | All Available Log Sources |
CCF: User Object Access Summary | 2068 | 3.3, 5.3, 7.9, 11.6, 13.4, 13.7, 17.1, 18.9, 20.4 | Data Processor(s) | All Available Log Sources |
CCF: User Priv Escalation (SUDO) Summary | 2078 | 4.1, 4.8, 4.9, 11.6, 16.7, 16.12, 20.8 | Data Processor(s) | All Available Log Sources |
CCF: User Priv Escalation (Windows) Summary | 2077 | 4.1, 4.8, 4.9, 11.6, 16.7, 16.12, 20.8 | Data Processor(s) | All Available Log Sources |
CCF: Vulnerability Detected Summary | 2058 | 1.7, 3.1, 3.2, 3.6, 8.6, 12.3, 12.6, 18.10, 20.6 | Platform Manager | All Available Log Sources |
Implementation Group 3
Report Name | Report ID | Control Support | Data Source | Log Sources |
---|---|---|---|---|
CCF: Top Suspicious Users | 2059 | 16.13 | Data Processor(s) | All Log Sources |
CCF: User Object Access Summary | 2068 | 13.3, 13.5, 14.5, 14.9 | Data Processor(s) | All Log Sources |
CCF: Use Of Non-Encrypted Protocols Summary | 2060 | 1.8, 12.10, 13.9, 14.8, 15.8 | LogMart(s) | All Log Sources |
CCF: Auth Success Summary | 2090 | 16.13 | Platform Manager | All Log Sources |
CCF: LogRhythm Data Loss Defender Log Summary | 2066 | 13.3, 13.5, 14.5, 14.9 | LogMart(s) | All Log Sources |
CCF: Object Access Summary | 2067 | 13.3, 13.5, 14.5, 14.9 | Data Processor(s) | All Log Sources |
CCF: Auth Failure Summary | 2088 | 16.13 | Platform Manager(s) | All Log Sources |
CCF: Config/Policy Change Summary | 2049 | 14.9 | LogMart(s) | All Log Sources |
Detailed Reports
The Intelligent Indexing settings are recommendations. The default configuration is No.
Implementation Group 1
Report Name | Report Description | Control Support | Data Source | Intelligent Indexing | Classification | Log Sources | Report ID |
---|---|---|---|---|---|---|---|
CCF: Account Deleted Summary | This report provides detailed information when an account has access revoked (deleted) across any logged environments. This should align with the organization's policies regarding deleted accounts. | 16.9 | Platform Manager | Yes | Audit | All Available Log Sources | 2086 |
CCF: Account Enabled Summary | This report provides detailed information when an account has access granted across any logged environments. This should align with the organization's policies regarding enabled accounts. | 4.3, 16.9 | Platform Manager | Yes | Audit | All Available Log Sources | 2085 |
CCF: Account Modification Summary | This report provides summary information about account modifications across all logged environments. | 4.3, 14.6 | Platform Manager | Yes | Audit | All Available Log Sources | 2092 |
CCF: Host Access Granted And Revoked Detail | This report details all access granted and revoked for production systems. | 4.3, 5.1, 15.10 | Data Processor(s) | Yes | Audit | All Available Log Sources | 2065 |
CCF: Unknown User Account Detail | This report provides details of activity from unknown user accounts, based on CCF user lists. | 16.8 | Data Processor(s) | Yes | Security | All Available Log Sources | 2071 |
Implementation Group 2
Report Name | Report Description | Control Support | Data Source | Intelligent Indexing | Classification | Log Sources | Report ID |
---|---|---|---|---|---|---|---|
CCF: Account Deleted Summary | This report provides detailed information when an account has access revoked (deleted) across any logged environments. This should align with the organization's policies regarding deleted accounts. | 16.7, 16.10, 16.12 | Platform Manager | Yes | Audit | All Available Log Sources | 2086 |
CCF: Account Enabled Summary | This report provides detailed information when an account has access granted across any logged environments. This should align with the organization's policies regarding enabled accounts. | 3.3, 4.5, 4.7, 16.7, 16.10, 16.12, 20.8 | Platform Manager | Yes | Audit | All Available Log Sources | 2085 |
CCF: Account Modification Summary | This report provides summary information about account modifications across all logged environments. | 3.3, 4.1, 4.7, 4.8, 4.9, 16.6, 16.7, 16.10, 16.12, 20.8 | Platform Manager | Yes | Audit | All Available Log Sources | 2092 |
CCF: Host Access Granted And Revoked Detail | This report details all access granted and revoked for production systems. | 11.6, 16.7, 16.10 | Data Processor(s) | Yes | Audit | All Available Log Sources | 2065 |
CCF: Unknown User Account Detail | This report provides details of activity from unknown user accounts, based on CCF user lists. | 4.1, 4.8, 4.9, 16.6 | Data Processor(s) | Yes | Security | All Available Log Sources | 2071 |
Implementation Group 3
N/A
Reporting Packages
Report Package Name | Report Package Description | Report Package ID |
---|---|---|
CCF: Daily IT Operations Reporting Package | This reporting package is a template to deliver pertinent content for IT Operations on a daily basis. | 89 |
CCF: Daily IT Security Reporting Package | This reporting package is a template to deliver pertinent content for IT Security on a daily basis. | 90 |
CCF: Executive Reporting Package | This reporting package is a template to deliver pertinent content for Executives on a monthly basis. | 87 |
CCF: Weekly Audit Reporting Package | This reporting package is a template to deliver pertinent content for Internal and/or External Audit groups on a weekly basis. | 88 |