
KSA-ECC – Requirements

Control Name | Rules | AIE Alerts | Investigations | Summary Reports
Control 1.6.2
  Rules: (none)
  AIE Alerts:
    AIE: CCF: Vulnerability Detected Alarm
  Investigations:
    CCF: Vulnerability Detected Inv
  Summary Reports:
    CCF: Vulnerability Detected Summary
Control 1.6.3
  Rules: (none)
  AIE Alerts:
    AIE: CCF: Vulnerability Detected Alarm
    AIE: CCF: Critical/PRD Envir Patch Failure Alarm
    AIE: CCF: Critical/PRD Envir Signature Failure Alarm
  Investigations:
    CCF: Vulnerability Detected Inv
    CCF: Signature Activity Inv
    CCF: Patch Applied Inv
  Summary Reports:
    CCF: Vulnerability Detected Summary
    CCF: Signature Activity Summary
    CCF: Patch Activity Summary
Control 1.8.3
  Rules: (none)
  AIE Alerts: (none)
  Investigations:
    CCF: GeoIP Inv
    CCF: Host Access Granted And Revoked Inv
    CCF: Password Modification Inv
    CCF: Privileged Account Escalation Inv
    CCF: Privileged Account Modification Inv
    CCF: Rogue Access Point Inv
    CCF: Suspicious Users Inv
    CCF: Unknown User Account Inv
    CCF: User Misuse Inv
    CCF: Backup Activity Inv
    CCF: Compromises Detected Inv
    CCF: Config/Policy Change Inv
    CCF: Critical Environment Error Inv
    CCF: Malware Detected Inv
    CCF: Object Access Inv
    CCF: Signature Activity Inv
    CCF: Social Media Inv
    CCF: Suspected Wireless Attack Inv
    CCF: Vulnerability Detected Inv
    CCF: Use Of Non-Encrypted Protocols Inv
    CCF: Applications Accessed By User Inv
    CCF: LogRhythm Data Loss Defender Log Inv
    CCF: Patch Activity Inv
    CCF: Physical Access Inv
    CCF: Audit Log Inv
  Summary Reports:
    CCF: Priv Account Management Activity Summary
    CCF: Priv Authentication Activity Summary
    CCF: Rogue Access Point Summary
    CCF: Top Suspicious Users
    CCF: User Misuse Summary
    CCF: User Priv Escalation (SU & SUDO) Summary
    CCF: User Priv Escalation (Windows) Summary
    CCF: Backup Activity Summary
    CCF: Compromises Detected Summary
    CCF: Config/Policy Change Summary
    CCF: Critical Environment Error Summary
    CCF: Malware Detected Summary
    CCF: Object Access Summary
    CCF: Signature Activity Summary
    CCF: Social Media Summary
    CCF: Suspected Wireless Attack Summary
    CCF: Vulnerability Detected Summary
    CCF: GeoIP Summary
    CCF: Use Of Non-Encrypted Protocols Summary
    CCF: Applications Accessed By User Summary
    CCF: LogRhythm Data Loss Defender Log Summary
    CCF: Patch Activity Summary
    CCF: Audit Log Summary
    CCF: Physical Access Summary
    CCF: Time Sync Error Summary
Control 1.9.5
  Rules:
    CCF: Disabled Account Auth Success
  AIE Alerts: (none)
  Investigations: (none)
  Summary Reports: (none)
Control 2.2.3
  Rules:
    CCF: Abnormal Origin Location
    CCF: Account Deleted Rule
    CCF: Account Disabled Rule
    CCF: Account Enabled Rule
    CCF: Account Modification
    CCF: Admin Password Modified
    CCF: Blacklist Location Auth
    CCF: Concurrent VPN from Multiple Locations
    CCF: Concurrent VPN from Same User
    CCF: Corroborated Account Anomalies
    CCF: Corroborated Data Access Anomalies
    CCF: Disabled Account Auth Success
    CCF: Excessive Authentication Failure Rule
    CCF: GeoIP Blacklisted Region Activity
    CCF: GeoIP General Activity
    CCF: Linux sudo Privilege Escalation
    CCF: Local Account Created and Used
    CCF: Multiple Account Passwords Modified by Admin
    CCF: Password Modified by Admin
    CCF: Password Modified by Another User
    CCF: Windows RunAs Privilege Escalation
  AIE Alerts:
    AIE: CCF: Blacklisted Account Alarm
    AIE: CCF: Priv Group Access Granted Alarm
    AIE: CCF: Privilege Escalation After Attack Alarm
    AIE: CCF: Unknown User Account Alarm
  Investigations:
    CCF: GeoIP Inv
    CCF: Host Access Granted And Revoked Inv
    CCF: Password Modification Inv
    CCF: Privileged Account Escalation Inv
    CCF: Privileged Account Modification Inv
    CCF: Rogue Access Point Inv
    CCF: Suspicious Users Inv
    CCF: Unknown User Account Inv
    CCF: User Misuse Inv
  Summary Reports:
    CCF: Priv Account Management Activity Summary
    CCF: Priv Authentication Activity Summary
    CCF: Rogue Access Point Summary
    CCF: Top Suspicious Users
    CCF: User Misuse Summary
    CCF: User Priv Escalation (SU & SUDO) Summary
    CCF: User Priv Escalation (Windows) Summary
Control 2.3.3
  Rules:
    CCF: Abnormal Amount of Data Transferred
    CCF: Backup Information
    CCF: Config Change After Attack
    CCF: Config Change then Critical Error
    CCF: Config Deleted/Disabled
    CCF: Config Modified
    CCF: Critical Event After Attack
    CCF: Data Destruction
    CCF: Data Exfiltration Observed
    CCF: Data Loss Prevention
    CCF: Denial Of Service Alert
    CCF: Distributed Brute Force
    CCF: Large Outbound Transfer
    CCF: Software Install Rule
    CCF: Software Uninstall Rule
  AIE Alerts:
    AIE: CCF: Backup Failure Alarm
    AIE: CCF: Compromise Detected Alarm
    AIE: CCF: Critical/PRD Envir Patch Failure Alarm
    AIE: CCF: Critical/PRD Envir Signature Failure Alarm
    AIE: CCF: Critical/PRD Envir Config/Policy Change Alarm
    AIE: CCF: Early TLS/SSL Alarm
    AIE: CCF: LogRhythm Silent Log Source Error Alarm
    AIE: CCF: Malware Alarm
    AIE: CCF: Non-Encrypted Protocol Alarm
    AIE: CCF: Rogue Access Point Alarm
    AIE: CCF: Software Install Failure Alarm
    AIE: CCF: Software Uninstall Failure Alarm
    AIE: CCF: Suspected Wireless Attack Alarm
    AIE: CCF: Vulnerability Detected Alarm
  Investigations:
    CCF: Backup Activity Inv
    CCF: Compromises Detected Inv
    CCF: Config/Policy Change Inv
    CCF: Critical Environment Error Inv
    CCF: Malware Detected Inv
    CCF: Object Access Inv
    CCF: Rogue Access Point Inv
    CCF: Signature Activity Inv
    CCF: Social Media Inv
    CCF: Suspected Wireless Attack Inv
    CCF: Vulnerability Detected Inv
  Summary Reports:
    CCF: Backup Activity Summary
    CCF: Compromises Detected Summary
    CCF: Config/Policy Change Summary
    CCF: Critical Environment Error Summary
    CCF: Malware Detected Summary
    CCF: Object Access Summary
    CCF: Rogue Access Point Summary
    CCF: Signature Activity Summary
    CCF: Social Media Summary
    CCF: Suspected Wireless Attack Summary
    CCF: Vulnerability Detected Summary
Control 2.4.3
  Rules:
    CCF: Config Change After Attack
    CCF: Config Change then Critical Error
    CCF: Config Deleted/Disabled
    CCF: Config Modified
  AIE Alerts:
    AIE: CCF: Critical/PRD Envir Patch Failure Alarm
    AIE: CCF: Critical/PRD Envir Signature Failure Alarm
    AIE: CCF: Critical/PRD Envir Config/Policy Change Alarm
  Investigations:
    CCF: Config/Policy Change Inv
    CCF: Critical Environment Error Inv
  Summary Reports:
    CCF: Config/Policy Change Summary
    CCF: Critical Environment Error Summary
Control 2.5.3
  Rules:
    CCF: Distributed Brute Force
    CCF: Blacklist Location Auth
    CCF: Concurrent VPN from Multiple Locations
    CCF: Critical Event After Attack
    CCF: Corroborated Account Anomalies
    CCF: Abnormal Origin Location
    CCF: Config Change After Attack
    CCF: Config Change then Critical Error
    CCF: Config Deleted/Disabled
    CCF: Config Modified
    CCF: GeoIP General Activity
    CCF: GeoIP Blacklisted Region Activity
  AIE Alerts:
    AIE: CCF: Early TLS/SSL Alarm
    AIE: CCF: Non-Encrypted Protocol Alarm
    AIE: CCF: Rogue Access Point Alarm
    AIE: CCF: Vulnerability Detected Alarm
    AIE: CCF: Blacklisted Account Alarm
    AIE: CCF: Compromise Detected Alarm
    AIE: CCF: Attack then External Connection Alarm
  Investigations:
    CCF: Compromises Detected Inv
    CCF: Config/Policy Change Inv
    CCF: Critical Environment Error Inv
    CCF: GeoIP Inv
    CCF: Signature Activity Inv
    CCF: Suspected Wireless Attack Inv
    CCF: Use Of Non-Encrypted Protocols Inv
    CCF: Vulnerability Detected Inv
  Summary Reports:
    CCF: Compromises Detected Summary
    CCF: Config/Policy Change Summary
    CCF: Critical Environment Error Summary
    CCF: GeoIP Summary
    CCF: Signature Activity Summary
    CCF: Suspected Wireless Attack Summary
    CCF: Use Of Non-Encrypted Protocols Summary
    CCF: Vulnerability Detected Summary
Control 2.7.3
  Rules:
    CCF: Data Exfiltration Observed
    CCF: Large Outbound Transfer
    CCF: Corroborated Data Access Anomalies
    CCF: Data Destruction
    CCF: FIM Information
    CCF: Abnormal Amount of Data Transferred
    CCF: Data Loss Prevention
    CCF: FIM Abnormal Activity
    CCF: FIM Add Activity
    CCF: FIM General Activity
  AIE Alerts:
    AIE: CCF: Non-Encrypted Protocol Alarm
    AIE: CCF: FIM Delete Activity Alarm
  Investigations:
    CCF: Applications Accessed By User Inv
    CCF: LogRhythm Data Loss Defender Log Inv
    CCF: Object Access Inv
  Summary Reports:
    CCF: Applications Accessed By User Summary
    CCF: LogRhythm Data Loss Defender Log Summary
    CCF: Object Access Summary
Control 2.8.3
  Rules: (none)
  AIE Alerts:
    AIE: CCF: Early TLS/SSL Alarm
    AIE: CCF: Non-Encrypted Protocol Alarm
  Investigations:
    CCF: Config/Policy Change Inv
    CCF: Use Of Non-Encrypted Protocols Inv
  Summary Reports:
    CCF: Config/Policy Change Summary
    CCF: Use Of Non-Encrypted Protocols Summary
Control 2.9.3
  Rules:
    CCF: Backup Information
  AIE Alerts:
    AIE: CCF: Backup Failure Alarm
  Investigations:
    CCF: Backup Activity Inv
  Summary Reports:
    CCF: Backup Activity Summary
Control 2.10.3
  Rules:
    CCF: Config Change After Attack
    CCF: Config Change then Critical Error
    CCF: Config Deleted/Disabled
    CCF: Config Modified
    CCF: Critical Event After Attack
    CCF: Software Install Rule
    CCF: Software Uninstall Rule
  AIE Alerts:
    AIE: CCF: Critical/PRD Envir Patch Failure Alarm
    AIE: CCF: Critical/PRD Envir Signature Failure Alarm
    AIE: CCF: Software Install Failure Alarm
    AIE: CCF: Software Uninstall Failure Alarm
    AIE: CCF: Early TLS/SSL Alarm
    AIE: CCF: Non-Encrypted Protocol Alarm
    AIE: CCF: Rogue Access Point Alarm
    AIE: CCF: Vulnerability Detected Alarm
    AIE: CCF: Critical/PRD Envir Config/Policy Change Alarm
  Investigations:
    CCF: Compromises Detected Inv
    CCF: Config/Policy Change Inv
    CCF: Malware Detected Inv
    CCF: Patch Activity Inv
    CCF: Vulnerability Detected Inv
  Summary Reports:
    CCF: Compromises Detected Summary
    CCF: Config/Policy Change Summary
    CCF: Malware Detected Summary
    CCF: Patch Activity Summary
    CCF: Vulnerability Detected Summary
Control 2.12.3
  Rules: (none)
  AIE Alerts: (none)
  Investigations: (none)
  Summary Reports: (none)
Control 2.13.3
  Rules:
    CCF: Attack then External Connection
    CCF: Auth After Security Event
    CCF: Denial Of Service Alert
    CCF: Distributed Brute Force
    CCF: External Brute Force Auths
  AIE Alerts:
    AIE: CCF: Compromise Detected Alarm
    AIE: CCF: Malware Alarm
    AIE: CCF: Suspected Wireless Attack Alarm
  Investigations:
    CCF: Compromises Detected Inv
    CCF: Malware Detected Inv
    CCF: Suspected Wireless Attack Inv
  Summary Reports:
    CCF: Compromises Detected Summary
    CCF: Malware Detected Summary
    CCF: Suspected Wireless Attack Summary
Control 2.14.3
  Rules:
    CCF: Physical Access Rule
  AIE Alerts: (none)
  Investigations:
    CCF: Physical Access Inv
  Summary Reports:
    CCF: Physical Access Summary
Control 2.15.3
  Rules:
    CCF: External Brute Force Auths
    CCF: Auth After Numerous Failed Auths
    CCF: Auth After Security Event
    CCF: Corroborated Data Access Anomalies
    CCF: Distributed Brute Force
    CCF: Blacklist Location Auth
    CCF: Concurrent VPN from Multiple Locations
    CCF: Abnormal Origin Location
    CCF: Config Deleted/Disabled
    CCF: Config Modified
  AIE Alerts:
    AIE: CCF: Critical/PRD Envir Config/Policy Change Alarm
    AIE: CCF: Non-Encrypted Protocol Alarm
    AIE: CCF: Compromise Detected Alarm
  Investigations:
    CCF: Audit Log Inv
    CCF: Compromises Detected Inv
    CCF: Config/Policy Change Inv
    CCF: Use Of Non-Encrypted Protocols Inv
  Summary Reports:
    CCF: Audit Log Summary
    CCF: Compromises Detected Summary
    CCF: Config/Policy Change Summary
    CCF: Use Of Non-Encrypted Protocols Summary
Control 3.1.3
  Rules:
    CCF: Data Exfiltration Observed
    CCF: Disabled Account Auth Success
    CCF: Large Outbound Transfer
    CCF: Local Account Created and Used
    CCF: External Brute Force Auths
    CCF: Corroborated Data Access Anomalies
    CCF: Data Destruction
    CCF: Distributed Brute Force
    CCF: Blacklist Location Auth
    CCF: Concurrent VPN from Multiple Locations
    CCF: Critical Event After Attack
    CCF: Corroborated Account Anomalies
    CCF: Abnormal Origin Location
    CCF: Attack then External Connection
    CCF: Config Change After Attack
    CCF: Config Change then Critical Error
    CCF: Config Deleted/Disabled
    CCF: Config Modified
    CCF: Abnormal Amount of Data Transferred
    CCF: Misuse
    CCF: Windows RunAs Privilege Escalation
    CCF: Linux sudo Privilege Escalation
  AIE Alerts:
    AIE: CCF: Critical/PRD Envir Config/Policy Change Alarm
    AIE: CCF: Critical/PRD Envir Patch Failure Alarm
    AIE: CCF: Critical/PRD Envir Signature Failure Alarm
    AIE: CCF: Malware Alarm
    AIE: CCF: Vulnerability Detected Alarm
    AIE: CCF: Rogue Access Point Alarm
    AIE: CCF: Suspected Wireless Attack Alarm
    AIE: CCF: Early TLS/SSL Alarm
    AIE: CCF: Audit Logging Stopped Alarm
    AIE: CCF: Privilege Escalation After Attack Alarm
    AIE: CCF: Blacklisted Account Alarm
    AIE: CCF: Compromise Detected Alarm
  Investigations:
    CCF: Audit Log Inv
    CCF: Backup Activity Inv
    CCF: Compromises Detected Inv
    CCF: Config/Policy Change Inv
    CCF: Critical Environment Error Inv
    CCF: Host Access Granted And Revoked Inv
    CCF: Malware Detected Inv
    CCF: Object Access Inv
    CCF: Patch Activity Inv
    CCF: Physical Access Inv
    CCF: Privileged Account Escalation Inv
    CCF: Privileged Account Modification Inv
    CCF: Rogue Access Point Inv
    CCF: Signature Activity Inv
    CCF: Social Media Inv
    CCF: Suspected Wireless Attack Inv
    CCF: Suspicious Users Inv
    CCF: Unknown User Account Inv
    CCF: Use Of Non-Encrypted Protocols Inv
    CCF: User Misuse Inv
    CCF: Vulnerability Detected Inv
  Summary Reports:
    CCF: Applications Accessed By User Summary
    CCF: Audit Log Summary
    CCF: Backup Activity Summary
    CCF: Compromises Detected Summary
    CCF: Config/Policy Change Summary
    CCF: Critical Environment Error Summary
    CCF: Malware Detected Summary
    CCF: Object Access Summary
    CCF: Patch Activity Summary
    CCF: Physical Access Summary
    CCF: Priv Account Management Activity Summary
    CCF: Priv Authentication Activity Summary
    CCF: Rogue Access Point Summary
    CCF: Signature Activity Summary
    CCF: Social Media Summary
    CCF: Suspected Wireless Attack Summary
    CCF: Time Sync Error Summary
    CCF: Top Suspicious Users
    CCF: Use Of Non-Encrypted Protocols Summary
    CCF: User Misuse Summary
    CCF: User Priv Escalation (SU & SUDO) Summary
    CCF: User Priv Escalation (Windows) Summary
    CCF: Vulnerability Detected Summary
Control 4.2.3
  Rules:
    AIE: CCF: GeoIP General Activity
    AIE: CCF: GeoIP Blacklisted Region Activity
  AIE Alerts: (none)
  Investigations:
    CCF: GeoIP Inv
  Summary Reports:
    CCF: GeoIP Summary
Control 5.1.3
  Rules:
    CCF: External Brute Force Auths
    CCF: Auth After Numerous Failed Auths
    CCF: Auth After Security Event
    CCF: Distributed Brute Force
    CCF: Blacklist Location Auth
    CCF: Concurrent VPN from Multiple Locations
    CCF: Critical Event After Attack
    CCF: Corroborated Account Anomalies
    CCF: Abnormal Origin Location
    CCF: Attack then External Connection
    CCF: Config Change After Attack
    CCF: Config Deleted/Disabled
    CCF: Config Modified
    CCF: Abnormal Amount of Data Transferred
    CCF: Misuse
    CCF: Windows RunAs Privilege Escalation
  AIE Alerts:
    AIE: CCF: Critical/PRD Envir Config/Policy Change Alarm
    AIE: CCF: Critical/PRD Envir Patch Failure Alarm
    AIE: CCF: Critical/PRD Envir Signature Failure Alarm
    AIE: CCF: Malware Alarm
    AIE: CCF: Vulnerability Detected Alarm
    AIE: CCF: Rogue Access Point Alarm
    AIE: CCF: Non-Encrypted Protocol Alarm
    AIE: CCF: Suspected Wireless Attack Alarm
    AIE: CCF: Early TLS/SSL Alarm
    AIE: CCF: Priv Group Access Granted Alarm
    AIE: CCF: Audit Logging Stopped Alarm
    AIE: CCF: Blacklisted Account Alarm
    AIE: CCF: Compromise Detected Alarm
  Investigations:
    CCF: Applications Accessed By User Inv
    CCF: Audit Log Inv
    CCF: Compromises Detected Inv
    CCF: Config/Policy Change Inv
    CCF: Critical Environment Error Inv
    CCF: Malware Detected Inv
    CCF: Object Access Inv
    CCF: Password Modification Inv
    CCF: Patch Activity Inv
    CCF: Physical Access Inv
    CCF: Privileged Account Escalation Inv
    CCF: Privileged Account Modification Inv
    CCF: Rogue Access Point Inv
    CCF: Suspected Wireless Attack Inv
    CCF: Suspicious Users Inv
    CCF: Vulnerability Detected Inv
  Summary Reports:
    CCF: Applications Accessed By User Summary
    CCF: Audit Log Summary
    CCF: Compromises Detected Summary
    CCF: Config/Policy Change Summary
    CCF: Critical Environment Error Summary
    CCF: Malware Detected Summary
    CCF: Object Access Summary
    CCF: Patch Activity Summary
    CCF: Physical Access Summary
    CCF: Priv Account Management Activity Summary
    CCF: Priv Authentication Activity Summary
    CCF: Rogue Access Point Summary
    CCF: Suspected Wireless Attack Summary
    CCF: Use Of Non-Encrypted Protocols Summary
    CCF: User Misuse Summary
    CCF: User Priv Escalation (SU & SUDO) Summary
    CCF: User Priv Escalation (Windows) Summary
    CCF: Vulnerability Detected Summary