NCSC - Investigations
The table below includes an "NCSC CAF 4.0 Migration Mapping" column. When cloning each Knowledge Base item for a CAF 4.0 implementation, add the mappings shown in that column to the corresponding Knowledge Base items in your LogRhythm deployment.
With this cloning guidance in mind, use the table below to identify the CAF 4.0 mapping recommended for each investigation.
For more information on CAF 4.0 and the changes introduced with its August 2025 release, refer to the NCSC CAF front page.
| Name | Description | Investigation ID | NCSC Control Support | NCSC CAF 4.0 Migration Mapping | Data Source | Classifications | Log Sources |
|---|---|---|---|---|---|---|---|
CCF: Account Modification Inv | This investigation provides details around account modifications across the environment. | 709 | B2.a.01, B2.a.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03 | No changes. | Platform Manager(s) | Audit | All Available Log Sources |
CCF: Applications Accessed By User Inv | This investigation provides information about user-accessed applications. | 689 | B2.a.01, B2.a.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03 | C1.f (NEW – Behavior & TI integration); supports CAF 4.0’s added behavioral monitoring expectations. | Data Processor(s) | Audit | All Available Log Sources |
CCF: Audit Log Inv | This investigation provides details around potential control failures around auditing systems. This requires the configuration and enablement of the CCF: Audit Logging Stopped Alarm, CCF: Audit Log Cleared Alarm, and CCF: Failed Audit Log Write Alarms. | 701 | B2.a.01, B2.a.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03 | No changes. | Platform Manager(s) | Audit | All Available Log Sources |
CCF: Backup Activity Inv | This investigation provides details around activity from backup events. | 688 | B4.a.04, B5.c.01, B5.c.03, D1.b.04 | No changes. | Data Processor(s) | Operations | All Available Log Sources |
CCF: Compromises Detected Inv | This investigation provides a summary of detected compromises of security by Entity and Impacted Host. | 690 | B2.a.01, B2.a.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03 | C1.f (NEW) for behavior+TI context; C2.b (expanded: Threat Hunting) to formalize structured hunts around compromise indicators. | LogMart(s) | Security | All Available Log Sources |
CCF: Config/Policy Change Inv | This investigation provides a summary of the occurrence of configuration or policy changes across critical and production environments (entity structure). | 675 | B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, B4.d.02, C1.d.03 | No changes. | Data Processor(s) | Audit | All Available Log Sources |
CCF: Critical Environment Error Inv | This investigation provides summary details around critical or error messages received from critical servers or systems (entity structure) to support change management procedures. | 676 | B2.a.01, B2.a.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03 | No changes. | Platform Manager(s) | Operations | All Available Log Sources |
CCF: Deleted Account Inv | This investigation provides detailed information when any new accounts are deleted across any logged environments (entity structure). | 706 | B2.a.01, B2.a.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03 | C1.f (NEW) to reflect behavioral account lifecycle monitoring in CAF 4.0. | Platform Manager(s) | Audit | All Available Log Sources |
CCF: Denial of Service Inv | This investigation provides details of detected denial of service attempts. | 707 | B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, B4.d.02, C1.d.03 | No changes. | Data Processor(s) | Security | All Available Log Sources |
CCF: Disabled Account Inv | This investigation provides detailed information when any new accounts are revoked (disabled) across any logged environments (entity structure). | 705 | B2.a.01, B2.a.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03 | C1.f (NEW) to incorporate user/system behavior baselining. | Platform Manager(s) | Audit | All Available Log Sources |
CCF: Enabled Account Inv | This investigation provides detailed information when any new accounts are granted (enabled) across any logged environments (entity structure). | 704 | B2.a.01, B2.a.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03 | C1.f (NEW) for behavior‑aware monitoring in CAF 4.0. | Platform Manager(s) | Audit | All Available Log Sources |
CCF: Excessive Authentication Failure Inv | This investigation provides detailed information around excessive user account authentication failures (>10 authentication failures in 30 minutes) across any logged environments (entity structure). | 708 | B2.a.01, B2.a.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03 | C1.f (NEW) for behavioral deviations; C2.b (expanded) to reflect structured hunting around auth‑failure campaigns. | Platform Manager(s) | Security | All Available Log Sources |
CCF: GeoIP Inv | This report summarizes GeoIP activity that is associated with AI Engine GeoIP rules, in the CCF compliance automation suite. | 696 | B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, B4.d.02, C1.d.03 | C1.f (NEW) to incorporate behavior context and TI into geo‑anomaly monitoring. | Platform Manager(s) | Security | All Available Log Sources |
CCF: Host Access Granted And Revoked Inv | This investigation details all access granted and revoked for production systems. | 691 | B2.a.01, B2.a.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03 | C1.f (NEW) to reflect behavioral access baselines and anomalies in CAF 4.0. | Data Processor(s) | Audit | All Available Log Sources |
CCF: LogRhythm Data Loss Defender Log Inv | This investigation provides information on data generated by the LogRhythm Data Loss Defender. Data is grouped by Entity, Impacted Host, Common Event, and Object with a count of how many times that condition has been experienced within the investigation period. | 692 | B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04 | No changes. | Data Processor(s) | Audit | All Available Log Sources |
CCF: Malware Detected Inv | This investigation provides a summary of malware activity by entity and impacted host within the organization's critical and production environments (entity structure). | 677 | B4.c.03 | No changes. | Platform Manager(s) | Security | All Available Log Sources |
CCF: Object Access Inv | This investigation summarizes object access by Impacted Host. | 693 | B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04 | C1.f (NEW) to include host‑behavior baselining (system behavior) under CAF 4.0. | Data Processor(s) | Audit | All Available Log Sources |
CCF: Password Modification Inv | This investigation provides detail around password modification to accounts within the environment. | 702 | B2.a.01, B2.a.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03 | C1.f (NEW) for behavior‑driven password change monitoring. | Platform Manager(s) | Audit | All Available Log Sources |
CCF: Patch Activity Inv | This investigation provides a summary of applied patches grouped by Origin Host. It can demonstrate that all system components have the latest security patches installed. | 678 | B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, B4.d.02, C1.d.03 | A4.b (NEW – Secure Software Development & Support) to reflect secure software lifecycle/maintenance expectations added in CAF 4.0. | Data Processor(s) | Security | All Available Log Sources |
CCF: Physical Access Inv | This investigation summarizes physical door access/authentication success and failures within the organization's physical security perimeter. | 679 | B2.a.01, B2.a.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03 | No changes. | Platform Manager(s) | Audit | All Available Log Sources |
CCF: Privileged Account Escalation Inv | This investigation provides detail around privileged access escalation within a Linux and Windows OS. This requires configuration and enablement of CCF: Windows RunAs Privilege Escalation and CCF: Linux sudo Privilege Escalation AIE rules. | 700 | B2.a.01, B2.a.02, B2.c.01, B2.c.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03 | C1.f (NEW) for behavior baselining of privileged actions; C2.b (expanded) to align with structured threat‑hunting on privilege escalation patterns. | Platform Manager(s) | Security | All Available Log Sources |
CCF: Privileged Account Modification Inv | This investigation provides details around modifications made to privileged accounts within the environment. This investigation requires the CCF: Privileged Accounts (user list) to be established and updated periodically. | 703 | B2.a.01, B2.a.02, B2.c.01, B2.c.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03 | C1.f (NEW) to incorporate behavior‑focused monitoring of privileged changes. | Data Processor(s) | Audit | All Available Log Sources |
CCF: Rogue Access Point Inv | This investigation provides a summary of all detected rogue wireless access points by Impacted Host across critical, production, and online banking environments (entity structure). | 680 | B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, B4.d.02, C1.d.03 | No changes. | Platform Manager(s) | Security | All Available Log Sources |
CCF: Signature Activity Inv | This investigation provides summary information on signature update activity across critical and production environments (entity structure). | 681 | B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, B4.d.02, C1.d.03 | No changes. | LogMart(s) | Operations | All Available Log Sources |
CCF: Suspected Wireless Attack Inv | This investigation provides information on suspected wireless attacks at the internal boundary, including the type of attack and impacted (targeted) host and application (if applicable). This is based on Critical and Production environments (can be defined with entity structure). | 682 | B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, B4.d.02, C1.d.03 | No changes. | Platform Manager(s) | Security | All Available Log Sources |
CCF: Suspicious Users Inv | This investigation lists all users generating suspicious activity ordered by the number of events detected, from highest to lowest. | 685 | B2.a.01, B2.a.02, B2.c.01, B2.c.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03 | C1.f (NEW) for behavior analytics; C2.b (expanded) to reflect formalized hunting of anomalous users. | Data Processor(s) | Security | All Available Log Sources |
CCF: Time Sync Error Inv | This investigation provides a summary of time sync errors occurring within critical and production environments (can be defined with entity structure). | 683 | B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, B4.d.02, C1.d.03 | No changes. | Platform Manager(s) | Audit | All Available Log Sources |
CCF: Unknown User Account Inv | This investigation provides detail of activity from unknown user accounts, based off of CCF user lists. | 697 | B2.a.01, B2.a.02, B2.c.01, B2.c.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03 | C1.f (NEW) to incorporate behavior baselining for unknown/unsanctioned accounts. | Data Processor(s) | Security | All Available Log Sources |
CCF: Use Of Non-Encrypted Protocols Inv | This investigation lists any use of non-encrypted protocols. | 686 | B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04 | No changes. | LogMart(s) | Audit | All Available Log Sources |
CCF: User Misuse Inv | This investigation summarizes detected misuse by user. | 687 | B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04 | No changes. | Platform Manager(s) | Security | All Available Log Sources |
CCF: User Object Access Inv | This investigation summarizes successful object access activity by user. | 694 | B2.a.01, B2.a.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03 | C1.f (NEW) to reflect user/system behavior understanding in CAF 4.0. | Data Processor(s) | Audit | All Available Log Sources |
CCF: Vulnerability Detected Inv | This investigation provides a summary of potential vulnerabilities detected across the critical and production environments (can be defined with entity structure). | 684 | B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, B4.d.02, C1.d.03 | A4.b (NEW) to capture CAF 4.0’s SDLC & supplier security expectations tied to vulnerability management. | Platform Manager(s) | Security | All Available Log Sources |
*NCSC Control Key

| Control Format | Definition |
|---|---|
| xx.x.xx | Objective & Principle, Sub-Objective, Indicators of Good Practice (IGP) |