| Control ID | Support Summary | AIE Rules | AIE Alerts | Investigations | Summary Reports | Detailed Report |
|---|---|---|---|---|---|---|
| A1.a.02 | | | | | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Modification Summary; CCF: Object Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Misuse Summary; CCF: Rogue Access Point Summary | |
| A1.c.03 | | | | | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Modification Summary; CCF: Object Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Misuse Summary; CCF: Rogue Access Point Summary | |
| A2.a.01 | | | | | CCF: Top Suspicious Users; CCF: GeoIP Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Audit Log Summary; CCF: Object Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Misuse Summary; CCF: Rogue Access Point Summary | |
| A2.a.03 | | | | | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Modification Summary; CCF: Object Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Misuse Summary; CCF: Rogue Access Point Summary | |
| A2.a.04 | | | | | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Modification Summary; CCF: Object Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Misuse Summary; CCF: Rogue Access Point Summary | |
| A2.a.08 | | | | | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Modification Summary; CCF: Object Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Misuse Summary; CCF: Rogue Access Point Summary | |
| A2.b.01 | | | | | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Modification Summary; CCF: Object Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Misuse Summary; CCF: Rogue Access Point Summary | |
| B1.a.01 | | | | | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Modification Summary; CCF: Object Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Misuse Summary; CCF: Rogue Access Point Summary | |
| B2.a.01 | | CCF: Disabled Account Auth Success; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Password Modified by Admin; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Password Modified by Another User; CCF: Auth After Numerous Failed Auths | CCF: Priv Group Access Granted Alarm; CCF: Blacklisted Account Alarm | CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: User Object Access Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
| B2.a.02 | | CCF: Disabled Account Auth Success; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Password Modified by Admin; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Password Modified by Another User; CCF: Auth After Numerous Failed Auths | CCF: Priv Group Access Granted Alarm; CCF: Blacklisted Account Alarm | CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: User Object Access Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
| B2.a.03 | | CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Excessive Authentication Failure Rule | | | | |
| B2.a.04 | | CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Excessive Authentication Failure Rule | | | | |
| B2.a.05 | | | | | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary | |
| B2.a.06 | | | | | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary | |
| B2.c.01 | | CCF: Linux sudo Privilege Escalation; CCF: Admin Password Modified | CCF: Priv Group Access Granted Alarm | CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv | CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
| B2.c.02 | | CCF: Linux sudo Privilege Escalation; CCF: Admin Password Modified | CCF: Priv Group Access Granted Alarm | CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv | CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
| B2.c.03 | | | | | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Modification Summary; CCF: Object Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Misuse Summary; CCF: Rogue Access Point Summary | |
| B2.c.04 | | CCF: Disabled Account Auth Success; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Password Modified by Admin; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Password Modified by Another User; CCF: Auth After Numerous Failed Auths | CCF: Priv Group Access Granted Alarm; CCF: Blacklisted Account Alarm | CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: User Object Access Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
| B2.c.05 | | CCF: Disabled Account Auth Success; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Password Modified by Admin; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Password Modified by Another User; CCF: Auth After Numerous Failed Auths | CCF: Priv Group Access Granted Alarm; CCF: Blacklisted Account Alarm | CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: User Object Access Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
| B2.c.06 | | | | | CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary | |
| B2.c.07 | | | | | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary | |
| B2.c.08 | | CCF: Disabled Account Auth Success; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Password Modified by Admin; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Password Modified by Another User; CCF: Auth After Numerous Failed Auths | CCF: Priv Group Access Granted Alarm; CCF: Blacklisted Account Alarm | CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: User Object Access Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
| B2.d.02 | | CCF: Disabled Account Auth Success; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Password Modified by Admin; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Password Modified by Another User; CCF: Auth After Numerous Failed Auths | CCF: Priv Group Access Granted Alarm; CCF: Blacklisted Account Alarm | CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: User Object Access Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
| B2.d.03 | | CCF: Disabled Account Auth Success; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Password Modified by Admin; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Password Modified by Another User; CCF: Auth After Numerous Failed Auths | CCF: Priv Group Access Granted Alarm; CCF: Blacklisted Account Alarm | CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: User Object Access Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
| B2.d.04 | | | | | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary | |
| B2.d.05 | | CCF: Disabled Account Auth Success; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Password Modified by Admin; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Password Modified by Another User; CCF: Auth After Numerous Failed Auths | CCF: Priv Group Access Granted Alarm; CCF: Blacklisted Account Alarm | CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: User Object Access Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
| B3.b.02 | | CCF: FIM Information; CCF: Data Loss Prevention; CCF: FIM General Activity; CCF: FIM Add Activity; CCF: FIM Abnormal Activity; CCF: Large Outbound Transfer; CCF: Data Exfiltration Observed; CCF: Data Destruction; CCF: Abnormal Amount of Data Transferred; CCF: Misuse; CCF: Config Change After Attack; CCF: Config Modified; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled | CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: FIM Delete Activity Alarm; CCF: Early TLS/SSL Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: PRD Envir Config/Policy Change Alarm | CCF: Physical Access Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: User Misuse Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Config/Policy Change Inv | CCF: Physical Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Audit Log Summary; CCF: Suspected Wireless Attack Summary; CCF: Rogue Access Point Summary | |
| B3.c.02 | | CCF: FIM Information; CCF: Data Loss Prevention; CCF: FIM General Activity; CCF: FIM Add Activity; CCF: FIM Abnormal Activity; CCF: Large Outbound Transfer; CCF: Data Exfiltration Observed; CCF: Data Destruction; CCF: Abnormal Amount of Data Transferred; CCF: Misuse; CCF: Config Change After Attack; CCF: Config Modified; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled | CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: FIM Delete Activity Alarm; CCF: Early TLS/SSL Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: PRD Envir Config/Policy Change Alarm | CCF: Physical Access Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: User Misuse Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Config/Policy Change Inv | CCF: Physical Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Audit Log Summary; CCF: Suspected Wireless Attack Summary; CCF: Rogue Access Point Summary | |
| B3.c.03 | | CCF: FIM Information; CCF: Data Loss Prevention; CCF: FIM General Activity; CCF: FIM Add Activity; CCF: FIM Abnormal Activity; CCF: Large Outbound Transfer; CCF: Data Exfiltration Observed; CCF: Data Destruction; CCF: Abnormal Amount of Data Transferred; CCF: Misuse; CCF: Config Change After Attack; CCF: Config Modified; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled | CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: FIM Delete Activity Alarm; CCF: Early TLS/SSL Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: PRD Envir Config/Policy Change Alarm | CCF: Physical Access Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: User Misuse Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Config/Policy Change Inv | CCF: Physical Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Audit Log Summary; CCF: Suspected Wireless Attack Summary; CCF: Rogue Access Point Summary | |
| B3.c.04 | | CCF: FIM Information; CCF: Data Loss Prevention; CCF: FIM General Activity; CCF: FIM Add Activity; CCF: FIM Abnormal Activity; CCF: Large Outbound Transfer; CCF: Data Exfiltration Observed; CCF: Data Destruction; CCF: Abnormal Amount of Data Transferred; CCF: Misuse; CCF: Config Change After Attack; CCF: Config Modified; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled | CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: FIM Delete Activity Alarm; CCF: Early TLS/SSL Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: PRD Envir Config/Policy Change Alarm | CCF: Physical Access Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: User Misuse Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Config/Policy Change Inv | CCF: Physical Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Audit Log Summary; CCF: Suspected Wireless Attack Summary; CCF: Rogue Access Point Summary | |
| B3.c.05 | | CCF: FIM Information; CCF: Data Loss Prevention; CCF: FIM General Activity; CCF: FIM Add Activity; CCF: FIM Abnormal Activity; CCF: Large Outbound Transfer; CCF: Data Exfiltration Observed; CCF: Data Destruction; CCF: Abnormal Amount of Data Transferred; CCF: Misuse; CCF: Config Change After Attack; CCF: Config Modified; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled | CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: FIM Delete Activity Alarm; CCF: Early TLS/SSL Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: PRD Envir Config/Policy Change Alarm | CCF: Physical Access Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: User Misuse Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Config/Policy Change Inv | CCF: Physical Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Audit Log Summary; CCF: Suspected Wireless Attack Summary; CCF: Rogue Access Point Summary | |
| B3.d.01 | | CCF: FIM Information; CCF: Data Loss Prevention; CCF: FIM General Activity; CCF: FIM Add Activity; CCF: FIM Abnormal Activity; CCF: Large Outbound Transfer; CCF: Data Exfiltration Observed; CCF: Data Destruction; CCF: Abnormal Amount of Data Transferred; CCF: Misuse; CCF: Config Change After Attack; CCF: Config Modified; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled | CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: FIM Delete Activity Alarm; CCF: Early TLS/SSL Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: PRD Envir Config/Policy Change Alarm | CCF: Physical Access Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: User Misuse Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Config/Policy Change Inv | CCF: Physical Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Audit Log Summary; CCF: Suspected Wireless Attack Summary; CCF: Rogue Access Point Summary | |
| B4.a.04 | | CCF: Backup Information | CCF: Backup Failure Alarm | CCF: Backup Activity Inv | CCF: Backup Activity Summary | |
| B4.b.02 | | CCF: FIM Information; CCF: Data Loss Prevention; CCF: FIM General Activity; CCF: FIM Add Activity; CCF: FIM Abnormal Activity; CCF: Large Outbound Transfer; CCF: Data Exfiltration Observed; CCF: Data Destruction; CCF: Abnormal Amount of Data Transferred; CCF: Misuse; CCF: Config Change After Attack; CCF: Config Modified; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled | CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: FIM Delete Activity Alarm; CCF: Early TLS/SSL Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: PRD Envir Config/Policy Change Alarm | CCF: Physical Access Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: User Misuse Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Config/Policy Change Inv | CCF: Physical Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Audit Log Summary; CCF: Suspected Wireless Attack Summary; CCF: Rogue Access Point Summary | |
| B4.b.03 | | CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: Large Outbound Transfer
CCF: Data Exfiltration Observed
CCF: Data Destruction
CCF: Abnormal Amount of Data Transferred
CCF: Misuse
CCF: Config Change After Attack
CCF: Config Modified
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: FIM Delete Activity Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
|
CCF: Physical Access Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Audit Log Summary
CCF: Suspected Wireless Attack Summary
CCF: Rogue Access Point Summary
|
|
|
B4.b.04
|
|
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: Large Outbound Transfer
CCF: Data Exfiltration Observed
CCF: Data Destruction
CCF: Abnormal Amount of Data Transferred
CCF: Misuse
CCF: Config Change After Attack
CCF: Config Modified
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: FIM Delete Activity Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
|
CCF: Physical Access Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Audit Log Summary
CCF: Suspected Wireless Attack Summary
CCF: Rogue Access Point Summary
|
|
|
B4.b.05
|
|
CCF: Software Install
CCF: Software Uninstall
|
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
|
|
|
|
|
B4.c.03
|
|
CCF: Malware Event
CCF: Software Install
CCF: Software Uninstall
|
CCF: Malware Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
|
CCF: Malware Detected Inv
|
CCF: Malware Detected Summary
|
|
|
B4.d.02
|
|
|
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
|
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
|
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
|
|
|
B5.a.02
|
|
|
|
|
|
|
|
B5.c.01
|
|
CCF: Backup Information
|
CCF: Backup Failure Alarm
|
CCF: Backup Activity Inv
|
CCF: Backup Activity Summary
|
|
|
B5.c.03
|
|
CCF: Backup Information
|
CCF: Backup Failure Alarm
|
CCF: Backup Activity Inv
|
CCF: Backup Activity Summary
|
|
|
C1.a.01
|
|
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: Disabled Account Auth Success
CCF: GeoIP General Activity
CCF: Corroborated Data Access Anomalies
CCF: GeoIP Blacklisted Region Activity
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Abnormal Origin Location
CCF: Auth After Security Event
CCF: Large Outbound Transfer
CCF: Data Exfiltration Observed
CCF: Data Destruction
CCF: Corroborated Account Anomalies
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Abnormal Amount of Data Transferred
CCF: Misuse
CCF: Config Change After Attack
CCF: Social Media Event
CCF: Config Modified
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Backup Information
CCF: Attack then External Connection
CCF: Distributed Brute Force
CCF: External Brute Force Auths
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: FIM Delete Activity Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Backup Failure Alarm
CCF: Time Sync Error Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: User Object Access Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
|
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: User Object Access Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Term Account Activity Summary
CCF: Account Deleted Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Modification Summary
CCF: Object Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
C1.a.02
|
LogRhythm SIEM provides detailed log normalization for many log sources out of the box and lets customers create their own policies with the level of detail necessary to aid in the detection of security incidents.
|
|
|
|
|
|
|
C1.a.03
|
LogRhythm SIEM makes it possible to detect lateral movement, exfiltration, malware compromise, ransomware and other IoCs in real time, allowing you to demonstrate compliance with this objective.
|
|
|
|
|
|
|
C1.a.04
|
|
CCF: Disabled Account Auth Success
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
|
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: User Object Access Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
|
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: User Object Access Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Term Account Activity Summary
CCF: Account Deleted Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
C1.a.05
|
|
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: Disabled Account Auth Success
CCF: GeoIP General Activity
CCF: Corroborated Data Access Anomalies
CCF: GeoIP Blacklisted Region Activity
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Abnormal Origin Location
CCF: Auth After Security Event
CCF: Large Outbound Transfer
CCF: Data Exfiltration Observed
CCF: Data Destruction
CCF: Corroborated Account Anomalies
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Abnormal Amount of Data Transferred
CCF: Misuse
CCF: Config Change After Attack
CCF: Social Media Event
CCF: Config Modified
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Backup Information
CCF: Attack then External Connection
CCF: Distributed Brute Force
CCF: External Brute Force Auths
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: FIM Delete Activity Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Backup Failure Alarm
CCF: Time Sync Error Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: User Object Access Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
|
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: User Object Access Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Term Account Activity Summary
CCF: Account Deleted Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Modification Summary
CCF: Object Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
C1.a.06
|
|
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: Disabled Account Auth Success
CCF: GeoIP General Activity
CCF: Corroborated Data Access Anomalies
CCF: GeoIP Blacklisted Region Activity
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Abnormal Origin Location
CCF: Auth After Security Event
CCF: Large Outbound Transfer
CCF: Data Exfiltration Observed
CCF: Data Destruction
CCF: Corroborated Account Anomalies
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Abnormal Amount of Data Transferred
CCF: Misuse
CCF: Config Change After Attack
CCF: Social Media Event
CCF: Config Modified
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Backup Information
CCF: Attack then External Connection
CCF: Distributed Brute Force
CCF: External Brute Force Auths
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: FIM Delete Activity Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Backup Failure Alarm
CCF: Time Sync Error Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: User Object Access Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
|
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: User Object Access Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Term Account Activity Summary
CCF: Account Deleted Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Modification Summary
CCF: Object Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
C1.b.01
|
LogRhythm SIEM protects data and provides auditable information over the logging environment to ensure the accuracy and reliability of log data. See deployment security in the LR docs for more information.
|
|
|
|
|
|
|
C1.b.02
|
LogRhythm SIEM protects data and provides auditable information over the logging environment to ensure the accuracy and reliability of log data. See deployment security in the LR docs for more information.
|
|
|
|
|
|
|
C1.b.03
|
LogRhythm SIEM protects data and provides auditable information over the logging environment to ensure the accuracy and reliability of log data. See deployment security in the LR docs for more information.
|
|
|
|
|
|
|
C1.b.04
|
LogRhythm SIEM protects data and provides auditable information over the logging environment to ensure the accuracy and reliability of log data. See deployment security in the LR docs for more information.
|
|
|
|
|
|
|
C1.b.05
|
LogRhythm SIEM protects data and provides auditable information over the logging environment to ensure the accuracy and reliability of log data. See deployment security in the LR docs for more information.
|
|
|
|
|
|
|
C1.b.06
|
LogRhythm SIEM protects data and provides auditable information over the logging environment to ensure the accuracy and reliability of log data. See deployment security in the LR docs for more information.
|
|
|
|
|
|
|
C1.b.07
|
LogRhythm SIEM protects data and provides auditable information over the logging environment to ensure the accuracy and reliability of log data. See deployment security in the LR docs for more information.
|
|
|
|
|
|
|
C1.c.01
|
|
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: Disabled Account Auth Success
CCF: GeoIP General Activity
CCF: Corroborated Data Access Anomalies
CCF: GeoIP Blacklisted Region Activity
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Abnormal Origin Location
CCF: Auth After Security Event
CCF: Large Outbound Transfer
CCF: Data Exfiltration Observed
CCF: Data Destruction
CCF: Corroborated Account Anomalies
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Abnormal Amount of Data Transferred
CCF: Misuse
CCF: Config Change After Attack
CCF: Social Media Event
CCF: Config Modified
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Backup Information
CCF: Attack then External Connection
CCF: Distributed Brute Force
CCF: External Brute Force Auths
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: FIM Delete Activity Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Backup Failure Alarm
CCF: Time Sync Error Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: User Object Access Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
|
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: User Object Access Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Term Account Activity Summary
CCF: Account Deleted Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Modification Summary
CCF: Object Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
C1.c.02
|
|
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: Disabled Account Auth Success
CCF: GeoIP General Activity
CCF: Corroborated Data Access Anomalies
CCF: GeoIP Blacklisted Region Activity
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Abnormal Origin Location
CCF: Auth After Security Event
CCF: Large Outbound Transfer
CCF: Data Exfiltration Observed
CCF: Data Destruction
CCF: Corroborated Account Anomalies
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Abnormal Amount of Data Transferred
CCF: Misuse
CCF: Config Change After Attack
CCF: Social Media Event
CCF: Config Modified
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Backup Information
CCF: Attack then External Connection
CCF: Distributed Brute Force
CCF: External Brute Force Auths
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: FIM Delete Activity Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Backup Failure Alarm
CCF: Time Sync Error Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: User Object Access Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
|
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: User Object Access Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Term Account Activity Summary
CCF: Account Deleted Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Modification Summary
CCF: Object Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
C1.c.03
|
|
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: Disabled Account Auth Success
CCF: GeoIP General Activity
CCF: Corroborated Data Access Anomalies
CCF: GeoIP Blacklisted Region Activity
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Abnormal Origin Location
CCF: Auth After Security Event
CCF: Large Outbound Transfer
CCF: Data Exfiltration Observed
CCF: Data Destruction
CCF: Corroborated Account Anomalies
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Abnormal Amount of Data Transferred
CCF: Misuse
CCF: Config Change After Attack
CCF: Social Media Event
CCF: Config Modified
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Backup Information
CCF: Attack then External Connection
CCF: Distributed Brute Force
CCF: External Brute Force Auths
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: FIM Delete Activity Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Backup Failure Alarm
CCF: Time Sync Error Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: User Object Access Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
|
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: User Object Access Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Term Account Activity Summary
CCF: Account Deleted Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Modification Summary
CCF: Object Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
C1.c.04
|
|
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: Disabled Account Auth Success
CCF: GeoIP General Activity
CCF: Corroborated Data Access Anomalies
CCF: GeoIP Blacklisted Region Activity
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Abnormal Origin Location
CCF: Auth After Security Event
CCF: Large Outbound Transfer
CCF: Data Exfiltration Observed
CCF: Data Destruction
CCF: Corroborated Account Anomalies
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Abnormal Amount of Data Transferred
CCF: Misuse
CCF: Config Change After Attack
CCF: Social Media Event
CCF: Config Modified
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Backup Information
CCF: Attack then External Connection
CCF: Distributed Brute Force
CCF: External Brute Force Auths
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: FIM Delete Activity Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Backup Failure Alarm
CCF: Time Sync Error Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: User Object Access Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
|
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: User Object Access Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Term Account Activity Summary
CCF: Account Deleted Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Modification Summary
CCF: Object Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
C1.c.05
|
|
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: Disabled Account Auth Success
CCF: GeoIP General Activity
CCF: Corroborated Data Access Anomalies
CCF: GeoIP Blacklisted Region Activity
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Abnormal Origin Location
CCF: Auth After Security Event
CCF: Large Outbound Transfer
CCF: Data Exfiltration Observed
CCF: Data Destruction
CCF: Corroborated Account Anomalies
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Abnormal Amount of Data Transferred
CCF: Misuse
CCF: Config Change After Attack
CCF: Social Media Event
CCF: Config Modified
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Backup Information
CCF: Attack then External Connection
CCF: Distributed Brute Force
CCF: External Brute Force Auths
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: FIM Delete Activity Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Backup Failure Alarm
CCF: Time Sync Error Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: User Object Access Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
|
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: User Object Access Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Term Account Activity Summary
CCF: Account Deleted Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Modification Summary
CCF: Object Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
C1.c.06
|
|
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: Disabled Account Auth Success
CCF: GeoIP General Activity
CCF: Corroborated Data Access Anomalies
CCF: GeoIP Blacklisted Region Activity
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Abnormal Origin Location
CCF: Auth After Security Event
CCF: Large Outbound Transfer
CCF: Data Exfiltration Observed
CCF: Data Destruction
CCF: Corroborated Account Anomalies
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Abnormal Amount of Data Transferred
CCF: Misuse
CCF: Config Change After Attack
CCF: Social Media Event
CCF: Config Modified
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Backup Information
CCF: Attack then External Connection
CCF: Distributed Brute Force
CCF: External Brute Force Auths
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: FIM Delete Activity Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Backup Failure Alarm
CCF: Time Sync Error Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: User Object Access Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
|
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: User Object Access Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Term Account Activity Summary
CCF: Account Deleted Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Modification Summary
CCF: Object Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
C1.d.01
|
|
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: Disabled Account Auth Success
CCF: GeoIP General Activity
CCF: Corroborated Data Access Anomalies
CCF: GeoIP Blacklisted Region Activity
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Abnormal Origin Location
CCF: Auth After Security Event
CCF: Large Outbound Transfer
CCF: Data Exfiltration Observed
CCF: Data Destruction
CCF: Corroborated Account Anomalies
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Abnormal Amount of Data Transferred
CCF: Misuse
CCF: Config Change After Attack
CCF: Social Media Event
CCF: Config Modified
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Backup Information
CCF: Attack then External Connection
CCF: Distributed Brute Force
CCF: External Brute Force Auths
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: FIM Delete Activity Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Backup Failure Alarm
CCF: Time Sync Error Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: User Object Access Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
|
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: User Object Access Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Term Account Activity Summary
CCF: Account Deleted Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Modification Summary
CCF: Object Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
C1.d.02
|
|
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: Disabled Account Auth Success
CCF: GeoIP General Activity
CCF: Corroborated Data Access Anomalies
CCF: GeoIP Blacklisted Region Activity
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Abnormal Origin Location
CCF: Auth After Security Event
CCF: Large Outbound Transfer
CCF: Data Exfiltration Observed
CCF: Data Destruction
CCF: Corroborated Account Anomalies
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Abnormal Amount of Data Transferred
CCF: Misuse
CCF: Config Change After Attack
CCF: Social Media Event
CCF: Config Modified
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Backup Information
CCF: Attack then External Connection
CCF: Distributed Brute Force
CCF: External Brute Force Auths
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: FIM Delete Activity Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Backup Failure Alarm
CCF: Time Sync Error Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: User Object Access Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
|
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: User Object Access Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Term Account Activity Summary
CCF: Account Deleted Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Modification Summary
CCF: Object Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
C1.d.03
|
|
|
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
|
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
|
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
|
|
|
C1.d.04
|
LogRhythm SIEM provides a robust case management feature, a collaborative forensic tool for creating cases to track and document suspicious logs and alarms that are believed to be related to the same threat.
|
|
|
|
|
|
|
C1.e.01
|
|
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: Disabled Account Auth Success
CCF: GeoIP General Activity
CCF: Corroborated Data Access Anomalies
CCF: GeoIP Blacklisted Region Activity
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Abnormal Origin Location
CCF: Auth After Security Event
CCF: Large Outbound Transfer
CCF: Data Exfiltration Observed
CCF: Data Destruction
CCF: Corroborated Account Anomalies
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Abnormal Amount of Data Transferred
CCF: Misuse
CCF: Config Change After Attack
CCF: Social Media Event
CCF: Config Modified
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Backup Information
CCF: Attack then External Connection
CCF: Distributed Brute Force
CCF: External Brute Force Auths
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: FIM Delete Activity Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Backup Failure Alarm
CCF: Time Sync Error Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: User Object Access Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
|
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: User Object Access Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Term Account Activity Summary
CCF: Account Deleted Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Modification Summary
CCF: Object Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
C1.e.03
|
|
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: Disabled Account Auth Success
CCF: GeoIP General Activity
CCF: Corroborated Data Access Anomalies
CCF: GeoIP Blacklisted Region Activity
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Abnormal Origin Location
CCF: Auth After Security Event
CCF: Large Outbound Transfer
CCF: Data Exfiltration Observed
CCF: Data Destruction
CCF: Corroborated Account Anomalies
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Abnormal Amount of Data Transferred
CCF: Misuse
CCF: Config Change After Attack
CCF: Social Media Event
CCF: Config Modified
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Backup Information
CCF: Attack then External Connection
CCF: Distributed Brute Force
CCF: External Brute Force Auths
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: FIM Delete Activity Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Backup Failure Alarm
CCF: Time Sync Error Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: User Object Access Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
|
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: User Object Access Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Term Account Activity Summary
CCF: Account Deleted Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Modification Summary
CCF: Object Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
C1.e.05
|
LogRhythm SIEM Platform provides holistic visibility into your network and improves detection and response capabilities. When paired with LogRhythm’s compliance automation modules, it lets your team comply with the necessary mandates more efficiently and effectively.
|
|
|
|
|
|
|
C1.e.06
|
LogRhythm SIEM provides robust collection and normalization of data to enable accurate and reliable analysis.
|
|
|
|
|
|
|
C2.a.01
|
Yes
|
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: Disabled Account Auth Success
CCF: GeoIP General Activity
CCF: Corroborated Data Access Anomalies
CCF: GeoIP Blacklisted Region Activity
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Abnormal Origin Location
CCF: Auth After Security Event
CCF: Large Outbound Transfer
CCF: Data Exfiltration Observed
CCF: Data Destruction
CCF: Corroborated Account Anomalies
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Abnormal Amount of Data Transferred
CCF: Misuse
CCF: Config Change After Attack
CCF: Social Media Event
CCF: Config Modified
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Backup Information
CCF: Attack then External Connection
CCF: Distributed Brute Force
CCF: External Brute Force Auths
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: FIM Delete Activity Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Backup Failure Alarm
CCF: Time Sync Error Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: User Object Access Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
|
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: User Object Access Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Term Account Activity Summary
CCF: Account Deleted Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Modification Summary
CCF: Object Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
|
C2.a.02
|
Yes
|
CCF: FIM Information
CCF: Data Loss Prevention
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: Disabled Account Auth Success
CCF: GeoIP General Activity
CCF: Corroborated Data Access Anomalies
CCF: GeoIP Blacklisted Region Activity
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Abnormal Origin Location
CCF: Auth After Security Event
CCF: Large Outbound Transfer
CCF: Data Exfiltration Observed
CCF: Data Destruction
CCF: Corroborated Account Anomalies
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Same User
CCF: Excessive Authentication Failure Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Abnormal Amount of Data Transferred
CCF: Misuse
CCF: Config Change After Attack
CCF: Social Media Event
CCF: Config Modified
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Backup Information
CCF: Attack then External Connection
CCF: Distributed Brute Force
CCF: External Brute Force Auths
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: FIM Delete Activity Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Backup Failure Alarm
CCF: Time Sync Error Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial Of Service Alarm
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: User Object Access Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
|
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: User Object Access Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Term Account Activity Summary
CCF: Account Deleted Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Modification Summary
CCF: Object Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: User Misuse Summary
CCF: Rogue Access Point Summary
|
CCF: Host Access Granted And Revoked Detail
CCF: Unknown User Account Detail
|
Control ID: C2.a.03
Support Summary: Yes
AIE Rules:
  CCF: FIM Information
  CCF: Data Loss Prevention
  CCF: FIM General Activity
  CCF: FIM Add Activity
  CCF: FIM Abnormal Activity
  CCF: Disabled Account Auth Success
  CCF: GeoIP General Activity
  CCF: Corroborated Data Access Anomalies
  CCF: GeoIP Blacklisted Region Activity
  CCF: Windows RunAs Privilege Escalation
  CCF: Linux sudo Privilege Escalation
  CCF: Local Account Created and Used
  CCF: Blacklist Location Auth
  CCF: Abnormal Origin Location
  CCF: Auth After Security Event
  CCF: Large Outbound Transfer
  CCF: Data Exfiltration Observed
  CCF: Data Destruction
  CCF: Corroborated Account Anomalies
  CCF: Concurrent VPN from Multiple Locations
  CCF: Concurrent VPN from Same User
  CCF: Excessive Authentication Failure Rule
  CCF: Account Modification
  CCF: Account Enabled Rule
  CCF: Account Disabled Rule
  CCF: Account Deleted Rule
  CCF: Password Modified by Admin
  CCF: Multiple Account Passwords Modified by Admin
  CCF: Admin Password Modified
  CCF: Password Modified by Another User
  CCF: Auth After Numerous Failed Auths
  CCF: Abnormal Amount of Data Transferred
  CCF: Misuse
  CCF: Config Change After Attack
  CCF: Social Media Event
  CCF: Config Modified
  CCF: Config Change then Critical Error
  CCF: Config Deleted/Disabled
  CCF: Critical Event After Attack
  CCF: Software Install
  CCF: Software Uninstall
  CCF: Backup Information
  CCF: Attack then External Connection
  CCF: Distributed Brute Force
  CCF: External Brute Force Auths
AIE Alerts:
  CCF: LogRhythm Silent Log Source Error Alarm
  CCF: Audit Logging Stopped Alarm
  CCF: Audit Log Cleared Alarm
  CCF: Failed Audit Log Write Alarm
  CCF: Unknown User Account Alarm
  CCF: Priv Group Access Granted Alarm
  CCF: Blacklisted Account Alarm
  CCF: Privilege Escalation After Attack Alarm
  CCF: FIM Delete Activity Alarm
  CCF: Early TLS/SSL Alarm
  CCF: Non-Encrypted Protocol Alarm
  CCF: Rogue Access Point Alarm
  CCF: Suspected Wireless Attack Alarm
  CCF: Critical/PRD Envir Patch Failure Alarm
  CCF: PRD Envir Signature Failure Alarm
  CCF: PRD Envir Config/Policy Change Alarm
  CCF: Software Install Fail Alarm
  CCF: Software Uninstall Fail Alarm
  CCF: Backup Failure Alarm
  CCF: Time Sync Error Alarm
  CCF: Malware Alarm
  CCF: Vulnerability Detected Alarm
  CCF: Compromise Detected Alarm
  CCF: Denial Of Service Alarm
Investigations:
  CCF: Physical Access Inv
  CCF: Host Access Granted And Revoked Inv
  CCF: Applications Accessed By User Inv
  CCF: Suspicious Users Inv
  CCF: Unknown User Account Inv
  CCF: Privileged Account Modification Inv
  CCF: Privileged Account Escalation Inv
  CCF: User Object Access Inv
  CCF: Excessive Authentication Failure Inv
  CCF: Account Modification Inv
  CCF: Enabled Account Inv
  CCF: Disabled Account Inv
  CCF: Deleted Account Inv
Summary Reports:
  CCF: Physical Access Summary
  CCF: Applications Accessed By User Summary
  CCF: Top Suspicious Users
  CCF: GeoIP Summary
  CCF: User Priv Escalation (Windows) Summary
  CCF: User Priv Escalation (SU & SUDO) Summary
  CCF: Priv Authentication Activity Summary
  CCF: Priv Account Management Activity Summary
  CCF: User Object Access Summary
  CCF: Account Enabled Summary
  CCF: Account Disabled Summary
  CCF: Term Account Activity Summary
  CCF: Account Deleted Summary
  CCF: LogRhythm Data Loss Defender Log Summary
  CCF: Audit Log Summary
  CCF: Auth Failure Summary
  CCF: Access Failure Summary
  CCF: Auth Success Summary
  CCF: Access Success Summary
  CCF: Account Modification Summary
  CCF: Object Access Summary
  CCF: Use Of Non-Encrypted Protocols Summary
  CCF: User Misuse Summary
  CCF: Rogue Access Point Summary
Detailed Report:
  CCF: Host Access Granted And Revoked Detail
  CCF: Unknown User Account Detail

Control ID: C2.a.04
Support Summary: Yes
AIE Rules:
  CCF: FIM Information
  CCF: Data Loss Prevention
  CCF: FIM General Activity
  CCF: FIM Add Activity
  CCF: FIM Abnormal Activity
  CCF: Disabled Account Auth Success
  CCF: GeoIP General Activity
  CCF: Corroborated Data Access Anomalies
  CCF: GeoIP Blacklisted Region Activity
  CCF: Windows RunAs Privilege Escalation
  CCF: Linux sudo Privilege Escalation
  CCF: Local Account Created and Used
  CCF: Blacklist Location Auth
  CCF: Abnormal Origin Location
  CCF: Auth After Security Event
  CCF: Large Outbound Transfer
  CCF: Data Exfiltration Observed
  CCF: Data Destruction
  CCF: Corroborated Account Anomalies
  CCF: Concurrent VPN from Multiple Locations
  CCF: Concurrent VPN from Same User
  CCF: Excessive Authentication Failure Rule
  CCF: Account Modification
  CCF: Account Enabled Rule
  CCF: Account Disabled Rule
  CCF: Account Deleted Rule
  CCF: Password Modified by Admin
  CCF: Multiple Account Passwords Modified by Admin
  CCF: Admin Password Modified
  CCF: Password Modified by Another User
  CCF: Auth After Numerous Failed Auths
  CCF: Abnormal Amount of Data Transferred
  CCF: Misuse
  CCF: Config Change After Attack
  CCF: Social Media Event
  CCF: Config Modified
  CCF: Config Change then Critical Error
  CCF: Config Deleted/Disabled
  CCF: Critical Event After Attack
  CCF: Software Install
  CCF: Software Uninstall
  CCF: Backup Information
  CCF: Attack then External Connection
  CCF: Distributed Brute Force
  CCF: External Brute Force Auths
AIE Alerts:
  CCF: LogRhythm Silent Log Source Error Alarm
  CCF: Audit Logging Stopped Alarm
  CCF: Audit Log Cleared Alarm
  CCF: Failed Audit Log Write Alarm
  CCF: Unknown User Account Alarm
  CCF: Priv Group Access Granted Alarm
  CCF: Blacklisted Account Alarm
  CCF: Privilege Escalation After Attack Alarm
  CCF: FIM Delete Activity Alarm
  CCF: Early TLS/SSL Alarm
  CCF: Non-Encrypted Protocol Alarm
  CCF: Rogue Access Point Alarm
  CCF: Suspected Wireless Attack Alarm
  CCF: Critical/PRD Envir Patch Failure Alarm
  CCF: PRD Envir Signature Failure Alarm
  CCF: PRD Envir Config/Policy Change Alarm
  CCF: Software Install Fail Alarm
  CCF: Software Uninstall Fail Alarm
  CCF: Backup Failure Alarm
  CCF: Time Sync Error Alarm
  CCF: Malware Alarm
  CCF: Vulnerability Detected Alarm
  CCF: Compromise Detected Alarm
  CCF: Denial Of Service Alarm
Investigations:
  CCF: Physical Access Inv
  CCF: Host Access Granted And Revoked Inv
  CCF: Applications Accessed By User Inv
  CCF: Suspicious Users Inv
  CCF: Unknown User Account Inv
  CCF: Privileged Account Modification Inv
  CCF: Privileged Account Escalation Inv
  CCF: User Object Access Inv
  CCF: Excessive Authentication Failure Inv
  CCF: Account Modification Inv
  CCF: Enabled Account Inv
  CCF: Disabled Account Inv
  CCF: Deleted Account Inv
Summary Reports:
  CCF: Physical Access Summary
  CCF: Applications Accessed By User Summary
  CCF: Top Suspicious Users
  CCF: GeoIP Summary
  CCF: User Priv Escalation (Windows) Summary
  CCF: User Priv Escalation (SU & SUDO) Summary
  CCF: Priv Authentication Activity Summary
  CCF: Priv Account Management Activity Summary
  CCF: User Object Access Summary
  CCF: Account Enabled Summary
  CCF: Account Disabled Summary
  CCF: Term Account Activity Summary
  CCF: Account Deleted Summary
  CCF: LogRhythm Data Loss Defender Log Summary
  CCF: Audit Log Summary
  CCF: Auth Failure Summary
  CCF: Access Failure Summary
  CCF: Auth Success Summary
  CCF: Access Success Summary
  CCF: Account Modification Summary
  CCF: Object Access Summary
  CCF: Use Of Non-Encrypted Protocols Summary
  CCF: User Misuse Summary
  CCF: Rogue Access Point Summary
Detailed Report:
  CCF: Host Access Granted And Revoked Detail
  CCF: Unknown User Account Detail

Control ID: C2.b.01
Support Summary: Yes
AIE Rules:
  CCF: FIM Information
  CCF: Data Loss Prevention
  CCF: FIM General Activity
  CCF: FIM Add Activity
  CCF: FIM Abnormal Activity
  CCF: Disabled Account Auth Success
  CCF: GeoIP General Activity
  CCF: Corroborated Data Access Anomalies
  CCF: GeoIP Blacklisted Region Activity
  CCF: Windows RunAs Privilege Escalation
  CCF: Linux sudo Privilege Escalation
  CCF: Local Account Created and Used
  CCF: Blacklist Location Auth
  CCF: Abnormal Origin Location
  CCF: Auth After Security Event
  CCF: Large Outbound Transfer
  CCF: Data Exfiltration Observed
  CCF: Data Destruction
  CCF: Corroborated Account Anomalies
  CCF: Concurrent VPN from Multiple Locations
  CCF: Concurrent VPN from Same User
  CCF: Excessive Authentication Failure Rule
  CCF: Account Modification
  CCF: Account Enabled Rule
  CCF: Account Disabled Rule
  CCF: Account Deleted Rule
  CCF: Password Modified by Admin
  CCF: Multiple Account Passwords Modified by Admin
  CCF: Admin Password Modified
  CCF: Password Modified by Another User
  CCF: Auth After Numerous Failed Auths
  CCF: Abnormal Amount of Data Transferred
  CCF: Misuse
  CCF: Config Change After Attack
  CCF: Social Media Event
  CCF: Config Modified
  CCF: Config Change then Critical Error
  CCF: Config Deleted/Disabled
  CCF: Critical Event After Attack
  CCF: Software Install
  CCF: Software Uninstall
  CCF: Backup Information
  CCF: Attack then External Connection
  CCF: Distributed Brute Force
  CCF: External Brute Force Auths
AIE Alerts:
  CCF: LogRhythm Silent Log Source Error Alarm
  CCF: Audit Logging Stopped Alarm
  CCF: Audit Log Cleared Alarm
  CCF: Failed Audit Log Write Alarm
  CCF: Unknown User Account Alarm
  CCF: Priv Group Access Granted Alarm
  CCF: Blacklisted Account Alarm
  CCF: Privilege Escalation After Attack Alarm
  CCF: FIM Delete Activity Alarm
  CCF: Early TLS/SSL Alarm
  CCF: Non-Encrypted Protocol Alarm
  CCF: Rogue Access Point Alarm
  CCF: Suspected Wireless Attack Alarm
  CCF: Critical/PRD Envir Patch Failure Alarm
  CCF: PRD Envir Signature Failure Alarm
  CCF: PRD Envir Config/Policy Change Alarm
  CCF: Software Install Fail Alarm
  CCF: Software Uninstall Fail Alarm
  CCF: Backup Failure Alarm
  CCF: Time Sync Error Alarm
  CCF: Malware Alarm
  CCF: Vulnerability Detected Alarm
  CCF: Compromise Detected Alarm
  CCF: Denial Of Service Alarm
Investigations:
  CCF: Physical Access Inv
  CCF: Host Access Granted And Revoked Inv
  CCF: Applications Accessed By User Inv
  CCF: Suspicious Users Inv
  CCF: Unknown User Account Inv
  CCF: Privileged Account Modification Inv
  CCF: Privileged Account Escalation Inv
  CCF: User Object Access Inv
  CCF: Excessive Authentication Failure Inv
  CCF: Account Modification Inv
  CCF: Enabled Account Inv
  CCF: Disabled Account Inv
  CCF: Deleted Account Inv
Summary Reports:
  CCF: Physical Access Summary
  CCF: Applications Accessed By User Summary
  CCF: Top Suspicious Users
  CCF: GeoIP Summary
  CCF: User Priv Escalation (Windows) Summary
  CCF: User Priv Escalation (SU & SUDO) Summary
  CCF: Priv Authentication Activity Summary
  CCF: Priv Account Management Activity Summary
  CCF: User Object Access Summary
  CCF: Account Enabled Summary
  CCF: Account Disabled Summary
  CCF: Term Account Activity Summary
  CCF: Account Deleted Summary
  CCF: LogRhythm Data Loss Defender Log Summary
  CCF: Audit Log Summary
  CCF: Auth Failure Summary
  CCF: Access Failure Summary
  CCF: Auth Success Summary
  CCF: Access Success Summary
  CCF: Account Modification Summary
  CCF: Object Access Summary
  CCF: Use Of Non-Encrypted Protocols Summary
  CCF: User Misuse Summary
  CCF: Rogue Access Point Summary
Detailed Report:
  CCF: Host Access Granted And Revoked Detail
  CCF: Unknown User Account Detail

Control ID: D1.b.04
Support Summary: Yes
AIE Rules:
  CCF: Backup Information
AIE Alerts:
  CCF: Backup Failure Alarm
Investigations:
  CCF: Backup Activity Inv
Summary Reports:
  CCF: Backup Activity Summary
Detailed Report:

Control ID: D2.a.01
Support Summary: Yes
AIE Rules:
  CCF: FIM Information
  CCF: Data Loss Prevention
  CCF: FIM General Activity
  CCF: FIM Add Activity
  CCF: FIM Abnormal Activity
  CCF: Disabled Account Auth Success
  CCF: GeoIP General Activity
  CCF: Corroborated Data Access Anomalies
  CCF: GeoIP Blacklisted Region Activity
  CCF: Windows RunAs Privilege Escalation
  CCF: Linux sudo Privilege Escalation
  CCF: Local Account Created and Used
  CCF: Blacklist Location Auth
  CCF: Abnormal Origin Location
  CCF: Auth After Security Event
  CCF: Large Outbound Transfer
  CCF: Data Exfiltration Observed
  CCF: Data Destruction
  CCF: Corroborated Account Anomalies
  CCF: Concurrent VPN from Multiple Locations
  CCF: Concurrent VPN from Same User
  CCF: Excessive Authentication Failure Rule
  CCF: Account Modification
  CCF: Account Enabled Rule
  CCF: Account Disabled Rule
  CCF: Account Deleted Rule
  CCF: Password Modified by Admin
  CCF: Multiple Account Passwords Modified by Admin
  CCF: Admin Password Modified
  CCF: Password Modified by Another User
  CCF: Auth After Numerous Failed Auths
  CCF: Abnormal Amount of Data Transferred
  CCF: Misuse
  CCF: Config Change After Attack
  CCF: Social Media Event
  CCF: Config Modified
  CCF: Config Change then Critical Error
  CCF: Config Deleted/Disabled
  CCF: Critical Event After Attack
  CCF: Software Install
  CCF: Software Uninstall
  CCF: Backup Information
  CCF: Attack then External Connection
  CCF: Distributed Brute Force
  CCF: External Brute Force Auths
AIE Alerts:
  CCF: LogRhythm Silent Log Source Error Alarm
  CCF: Audit Logging Stopped Alarm
  CCF: Audit Log Cleared Alarm
  CCF: Failed Audit Log Write Alarm
  CCF: Unknown User Account Alarm
  CCF: Priv Group Access Granted Alarm
  CCF: Blacklisted Account Alarm
  CCF: Privilege Escalation After Attack Alarm
  CCF: FIM Delete Activity Alarm
  CCF: Early TLS/SSL Alarm
  CCF: Non-Encrypted Protocol Alarm
  CCF: Rogue Access Point Alarm
  CCF: Suspected Wireless Attack Alarm
  CCF: Critical/PRD Envir Patch Failure Alarm
  CCF: PRD Envir Signature Failure Alarm
  CCF: PRD Envir Config/Policy Change Alarm
  CCF: Software Install Fail Alarm
  CCF: Software Uninstall Fail Alarm
  CCF: Backup Failure Alarm
  CCF: Time Sync Error Alarm
  CCF: Malware Alarm
  CCF: Vulnerability Detected Alarm
  CCF: Compromise Detected Alarm
  CCF: Denial Of Service Alarm
Investigations:
  CCF: Physical Access Inv
  CCF: Host Access Granted And Revoked Inv
  CCF: Applications Accessed By User Inv
  CCF: Suspicious Users Inv
  CCF: Unknown User Account Inv
  CCF: Privileged Account Modification Inv
  CCF: Privileged Account Escalation Inv
  CCF: User Object Access Inv
  CCF: Excessive Authentication Failure Inv
  CCF: Account Modification Inv
  CCF: Enabled Account Inv
  CCF: Disabled Account Inv
  CCF: Deleted Account Inv
Summary Reports:
  CCF: Physical Access Summary
  CCF: Applications Accessed By User Summary
  CCF: Top Suspicious Users
  CCF: GeoIP Summary
  CCF: User Priv Escalation (Windows) Summary
  CCF: User Priv Escalation (SU & SUDO) Summary
  CCF: Priv Authentication Activity Summary
  CCF: Priv Account Management Activity Summary
  CCF: User Object Access Summary
  CCF: Account Enabled Summary
  CCF: Account Disabled Summary
  CCF: Term Account Activity Summary
  CCF: Account Deleted Summary
  CCF: LogRhythm Data Loss Defender Log Summary
  CCF: Audit Log Summary
  CCF: Auth Failure Summary
  CCF: Access Failure Summary
  CCF: Auth Success Summary
  CCF: Access Success Summary
  CCF: Account Modification Summary
  CCF: Object Access Summary
  CCF: Use Of Non-Encrypted Protocols Summary
  CCF: User Misuse Summary
  CCF: Rogue Access Point Summary
Detailed Report:
  CCF: Host Access Granted And Revoked Detail
  CCF: Unknown User Account Detail

Control ID: D2.a.02
Support Summary: Yes
AIE Rules:
  CCF: FIM Information
  CCF: Data Loss Prevention
  CCF: FIM General Activity
  CCF: FIM Add Activity
  CCF: FIM Abnormal Activity
  CCF: Disabled Account Auth Success
  CCF: GeoIP General Activity
  CCF: Corroborated Data Access Anomalies
  CCF: GeoIP Blacklisted Region Activity
  CCF: Windows RunAs Privilege Escalation
  CCF: Linux sudo Privilege Escalation
  CCF: Local Account Created and Used
  CCF: Blacklist Location Auth
  CCF: Abnormal Origin Location
  CCF: Auth After Security Event
  CCF: Large Outbound Transfer
  CCF: Data Exfiltration Observed
  CCF: Data Destruction
  CCF: Corroborated Account Anomalies
  CCF: Concurrent VPN from Multiple Locations
  CCF: Concurrent VPN from Same User
  CCF: Excessive Authentication Failure Rule
  CCF: Account Modification
  CCF: Account Enabled Rule
  CCF: Account Disabled Rule
  CCF: Account Deleted Rule
  CCF: Password Modified by Admin
  CCF: Multiple Account Passwords Modified by Admin
  CCF: Admin Password Modified
  CCF: Password Modified by Another User
  CCF: Auth After Numerous Failed Auths
  CCF: Abnormal Amount of Data Transferred
  CCF: Misuse
  CCF: Config Change After Attack
  CCF: Social Media Event
  CCF: Config Modified
  CCF: Config Change then Critical Error
  CCF: Config Deleted/Disabled
  CCF: Critical Event After Attack
  CCF: Software Install
  CCF: Software Uninstall
  CCF: Backup Information
  CCF: Attack then External Connection
  CCF: Distributed Brute Force
  CCF: External Brute Force Auths
AIE Alerts:
  CCF: LogRhythm Silent Log Source Error Alarm
  CCF: Audit Logging Stopped Alarm
  CCF: Audit Log Cleared Alarm
  CCF: Failed Audit Log Write Alarm
  CCF: Unknown User Account Alarm
  CCF: Priv Group Access Granted Alarm
  CCF: Blacklisted Account Alarm
  CCF: Privilege Escalation After Attack Alarm
  CCF: FIM Delete Activity Alarm
  CCF: Early TLS/SSL Alarm
  CCF: Non-Encrypted Protocol Alarm
  CCF: Rogue Access Point Alarm
  CCF: Suspected Wireless Attack Alarm
  CCF: Critical/PRD Envir Patch Failure Alarm
  CCF: PRD Envir Signature Failure Alarm
  CCF: PRD Envir Config/Policy Change Alarm
  CCF: Software Install Fail Alarm
  CCF: Software Uninstall Fail Alarm
  CCF: Backup Failure Alarm
  CCF: Time Sync Error Alarm
  CCF: Malware Alarm
  CCF: Vulnerability Detected Alarm
  CCF: Compromise Detected Alarm
  CCF: Denial Of Service Alarm
Investigations:
  CCF: Physical Access Inv
  CCF: Host Access Granted And Revoked Inv
  CCF: Applications Accessed By User Inv
  CCF: Suspicious Users Inv
  CCF: Unknown User Account Inv
  CCF: Privileged Account Modification Inv
  CCF: Privileged Account Escalation Inv
  CCF: User Object Access Inv
  CCF: Excessive Authentication Failure Inv
  CCF: Account Modification Inv
  CCF: Enabled Account Inv
  CCF: Disabled Account Inv
  CCF: Deleted Account Inv
Summary Reports:
  CCF: Physical Access Summary
  CCF: Applications Accessed By User Summary
  CCF: Top Suspicious Users
  CCF: GeoIP Summary
  CCF: User Priv Escalation (Windows) Summary
  CCF: User Priv Escalation (SU & SUDO) Summary
  CCF: Priv Authentication Activity Summary
  CCF: Priv Account Management Activity Summary
  CCF: User Object Access Summary
  CCF: Account Enabled Summary
  CCF: Account Disabled Summary
  CCF: Term Account Activity Summary
  CCF: Account Deleted Summary
  CCF: LogRhythm Data Loss Defender Log Summary
  CCF: Audit Log Summary
  CCF: Auth Failure Summary
  CCF: Access Failure Summary
  CCF: Auth Success Summary
  CCF: Access Success Summary
  CCF: Account Modification Summary
  CCF: Object Access Summary
  CCF: Use Of Non-Encrypted Protocols Summary
  CCF: User Misuse Summary
  CCF: Rogue Access Point Summary
Detailed Report:
  CCF: Host Access Granted And Revoked Detail
  CCF: Unknown User Account Detail

Control ID: D2.a.03
Support Summary: Yes
AIE Rules:
  CCF: FIM Information
  CCF: Data Loss Prevention
  CCF: FIM General Activity
  CCF: FIM Add Activity
  CCF: FIM Abnormal Activity
  CCF: Disabled Account Auth Success
  CCF: GeoIP General Activity
  CCF: Corroborated Data Access Anomalies
  CCF: GeoIP Blacklisted Region Activity
  CCF: Windows RunAs Privilege Escalation
  CCF: Linux sudo Privilege Escalation
  CCF: Local Account Created and Used
  CCF: Blacklist Location Auth
  CCF: Abnormal Origin Location
  CCF: Auth After Security Event
  CCF: Large Outbound Transfer
  CCF: Data Exfiltration Observed
  CCF: Data Destruction
  CCF: Corroborated Account Anomalies
  CCF: Concurrent VPN from Multiple Locations
  CCF: Concurrent VPN from Same User
  CCF: Excessive Authentication Failure Rule
  CCF: Account Modification
  CCF: Account Enabled Rule
  CCF: Account Disabled Rule
  CCF: Account Deleted Rule
  CCF: Password Modified by Admin
  CCF: Multiple Account Passwords Modified by Admin
  CCF: Admin Password Modified
  CCF: Password Modified by Another User
  CCF: Auth After Numerous Failed Auths
  CCF: Abnormal Amount of Data Transferred
  CCF: Misuse
  CCF: Config Change After Attack
  CCF: Social Media Event
  CCF: Config Modified
  CCF: Config Change then Critical Error
  CCF: Config Deleted/Disabled
  CCF: Critical Event After Attack
  CCF: Software Install
  CCF: Software Uninstall
  CCF: Backup Information
  CCF: Attack then External Connection
  CCF: Distributed Brute Force
  CCF: External Brute Force Auths
AIE Alerts:
  CCF: LogRhythm Silent Log Source Error Alarm
  CCF: Audit Logging Stopped Alarm
  CCF: Audit Log Cleared Alarm
  CCF: Failed Audit Log Write Alarm
  CCF: Unknown User Account Alarm
  CCF: Priv Group Access Granted Alarm
  CCF: Blacklisted Account Alarm
  CCF: Privilege Escalation After Attack Alarm
  CCF: FIM Delete Activity Alarm
  CCF: Early TLS/SSL Alarm
  CCF: Non-Encrypted Protocol Alarm
  CCF: Rogue Access Point Alarm
  CCF: Suspected Wireless Attack Alarm
  CCF: Critical/PRD Envir Patch Failure Alarm
  CCF: PRD Envir Signature Failure Alarm
  CCF: PRD Envir Config/Policy Change Alarm
  CCF: Software Install Fail Alarm
  CCF: Software Uninstall Fail Alarm
  CCF: Backup Failure Alarm
  CCF: Time Sync Error Alarm
  CCF: Malware Alarm
  CCF: Vulnerability Detected Alarm
  CCF: Compromise Detected Alarm
  CCF: Denial Of Service Alarm
Investigations:
  CCF: Physical Access Inv
  CCF: Host Access Granted And Revoked Inv
  CCF: Applications Accessed By User Inv
  CCF: Suspicious Users Inv
  CCF: Unknown User Account Inv
  CCF: Privileged Account Modification Inv
  CCF: Privileged Account Escalation Inv
  CCF: User Object Access Inv
  CCF: Excessive Authentication Failure Inv
  CCF: Account Modification Inv
  CCF: Enabled Account Inv
  CCF: Disabled Account Inv
  CCF: Deleted Account Inv
Summary Reports:
  CCF: Physical Access Summary
  CCF: Applications Accessed By User Summary
  CCF: Top Suspicious Users
  CCF: GeoIP Summary
  CCF: User Priv Escalation (Windows) Summary
  CCF: User Priv Escalation (SU & SUDO) Summary
  CCF: Priv Authentication Activity Summary
  CCF: Priv Account Management Activity Summary
  CCF: User Object Access Summary
  CCF: Account Enabled Summary
  CCF: Account Disabled Summary
  CCF: Term Account Activity Summary
  CCF: Account Deleted Summary
  CCF: LogRhythm Data Loss Defender Log Summary
  CCF: Audit Log Summary
  CCF: Auth Failure Summary
  CCF: Access Failure Summary
  CCF: Auth Success Summary
  CCF: Access Success Summary
  CCF: Account Modification Summary
  CCF: Object Access Summary
  CCF: Use Of Non-Encrypted Protocols Summary
  CCF: User Misuse Summary
  CCF: Rogue Access Point Summary
Detailed Report:
  CCF: Host Access Granted And Revoked Detail
  CCF: Unknown User Account Detail
