
NIST – AI Engine Rules

AI Engine Rule Name

Rule Description

Classification

Augmented Requirements

Log Source

Corresponding Investigation

Alert

Rule ID

CCF: Data Exfiltration Observed

External attack or compromise followed by data leaving the same system.

Security : Compromise

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.21, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.8, 3.4.2, 3.4.3, 3.4.6, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.8.7, 3.8.8, 3.8.9, 3.9.2, AC-16, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AU-10, AU-11, AU-12, AU-13, AU-14, AU-15, AU-3, AU-5, AU-6, AU-7, AU-9, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-6, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-2, IA-3, IA-4, IA-5, IA-7, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-3, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-6, MP-7, MP-8, PA-3, PA-4, PE-17, PL-8, PL-9, PM-12, PM-17, PM-23, PM-26, PM-6, PR.AC-5, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-6, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-7, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-4, SA-5, SA-9, SC-13, SC-16, SC-18, SC-2, SC-24, SC-27, SC-28, SC-31, SC-36, SC-38, SC-7, SI-12, SI-16, SI-18, SI-19, SI-20, SI-3, SI-4, SI-5, SI-7

1. Include All Log Sources

2. Include All Log Sources

CCF: LogRhythm Data Loss Defender Log Inv

No

1193

CCF: Disabled Account Auth Success

Recently disabled or deleted account authenticates or accesses resources on the network.

Security : Compromise

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.13.4, 3.14.1, 3.14.2, 3.14.3, 3.14.6, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.5.1, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.9.2, AC-16, AC-17, AC-18, AC-2, AC-20, AC-23, AC-3, AU-15, AU-3, CP-13, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.DP-2, DE.DP-5, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, IR-4, PA-3, PL-4, PL-9, PM-12, PM-17, PM-26, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.PT-4, PS-7, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SA-9, SC-2, SC-3, SC-36, SC-38, SC-4, SC-7, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

1. Include All Log Sources

2. Include All Log Sources

N/A

No

1194

CCF: Large Outbound Transfer

A single host is seen sending more than 1 GB of data out of the network within 30 minutes.

Security : Compromise

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.21, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.8, 3.4.2, 3.4.3, 3.4.6, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.8.7, 3.8.8, 3.8.9, 3.9.2, AC-16, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AU-10, AU-11, AU-12, AU-13, AU-14, AU-15, AU-3, AU-5, AU-6, AU-7, AU-9, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-6, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-2, IA-3, IA-4, IA-5, IA-7, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-3, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-6, MP-7, MP-8, PA-3, PA-4, PE-17, PL-8, PL-9, PM-12, PM-17, PM-23, PM-26, PM-6, PR.AC-5, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-6, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-7, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-4, SA-5, SA-9, SC-13, SC-16, SC-18, SC-2, SC-24, SC-27, SC-28, SC-31, SC-36, SC-38, SC-7, SI-12, SI-16, SI-18, SI-19, SI-20, SI-3, SI-4, SI-5, SI-7

Include All Log Sources

N/A

No

1195

CCF: Local Account Created and Used

An account is created on a host and then used shortly thereafter on the same host.

Security : Compromise

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.2, 3.13.4, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.9.2, AC-10, AC-16, AC-17, AC-18, AC-2, AC-20, AC-23, AC-24, AC-25, AC-3, AC-4, AC-6, AU-10, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-4, PS-5, PS-7, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-4, SA-5, SA-9, SC-18, SC-2, SC-24, SC-27, SC-28, SC-3, SC-31, SC-36, SC-38, SC-4, SC-7, SI-14, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

1. Include All Log Sources

2. Include All Log Sources

N/A

No

1196

CCF: External Brute Force Auths

Successful authentication after multiple failed attempts from different external origin hosts to the same impacted host.

Security : Compromise

Augment: 3.1.12, 3.1.3, 3.13.1, 3.13.15, 3.13.2, 3.14.1, 3.14.2, 3.14.3, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.6.1, 3.6.2, 3.6.3, AC-16, AC-20, AC-23, AC-4, AC-7, AU-12, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-4, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-5, PR.DS-5, PR.IP-9, PR.PT-1, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SA-9, SC-18, SC-2, SC-24, SC-27, SC-31, SC-36, SC-38, SC-4, SC-7, SI-14, SI-3, SI-4, SI-5, SI-7, SI-8

1. Include All Log Sources

2. Include All Log Sources

N/A

No

1197

CCF: Auth After Numerous Failed Auths

Multiple external unique login attempts are seen on the same impacted host within a short period of time, followed by a successful authentication.

Security : Compromise

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.9.2, AC-10, AC-16, AC-18, AC-2, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AC-6, AU-10, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-4, PS-5, PS-7, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SA-4, SA-5, SA-9, SC-18, SC-2, SC-24, SC-27, SC-28, SC-3, SC-31, SC-36, SC-38, SC-4, SC-40, SC-7, SC-8, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

1. Include All Log Sources

2. Include All Log Sources

N/A

No

1199

CCF: Auth After Security Event

An observed attack, compromise, or other security event followed by successful access or authentication from the attacking host.

Security : Compromise

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.9.2, AC-10, AC-16, AC-18, AC-2, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AC-6, AU-10, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-4, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-4, PS-5, PS-7, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SA-4, SA-5, SA-9, SC-18, SC-2, SC-24, SC-27, SC-28, SC-3, SC-31, SC-36, SC-38, SC-4, SC-40, SC-7, SC-8, SI-14, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

1. Include All Log Sources

2. Include All Log Sources

N/A

No

1200

CCF: Corroborated Data Access Anomalies

2 or more unique behavioral anomalies for data within a 3 hour period. This alarm requires Rule IDs 300-302 to be turned on in order to trigger.

Security : Compromise

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.21, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.8, 3.4.2, 3.4.3, 3.4.6, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.8.7, 3.8.8, 3.8.9, 3.9.2, AC-16, AC-18, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AU-10, AU-11, AU-12, AU-13, AU-14, AU-15, AU-3, AU-5, AU-6, AU-7, AU-9, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-6, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-2, IA-3, IA-4, IA-5, IA-7, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-3, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-6, MP-8, PA-3, PA-4, PE-17, PL-8, PL-9, PM-12, PM-17, PM-23, PM-26, PM-6, PR.AC-3, PR.AC-5, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-6, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-7, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-4, SA-5, SA-9, SC-13, SC-16, SC-18, SC-2, SC-24, SC-27, SC-28, SC-31, SC-36, SC-38, SC-7, SI-12, SI-16, SI-18, SI-19, SI-20, SI-3, SI-4, SI-5, SI-7

Include All Log Sources

CCF: Suspicious Users Inv

No

1201

CCF: Data Destruction

Attack event followed by a FIM delete/modify event on the same host.

Security : Compromise

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.21, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.8, 3.4.2, 3.4.3, 3.4.6, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.8.7, 3.8.8, 3.8.9, 3.9.2, AC-16, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AU-10, AU-11, AU-12, AU-13, AU-14, AU-15, AU-3, AU-5, AU-6, AU-7, AU-9, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-6, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-2, IA-3, IA-4, IA-5, IA-7, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-3, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-6, MP-7, MP-8, PA-3, PA-4, PE-17, PL-8, PL-9, PM-12, PM-17, PM-23, PM-26, PM-6, PR.AC-5, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-6, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-7, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-4, SA-5, SA-9, SC-13, SC-16, SC-18, SC-2, SC-24, SC-27, SC-28, SC-31, SC-36, SC-38, SC-7, SI-12, SI-16, SI-18, SI-19, SI-20, SI-3, SI-4, SI-5, SI-7

Include All Log Sources

CCF: LogRhythm Data Loss Defender Log Inv

No

1202

CCF: Distributed Brute Force

A successful brute force authentication: multiple failed authentication attempts from different external hosts to the same host using the same origin login, followed by an authentication success.

Security : Compromise

Augment: 3.1.12, 3.1.3, 3.13.1, 3.13.15, 3.13.2, 3.14.1, 3.14.2, 3.14.3, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.6.1, 3.6.2, 3.6.3, AC-16, AC-20, AC-23, AC-4, AC-7, AU-12, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-4, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-5, PR.DS-5, PR.IP-9, PR.PT-1, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SA-9, SC-18, SC-2, SC-24, SC-27, SC-31, SC-36, SC-38, SC-4, SC-7, SI-14, SI-3, SI-4, SI-5, SI-7, SI-8

1. Include All Log Sources

2. Include All Log Sources

N/A

No

1203

CCF: Blacklist Location Auth

Authentication success from a blacklisted location.


Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.9.2, AC-10, AC-16, AC-17, AC-18, AC-2, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AC-6, AU-10, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SA-4, SA-5, SA-9, SC-18, SC-2, SC-24, SC-27, SC-28, SC-3, SC-31, SC-36, SC-38, SC-4, SC-40, SC-7, SC-8, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

Include All Log Sources

No

1204

CCF: Concurrent VPN from Multiple Locations

Multiple VPN authentication successes from the same origin login are observed from different regions within a given time period (default 3 hours).

Security : Compromise

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.13.1, 3.13.15, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.9.2, AC-10, AC-16, AC-17, AC-18, AC-2, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AC-6, AU-10, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-7, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SA-4, SA-5, SA-9, SC-18, SC-2, SC-24, SC-27, SC-28, SC-3, SC-31, SC-36, SC-38, SC-4, SC-40, SC-7, SC-8, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

Include All Log Sources

N/A

No

1205

CCF: Critical Event After Attack

An external attack or compromise followed by a critical event on the same host.

Action: This alarm can identify when an error message is generated as the result of a successful attack. This can be unexpected process termination or a hardware fail

Audit : Other Audit Success

Augment: 3.1.10, 3.1.12, 3.1.13, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.14.1, 3.14.2, 3.14.3, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.8, 3.6.1, 3.6.2, 3.6.3, 3.8.1, 3.8.2, 3.8.7, 3.8.8, AC-16, AC-20, AC-23, AC-4, AU-11, AU-12, AU-14, AU-15, AU-3, AU-5, AU-6, AU-7, AU-9, CA-2, CA-7, CP-13, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-4, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-2, IA-3, IA-4, IA-5, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-5, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-6, PR.IP-4, PR.IP-9, PR.PT-1, PR.PT-2, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SA-4, SA-9, SC-13, SC-16, SC-18, SC-2, SC-24, SC-27, SC-28, SC-31, SC-36, SC-38, SC-4, SC-7, SI-11, SI-12, SI-14, SI-16, SI-17, SI-2, SI-3, SI-4, SI-5, SI-7, SI-8

1. Include All Log Sources

2. Include All Log Sources

N/A

No

1206

CCF: Corroborated Account Anomalies

3 or more unique behavioral anomalies for a given user within a 3 hour period. This rule requires Rule IDs 285-289 to be turned on.

Use Case : An account has been compromised.

Security : Compromise

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.13.4, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.9, 3.4.2, 3.4.6, 3.5.1, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.9.2, AC-10, AC-16, AC-17, AC-18, AC-2, AC-20, AC-23, AC-24, AC-25, AC-3, AC-4, AC-6, AU-10, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-7, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-4, SA-5, SA-9, SC-18, SC-2, SC-24, SC-27, SC-28, SC-3, SC-31, SC-36, SC-38, SC-4, SC-7, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

Include All Log Sources

CCF: Suspicious Users Inv

No

1207

CCF: Abnormal Origin Location

First tracks the geographic locations of VPN logins; afterwards, triggers when a new origin location is seen for a user.

Security : Attack

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.9.2, AC-10, AC-16, AC-17, AC-18, AC-2, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AC-6, AU-10, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-7, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SA-4, SA-5, SA-9, SC-18, SC-2, SC-24, SC-27, SC-28, SC-3, SC-31, SC-36, SC-38, SC-4, SC-40, SC-7, SC-8, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

1. Include All Log Sources

2. Include All Log Sources

N/A

No

1208

CCF: LogRhythm Silent Log Source Error Alarm

This AIE Rule creates an alert and provides information when a LogRhythm Log Source has not received logs from a critical or production server-system during the defined error period.

Operations : Warning

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.21, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.10.1, 3.10.2, 3.10.3, 3.10.4, 3.10.5, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.10, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.7.6, 3.8.1, 3.8.2, 3.8.5, 3.8.7, 3.8.8, 3.8.9, 3.9.2, AC-10, AC-16, AC-17, AC-18, AC-2, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AC-6, AC-7, AU-10, AU-11, AU-12, AU-13, AU-14, AU-15, AU-3, AU-4, AU-5, AU-6, AU-7, AU-8, AU-9, CA-2, CA-7, CM-11, CM-12, CM-3, CM-5, CM-6, CM-7, CM-8, CP-13, CP-6, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-2, DE.CM-3, DE.CM-4, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-3, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-6, MP-7, MP-8, PA-3, PA-4, PE-17, PE-2, PE-3, PE-4, PE-5, PE-6, PE-7, PE-8, PL-4, PL-8, PL-9, PM-12, PM-14, PM-17, PM-23, PM-26, PM-6, PR.AC-1, PR.AC-2, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-3, PR.DS-4, PR.DS-5, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-6, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-4, PS-5, PS-7, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-3, SA-4, SA-5, SA-9, SC-13, SC-16, SC-18, SC-2, SC-24, SC-27, SC-28, SC-3, SC-31, SC-36, SC-38, SC-4, SC-40, SC-5, SC-7, SC-8, SI-11, SI-12, SI-14, SI-16, SI-17, SI-18, SI-19, SI-2, SI-20, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

Include All Log Sources

CCF: Audit Log Inv

Yes

1209

CCF: Critical/PRD Envir Config/Policy Change Alarm

This AIE rule creates an alert any time configuration or policy modification logs are received from a critical or production environment (entity structure).

Audit : Policy

Augment: 3.1.10, 3.1.12, 3.1.13, 3.1.2, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.2, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.8, 3.4.2, 3.4.3, 3.4.6, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.8.7, 3.8.8, AC-16, AC-20, AC-23, AC-4, AU-10, AU-12, AU-14, AU-15, AU-3, AU-5, AU-6, AU-7, AU-9, CA-2, CA-7, CM-11, CM-12, CM-3, CM-5, CM-6, CM-7, CM-8, CP-13, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-2, IA-3, IA-4, IA-5, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IR-10, IR-4, IR-6, IR-7, IR-9, MA-2, MA-3, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-5, PR.AC-7, PR.DS-3, PR.DS-5, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-3, SA-4, SA-5, SA-9, SC-13, SC-16, SC-2, SC-36, SC-38, SC-4, SC-7, SI-11, SI-16, SI-2, SI-3, SI-4, SI-5, SI-7

CCF: Production Servers

CCF: Config/Policy Change Inv

Yes

1210

CCF: Attack then External Connection

An observed external attack or compromise followed by data leaving the system and going to the attacker.

Security : Compromise

Augment: 3.1.10, 3.1.12, 3.1.13, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.14.1, 3.14.2, 3.14.3, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.8, 3.6.1, 3.6.2, 3.6.3, 3.8.1, 3.8.2, 3.8.7, 3.8.8, AC-16, AC-20, AC-23, AC-4, AU-11, AU-12, AU-14, AU-15, AU-3, AU-5, AU-6, AU-7, AU-9, CA-2, CA-7, CP-13, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-4, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-2, IA-3, IA-4, IA-5, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-5, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-6, PR.IP-4, PR.IP-9, PR.PT-1, PR.PT-2, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SA-4, SA-9, SC-13, SC-16, SC-18, SC-2, SC-24, SC-27, SC-28, SC-31, SC-36, SC-38, SC-4, SC-40, SC-7, SI-11, SI-12, SI-14, SI-16, SI-17, SI-2, SI-3, SI-4, SI-5, SI-7, SI-8

1. Include All Log Sources

2. Include All Log Sources

N/A

No

1211

CCF: Critical/PRD Envir Patch Failure Alarm

This AIE rule creates an alert any time a patch fails to apply to the critical or production environments (entity structure).

Operations : Error

Augment: 3.1.10, 3.1.12, 3.1.2, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.2, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.8, 3.4.2, 3.4.3, 3.4.6, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, AC-16, AC-20, AC-23, AC-4, AU-12, AU-14, AU-15, AU-3, AU-5, AU-6, AU-7, CA-2, CA-7, CM-11, CM-12, CM-3, CM-5, CM-6, CM-7, CM-8, CP-13, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-2, IA-3, IA-4, IA-5, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IR-10, IR-4, IR-6, IR-7, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-5, PR.AC-7, PR.DS-3, PR.DS-5, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-3, SA-4, SA-5, SA-9, SC-16, SC-18, SC-2, SC-24, SC-27, SC-31, SC-36, SC-38, SC-4, SC-7, SI-11, SI-17, SI-2, SI-3, SI-4, SI-5, SI-7

Include All Log Sources

CCF: Critical Environment Error Inv

Yes

1212

CCF: Critical/PRD Envir Signature Failure Alarm

This AIE Rule creates an alert on signature update failures on critical or production environments (entity structure).

Operations : Error

Augment: 3.1.10, 3.1.12, 3.1.2, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.2, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.8, 3.4.2, 3.4.3, 3.4.6, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, AC-16, AC-20, AC-23, AC-4, AU-12, AU-14, AU-15, AU-3, AU-5, AU-6, AU-7, CA-2, CA-7, CM-11, CM-12, CM-3, CM-5, CM-6, CM-7, CM-8, CP-13, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-2, IA-3, IA-4, IA-5, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IR-10, IR-4, IR-6, IR-7, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-5, PR.AC-7, PR.DS-3, PR.DS-5, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-3, SA-4, SA-5, SA-9, SC-16, SC-18, SC-2, SC-24, SC-27, SC-31, SC-36, SC-38, SC-4, SC-7, SI-11, SI-17, SI-2, SI-3, SI-4, SI-5, SI-7

Include All Log Sources

CCF: Critical Environment Error Inv

Yes

1213

CCF: Config Change After Attack

Attack event on a host followed by a configuration change made to that host within 3 minutes.

Audit : Policy

Augment: 3.1.10, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.8, 3.4.2, 3.4.3, 3.4.6, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.8.7, 3.8.8, 3.8.9, AC-16, AC-18, AC-20, AC-23, AC-4, AU-10, AU-12, AU-14, AU-15, AU-3, AU-5, AU-6, AU-7, AU-8, AU-9, CA-2, CA-7, CM-11, CM-12, CM-3, CM-5, CM-6, CM-7, CM-8, CP-13, CP-6, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-4, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-2, IA-3, IA-4, IA-5, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-3, PR.AC-5, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-3, PR.DS-5, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-3, SA-4, SA-5, SA-9, SC-13, SC-16, SC-18, SC-2, SC-24, SC-27, SC-31, SC-36, SC-4, SC-7, SI-11, SI-12, SI-14, SI-16, SI-17, SI-2, SI-3, SI-4, SI-5, SI-7, SI-8

1. Include All Log Sources

2. Include All Log Sources

CCF: Config/Policy Change Inv

No

1214

CCF: Time Sync Error Alarm

This AIE Rule creates an event and alerts for any time sync errors occurring on any Log Source.

Operations : Warning

Augment: 3.1.12, 3.1.3, 3.13.1, 3.13.15, 3.13.2, 3.14.1, 3.14.2, 3.14.3, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.6.1, 3.6.2, 3.6.3, AC-16, AC-20, AC-21, AC-23, AU-11, AU-12, AU-14, AU-15, AU-3, AU-4, AU-5, AU-6, AU-7, AU-8, CA-2, CA-7, CP-13, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, DE.DP-2, DE.DP-5, ID.AM-5, ID.RA-3, ID.SC-4, IR-10, IR-4, IR-6, IR-7, IR-9, PL-8, PL-9, PM-12, PM-14, PM-17, PM-26, PM-6, PR.DS-4, PR.DS-6, PR.IP-4, PR.IP-9, PR.PT-1, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SC-16, SC-18, SC-2, SC-24, SC-27, SC-31, SC-36, SC-38, SC-4, SC-7, SI-11, SI-17, SI-3, SI-4, SI-5, SI-7

Include All Log Sources

CCF: Time Sync Error Inv

Yes

1215

CCF: Config Change then Critical Error

Configuration change followed by a critical error on the same host, indicating an erroneous configuration, malicious intent, or otherwise.

Audit : Policy

Augment: 3.1.10, 3.1.12, 3.1.13, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.8, 3.4.2, 3.4.3, 3.4.6, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.8.7, 3.8.8, AC-16, AC-20, AC-23, AC-4, AU-12, AU-14, AU-15, AU-3, AU-5, AU-6, AU-7, AU-9, CA-2, CA-7, CM-11, CM-12, CM-3, CM-5, CM-6, CM-7, CM-8, CP-13, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-4, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-2, IA-3, IA-4, IA-5, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-4, PL-8, PL-9, PM-12, PM-17, PM-26, PR.AC-5, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-3, PR.DS-5, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-3, SA-4, SA-5, SA-9, SC-13, SC-16, SC-18, SC-24, SC-27, SC-31, SC-36, SC-38, SC-4, SC-7, SI-11, SI-12, SI-14, SI-16, SI-17, SI-2, SI-3, SI-4, SI-5, SI-7, SI-8

1. Include All Log Sources

2. Include All Log Sources

CCF: Config/Policy Change Inv

No

1216

CCF: Malware Alarm

This AIE Rule provides details on malware activity across the organization's environment where malware detection/prevention is applied.

Security : Malware

Augment: 3.1.12, 3.1.3, 3.13.1, 3.13.15, 3.13.2, 3.14.1, 3.14.2, 3.14.3, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.6.1, 3.6.2, 3.6.3, AC-16, AC-20, AC-23, AC-4, AU-12, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-4, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-5, PR.DS-5, PR.IP-9, PR.PT-1, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SA-9, SC-18, SC-2, SC-24, SC-27, SC-31, SC-36, SC-38, SC-4, SC-40, SC-7, SI-14, SI-3, SI-4, SI-5, SI-7, SI-8

Include All Log Sources

CCF: Malware Detected Inv

Yes

1217

CCF: Vulnerability Detected Alarm

This AIE Rule alerts on the occurrence of vulnerabilities or suspicious events across the organization's environment.

Security : Vulnerability

Augment: 3.1.12, 3.1.3, 3.13.1, 3.13.15, 3.13.2, 3.14.1, 3.14.2, 3.14.3, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.6.1, 3.6.2, 3.6.3, AC-16, AC-20, AC-23, AC-4, AU-12, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-4, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-5, PR.DS-5, PR.IP-9, PR.PT-1, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SA-9, SC-18, SC-2, SC-24, SC-27, SC-31, SC-36, SC-38, SC-4, SC-40, SC-7, SI-14, SI-3, SI-4, SI-5, SI-7, SI-8

Include All Log Sources

CCF: Vulnerability Detected Inv

Yes

1218

CCF: Config Deleted/Disabled

Configuration deleted or disabled within the organization infrastructure.

Audit : Policy

Augment: 3.1.10, 3.1.12, 3.1.13, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.8, 3.4.2, 3.4.3, 3.4.6, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.8.7, 3.8.8, AC-16, AC-20, AC-23, AC-4, AU-12, AU-14, AU-15, AU-3, AU-5, AU-6, AU-7, AU-9, CA-2, CA-7, CM-11, CM-12, CM-3, CM-5, CM-6, CM-7, CM-8, CP-13, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-4, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-2, IA-3, IA-4, IA-5, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-4, PL-8, PL-9, PM-12, PM-17, PM-26, PR.AC-5, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-3, PR.DS-5, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-3, SA-4, SA-5, SA-9, SC-13, SC-16, SC-18, SC-24, SC-27, SC-31, SC-36, SC-38, SC-4, SC-7, SI-11, SI-12, SI-14, SI-16, SI-17, SI-2, SI-3, SI-4, SI-5, SI-7, SI-8

CCF: Production Servers

CCF: Config/Policy Change Inv

No

1219

CCF: Rogue Access Point Alarm

This AIE Rule alerts on the occurrence of any rogue access point detection events against the organization's environment.

Security : Suspicious

Augment: 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.2, 3.14.1, 3.14.2, 3.14.3, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.6.1, 3.6.2, 3.6.3, 3.8.1, 3.8.2, AC-16, AC-18, AC-20, AC-23, AC-4, AU-12, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-2, IA-3, IA-4, IA-5, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-4, PE-17, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-5, PR.AC-7, PR.DS-5, PR.IP-9, PR.PT-1, PR.PT-2, PR.PT-4, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SA-4, SA-9, SC-18, SC-2, SC-24, SC-27, SC-31, SC-36, SC-38, SC-4, SC-40, SC-7, SC-8, SI-14, SI-3, SI-4, SI-5, SI-7, SI-8

Include All Log Sources

CCF: Rogue Access Point Inv

Yes

1220

CCF: Config Modified

Configuration modified within the organization infrastructure.

Audit : Policy

Augment: 3.1.10, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.14.4, 3.3.7, 3.3.8, 3.4.2, 3.4.3, 3.4.6, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.8.7, 3.8.8, AC-4, AU-8, AU-9, CM-11, CM-12, CM-3, CM-5, CM-6, CM-7, CM-8, IA-2, IA-3, IA-4, IA-5, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PR.AC-5, PR.AC-7, PR.DS-3, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.MA-1, PR.MA-2, PR.PT-2, PR.PT-3, SA-3, SA-4, SA-5

Include All Log Sources

CCF: Config/Policy Change Inv

No

1221

CCF: Non-Encrypted Protocol Alarm

This investigation provides details of unencrypted applications being utilized within the critical and production systems or environments (entity structure).

Operations : Information

Augment: 3.1.10, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.8, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.10, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.8.7, 3.8.8, AC-10, AC-16, AC-17, AC-18, AC-20, AC-21, AC-23, AC-24, AC-25, AC-4, AC-6, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, AU-9, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-8, PL-9, PM-12, PM-17, PM-23, PM-26, PM-6, PR.AC-3, PR.AC-5, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-6, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SA-4, SA-5, SA-9, SC-13, SC-16, SC-18, SC-2, SC-28, SC-36, SC-38, SC-4, SC-40, SC-7, SC-8, SI-12, SI-16, SI-18, SI-19, SI-20, SI-3, SI-4, SI-5, SI-7

Include All Log Sources

CCF: Use Of Non-Encrypted Protocols Inv

Yes

1222

CCF: Suspected Wireless Attack Alarm

This AIE Rule creates an event and alerts on suspected wireless attacks (success/failure) against the boundary monitoring devices.

Security : Attack

Augment: 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.2, 3.14.1, 3.14.2, 3.14.3, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.6.1, 3.6.2, 3.6.3, 3.8.1, 3.8.2, AC-16, AC-18, AC-20, AC-23, AC-4, AU-12, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-2, IA-3, IA-4, IA-5, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-4, PE-17, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-5, PR.AC-7, PR.DS-5, PR.IP-9, PR.PT-1, PR.PT-2, PR.PT-4, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SA-4, SA-9, SC-18, SC-2, SC-24, SC-27, SC-31, SC-36, SC-38, SC-4, SC-40, SC-7, SC-8, SI-14, SI-3, SI-4, SI-5, SI-7, SI-8

CCF: Wireless IDS

CCF: Suspected Wireless Attack Inv

Yes

1223

CCF: FIM Information

This AIE Rule creates events for general file integrity monitoring information.

Operations : Information

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.21, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.8, 3.4.2, 3.4.3, 3.4.6, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.8.7, 3.8.8, 3.8.9, 3.9.2, AC-16, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AU-10, AU-11, AU-12, AU-13, AU-14, AU-15, AU-3, AU-5, AU-6, AU-7, AU-9, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-6, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-2, IA-3, IA-4, IA-5, IA-7, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-3, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-6, MP-7, MP-8, PA-3, PA-4, PE-17, PL-8, PL-9, PM-12, PM-17, PM-23, PM-26, PM-6, PR.AC-5, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-6, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-7, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-4, SA-5, SA-9, SC-13, SC-16, SC-18, SC-2, SC-24, SC-27, SC-28, SC-31, SC-36, SC-38, SC-7, SI-12, SI-16, SI-18, SI-19, SI-20, SI-3, SI-4, SI-5, SI-7

Include All Log Sources

N/A

No

1229

CCF: Abnormal Amount of Data Transferred

This rule alerts whenever a significant change (400% increase or 75% decrease) in Bytes In or Bytes Out is observed for a specific host.

Operations : Warning

Augment: 3.1.10, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.21, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.4.2, 3.4.3, 3.4.6, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.8.7, 3.8.8, 3.8.9, 3.9.2, AC-16, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AU-10, AU-11, AU-12, AU-13, AU-14, AU-15, AU-3, AU-5, AU-6, AU-7, AU-9, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-6, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-2, IA-3, IA-4, IA-5, IA-7, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-3, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-6, MP-7, MP-8, PA-3, PA-4, PE-17, PL-8, PL-9, PM-12, PM-17, PM-23, PM-26, PM-6, PR.AC-5, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-6, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-7, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-4, SA-5, SA-9, SC-13, SC-16, SC-18, SC-2, SC-24, SC-27, SC-28, SC-31, SC-36, SC-38, SC-7, SI-12, SI-16, SI-18, SI-19, SI-20, SI-3, SI-4, SI-5, SI-7

1. Include All Log Sources

2. Include All Log Sources

N/A

No

1230

CCF: Misuse

This AIE Rule provides details on misuse activity.

Security : Misuse

Augment: 3.1.10, 3.1.12, 3.1.2, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.2, 3.14.1, 3.14.2, 3.14.3, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.9, 3.6.1, 3.6.2, 3.6.3, 3.8.1, 3.8.2, AC-10, AC-16, AC-17, AC-18, AC-20, AC-21, AC-23, AC-24, AC-25, AC-6, AU-10, AU-12, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-3, PR.AC-7, PR.DS-1, PR.DS-2, PR.IP-9, PR.PT-1, PR.PT-2, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-4, SA-9, SC-18, SC-2, SC-24, SC-27, SC-28, SC-31, SC-36, SC-38, SC-4, SC-7, SI-14, SI-3, SI-4, SI-5, SI-7, SI-8

Include All Log Sources

CCF: User Misuse Inv

No

1231

CCF: Data Loss Prevention

This AIE Rule provides details of data generated by the LogRhythm Data Loss Defender or other data loss prevention solutions, when configured.

Operations : Information

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.21, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.8, 3.4.2, 3.4.3, 3.4.6, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.8.7, 3.8.8, 3.8.9, 3.9.2, AC-16, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AU-10, AU-11, AU-12, AU-13, AU-14, AU-15, AU-3, AU-5, AU-6, AU-7, AU-9, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-6, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-2, IA-3, IA-4, IA-5, IA-7, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-3, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-6, MP-7, MP-8, PA-3, PA-4, PE-17, PL-8, PL-9, PM-12, PM-17, PM-23, PM-26, PM-6, PR.AC-5, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-6, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-7, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-4, SA-5, SA-9, SC-13, SC-16, SC-18, SC-2, SC-24, SC-27, SC-28, SC-31, SC-36, SC-38, SC-7, SI-12, SI-16, SI-18, SI-19, SI-20, SI-3, SI-4, SI-5, SI-7

Include All Log Sources

CCF: LogRhythm Data Loss Defender Log Inv

No

1232

CCF: FIM Abnormal Activity

This AIE Rule creates events for all abnormal file integrity monitoring activity.

Security : Suspicious

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.21, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.8, 3.4.2, 3.4.3, 3.4.6, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.8.7, 3.8.8, 3.8.9, AC-16, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AU-10, AU-11, AU-12, AU-13, AU-14, AU-15, AU-3, AU-5, AU-6, AU-7, AU-9, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-6, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-2, IA-3, IA-4, IA-5, IA-7, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-3, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-6, MP-7, MP-8, PA-4, PE-17, PL-8, PL-9, PM-12, PM-17, PM-23, PM-26, PM-6, PR.AC-5, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-6, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-7, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-4, SA-5, SA-9, SC-13, SC-16, SC-18, SC-2, SC-24, SC-27, SC-28, SC-31, SC-36, SC-38, SC-7, SI-12, SI-16, SI-18, SI-19, SI-20, SI-3, SI-4, SI-5, SI-7

1. Include All Log Sources

2. Include All Log Sources

N/A

No

1233

CCF: FIM Add Activity

This AIE Rule creates events for all file integrity monitoring add activity.

Security : Activity

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.21, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.8, 3.4.2, 3.4.3, 3.4.6, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.8.7, 3.8.8, 3.8.9, AC-16, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AU-10, AU-11, AU-12, AU-13, AU-14, AU-15, AU-3, AU-5, AU-6, AU-7, AU-9, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-6, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-2, IA-3, IA-4, IA-5, IA-7, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-3, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-6, MP-7, MP-8, PA-4, PE-17, PL-8, PL-9, PM-12, PM-17, PM-23, PM-26, PM-6, PR.AC-5, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-6, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-7, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-4, SA-5, SA-9, SC-13, SC-16, SC-18, SC-2, SC-24, SC-27, SC-28, SC-31, SC-36, SC-38, SC-7, SI-12, SI-16, SI-18, SI-19, SI-20, SI-3, SI-4, SI-5, SI-7

Include All Log Sources

N/A

No

1234

CCF: FIM Delete Activity Alarm

This AIE Rule alarms on file integrity monitoring delete activity.

Security : Activity

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.21, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.8, 3.4.2, 3.4.3, 3.4.6, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.8.7, 3.8.8, 3.8.9, 3.9.2, AC-16, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AU-10, AU-11, AU-12, AU-13, AU-14, AU-15, AU-3, AU-5, AU-6, AU-7, AU-9, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-6, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-2, IA-3, IA-4, IA-5, IA-7, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-3, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-6, MP-7, MP-8, PA-3, PA-4, PE-17, PL-8, PL-9, PM-12, PM-17, PM-23, PM-26, PM-6, PR.AC-5, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-6, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-4, SA-5, SA-9, SC-13, SC-16, SC-18, SC-2, SC-24, SC-27, SC-28, SC-31, SC-36, SC-38, SC-7, SI-12, SI-16, SI-18, SI-19, SI-20, SI-3, SI-4, SI-5, SI-7

Include All Log Sources

N/A

Yes

1235

CCF: Backup Failure Alarm

More than 10 backup failure events are detected.

Operations : Error

Augment: 3.1.10, 3.1.12, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.14.1, 3.14.2, 3.14.3, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.8, 3.6.1, 3.6.2, 3.6.3, 3.8.9, AC-16, AC-20, AC-21, AC-23, AU-11, AU-12, AU-14, AU-15, AU-3, AU-4, AU-5, AU-6, AU-7, AU-9, CA-2, CA-7, CP-13, CP-6, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, DE.DP-2, DE.DP-5, ID.AM-5, ID.RA-3, ID.SC-4, IR-10, IR-4, IR-6, IR-7, IR-9, PL-8, PL-9, PM-12, PM-17, PM-23, PM-26, PM-6, PR.DS-1, PR.DS-2, PR.DS-4, PR.IP-4, PR.IP-9, PR.PT-1, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SC-18, SC-2, SC-24, SC-27, SC-28, SC-31, SC-36, SC-38, SC-4, SC-7, SI-11, SI-17, SI-3, SI-4, SI-5, SI-7, SI-8

Include All Log Sources

CCF: Backup Activity Inv

Yes

1236

CCF: Backup Information

This AIE Rule creates events for information from backup software.

Operations : Information

Augment: 3.1.10, 3.1.12, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.14.1, 3.14.2, 3.14.3, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.8, 3.6.1, 3.6.2, 3.6.3, 3.8.9, AC-16, AC-20, AC-21, AC-23, AU-11, AU-12, AU-14, AU-15, AU-3, AU-4, AU-5, AU-6, AU-7, AU-9, CA-2, CA-7, CP-13, CP-6, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, DE.DP-2, DE.DP-5, ID.AM-5, ID.RA-3, ID.SC-4, IR-10, IR-4, IR-6, IR-7, IR-9, PL-8, PL-9, PM-12, PM-17, PM-23, PM-26, PM-6, PR.DS-1, PR.DS-2, PR.DS-4, PR.IP-9, PR.PT-1, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SC-2, SC-28, SC-36, SC-38, SC-4, SC-7, SI-17, SI-3, SI-4, SI-5, SI-7, SI-8

Include All Log Sources

CCF: Backup Activity Inv

No

1237

CCF: Early TLS/SSL Alarm

This AIE Rule alerts on the occurrence of any identified TLS LogRhythm Network Monitor event.

Security : Activity

Augment: 3.1.10, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.8, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.10, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.8.7, 3.8.8, AC-10, AC-16, AC-17, AC-18, AC-20, AC-21, AC-23, AC-24, AC-25, AC-4, AC-6, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, AU-9, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-8, PL-9, PM-12, PM-17, PM-23, PM-26, PM-6, PR.AC-3, PR.AC-5, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-6, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SA-4, SA-5, SA-9, SC-13, SC-16, SC-18, SC-2, SC-28, SC-36, SC-38, SC-4, SC-40, SC-7, SC-8, SI-12, SI-16, SI-18, SI-19, SI-20, SI-3, SI-4, SI-5, SI-7

Include All Log Sources

N/A

Yes

1238

CCF: FIM General Activity

This rule creates an event for file integrity monitoring activity, including adds, deletes, modifies, group changes, owner changes, and permission changes. The FIM log source can be established from LogRhythm's FIM or other FIM solutions.

Operations : Information

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.21, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.8, 3.4.2, 3.4.3, 3.4.6, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.8.7, 3.8.8, 3.8.9, AC-16, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AU-10, AU-11, AU-12, AU-13, AU-14, AU-15, AU-3, AU-5, AU-6, AU-7, AU-9, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-6, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-2, IA-3, IA-4, IA-5, IA-7, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-3, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-6, MP-7, MP-8, PA-3, PA-4, PE-17, PL-8, PL-9, PM-12, PM-17, PM-23, PM-26, PM-6, PR.AC-5, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-6, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-7, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-4, SA-5, SA-9, SC-13, SC-16, SC-18, SC-2, SC-24, SC-27, SC-28, SC-31, SC-36, SC-38, SC-7, SI-12, SI-16, SI-18, SI-19, SI-20, SI-3, SI-4, SI-5, SI-7

Include All Log Sources

N/A

No

1239

CCF: GeoIP General Activity

This rule is designed for use with the Data Processor's GeoIP functionality, to represent general GeoIP activity.

Security : Suspicious

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.9.2, AC-10, AC-16, AC-17, AC-18, AC-2, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AC-6, AU-10, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SA-4, SA-5, SA-9, SC-18, SC-2, SC-24, SC-27, SC-28, SC-3, SC-31, SC-36, SC-38, SC-4, SC-40, SC-7, SC-8, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

Include All Log Sources

CCF: GeoIP Inv

No

1240

CCF: GeoIP Blacklisted Region Activity

This rule tracks activity associated with Blacklisted Regions (list).

Security : Suspicious

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.9.2, AC-10, AC-16, AC-17, AC-18, AC-2, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AC-6, AU-10, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SA-4, SA-5, SA-9, SC-18, SC-2, SC-24, SC-27, SC-28, SC-3, SC-31, SC-36, SC-38, SC-4, SC-40, SC-7, SC-8, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

Include All Log Sources

CCF: GeoIP Inv

No

1241

CCF: Social Media Event

This rule tracks social media activity, to help identify if private or personal data that should not be in transmission is present within the environment's traffic.

Security : Suspicious

Augment: 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.4.2, 3.4.3, 3.4.6, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, AC-16, AC-20, AC-21, AC-23, AC-4, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-7, DE.DP-2, DE.DP-5, IA-2, IA-3, IA-4, IA-5, ID.AM-5, ID.RA-3, ID.SC-4, IR-10, IR-4, IR-6, IR-7, IR-9, MA-5, MA-6, MP-2, MP-4, MP-8, PA-4, PE-17, PL-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-5, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-7, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SA-4, SC-2, SC-28, SC-36, SC-38, SC-4, SC-7, SI-12, SI-16, SI-3, SI-4, SI-5, SI-7, SI-8

Include All Log Sources

CCF: Social Media Inv

No

1242

CCF: Unknown User Account Alarm

This rule identifies activity originating from unknown user accounts, based on the CCF user lists.

Security : Suspicious

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.9.2, AC-10, AC-16, AC-17, AC-18, AC-2, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AC-6, AU-10, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-4, PS-5, PS-7, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-4, SA-5, SA-9, SC-18, SC-2, SC-24, SC-27, SC-28, SC-3, SC-31, SC-36, SC-38, SC-4, SC-40, SC-7, SC-8, SI-14, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

Include All Log Sources

CCF: Unknown User Account Inv

Yes

1243

CCF: Windows RunAs Privilege Escalation

User not in the LogRhythm List "Privileged Users" chooses to Run a Windows program as an administrator using the "Run as administrator" option.

Security : Suspicious

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.9.2, AC-10, AC-16, AC-17, AC-18, AC-2, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-6, AU-10, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-4, PS-5, PS-7, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-4, SA-5, SA-9, SC-18, SC-2, SC-28, SC-3, SC-36, SC-38, SC-4, SC-7, SC-8, SI-2, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

Include All Log Sources

CCF: Privileged Account Escalation Inv

No

1321

CCF: Priv Group Access Granted Alarm

This AIE Rule provides details on access granted to privileged groups (administrators, dnsadmins, domain admins, enterprise admins, schema admins) within the organization infrastructure.

Audit : Access Granted

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.9.2, AC-10, AC-16, AC-17, AC-18, AC-2, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-6, AU-10, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-4, PS-5, PS-7, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-4, SA-5, SA-9, SC-18, SC-2, SC-28, SC-3, SC-36, SC-38, SC-4, SC-7, SC-8, SI-3, SI-4, SI-5, SI-6, SI-7

Include All Log Sources

CCF: Privileged Account Modification Inv

Yes

1324

CCF: Password Modified by Admin

Privileged user changes the password of another account.

Security : Suspicious

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.9.2, AC-10, AC-16, AC-18, AC-2, AC-20, AC-21, AC-23, AC-3, AC-4, AC-6, AU-10, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-4, PS-5, PS-7, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-4, SA-5, SA-9, SC-18, SC-2, SC-27, SC-28, SC-3, SC-31, SC-36, SC-38, SC-4, SC-7, SC-8, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

Include All Log Sources

CCF: Password Modified Inv

No

1325

CCF: Admin Password Modified

User changes the password of a different privileged user account.

Security : Suspicious

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.9.2, AC-10, AC-16, AC-18, AC-2, AC-20, AC-21, AC-23, AC-3, AC-4, AC-6, AU-10, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-4, PS-5, PS-7, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-4, SA-5, SA-9, SC-18, SC-2, SC-27, SC-28, SC-3, SC-31, SC-36, SC-38, SC-4, SC-7, SC-8, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

Include All Log Sources

CCF: Password Modified Inv

No

1326

CCF: Multiple Account Passwords Modified by Admin

An observed login by a user in the privileged user list followed by the change of two or more other account passwords.

Security : Suspicious

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.9.2, AC-10, AC-16, AC-18, AC-2, AC-20, AC-21, AC-23, AC-3, AC-4, AC-6, AU-10, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-4, PS-5, PS-7, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-4, SA-5, SA-9, SC-18, SC-2, SC-27, SC-28, SC-3, SC-31, SC-36, SC-38, SC-4, SC-7, SC-8, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

Include All Log Sources

CCF: Password Modified Inv

No

1327

CCF: Audit Logging Stopped Alarm

This AIE Rule provides details on audit logging being stopped.

Audit : Configuration

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.21, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.10.1, 3.10.2, 3.10.3, 3.10.4, 3.10.5, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.10, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.7.6, 3.8.1, 3.8.2, 3.8.5, 3.8.7, 3.8.8, 3.8.9, 3.9.2, AC-10, AC-16, AC-17, AC-18, AC-2, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AC-6, AC-7, AU-10, AU-11, AU-12, AU-13, AU-14, AU-15, AU-3, AU-4, AU-5, AU-6, AU-7, AU-8, AU-9, CA-2, CA-7, CM-11, CM-12, CM-3, CM-5, CM-6, CM-7, CM-8, CP-13, CP-6, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-2, DE.CM-3, DE.CM-4, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-3, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-6, MP-7, MP-8, PA-3, PA-4, PE-17, PE-2, PE-3, PE-4, PE-5, PE-6, PE-7, PE-8, PL-4, PL-8, PL-9, PM-12, PM-14, PM-17, PM-23, PM-26, PM-6, PR.AC-1, PR.AC-2, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-3, PR.DS-4, PR.DS-5, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-6, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-4, PS-5, PS-7, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-3, SA-4, SA-5, SA-9, SC-13, SC-16, SC-18, SC-2, SC-24, SC-27, SC-28, SC-3, SC-31, SC-36, SC-38, SC-4, SC-40, SC-5, SC-7, SC-8, SI-11, SI-12, SI-14, SI-16, SI-17, SI-18, SI-19, SI-2, SI-20, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

Include All Log Sources

CCF: Audit Log Inv

Yes

1328

CCF: Privilege Escalation After Attack Alarm

Compromised host event followed by a new account created or account modified on the same host.

Security : Compromise

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.9.2, AC-10, AC-16, AC-17, AC-18, AC-2, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-6, AU-10, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-4, PS-5, PS-7, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-4, SA-5, SA-9, SC-18, SC-2, SC-24, SC-27, SC-28, SC-3, SC-31, SC-36, SC-38, SC-4, SC-7, SC-8, SI-14, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

Include All Log Sources

CCF: Privileged Account Modification Inv

Yes

1329

CCF: Linux sudo Privilege Escalation

User not in the LogRhythm list "CCF: Privileged Accounts" and not in the local 'sudoers' file tries to use sudo on a Linux host.

Security : Suspicious

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.9.2, AC-10, AC-16, AC-17, AC-18, AC-2, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-6, AU-10, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-4, PS-5, PS-7, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-4, SA-5, SA-9, SC-18, SC-2, SC-28, SC-3, SC-36, SC-38, SC-4, SC-7, SC-8, SI-2, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

Include All Log Sources

CCF: Privileged Account Escalation Inv

No

1330

CCF: Audit Log Cleared Alarm

This AIE Rule provides details on audit log clearing.

Audit : Access Success

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.21, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.10.1, 3.10.2, 3.10.3, 3.10.4, 3.10.5, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.10, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.7.6, 3.8.1, 3.8.2, 3.8.5, 3.8.7, 3.8.8, 3.8.9, 3.9.2, AC-10, AC-16, AC-17, AC-18, AC-2, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AC-6, AC-7, AU-10, AU-11, AU-12, AU-13, AU-14, AU-15, AU-3, AU-4, AU-5, AU-6, AU-7, AU-8, AU-9, CA-2, CA-7, CM-11, CM-12, CM-3, CM-5, CM-6, CM-7, CM-8, CP-13, CP-6, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-2, DE.CM-3, DE.CM-4, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-3, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-6, MP-7, MP-8, PA-3, PA-4, PE-17, PE-2, PE-3, PE-4, PE-5, PE-6, PE-7, PE-8, PL-4, PL-8, PL-9, PM-12, PM-14, PM-17, PM-23, PM-26, PM-6, PR.AC-1, PR.AC-2, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-3, PR.DS-4, PR.DS-5, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-6, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-4, PS-5, PS-7, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-3, SA-4, SA-5, SA-9, SC-13, SC-16, SC-18, SC-2, SC-24, SC-27, SC-28, SC-3, SC-31, SC-36, SC-38, SC-4, SC-40, SC-5, SC-7, SC-8, SI-11, SI-12, SI-14, SI-16, SI-17, SI-18, SI-19, SI-2, SI-20, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

Include All Log Sources

CCF: Audit Log Inv

Yes

1331

CCF: Failed Audit Log Write Alarm

This AIE Rule provides details on audit log write failures.

Audit : Other Audit Failure

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.13, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.21, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.10.1, 3.10.2, 3.10.3, 3.10.4, 3.10.5, 3.13.1, 3.13.15, 3.13.16, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.7, 3.3.8, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.10, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.7.6, 3.8.1, 3.8.2, 3.8.5, 3.8.7, 3.8.8, 3.8.9, 3.9.2, AC-10, AC-16, AC-17, AC-18, AC-2, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AC-6, AC-7, AU-10, AU-11, AU-12, AU-13, AU-14, AU-15, AU-3, AU-4, AU-5, AU-6, AU-7, AU-8, AU-9, CA-2, CA-7, CM-11, CM-12, CM-3, CM-5, CM-6, CM-7, CM-8, CP-13, CP-6, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-2, DE.CM-3, DE.CM-4, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-3, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-6, MP-7, MP-8, PA-3, PA-4, PE-17, PE-2, PE-3, PE-4, PE-5, PE-6, PE-7, PE-8, PL-4, PL-8, PL-9, PM-12, PM-14, PM-17, PM-23, PM-26, PM-6, PR.AC-1, PR.AC-2, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-3, PR.DS-4, PR.DS-5, PR.DS-6, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-6, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-4, PS-5, PS-7, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-3, SA-4, SA-5, SA-9, SC-13, SC-16, SC-18, SC-2, SC-24, SC-27, SC-28, SC-3, SC-31, SC-36, SC-38, SC-4, SC-40, SC-5, SC-7, SC-8, SI-11, SI-12, SI-14, SI-16, SI-17, SI-18, SI-19, SI-2, SI-20, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

Include All Log Sources

CCF: Audit Log Inv

Yes

1332

CCF: Password Modified by Another User

User changes the password of another account (not their own).

Audit : Account Modified

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.9.2, AC-10, AC-16, AC-18, AC-2, AC-20, AC-21, AC-23, AC-3, AC-4, AC-6, AU-10, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-4, PS-5, PS-7, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-4, SA-5, SA-9, SC-18, SC-2, SC-27, SC-28, SC-3, SC-31, SC-36, SC-38, SC-4, SC-7, SC-8, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

Include All Log Sources

CCF: Password Modified Inv

No

1333

CCF: Blacklisted Account Alarm

This AIE Rule creates an alarm when activity by a blacklisted account occurs within the environment. It requires the CCF: User Blacklist list to be populated and updated regularly.

Audit : Other Audit Success

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.9.2, AC-10, AC-16, AC-17, AC-18, AC-2, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AC-6, AU-10, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-4, SA-5, SA-9, SC-18, SC-2, SC-24, SC-27, SC-28, SC-3, SC-31, SC-36, SC-38, SC-4, SC-40, SC-7, SC-8, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

Include All Log Sources

N/A

Yes

1334

CCF: Compromise Detected Alarm

This AIE rule creates an event and alerts on potential compromises across the environment.

Security : Compromise

Augment: 3.1.12, 3.1.3, 3.13.1, 3.13.15, 3.13.2, 3.14.1, 3.14.2, 3.14.3, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.6.1, 3.6.2, 3.6.3, AC-16, AC-20, AC-23, AC-4, AU-10, AU-12, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-4, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-5, PR.DS-5, PR.IP-9, PR.PT-1, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SA-9, SC-18, SC-2, SC-24, SC-27, SC-31, SC-36, SC-38, SC-4, SC-40, SC-7, SI-14, SI-3, SI-4, SI-5, SI-7, SI-8

Include All Log Sources

CCF: Compromises Detected Inv

Yes

1335

CCF: Account Deleted Rule

This AIE Rule provides details of accounts that have been deleted.

Audit : Account Deleted

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.9.2, AC-10, AC-16, AC-18, AC-2, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AC-6, AU-10, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-4, PS-5, PS-7, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SA-4, SA-5, SA-9, SC-18, SC-2, SC-24, SC-27, SC-28, SC-3, SC-31, SC-36, SC-38, SC-4, SC-40, SC-7, SC-8, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

Include All Log Sources

CCF: Deleted Account Inv

No

1367

CCF: Account Enabled Rule

This AIE Rule alerts on any occurrence of access being granted to an account.

Audit : Access Granted

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.9.2, AC-10, AC-16, AC-18, AC-2, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AC-6, AU-10, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-4, PS-5, PS-7, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SA-4, SA-5, SA-9, SC-18, SC-2, SC-24, SC-27, SC-28, SC-3, SC-31, SC-36, SC-38, SC-4, SC-40, SC-7, SC-8, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

Include All Log Sources

CCF: Enabled Account Inv

Yes

1368

CCF: Account Disabled Rule

This AIE Rule alerts on any occurrence of access being revoked from an account.

Audit : Access Revoked

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.9.2, AC-10, AC-16, AC-18, AC-2, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AC-6, AU-10, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-4, PS-5, PS-7, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SA-4, SA-5, SA-9, SC-18, SC-2, SC-24, SC-27, SC-28, SC-3, SC-31, SC-36, SC-38, SC-4, SC-40, SC-7, SC-8, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

Include All Log Sources

CCF: Disabled Account Inv

No

1369

CCF: Account Modification

This AIE Rule creates a common event and provides detail around account modification activity.

Audit : Account Modified

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.9.2, AC-10, AC-16, AC-18, AC-2, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AC-6, AU-10, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-4, PS-5, PS-7, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SA-4, SA-5, SA-9, SC-18, SC-2, SC-24, SC-27, SC-28, SC-3, SC-31, SC-36, SC-38, SC-4, SC-40, SC-7, SC-8, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

Include All Log Sources

CCF: Account Modification Inv

No

1377

CCF: Excessive Authentication Failure Rule

This AIE Rule alerts on more than 10 authentication (login) failures within 30 minutes. Match this threshold to your organization's authentication failure policies.

Audit : Authentication Failure

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.10.1, 3.10.2, 3.10.3, 3.10.4, 3.10.5, 3.13.1, 3.13.15, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.8, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.7.6, 3.8.1, 3.8.2, 3.8.5, 3.8.7, 3.8.8, 3.8.9, 3.9.2, AC-10, AC-16, AC-17, AC-18, AC-2, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AC-6, AC-7, AU-10, AU-11, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, AU-9, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-6, CP-7, CP-9, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-2, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PE-2, PE-3, PE-4, PE-5, PE-6, PE-7, PE-8, PL-4, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-1, PR.AC-2, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-4, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-4, PS-5, PS-7, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-4, SA-5, SA-9, SC-18, SC-2, SC-24, SC-27, SC-28, SC-3, SC-31, SC-36, SC-38, SC-4, SC-40, SC-7, SC-8, SI-14, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

Include All Log Sources

CCF: Excessive Authentication Failure Inv

Yes

1370

CCF: Software Install Rule

This AIE rule creates an event and alerts on any software installation activity across the environment.

Audit : Configuration

Augment: 3.1.10, 3.1.2, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.2, 3.14.4, 3.3.8, 3.4.2, 3.4.3, 3.4.6, 3.7.1, 3.7.2, 3.8.7, 3.8.8, AC-16, AC-20, AC-23, AC-4, AU-12, AU-14, AU-15, AU-3, AU-5, AU-6, AU-7, AU-9, CA-2, CA-7, CM-11, CM-12, CM-3, CM-5, CM-6, CM-7, CM-8, CP-13, CP-7, CP-9, DE.CM-7, DE.DP-2, DE.DP-5, IA-2, IA-3, IA-4, IA-5, IR-4, IR-6, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PL-8, PL-9, PM-12, PM-17, PM-26, PR.AC-5, PR.DS-3, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.MA-1, PR.MA-2, PR.PT-3, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-3, SA-4, SA-5, SC-18, SC-2, SC-24, SC-27, SC-31, SC-38, SC-4, SC-7, SI-11, SI-16, SI-17, SI-2, SI-3, SI-4, SI-7

Include All Log Sources

N/A

No

1371

CCF: Software Uninstall Rule

This AIE rule creates an event and alerts on any software uninstallation activity across the environment.

Audit : Configuration

Augment: 3.1.10, 3.1.2, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.2, 3.14.4, 3.3.8, 3.4.2, 3.4.3, 3.4.6, 3.7.1, 3.7.2, 3.8.7, 3.8.8, AC-16, AC-20, AC-23, AC-4, AU-12, AU-14, AU-15, AU-3, AU-5, AU-6, AU-7, AU-9, CA-2, CA-7, CM-11, CM-12, CM-3, CM-5, CM-6, CM-7, CM-8, CP-13, CP-7, CP-9, DE.CM-7, DE.DP-2, DE.DP-5, IA-2, IA-3, IA-4, IA-5, IR-4, IR-6, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PL-8, PL-9, PM-12, PM-17, PM-26, PR.AC-5, PR.DS-3, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.MA-1, PR.MA-2, PR.PT-3, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-3, SA-4, SA-5, SC-18, SC-2, SC-24, SC-27, SC-31, SC-38, SC-4, SC-7, SI-11, SI-16, SI-17, SI-2, SI-3, SI-4, SI-7

Include All Log Sources

N/A

No

1372

CCF: Concurrent VPN from Same User

This AIE Rule alerts on the occurrence of concurrent VPN sessions from the same user.

Security : Suspicious

Augment: 3.1.1, 3.1.10, 3.1.12, 3.1.14, 3.1.15, 3.1.16, 3.1.17, 3.1.18, 3.1.19, 3.1.2, 3.1.20, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.1, 3.13.15, 3.13.2, 3.13.4, 3.13.8, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.3.9, 3.4.2, 3.4.3, 3.4.6, 3.5.1, 3.5.2, 3.5.3, 3.6.1, 3.6.2, 3.6.3, 3.7.1, 3.7.2, 3.8.1, 3.8.2, 3.9.2, AC-10, AC-16, AC-17, AC-18, AC-2, AC-20, AC-21, AC-23, AC-24, AC-25, AC-3, AC-4, AC-6, AU-10, AU-12, AU-13, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CM-12, CM-3, CM-5, CM-6, CM-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, IA-10, IA-12, IA-2, IA-3, IA-4, IA-5, IA-7, IA-8, IA-9, ID.AM-4, ID.AM-5, ID.SC-3, ID.SC-4, IP-2, IP-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PA-3, PA-4, PE-17, PL-8, PL-9, PM-12, PM-17, PM-26, PM-6, PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.DS-1, PR.DS-2, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.IP-9, PR.MA-1, PR.MA-2, PR.PT-1, PR.PT-2, PR.PT-3, PR.PT-4, PS-7, PS-8, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SA-4, SA-5, SA-9, SC-18, SC-2, SC-24, SC-27, SC-28, SC-3, SC-31, SC-36, SC-38, SC-4, SC-40, SC-7, SC-8, SI-3, SI-4, SI-5, SI-6, SI-7, SI-8

Include All Log Sources

N/A

No

1373

CCF: Software Uninstall Failure Alarm

This AIE Rule alerts on failed or interrupted software uninstallations.

Audit : Configuration

Augment: 3.1.10, 3.1.2, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.2, 3.14.4, 3.4.2, 3.4.3, 3.7.1, 3.7.2, 3.8.7, 3.8.8, AC-16, AC-20, AC-23, AC-4, AU-12, AU-14, AU-15, AU-3, AU-5, AU-6, AU-7, AU-9, CA-2, CA-7, CM-11, CM-12, CM-3, CM-5, CM-6, CM-7, CM-8, CP-13, CP-7, CP-9, DE.CM-7, DE.DP-2, DE.DP-5, IA-2, IA-3, IA-4, IA-5, IR-4, IR-6, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PL-8, PL-9, PM-12, PM-17, PM-26, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.MA-1, PR.MA-2, PR.PT-3, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-3, SC-18, SC-2, SC-38, SC-4, SC-7, SI-11, SI-16, SI-17, SI-2, SI-3, SI-4, SI-7

Include All Log Sources

N/A

Yes

1374

CCF: Software Install Failure Alarm

This AIE Rule alerts on failed and incomplete attempts to update or install software in the organization.

Audit : Configuration

Augment: 3.1.10, 3.1.2, 3.1.3, 3.1.5, 3.1.6, 3.1.7, 3.1.8, 3.13.2, 3.14.4, 3.4.2, 3.4.3, 3.7.1, 3.7.2, 3.8.7, 3.8.8, AC-16, AC-20, AC-23, AC-4, AU-12, AU-14, AU-15, AU-3, AU-5, AU-6, AU-7, AU-9, CA-2, CA-7, CM-11, CM-12, CM-3, CM-5, CM-6, CM-7, CM-8, CP-13, CP-7, CP-9, DE.CM-7, DE.DP-2, DE.DP-5, IA-2, IA-3, IA-4, IA-5, IR-4, IR-6, IR-9, MA-2, MA-3, MA-4, MA-5, MA-6, MP-2, MP-4, MP-7, MP-8, PL-8, PL-9, PM-12, PM-17, PM-26, PR.DS-5, PR.DS-8, PR.IP-1, PR.IP-3, PR.MA-1, PR.MA-2, PR.PT-3, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-10, SA-18, SA-19, SA-3, SC-18, SC-2, SC-38, SC-4, SC-7, SI-11, SI-16, SI-17, SI-2, SI-3, SI-4, SI-7

Include All Log Sources

N/A

Yes

1375

CCF: Denial Of Service Alert

This AIE Rule alerts on the occurrence of any identified Denial of Service event.

Security : Denial Of Service

Augment: 3.1.12, 3.1.3, 3.13.1, 3.13.15, 3.13.2, 3.14.1, 3.14.2, 3.14.3, 3.14.6, 3.14.7, 3.3.1, 3.3.2, 3.3.3, 3.3.4, 3.3.5, 3.3.6, 3.6.1, 3.6.2, 3.6.3, AC-16, AC-20, AC-23, AC-4, AU-12, AU-14, AU-15, AU-3, AU-6, AU-7, CA-2, CA-7, CP-13, CP-7, DE.AE-2, DE.AE-3, DE.AE-4, DE.AE-5, DE.CM-1, DE.CM-3, DE.CM-4, DE.CM-6, DE.CM-7, DE.DP-2, DE.DP-5, ID.AM-5, ID.RA-3, ID.SC-3, ID.SC-4, IR-10, IR-4, IR-5, IR-6, IR-7, IR-9, PL-8, PL-9, PM-12, PM-17, PM-26, PR.AC-5, PR.DS-5, PR.IP-9, PR.PT-1, RA-2, RA-3, RA-7, RC.RP-1, RS.AN-1, RS.AN-3, RS.AN-4, RS.CO-2, RS.MI-2, RS.MI-3, RS.RP-1, SA-18, SA-19, SA-9, SC-18, SC-2, SC-24, SC-27, SC-31, SC-36, SC-38, SC-4, SC-5, SC-7, SI-14, SI-3, SI-4, SI-5, SI-7, SI-8

Include All Log Sources

CCF: Denial of Service Inv

Yes

1376
