
NIST User Guide – Investigations

Investigations help gather vital information about security events and provide basic information about an environment and the processes and activities within it. As part of a change control process, NIST investigations can identify configuration changes and help you understand their nature, so that you can determine whether they are appropriate and what they imply for NIST compliance. Investigations can also leverage defined user lists to examine suspicious or potentially malicious activity surrounding accounts within the environment. In addition to the investigations included in this module, custom investigations can be configured.

Log Requirements

The CCF: Vulnerability Detected Inv and other investigations related to potentially malicious activity cover all log sources in your environment, but they specifically require logs from network security systems such as anti-malware systems, security enforcing devices, and vulnerability detection systems. Once configured correctly, investigations allow IT and security operations not only to dive deep into potential security events but also to learn more about, and continuously improve, your overall compliance and cyber security program.

Further, changes within data storage, security, and production environments must follow change control procedures to ensure business continuity and to ensure that appropriate security protocols are not negatively impacted.

Sample Knowledge Base Content

ID    Name
675   CCF: Config/Policy Change Inv
677   CCF: Malware Detected Inv
678   CCF: Patch Activity Inv
681   CCF: Signature Activity Inv
684   CCF: Vulnerability Detected Inv
685   CCF: Suspicious Users Inv
686   CCF: Use of Non-Encrypted Protocols Inv
690   CCF: Compromises Detected Inv
695   CCF: Social Media Inv

Recommended Actions

Investigations pull additional details from log sources related to events of interest. The NIST investigations can be used to monitor potentially malicious activity, which helps reduce the mean time to detection and reveals vulnerabilities or exposure points within the environment. IT Security Operations and Management should leverage these investigations as a learning mechanism and as a means of gathering vulnerability data for implementing controls that reduce risk exposure.

On the change control side, the goal is to support IT Operations & Security in ensuring adherence to change control procedures. Deep diving into patch and signature management helps determine that appropriate security protocols are updated, fostering business continuity and helping the organization begin to establish a stronger security posture.

