
CIS-CSC User Guide – Investigations


The CIS Critical Security Controls Module contains preset investigations that help an analyst quickly gain visibility into suspicious or malicious activity in their environment, as well as policy violations and operational information. This section details all of the investigations included in the module, including any additional configuration notes.

Generic Account Usage

Investigation ID: 218

CSC Control(s): CSC 16.8

Log Sources (minimum):

Host Logs

Log Sources (recommended):

Active Directory or LDAP

List:

Generic Accounts

Description:

All activity involving accounts on the Generic Accounts list. CIS Critical Security Control(s): CSC 16.8

New Domain Hosts

Investigation ID: 219

CSC Control(s): CSC 1.4, CSC 16.2

Log Sources (minimum):

Active Directory Logs

Log Sources (recommended):

N/A

List:

N/A

Description:

New hosts which have joined the domain. CIS Critical Security Control(s): CSC 1.4, CSC 16.2

Removed Domain Hosts

Investigation ID: 220

CSC Control(s): CSC 1.4, CSC 16.2

Log Sources (minimum):

Active Directory Logs

Log Sources (recommended):

N/A

List:

N/A

Description:

Hosts which have been removed from the domain in the last 7 days. CIS Critical Security Control(s): CSC 1.4, CSC 16.2

Configuration Changes

Investigation ID: 221

CSC Control(s): CSC 5.5, CSC 3.2

Log Sources (minimum):

Host or Network Device Logs

Log Sources (recommended):

N/A

List:

N/A

Description:

Configuration change events. CIS Critical Security Control(s): CSC 5.5, CSC 3.2

New Network Hosts

Investigation ID: 223

CSC Control(s): CSC 1.4

Log Sources (minimum):

AI Engine Events

Log Sources (recommended):

N/A

List:

N/A

Description:

Hosts which are new to the network. CIS Critical Security Control(s): CSC 1.4

Authentication Failures

Investigation ID: 225

CSC Control(s): CSC 14.9

Log Sources (minimum):

Host Logs

Log Sources (recommended):

Active Directory or LDAP

List:

N/A

Description:

Failed authentication events. CIS Critical Security Control(s): CSC 14.9

Online Storage Usage

Investigation ID: 226

CSC Control(s): CSC 13.5, CSC 13.4

Log Sources (minimum):

LogRhythm Network Monitor

Log Sources (recommended):

N/A

List:

Network: Functional: Online Storage

Description:

Usage of online cloud storage services such as Dropbox and Google Docs. CIS Critical Security Control(s): CSC 13.5, CSC 13.4

Application Usage

Investigation ID: 227

CSC Control(s): CSC 2.7, CSC 6.7

Log Sources (minimum):

LogRhythm Network Monitor

Log Sources (recommended):

N/A

List:

N/A

Description:

Impacted applications recorded by the LogRhythm Network Monitor. CIS Critical Security Control(s): CSC 2.7, CSC 6.7
