NCSC - Requirements
| Control ID | Support Summary | AIE Rules | AIE Alerts | Investigations | Summary Reports | Detailed Report |
|---|---|---|---|---|---|---|
| A1.a.02 | | | | | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Modification Summary; CCF: Object Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Misuse Summary; CCF: Rogue Access Point Summary | |
| A1.c.03 | | | | | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Modification Summary; CCF: Object Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Misuse Summary; CCF: Rogue Access Point Summary | |
| A2.a.01 | | | | | CCF: Top Suspicious Users; CCF: GeoIP Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Audit Log Summary; CCF: Object Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Misuse Summary; CCF: Rogue Access Point Summary | |
| A2.a.03 | | | | | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Modification Summary; CCF: Object Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Misuse Summary; CCF: Rogue Access Point Summary | |
| A2.a.04 | | | | | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Modification Summary; CCF: Object Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Misuse Summary; CCF: Rogue Access Point Summary | |
| A2.a.08 | | | | | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Modification Summary; CCF: Object Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Misuse Summary; CCF: Rogue Access Point Summary | |
| A2.b.01 | | | | | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Modification Summary; CCF: Object Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Misuse Summary; CCF: Rogue Access Point Summary | |
| B1.a.01 | | | | | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Modification Summary; CCF: Object Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Misuse Summary; CCF: Rogue Access Point Summary | |
| B2.a.01 | | CCF: Disabled Account Auth Success; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Password Modified by Admin; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Password Modified by Another User; CCF: Auth After Numerous Failed Auths | CCF: Priv Group Access Granted Alarm; CCF: Blacklisted Account Alarm | CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: User Object Access Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
| B2.a.02 | | CCF: Disabled Account Auth Success; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Password Modified by Admin; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Password Modified by Another User; CCF: Auth After Numerous Failed Auths | CCF: Priv Group Access Granted Alarm; CCF: Blacklisted Account Alarm | CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: User Object Access Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
| B2.a.03 | | CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Excessive Authentication Failure Rule | | | | |
| B2.a.04 | | CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Excessive Authentication Failure Rule | | | | |
| B2.a.05 | | | | | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary | |
| B2.a.06 | | | | | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary | |
| B2.c.01 | | CCF: Linux sudo Privilege Escalation; CCF: Admin Password Modified | CCF: Priv Group Access Granted Alarm | CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv | CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
| B2.c.02 | | CCF: Linux sudo Privilege Escalation; CCF: Admin Password Modified | CCF: Priv Group Access Granted Alarm | CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv | CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
| B2.c.03 | | | | | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Modification Summary; CCF: Object Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: User Misuse Summary; CCF: Rogue Access Point Summary | |
| B2.c.04 | | CCF: Disabled Account Auth Success; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Password Modified by Admin; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Password Modified by Another User; CCF: Auth After Numerous Failed Auths | CCF: Priv Group Access Granted Alarm; CCF: Blacklisted Account Alarm | CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: User Object Access Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
| B2.c.05 | | CCF: Disabled Account Auth Success; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Password Modified by Admin; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Password Modified by Another User; CCF: Auth After Numerous Failed Auths | CCF: Priv Group Access Granted Alarm; CCF: Blacklisted Account Alarm | CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: User Object Access Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
| B2.c.06 | | | | | CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary | |
| B2.c.07 | | | | | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary | |
| B2.c.08 | | CCF: Disabled Account Auth Success; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Password Modified by Admin; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Password Modified by Another User; CCF: Auth After Numerous Failed Auths | CCF: Priv Group Access Granted Alarm; CCF: Blacklisted Account Alarm | CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: User Object Access Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
| B2.d.02 | | CCF: Disabled Account Auth Success; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Password Modified by Admin; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Password Modified by Another User; CCF: Auth After Numerous Failed Auths | CCF: Priv Group Access Granted Alarm; CCF: Blacklisted Account Alarm | CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: User Object Access Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
| B2.d.03 | | CCF: Disabled Account Auth Success; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Password Modified by Admin; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Password Modified by Another User; CCF: Auth After Numerous Failed Auths | CCF: Priv Group Access Granted Alarm; CCF: Blacklisted Account Alarm | CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: User Object Access Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
| B2.d.04 | | | | | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary | |
| B2.d.05 | | CCF: Disabled Account Auth Success; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Same User; CCF: Excessive Authentication Failure Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Password Modified by Admin; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Password Modified by Another User; CCF: Auth After Numerous Failed Auths | CCF: Priv Group Access Granted Alarm; CCF: Blacklisted Account Alarm | CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: Suspicious Users Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: User Object Access Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv | CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: User Object Access Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Term Account Activity Summary; CCF: Account Deleted Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary | CCF: Host Access Granted And Revoked Detail; CCF: Unknown User Account Detail |
| B3.b.02 | | CCF: FIM Information; CCF: Data Loss Prevention; CCF: FIM General Activity; CCF: FIM Add Activity; CCF: FIM Abnormal Activity; CCF: Large Outbound Transfer; CCF: Data Exfiltration Observed; CCF: Data Destruction; CCF: Abnormal Amount of Data Transferred; CCF: Misuse; CCF: Config Change After Attack; CCF: Config Modified; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled | CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: FIM Delete Activity Alarm; CCF: Early TLS/SSL Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: PRD Envir Config/Policy Change Alarm | CCF: Physical Access Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: User Misuse Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Config/Policy Change Inv | CCF: Physical Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Audit Log Summary; CCF: Suspected Wireless Attack Summary; CCF: Rogue Access Point Summary | |
| B3.c.02 | | CCF: FIM Information; CCF: Data Loss Prevention; CCF: FIM General Activity; CCF: FIM Add Activity; CCF: FIM Abnormal Activity; CCF: Large Outbound Transfer; CCF: Data Exfiltration Observed; CCF: Data Destruction; CCF: Abnormal Amount of Data Transferred; CCF: Misuse; CCF: Config Change After Attack; CCF: Config Modified; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled | CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: FIM Delete Activity Alarm; CCF: Early TLS/SSL Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: PRD Envir Config/Policy Change Alarm | CCF: Physical Access Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: User Misuse Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Config/Policy Change Inv | CCF: Physical Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Audit Log Summary; CCF: Suspected Wireless Attack Summary; CCF: Rogue Access Point Summary | |
| B3.c.03 | | CCF: FIM Information; CCF: Data Loss Prevention; CCF: FIM General Activity; CCF: FIM Add Activity; CCF: FIM Abnormal Activity; CCF: Large Outbound Transfer; CCF: Data Exfiltration Observed; CCF: Data Destruction; CCF: Abnormal Amount of Data Transferred; CCF: Misuse; CCF: Config Change After Attack; CCF: Config Modified; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled | CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: FIM Delete Activity Alarm; CCF: Early TLS/SSL Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: PRD Envir Config/Policy Change Alarm | CCF: Physical Access Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: User Misuse Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Config/Policy Change Inv | CCF: Physical Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Audit Log Summary; CCF: Suspected Wireless Attack Summary; CCF: Rogue Access Point Summary | |
| B3.c.04 | | CCF: FIM Information; CCF: Data Loss Prevention; CCF: FIM General Activity; CCF: FIM Add Activity; CCF: FIM Abnormal Activity; CCF: Large Outbound Transfer; CCF: Data Exfiltration Observed; CCF: Data Destruction; CCF: Abnormal Amount of Data Transferred; CCF: Misuse; CCF: Config Change After Attack; CCF: Config Modified; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled | CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: FIM Delete Activity Alarm; CCF: Early TLS/SSL Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: PRD Envir Config/Policy Change Alarm | CCF: Physical Access Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: User Misuse Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Config/Policy Change Inv | CCF: Physical Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Audit Log Summary; CCF: Suspected Wireless Attack Summary; CCF: Rogue Access Point Summary | |
| B3.c.05 | | CCF: FIM Information; CCF: Data Loss Prevention; CCF: FIM General Activity; CCF: FIM Add Activity; CCF: FIM Abnormal Activity; CCF: Large Outbound Transfer; CCF: Data Exfiltration Observed; CCF: Data Destruction; CCF: Abnormal Amount of Data Transferred; CCF: Misuse; CCF: Config Change After Attack; CCF: Config Modified; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled | CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: FIM Delete Activity Alarm; CCF: Early TLS/SSL Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: PRD Envir Config/Policy Change Alarm | CCF: Physical Access Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: User Misuse Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Config/Policy Change Inv | CCF: Physical Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Audit Log Summary; CCF: Suspected Wireless Attack Summary; CCF: Rogue Access Point Summary | |
| B3.d.01 | | CCF: FIM Information; CCF: Data Loss Prevention; CCF: FIM General Activity; CCF: FIM Add Activity; CCF: FIM Abnormal Activity; CCF: Large Outbound Transfer; CCF: Data Exfiltration Observed; CCF: Data Destruction; CCF: Abnormal Amount of Data Transferred; CCF: Misuse; CCF: Config Change After Attack; CCF: Config Modified; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled | CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: FIM Delete Activity Alarm; CCF: Early TLS/SSL Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: PRD Envir Config/Policy Change Alarm | CCF: Physical Access Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: User Misuse Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Config/Policy Change Inv | CCF: Physical Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Audit Log Summary; CCF: Suspected Wireless Attack Summary; CCF: Rogue Access Point Summary | |
| B4.a.04 | | CCF: Backup Information | CCF: Backup Failure Alarm | CCF: Backup Activity Inv | CCF: Backup Activity Summary | |
| B4.b.02 | | CCF: FIM Information; CCF: Data Loss Prevention; CCF: FIM General Activity; CCF: FIM Add Activity; CCF: FIM Abnormal Activity; CCF: Large Outbound Transfer; CCF: Data Exfiltration Observed; CCF: Data Destruction; CCF: Abnormal Amount of Data Transferred; CCF: Misuse; CCF: Config Change After Attack; CCF: Config Modified; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled | CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: FIM Delete Activity Alarm; CCF: Early TLS/SSL Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: PRD Envir Config/Policy Change Alarm | CCF: Physical Access Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: User Misuse Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Config/Policy Change Inv | CCF: Physical Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Audit Log Summary; CCF: Suspected Wireless Attack Summary; CCF: Rogue Access Point Summary | |
| B4.b.03 | | CCF: FIM Information; CCF: Data Loss Prevention; CCF: FIM General Activity; CCF: FIM Add Activity; CCF: FIM Abnormal Activity; CCF: Large Outbound Transfer; CCF: Data Exfiltration Observed; CCF: Data Destruction; CCF: Abnormal Amount of Data Transferred; CCF: Misuse; CCF: Config Change After Attack; CCF: Config Modified; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled | CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: FIM Delete Activity Alarm; CCF: Early TLS/SSL Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: PRD Envir Config/Policy Change Alarm | CCF: Physical Access Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: User Misuse Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Config/Policy Change Inv | CCF: Physical Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Audit Log Summary; CCF: Suspected Wireless Attack Summary; CCF: Rogue Access Point Summary | |
B4.b.04 | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Abnormal Amount of Data Transferred CCF: Misuse CCF: Config Change After Attack CCF: Config Modified CCF: Config Change then Critical Error CCF: Config Deleted/Disabled | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: FIM Delete Activity Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm | CCF: Physical Access Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: User Misuse Inv CCF: Use Of Non-Encrypted Protocols Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Audit Log Summary CCF: Suspected Wireless Attack Summary CCF: Rogue Access Point Summary | ||
B4.b.05 | CCF: Software Install CCF: Software Uninstall | CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm | ||||
B4.c.03 | CCF: Malware Event CCF: Software Install CCF: Software Uninstall | CCF: Malware Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm | CCF: Malware Detected Inv | CCF: Malware Detected Summary | ||
B4.d.02 | CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm | CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv | CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary | |||
B5.a.02 | ||||||
B5.c.01 | CCF: Backup Information | CCF: Backup Failure Alarm | CCF: Backup Activity Inv | CCF: Backup Activity Summary | ||
B5.c.03 | CCF: Backup Information | CCF: Backup Failure Alarm | CCF: Backup Activity Inv | CCF: Backup Activity Summary | ||
C1.a.01 | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Abnormal Amount of Data Transferred CCF: Misuse CCF: Config Change After Attack CCF: Social Media Event CCF: Config Modified CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Backup Information CCF: Attack then External Connection CCF: Distributed Brute Force CCF: External Brute Force Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail | |
C1.a.02 | LogRhythm SIEM provides detailed log normalization for many log sources out of the box and lets customers create their own policies with the level of detail needed to aid the detection of security incidents. | |||||
C1.a.03 | LogRhythm SIEM makes it possible to detect lateral movement, exfiltration, malware compromise, ransomware and other IoCs in real time, allowing you to demonstrate compliance with this objective. | |||||
C1.a.04 | CCF: Disabled Account Auth Success CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths | CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail | |
C1.a.05 | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Abnormal Amount of Data Transferred CCF: Misuse CCF: Config Change After Attack CCF: Social Media Event CCF: Config Modified CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Backup Information CCF: Attack then External Connection CCF: Distributed Brute Force CCF: External Brute Force Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail | |
C1.a.06 | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Abnormal Amount of Data Transferred CCF: Misuse CCF: Config Change After Attack CCF: Social Media Event CCF: Config Modified CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Backup Information CCF: Attack then External Connection CCF: Distributed Brute Force CCF: External Brute Force Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail | |
C1.b.01 | LogRhythm SIEM protects data and provides auditable information over the logging environment to ensure the accuracy and reliability of log data. See the deployment security section of the LogRhythm docs for more information. | |||||
C1.b.02 | LogRhythm SIEM protects data and provides auditable information over the logging environment to ensure the accuracy and reliability of log data. See the deployment security section of the LogRhythm docs for more information. | |||||
C1.b.03 | LogRhythm SIEM protects data and provides auditable information over the logging environment to ensure the accuracy and reliability of log data. See the deployment security section of the LogRhythm docs for more information. | |||||
C1.b.04 | LogRhythm SIEM protects data and provides auditable information over the logging environment to ensure the accuracy and reliability of log data. See the deployment security section of the LogRhythm docs for more information. | |||||
C1.b.05 | LogRhythm SIEM protects data and provides auditable information over the logging environment to ensure the accuracy and reliability of log data. See the deployment security section of the LogRhythm docs for more information. | |||||
C1.b.06 | LogRhythm SIEM protects data and provides auditable information over the logging environment to ensure the accuracy and reliability of log data. See the deployment security section of the LogRhythm docs for more information. | |||||
C1.b.07 | LogRhythm SIEM protects data and provides auditable information over the logging environment to ensure the accuracy and reliability of log data. See the deployment security section of the LogRhythm docs for more information. | |||||
C1.c.01 | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Abnormal Amount of Data Transferred CCF: Misuse CCF: Config Change After Attack CCF: Social Media Event CCF: Config Modified CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Backup Information CCF: Attack then External Connection CCF: Distributed Brute Force CCF: External Brute Force Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail | |
C1.c.02 | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Abnormal Amount of Data Transferred CCF: Misuse CCF: Config Change After Attack CCF: Social Media Event CCF: Config Modified CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Backup Information CCF: Attack then External Connection CCF: Distributed Brute Force CCF: External Brute Force Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail | |
C1.c.03 | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Abnormal Amount of Data Transferred CCF: Misuse CCF: Config Change After Attack CCF: Social Media Event CCF: Config Modified CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Backup Information CCF: Attack then External Connection CCF: Distributed Brute Force CCF: External Brute Force Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail | |
C1.c.04 | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Abnormal Amount of Data Transferred CCF: Misuse CCF: Config Change After Attack CCF: Social Media Event CCF: Config Modified CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Backup Information CCF: Attack then External Connection CCF: Distributed Brute Force CCF: External Brute Force Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail | |
C1.c.05 | | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Abnormal Amount of Data Transferred CCF: Misuse CCF: Config Change After Attack CCF: Social Media Event CCF: Config Modified CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Backup Information CCF: Attack then External Connection CCF: Distributed Brute Force CCF: External Brute Force Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
C1.c.06 | | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Abnormal Amount of Data Transferred CCF: Misuse CCF: Config Change After Attack CCF: Social Media Event CCF: Config Modified CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Backup Information CCF: Attack then External Connection CCF: Distributed Brute Force CCF: External Brute Force Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
C1.d.01 | | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Abnormal Amount of Data Transferred CCF: Misuse CCF: Config Change After Attack CCF: Social Media Event CCF: Config Modified CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Backup Information CCF: Attack then External Connection CCF: Distributed Brute Force CCF: External Brute Force Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
C1.d.02 | | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Abnormal Amount of Data Transferred CCF: Misuse CCF: Config Change After Attack CCF: Social Media Event CCF: Config Modified CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Backup Information CCF: Attack then External Connection CCF: Distributed Brute Force CCF: External Brute Force Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
C1.d.03 | | | CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm | CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Config/Policy Change Inv | CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary | |
C1.d.04 | LogRhythm SIEM provides a robust case management feature which is a collaborative forensic tool for creating cases to track and document suspicious logs and alarms that are believed to be related to the same threat. | |||||
C1.e.01 | | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Abnormal Amount of Data Transferred CCF: Misuse CCF: Config Change After Attack CCF: Social Media Event CCF: Config Modified CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Backup Information CCF: Attack then External Connection CCF: Distributed Brute Force CCF: External Brute Force Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
C1.e.03 | | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Abnormal Amount of Data Transferred CCF: Misuse CCF: Config Change After Attack CCF: Social Media Event CCF: Config Modified CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Backup Information CCF: Attack then External Connection CCF: Distributed Brute Force CCF: External Brute Force Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
C1.e.05 | LogRhythm SIEM Platform provides holistic visibility into your network and improves detection and response capabilities. Paired with LogRhythm’s compliance automation modules, your team can comply with necessary mandates more efficiently and effectively. | |||||
C1.e.06 | LogRhythm SIEM provides robust collection and normalization of data to enable accurate and reliable analysis. | |||||
C2.a.01 | Yes | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Abnormal Amount of Data Transferred CCF: Misuse CCF: Config Change After Attack CCF: Social Media Event CCF: Config Modified CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Backup Information CCF: Attack then External Connection CCF: Distributed Brute Force CCF: External Brute Force Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
C2.a.02 | Yes | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Abnormal Amount of Data Transferred CCF: Misuse CCF: Config Change After Attack CCF: Social Media Event CCF: Config Modified CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Backup Information CCF: Attack then External Connection CCF: Distributed Brute Force CCF: External Brute Force Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
C2.a.03 | Yes | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Abnormal Amount of Data Transferred CCF: Misuse CCF: Config Change After Attack CCF: Social Media Event CCF: Config Modified CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Backup Information CCF: Attack then External Connection CCF: Distributed Brute Force CCF: External Brute Force Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
C2.a.04 | Yes | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Abnormal Amount of Data Transferred CCF: Misuse CCF: Config Change After Attack CCF: Social Media Event CCF: Config Modified CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Backup Information CCF: Attack then External Connection CCF: Distributed Brute Force CCF: External Brute Force Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
C2.b.01 | Yes | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Abnormal Amount of Data Transferred CCF: Misuse CCF: Config Change After Attack CCF: Social Media Event CCF: Config Modified CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Backup Information CCF: Attack then External Connection CCF: Distributed Brute Force CCF: External Brute Force Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
D1.b.04 | Yes | CCF: Backup Information | CCF: Backup Failure Alarm | CCF: Backup Activity Inv | CCF: Backup Activity Summary | |
D2.a.01 | Yes | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Abnormal Amount of Data Transferred CCF: Misuse CCF: Config Change After Attack CCF: Social Media Event CCF: Config Modified CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Backup Information CCF: Attack then External Connection CCF: Distributed Brute Force CCF: External Brute Force Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
D2.a.02 | Yes | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Abnormal Amount of Data Transferred CCF: Misuse CCF: Config Change After Attack CCF: Social Media Event CCF: Config Modified CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Backup Information CCF: Attack then External Connection CCF: Distributed Brute Force CCF: External Brute Force Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |
D2.a.03 | Yes | CCF: FIM Information CCF: Data Loss Prevention CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: Disabled Account Auth Success CCF: GeoIP General Activity CCF: Corroborated Data Access Anomalies CCF: GeoIP Blacklisted Region Activity CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Abnormal Origin Location CCF: Auth After Security Event CCF: Large Outbound Transfer CCF: Data Exfiltration Observed CCF: Data Destruction CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Same User CCF: Excessive Authentication Failure Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Abnormal Amount of Data Transferred CCF: Misuse CCF: Config Change After Attack CCF: Social Media Event CCF: Config Modified CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Software Install CCF: Software Uninstall CCF: Backup Information CCF: Attack then External Connection CCF: Distributed Brute Force CCF: External Brute Force Auths | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm CCF: Privilege Escalation After Attack Alarm CCF: FIM Delete Activity Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Backup Failure Alarm CCF: Time Sync Error Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial Of Service Alarm | CCF: Physical Access Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: User Object Access Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv | CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: User Object Access Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Term Account Activity Summary CCF: Account Deleted Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Modification Summary CCF: Object Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: User Misuse Summary CCF: Rogue Access Point Summary | CCF: Host Access Granted And Revoked Detail CCF: Unknown User Account Detail |