NCA OTCC – Reports and Reporting Packages
Summary Reports
Report Name | Report Description | Report ID | Subdomain Control Support | Intelligent Indexing | Classification | Data Source | Log Sources |
---|---|---|---|---|---|---|---|
CCF: Access Failure Summary | This report provides summary information around account access failures across all logged environments. | 2089 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.1.1, 2.1.2, 2.2.1, 2.2.2, 2.3.1, 2.3.2, 2.4.1, 2.5.1, 2.6.1, 2.6.2, 2.9.1, 2.11.1, 2.11.2, 2.12.1, 3.1.2, 4.1.2 | No | Audit | Platform Manager | All Available Log Sources |
CCF: Access Success Summary | This report provides summary information around account access successes across all logged environments. | 2091 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.1.1, 2.1.2, 2.2.1, 2.2.2, 2.3.1, 2.3.2, 2.4.1, 2.5.1, 2.6.1, 2.6.2, 2.9.1, 2.11.1, 2.11.2, 2.12.1, 3.1.2, 4.1.2 | No | Audit | Platform Manager | All Available Log Sources |
CCF: Account Deleted Summary | This report provides detailed information when an account has access revoked (deleted) across any logged environments. This should align with the organization's policies regarding deleted accounts. | 2086 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.1.1, 2.1.2, 2.2.1, 2.2.2, 2.3.1, 2.3.2, 2.4.1, 2.5.1, 2.6.1, 2.6.2, 2.9.1, 2.11.1, 2.11.2, 2.12.1, 3.1.2, 4.1.2 | No | Audit | Platform Manager | All Available Log Sources |
CCF: Account Disabled Summary | This report provides detailed information when an account has access revoked (disabled) across any logged environments. This should align with the organization's policies regarding disabled accounts. | 2084 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.1.1, 2.1.2, 2.2.1, 2.2.2, 2.3.1, 2.3.2, 2.4.1, 2.5.1, 2.6.1, 2.6.2, 2.9.1, 2.11.1, 2.11.2, 2.12.1, 3.1.2, 4.1.2 | No | Audit | LogMart | All Available Log Sources |
CCF: Account Enabled Summary | This report provides detailed information when an account has access granted (enabled) across any logged environments. This should align with the organization's policies regarding enabled accounts. | 2085 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.1.1, 2.1.2, 2.2.1, 2.2.2, 2.3.1, 2.3.2, 2.4.1, 2.5.1, 2.6.1, 2.6.2, 2.9.1, 2.11.1, 2.11.2, 2.12.1, 3.1.2, 4.1.2 | Yes | Audit | Platform Manager | All Available Log Sources |
CCF: Account Modification Summary | This report provides summary information around account modifications across all logged environments. | 2092 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.1.1, 2.1.2, 2.2.1, 2.2.2, 2.3.1, 2.3.2, 2.4.1, 2.5.1, 2.6.1, 2.6.2, 2.9.1, 2.11.1, 2.11.2, 2.12.1, 3.1.2, 4.1.2 | No | Audit | Platform Manager | All Available Log Sources |
CCF: Applications Accessed By User Summary | This report provides information about user accessed applications. | 2063 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.1.1, 2.1.2, 2.2.1, 2.2.2, 2.3.1, 2.3.2, 2.5.1, 2.6.1, 2.9.1, 2.11.1, 2.11.2, 2.12.1, 3.1.2, 4.1.2 | No | Operations | Data Processor(s) | All Available Log Sources |
CCF: Audit Log Summary | This report provides a summary of audit log clearing or write failures by Impacted Host. | 2076 | 1.3.1, 1.4.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.1.1, 2.1.2, 2.2.1, 2.2.2, 2.3.1, 2.3.2, 2.4.1, 2.5.1, 2.5.2, 2.6.1, 2.6.2, 2.7.1, 2.7.2, 2.8.1, 2.8.2, 2.9.1, 2.11.1, 2.11.2, 2.12.1, 2.13.2, 3.1.1, 3.1.2, 4.1.2 | Yes | Audit | Platform Manager | All Available Log Sources |
CCF: Auth Failure Summary | This report provides summary information around account authentication failures across all logged environments. | 2088 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.1.1, 2.1.2, 2.2.1, 2.2.2, 2.3.1, 2.3.2, 2.4.1, 2.5.1, 2.6.1, 2.6.2, 2.9.1, 2.11.1, 2.11.2, 2.12.1, 3.1.2, 4.1.2 | No | Audit | Platform Manager | All Available Log Sources |
CCF: Auth Success Summary | This report provides summary information around account authentication successes across all logged environments. | 2090 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.1.1, 2.1.2, 2.2.1, 2.2.2, 2.3.1, 2.3.2, 2.4.1, 2.5.1, 2.6.1, 2.6.2, 2.9.1, 2.11.1, 2.11.2, 2.12.1, 3.1.2, 4.1.2 | No | Audit | Platform Manager | All Available Log Sources |
CCF: Backup Activity Summary | This report provides a summary of activity from backup events. | 2062 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.3.1, 2.3.2, 2.5.1, 2.6.1, 2.8.1, 2.8.2, 2.9.1, 2.11.2, 2.12.1, 3.1.1, 3.1.2 | No | Operations | Data Processor(s) | All Available Log Sources |
CCF: Compromises Detected Summary | This report provides a summary of detected compromises of security by Entity and Impacted Host. | 2064 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.3.1, 2.3.2, 2.4.1, 2.5.1, 2.6.2, 2.9.1, 2.11.2, 2.12.1, 3.1.1, 3.1.2, 4.1.2 | Yes | Security | LogMart | All Available Log Sources |
CCF: Config/Policy Change Summary | This report provides a summary of the occurrence of configuration or policy changes across critical and production environments (entity structure). | 2049 | 1.3.1, 1.4.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.1.1, 2.1.2, 2.2.1, 2.3.1, 2.3.2, 2.4.1, 2.5.1, 2.5.2, 2.6.2, 2.7.1, 2.7.2, 2.8.2, 2.9.1, 2.11.1, 2.11.2, 2.12.1, 3.1.2, 4.1.2 | Yes | Audit | LogMart | All Available Log Sources |
CCF: Critical Environment Error Summary | This report provides summary details around critical or error messages received from critical servers or systems (entity structure) to support change management procedures. | 2050 | 1.3.1, 1.4.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.1.1, 2.1.2, 2.2.1, 2.3.1, 2.3.2, 2.5.1, 2.8.1, 2.8.2, 2.9.1, 2.11.1, 2.11.2, 2.12.1, 3.1.1, 3.1.2, 4.1.2 | Yes | Operations | Platform Manager | All Available Log Sources |
CCF: GeoIP Summary | This report summarizes GeoIP activity that is associated with AI Engine GeoIP rules, in the CCF compliance automation suite. | 2069 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.1.1, 2.1.2, 2.2.1, 2.2.2, 2.3.1, 2.3.2, 2.4.1, 2.5.1, 2.6.1, 2.6.2, 2.9.1, 2.11.1, 2.11.2, 2.12.1, 3.1.1, 3.1.2, 4.1.2 | Yes | Security | Platform Manager | All Available Log Sources |
CCF: LogRhythm Data Loss Defender Log Summary | This report provides summary information on data generated by the LogRhythm Data Loss Defender. Data is grouped by Entity, Impacted Host, Common Event, and Object with a count of how many times that condition has been experienced within the reporting period. | 2066 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.1.1, 2.1.2, 2.2.1, 2.3.1, 2.3.2, 2.5.1, 2.6.1, 2.6.2, 2.7.1, 2.7.2, 2.8.2, 2.9.1, 2.11.1, 2.11.2, 2.12.1, 3.1.1, 3.1.2, 4.1.2 | Yes | Operations | LogMart | All Available Log Sources |
CCF: Malware Detected Summary | This report provides a summary of malware activity by entity and impacted host within the organization's critical and production environments (entity structure). | 2051 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.3.1, 2.3.2, 2.4.1, 2.5.1, 2.6.2, 2.9.1, 2.11.2, 2.12.1, 3.1.1, 3.1.2, 4.1.2 | Yes | Security | Platform Manager | All Available Log Sources |
CCF: Object Access Summary | This report summarizes object access by Impacted Host. | 2067 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.1.1, 2.1.2, 2.2.1, 2.2.2, 2.3.1, 2.3.2, 2.4.1, 2.5.1, 2.6.1, 2.6.2, 2.8.2, 2.9.1, 2.11.1, 2.11.2, 2.12.1, 3.1.2, 4.1.2 | No | Audit | Data Processor(s) | All Available Log Sources |
CCF: Patch Activity Summary | This report provides a summary of applied patches grouped by Origin Host. It can demonstrate that all system components have the latest security patches installed. | 2052 | 1.3.1, 1.4.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.1.1, 2.1.2, 2.2.1, 2.3.1, 2.3.2, 2.4.1, 2.5.1, 2.5.2, 2.6.2, 2.9.1, 2.11.1, 2.11.2, 2.12.1, 3.1.1, 3.1.2, 4.1.2 | Yes | Operations | Data Processor(s) | All Available Log Sources |
CCF: Physical Access Summary | This report summarizes physical door access/authentication success and failures within the organization's physical security perimeter. | 2053 | 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.2.2, 2.3.1, 2.3.2, 2.6.1, 2.8.2, 2.9.1, 2.12.1, 2.13.2, 3.1.2, 4.1.2 | Yes | Audit | Platform Manager | All Available Log Sources |
CCF: Priv Account Management Activity Summary | This report provides a summary of various access modifications to privileged accounts occurring within the defined environments. This report requires the CCF: Privileged Accounts (user list) be established and periodically updated. | 2080 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.1.1, 2.1.2, 2.2.1, 2.2.2, 2.3.1, 2.3.2, 2.5.1, 2.6.1, 2.6.2, 2.9.1, 2.11.1, 2.11.2, 2.12.1, 3.1.2, 4.1.2 | Yes | Audit | Data Processor(s) | All Available Log Sources |
CCF: Priv Authentication Activity Summary | This report provides summary information around privileged account authentication success and access success activity within the defined environment. This report relies on CCF: Privileged Accounts (user list) to be established and updated periodically. | 2079 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.1.1, 2.1.2, 2.2.1, 2.2.2, 2.3.1, 2.3.2, 2.5.1, 2.6.1, 2.6.2, 2.9.1, 2.11.1, 2.11.2, 2.12.1, 3.1.2, 4.1.2 | Yes | Audit | Platform Manager | All Available Log Sources |
CCF: Rogue Access Point Summary | This report provides a summary of all detected rogue wireless access points by Impacted Host across critical and production environments (entity structure). | 2054 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.3.1, 2.3.2, 2.4.1, 2.5.1, 2.6.1, 2.6.2, 2.9.1, 2.11.2, 2.12.1, 3.1.1, 3.1.2, 4.1.2 | Yes | Security | Platform Manager | All Available Log Sources |
CCF: Signature Activity Summary | This report provides summary information on signature update activity across critical and production environments (entity structure). | 2055 | 1.3.1, 1.4.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.1.1, 2.1.2, 2.2.1, 2.3.1, 2.3.2, 2.4.1, 2.5.1, 2.5.2, 2.6.2, 2.9.1, 2.11.1, 2.11.2, 2.12.1, 3.1.1, 3.1.2, 4.1.2 | Yes | Operations | LogMart | All Available Log Sources |
CCF: Social Media Summary | Summarizes the top URLs related to Social Media activity. | 2070 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.3.1, 2.3.2, 2.4.1, 2.5.1, 2.6.1, 2.6.2, 2.9.1, 2.11.2, 2.12.1, 3.1.1, 3.1.2, 4.1.2 | No | Audit | Platform Manager | All Available Log Sources |
CCF: Suspected Wireless Attack Summary | This report provides summary information on suspected wireless attacks at the internal boundary, including the type of attack and the impacted (targeted) host and application (if applicable). To supplement this Summary Report, consider running an Investigation to capture further information. This is based on Critical and Production environments (can be defined with entity structure). | 2056 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.3.1, 2.3.2, 2.4.1, 2.5.1, 2.6.1, 2.6.2, 2.9.1, 2.11.2, 2.12.1, 3.1.1, 3.1.2, 4.1.2 | Yes | Security | Platform Manager | All Available Log Sources |
CCF: Term Account Activity Summary | This report provides a summary of authentication successes and failures from terminated accounts (list) within any logged environments. This should align with the organization's termination policy. | 2087 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.1.1, 2.1.2, 2.2.1, 2.2.2, 2.3.1, 2.3.2, 2.4.1, 2.5.1, 2.6.1, 2.6.2, 2.9.1, 2.11.1, 2.11.2, 2.12.1, 3.1.2, 4.1.2 | Yes | Audit | Data Processor(s) | All Available Log Sources |
CCF: Time Sync Error Summary | This report provides a summary of time sync errors occurring within critical and production environments (can be defined with entity structure). | 2057 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.3.1, 2.3.2, 2.5.1, 2.8.1, 2.9.1, 2.11.2, 2.12.1, 3.1.1, 3.1.2, 4.1.2 | Yes | Operations | Platform Manager | All Available Log Sources |
CCF: Use Of Non-Encrypted Protocols Summary | This report lists any use of non-encrypted protocols. | 2060 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.1.1, 2.1.2, 2.2.1, 2.3.1, 2.3.2, 2.4.1, 2.5.1, 2.6.1, 2.6.2, 2.7.1, 2.7.2, 2.9.1, 2.11.1, 2.11.2, 2.12.1, 3.1.1, 3.1.2, 4.1.2 | Yes | Audit | LogMart | All Available Log Sources |
CCF: User Misuse Summary | This report summarizes detected misuse by user. | 2061 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.3.1, 2.3.2, 2.5.1, 2.6.1, 2.9.1, 2.11.2, 2.12.1, 3.1.1, 3.1.2, 4.1.2 | No | Security | Platform Manager | All Available Log Sources |
CCF: User Object Access Summary | This report summarizes successful object access activity by user. | 2068 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.1.1, 2.1.2, 2.2.1, 2.2.2, 2.3.1, 2.3.2, 2.4.1, 2.5.1, 2.6.1, 2.6.2, 2.8.2, 2.9.1, 2.11.1, 2.11.2, 2.12.1, 3.1.2, 4.1.2 | No | Audit | Data Processor(s) | All Available Log Sources |
CCF: User Priv Escalation (SU & SUDO) Summary | This report provides summary information about changes in a user's privilege level on a Linux environment. This report is specific to Linux and is based on a search for the MPE rule SU Session Opened (flat file, SUDO log, or syslog). | 1946 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.1.1, 2.1.2, 2.2.1, 2.2.2, 2.3.1, 2.3.2, 2.5.1, 2.6.1, 2.6.2, 2.9.1, 2.11.1, 2.11.2, 2.12.1, 3.1.2, 4.1.2 | No | Audit | Data Processor(s) | All Available Log Sources |
CCF: User Priv Escalation (Windows) Summary | This report provides summary information around changes in privilege level status of a user on a critical server or workstation, specific to Windows based on event ID, security metadata field of 2. This type of log is generated when a new process is created on a Windows machine and the token type is recorded in the object metadata field. Audit privilege use and audit process tracking must be enabled on the Windows machine being audited. | 2077 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.1.1, 2.1.2, 2.2.1, 2.2.2, 2.3.1, 2.3.2, 2.5.1, 2.6.1, 2.6.2, 2.9.1, 2.11.1, 2.11.2, 2.12.1, 3.1.2, 4.1.2 | Yes | Audit | Data Processor(s) | All Available Log Sources |
CCF: Vulnerability Detected Summary | This report provides a summary of potential vulnerabilities detected across the critical and production environments (can be defined with entity structure). | 2058 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.3.1, 2.3.2, 2.4.1, 2.5.1, 2.6.2, 2.9.1, 2.11.2, 2.12.1, 3.1.1, 3.1.2, 4.1.2 | Yes | Security | Platform Manager | All Available Log Sources |
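The two User Priv Escalation summary reports above describe the classification they rely on: on Linux, syslog or sudo-log lines that the SU Session Opened style MPE rules match; on Windows, process-creation records whose token elevation field carries the value 2. The following script is an added example, not LogRhythm code and not part of the CCF suite: it applies the same selection logic to a handful of constructed log records and produces the per-user, per-host, per-method counts a summary report would show. The syslog and sudo lines and the Windows records are constructed for the example; the field name `token_elevation_type` is an assumption, and the Windows event ID that the page leaves unstated is not assumed here.

```python
"""Added example: privilege-escalation summary over constructed Linux and Windows records."""
import re
from collections import Counter

# Constructed syslog / sudo-log lines (not captured from a real system).
LINUX_LOGS = [
    "Mar  3 10:01:12 web01 su[2211]: pam_unix(su:session): session opened for user root by alice(uid=1001)",
    "Mar  3 10:02:40 web01 sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "Mar  3 10:03:05 db01 su[3310]: pam_unix(su-l:session): session opened for user postgres by alice(uid=1001)",
    "Mar  3 10:04:00 web01 sshd[2250]: Accepted publickey for bob from 10.0.0.5 port 51234 ssh2",
    "Mar  3 10:05:17 web01 sudo:    bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow",
]

# Constructed Windows process-creation records. The field name
# token_elevation_type is an assumption; the page only says "metadata field of 2".
WINDOWS_EVENTS = [
    {"host": "ws17", "user": "CORP\\alice", "new_process": "C:\\Windows\\System32\\cmd.exe", "token_elevation_type": 2},
    {"host": "ws17", "user": "CORP\\alice", "new_process": "C:\\Program Files\\App\\app.exe", "token_elevation_type": 3},
    {"host": "srv02", "user": "CORP\\svc_backup", "new_process": "C:\\Windows\\System32\\powershell.exe", "token_elevation_type": 2},
    {"host": "ws18", "user": "CORP\\bob", "new_process": "C:\\Windows\\System32\\notepad.exe", "token_elevation_type": 1},
]

# pam_unix "session opened" line written by su / su -l.
SU_SESSION_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+su(?:-l)?\[\d+\]:\s+"
    r"pam_unix\(su(?:-l)?:session\):\s+session opened for user (?P<target>\S+) by (?P<actor>[^\s(]+)"
)
# Default sudo log line: "<actor> : TTY=... ; PWD=... ; USER=<target> ; COMMAND=<cmd>".
SUDO_RE = re.compile(
    r"^\w{3}\s+\d+\s+[\d:]+\s+(?P<host>\S+)\s+sudo:\s+(?P<actor>\S+)\s+:\s+"
    r".*?USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.+)$"
)

# Value 2 in the token elevation field means the new process received a fully
# elevated token; 1 (default) and 3 (limited) are not privilege changes.
FULL_ELEVATION = 2


def parse_linux_escalations(lines):
    """Return one record per su session opened or sudo command; other syslog noise is dropped."""
    found = []
    for line in lines:
        m = SU_SESSION_RE.match(line)
        if m:
            found.append({"platform": "linux", "host": m["host"], "actor": m["actor"],
                          "target": m["target"], "method": "su", "detail": "session opened"})
            continue
        m = SUDO_RE.match(line)
        if m:
            found.append({"platform": "linux", "host": m["host"], "actor": m["actor"],
                          "target": m["target"], "method": "sudo", "detail": m["cmd"]})
    return found


def select_windows_elevations(events):
    """Keep only process-creation records whose token elevation field equals 2."""
    return [
        {"platform": "windows", "host": e["host"], "actor": e["user"],
         "target": "elevated token", "method": "token", "detail": e["new_process"]}
        for e in events
        if e.get("token_elevation_type") == FULL_ELEVATION
    ]


def summarize(records):
    """Count escalations per (actor, host, method), the grouping a summary report shows."""
    return Counter((r["actor"], r["host"], r["method"]) for r in records)


def privilege_escalation_summary(linux_lines=LINUX_LOGS, windows_events=WINDOWS_EVENTS):
    """Combine both platforms into one summary, as the two CCF reports do separately."""
    records = parse_linux_escalations(linux_lines) + select_windows_elevations(windows_events)
    return summarize(records)


if __name__ == "__main__":
    for (actor, host, method), n in sorted(privilege_escalation_summary().items()):
        print(f"{actor:<18} {host:<6} {method:<6} {n}")
```

Two practical points the report descriptions imply but do not spell out: the Linux side only works where su and sudo actually log through PAM and the sudo log is collected (a host with sudo logging disabled produces no records, not a clean report), and the Windows side is empty unless process-creation auditing is enabled on the audited machine, which is why the Windows report lists Audit Process Tracking and Audit Privilege Use as prerequisites. A summary of zero rows should therefore be checked against log-source health before it is read as "no escalations".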
Detail Reports
Report Name | Report Description | Report ID | Subdomain Control Support | Intelligent Indexing | Classification | Data Source | Log Sources |
---|---|---|---|---|---|---|---|
CCF: Host Access Granted And Revoked Detail | This report details all access granted and revoked for production systems. | 2065 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.1.1, 2.1.2, 2.2.1, 2.2.2, 2.3.1, 2.3.2, 2.4.1, 2.5.1, 2.6.1, 2.6.2, 2.9.1, 2.11.1, 2.11.2, 2.12.1, 3.1.1, 3.1.2, 4.1.2 | Yes | Audit | Data Processor(s) | All Available Log Sources |
CCF: Unknown User Account Detail | This report provides detail of activity from unknown user accounts, based on the CCF user lists. | 2071 | 1.3.1, 1.4.2, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.6.1, 1.6.2, 2.1.1, 2.1.2, 2.2.1, 2.2.2, 2.3.1, 2.3.2, 2.4.1, 2.5.1, 2.6.1, 2.6.2, 2.9.1, 2.11.1, 2.11.2, 2.12.1, 3.1.1, 3.1.2, 4.1.2 | Yes | Audit | Data Processor(s) | All Available Log Sources |
Reporting Packages
Reporting Package | Description |
---|---|
CCF: Weekly IT Operations AIE Report Package | These are reports IT Operations should run and review on a weekly basis. |
CCF: Daily IT Operations Report Package | These are reports IT Operations should run and review on a daily basis. |
CCF: Daily IT Security Report Package | These are reports Security Operations should run and review on a daily basis. |
CCF: Weekly Audit Report Package | These are reports Audit should run and review on a weekly basis. |
CCF: Monthly Executive Report Package | These are reports Executive Management should run and review on a monthly basis. |
CCF: Weekly IT Security AIE Report Package | These are reports Security Management should run and review on a weekly basis. |