KSA-ECC – Requirements
Control Name | Rules | AIE Alerts | Investigations | Summary Reports
---|---|---|---|---
1.6.2 | | AIE: CCF: Vulnerability Detected Alarm | CCF: Vulnerability Detected Inv | CCF: Vulnerability Detected Summary
1.6.3 | | AIE: CCF: Vulnerability Detected Alarm<br>AIE: CCF: Critical/PRD Envir Patch Failure Alarm<br>AIE: CCF: Critical/PRD Envir Signature Failure Alarm | CCF: Vulnerability Detected Inv<br>CCF: Signature Activity Inv<br>CCF: Patch Applied Inv | CCF: Vulnerability Detected Summary<br>CCF: Signature Activity Summary<br>CCF: Patch Activity Summary
1.8.3 | | | CCF: GeoIP Inv<br>CCF: Host Access Granted And Revoked Inv<br>CCF: Password Modification Inv<br>CCF: Privileged Account Escalation Inv<br>CCF: Privileged Account Modification Inv<br>CCF: Rogue Access Point Inv<br>CCF: Suspicious Users Inv<br>CCF: Unknown User Account Inv<br>CCF: User Misuse Inv<br>CCF: Backup Activity Inv<br>CCF: Compromises Detected Inv<br>CCF: Config/Policy Change Inv<br>CCF: Critical Environment Error Inv<br>CCF: Malware Detected Inv<br>CCF: Object Access Inv<br>CCF: Signature Activity Inv<br>CCF: Social Media Inv<br>CCF: Suspected Wireless Attack Inv<br>CCF: Vulnerability Detected Inv<br>CCF: Use Of Non-Encrypted Protocols Inv<br>CCF: Applications Accessed By User Inv<br>CCF: LogRhythm Data Loss Defender Log Inv<br>CCF: Patch Activity Inv<br>CCF: Physical Access Inv<br>CCF: Audit Log Inv | CCF: Priv Account Management Activity Summary<br>CCF: Priv Authentication Activity Summary<br>CCF: Rogue Access Point Summary<br>CCF: Top Suspicious Users<br>CCF: User Misuse Summary<br>CCF: User Priv Escalation (SU & SUDO) Summary<br>CCF: User Priv Escalation (Windows) Summary<br>CCF: Backup Activity Summary<br>CCF: Compromises Detected Summary<br>CCF: Config/Policy Change Summary<br>CCF: Critical Environment Error Summary<br>CCF: Malware Detected Summary<br>CCF: Object Access Summary<br>CCF: Signature Activity Summary<br>CCF: Social Media Summary<br>CCF: Suspected Wireless Attack Summary<br>CCF: Vulnerability Detected Summary<br>CCF: GeoIP Summary<br>CCF: Use Of Non-Encrypted Protocols Summary<br>CCF: Applications Accessed By User Summary<br>CCF: LogRhythm Data Loss Defender Log Summary<br>CCF: Patch Activity Summary<br>CCF: Audit Log Summary<br>CCF: Physical Access Summary<br>CCF: Time Sync Error Summary
1.9.5 | CCF: Disabled Account Auth Success | | |
2.2.3 | CCF: Abnormal Origin Location<br>CCF: Account Deleted Rule<br>CCF: Account Disabled Rule<br>CCF: Account Enabled Rule<br>CCF: Account Modification<br>CCF: Admin Password Modified<br>CCF: Blacklist Location Auth<br>CCF: Concurrent VPN from Multiple Locations<br>CCF: Concurrent VPN from Same User<br>CCF: Corroborated Account Anomalies<br>CCF: Corroborated Data Access Anomalies<br>CCF: Disabled Account Auth Success<br>CCF: Excessive Authentication Failure Rule<br>CCF: GeoIP Blacklisted Region Activity<br>CCF: GeoIP General Activity<br>CCF: Linux sudo Privilege Escalation<br>CCF: Local Account Created and Used<br>CCF: Multiple Account Passwords Modified by Admin<br>CCF: Password Modified by Admin<br>CCF: Password Modified by Another User<br>CCF: Windows RunAs Privilege Escalation | AIE: CCF: Blacklisted Account Alarm<br>AIE: CCF: Priv Group Access Granted Alarm<br>AIE: CCF: Privilege Escalation After Attack Alarm<br>AIE: CCF: Unknown User Account Alarm | CCF: GeoIP Inv<br>CCF: Host Access Granted And Revoked Inv<br>CCF: Password Modification Inv<br>CCF: Privileged Account Escalation Inv<br>CCF: Privileged Account Modification Inv<br>CCF: Rogue Access Point Inv<br>CCF: Suspicious Users Inv<br>CCF: Unknown User Account Inv<br>CCF: User Misuse Inv | CCF: Priv Account Management Activity Summary<br>CCF: Priv Authentication Activity Summary<br>CCF: Rogue Access Point Summary<br>CCF: Top Suspicious Users<br>CCF: User Misuse Summary<br>CCF: User Priv Escalation (SU & SUDO) Summary<br>CCF: User Priv Escalation (Windows) Summary
2.3.3 | CCF: Abnormal Amount of Data Transferred<br>CCF: Backup Information<br>CCF: Config Change After Attack<br>CCF: Config Change then Critical Error<br>CCF: Config Deleted/Disabled<br>CCF: Config Modified<br>CCF: Critical Event After Attack<br>CCF: Data Destruction<br>CCF: Data Exfiltration Observed<br>CCF: Data Loss Prevention<br>CCF: Denial Of Service Alert<br>CCF: Distributed Brute Force<br>CCF: Large Outbound Transfer<br>CCF: Software Install Rule<br>CCF: Software Uninstall Rule | AIE: CCF: Backup Failure Alarm<br>AIE: CCF: Compromise Detected Alarm<br>AIE: CCF: Critical/PRD Envir Patch Failure Alarm<br>AIE: CCF: Critical/PRD Envir Signature Failure Alarm<br>AIE: CCF: Critical/PRD Envir Config/Policy Change Alarm<br>AIE: CCF: Early TLS/SSL Alarm<br>AIE: CCF: LogRhythm Silent Log Source Error Alarm<br>AIE: CCF: Malware Alarm<br>AIE: CCF: Non-Encrypted Protocol Alarm<br>AIE: CCF: Rogue Access Point Alarm<br>AIE: CCF: Software Install Failure Alarm<br>AIE: CCF: Software Uninstall Failure Alarm<br>AIE: CCF: Suspected Wireless Attack Alarm<br>AIE: CCF: Vulnerability Detected Alarm | CCF: Backup Activity Inv<br>CCF: Compromises Detected Inv<br>CCF: Config/Policy Change Inv<br>CCF: Critical Environment Error Inv<br>CCF: Malware Detected Inv<br>CCF: Object Access Inv<br>CCF: Rogue Access Point Inv<br>CCF: Signature Activity Inv<br>CCF: Social Media Inv<br>CCF: Suspected Wireless Attack Inv<br>CCF: Vulnerability Detected Inv | CCF: Backup Activity Summary<br>CCF: Compromises Detected Summary<br>CCF: Config/Policy Change Summary<br>CCF: Critical Environment Error Summary<br>CCF: Malware Detected Summary<br>CCF: Object Access Summary<br>CCF: Rogue Access Point Summary<br>CCF: Signature Activity Summary<br>CCF: Social Media Summary<br>CCF: Suspected Wireless Attack Summary<br>CCF: Vulnerability Detected Summary
2.4.3 | CCF: Config Change After Attack<br>CCF: Config Change then Critical Error<br>CCF: Config Deleted/Disabled<br>CCF: Config Modified | AIE: CCF: Critical/PRD Envir Patch Failure Alarm<br>AIE: CCF: Critical/PRD Envir Signature Failure Alarm<br>AIE: CCF: Critical/PRD Envir Config/Policy Change Alarm | CCF: Config/Policy Change Inv<br>CCF: Critical Environment Error Inv | CCF: Config/Policy Change Summary<br>CCF: Critical Environment Error Summary
2.5.3 | CCF: Distributed Brute Force<br>CCF: Blacklist Location Auth<br>CCF: Concurrent VPN from Multiple Locations<br>CCF: Critical Event After Attack<br>CCF: Corroborated Account Anomalies<br>CCF: Abnormal Origin Location<br>CCF: Config Change After Attack<br>CCF: Config Change then Critical Error<br>CCF: Config Deleted/Disabled<br>CCF: Config Modified<br>CCF: GeoIP General Activity<br>CCF: GeoIP Blacklisted Region Activity | AIE: CCF: Early TLS/SSL Alarm<br>AIE: CCF: Non-Encrypted Protocol Alarm<br>AIE: CCF: Rogue Access Point Alarm<br>AIE: CCF: Vulnerability Detected Alarm<br>AIE: CCF: Blacklisted Account Alarm<br>AIE: CCF: Compromise Detected Alarm<br>AIE: CCF: Attack then External Connection Alarm | CCF: Compromises Detected Inv<br>CCF: Config/Policy Change Inv<br>CCF: Critical Environment Error Inv<br>CCF: GeoIP Inv<br>CCF: Signature Activity Inv<br>CCF: Suspected Wireless Attack Inv<br>CCF: Use Of Non-Encrypted Protocols Inv<br>CCF: Vulnerability Detected Inv | CCF: Compromises Detected Summary<br>CCF: Config/Policy Change Summary<br>CCF: Critical Environment Error Summary<br>CCF: GeoIP Summary<br>CCF: Signature Activity Summary<br>CCF: Suspected Wireless Attack Summary<br>CCF: Use Of Non-Encrypted Protocols Summary<br>CCF: Vulnerability Detected Summary
2.7.3 | CCF: Data Exfiltration Observed<br>CCF: Large Outbound Transfer<br>CCF: Corroborated Data Access Anomalies<br>CCF: Data Destruction<br>CCF: FIM Information<br>CCF: Abnormal Amount of Data Transferred<br>CCF: Data Loss Prevention<br>CCF: FIM Abnormal Activity<br>CCF: FIM Add Activity<br>CCF: FIM General Activity | AIE: CCF: Non-Encrypted Protocol Alarm<br>AIE: CCF: FIM Delete Activity Alarm | CCF: Applications Accessed By User Inv<br>CCF: LogRhythm Data Loss Defender Log Inv<br>CCF: Object Access Inv | CCF: Applications Accessed By User Summary<br>CCF: LogRhythm Data Loss Defender Log Summary<br>CCF: Object Access Summary
2.8.3 | | AIE: CCF: Early TLS/SSL Alarm<br>AIE: CCF: Non-Encrypted Protocol Alarm | CCF: Config/Policy Change Inv<br>CCF: Use Of Non-Encrypted Protocols Inv | CCF: Config/Policy Change Summary<br>CCF: Use Of Non-Encrypted Protocols Summary
2.9.3 | CCF: Backup Information | AIE: CCF: Backup Failure Alarm | CCF: Backup Activity Inv | CCF: Backup Activity Summary
2.10.3 | CCF: Config Change After Attack<br>CCF: Config Change then Critical Error<br>CCF: Config Deleted/Disabled<br>CCF: Config Modified<br>CCF: Critical Event After Attack<br>CCF: Software Install Rule<br>CCF: Software Uninstall Rule | AIE: CCF: Critical/PRD Envir Patch Failure Alarm<br>AIE: CCF: Critical/PRD Envir Signature Failure Alarm<br>AIE: CCF: Software Install Failure Alarm<br>AIE: CCF: Software Uninstall Failure Alarm<br>AIE: CCF: Early TLS/SSL Alarm<br>AIE: CCF: Non-Encrypted Protocol Alarm<br>AIE: CCF: Rogue Access Point Alarm<br>AIE: CCF: Vulnerability Detected Alarm<br>AIE: CCF: Critical/PRD Envir Config/Policy Change Alarm | CCF: Compromises Detected Inv<br>CCF: Config/Policy Change Inv<br>CCF: Malware Detected Inv<br>CCF: Patch Activity Inv<br>CCF: Vulnerability Detected Inv | CCF: Compromises Detected Summary<br>CCF: Config/Policy Change Summary<br>CCF: Malware Detected Summary<br>CCF: Patch Activity Summary<br>CCF: Vulnerability Detected Summary
2.12.3 | | | |
2.13.3 | CCF: Attack then External Connection<br>CCF: Auth After Security Event<br>CCF: Denial Of Service Alert<br>CCF: Distributed Brute Force<br>CCF: External Brute Force Auths | AIE: CCF: Compromise Detected Alarm<br>AIE: CCF: Malware Alarm<br>AIE: CCF: Suspected Wireless Attack Alarm | CCF: Compromises Detected Inv<br>CCF: Malware Detected Inv<br>CCF: Suspected Wireless Attack Inv | CCF: Compromises Detected Summary<br>CCF: Malware Detected Summary<br>CCF: Suspected Wireless Attack Summary
2.14.3 | CCF: Physical Access Rule | | CCF: Physical Access Inv | CCF: Physical Access Summary
2.15.3 | CCF: External Brute Force Auths<br>CCF: Auth After Numerous Failed Auths<br>CCF: Auth After Security Event<br>CCF: Corroborated Data Access Anomalies<br>CCF: Distributed Brute Force<br>CCF: Blacklist Location Auth<br>CCF: Concurrent VPN from Multiple Locations<br>CCF: Abnormal Origin Location<br>CCF: Config Deleted/Disabled<br>CCF: Config Modified | AIE: CCF: Critical/PRD Envir Config/Policy Change Alarm<br>AIE: CCF: Non-Encrypted Protocol Alarm<br>AIE: CCF: Compromise Detected Alarm | CCF: Audit Log Inv<br>CCF: Compromises Detected Inv<br>CCF: Config/Policy Change Inv<br>CCF: Use Of Non-Encrypted Protocols Inv | CCF: Audit Log Summary<br>CCF: Compromises Detected Summary<br>CCF: Config/Policy Change Summary<br>CCF: Use Of Non-Encrypted Protocols Summary
3.1.3 | CCF: Data Exfiltration Observed<br>CCF: Disabled Account Auth Success<br>CCF: Large Outbound Transfer<br>CCF: Local Account Created and Used<br>CCF: External Brute Force Auths<br>CCF: Corroborated Data Access Anomalies<br>CCF: Data Destruction<br>CCF: Distributed Brute Force<br>CCF: Blacklist Location Auth<br>CCF: Concurrent VPN from Multiple Locations<br>CCF: Critical Event After Attack<br>CCF: Corroborated Account Anomalies<br>CCF: Abnormal Origin Location<br>CCF: Attack then External Connection<br>CCF: Config Change After Attack<br>CCF: Config Change then Critical Error<br>CCF: Config Deleted/Disabled<br>CCF: Config Modified<br>CCF: Abnormal Amount of Data Transferred<br>CCF: Misuse<br>CCF: Windows RunAs Privilege Escalation<br>CCF: Linux sudo Privilege Escalation | AIE: CCF: Critical/PRD Envir Config/Policy Change Alarm<br>AIE: CCF: Critical/PRD Envir Patch Failure Alarm<br>AIE: CCF: Critical/PRD Envir Signature Failure Alarm<br>AIE: CCF: Malware Alarm<br>AIE: CCF: Vulnerability Detected Alarm<br>AIE: CCF: Rogue Access Point Alarm<br>AIE: CCF: Suspected Wireless Attack Alarm<br>AIE: CCF: Early TLS/SSL Alarm<br>AIE: CCF: Audit Logging Stopped Alarm<br>AIE: CCF: Privilege Escalation After Attack Alarm<br>AIE: CCF: Blacklisted Account Alarm<br>AIE: CCF: Compromise Detected Alarm | CCF: Audit Log Inv<br>CCF: Backup Activity Inv<br>CCF: Compromises Detected Inv<br>CCF: Config/Policy Change Inv<br>CCF: Critical Environment Error Inv<br>CCF: Host Access Granted And Revoked Inv<br>CCF: Malware Detected Inv<br>CCF: Object Access Inv<br>CCF: Patch Activity Inv<br>CCF: Physical Access Inv<br>CCF: Privileged Account Escalation Inv<br>CCF: Privileged Account Modification Inv<br>CCF: Rogue Access Point Inv<br>CCF: Signature Activity Inv<br>CCF: Social Media Inv<br>CCF: Suspected Wireless Attack Inv<br>CCF: Suspicious Users Inv<br>CCF: Unknown User Account Inv<br>CCF: Use Of Non-Encrypted Protocols Inv<br>CCF: User Misuse Inv<br>CCF: Vulnerability Detected Inv | CCF: Applications Accessed By User Summary<br>CCF: Audit Log Summary<br>CCF: Backup Activity Summary<br>CCF: Compromises Detected Summary<br>CCF: Config/Policy Change Summary<br>CCF: Critical Environment Error Summary<br>CCF: Malware Detected Summary<br>CCF: Object Access Summary<br>CCF: Patch Activity Summary<br>CCF: Physical Access Summary<br>CCF: Priv Account Management Activity Summary<br>CCF: Priv Authentication Activity Summary<br>CCF: Rogue Access Point Summary<br>CCF: Signature Activity Summary<br>CCF: Social Media Summary<br>CCF: Suspected Wireless Attack Summary<br>CCF: Time Sync Error Summary<br>CCF: Top Suspicious Users<br>CCF: Use Of Non-Encrypted Protocols Summary<br>CCF: User Misuse Summary<br>CCF: User Priv Escalation (SU & SUDO) Summary<br>CCF: User Priv Escalation (Windows) Summary<br>CCF: Vulnerability Detected Summary
4.2.3 | | AIE: CCF: GeoIP General Activity<br>AIE: CCF: GeoIP Blacklisted Region Activity | CCF: GeoIP Inv | CCF: GeoIP Summary
5.1.3 | CCF: External Brute Force Auths<br>CCF: Auth After Numerous Failed Auths<br>CCF: Auth After Security Event<br>CCF: Distributed Brute Force<br>CCF: Blacklist Location Auth<br>CCF: Concurrent VPN from Multiple Locations<br>CCF: Critical Event After Attack<br>CCF: Corroborated Account Anomalies<br>CCF: Abnormal Origin Location<br>CCF: Attack then External Connection<br>CCF: Config Change After Attack<br>CCF: Config Deleted/Disabled<br>CCF: Config Modified<br>CCF: Abnormal Amount of Data Transferred<br>CCF: Misuse<br>CCF: Windows RunAs Privilege Escalation | AIE: CCF: Critical/PRD Envir Config/Policy Change Alarm<br>AIE: CCF: Critical/PRD Envir Patch Failure Alarm<br>AIE: CCF: Critical/PRD Envir Signature Failure Alarm<br>AIE: CCF: Malware Alarm<br>AIE: CCF: Vulnerability Detected Alarm<br>AIE: CCF: Rogue Access Point Alarm<br>AIE: CCF: Non-Encrypted Protocol Alarm<br>AIE: CCF: Suspected Wireless Attack Alarm<br>AIE: CCF: Early TLS/SSL Alarm<br>AIE: CCF: Priv Group Access Granted Alarm<br>AIE: CCF: Audit Logging Stopped Alarm<br>AIE: CCF: Blacklisted Account Alarm<br>AIE: CCF: Compromise Detected Alarm | CCF: Applications Accessed By User Inv<br>CCF: Audit Log Inv<br>CCF: Compromises Detected Inv<br>CCF: Config/Policy Change Inv<br>CCF: Critical Environment Error Inv<br>CCF: Malware Detected Inv<br>CCF: Object Access Inv<br>CCF: Password Modification Inv<br>CCF: Patch Activity Inv<br>CCF: Physical Access Inv<br>CCF: Privileged Account Escalation Inv<br>CCF: Privileged Account Modification Inv<br>CCF: Rogue Access Point Inv<br>CCF: Suspected Wireless Attack Inv<br>CCF: Suspicious Users Inv<br>CCF: Vulnerability Detected Inv | CCF: Applications Accessed By User Summary<br>CCF: Audit Log Summary<br>CCF: Compromises Detected Summary<br>CCF: Config/Policy Change Summary<br>CCF: Critical Environment Error Summary<br>CCF: Malware Detected Summary<br>CCF: Object Access Summary<br>CCF: Patch Activity Summary<br>CCF: Physical Access Summary<br>CCF: Priv Account Management Activity Summary<br>CCF: Priv Authentication Activity Summary<br>CCF: Rogue Access Point Summary<br>CCF: Suspected Wireless Attack Summary<br>CCF: Use Of Non-Encrypted Protocols Summary<br>CCF: User Misuse Summary<br>CCF: User Priv Escalation (SU & SUDO) Summary<br>CCF: User Priv Escalation (Windows) Summary<br>CCF: Vulnerability Detected Summary