Skip to main content
Skip table of contents

CMMC – Investigations

The Intelligent Indexing settings are recommendations. The default configuration is No.

NameDescriptionInvestigation IDControl SupportData SourceClassificationsLog Sources
CCF: Account Modification InvThis investigation provides details of account modifications across the environment.709AC.L1-3.1.1, AC.L1-3.1.2, AC.L1-3.1.20, AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.8, AC.L2-3.1.8, AC.L2-3.1.10, AC.L2-3.1.16, AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.3, AC.L2-3.1.7, AC.L2-3.1.17, AC.L2-3.1.18, AC.L2-3.1.15, AC.L2-3.1.19, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.9, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.6, CM.L2-3.4.2, CM.L2-3.4.3, CM.L2-3.4.8, IA.L1-3.5.1, IA.L1-3.5.2, IA.L2-3.5.7, IA.L2-3.5.8, IA.L2-3.5.9, IA.L2-3.5.3, IA.L2-3.5.4, IA.L2-3.5.5, IA.L2-3.5.6, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MA.L2-3.7.1, MA.L2-3.7.2, MP.L2-3.8.1, MP.L2-3.8.2, PS.L2-3.9.2, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.12, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.4, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.8, SC.L2-3.13.13, SC.L2-3.13.15, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.4, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Platform Manager(s)AuditAll Available Log Sources
CCF: Applications Accessed By User InvThis investigation provides information about user accessed applications.689AC.L1-3.1.1, AC.L1-3.1.2, AC.L1-3.1.20, AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.8, AC.L2-3.1.10, AC.L2-3.1.16, AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.3, AC.L2-3.1.7, AC.L2-3.1.17, AC.L2-3.1.18, AC.L2-3.1.15, AC.L2-3.1.19, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.9, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.6, CM.L2-3.4.2, CM.L2-3.4.3, CM.L2-3.4.8, IA.L1-3.5.1, IA.L1-3.5.2, IA.L2-3.5.7, IA.L2-3.5.8, IA.L2-3.5.9, IA.L2-3.5.3, IA.L2-3.5.4, IA.L2-3.5.5, IA.L2-3.5.6, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MA.L2-3.7.1, MA.L2-3.7.2, MP.L2-3.8.1, MP.L2-3.8.2, PS.L2-3.9.2, MP.L2-3.8.9, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.12, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.4, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.15, SC.L2-3.13.16, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.4, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Data Processor(s)AuditAll Available Log Sources
CCF: Audit Log InvThis investigation provides details around potential control failures around auditing systems.  This requires the configuration and enablement of the CCF: Audit Logging Stopped Alarm, CCF: Audit Log Cleared Alarm, and CCF: Failed Audit Log Write Alarm.701AC.L1-3.1.1, AC.L1-3.1.2, AC.L1-3.1.20, AC.L2-3.1.21, AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.8, AC.L2-3.1.10, AC.L2-3.1.16, AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.3, AC.L2-3.1.7, AC.L2-3.1.17, AC.L2-3.1.18, AC.L2-3.1.13, AC.L2-3.1.15, AC.L2-3.1.19, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.7, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.8, AU.L2-3.3.9, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.6, CM.L2-3.4.9, CM.L2-3.4.2, CM.L2-3.4.3, CM.L2-3.4.8, IA.L1-3.5.1, IA.L1-3.5.2, IA.L2-3.5.7, IA.L2-3.5.8, IA.L2-3.5.9, IA.L2-3.5.10, IA.L2-3.5.3, IA.L2-3.5.4, IA.L2-3.5.5, IA.L2-3.5.6, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MA.L2-3.7.1, MA.L2-3.7.2, MA.L2-3.7.6, MP.L2-3.8.1, MP.L2-3.8.2, MP.L2-3.8.7, MP.L2-3.8.8, MP.L2-3.8.5, PS.L2-3.9.2, PE.L1-3.10.1, PE.L1-3.10.3, PE.L1-3.10.4, PE.L1-3.10.5, PE.L2-3.10.2, MP.L2-3.8.9, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.12, SC.L2-3.13.11, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.4, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.8, SC.L2-3.13.13, SC.L2-3.13.15, SC.L2-3.13.16, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.4, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Platform Manager(s)AuditAll Available Log Sources
CCF: Backup Activity InvThis investigation provides details of activity from backup events.688AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.8, AC.L2-3.1.10, AC.L2-3.1.12, AC.L2-3.1.3, AC.L2-3.1.7, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.8, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.8, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MP.L2-3.8.9, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.13, SC.L2-3.13.15, SC.L2-3.13.16, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Data Processor(s)OperationsAll Available Log Sources
CCF: Compromises Detected InvThis investigation provides a summary of detected compromises of security by Entity and Impacted Host.690AC.L2-3.1.12, AC.L2-3.1.3, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.8, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.13, SC.L2-3.13.15, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7LogMart(s)SecurityAll Available Log Sources
CCF: Config/Policy Change InvThis investigation provides a summary of the occurrence of configuration or policy changes across critical and production environments (entity structure).675AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.8, AC.L2-3.1.10, AC.L2-3.1.12, AC.L2-3.1.3, AC.L2-3.1.7, AC.L2-3.1.13, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.8, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.6, CM.L2-3.4.9, CM.L2-3.4.2, CM.L2-3.4.3, CM.L2-3.4.8, IA.L2-3.5.7, IA.L2-3.5.8, IA.L2-3.5.9, IA.L2-3.5.4, IA.L2-3.5.5, IA.L2-3.5.6, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MA.L2-3.7.1, MA.L2-3.7.2, MP.L2-3.8.1, MP.L2-3.8.2, MP.L2-3.8.7, MP.L2-3.8.8, MP.L2-3.8.9, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.11, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.15, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.4, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Data Processor(s)AuditAll Available Log Sources
CCF: Critical Environment Error InvThis investigation provides summary details around critical or error messages received from critical servers or systems (entity structure) to support change management procedures.676AC.L2-3.1.12, AC.L2-3.1.3, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.6, CM.L2-3.4.2, CM.L2-3.4.3, CM.L2-3.4.8, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MA.L2-3.7.1, MA.L2-3.7.2, MP.L2-3.8.9, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.13, SC.L2-3.13.15, SC.L2-3.13.16, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.4, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Platform Manager(s)OperationsAll Available Log Sources
CCF: Deleted Account InvThis investigation provides detailed information when any new accounts are deleted across any logged environments (entity structure).706AC.L1-3.1.1, AC.L1-3.1.2, AC.L1-3.1.20, AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.8, AC.L2-3.1.10, AC.L2-3.1.16, AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.3, AC.L2-3.1.7, AC.L2-3.1.17, AC.L2-3.1.18, AC.L2-3.1.15, AC.L2-3.1.19, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.9, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.6, CM.L2-3.4.2, CM.L2-3.4.3, CM.L2-3.4.8, IA.L1-3.5.1, IA.L1-3.5.2, IA.L2-3.5.7, IA.L2-3.5.8, IA.L2-3.5.9, IA.L2-3.5.3, IA.L2-3.5.4, IA.L2-3.5.5, IA.L2-3.5.6, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MA.L2-3.7.1, MA.L2-3.7.2, MP.L2-3.8.1, MP.L2-3.8.2, PS.L2-3.9.2, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.12, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.4, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.8, SC.L2-3.13.13, SC.L2-3.13.15, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.4, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Platform Manager(s)AuditAll Available Log Sources
CCF: Denial of Service InvThis investigation provides details of detected denial of service attempts.707AC.L2-3.1.12, AC.L2-3.1.3, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.8, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.13, SC.L2-3.13.15, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Data Processor(s)SecurityAll Available Log Sources
CCF: Disabled Account InvThis investigation provides detailed information when any new accounts are revoked (disabled) across any logged environments (entity structure).705AC.L1-3.1.1, AC.L1-3.1.2, AC.L1-3.1.20, AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.8, AC.L2-3.1.10, AC.L2-3.1.16, AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.3, AC.L2-3.1.7, AC.L2-3.1.17, AC.L2-3.1.18, AC.L2-3.1.15, AC.L2-3.1.19, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.9, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.6, CM.L2-3.4.2, CM.L2-3.4.3, CM.L2-3.4.8, IA.L1-3.5.1, IA.L1-3.5.2, IA.L2-3.5.7, IA.L2-3.5.8, IA.L2-3.5.9, IA.L2-3.5.3, IA.L2-3.5.4, IA.L2-3.5.5, IA.L2-3.5.6, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MA.L2-3.7.1, MA.L2-3.7.2, MP.L2-3.8.1, MP.L2-3.8.2, PS.L2-3.9.2, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.12, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.4, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.8, SC.L2-3.13.13, SC.L2-3.13.15, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.4, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Platform Manager(s)AuditAll Available Log Sources
CCF: Enabled Account InvThis investigation provides detailed information when any new accounts are granted (enabled) across any logged environments (entity structure).704AC.L1-3.1.1, AC.L1-3.1.2, AC.L1-3.1.20, AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.8, AC.L2-3.1.10, AC.L2-3.1.16, AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.3, AC.L2-3.1.7, AC.L2-3.1.17, AC.L2-3.1.18, AC.L2-3.1.15, AC.L2-3.1.19, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.9, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.6, CM.L2-3.4.2, CM.L2-3.4.3, CM.L2-3.4.8, IA.L1-3.5.1, IA.L1-3.5.2, IA.L2-3.5.7, IA.L2-3.5.8, IA.L2-3.5.9, IA.L2-3.5.3, IA.L2-3.5.4, IA.L2-3.5.5, IA.L2-3.5.6, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MA.L2-3.7.1, MA.L2-3.7.2, MP.L2-3.8.1, MP.L2-3.8.2, PS.L2-3.9.2, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.12, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.4, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.8, SC.L2-3.13.13, SC.L2-3.13.15, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.4, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Platform Manager(s)AuditAll Available Log Sources
CCF: Excessive Authentication Failure InvThis investigation provides detailed information around excessive user account authentication failures  (>10 authentication failures in 30 minutes) across any logged environments (entity structure).708AC.L1-3.1.1, AC.L1-3.1.2, AC.L1-3.1.20, AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.8, AC.L2-3.1.10, AC.L2-3.1.16, AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.3, AC.L2-3.1.7, AC.L2-3.1.17, AC.L2-3.1.18, AC.L2-3.1.15, AC.L2-3.1.19, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.8, AU.L2-3.3.9, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.6, CM.L2-3.4.2, CM.L2-3.4.3, CM.L2-3.4.8, IA.L1-3.5.1, IA.L1-3.5.2, IA.L2-3.5.7, IA.L2-3.5.8, IA.L2-3.5.9, IA.L2-3.5.3, IA.L2-3.5.4, IA.L2-3.5.5, IA.L2-3.5.6, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MA.L2-3.7.1, MA.L2-3.7.2, MA.L2-3.7.6, MP.L2-3.8.1, MP.L2-3.8.2, MP.L2-3.8.7, MP.L2-3.8.8, MP.L2-3.8.5, PS.L2-3.9.2, PE.L1-3.10.1, PE.L1-3.10.3, PE.L1-3.10.4, PE.L1-3.10.5, PE.L2-3.10.2, MP.L2-3.8.9, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.12, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.4, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.8, SC.L2-3.13.13, SC.L2-3.13.15, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.4, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Platform Manager(s)SecurityAll Available Log Sources
CCF: GeoIP InvThis report summarizes GeoIP activity that is associated with AI Engine GeoIP rules, in the CCF compliance automation suite.696AC.L1-3.1.1, AC.L1-3.1.2, AC.L1-3.1.20, AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.8, AC.L2-3.1.10, AC.L2-3.1.16, AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.3, AC.L2-3.1.7, AC.L2-3.1.17, AC.L2-3.1.18, AC.L2-3.1.15, AC.L2-3.1.19, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.9, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.6, CM.L2-3.4.2, CM.L2-3.4.3, CM.L2-3.4.8, IA.L1-3.5.1, IA.L1-3.5.2, IA.L2-3.5.7, IA.L2-3.5.8, IA.L2-3.5.9, IA.L2-3.5.3, IA.L2-3.5.4, IA.L2-3.5.5, IA.L2-3.5.6, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MA.L2-3.7.1, MA.L2-3.7.2, MP.L2-3.8.1, MP.L2-3.8.2, PS.L2-3.9.2, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.12, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.4, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.8, SC.L2-3.13.13, SC.L2-3.13.15, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.4, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Platform Manager(s)SecurityAll Available Log Sources
CCF: Host Access Granted And Revoked InvThis investigation details all access granted and revoked for production systems.691AC.L1-3.1.1, AC.L1-3.1.2, AC.L1-3.1.20, AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.8, AC.L2-3.1.10, AC.L2-3.1.16, AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.3, AC.L2-3.1.7, AC.L2-3.1.17, AC.L2-3.1.18, AC.L2-3.1.15, AC.L2-3.1.19, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.9, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.6, CM.L2-3.4.2, CM.L2-3.4.3, CM.L2-3.4.8, IA.L1-3.5.1, IA.L1-3.5.2, IA.L2-3.5.7, IA.L2-3.5.8, IA.L2-3.5.9, IA.L2-3.5.3, IA.L2-3.5.4, IA.L2-3.5.5, IA.L2-3.5.6, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MA.L2-3.7.1, MA.L2-3.7.2, MP.L2-3.8.1, MP.L2-3.8.2, PS.L2-3.9.2, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.12, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.4, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.8, SC.L2-3.13.13, SC.L2-3.13.15, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.4, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Data Processor(s)AuditAll Available Log Sources
CCF: LogRhythm Data Loss Defender Log InvThis investigation provides information on data generated by the LogRhythm Data Loss Defender.  Data is grouped by Entity, Impacted Host, Common Event, and Object with a count of how many times that condition has been experienced within the investigation period.692AC.L1-3.1.1, AC.L1-3.1.2, AC.L1-3.1.20, AC.L2-3.1.21, AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.8, AC.L2-3.1.10, AC.L2-3.1.16, AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.3, AC.L2-3.1.7, AC.L2-3.1.17, AC.L2-3.1.18, AC.L2-3.1.13, AC.L2-3.1.15, AC.L2-3.1.19, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.8, AU.L2-3.3.9, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.6, CM.L2-3.4.2, CM.L2-3.4.3, CM.L2-3.4.8, IA.L2-3.5.7, IA.L2-3.5.8, IA.L2-3.5.9, IA.L2-3.5.4, IA.L2-3.5.5, IA.L2-3.5.6, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MA.L2-3.7.1, MA.L2-3.7.2, MP.L2-3.8.1, MP.L2-3.8.2, MP.L2-3.8.7, MP.L2-3.8.8, PS.L2-3.9.2, MP.L2-3.8.9, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.12, SC.L2-3.13.11, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.4, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.8, SC.L2-3.13.13, SC.L2-3.13.15, SC.L2-3.13.16, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.4, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Data Processor(s)AuditAll Available Log Sources
CCF: Malware Detected InvThis investigation provides a summary of malware activity by entity and impacted host within the organization's critical and production environments (entity structure).677AC.L2-3.1.12, AC.L2-3.1.3, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.8, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.13, SC.L2-3.13.15, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Platform Manager(s)SecurityAll Available Log Sources
CCF: Object Access InvThis investigation summarizes object access by Impacted Host.693AC.L1-3.1.1, AC.L1-3.1.2, AC.L1-3.1.20, AC.L2-3.1.21, AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.8, AC.L2-3.1.10, AC.L2-3.1.16, AC.L2-3.1.12, AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.3, AC.L2-3.1.7, AC.L2-3.1.17, AC.L2-3.1.18, AC.L2-3.1.15, AC.L2-3.1.19, AU.L2-3.3.2, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.4, AU.L2-3.3.8, AU.L2-3.3.9, AU.L2-3.3.5, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.6, CM.L2-3.4.2, CM.L2-3.4.3, CM.L2-3.4.8, IA.L1-3.5.1, IA.L1-3.5.2, IA.L2-3.5.7, IA.L2-3.5.8, IA.L2-3.5.9, IA.L2-3.5.3, IA.L2-3.5.4, IA.L2-3.5.5, IA.L2-3.5.6, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MA.L2-3.7.1, MA.L2-3.7.2, MP.L2-3.8.1, MP.L2-3.8.2, MP.L2-3.8.7, MP.L2-3.8.8, PS.L2-3.9.2, RM.L2-3.11.1, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L1-3.13.5, SC.L2-3.13.12, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.4, SC.L2-3.13.6, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.7, SC.L2-3.13.15, SC.L2-3.13.15, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.4, SI.L1-3.14.5, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.6, SI.L2-3.14.7Data Processor(s)AuditAll Available Log Sources
CCF: Password Modification InvThis investigation provides detail around password modification to accounts within the environment.702AC.L1-3.1.1, AC.L1-3.1.2, AC.L1-3.1.20, AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.8, AC.L2-3.1.10, AC.L2-3.1.16, AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.3, AC.L2-3.1.7, AC.L2-3.1.17, AC.L2-3.1.18, AC.L2-3.1.15, AC.L2-3.1.19, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.9, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.6, CM.L2-3.4.2, CM.L2-3.4.3, CM.L2-3.4.8, IA.L1-3.5.1, IA.L1-3.5.2, IA.L2-3.5.7, IA.L2-3.5.8, IA.L2-3.5.9, IA.L2-3.5.3, IA.L2-3.5.4, IA.L2-3.5.5, IA.L2-3.5.6, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MA.L2-3.7.1, MA.L2-3.7.2, MP.L2-3.8.1, MP.L2-3.8.2, PS.L2-3.9.2, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.12, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.4, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.8, SC.L2-3.13.13, SC.L2-3.13.15, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.4, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Platform Manager(s)AuditAll Available Log Sources
CCF: Patch Activity InvThis investigation provides a summary of applied patches grouped by Origin Host. It can demonstrate that all system components have the latest security patches installed.678AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.8, AC.L2-3.1.10, AC.L2-3.1.12, AC.L2-3.1.3, AC.L2-3.1.7, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.6, CM.L2-3.4.9, CM.L2-3.4.2, CM.L2-3.4.3, CM.L2-3.4.8, IA.L2-3.5.7, IA.L2-3.5.8, IA.L2-3.5.9, IA.L2-3.5.4, IA.L2-3.5.5, IA.L2-3.5.6, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MA.L2-3.7.1, MA.L2-3.7.2, MP.L2-3.8.1, MP.L2-3.8.2, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.13, SC.L2-3.13.15, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.4, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Data Processor(s)SecurityAll Available Log Sources
CCF: Physical Access InvThis investigation summarizes physical door access/authentication success and failures within the organization's physical security perimeter.679AC.L1-3.1.1, AC.L1-3.1.2, AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.8, AC.L2-3.1.10, AC.L2-3.1.3, AC.L2-3.1.7, AU.L2-3.3.8, AU.L2-3.3.9, AU.L2-3.3.6, CM.L2-3.4.8, IA.L1-3.5.1, IA.L1-3.5.2, IA.L2-3.5.7, IA.L2-3.5.8, IA.L2-3.5.9, IA.L2-3.5.3, IA.L2-3.5.4, IA.L2-3.5.5, IA.L2-3.5.6, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MA.L2-3.7.6, MP.L2-3.8.1, MP.L2-3.8.2, MP.L2-3.8.7, MP.L2-3.8.8, MP.L2-3.8.5, PS.L2-3.9.2, PE.L1-3.10.1, PE.L1-3.10.3, PE.L1-3.10.4, PE.L1-3.10.5, PE.L2-3.10.2, MP.L2-3.8.9, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.6, SC.L2-3.13.7, SI.L1-3.14.1, SI.L1-3.14.2, SI.L2-3.14.3, SI.L2-3.14.7Platform Manager(s)AuditAll Available Log Sources
CCF: Privileged Account Escalation InvThis investigation provides detail around privileged access escalation within a Linux and Windows OS.  This requires configuration and enablement of CCF: Windows RunAs Privilege Escalation & CCF: Linux sudo Privilege Escalation AIE rules.700AC.L1-3.1.1, AC.L1-3.1.2, AC.L1-3.1.20, AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.8, AC.L2-3.1.10, AC.L2-3.1.16, AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.3, AC.L2-3.1.7, AC.L2-3.1.17, AC.L2-3.1.18, AC.L2-3.1.15, AC.L2-3.1.19, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.9, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.6, CM.L2-3.4.6, CM.L2-3.4.2, CM.L2-3.4.3, CM.L2-3.4.8, IA.L1-3.5.1, IA.L1-3.5.2, IA.L2-3.5.7, IA.L2-3.5.8, IA.L2-3.5.9, IA.L2-3.5.3, IA.L2-3.5.4, IA.L2-3.5.5, IA.L2-3.5.6, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MA.L2-3.7.1, MA.L2-3.7.2, MP.L2-3.8.1, MP.L2-3.8.2, PS.L2-3.9.2, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.12, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.4, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.8, SC.L2-3.13.13, SC.L2-3.13.15, SC.L2-3.13.16, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.4, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Platform Manager(s)SecurityAll Available Log Sources
CCF: Privileged Account Modification InvThis investigation provides details around modifications made to privileged accounts within the environment.  This investigation requires the CCF: Privileged Accounts (user list) to be established and updated periodically.703AC.L1-3.1.1, AC.L1-3.1.2, AC.L1-3.1.20, AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.8, AC.L2-3.1.10, AC.L2-3.1.16, AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.3, AC.L2-3.1.7, AC.L2-3.1.17, AC.L2-3.1.18, AC.L2-3.1.15, AC.L2-3.1.19, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.9, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.6, CM.L2-3.4.2, CM.L2-3.4.3, CM.L2-3.4.8, IA.L1-3.5.1, IA.L1-3.5.2, IA.L2-3.5.7, IA.L2-3.5.8, IA.L2-3.5.9, IA.L2-3.5.3, IA.L2-3.5.4, IA.L2-3.5.5, IA.L2-3.5.6, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MA.L2-3.7.1, MA.L2-3.7.2, MP.L2-3.8.1, MP.L2-3.8.2, PS.L2-3.9.2, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.12, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.4, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.8, SC.L2-3.13.13, SC.L2-3.13.15, SC.L2-3.13.16, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.4, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Data Processor(s)AuditAll Available Log Sources
CCF: Rogue Access Point InvThis investigation provides a summary of all detected rogue wireless access points by Impacted Host across critical, production, and online banking environments (entity structure).680AC.L1-3.1.1, AC.L1-3.1.2, AC.L2-3.1.12, AC.L2-3.1.3, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.8, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.13, SC.L2-3.13.15, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Platform Manager(s)SecurityAll Available Log Sources
CCF: Signature Activity InvThis investigation provides summary information on signature update activity across critical and production environments (entity structure).681AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.8, AC.L2-3.1.10, AC.L2-3.1.12, AC.L2-3.1.3, AC.L2-3.1.7, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.6, CM.L2-3.4.9, CM.L2-3.4.2, CM.L2-3.4.3, CM.L2-3.4.8, IA.L2-3.5.7, IA.L2-3.5.8, IA.L2-3.5.9, IA.L2-3.5.4, IA.L2-3.5.5, IA.L2-3.5.6, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MA.L2-3.7.1, MA.L2-3.7.2, MP.L2-3.8.1, MP.L2-3.8.2, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.13, SC.L2-3.13.15, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.4, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7LogMart(s)OperationsAll Available Log Sources
CCF: Social Media InvSummarizes the top URLs related to Social Media activity.695AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.8, AC.L2-3.1.10, AC.L2-3.1.12, AC.L2-3.1.3, AC.L2-3.1.7, AC.L2-3.1.19, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.8, IA.L2-3.5.7, IA.L2-3.5.8, IA.L2-3.5.9, IA.L2-3.5.4, IA.L2-3.5.5, IA.L2-3.5.6, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MP.L2-3.8.1, MP.L2-3.8.2, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.2, SC.L2-3.13.4, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.8, SC.L2-3.13.15, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Platform Manager(s)AuditAll Available Log Sources
CCF: Suspected Wireless Attack InvThis investigation provides information on suspected wireless attacks at the internal boundary including the type of attack and impacted (targeted) host and application (if applicable).  This is based on Critical and Production environments (can be defined with entity structure).682AC.L1-3.1.20, AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.8, AC.L2-3.1.10, AC.L2-3.1.16, AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.3, AC.L2-3.1.7, AC.L2-3.1.17, AC.L2-3.1.18, AC.L2-3.1.15, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.8, IA.L2-3.5.7, IA.L2-3.5.8, IA.L2-3.5.9, IA.L2-3.5.4, IA.L2-3.5.5, IA.L2-3.5.6, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MP.L2-3.8.1, MP.L2-3.8.2, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.13, SC.L2-3.13.15, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Platform Manager(s)SecurityAll Available Log Sources
CCF: Suspicious Users InvThis investigation lists all users generating suspicious activity ordered by the number of events detected highest to lowest.685AC.L1-3.1.1, AC.L1-3.1.2, AC.L1-3.1.20, AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.8, AC.L2-3.1.10, AC.L2-3.1.16, AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.3, AC.L2-3.1.7, AC.L2-3.1.17, AC.L2-3.1.18, AC.L2-3.1.15, AC.L2-3.1.19, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.9, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.8, IA.L1-3.5.1, IA.L1-3.5.2, IA.L2-3.5.7, IA.L2-3.5.8, IA.L2-3.5.9, IA.L2-3.5.3, IA.L2-3.5.4, IA.L2-3.5.5, IA.L2-3.5.6, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MP.L2-3.8.1, MP.L2-3.8.2, PS.L2-3.9.2, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.12, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.4, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.15, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Data Processor(s)SecurityAll Available Log Sources
CCF: Time Sync Error InvThis investigation provides a summary of time sync errors occurring within critical and production environments (can be defined with entity structure).683AC.L2-3.1.12, AC.L2-3.1.3, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.7, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.8, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.2, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.13, SC.L2-3.13.15, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Platform Manager(s)AuditAll Available Log Sources
CCF: Unknown User Account InvThis investigation provides detail of activity from unknown user accounts, based off of CCF user lists.697AC.L1-3.1.1, AC.L1-3.1.2, AC.L1-3.1.20, AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.8, AC.L2-3.1.10, AC.L2-3.1.16, AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.3, AC.L2-3.1.7, AC.L2-3.1.17, AC.L2-3.1.18, AC.L2-3.1.15, AC.L2-3.1.19, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.9, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.6, CM.L2-3.4.2, CM.L2-3.4.3, CM.L2-3.4.8, IA.L1-3.5.1, IA.L1-3.5.2, IA.L2-3.5.7, IA.L2-3.5.8, IA.L2-3.5.9, IA.L2-3.5.3, IA.L2-3.5.4, IA.L2-3.5.5, IA.L2-3.5.6, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MA.L2-3.7.1, MA.L2-3.7.2, MP.L2-3.8.1, MP.L2-3.8.2, PS.L2-3.9.2, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.12, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.4, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.8, SC.L2-3.13.13, SC.L2-3.13.15, SC.L2-3.13.16, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.4, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Data Processor(s)SecurityAll Available Log Sources
CCF: Use Of Non-Encrypted Protocols InvThis investigation lists any use of non-encrypted protocols.686AC.L1-3.1.1, AC.L1-3.1.2, AC.L1-3.1.20, AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.8, AC.L2-3.1.10, AC.L2-3.1.16, AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.3, AC.L2-3.1.7, AC.L2-3.1.17, AC.L2-3.1.18, AC.L2-3.1.13, AC.L2-3.1.15, AC.L2-3.1.19, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.8, AU.L2-3.3.9, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.6, CM.L2-3.4.2, CM.L2-3.4.3, CM.L2-3.4.8, IA.L2-3.5.7, IA.L2-3.5.8, IA.L2-3.5.9, IA.L2-3.5.10, IA.L2-3.5.4, IA.L2-3.5.5, IA.L2-3.5.6, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MA.L2-3.7.1, MP.L2-3.8.1, MP.L2-3.8.2, MP.L2-3.8.7, MP.L2-3.8.8, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.12, SC.L2-3.13.11, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.4, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.8, SC.L2-3.13.13, SC.L2-3.13.15, SC.L2-3.13.16, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.4, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7LogMart(s)AuditAll Available Log Sources
CCF: User Misuse InvThis investigation summarizes detected misuse by user.687AC.L1-3.1.1, AC.L1-3.1.2, AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.8, AC.L2-3.1.10, AC.L2-3.1.12, AC.L2-3.1.3, AC.L2-3.1.7, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.9, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.8, IA.L2-3.5.7, IA.L2-3.5.8, IA.L2-3.5.9, IA.L2-3.5.4, IA.L2-3.5.5, IA.L2-3.5.6, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MP.L2-3.8.1, MP.L2-3.8.2, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.13, SC.L2-3.13.15, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Platform Manager(s)SecurityAll Available Log Sources
CCF: User Object Access InvThis investigation summarizes successful object access activity by user.694AC.L1-3.1.1, AC.L1-3.1.2, AC.L1-3.1.20, AC.L2-3.1.21, AC.L2-3.1.5, AC.L2-3.1.6, AC.L2-3.1.8, AC.L2-3.1.10, AC.L2-3.1.16, AC.L2-3.1.12, AC.L2-3.1.14, AC.L2-3.1.3, AC.L2-3.1.7, AC.L2-3.1.17, AC.L2-3.1.18, AC.L2-3.1.15, AC.L2-3.1.19, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.8, AU.L2-3.3.9, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.6, CM.L2-3.4.2, CM.L2-3.4.3, CM.L2-3.4.8, IA.L1-3.5.1, IA.L1-3.5.2, IA.L2-3.5.7, IA.L2-3.5.8, IA.L2-3.5.9, IA.L2-3.5.3, IA.L2-3.5.4, IA.L2-3.5.5, IA.L2-3.5.6, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, MA.L2-3.7.1, MA.L2-3.7.2, MP.L2-3.8.1, MP.L2-3.8.2, MP.L2-3.8.7, MP.L2-3.8.8, PS.L2-3.9.2, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.12, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.4, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.15, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.4, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Data Processor(s)AuditAll Available Log Sources
CCF: Vulnerability Detected InvThis investigation provides a summary of potential vulnerabilities detected across the critical and production environments (can be defined with entity structure).684AC.L2-3.1.12, AC.L2-3.1.3, AU.L2-3.3.2, AU.L2-3.3.1, AU.L2-3.3.3, AU.L2-3.3.4, AU.L2-3.3.5, AU.L2-3.3.6, CM.L2-3.4.8, IR.L2-3.6.1, IR.L2-3.6.2, IR.L2-3.6.3, RM.L2-3.11.1, RM.L2-3.11.3, CA.L2-3.12.1, CA.L2-3.12.3, SC.L1-3.13.1, SC.L1-3.13.5, SC.L2-3.13.2, SC.L2-3.13.3, SC.L2-3.13.6, SC.L2-3.13.7, SC.L2-3.13.13, SC.L2-3.13.15, SI.L1-3.14.1, SI.L1-3.14.2, SI.L1-3.14.5, SI.L2-3.14.3, SI.L2-3.14.6, SI.L2-3.14.7Platform Manager(s)SecurityAll Available Log Sources
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close