
NY DFS – Investigations

The Intelligent Indexing settings are recommendations. The default configuration is No.

| Investigation Name | Investigation Description | Augmented Requirements | Data Source | Intelligent Indexing | Classifications | Log Sources | Investigation ID |
|---|---|---|---|---|---|---|---|
| CCF: Applications Accessed By User Inv | Provides information about the applications accessed by each user. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Data Processor(s) | No | Audit | All Available Log Sources | 689 |
| CCF: Audit Log Inv | Provides details on potential control failures in auditing systems. Requires the CCF: Audit Logging Stopped Alarm, CCF: Audit Log Cleared Alarm, and CCF: Failed Audit Log Write Alarm to be configured and enabled. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Platform Manager(s) | Yes | Audit | All Available Log Sources | 701 |
| CCF: Backup Activity Inv | Provides detail on activity from backup events. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Data Processor(s) | Yes | Operations | All Available Log Sources | 688 |
| CCF: Compromises Detected Inv | Provides a summary of detected security compromises by Entity and Impacted Host. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | LogMart(s) | Yes | Security | All Available Log Sources | 690 |
| CCF: Config/Policy Change Inv | Provides a summary of configuration or policy changes across critical and production environments (entity structure). | 500.05, 500.06, 500.07, 500.09, 500.11, 500.13, 500.14, 500.15, 500.16 | Data Processor(s) | Yes | Audit | All Available Log Sources | 675 |
| CCF: Critical Environment Error Inv | Provides summary details of critical or error messages received from critical servers or systems (entity structure), in support of change management procedures. | 500.05, 500.06, 500.09, 500.13, 500.14, 500.16, 500.17 | Platform Manager(s) | Yes | Operations | All Available Log Sources | 676 |
| CCF: GeoIP Inv | Summarizes GeoIP activity associated with the AI Engine GeoIP rules in the CCF compliance automation suite. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Platform Manager(s) | Yes | Security | All Available Log Sources | 696 |
| CCF: Host Access Granted And Revoked Inv | Details all access granted and revoked on production systems. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Data Processor(s) | Yes | Audit | All Available Log Sources | 691 |
| CCF: LogRhythm Data Loss Defender Log Inv | Provides information on data generated by the LogRhythm Data Loss Defender. Data is grouped by Entity, Impacted Host, Common Event, and Object, with a count of how many times each condition occurred within the investigation period. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.13, 500.14, 500.15, 500.16 | Data Processor(s) | Yes | Audit | All Available Log Sources | 692 |
| CCF: Malware Detected Inv | Provides a summary of malware activity by Entity and Impacted Host within the organization's critical and production environments (entity structure). | 500.05, 500.06, 500.09, 500.14, 500.16, 500.17 | Platform Manager(s) | Yes | Security | All Available Log Sources | 677 |
| CCF: Object Access Inv | Summarizes object access by Impacted Host. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Data Processor(s) | No | Audit | All Available Log Sources | 693 |
| CCF: Password Modification Inv | Provides detail on password modifications to accounts within the environment. | 500.05, 500.06, 500.09, 500.14, 500.15, 500.16, 500.17 | Platform Manager(s) | No | Audit | All Available Log Sources | 702 |
| CCF: Patch Activity Inv | Provides a summary of applied patches grouped by Origin Host. It can demonstrate that all system components have the latest security patches installed. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.13, 500.14, 500.15, 500.16 | Data Processor(s) | Yes | Security | All Available Log Sources | 678 |
| CCF: Physical Access Inv | Summarizes physical door access/authentication successes and failures within the organization's physical security perimeter. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Platform Manager(s) | Yes | Audit | All Available Log Sources | 679 |
| CCF: Privileged Account Escalation Inv | Provides detail on privileged access escalation on Linux and Windows operating systems. Requires the CCF: Windows RunAs Privilege Escalation and CCF: Linux sudo Privilege Escalation AIE rules to be configured and enabled. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Platform Manager(s) | Yes | Security | All Available Log Sources | 700 |
| CCF: Privileged Account Modification Inv | Provides details on modifications made to privileged accounts within the environment. Requires the CCF: Privileged Accounts user list to be established and updated periodically. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.16, 500.17 | Data Processor(s) | Yes | Audit | All Available Log Sources | 703 |
| CCF: Rogue Access Point Inv | Provides a summary of all detected rogue wireless access points by Impacted Host across critical, production, and online banking environments (entity structure). | 500.05, 500.06, 500.09, 500.14, 500.15, 500.16, 500.17 | Platform Manager(s) | Yes | Security | All Available Log Sources | 680 |
| CCF: Signature Activity Inv | Provides summary information on signature update activity across critical and production environments (entity structure). | 500.05, 500.06, 500.07, 500.09, 500.14, 500.15, 500.16, 500.17 | LogMart(s) | Yes | Operations | All Available Log Sources | 681 |
| CCF: Social Media Inv | Summarizes the top URLs related to social media activity. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.16, 500.17 | Platform Manager(s) | No | Audit | All Available Log Sources | 695 |
| CCF: Suspected Wireless Attack Inv | Provides information on suspected wireless attacks at the internal boundary, including the type of attack and the impacted (targeted) host and application (if applicable). Based on critical and production environments (can be defined with entity structure). | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Platform Manager(s) | Yes | Security | All Available Log Sources | 682 |
| CCF: Suspicious Users Inv | Lists all users generating suspicious activity, ordered by the number of events detected from highest to lowest. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.13, 500.14, 500.15, 500.16 | Data Processor(s) | Yes | Security | All Available Log Sources | 685 |
| CCF: Time Sync Error Inv | Provides a summary of time sync errors occurring within critical and production environments (can be defined with entity structure). | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Platform Manager(s) | Yes | Operations | All Available Log Sources | 683 |
| CCF: Unknown User Account Inv | Provides detail of activity from unknown user accounts, based on the CCF user lists. | 500.05, 500.06, 500.07, 500.09, 500.14, 500.15, 500.16, 500.17 | Data Processor(s) | Yes | Security | All Available Log Sources | 697 |
| CCF: Use Of Non-Encrypted Protocols Inv | Lists any use of non-encrypted protocols. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | LogMart(s) | Yes | Audit | All Available Log Sources | 686 |
| CCF: User Misuse Inv | Summarizes detected misuse by user. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Platform Manager(s) | No | Security | All Available Log Sources | 687 |
| CCF: Vulnerability Detected Inv | Provides a summary of potential vulnerabilities detected across critical and production environments (can be defined with entity structure). | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Data Processor(s) | Yes | Security | All Available Log Sources | 684 |
| CCF: Enabled Account Inv | Provides detailed information whenever new accounts are granted (enabled) across any logged environment (entity structure). | 500.05, 500.06, 500.07, 500.09, 500.14, 500.16, 500.17 | Platform Manager(s) | Yes | Audit | All Available Log Sources | 704 |
| CCF: Disabled Account Inv | Provides detailed information whenever accounts are revoked (disabled) across any logged environment (entity structure). | 500.05, 500.06, 500.09, 500.13, 500.14, 500.15, 500.16, 500.17 | Platform Manager(s) | No | Audit | All Available Log Sources | 705 |
| CCF: Deleted Account Inv | Provides detailed information whenever accounts are deleted across any logged environment (entity structure). | 500.05, 500.06, 500.07, 500.09, 500.14, 500.16, 500.17 | Platform Manager(s) | Yes | Audit | All Available Log Sources | 706 |
| CCF: Denial of Service Inv | Provides details of detected denial of service attempts. | 500.05, 500.06, 500.09, 500.14, 500.15, 500.16, 500.17 | Data Processor(s) | Yes | Audit | All Available Log Sources | 707 |
| CCF: Excessive Authentication Failure Inv | Provides detailed information on excessive user account authentication failures (more than 10 authentication failures in 30 minutes) across any logged environment (entity structure). | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Platform Manager(s) | No | Audit | All Available Log Sources | 708 |
| CCF: User Object Access Inv | Summarizes successful object access activity by user. | 500.05, 500.06, 500.07, 500.09, 500.14, 500.16, 500.17 | Data Processor(s) | No | Audit | All Available Log Sources | 694 |
| CCF: Account Modification Inv | Provides details on account modifications across the environment. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Platform Manager(s) | No | Audit | All Available Log Sources | 709 |
