CMMC – Requirements
| Control ID | Rules | AIE Alerts | Investigations | Summary Reports | Detailed Report |
|---|---|---|---|---|---|
| AC.L1-3.1.1 | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Abnormal Amount of Data Transferred CCF: Misuse | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Audit Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Rogue Access Point Inv CCF: User Misuse Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| AC.L1-3.1.2 | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Abnormal Amount of Data Transferred CCF: Misuse | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Audit Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Rogue Access Point Inv CCF: User Misuse Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| AC.L1-3.1.20 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Config Change After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: LogRhythm Silent Log Source Error Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Blacklisted Account Alarm CCF: Rogue Access Point Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Delete Activity Alarm CCF: Privilege Escalation After Attack Alarm CCF: Suspected Wireless Attack Alarm | CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Object Access Inv CCF: Suspected Wireless Attack Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Rogue Access Point Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Object Access Summary CCF: Suspected Wireless Attack Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| AC.L2-3.1.21 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Data Loss Prevention CCF: Corroborated Data Access Anomalies CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer | CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm | CCF: User Object Access Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Audit Log Inv CCF: Object Access Inv | CCF: User Object Access Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Object Access Summary | |
| AC.L2-3.1.5 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Corroborated Data Access Anomalies CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Backup Information CCF: Excessive Authentication Failure Rule CCF: Attack then External Connection CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Rogue Access Point Alarm CCF: Blacklisted Account Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Suspected Wireless Attack Alarm CCF: Backup Failure Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Social Media Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Audit Log Inv CCF: Suspected Wireless Attack Inv CCF: Backup Activity Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Social Media Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Audit Log Summary CCF: Suspected Wireless Attack Summary CCF: Backup Activity Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| AC.L2-3.1.6 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Corroborated Data Access Anomalies CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Backup Information CCF: Excessive Authentication Failure Rule CCF: Attack then External Connection CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Rogue Access Point Alarm CCF: Blacklisted Account Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Suspected Wireless Attack Alarm CCF: Backup Failure Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Social Media Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Audit Log Inv CCF: Suspected Wireless Attack Inv CCF: Backup Activity Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Social Media Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Audit Log Summary CCF: Suspected Wireless Attack Summary CCF: Backup Activity Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| AC.L2-3.1.8 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Corroborated Data Access Anomalies CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Backup Information CCF: Account Modification CCF: Attack then External Connection CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Rogue Access Point Alarm CCF: Blacklisted Account Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Suspected Wireless Attack Alarm CCF: Backup Failure Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Social Media Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Account Modification Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Audit Log Inv CCF: Suspected Wireless Attack Inv CCF: Backup Activity Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Social Media Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Audit Log Summary CCF: Suspected Wireless Attack Summary CCF: Backup Activity Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| AC.L2-3.1.10 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Corroborated Data Access Anomalies CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Admin Password Modified CCF: Attack then External Connection CCF: Multiple Account Passwords Modified by Admin CCF: Backup Information CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Rogue Access Point Alarm CCF: Blacklisted Account Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Suspected Wireless Attack Alarm CCF: Backup Failure Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Social Media Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Audit Log Inv CCF: Suspected Wireless Attack Inv CCF: Backup Activity Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Social Media Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Audit Log Summary CCF: Suspected Wireless Attack Summary CCF: Backup Activity Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| AC.L2-3.1.16 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Config Change After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: LogRhythm Silent Log Source Error Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Blacklisted Account Alarm CCF: Rogue Access Point Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Delete Activity Alarm CCF: Privilege Escalation After Attack Alarm CCF: Suspected Wireless Attack Alarm | CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Object Access Inv CCF: Suspected Wireless Attack Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Rogue Access Point Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Object Access Summary CCF: Suspected Wireless Attack Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| AC.L2-3.1.12 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| AC.L2-3.1.14 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Config Change After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: LogRhythm Silent Log Source Error Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Blacklisted Account Alarm CCF: Rogue Access Point Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Delete Activity Alarm CCF: Privilege Escalation After Attack Alarm CCF: Suspected Wireless Attack Alarm | CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Object Access Inv CCF: Suspected Wireless Attack Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Rogue Access Point Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Object Access Summary CCF: Suspected Wireless Attack Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| AC.L2-3.1.3 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Large Outbound Transfer CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Config Modified CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Software Install CCF: Software Uninstall CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| AC.L2-3.1.7 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Corroborated Data Access Anomalies CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Backup Information CCF: Excessive Authentication Failure Rule CCF: Attack then External Connection CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Rogue Access Point Alarm CCF: Blacklisted Account Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Suspected Wireless Attack Alarm CCF: Backup Failure Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Social Media Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Audit Log Inv CCF: Suspected Wireless Attack Inv CCF: Backup Activity Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Social Media Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Audit Log Summary CCF: Suspected Wireless Attack Summary CCF: Backup Activity Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| AC.L2-3.1.17 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Config Change After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: LogRhythm Silent Log Source Error Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Blacklisted Account Alarm CCF: Rogue Access Point Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Delete Activity Alarm CCF: Privilege Escalation After Attack Alarm CCF: Suspected Wireless Attack Alarm | CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Object Access Inv CCF: Suspected Wireless Attack Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Rogue Access Point Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Object Access Summary CCF: Suspected Wireless Attack Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| AC.L2-3.1.18 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Config Change After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: LogRhythm Silent Log Source Error Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Blacklisted Account Alarm CCF: Rogue Access Point Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Delete Activity Alarm CCF: Privilege Escalation After Attack Alarm CCF: Suspected Wireless Attack Alarm | CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Object Access Inv CCF: Suspected Wireless Attack Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Rogue Access Point Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Object Access Summary CCF: Suspected Wireless Attack Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| AC.L2-3.1.13 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Attack then External Connection | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: LogRhythm Data Loss Defender Log Summary | |
| AC.L2-3.1.15 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Config Change After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: LogRhythm Silent Log Source Error Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Blacklisted Account Alarm CCF: Rogue Access Point Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Delete Activity Alarm CCF: Privilege Escalation After Attack Alarm CCF: Suspected Wireless Attack Alarm | CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Object Access Inv CCF: Suspected Wireless Attack Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Rogue Access Point Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Object Access Summary CCF: Suspected Wireless Attack Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| AC.L2-3.1.19 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Blacklist Location Auth CCF: Corroborated Account Anomalies CCF: Data Destruction CCF: Corroborated Data Access Anomalies CCF: Data Exfiltration Observed CCF: Abnormal Origin Location CCF: Large Outbound Transfer CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Delete Activity Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: GeoIP Inv CCF: Social Media Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: Social Media Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Object Access Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| AU.L2-3.3.2 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| AU.L2-3.3.1 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| AU.L2-3.3.7 | CCF: Config Modified | CCF: Time Sync Error Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm | CCF: Time Sync Error Inv CCF: Audit Log Inv | CCF: Time Sync Error Summary CCF: Audit Log Summary | |
| AU.L2-3.3.3 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| AU.L2-3.3.4 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| AU.L2-3.3.8 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Modified CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Attack then External Connection | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Backup Activity Inv CCF: Config/Policy Change Inv CCF: Physical Access Inv CCF: Object Access Inv CCF: Excessive Authentication Failure Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Backup Activity Summary CCF: Config/Policy Change Summary CCF: Physical Access Summary CCF: Object Access Summary | |
| AU.L2-3.3.9 | CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Corroborated Account Anomalies CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Misuse | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: Physical Access Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Object Access Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Audit Log Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| AU.L2-3.3.5 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Critical Event After Attack CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| AU.L2-3.3.6 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Corroborated Account Anomalies CCF: Config Deleted/Disabled CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| CM.L2-3.4.6 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Config Modified CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Blacklist Location Auth CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Corroborated Account Anomalies CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Privilege Escalation After Attack Alarm CCF: Priv Group Access Granted Alarm CCF: Unknown User Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Critical Environment Error Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Escalation Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| CM.L2-3.4.9 | CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Software Install CCF: Software Uninstall | CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Audit Log Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Audit Log Summary | |
| CM.L2-3.4.2 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Config Modified CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Blacklist Location Auth CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Local Account Created and Used CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Critical Environment Error Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| CM.L2-3.4.3 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Config Modified CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Blacklist Location Auth CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Local Account Created and Used CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Critical Environment Error Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| CM.L2-3.4.8 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Corroborated Account Anomalies CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| IA.L1-3.5.1 | CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Corroborated Account Anomalies CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Audit Log Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Object Access Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| IA.L1-3.5.2 | CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Corroborated Account Anomalies CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Audit Log Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Object Access Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| IA.L2-3.5.7 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Corroborated Data Access Anomalies CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Attack then External Connection CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Rogue Access Point Alarm CCF: Blacklisted Account Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Suspected Wireless Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Social Media Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Audit Log Inv CCF: Suspected Wireless Attack Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Social Media Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Suspected Wireless Attack Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| IA.L2-3.5.8 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Corroborated Data Access Anomalies CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Attack then External Connection CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Rogue Access Point Alarm CCF: Blacklisted Account Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Suspected Wireless Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Social Media Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Audit Log Inv CCF: Suspected Wireless Attack Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Social Media Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Suspected Wireless Attack Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| IA.L2-3.5.9 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Corroborated Data Access Anomalies CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Attack then External Connection CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Rogue Access Point Alarm CCF: Blacklisted Account Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Suspected Wireless Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Social Media Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Audit Log Inv CCF: Suspected Wireless Attack Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Social Media Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Suspected Wireless Attack Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| IA.L2-3.5.10 | CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Audit Log Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Audit Log Summary | ||
| IA.L2-3.5.3 | CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Corroborated Account Anomalies CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Audit Log Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Object Access Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| IA.L2-3.5.4 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Corroborated Data Access Anomalies CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Corroborated Account Anomalies CCF: Attack then External Connection CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Rogue Access Point Alarm CCF: Blacklisted Account Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Suspected Wireless Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Misuse Inv CCF: User Object Access Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Social Media Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Suspected Wireless Attack Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Social Media Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Suspected Wireless Attack Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| IA.L2-3.5.5 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Corroborated Data Access Anomalies CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Attack then External Connection CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Rogue Access Point Alarm CCF: Blacklisted Account Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Suspected Wireless Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Social Media Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Suspected Wireless Attack Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Social Media Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Suspected Wireless Attack Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| IA.L2-3.5.6 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Corroborated Data Access Anomalies CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Attack then External Connection CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Rogue Access Point Alarm CCF: Blacklisted Account Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Suspected Wireless Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Social Media Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Suspected Wireless Attack Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Social Media Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Suspected Wireless Attack Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| IR.L2-3.6.1 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Social Media Event CCF: Config Change After Attack CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Large Outbound Transfer CCF: Corroborated Account Anomalies CCF: Corroborated Account Anomalies CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| IR.L2-3.6.2 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Social Media Event CCF: Config Change After Attack CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Large Outbound Transfer CCF: Corroborated Account Anomalies CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| IR.L2-3.6.3 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Social Media Event CCF: Config Change After Attack CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Large Outbound Transfer CCF: Corroborated Account Anomalies CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| MA.L2-3.7.1 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Config Modified CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Blacklist Location Auth CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Corroborated Account Anomalies CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Local Account Created and Used | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Critical Environment Error Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| MA.L2-3.7.2 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Config Modified CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Blacklist Location Auth CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Corroborated Account Anomalies CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Local Account Created and Used CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Critical Environment Error Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| MA.L2-3.7.6 | CCF: Excessive Authentication Failure Rule | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm | CCF: Physical Access Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv | CCF: Physical Access Summary CCF: Audit Log Summary | |
| MP.L2-3.8.1 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Corroborated Account Anomalies CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Corroborated Data Access Anomalies CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Rogue Access Point Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: Suspected Wireless Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Social Media Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Audit Log Inv CCF: Suspected Wireless Attack Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Social Media Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Suspected Wireless Attack Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| MP.L2-3.8.2 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Corroborated Account Anomalies CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Corroborated Data Access Anomalies CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Rogue Access Point Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: Suspected Wireless Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Social Media Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Audit Log Inv CCF: Suspected Wireless Attack Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Social Media Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Suspected Wireless Attack Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| MP.L2-3.8.7 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: Config Modified CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall CCF: Attack then External Connection CCF: Excessive Authentication Failure Rule | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Physical Access Inv CCF: Object Access Inv CCF: Excessive Authentication Failure Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Physical Access Summary CCF: Object Access Summary | |
| MP.L2-3.8.8 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: Config Modified CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall CCF: Attack then External Connection CCF: Excessive Authentication Failure Rule | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Physical Access Inv CCF: Object Access Inv CCF: Excessive Authentication Failure Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Physical Access Summary CCF: Object Access Summary | |
| MP.L2-3.8.5 | CCF: Excessive Authentication Failure Rule | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm | CCF: Physical Access Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv | CCF: Physical Access Summary CCF: Audit Log Summary | |
| PS.L2-3.9.2 | CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Password Modified by Admin CCF: Disabled Account Auth Success CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Data Access Anomalies CCF: Data Loss Prevention CCF: FIM Information CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Corroborated Account Anomalies CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Audit Log Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Object Access Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| PE.L1-3.10.1 | CCF: Excessive Authentication Failure Rule | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm | CCF: Physical Access Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv | CCF: Physical Access Summary CCF: Audit Log Summary | |
| PE.L1-3.10.3 | CCF: Excessive Authentication Failure Rule | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm | CCF: Physical Access Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv | CCF: Physical Access Summary CCF: Audit Log Summary | |
| PE.L1-3.10.4 | CCF: Excessive Authentication Failure Rule | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm | CCF: Physical Access Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv | CCF: Physical Access Summary CCF: Audit Log Summary | |
| PE.L1-3.10.5 | CCF: Excessive Authentication Failure Rule | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm | CCF: Physical Access Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv | CCF: Physical Access Summary CCF: Audit Log Summary | |
| PE.L2-3.10.2 | CCF: Excessive Authentication Failure Rule | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm | CCF: Physical Access Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv | CCF: Physical Access Summary CCF: Audit Log Summary | |
| MP.L2-3.8.9 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Excessive Authentication Failure Rule | CCF: FIM Delete Activity Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm | CCF: Physical Access Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Critical Environment Error Inv CCF: Config/Policy Change Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Critical Environment Error Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary | |
| RM.L2-3.11.1 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Password Modified by Another User CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Backup Activity Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| RM.L2-3.11.3 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Backup Information CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Large Outbound Transfer CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Password Modified by Admin CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| CA.L2-3.12.1 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Backup Information CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Corroborated Account Anomalies CCF: Auth After Security Event CCF: Abnormal Origin Location | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| CA.L2-3.12.3 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Backup Information CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Corroborated Account Anomalies CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| SC.L1-3.13.1 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Social Media Event CCF: Config Change After Attack CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Data Loss Prevention CCF: Corroborated Data Access Anomalies CCF: Large Outbound Transfer CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Corroborated Account Anomalies CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Password Modified by Admin CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| SC.L1-3.13.5 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Software Install CCF: Software Uninstall CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Physical Access Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Physical Access Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| SC.L2-3.13.12 | CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Concurrent VPN from Multiple Locations CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Corroborated Data Access Anomalies CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Object Access Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| SC.L2-3.13.11 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Attack then External Connection | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: LogRhythm Data Loss Defender Log Summary | |
| SC.L2-3.13.2 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Social Media Event CCF: Config Change After Attack CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Large Outbound Transfer CCF: Corroborated Account Anomalies CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Admin Password Modified CCF: Password Modified by Admin CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Software Install CCF: Software Uninstall CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| SC.L2-3.13.3 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Misuse CCF: Critical Event After Attack CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Backup Information CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Config/Policy Change Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Critical Environment Error Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Malware Detected Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Suspected Wireless Attack Inv CCF: Vulnerability Detected Inv CCF: Backup Activity Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Suspected Wireless Attack Summary CCF: Backup Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| SC.L2-3.13.4 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Social Media Event CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Large Outbound Transfer CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Admin Password Modified CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Unknown User Account Inv CCF: Social Media Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Host Access Granted And Revoked Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: Object Access Summary CCF: Social Media Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: GeoIP Summary CCF: Social Media Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| SC.L2-3.13.6 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Software Install CCF: Software Uninstall CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Physical Access Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Physical Access Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| SC.L2-3.13.7 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Software Install CCF: Software Uninstall CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Physical Access Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Physical Access Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| SC.L2-3.13.8 | CCF: Social Media Event CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Social Media Event CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Large Outbound Transfer CCF: Blacklist Location Auth CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Admin Password Modified CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Social Media Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: GeoIP Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Social Media Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: GeoIP Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| SC.L2-3.13.13 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Corroborated Account Anomalies CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Priv Group Access Granted Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: User Misuse Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Critical Environment Error Summary CCF: Time Sync Error Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Top Suspicious Users CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| SC.L2-3.13.15 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| SC.L2-3.13.16 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Backup Information CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Disabled Account Auth Success CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Attack then External Connection CCF: Corroborated Account Anomalies | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Critical Environment Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Unknown User Account Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Critical Environment Error Summary CCF: Config/Policy Change Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | |
| SI.L1-3.14.1 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Social Media Event CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Large Outbound Transfer CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| SI.L1-3.14.2 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Social Media Event CCF: Config Change After Attack CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Large Outbound Transfer CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Corroborated Account Anomalies CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm CCF: Compromise Detected Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| SI.L1-3.14.4 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Config Modified CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Blacklist Location Auth CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Corroborated Account Anomalies CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Local Account Created and Used CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Critical Environment Error Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| SI.L1-3.14.5 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Config Deleted/Disabled CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Software Install CCF: Software Uninstall CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Backup Activity Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| SI.L2-3.14.3 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Large Outbound Transfer CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| SI.L2-3.14.6 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| SI.L2-3.14.7 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Social Media Event CCF: Config Change After Attack CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Corroborated Account Anomalies CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |