NY DFS – Reports (Summary and Detail)
Summary Reports
The Intelligent Indexing settings are recommendations. The default configuration is No.
Report Name | Report Description | Augmented Requirements | Data Source | Intelligent Indexing | Classification | Report ID |
|---|---|---|---|---|---|---|
CCF: Applications Accessed By User Summary | This report provides information about user accessed applications. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Data Processor(s) | No | Audit | 2063 |
CCF: Audit Log Summary | This report provides a summary of audit log clearing or write failures by Impacted Host. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.13, 500.14, 500.15, 500.16, 500.17 | Platform Manager | Yes | Audit | 2076 |
CCF: Backup Activity Summary | This report provides a summary of activity from backup events. | 500.05, 500.06, 500.09, 500.13, 500.14, 500.16, 500.17 | Data Processor(s) | No | Operations | 2062 |
CCF: Compromises Detected Summary | This report provides a summary of detected compromises of security by Entity and Impacted Host. | 500.05, 500.06, 500.07, 500.09, 500.14, 500.16, 500.17 | Log Mart | Yes | Security | 2064 |
CCF: Config/Policy Change Summary | This report provides a summary of the occurrence of configuration or policy changes across critical and production environments (entity structure). | 500.05, 500.06, 500.09, 500.14, 500.15, 500.16, 500.17 | Log Mart | Yes | Audit | 2049 |
CCF: Critical Environment Error Summary | This report provides summary details around critical or error messages received from critical servers or systems (entity structure) to support change management procedures. | 500.05, 500.06, 500.09, 500.13, 500.14, 500.15, 500.16, 500.17 | Platform Manager | Yes | Operations | 2050 |
CCF: GeoIP Summary | This report summarizes GeoIP activity that is associated with AI Engine GeoIP rules, in the CCF compliance automation suite. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Platform Manager | Yes | Security | 2069 |
CCF: LogRhythm Data Loss Defender Log Summary | This report provides summary information on data generated by the LogRhythm Data Loss Defender. Data is grouped by Entity, Impacted Host, Common Event, and Object with a count of how many times that condition has been experienced within the reporting period. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.13, 500.14, 500.15, 500.16, 500.17 | LogMart | Yes | Operations | 2066 |
CCF: Malware Detected Summary | This report provides a summary of malware activity by entity and impacted host within the organization's critical and production environments (entity structure). | 500.05, 500.06, 500.09, 500.14, 500.16, 500.17 | Platform Manager | Yes | Security | 2051 |
CCF: Object Access Summary | This report summarizes object access by Impacted Host. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Data Processor(s) | No | Audit | 2067 |
CCF: Patch Activity Summary | This report provides a summary of applied patches grouped by Origin Host. It can demonstrate that all system components have the latest security patches installed. | 500.05, 500.06, 500.09, 500.14, 500.15, 500.16, 500.17 | Data Processor(s) | Yes | Operations | 2052 |
CCF: Physical Access Summary | This report summarizes physical door access/authentication success and failures within the organization's physical security perimeter. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.13, 500.14, 500.15, 500.16, 500.17 | Platform Manager | Yes | Audit | 2053 |
CCF: Priv Account Management Activity Summary | This report provides a summary of various access modifications to privileged accounts occurring within the defined environments. This report requires the CCF: Privileged Accounts (user list) be established and periodically updated. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Data Processor(s) | Yes | Audit | 2080 |
CCF: Priv Authentication Activity Summary | This report provides summary information around privileged account authentication success and access success activity within the defined environment. This report relies on CCF: Privileged Accounts (user list) to be established and updated periodically. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Platform Manager | Yes | Audit | 2079 |
CCF: Rogue Access Point Summary | This report provides a summary of all detected rogue wireless access points by Impacted Host across critical and production environments (entity structure). | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.16, 500.17 | Platform Manager | Yes | Security | 2054 |
CCF: Signature Activity Summary | This report provides summary information on signature update activity across critical and production environments (entity structure). | 500.05, 500.06, 500.09, 500.14, 500.15, 500.16, 500.17 | Log Mart | Yes | Operations | 2055 |
CCF: Social Media Summary | This report provides a summary of the the top URLs related to Social Media activity. | 500.05, 500.06, 500.07, 500.09, 500.14, 500.15, 500.16, 500.17 | Platform Manager | No | Audit | 2070 |
CCF: Suspected Wireless Attack Summary | This report provides summary information on suspected wireless attacks at the internal boundary including the type if attack and impacted (targeted) host and application (if applicable). To supplement this Summary Report consider running an Investigation to capture further information. This is based on Critical and Production environments (can be defined with entity structure). | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.16, 500.17 | Platform Manager | Yes | Security | 2056 |
CCF: Time Sync Error Summary | This report provides a summary of time sync errors occurring within critical and production environments (can be defined with entity structure). | 500.05, 500.06, 500.07, 500.09, 500.11, 500.13, 500.14, 500.15, 500.16, 500.17 | Platform Manager | Yes | Operations | 2057 |
CCF: Top Suspicious Users | This report lists all users generating suspicious activity ordered by the number of events detected highest to lowest. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Data Processor(s) | Yes | Security | 2059 |
CCF: Use Of Non-Encrypted Protocols Summary | This report lists any use of non-encrypted protocols. | 500.05, 500.06, 500.07, 500.09, 500.14, 500.15, 500.16, 500.17 | Log Mart | Yes | Audit | 2060 |
CCF: User Misuse Summary | This report summarizes detected misuse by user. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Platform Manager | No | Security | 2061 |
CCF: User Priv Escalation (SU & SUDO) Summary | This report provides summary information specific to a user privilege level status on a Linux environment. This report is specific to Linux based on a search for the MPE rule of SU Session Opened (flat file, SUDO log, or syslog). | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Data Processor(s) | Yes | Audit | 2078 |
CCF: User Priv Escalation (Windows) Summary | This report provides summary information around changes in privilege level status of a user on a critical server or workstation, specific to Windows based on event ID, security metadata field of 2. This type of log is generated when a new process is created on a Windows machine and the token type is recorded in the object metadata field. Audit privilege use and audit process tracking must be enabled on the Windows machine being audited. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Platform Manager | Yes | Security | 2077 |
CCF: Vulnerability Detected Summary | This report provides a summary of potential vulnerabilities detected across the critical and production environments (can be defined with entity structure). | 500.05, 500.06, 500.07, 500.09, 500.14, 500.16, 500.17 | Platform Manager | Yes | Security | 2058 |
CCF: Account Disabled Summary | This report provides detailed information when an account has access revoked (disabled) across any logged environments. This should align with the organization's policies regarding disabled accounts. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Log Mart | No | Audit | 2084 |
CCF: Account Enabled Summary | This report provides detailed information when an account has access granted across to any logged environments. This should align with the organization's policies regarding enabled accounts. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Platform Manager | Yes | Audit | 2085 |
CCF: Account Deleted Summary | This report provides detailed information when an account has access revoked across to any logged environments. This should align with the organization's policies regarding deleted accounts. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Platform Manager | No | Audit | 2086 |
CCF: Account Modification Summary | This report provides summary information around account modifications across all logged environments.
| 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Platform Manager | No | Audit | 2092 |
CCF: Term Account Activity Summary | This report provides a summary of authentication successes and failures from terminated accounts (list) within any logged environments. This should align with the organization's termination policy. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Data Processor(s) | Yes | Audit | 2087 |
CCF: Auth Failure Summary | This report provides summary information around account authentication failures across all logged environments | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Platform Manager | No | Audit | 2088 |
CCF: Access Failure Summary | This report provides summary information around account access failures across all logged environments. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Platform Manager | No | Audit | 2089 |
CCF: Auth Success Summary | This report provides summary information around account authentication successes across all logged environments. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Platform Manager | No | Audit | 2090 |
CCF: User Object Access Summary | This report summarizes successful object access activity by user. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Data Processor(s) | Yes | Audit | 2068 |
CCF: Access Success Summary | This report provides summary information around account access successes across all logged environments. | 500.05, 500.06, 500.07, 500.09, 500.11, 500.14, 500.15, 500.16, 500.17 | Platform Manager | No | Audit | 2091 |
Detail Reports
The Intelligent Indexing settings are recommendations. The default configuration is No.
Report Name | Report Description | Report ID |
|---|---|---|
CCF: Host Access Granted And Revoked Detail | This report details all access granted and revoked for production systems. | 2065 |
CCF: Unknown User Account Detail | This report provides detail of activity from unknown user accounts, based off CCF user lists. | 2071 |