|
Control ID
|
Rules
|
AIE Alerts
|
Investigations
|
Summary Reports
|
Detailed Report
|
|
AC.L1-3.1.1
|
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: Disabled Account Auth Success
CCF: GeoIP General Activity
CCF: Corroborated Data Access Anomalies
CCF: GeoIP Blacklisted Region Activity
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Abnormal Origin Location
CCF: Auth After Security Event
CCF: Large Outbound Transfer
CCF: Data Exfiltration Observed
CCF: Data Destruction
CCF: Corroborated Account Anomalies
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Abnormal Amount of Data Transferred
CCF: Misuse
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: FIM Delete Activity Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: User Object Access Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Audit Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Rogue Access Point Inv
CCF: User Misuse Inv
|
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: User Object Access Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Term Account Activity Summary
CCF: Account Deleted Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Modification Summary
CCF: Object Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
AC.L1-3.1.2
|
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: Disabled Account Auth Success
CCF: GeoIP General Activity
CCF: Corroborated Data Access Anomalies
CCF: GeoIP Blacklisted Region Activity
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Abnormal Origin Location
CCF: Auth After Security Event
CCF: Large Outbound Transfer
CCF: Data Exfiltration Observed
CCF: Data Destruction
CCF: Corroborated Account Anomalies
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Abnormal Amount of Data Transferred
CCF: Misuse
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: FIM Delete Activity Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: User Object Access Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Audit Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Rogue Access Point Inv
CCF: User Misuse Inv
|
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: User Object Access Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Term Account Activity Summary
CCF: Account Deleted Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Modification Summary
CCF: Object Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
AC.L1-3.1.20
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Config Change After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Disabled Account Auth Success
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Blacklisted Account Alarm
CCF: Rogue Access Point Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: FIM Delete Activity Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Suspected Wireless Attack Alarm
|
CCF: Host Access Granted And Revoked Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: User Object Access Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Object Access Inv
CCF: Suspected Wireless Attack Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: User Object Access Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Rogue Access Point Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Object Access Summary
CCF: Suspected Wireless Attack Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
AC.L2-3.1.21
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Large Outbound Transfer
CCF: Data Exfiltration Observed
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Corroborated Data Access Anomalies
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
|
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
|
CCF: User Object Access Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Audit Log Inv
CCF: Object Access Inv
|
CCF: User Object Access Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Audit Log Summary
CCF: Object Access Summary
|
|
|
AC.L2-3.1.5
|
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Corroborated Data Access Anomalies
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Data Loss Prevention
CCF: Config Modified
CCF: Large Outbound Transfer
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Corroborated Account Anomalies
CCF: Disabled Account Auth Success
CCF: Abnormal Origin Location
CCF: Auth After Security Event
CCF: Password Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Backup Information
CCF: Excessive Authentication Failure Rule
CCF: Attack then External Connection
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Rogue Access Point Alarm
CCF: Blacklisted Account Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Backup Failure Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Social Media Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Audit Log Inv
CCF: Suspected Wireless Attack Inv
CCF: Backup Activity Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Social Media Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Audit Log Summary
CCF: Suspected Wireless Attack Summary
CCF: Backup Activity Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
AC.L2-3.1.6
|
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Corroborated Data Access Anomalies
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Data Loss Prevention
CCF: Config Modified
CCF: Large Outbound Transfer
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Corroborated Account Anomalies
CCF: Disabled Account Auth Success
CCF: Abnormal Origin Location
CCF: Auth After Security Event
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Admin Password Modified
CCF: Multiple Account Passwords Modified by Admin
CCF: Backup Information
CCF: Excessive Authentication Failure Rule
CCF: Attack then External Connection
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Rogue Access Point Alarm
CCF: Blacklisted Account Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Backup Failure Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Social Media Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Audit Log Inv
CCF: Suspected Wireless Attack Inv
CCF: Backup Activity Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Social Media Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Audit Log Summary
CCF: Suspected Wireless Attack Summary
CCF: Backup Activity Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
AC.L2-3.1.8
|
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Corroborated Data Access Anomalies
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Data Loss Prevention
CCF: Config Modified
CCF: Large Outbound Transfer
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Corroborated Account Anomalies
CCF: Disabled Account Auth Success
CCF: Abnormal Origin Location
CCF: Auth After Security Event
CCF: Password Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Backup Information
CCF: Account Modification
CCF: Attack then External Connection
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Rogue Access Point Alarm
CCF: Blacklisted Account Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Backup Failure Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Social Media Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Account Modification Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Audit Log Inv
CCF: Suspected Wireless Attack Inv
CCF: Backup Activity Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Social Media Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Audit Log Summary
CCF: Suspected Wireless Attack Summary
CCF: Backup Activity Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
AC.L2-3.1.10
|
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Corroborated Data Access Anomalies
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM General Activity
CCF: Data Loss Prevention
CCF: Config Modified
CCF: Large Outbound Transfer
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Corroborated Account Anomalies
CCF: Disabled Account Auth Success
CCF: Abnormal Origin Location
CCF: Auth After Security Event
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Admin Password Modified
CCF: Attack then External Connection
CCF: Multiple Account Passwords Modified by Admin
CCF: Backup Information
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Rogue Access Point Alarm
CCF: Blacklisted Account Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Backup Failure Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Social Media Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Audit Log Inv
CCF: Suspected Wireless Attack Inv
CCF: Backup Activity Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Social Media Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Audit Log Summary
CCF: Suspected Wireless Attack Summary
CCF: Backup Activity Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
AC.L2-3.1.16
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Config Change After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Disabled Account Auth Success
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Blacklisted Account Alarm
CCF: Rogue Access Point Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: FIM Delete Activity Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Suspected Wireless Attack Alarm
|
CCF: Host Access Granted And Revoked Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: User Object Access Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Object Access Inv
CCF: Suspected Wireless Attack Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: User Object Access Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Rogue Access Point Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Object Access Summary
CCF: Suspected Wireless Attack Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
AC.L2-3.1.12
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Critical Event After Attack
CCF: Config Deleted/Disabled
CCF: Disabled Account Auth Success
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
AC.L2-3.1.14
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Config Change After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Disabled Account Auth Success
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Blacklisted Account Alarm
CCF: Rogue Access Point Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: FIM Delete Activity Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Suspected Wireless Attack Alarm
|
CCF: Host Access Granted And Revoked Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: User Object Access Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Object Access Inv
CCF: Suspected Wireless Attack Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: User Object Access Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Rogue Access Point Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Object Access Summary
CCF: Suspected Wireless Attack Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
AC.L2-3.1.3
|
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Critical Event After Attack
CCF: Config Deleted/Disabled
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Backup Information
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Large Outbound Transfer
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Disabled Account Auth Success
CCF: Corroborated Account Anomalies
CCF: Corroborated Account Anomalies
CCF: Disabled Account Auth Success
CCF: Config Modified
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Software Install
CCF: Software Uninstall
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: FIM Delete Activity Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Backup Failure Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Social Media Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Time Sync Error Inv
CCF: Backup Activity Inv
CCF: Audit Log Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Compromises Detected Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Backup Activity Summary
CCF: Audit Log Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
AC.L2-3.1.7
|
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Corroborated Data Access Anomalies
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Data Loss Prevention
CCF: Config Modified
CCF: Large Outbound Transfer
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Corroborated Account Anomalies
CCF: Disabled Account Auth Success
CCF: Abnormal Origin Location
CCF: Auth After Security Event
CCF: Password Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Backup Information
CCF: Excessive Authentication Failure Rule
CCF: Attack then External Connection
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Rogue Access Point Alarm
CCF: Blacklisted Account Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Backup Failure Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Social Media Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Audit Log Inv
CCF: Suspected Wireless Attack Inv
CCF: Backup Activity Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Social Media Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Audit Log Summary
CCF: Suspected Wireless Attack Summary
CCF: Backup Activity Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
AC.L2-3.1.17
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Config Change After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Disabled Account Auth Success
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Blacklisted Account Alarm
CCF: Rogue Access Point Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: FIM Delete Activity Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Suspected Wireless Attack Alarm
|
CCF: Host Access Granted And Revoked Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: User Object Access Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Object Access Inv
CCF: Suspected Wireless Attack Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: User Object Access Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Rogue Access Point Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Object Access Summary
CCF: Suspected Wireless Attack Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
AC.L2-3.1.18
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Config Change After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Disabled Account Auth Success
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Blacklisted Account Alarm
CCF: Rogue Access Point Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: FIM Delete Activity Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Suspected Wireless Attack Alarm
|
CCF: Host Access Granted And Revoked Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: User Object Access Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Object Access Inv
CCF: Suspected Wireless Attack Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: User Object Access Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Rogue Access Point Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Object Access Summary
CCF: Suspected Wireless Attack Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
AC.L2-3.1.13
|
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM General Activity
CCF: FIM Information
CCF: Data Loss Prevention
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Large Outbound Transfer
CCF: Abnormal Amount of Data Transferred
CCF: Corroborated Data Access Anomalies
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Attack then External Connection
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: LogRhythm Data Loss Defender Log Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: LogRhythm Data Loss Defender Log Summary
|
|
|
AC.L2-3.1.15
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Config Change After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Disabled Account Auth Success
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Blacklisted Account Alarm
CCF: Rogue Access Point Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: FIM Delete Activity Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Suspected Wireless Attack Alarm
|
CCF: Host Access Granted And Revoked Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: User Object Access Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Object Access Inv
CCF: Suspected Wireless Attack Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: User Object Access Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Rogue Access Point Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Object Access Summary
CCF: Suspected Wireless Attack Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
AC.L2-3.1.19
|
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Blacklist Location Auth
CCF: Corroborated Account Anomalies
CCF: Data Destruction
CCF: Corroborated Data Access Anomalies
CCF: Data Exfiltration Observed
CCF: Abnormal Origin Location
CCF: Large Outbound Transfer
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: FIM Delete Activity Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: User Object Access Inv
CCF: Object Access Inv
CCF: GeoIP Inv
CCF: Social Media Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: User Object Access Summary
CCF: GeoIP Summary
CCF: Social Media Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Object Access Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
AU.L2-3.3.2
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Critical Event After Attack
CCF: Config Deleted/Disabled
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Disabled Account Auth Success
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Blacklist Location Auth
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
AU.L2-3.3.1
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Critical Event After Attack
CCF: Config Deleted/Disabled
CCF: Disabled Account Auth Success
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
AU.L2-3.3.7
|
CCF: Config Modified
|
CCF: Time Sync Error Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
|
CCF: Time Sync Error Inv
CCF: Audit Log Inv
|
CCF: Time Sync Error Summary
CCF: Audit Log Summary
|
|
|
AU.L2-3.3.3
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Critical Event After Attack
CCF: Config Deleted/Disabled
CCF: Disabled Account Auth Success
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Blacklist Location Auth
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
AU.L2-3.3.4
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Critical Event After Attack
CCF: Config Deleted/Disabled
CCF: Disabled Account Auth Success
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
AU.L2-3.3.8
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Modified
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Critical Event After Attack
CCF: Config Deleted/Disabled
CCF: Software Install
CCF: Software Uninstall
CCF: Excessive Authentication Failure Rule
CCF: Attack then External Connection
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Backup Activity Inv
CCF: Config/Policy Change Inv
CCF: Physical Access Inv
CCF: Object Access Inv
CCF: Excessive Authentication Failure Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Backup Activity Summary
CCF: Config/Policy Change Summary
CCF: Physical Access Summary
CCF: Object Access Summary
|
|
|
AU.L2-3.3.9
|
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Password Modified by Admin
CCF: Admin Password Modified
CCF: Multiple Account Passwords Modified by Admin
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Abnormal Origin Location
CCF: Corroborated Account Anomalies
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Misuse
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: GeoIP Summary
CCF: Physical Access Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: User Object Access Summary
CCF: Object Access Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Audit Log Summary
CCF: User Misuse Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
AU.L2-3.3.5
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Critical Event After Attack
CCF: Config Deleted/Disabled
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Critical Event After Attack
CCF: Disabled Account Auth Success
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
AU.L2-3.3.6
|
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM General Activity
CCF: FIM Information
CCF: Data Loss Prevention
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Large Outbound Transfer
CCF: Abnormal Amount of Data Transferred
CCF: Corroborated Data Access Anomalies
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Critical Event After Attack
CCF: Corroborated Account Anomalies
CCF: Config Deleted/Disabled
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Backup Information
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: FIM Delete Activity Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Backup Failure Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Blacklisted Account Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Social Media Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Time Sync Error Inv
CCF: Backup Activity Inv
CCF: Audit Log Inv
CCF: Compromises Detected Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Backup Activity Summary
CCF: Audit Log Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
CM.L2-3.4.6
|
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM General Activity
CCF: FIM Information
CCF: Data Loss Prevention
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Large Outbound Transfer
CCF: Abnormal Amount of Data Transferred
CCF: Corroborated Data Access Anomalies
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Config Modified
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Blacklist Location Auth
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Software Install
CCF: Software Uninstall
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Abnormal Origin Location
CCF: Corroborated Account Anomalies
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Priv Group Access Granted Alarm
CCF: Unknown User Account Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: User Object Access Inv
CCF: Object Access Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Critical Environment Error Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Escalation Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
CM.L2-3.4.9
|
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Software Install
CCF: Software Uninstall
|
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
|
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Audit Log Inv
|
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Audit Log Summary
|
|
|
CM.L2-3.4.2
|
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM General Activity
CCF: FIM Information
CCF: Data Loss Prevention
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Large Outbound Transfer
CCF: Abnormal Amount of Data Transferred
CCF: Corroborated Data Access Anomalies
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Config Modified
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Blacklist Location Auth
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Corroborated Account Anomalies
CCF: Software Install
CCF: Software Uninstall
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Local Account Created and Used
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Unknown User Account Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: User Object Access Inv
CCF: Object Access Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Critical Environment Error Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
CM.L2-3.4.3
|
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM General Activity
CCF: FIM Information
CCF: Data Loss Prevention
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Large Outbound Transfer
CCF: Abnormal Amount of Data Transferred
CCF: Corroborated Data Access Anomalies
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Config Modified
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Blacklist Location Auth
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Software Install
CCF: Software Uninstall
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Local Account Created and Used
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Unknown User Account Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: User Object Access Inv
CCF: Object Access Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Critical Environment Error Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
CM.L2-3.4.8
|
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM General Activity
CCF: FIM Information
CCF: Data Loss Prevention
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Large Outbound Transfer
CCF: Abnormal Amount of Data Transferred
CCF: Corroborated Data Access Anomalies
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Critical Event After Attack
CCF: Config Deleted/Disabled
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Backup Information
CCF: Software Install
CCF: Software Uninstall
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Corroborated Account Anomalies
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: FIM Delete Activity Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Backup Failure Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Blacklisted Account Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Social Media Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Time Sync Error Inv
CCF: Backup Activity Inv
CCF: Audit Log Inv
CCF: Compromises Detected Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Backup Activity Summary
CCF: Audit Log Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
IA.L1-3.5.1
|
CCF: Disabled Account Auth Success
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Abnormal Origin Location
CCF: Auth After Security Event
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Corroborated Account Anomalies
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: User Object Access Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Audit Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Object Access Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
IA.L1-3.5.2
|
CCF: Disabled Account Auth Success
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Abnormal Origin Location
CCF: Auth After Security Event
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Corroborated Account Anomalies
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: User Object Access Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Audit Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Object Access Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
IA.L2-3.5.7
|
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Corroborated Data Access Anomalies
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM General Activity
CCF: Data Loss Prevention
CCF: Config Modified
CCF: Large Outbound Transfer
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Attack then External Connection
CCF: Corroborated Account Anomalies
CCF: Concurrent VPN from Same User
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Rogue Access Point Alarm
CCF: Blacklisted Account Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Suspected Wireless Attack Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Social Media Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Audit Log Inv
CCF: Suspected Wireless Attack Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Social Media Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Term Account Activity Summary
CCF: Account Deleted Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Suspected Wireless Attack Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
IA.L2-3.5.8
|
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Corroborated Data Access Anomalies
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM General Activity
CCF: Data Loss Prevention
CCF: Config Modified
CCF: Large Outbound Transfer
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Attack then External Connection
CCF: Corroborated Account Anomalies
CCF: Concurrent VPN from Same User
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Rogue Access Point Alarm
CCF: Blacklisted Account Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Suspected Wireless Attack Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Social Media Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Audit Log Inv
CCF: Suspected Wireless Attack Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Social Media Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Term Account Activity Summary
CCF: Account Deleted Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Suspected Wireless Attack Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
IA.L2-3.5.9
|
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Corroborated Data Access Anomalies
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM General Activity
CCF: Data Loss Prevention
CCF: Config Modified
CCF: Large Outbound Transfer
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Attack then External Connection
CCF: Corroborated Account Anomalies
CCF: Concurrent VPN from Same User
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Rogue Access Point Alarm
CCF: Blacklisted Account Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Suspected Wireless Attack Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Social Media Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Audit Log Inv
CCF: Suspected Wireless Attack Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Social Media Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Term Account Activity Summary
CCF: Account Deleted Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Suspected Wireless Attack Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
IA.L2-3.5.10
|
|
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Audit Log Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Audit Log Summary
|
|
|
IA.L2-3.5.3
|
CCF: Disabled Account Auth Success
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Abnormal Origin Location
CCF: Auth After Security Event
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Corroborated Account Anomalies
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: User Object Access Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Audit Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Object Access Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
IA.L2-3.5.4
|
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Corroborated Data Access Anomalies
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM General Activity
CCF: Data Loss Prevention
CCF: Config Modified
CCF: Large Outbound Transfer
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Corroborated Account Anomalies
CCF: Attack then External Connection
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Rogue Access Point Alarm
CCF: Blacklisted Account Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Suspected Wireless Attack Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Misuse Inv
CCF: User Object Access Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Social Media Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Suspected Wireless Attack Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Social Media Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Suspected Wireless Attack Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
IA.L2-3.5.5
|
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Corroborated Data Access Anomalies
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM General Activity
CCF: Data Loss Prevention
CCF: Config Modified
CCF: Large Outbound Transfer
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Attack then External Connection
CCF: Corroborated Account Anomalies
CCF: Concurrent VPN from Same User
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Rogue Access Point Alarm
CCF: Blacklisted Account Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Suspected Wireless Attack Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Social Media Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Suspected Wireless Attack Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Social Media Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Suspected Wireless Attack Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
IA.L2-3.5.6
|
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Corroborated Data Access Anomalies
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM General Activity
CCF: Data Loss Prevention
CCF: Config Modified
CCF: Large Outbound Transfer
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Attack then External Connection
CCF: Corroborated Account Anomalies
CCF: Concurrent VPN from Same User
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Rogue Access Point Alarm
CCF: Blacklisted Account Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Suspected Wireless Attack Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Social Media Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Suspected Wireless Attack Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Social Media Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Suspected Wireless Attack Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
IR.L2-3.6.1
|
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Critical Event After Attack
CCF: Config Deleted/Disabled
CCF: Social Media Event
CCF: Config Change After Attack
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Backup Information
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Large Outbound Transfer
CCF: Corroborated Account Anomalies
CCF: Corroborated Account Anomalies
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Disabled Account Auth Success
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: FIM Delete Activity Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Backup Failure Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Social Media Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Time Sync Error Inv
CCF: Backup Activity Inv
CCF: Audit Log Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Compromises Detected Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Backup Activity Summary
CCF: Audit Log Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
IR.L2-3.6.2
|
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Critical Event After Attack
CCF: Config Deleted/Disabled
CCF: Social Media Event
CCF: Config Change After Attack
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Backup Information
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Large Outbound Transfer
CCF: Corroborated Account Anomalies
CCF: Corroborated Account Anomalies
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: FIM Delete Activity Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Backup Failure Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Social Media Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Time Sync Error Inv
CCF: Backup Activity Inv
CCF: Audit Log Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Compromises Detected Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Backup Activity Summary
CCF: Audit Log Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
IR.L2-3.6.3
|
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Critical Event After Attack
CCF: Config Deleted/Disabled
CCF: Social Media Event
CCF: Config Change After Attack
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Backup Information
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Large Outbound Transfer
CCF: Corroborated Account Anomalies
CCF: Corroborated Account Anomalies
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: FIM Delete Activity Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Backup Failure Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Social Media Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Time Sync Error Inv
CCF: Backup Activity Inv
CCF: Audit Log Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Compromises Detected Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Backup Activity Summary
CCF: Audit Log Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
MA.L2-3.7.1
|
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM General Activity
CCF: FIM Information
CCF: Data Loss Prevention
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Large Outbound Transfer
CCF: Abnormal Amount of Data Transferred
CCF: Corroborated Data Access Anomalies
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Config Modified
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Blacklist Location Auth
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Software Install
CCF: Software Uninstall
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Corroborated Account Anomalies
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Local Account Created and Used
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Unknown User Account Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: User Object Access Inv
CCF: Object Access Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Critical Environment Error Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
MA.L2-3.7.2
|
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM General Activity
CCF: FIM Information
CCF: Data Loss Prevention
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Large Outbound Transfer
CCF: Abnormal Amount of Data Transferred
CCF: Corroborated Data Access Anomalies
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Config Modified
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Blacklist Location Auth
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Software Install
CCF: Software Uninstall
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Abnormal Origin Location
CCF: Corroborated Account Anomalies
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Local Account Created and Used
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Unknown User Account Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: User Object Access Inv
CCF: Object Access Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Critical Environment Error Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
MA.L2-3.7.6
|
CCF: Excessive Authentication Failure Rule
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
|
CCF: Physical Access Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
|
CCF: Physical Access Summary
CCF: Audit Log Summary
|
|
|
MP.L2-3.8.1
|
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Config Modified
CCF: Large Outbound Transfer
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Abnormal Origin Location
CCF: Corroborated Account Anomalies
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Corroborated Data Access Anomalies
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Rogue Access Point Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Suspected Wireless Attack Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Social Media Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Audit Log Inv
CCF: Suspected Wireless Attack Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Social Media Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Term Account Activity Summary
CCF: Account Deleted Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Suspected Wireless Attack Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
MP.L2-3.8.2
|
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Config Modified
CCF: Large Outbound Transfer
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Abnormal Origin Location
CCF: Corroborated Account Anomalies
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Corroborated Data Access Anomalies
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Rogue Access Point Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Suspected Wireless Attack Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Social Media Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Audit Log Inv
CCF: Suspected Wireless Attack Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Social Media Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Term Account Activity Summary
CCF: Account Deleted Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Suspected Wireless Attack Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
MP.L2-3.8.7
|
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM General Activity
CCF: FIM Information
CCF: Data Loss Prevention
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Large Outbound Transfer
CCF: Abnormal Amount of Data Transferred
CCF: Corroborated Data Access Anomalies
CCF: Config Modified
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Critical Event After Attack
CCF: Config Deleted/Disabled
CCF: Software Install
CCF: Software Uninstall
CCF: Attack then External Connection
CCF: Excessive Authentication Failure Rule
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Physical Access Inv
CCF: Object Access Inv
CCF: Excessive Authentication Failure Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Physical Access Summary
CCF: Object Access Summary
|
|
|
MP.L2-3.8.8
|
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM General Activity
CCF: FIM Information
CCF: Data Loss Prevention
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Large Outbound Transfer
CCF: Abnormal Amount of Data Transferred
CCF: Corroborated Data Access Anomalies
CCF: Config Modified
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Critical Event After Attack
CCF: Config Deleted/Disabled
CCF: Software Install
CCF: Software Uninstall
CCF: Attack then External Connection
CCF: Excessive Authentication Failure Rule
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Physical Access Inv
CCF: Object Access Inv
CCF: Excessive Authentication Failure Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Physical Access Summary
CCF: Object Access Summary
|
|
|
MP.L2-3.8.5
|
CCF: Excessive Authentication Failure Rule
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
|
CCF: Physical Access Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
|
CCF: Physical Access Summary
CCF: Audit Log Summary
|
|
|
PS.L2-3.9.2
|
CCF: Disabled Account Auth Success
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Abnormal Origin Location
CCF: Auth After Security Event
CCF: Password Modified by Admin
CCF: Disabled Account Auth Success
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: Data Exfiltration Observed
CCF: Data Destruction
CCF: Corroborated Data Access Anomalies
CCF: Data Loss Prevention
CCF: FIM Information
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Corroborated Account Anomalies
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: FIM Delete Activity Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: User Object Access Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Audit Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: User Object Access Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Term Account Activity Summary
CCF: Account Deleted Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Object Access Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
PE.L1-3.10.1
|
CCF: Excessive Authentication Failure Rule
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
|
CCF: Physical Access Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
|
CCF: Physical Access Summary
CCF: Audit Log Summary
|
|
|
PE.L1-3.10.3
|
CCF: Excessive Authentication Failure Rule
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
|
CCF: Physical Access Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
|
CCF: Physical Access Summary
CCF: Audit Log Summary
|
|
|
PE.L1-3.10.4
|
CCF: Excessive Authentication Failure Rule
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
|
CCF: Physical Access Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
|
CCF: Physical Access Summary
CCF: Audit Log Summary
|
|
|
PE.L1-3.10.5
|
CCF: Excessive Authentication Failure Rule
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
|
CCF: Physical Access Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
|
CCF: Physical Access Summary
CCF: Audit Log Summary
|
|
|
PE.L2-3.10.2
|
CCF: Excessive Authentication Failure Rule
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
|
CCF: Physical Access Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
|
CCF: Physical Access Summary
CCF: Audit Log Summary
|
|
|
MP.L2-3.8.9
|
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM General Activity
CCF: FIM Information
CCF: Data Loss Prevention
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Large Outbound Transfer
CCF: Abnormal Amount of Data Transferred
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Excessive Authentication Failure Rule
|
CCF: FIM Delete Activity Alarm
CCF: Backup Failure Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
|
CCF: Physical Access Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Critical Environment Error Inv
CCF: Config/Policy Change Inv
CCF: Backup Activity Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
|
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Critical Environment Error Summary
CCF: Time Sync Error Summary
CCF: Backup Activity Summary
CCF: Audit Log Summary
|
|
|
RM.L2-3.11.1
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Disabled Account Auth Success
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Password Modified by Another User
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Backup Activity Summary
CCF: Term Account Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
RM.L2-3.11.3
|
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Critical Event After Attack
CCF: Config Deleted/Disabled
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Backup Information
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Large Outbound Transfer
CCF: Corroborated Account Anomalies
CCF: Disabled Account Auth Success
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Password Modified by Admin
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Same User
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: FIM Delete Activity Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Backup Failure Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Social Media Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Time Sync Error Inv
CCF: Backup Activity Inv
CCF: Audit Log Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Compromises Detected Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Backup Activity Summary
CCF: Audit Log Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
CA.L2-3.12.1
|
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM General Activity
CCF: FIM Information
CCF: Data Loss Prevention
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Large Outbound Transfer
CCF: Abnormal Amount of Data Transferred
CCF: Corroborated Data Access Anomalies
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Backup Information
CCF: Software Install
CCF: Software Uninstall
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Corroborated Account Anomalies
CCF: Auth After Security Event
CCF: Abnormal Origin Location
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: FIM Delete Activity Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Backup Failure Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Blacklisted Account Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Social Media Inv
CCF: Critical Environment Error Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Time Sync Error Inv
CCF: Backup Activity Inv
CCF: Audit Log Inv
CCF: Compromises Detected Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Backup Activity Summary
CCF: Audit Log Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
CA.L2-3.12.3
|
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM General Activity
CCF: FIM Information
CCF: Data Loss Prevention
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Large Outbound Transfer
CCF: Abnormal Amount of Data Transferred
CCF: Corroborated Data Access Anomalies
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Backup Information
CCF: Software Install
CCF: Software Uninstall
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Corroborated Account Anomalies
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: FIM Delete Activity Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Backup Failure Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Blacklisted Account Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Social Media Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Time Sync Error Inv
CCF: Backup Activity Inv
CCF: Audit Log Inv
CCF: Compromises Detected Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Backup Activity Summary
CCF: Audit Log Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
SC.L1-3.13.1
|
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Critical Event After Attack
CCF: Config Deleted/Disabled
CCF: Social Media Event
CCF: Config Change After Attack
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Backup Information
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Data Loss Prevention
CCF: Corroborated Data Access Anomalies
CCF: Large Outbound Transfer
CCF: Disabled Account Auth Success
CCF: Corroborated Account Anomalies
CCF: Corroborated Account Anomalies
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Password Modified by Admin
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: FIM Delete Activity Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Backup Failure Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Social Media Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Time Sync Error Inv
CCF: Backup Activity Inv
CCF: Audit Log Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Compromises Detected Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Backup Activity Summary
CCF: Audit Log Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
SC.L1-3.13.5
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Disabled Account Auth Success
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Software Install
CCF: Software Uninstall
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Physical Access Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Physical Access Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
SC.L2-3.13.12
|
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Config Change After Attack
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Concurrent VPN from Multiple Locations
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Corroborated Account Anomalies
CCF: Disabled Account Auth Success
CCF: Corroborated Data Access Anomalies
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Host Access Granted And Revoked Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: User Object Access Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Escalation Inv
CCF: Privileged Account Modification Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Object Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Object Access Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Object Access Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
SC.L2-3.13.11
|
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM General Activity
CCF: FIM Information
CCF: Data Loss Prevention
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Large Outbound Transfer
CCF: Abnormal Amount of Data Transferred
CCF: Corroborated Data Access Anomalies
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Attack then External Connection
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: LogRhythm Data Loss Defender Log Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: LogRhythm Data Loss Defender Log Summary
|
|
|
SC.L2-3.13.2
|
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Critical Event After Attack
CCF: Config Deleted/Disabled
CCF: Social Media Event
CCF: Config Change After Attack
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Backup Information
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Large Outbound Transfer
CCF: Corroborated Account Anomalies
CCF: Corroborated Account Anomalies
CCF: Disabled Account Auth Success
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Another User
CCF: Admin Password Modified
CCF: Password Modified by Admin
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Software Install
CCF: Software Uninstall
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: FIM Delete Activity Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Backup Failure Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Social Media Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Time Sync Error Inv
CCF: Backup Activity Inv
CCF: Audit Log Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Compromises Detected Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Backup Activity Summary
CCF: Audit Log Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
SC.L2-3.13.3
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Abnormal Origin Location
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Misuse
CCF: Critical Event After Attack
CCF: Social Media Event
CCF: Disabled Account Auth Success
CCF: Corroborated Account Anomalies
CCF: Config Change After Attack
CCF: Corroborated Account Anomalies
CCF: Disabled Account Auth Success
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Backup Information
CCF: Software Install
CCF: Software Uninstall
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Backup Failure Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Blacklisted Account Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Rogue Access Point Inv
CCF: Config/Policy Change Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Critical Environment Error Inv
CCF: Audit Log Inv
CCF: Compromises Detected Inv
CCF: Malware Detected Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Suspected Wireless Attack Inv
CCF: Vulnerability Detected Inv
CCF: Backup Activity Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Audit Log Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Suspected Wireless Attack Summary
CCF: Backup Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
SC.L2-3.13.4
|
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: Social Media Event
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Large Outbound Transfer
CCF: Disabled Account Auth Success
CCF: Corroborated Account Anomalies
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Another User
CCF: Admin Password Modified
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: User Object Access Inv
CCF: Unknown User Account Inv
CCF: Social Media Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: GeoIP Inv
CCF: Host Access Granted And Revoked Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Object Access Summary
CCF: Object Access Summary
CCF: Social Media Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: GeoIP Summary
CCF: Social Media Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
SC.L2-3.13.6
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Disabled Account Auth Success
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Software Install
CCF: Software Uninstall
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Physical Access Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Physical Access Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
SC.L2-3.13.7
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Disabled Account Auth Success
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Software Install
CCF: Software Uninstall
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Physical Access Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Physical Access Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
SC.L2-3.13.8
|
CCF: Social Media Event
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: Social Media Event
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Large Outbound Transfer
CCF: Blacklist Location Auth
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Another User
CCF: Admin Password Modified
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Social Media Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: GeoIP Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Social Media Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: GeoIP Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
SC.L2-3.13.13
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: Corroborated Account Anomalies
CCF: Misuse
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Software Install
CCF: Software Uninstall
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Priv Group Access Granted Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: User Misuse Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Unknown User Account Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Audit Log Summary
CCF: Critical Environment Error Summary
CCF: Time Sync Error Summary
CCF: GeoIP Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Top Suspicious Users
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: User Misuse Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
SC.L2-3.13.15
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Critical Event After Attack
CCF: Config Deleted/Disabled
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Disabled Account Auth Success
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
SC.L2-3.13.16
|
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Backup Information
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Large Outbound Transfer
CCF: Disabled Account Auth Success
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Critical Event After Attack
CCF: Config Deleted/Disabled
CCF: Attack then External Connection
CCF: Corroborated Account Anomalies
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: FIM Delete Activity Alarm
CCF: Backup Failure Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Critical Environment Error Inv
CCF: Backup Activity Inv
CCF: Audit Log Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Unknown User Account Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Critical Environment Error Summary
CCF: Config/Policy Change Summary
CCF: Backup Activity Summary
CCF: Audit Log Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
|
|
SI.L1-3.14.1
|
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Social Media Event
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Critical Event After Attack
CCF: Config Deleted/Disabled
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Backup Information
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Large Outbound Transfer
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Corroborated Account Anomalies
CCF: Corroborated Account Anomalies
CCF: Disabled Account Auth Success
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: FIM Delete Activity Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Backup Failure Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Social Media Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Time Sync Error Inv
CCF: Backup Activity Inv
CCF: Audit Log Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Compromises Detected Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Backup Activity Summary
CCF: Audit Log Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
SI.L1-3.14.2
|
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Critical Event After Attack
CCF: Config Deleted/Disabled
CCF: Social Media Event
CCF: Config Change After Attack
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Backup Information
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Large Outbound Transfer
CCF: Disabled Account Auth Success
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Corroborated Account Anomalies
CCF: Corroborated Account Anomalies
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: FIM Delete Activity Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Backup Failure Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Denial Of Service Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Compromise Detected Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Social Media Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Time Sync Error Inv
CCF: Backup Activity Inv
CCF: Audit Log Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Compromises Detected Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Backup Activity Summary
CCF: Audit Log Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
SI.L1-3.14.4
|
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM General Activity
CCF: FIM Information
CCF: Data Loss Prevention
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Large Outbound Transfer
CCF: Abnormal Amount of Data Transferred
CCF: Corroborated Data Access Anomalies
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Config Modified
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Blacklist Location Auth
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Software Install
CCF: Software Uninstall
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Abnormal Origin Location
CCF: Corroborated Account Anomalies
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Local Account Created and Used
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Unknown User Account Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: User Object Access Inv
CCF: Object Access Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Critical Environment Error Inv
CCF: Audit Log Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
SI.L1-3.14.5
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Config Deleted/Disabled
CCF: Config Change then Critical Error
CCF: Critical Event After Attack
CCF: Disabled Account Auth Success
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Software Install
CCF: Software Uninstall
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Backup Activity Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
SI.L2-3.14.3
|
CCF: Abnormal Amount of Data Transferred
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Critical Event After Attack
CCF: Config Deleted/Disabled
CCF: Social Media Event
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Backup Information
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Large Outbound Transfer
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Corroborated Account Anomalies
CCF: Corroborated Account Anomalies
CCF: Disabled Account Auth Success
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: FIM Delete Activity Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Backup Failure Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Social Media Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Time Sync Error Inv
CCF: Backup Activity Inv
CCF: Audit Log Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Compromises Detected Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Backup Activity Summary
CCF: Audit Log Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
SI.L2-3.14.6
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Critical Event After Attack
CCF: Config Deleted/Disabled
CCF: Disabled Account Auth Success
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
SI.L2-3.14.7
|
CCF: FIM Abnormal Activity
CCF: FIM Add Activity
CCF: FIM General Activity
CCF: FIM Information
CCF: Data Loss Prevention
CCF: Data Destruction
CCF: Data Exfiltration Observed
CCF: Large Outbound Transfer
CCF: Abnormal Amount of Data Transferred
CCF: Corroborated Data Access Anomalies
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Critical Event After Attack
CCF: Config Deleted/Disabled
CCF: Social Media Event
CCF: Config Change After Attack
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Backup Information
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Corroborated Account Anomalies
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: FIM Delete Activity Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Backup Failure Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Blacklisted Account Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Social Media Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Time Sync Error Inv
CCF: Backup Activity Inv
CCF: Audit Log Inv
CCF: Compromises Detected Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Denial Of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Backup Activity Summary
CCF: Audit Log Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
