NCA OTCC – Requirements
Subdomain Support | Control Support | AIE Rules | AIE Alerts | Investigations | Summary Reports | Detailed Reports |
---|---|---|---|---|---|---|
1.3.1 | 1.3.1.1 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Password Modified by Another User CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Backup Activity Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
| | 1.3.1.2 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Password Modified by Another User CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Backup Activity Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 1.3.1.3 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Password Modified by Another User CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Backup Activity Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1.4.1 | 1.4.1.1 | CCF: Config Modified CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall | CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Critical Environment Error Inv CCF: Audit Log Inv | CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Audit Log Summary | |
| | 1.4.1.2 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Config Modified CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Blacklist Location Auth CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Corroborated Account Anomalies CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Local Account Created and Used CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Critical Environment Error Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 1.4.1.3 | CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Software Install CCF: Software Uninstall | CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm | CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Audit Log Summary CCF: Time Sync Error Summary | |
| | 1.4.1.4 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Config Deleted/Disabled CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Software Install CCF: Software Uninstall CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Backup Activity Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1.4.2 | N/A | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Critical Event After Attack CCF: Social Media Event CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Blacklist Location Auth CCF: Backup Information CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Large Outbound Transfer CCF: Disabled Account Auth Success CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Local Account Created and Used CCF: Software Install CCF: Software Uninstall | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1.5.1 | N/A | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Config Deleted/Disabled CCF: Config Change then Critical Error CCF: Corroborated Data Access Anomalies CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Misuse CCF: Critical Event After Attack CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Config Change After Attack CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Config/Policy Change Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Critical Environment Error Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1.5.2 | N/A | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Config Deleted/Disabled CCF: Config Change then Critical Error CCF: Corroborated Data Access Anomalies CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Misuse CCF: Critical Event After Attack CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Config Change After Attack CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Config/Policy Change Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Critical Environment Error Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF:
User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1.5.3 | 1.5.3.1 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Config Deleted/Disabled CCF: Config Change then Critical Error CCF: Corroborated Data Access Anomalies CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Misuse CCF: Critical Event After Attack CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Config/Policy Change Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Critical Environment Error Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 1.5.3.2 | CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Attack then External Connection CCF: Software Install CCF: Software Uninstall | CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm | CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv | CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary | |
N/A | 1.5.3.3 | CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Attack then External Connection CCF: Software Install CCF: Software Uninstall | CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm | CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv | CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary | |
N/A | 1.5.3.4 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Config Deleted/Disabled CCF: Config Change then Critical Error CCF: Corroborated Data Access Anomalies CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Misuse CCF: Critical Event After Attack CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Config/Policy Change Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Critical Environment Error Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 1.5.3.5 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Config Deleted/Disabled CCF: Config Change then Critical Error CCF: Corroborated Data Access Anomalies CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Misuse CCF: Critical Event After Attack CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Config/Policy Change Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Critical Environment Error Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1.5.4 | N/A | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Config Deleted/Disabled CCF: Config Change then Critical Error CCF: Corroborated Data Access Anomalies CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Misuse CCF: Critical Event After Attack CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Config/Policy Change Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Critical Environment Error Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1.6.1 | N/A | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Config Deleted/Disabled CCF: Config Change then Critical Error CCF: Corroborated Data Access Anomalies CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Misuse CCF: Critical Event After Attack CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Config Change After Attack CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Config/Policy Change Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Critical Environment Error Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
1.6.2 | N/A | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Social Media Event CCF: Config Change After Attack CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Corroborated Account Anomalies CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
2.1.1 | 2.1.1.1 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Config Modified CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Blacklist Location Auth CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Corroborated Account Anomalies CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Local Account Created and Used CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Critical Environment Error Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.1.1.2 | CCF: FIM Abnormal Activity; CCF: FIM Add Activity; CCF: FIM General Activity; CCF: FIM Information; CCF: Data Loss Prevention; CCF: Data Destruction; CCF: Data Exfiltration Observed; CCF: Large Outbound Transfer; CCF: Abnormal Amount of Data Transferred; CCF: Corroborated Data Access Anomalies; CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Config Modified; CCF: Social Media Event; CCF: Windows RunAs Privilege Escalation; CCF: Linux sudo Privilege Escalation; CCF: Blacklist Location Auth; CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Software Install; CCF: Software Uninstall; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Abnormal Origin Location; CCF: Corroborated Account Anomalies; CCF: Password Modified by Admin; CCF: Password Modified by Another User; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Local Account Created and Used; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event | CCF: Non-Encrypted Protocol Alarm; CCF: Early TLS/SSL Alarm; CCF: FIM Delete Activity Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Blacklisted Account Alarm; CCF: Priv Group Access Granted Alarm; CCF: PRD Envir Config/Policy Change Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: Software Install Fail Alarm; CCF: Software Uninstall Fail Alarm; CCF: Unknown User Account Alarm; CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: User Object Access Inv; CCF: Object Access Inv; CCF: Unknown User Account Inv; CCF: GeoIP Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: Config/Policy Change Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Critical Environment Error Inv; CCF: Audit Log Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv; CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary; CCF: Applications Accessed By User Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Patch Activity Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Critical Environment Error Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modification Summary; CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
N/A | 2.1.1.3 | CCF: FIM Abnormal Activity; CCF: FIM Add Activity; CCF: FIM General Activity; CCF: FIM Information; CCF: Data Loss Prevention; CCF: Data Destruction; CCF: Data Exfiltration Observed; CCF: Large Outbound Transfer; CCF: Abnormal Amount of Data Transferred; CCF: Corroborated Data Access Anomalies; CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Config Modified; CCF: Social Media Event; CCF: Windows RunAs Privilege Escalation; CCF: Linux sudo Privilege Escalation; CCF: Blacklist Location Auth; CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Software Install; CCF: Software Uninstall; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Abnormal Origin Location; CCF: Corroborated Account Anomalies; CCF: Password Modified by Admin; CCF: Password Modified by Another User; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Local Account Created and Used; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event | CCF: Non-Encrypted Protocol Alarm; CCF: Early TLS/SSL Alarm; CCF: FIM Delete Activity Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Blacklisted Account Alarm; CCF: Priv Group Access Granted Alarm; CCF: PRD Envir Config/Policy Change Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: Software Install Fail Alarm; CCF: Software Uninstall Fail Alarm; CCF: Unknown User Account Alarm; CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: User Object Access Inv; CCF: Object Access Inv; CCF: Unknown User Account Inv; CCF: GeoIP Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: Config/Policy Change Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Critical Environment Error Inv; CCF: Audit Log Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv; CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary; CCF: Applications Accessed By User Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Patch Activity Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Critical Environment Error Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modification Summary; CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
N/A | 2.1.1.4 | CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Config Modified; CCF: Software Install; CCF: Software Uninstall | CCF: PRD Envir Config/Policy Change Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm | CCF: Config/Policy Change Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Audit Log Inv | CCF: Config/Policy Change Summary; CCF: Patch Activity Summary; CCF: Signature Activity Summary; CCF: Audit Log Summary | |
N/A | 2.1.1.5 | CCF: FIM Abnormal Activity; CCF: FIM Add Activity; CCF: FIM General Activity; CCF: FIM Information; CCF: Data Loss Prevention; CCF: Data Destruction; CCF: Data Exfiltration Observed; CCF: Large Outbound Transfer; CCF: Abnormal Amount of Data Transferred; CCF: Corroborated Data Access Anomalies; CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Config Modified; CCF: Social Media Event; CCF: Windows RunAs Privilege Escalation; CCF: Linux sudo Privilege Escalation; CCF: Blacklist Location Auth; CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Software Install; CCF: Software Uninstall; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Abnormal Origin Location; CCF: Corroborated Account Anomalies; CCF: Password Modified by Admin; CCF: Password Modified by Another User; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Local Account Created and Used; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event | CCF: Non-Encrypted Protocol Alarm; CCF: Early TLS/SSL Alarm; CCF: FIM Delete Activity Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Blacklisted Account Alarm; CCF: Priv Group Access Granted Alarm; CCF: PRD Envir Config/Policy Change Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: Software Install Fail Alarm; CCF: Software Uninstall Fail Alarm; CCF: Unknown User Account Alarm; CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: User Object Access Inv; CCF: Object Access Inv; CCF: Unknown User Account Inv; CCF: GeoIP Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: Config/Policy Change Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Critical Environment Error Inv; CCF: Audit Log Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv; CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary; CCF: Applications Accessed By User Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Patch Activity Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Critical Environment Error Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modification Summary; CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
2.1.2 | N/A | CCF: FIM Abnormal Activity; CCF: FIM Add Activity; CCF: FIM General Activity; CCF: FIM Information; CCF: Data Loss Prevention; CCF: Data Destruction; CCF: Data Exfiltration Observed; CCF: Large Outbound Transfer; CCF: Abnormal Amount of Data Transferred; CCF: Corroborated Data Access Anomalies; CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Config Modified; CCF: Social Media Event; CCF: Windows RunAs Privilege Escalation; CCF: Linux sudo Privilege Escalation; CCF: Blacklist Location Auth; CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Software Install; CCF: Software Uninstall; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Abnormal Origin Location; CCF: Corroborated Account Anomalies; CCF: Password Modified by Admin; CCF: Password Modified by Another User; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Local Account Created and Used; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event | CCF: Non-Encrypted Protocol Alarm; CCF: Early TLS/SSL Alarm; CCF: FIM Delete Activity Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Blacklisted Account Alarm; CCF: Priv Group Access Granted Alarm; CCF: PRD Envir Config/Policy Change Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: Software Install Fail Alarm; CCF: Software Uninstall Fail Alarm; CCF: Unknown User Account Alarm; CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: User Object Access Inv; CCF: Object Access Inv; CCF: Unknown User Account Inv; CCF: GeoIP Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: Config/Policy Change Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Critical Environment Error Inv; CCF: Audit Log Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv; CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary; CCF: Applications Accessed By User Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Patch Activity Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Critical Environment Error Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modification Summary; CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
2.2.1 | 2.2.1.1 | CCF: FIM Abnormal Activity; CCF: FIM Add Activity; CCF: FIM General Activity; CCF: FIM Information; CCF: Data Loss Prevention; CCF: Data Destruction; CCF: Data Exfiltration Observed; CCF: Large Outbound Transfer; CCF: Abnormal Amount of Data Transferred; CCF: Corroborated Data Access Anomalies; CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Config Modified; CCF: Social Media Event; CCF: Windows RunAs Privilege Escalation; CCF: Linux sudo Privilege Escalation; CCF: Blacklist Location Auth; CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Software Install; CCF: Software Uninstall; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Abnormal Origin Location; CCF: Corroborated Account Anomalies; CCF: Password Modified by Admin; CCF: Password Modified by Another User; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Local Account Created and Used; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event | CCF: Non-Encrypted Protocol Alarm; CCF: Early TLS/SSL Alarm; CCF: FIM Delete Activity Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Blacklisted Account Alarm; CCF: Priv Group Access Granted Alarm; CCF: PRD Envir Config/Policy Change Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: Software Install Fail Alarm; CCF: Software Uninstall Fail Alarm; CCF: Unknown User Account Alarm; CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: User Object Access Inv; CCF: Object Access Inv; CCF: Unknown User Account Inv; CCF: GeoIP Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: Config/Policy Change Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Critical Environment Error Inv; CCF: Audit Log Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv; CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary; CCF: Applications Accessed By User Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Patch Activity Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Critical Environment Error Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modification Summary; CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
N/A | 2.2.1.2 | CCF: FIM Abnormal Activity; CCF: FIM Add Activity; CCF: FIM General Activity; CCF: FIM Information; CCF: Data Loss Prevention; CCF: Data Destruction; CCF: Data Exfiltration Observed; CCF: Large Outbound Transfer; CCF: Abnormal Amount of Data Transferred; CCF: Corroborated Data Access Anomalies; CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Config Modified; CCF: Social Media Event; CCF: Windows RunAs Privilege Escalation; CCF: Linux sudo Privilege Escalation; CCF: Blacklist Location Auth; CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Software Install; CCF: Software Uninstall; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Abnormal Origin Location; CCF: Corroborated Account Anomalies; CCF: Password Modified by Admin; CCF: Password Modified by Another User; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Local Account Created and Used; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event | CCF: Non-Encrypted Protocol Alarm; CCF: Early TLS/SSL Alarm; CCF: FIM Delete Activity Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Blacklisted Account Alarm; CCF: Priv Group Access Granted Alarm; CCF: PRD Envir Config/Policy Change Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: Software Install Fail Alarm; CCF: Software Uninstall Fail Alarm; CCF: Unknown User Account Alarm; CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: User Object Access Inv; CCF: Object Access Inv; CCF: Unknown User Account Inv; CCF: GeoIP Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: Config/Policy Change Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Critical Environment Error Inv; CCF: Audit Log Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv; CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary; CCF: Applications Accessed By User Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Patch Activity Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Critical Environment Error Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modification Summary; CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
N/A | 2.2.1.4 | CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Windows RunAs Privilege Escalation; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Blacklist Location Auth; CCF: Password Modified by Admin; CCF: Admin Password Modified; CCF: Multiple Account Passwords Modified by Admin; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Abnormal Origin Location; CCF: Corroborated Account Anomalies; CCF: Password Modified by Admin; CCF: Password Modified by Another User; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Misuse | CCF: Non-Encrypted Protocol Alarm; CCF: Early TLS/SSL Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Unknown User Account Alarm; CCF: Priv Group Access Granted Alarm; CCF: Blacklisted Account Alarm; CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv; CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Suspicious Users Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: User Misuse Inv; CCF: Unknown User Account Inv; CCF: GeoIP Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: Audit Log Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv; CCF: Password Modification Inv | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: GeoIP Summary; CCF: Physical Access Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Object Access Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modification Summary; CCF: Term Account Activity Summary; CCF: Audit Log Summary; CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
N/A | 2.2.1.5 | CCF: Disabled Account Auth Success; CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Windows RunAs Privilege Escalation; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Blacklist Location Auth; CCF: Abnormal Origin Location; CCF: Auth After Security Event; CCF: Password Modified by Admin; CCF: Admin Password Modified; CCF: Multiple Account Passwords Modified by Admin; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Corroborated Account Anomalies; CCF: Password Modified by Admin; CCF: Password Modified by Another User; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event | CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Unknown User Account Alarm; CCF: Priv Group Access Granted Alarm; CCF: Blacklisted Account Alarm; CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: GeoIP Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: User Object Access Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv; CCF: Audit Log Inv; CCF: Object Access Inv; CCF: Password Modification Inv | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modification Summary; CCF: Term Account Activity Summary; CCF: Object Access Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
N/A | 2.2.1.6 | CCF: Disabled Account Auth Success; CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Windows RunAs Privilege Escalation; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Blacklist Location Auth; CCF: Abnormal Origin Location; CCF: Auth After Security Event; CCF: Password Modified by Admin; CCF: Admin Password Modified; CCF: Multiple Account Passwords Modified by Admin; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Corroborated Account Anomalies; CCF: Password Modified by Admin; CCF: Password Modified by Another User; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event | CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Unknown User Account Alarm; CCF: Priv Group Access Granted Alarm; CCF: Blacklisted Account Alarm; CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: GeoIP Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: User Object Access Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv; CCF: Audit Log Inv; CCF: Object Access Inv; CCF: Password Modification Inv | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modification Summary; CCF: Term Account Activity Summary; CCF: Object Access Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
N/A | 2.2.1.7 | CCF: FIM Abnormal Activity; CCF: FIM Add Activity; CCF: FIM General Activity; CCF: FIM Information; CCF: Data Loss Prevention; CCF: Data Destruction; CCF: Data Exfiltration Observed; CCF: Large Outbound Transfer; CCF: Abnormal Amount of Data Transferred; CCF: Corroborated Data Access Anomalies; CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Config Modified; CCF: Social Media Event; CCF: Windows RunAs Privilege Escalation; CCF: Linux sudo Privilege Escalation; CCF: Blacklist Location Auth; CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Software Install; CCF: Software Uninstall; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Abnormal Origin Location; CCF: Corroborated Account Anomalies; CCF: Password Modified by Admin; CCF: Password Modified by Another User; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Local Account Created and Used; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event | CCF: Non-Encrypted Protocol Alarm; CCF: Early TLS/SSL Alarm; CCF: FIM Delete Activity Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Blacklisted Account Alarm; CCF: Priv Group Access Granted Alarm; CCF: PRD Envir Config/Policy Change Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: Software Install Fail Alarm; CCF: Software Uninstall Fail Alarm; CCF: Unknown User Account Alarm; CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: User Object Access Inv; CCF: Object Access Inv; CCF: Unknown User Account Inv; CCF: GeoIP Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: Config/Policy Change Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Critical Environment Error Inv; CCF: Audit Log Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv; CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary; CCF: Applications Accessed By User Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Patch Activity Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Critical Environment Error Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modification Summary; CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
N/A | 2.2.1.10 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Critical Event After Attack CCF: Social Media Event CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Blacklist Location Auth CCF: Backup Information CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Corroborated Account Anomalies CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.2.1.11 | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Audit Log Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
2.2.2 | N/A | CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Corroborated Account Anomalies CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Audit Log Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Object Access Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
2.3.1 | 2.3.1.1 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Corroborated Account Anomalies CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.3.1.2 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: FIM Information CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Config Modified CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Blacklist Location Auth CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Corroborated Account Anomalies CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Local Account Created and Used CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Critical Environment Error Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.3.1.3 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Physical Access Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Physical Access Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.3.1.4 | CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Corroborated Account Anomalies CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Audit Log Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Object Access Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.3.1.5 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: FIM Information CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Config Modified CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Blacklist Location Auth CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Corroborated Account Anomalies CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Local Account Created and Used CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Critical Environment Error Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.3.1.7 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Social Media Event CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Large Outbound Transfer CCF: Corroborated Account Anomalies CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.3.1.8 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.3.1.9 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Corroborated Account Anomalies CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.3.1.10 | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Audit Log Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.3.1.11 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Config Modified CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Blacklist Location Auth CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Corroborated Account Anomalies CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Local Account Created and Used CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Critical Environment Error Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.3.1.12 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Backup Information CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.3.1.13 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Physical Access Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Physical Access Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
2.3.2 | N/A | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Social Media Event CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Large Outbound Transfer CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
2.4.1 | 2.4.1.1 | CCF: Abnormal Amount of Data Transferred CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Software Install CCF: Corroborated Data Access Anomalies CCF: Software Uninstall CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Compromise Detected Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: FIM Delete Activity Alarm CCF: Denial Of Service Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: User Object Access Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Denial Of Service Inv CCF: Unknown User Account Inv CCF: Suspicious Users Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Audit Log Summary CCF: User Object Access Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Object Access Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.4.1.2 | CCF: Abnormal Amount of Data Transferred CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Software Install CCF: Corroborated Data Access Anomalies CCF: Software Uninstall CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Compromise Detected Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: FIM Delete Activity Alarm CCF: Denial Of Service Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: User Object Access Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Denial Of Service Inv CCF: Unknown User Account Inv CCF: Suspicious Users Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Audit Log Summary CCF: User Object Access Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Object Access Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.4.1.3 | CCF: Abnormal Amount of Data Transferred CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Software Install CCF: Corroborated Data Access Anomalies CCF: Software Uninstall CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Compromise Detected Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: FIM Delete Activity Alarm CCF: Denial Of Service Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: User Object Access Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Denial Of Service Inv CCF: Unknown User Account Inv CCF: Suspicious Users Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Audit Log Summary CCF: User Object Access Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Object Access Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.4.1.6 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Config Change After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: LogRhythm Silent Log Source Error Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Blacklisted Account Alarm CCF: Rogue Access Point Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Delete Activity Alarm CCF: Privilege Escalation After Attack Alarm CCF: Suspected Wireless Attack Alarm | CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Object Access Inv CCF: Suspected Wireless Attack Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Rogue Access Point Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Object Access Summary CCF: Suspected Wireless Attack Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.4.1.8 | CCF: Abnormal Amount of Data Transferred CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Software Install CCF: Corroborated Data Access Anomalies CCF: Software Uninstall CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Compromise Detected Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: FIM Delete Activity Alarm CCF: Denial Of Service Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: User Object Access Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Denial Of Service Inv CCF: Unknown User Account Inv CCF: Suspicious Users Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Audit Log Summary CCF: User Object Access Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Object Access Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.4.1.9 | CCF: Abnormal Amount of Data Transferred CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Software Install CCF: Corroborated Data Access Anomalies CCF: Software Uninstall CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Compromise Detected Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: FIM Delete Activity Alarm CCF: Denial Of Service Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: User Object Access Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Denial Of Service Inv CCF: Unknown User Account Inv CCF: Suspicious Users Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Audit Log Summary CCF: User Object Access Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Object Access Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.4.1.10 | CCF: Abnormal Amount of Data Transferred CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Software Install CCF: Corroborated Data Access Anomalies CCF: Software Uninstall CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Compromise Detected Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: FIM Delete Activity Alarm CCF: Denial Of Service Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: User Object Access Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Denial Of Service Inv CCF: Unknown User Account Inv CCF: Suspicious Users Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Audit Log Summary CCF: User Object Access Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Object Access Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.4.1.11 | CCF: Abnormal Amount of Data Transferred CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Software Install CCF: Corroborated Data Access Anomalies CCF: Software Uninstall CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Compromise Detected Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: FIM Delete Activity Alarm CCF: Denial Of Service Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: User Object Access Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Denial Of Service Inv CCF: Unknown User Account Inv CCF: Suspicious Users Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Audit Log Summary CCF: User Object Access Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Object Access Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.4.1.12 | CCF: Abnormal Amount of Data Transferred CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Software Install CCF: Corroborated Data Access Anomalies CCF: Software Uninstall CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Compromise Detected Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: FIM Delete Activity Alarm CCF: Denial Of Service Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: User Object Access Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Denial Of Service Inv CCF: Unknown User Account Inv CCF: Suspicious Users Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Object Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Audit Log Summary CCF: User Object Access Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: Object Access Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.4.1.15 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Account Modification CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Physical Access Inv CCF: Denial Of Service Inv CCF: Account Modification Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Physical Access Summary CCF: Account Modification Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.4.1.16 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Social Media Event CCF: Config Change After Attack CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Corroborated Account Anomalies CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Denial Of Service Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
2.5.1 | 2.5.1.1 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Password Modified by Another User CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Backup Activity Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.5.1.2 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Critical Event After Attack CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Corroborated Account Anomalies CCF: Misuse CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Backup Activity Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: GeoIP Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: Suspicious Users Inv CCF: Physical Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Backup Activity Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: Social Media Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Physical Access Summary CCF: GeoIP Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.5.1.3 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Corroborated Account Anomalies CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.5.1.5 | CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: Excessive Authentication Failure Rule CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Misuse | CCF: LogRhythm Silent Log Source Error Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Delete Activity Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: User Misuse Summary | CCF: Host Access Granted And Revoked Detail |
2.5.2 | N/A | CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Software Install CCF: Software Uninstall | CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Audit Log Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Audit Log Summary | |
2.6.1 | 2.6.1.1 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: Corroborated Account Anomalies CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Abnormal Origin Location CCF: Attack then External Connection CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Backup Activity Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Social Media Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: Suspicious Users Inv CCF: Physical Access Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Backup Activity Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: Social Media Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Physical Access Summary CCF: GeoIP Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.6.1.2 | CCF: Abnormal Amount of Data Transferred CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Abnormal Origin Location CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Compromise Detected Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: FIM Delete Activity Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Audit Log Summary CCF: User Object Access Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Object Access Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.6.1.3 | CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Software Install CCF: Software Uninstall | CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Audit Log Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Audit Log Summary | |
N/A | 2.6.1.4 | CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Software Install CCF: Software Uninstall | CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Audit Log Inv | CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Audit Log Summary | |
2.6.2 | N/A | CCF: Abnormal Amount of Data Transferred CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Blacklist Location Auth CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Config Modified CCF: Large Outbound Transfer CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Corroborated Data Access Anomalies CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Abnormal Origin Location CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Compromise Detected Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: FIM Delete Activity Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Audit Log Summary CCF: User Object Access Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Top Suspicious Users CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Object Access Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
2.7.1 | N/A | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Attack then External Connection | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: LogRhythm Data Loss Defender Log Summary | |
2.7.2 | N/A | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Attack then External Connection | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: LogRhythm Data Loss Defender Log Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: LogRhythm Data Loss Defender Log Summary | |
2.8.1 | 2.8.1.1 | CCF: Backup Information | CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Time Sync Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm | CCF: Critical Environment Error Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv | CCF: Critical Environment Error Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary | |
N/A | 2.8.1.2 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Excessive Authentication Failure Rule CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Attack then External Connection | CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: FIM Delete Activity Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm | CCF: Critical Environment Error Inv CCF: Backup Activity Inv CCF: Physical Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Time Sync Error Inv CCF: Applications Accessed By User Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Excessive Authentication Failure Inv | CCF: Critical Environment Error Summary CCF: Backup Activity Summary CCF: Physical Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: User Object Access Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary | |
N/A | 2.8.1.3 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Excessive Authentication Failure Rule CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Attack then External Connection | CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: FIM Delete Activity Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm | CCF: Critical Environment Error Inv CCF: Backup Activity Inv CCF: Physical Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Time Sync Error Inv CCF: Applications Accessed By User Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Excessive Authentication Failure Inv | CCF: Critical Environment Error Summary CCF: Backup Activity Summary CCF: Physical Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: User Object Access Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary | |
N/A | 2.8.1.4 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Excessive Authentication Failure Rule CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Attack then External Connection | CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: FIM Delete Activity Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm | CCF: Critical Environment Error Inv CCF: Backup Activity Inv CCF: Physical Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Time Sync Error Inv CCF: Applications Accessed By User Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Excessive Authentication Failure Inv | CCF: Critical Environment Error Summary CCF: Backup Activity Summary CCF: Physical Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: User Object Access Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary | |
2.8.2 | N/A | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Excessive Authentication Failure Rule CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Attack then External Connection | CCF: Backup Failure Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: FIM Delete Activity Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm | CCF: Critical Environment Error Inv CCF: Backup Activity Inv CCF: Physical Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Time Sync Error Inv CCF: Applications Accessed By User Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Excessive Authentication Failure Inv | CCF: Critical Environment Error Summary CCF: Backup Activity Summary CCF: Physical Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: User Object Access Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary | |
2.9.1 | 2.9.1.1 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Social Media Event CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Large Outbound Transfer CCF: Corroborated Account Anomalies CCF: Config Change After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.9.1.2 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Backup Information CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Large Outbound Transfer CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Password Modified by Admin CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
2.11.1 | 2.11.1.1 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Config Modified CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Blacklist Location Auth CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Corroborated Account Anomalies CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Local Account Created and Used CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Critical Environment Error Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.11.1.2 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Config Modified CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Blacklist Location Auth CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Corroborated Account Anomalies CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Local Account Created and Used CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Critical Environment Error Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.11.1.3 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Backup Information CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Corroborated Account Anomalies CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.11.1.4 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Config Modified CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Blacklist Location Auth CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Abnormal Origin Location CCF: Corroborated Account Anomalies CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Local Account Created and Used CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Unknown User Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: User Object Access Inv CCF: Object Access Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Critical Environment Error Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.11.1.5 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.11.1.6 | CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Concurrent VPN from Multiple Locations CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Abnormal Origin Location | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: User Object Access Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Escalation Inv CCF: Privileged Account Modification Inv CCF: Excessive Authentication Failure Inv CCF: Rogue Access Point Inv CCF: Audit Log Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Object Access Inv CCF: User Misuse Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: User Object Access Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Misuse Summary CCF: Rogue Access Point Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Object Access Summary CCF: User Object Access Summary | CCF: Unknown User Account Detail CCF: Host Access Granted And Revoked Detail |
N/A | 2.11.1.7 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Social Media Event CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Large Outbound Transfer CCF: Corroborated Account Anomalies CCF: Config Change After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.11.1.8 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Software Install CCF: Software Uninstall CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Corroborated Account Anomalies CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.11.1.9 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Software Install CCF: Software Uninstall CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.11.1.10 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Large Outbound Transfer CCF: Disabled Account Auth Success CCF: Config Change After Attack CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Corroborated Account Anomalies CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Admin CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
2.11.2 | N/A | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Config Deleted/Disabled CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Software Install CCF: Software Uninstall CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
2.12.1 | 2.12.1.2 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Social Media Event CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Corroborated Account Anomalies CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.12.1.2 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Social Media Event CCF: Config Change After Attack CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Blacklist Location Auth CCF: Backup Information CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Corroborated Account Anomalies CCF: Software Install CCF: Software Uninstall CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.12.1.3 | CCF: Abnormal Amount of Data Transferred CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Social Media Event CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Backup Information CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Large Outbound Transfer CCF: Corroborated Account Anomalies CCF: Disabled Account Auth Success CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Password Modified by Admin CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.12.1.8 | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Software Install CCF: Software Uninstall CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 2.13.1.2 | CCF: Excessive Authentication Failure Rule | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm | CCF: Physical Access Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv | CCF: Physical Access Summary CCF: Audit Log Summary | |
N/A | 2.13.1.3 | CCF: Excessive Authentication Failure Rule | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm | CCF: Physical Access Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv | CCF: Physical Access Summary CCF: Audit Log Summary | |
N/A | 2.13.1.5 | CCF: Excessive Authentication Failure Rule | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm | CCF: Physical Access Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv | CCF: Physical Access Summary CCF: Audit Log Summary | |
2.13.2 | N/A | CCF: Excessive Authentication Failure Rule | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm | CCF: Physical Access Inv CCF: Audit Log Inv CCF: Excessive Authentication Failure Inv | CCF: Physical Access Summary CCF: Audit Log Summary | |
3.1.1 | 3.1.1.1 | CCF: Backup Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Local Account Created and Used CCF: Corroborated Account Anomalies CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location | CCF: Backup Failure Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Backup Activity Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Host Access Granted And Revoked Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Social Media Inv | CCF: Backup Activity Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 3.1.1.2 | CCF: Backup Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Local Account Created and Used CCF: Corroborated Account Anomalies CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location | CCF: Backup Failure Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Backup Activity Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Host Access Granted And Revoked Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Social Media Inv | CCF: Backup Activity Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 3.1.1.3 | CCF: Backup Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Local Account Created and Used CCF: Corroborated Account Anomalies CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location | CCF: Backup Failure Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Backup Activity Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Host Access Granted And Revoked Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Social Media Inv | CCF: Backup Activity Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 3.1.1.4 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Social Media Event CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Corroborated Account Anomalies CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 3.1.1.5 | CCF: Backup Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Config Modified CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Local Account Created and Used CCF: Corroborated Account Anomalies CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location | CCF: Backup Failure Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Backup Activity Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Host Access Granted And Revoked Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Social Media Inv | CCF: Backup Activity Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 3.1.1.6 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Social Media Event CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Corroborated Account Anomalies CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
3.1.2 | N/A | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Social Media Event CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Corroborated Account Anomalies CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Compromises Detected Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
N/A | 4.1.1.4 | CCF: FIM Abnormal Activity CCF: FIM Add Activity CCF: FIM General Activity CCF: FIM Information CCF: Data Loss Prevention CCF: Data Destruction CCF: Data Exfiltration Observed CCF: Large Outbound Transfer CCF: Abnormal Amount of Data Transferred CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Social Media Event CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Backup Information CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Corroborated Account Anomalies CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: FIM Delete Activity Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Backup Failure Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Time Sync Error Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm CCF: Blacklisted Account Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Social Media Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Backup Activity Inv CCF: Audit Log Inv CCF: Compromises Detected Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
4.1.2 | N/A | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Critical Event After Attack CCF: Config Deleted/Disabled CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Disabled Account Auth Success CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Physical Access Inv CCF: Denial Of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Physical Access Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |