| AI Engine Rule Name | Rule Description | Alert | Rule ID | Notification Area | Directly Meets Requirements | Augment Requirements | Alarming | Classifications | Log Sources |
|---|---|---|---|---|---|---|---|---|---|
| CCF: Account Disabled/Locked Rule | This AIE Rule creates events for disabled/locked accounts. | No | 1106 | Access Revoked | N/A | 8.1.3.a, 8.1.4, 8.1.6.a, 8.1.6.b, 8.1.7 | No | Access Revoked | CCF: All Log Sources |
| CCF: Antivirus Failure Alert | This AIE Rule alerts on the occurrence of any critical failure or error in antivirus software. | Yes | 1107 | Operations : Error | 5.2.d, 10.8.b, A3.3.1.b | 5.1, 5.2.b, 5.2.c, 10.8.1.b, A1.3, A3.3.1.a, A3.5.1.a, A3.5.1.b | Yes | Operations : Error | CCF: Network Security Systems |
| CCF: Antivirus Information Rule | This AIE Rule creates events for antivirus information. | No | 1108 | Information | 5.2.d | 5.1, 5.2.b, 5.2.c | No | Information | CCF: Network Security Systems |
| CCF: Attack Alert | This AIE Rule alerts on the occurrence of any identified attack event. | Yes | 1109 | Security : Attack | N/A | A,6.6, 11.4.a, 11.4.b, 11.4.c, 12.10.5 | Yes | Security : Attack | CCF: Network Security Systems |
| CCF: Audit Log Cleared Alert | This AIE Rule alerts on the occurrence of audit log clearing. | Yes | 1110 | Audit : Access Success | N/A | 10.2.6 | Yes | Audit : Access Success | CCF: All Log Sources |
| CCF: Audit Log Write Failure Alert | This AIE Rule alerts on the occurrence of audit log write failures. | Yes | 1111 | Audit : Other Audit Failure | 10.8.b, A3.3.1.b | 10.2.6, 10.8.1.b, A1.3, A3.3.1.a, A3.5.1.a, A3.5.1.b | Yes | Audit : Other Audit Failure | CCF: All Log Sources |
| CCF: Backup Failure Alert | This AIE Rule alerts on the occurrence of any critical failure or error in backup software. | Yes | 1114 | Operations : Error | N/A | 9.7.1, 12.10.5 | Yes | Operations : Error | CCF: All Log Sources |
| CCF: Backup Information Rule | This AIE Rule creates events for information from backup software. | No | 1115 | Information | N/A | 9.7.1, 12.10.5 | No | Information | CCF: All Log Sources |
| CCF: Compromise Alert | This AIE Rule alerts on the occurrence of any identified compromise event. | Yes | 1116 | Security : Compromise | N/A | 11.4.a, 11.4.b, 11.4.c, 12.10.5 | Yes | Security : Compromise | CCF: Network Security Systems |
| CCF: Critical/Error Alert | This AIE Rule alerts on the occurrence of critical or error messages from a given host. | Yes | 1117 | Operations : Critical | 10.8.b, A3.3.1.b | 6.5.5, 10.8.1.b, A1.3, A3.3.1.a, A3.5.1.a, A3.5.1.b | Yes | Operations : Critical | CCF: All Log Sources |
| CCF: Database Authentication Rule | This AIE Rule creates events for database authentication successes and failures from unauthorized accounts. | No | 1118 | Authentication Success | 10.2.1, 10.2.4, 10.8.b, A3.3.1.b | 8.7.a, 8.7.c, 8.7.d, 10.8.1.b, A1.1, A1.3, A3.3.1.a, A3.4.1, A3.5.1.a, A3.5.1.b | No | Authentication Success | CCF: Database Systems |
| CCF: DB Account Auth Failure Alert | This AIE Rule alerts on the occurrence of any database authentication failure from unauthorized accounts. | Yes | 1120 | Audit : Authentication Failure | 10.2.1, 10.2.4, 10.8.b, A3.3.1.b | 8.7.a, 8.7.c, 8.7.d, 10.8.1.b, A1.1, A1.3, A3.3.1.a, A3.4.1, A3.5.1.a, A3.5.1.b | Yes | Audit : Authentication Failure | CCF: Database Systems |
| CCF: Denial Of Service Alert | This AIE Rule alerts on the occurrence of any identified Denial of Service event. | Yes | 1121 | Security : Denial of Service | N/A | 11.4.a, 11.4.b, 11.4.c, 12.10.5 | Yes | Security : Denial of Service | CCF: Network Security Systems |
| CCF: Denied CDE => Internet Comm Rule | This AIE Rule creates events for denied communication from the cardholder data environment to the external internet. | No | 1122 | Network Deny | N/A | 1.2.1.a, 1.2.1.b, 1.2.1.c, (PCI 3.1 - 1.3.3), 1.3.4 (PCI 3.1 - 1.3.5), 2.2.2.a, 2.2.2.b | No | Network Deny | CCF: Network Security Systems |
| CCF: Denied DMZ => Internal Comm Rule | This AIE Rule creates events for denied communication from the demilitarized zone to the internal network. | No | 1123 | Network Deny | N/A | 1.2.1.a, 1.2.1.b, 1.2.1.c, (PCI 3.1 - 1.3.3), 1.3.4 (PCI 3.1 - 1.3.4), 2.2.2.a, 2.2.2.b | No | Network Deny | CCF: Network Security Systems |
| CCF: Denied Inet => Intrn Comm Rule | This AIE Rule creates events for denied communication from the external internet to all internal environments. | No | 1124 | Network Deny | N/A | 1.2.1.a, 1.2.1.b, 1.2.1.c, 1.2.3.b, 1.3.1, 1.3.2, 2.2.2.a, 2.2.2.b | No | Network Deny | CCF: Network Security Systems |
| CCF: Denied Internet => CDE Comm Rule | This AIE Rule creates events for denied communication from the external internet to the cardholder data environment. | No | 1125 | Network Deny | N/A | 1.2.1.a, 1.2.1.b, 1.2.1.c, (PCI 3.1 - 1.3.3), 1.3.4 (PCI 3.1 - 1.3.5), 2.2.2.a, 2.2.2.b | No | Network Deny | CCF: Network Security Systems |
| CCF: Denied Internet => DMZ Comm Rule | This AIE Rule creates events for denied communication from the external internet to the demilitarized zone. | No | 1126 | Network Deny | N/A | 1.2.1.a, 1.2.1.b, 1.2.1.c, (PCI 3.1 - 1.3.3), 1.3.4 (PCI 3.1 - 1.3.4), 2.2.2.a, 2.2.2.b | No | Network Deny | CCF: Network Security Systems |
| CCF: Denied Intrn => Inet Comm Rule | This AIE Rule creates events for denied communication from the internal environment to the external internet. | No | 1127 | Network Deny | N/A | 2.2.2.a, 2.2.2.b, 2.3.b, 4.1.c, 4.1.f | No | Network Deny | CCF: Network Security Systems |
| CCF: Denied Intrn => Intrn Comm Rule | This AIE Rule creates events for denied communication from the internal environment to the internal environment. | No | 1128 | Network Deny | N/A | 2.2.2.a, 2.2.2.b, 2.3.b, 4.1.c, 4.1.f | No | Network Deny | CCF: Network Security Systems |
| CCF: Denied Test => Internal Comm Rule | This AIE Rule creates events for denied communication from the test environment to other internal environments. | No | 1129 | Network Deny | N/A | 1.2.1.a, 1.2.1.b, 1.2.1.c, 2.2.2.a, 2.2.2.b, 6.4.1.a, 6.4.1.b, 6.4.2 | No | Network Deny | CCF: Network Security Systems |
| CCF: Denied Test => Internet Comm AIE Rule | This AIE Rule creates events for denied communication from the test environment to the external internet. | No | 1130 | Network Deny | N/A | 1.2.1.a, 1.2.1.b, 1.2.1.c, 2.2.2.a, 2.2.2.b, 6.4.1.a, 6.4.1.b, 6.4.2 | No | Network Deny | CCF: Network Security Systems |
| CCF: Denied Wireless => CDE Comm Rule | This AIE Rule creates events for denied communication from the test environment to the external internet. | No | 1131 | Network Deny | N/A | 1.2.1.a, 1.2.1.b, 1.2.1.c, 2.2.2.a, 2.2.2.b | No | Network Deny | CCF: Network Security Systems |
| CCF: Early TLS/SSL Alert | This AIE Rule alerts on the occurrence of any identified TLS LogRhythm Network Monitor event. | Yes | 1132 |  | N/A | 2.2.3.a, 2.2.3.b, 2.3.e, 4.1.g, 4.1.h, A2.1, A2.2, A2.3 | Yes | Security : Activity | Include All Log Sources |
| CCF: FIM Add Activity Rule | This AIE Rule creates events for all file integrity monitoring add activity. | No | 1133 | Activity | 11.5.a, 11.5.b | 3.6.7.a, 10.2.7, A1.2.b, A1.2.c, A3.2.5.b | No | Activity | CCF: File Integrity Monitors |
| CCF: FIM Delete Activity Rule | This AIE Rule creates events for all file integrity monitoring delete activity. | No | 1134 | Activity | 11.5.a, 11.5.b | 3.6.7.a, 10.2.7, A1.2.b, A1.2.c, A3.2.5.b | No | Activity | CCF: File Integrity Monitors |
| CCF: FIM Failure Alert | This AIE Rule alerts on the occurrence of any critical failure or error in file integrity monitoring. | Yes | 1135 | Operations : Error | 10.8.b, 3.3.1.b | 10.8.1.b, 12.10.5, A1.3, A3.3.1.a, A3.5.1.a, A3.5.1.b | Yes | Operations : Error | CCF: File Integrity Monitors |
| CCF: FIM Group Change Activity Rule | This AIE Rule creates events for all file integrity monitoring group change activity. | No | 1136 | Activity | 11.5.a, 11.5.b | 3.6.7.a, A1.2.b, A1.2.c, 3.2.5.b | No | Activity | CCF: File Integrity Monitors |
| CCF: FIM Information Rule | This AIE Rule creates events for information from file integrity monitoring software. | No | 1137 | Information | N/A | 12.10.5 | No | Information | CCF: File Integrity Monitors |
| CCF: FIM Modify Activity Rule | This AIE Rule creates events for all file integrity monitoring modify activity. | No | 1138 | Activity | 10.5.5, 11.5.a, 11.5.b | 3.6.7.a, A1.2.b, A1.2.c, 3.2.5.b | No | Activity | CCF: File Integrity Monitors |
| CCF: FIM Owner Change Activity Rule | This AIE Rule creates events for all file integrity monitoring owner change activity. | No | 1139 | Activity | 11.5.a, 11.5.b | 3.6.7.a, A1.2.b, A1.2.c, 3.2.5.b | No | Activity | CCF: File Integrity Monitors |
| CCF: FIM Permission Activity Rule | This AIE Rule creates events for all file integrity monitoring permission change activity. | No | 1140 | Activity | 11.5.a, 11.5.b | 3.6.7.a, A1.2.b, A1.2.c, 3.2.5.b | No | Activity | CCF: File Integrity Monitors |
| CCF: Firewall Policy Synch Information Rule | This AIE Rule creates events for all firewall policy synchronization information. | No | 1141 | Information | N/A | 1.2.2.a, 1.2.2.b | No | Information | CCF: Network Security Systems |
| CCF: FW Policy Synch Failure Alert | This AIE Rule alerts on the occurrence of any critical failure or error in firewall policy synchronization. | Yes | 1142 | Operations : Error | 10.8.b, 3.3.1.b | 1.2.2.a, 1.2.2.b, 10.8.1.b, A1.3, A3.3.1.a, A3.5.1.a, A3.5.1.b | Yes | Operations : Error | CCF: Network Security Systems |
| CCF: Host Firewall Failure Alert | This AIE Rule alerts on the occurrence of any critical failure or error in host firewalls. | Yes | 1143 | Operations : Error | 10.8.b, A3.3.1.b | 1.4.a, 10.8.1.b, A1.3, A3.3.1.a, A3.5.1.a, A3.5.1.b | Yes | Operations : Error | CCF: All Log Sources |
| CCF: Host Firewall Information Rule | This AIE Rule creates events for host firewall information. | No | 1144 | Information | N/A | 1.4.a | No | Information | CCF: All Log Sources |
| CCF: Invalid Account Usage Rule | This AIE Rule creates events for authentication successes and failures from unauthorized accounts. | Yes | 1145 | Authentication Success | 2.1.a, 2.1.b, 10.2.1, 10.2.4, 10.8.b, 3.3.1.b | 8.1.3.a, 8.1.4, 8.5.c, 10.8.1.b, A1.1, A1.3, A3.3.1.a, A3.4.1, A3.5.1.a, A3.5.1.b | Yes | Security | CCF: All Log Sources |
| CCF: Invalid Act Auth Failure Alert | This AIE Rule alerts on the occurrence of any authentication failure attempts from unauthorized accounts (default/disabled/terminated) in direct support of PCI-DSS Controls 2.1.b, 10.1, 10.2.1, 10.2.2, 10.2.4 and supplemental support of PCI-DSS Controls 8.1.3.a, 8.1.4, 8.5.c. | Yes | 1146 | Audit : Authentication Failure | 2.1.a, 2.1.b, 10.1, 10.2.1, 10.2.2, 10.2.4, 10.8.b, A3.3.1.b | 8.1.3.a, 8.1.4, 8.5.c, 10.8.1.b, A1.1, A1.3, A3.3.1.a, A3.4.1, A3.5.1.a, A3.5.1.b | Yes | Audit : Authentication Failure | CCF: All Log Sources |
| CCF: Invalid CDE => Internet Comm Rule | This AIE Rule creates events for un-allowed communication from the cardholder data environment to the external internet. | Yes | 1147 | Network Allow | N/A | 1.2.1.a, 1.2.1.b, 1.2.1.c, (PCI 3.1 - 1.3.3), 1.3.4 (PCI 3.1 - 1.3.5), 2.2.2.a, 2.2.2.b | Yes | Network Allow | CCF: Network Security Systems |
| CCF: Invalid DMZ => Internal Comm Rule | This AIE Rule creates events for un-allowed communication from the demilitarized zone to the internal network. | Yes | 1148 | Network Allow | N/A | 1.2.1.a, 1.2.1.b, 1.2.1.c, (PCI 3.1 - 1.3.3), 1.3.4 (PCI 3.1 - 1.3.4), 2.2.2.a, 2.2.2.b | Yes | Network Allow | CCF: Network Security Systems |
| CCF: Invalid Inet => Intrn Comm Rule | This AIE Rule creates events for un-allowed communication from the external internet to all internal environments. | Yes | 1149 | Network Allow | N/A | 1.2.1.a, 1.2.1.b, 1.2.1.c, 1.2.3.b, 1.3.1, 1.3.2, 2.2.2.a, 2.2.2.b | Yes | Network Allow | CCF: Network Security Systems |
| CCF: Invalid Internet => CDE Comm Rule | This AIE Rule creates events for un-allowed communication from the external internet to the cardholder data environment in supplemental support of PCI-DSS Controls 1.2.1.a-c, 1.3.3, 1.3.5, and 2.2.2.a-b. | Yes | 1150 | Network Allow | N/A | 1.2.1.a, 1.2.1.b, 1.2.1.c, (PCI 3.1 - 1.3.3), 1.3.4 (PCI 3.1 - 1.3.5), 2.2.2.a, 2.2.2.b | Yes | Network Allow | CCF: Network Security Systems |
| CCF: Invalid Internet => DMZ Comm Rule | This AIE Rule creates events for un-allowed communication from the external internet to the demilitarized zone. | Yes | 1151 | Network Allow | N/A | 1.2.1.a, 1.2.1.b, 1.2.1.c, (PCI 3.1 - 1.3.3), 1.3.4 (PCI 3.1 - 1.3.4), 2.2.2.a, 2.2.2.b | Yes | Network Allow | CCF: Network Security Systems |
| CCF: Invalid Intrn => Inet Comm Rule | This AIE Rule creates events for un-allowed communication from the internal environment to the external internet. | Yes | 1152 | Network Allow | N/A | 2.2.2.a, 2.2.2.b, 2.3.b, 4.1.c, 4.1.f | Yes | Network Allow | CCF: Network Security Systems |
| CCF: Invalid Intrn => Intrn Comm Rule | This AIE Rule creates events for un-allowed communication from the internal environment to the internal environment. | Yes | 1153 | Network Allow | N/A | 2.2.2.a, 2.2.2.b, 2.3.b, 4.1.c, 4.1.f | Yes | Network Allow | CCF: Network Security Systems |
| CCF: Invalid Test => Internal Comm Rule | This AIE Rule creates events for un-allowed communication from the test environment to other internal environments. | Yes | 1154 | Network Allow | N/A | 1.2.1.a, 1.2.1.b, 1.2.1.c, 2.2.2.a, 2.2.2.b, 6.4.1.a, 6.4.1.b, 6.4.2 | Yes | Network Allow | CCF: Network Security Systems |
| CCF: Invalid Test => Internet Comm Rule | This AIE Rule creates events for un-allowed communication from the test environment to the external internet. | Yes | 1155 | Network Allow | N/A | 1.2.1.a, 1.2.1.b, 1.2.1.c, 2.2.2.a, 2.2.2.b, 6.4.1.a, 6.4.1.b, 6.4.2 | Yes | Network Allow | CCF: Network Security Systems |
| CCF: Invalid Wireless => CDE Comm Rule | This AIE Rule creates events for un-allowed communication from the wireless environment to the internal cardholder data environment. | Yes | 1156 | Network Allow | N/A | 2.2.2.a, 2.2.2.b | Yes | Network Allow | CCF: Network Security Systems |
| CCF: Malware Alert Rule | This AIE Rule alerts on the occurrence of any identified malware event. | Yes | 1157 | Security : Malware | 5.2.d | 11.4.a, 11.4.b, 11.4.c, 12.10.5 | Yes | Security : Malware | CCF: Network Security Systems |
| CCF: Object Disposal Failure Alert Rule | This AIE Rule alerts on the occurrence of any object deletion/removal failure. | Yes | 1158 | Audit : Access Failure | 10.8.b, A3.3.1.b | 10.2.7, 10.8.1.b, A1.3, A3.3.1.a, A3.5.1.a, A3.5.1.b | Yes | Audit : Access Failure | CCF: All Log Sources |
| CCF: Physical Access Failure Alert | This AIE Rule alerts on the occurrence of any critical failure or error in the physical access system. | Yes | 1159 | Audit : Access Failure | 10.8.b, A3.3.1.b | 8.1.3.b, 9.1, 9.1.1.a, 9.1.2, 9.3.c, 10.8.1.b, A1.3, A3.3.1.a, A3.5.1.a, A3.5.1.b | Yes | Audit : Access Failure | CCF: Physical Security Systems |
| CCF: Physical Access Usage Rule | This AIE Rule creates events for physical security authentication successes and failures. | No | 1160 | Authentication Success | N/A | 8.1.3.b, 9.1, 9.1.1.a, 9.1.2, 9.3.c | No | Authentication Success | CCF: Physical Security Systems |
| CCF: Priv Acct Auth Failure Alert | This AIE Rule alerts on the occurrence of any authentication failure attempt from privileged accounts. | Yes | 1161 | Audit : Authentication Failure | 10.1, 10.2.1, 10.2.2, 10.2.4, 10.2.5.a, 10.8.b, A3.3.1.b | 7.1.1, 10.8.1.b, A1.1, A1.3, A3.3.1.a, A3.4.1, A3.5.1.a, A3.5.1.b | Yes | Audit : Authentication Failure | CCF: All Log Sources |
| CCF: Reconnaissance Activity Alert | This AIE Rule alerts on the occurrence of any reconnaissance activity. | Yes | 1162 | Security : Reconnaissance | N/A | 2.2.3.a, 2.2.3.b, 2.3.e, 4.1.g, 4.1.h, A2.1, A2.2, A2.3 | Yes | Security : Activity | Include All Log Sources |
| CCF: Remote Session Timeout Rule | This AIE Rule creates events for remote session timeouts. | No | 1163 | Information | N/A | 11.4.a, 11.4.b, 11.4.c, 12.10.5 | Yes | Security : Reconnaissance | CCF: Network Security Systems |
| CCF: Rogue WAP Detected Alert | This AIE Rule alerts on the occurrence of any rogue access point detection events. | Yes | 1164 | Security : Suspicious | N/A | 12.3.8.b | No | Information | CCF: Network Security Systems |
| CCF: Signature Update Failure Alert | This AIE Rule alerts on the occurrence of signature update failures. | Yes | 1165 | Audit : Configuration | N/A | 11.1.b, 11.1.d, 12.10.5 | Yes | Security : Suspicious | CCF: Network Security Systems |
| CCF: Software Update Failure Alert | This AIE Rule alerts on the occurrence of software update failures. | Yes | 1166 | Audit : Configuration | 6.2.b | 11.4.a, 11.4.b, 11.4.c, 12.11.a, A3.2.5.b | Yes | Audit : Configuration | CCF: Network Security Systems |
| CCF: Suspicious Activity Alert | This AIE Rule alerts on the occurrence of suspicious activity. | Yes | 1167 | Security : Suspicious | 6.2.b | 12.11.a, A3.2.5.b | Yes | Audit : Configuration | CCF: All Log Sources |
| CCF: SSL Activity | This AIE Rule triggers on the occurrence of any identified SSL LogRhythm Network Monitor event. | No | 1168 |  | N/A | 2.2.3.a, 2.2.3.b, 2.3.e, 4.1.g, 4.1.h, A2.1, A2.2, A2.3 | No | Security : Activity | Include All Log Sources |
| CCF: Potential New TLS/SSL Implementation | This AIE Rule is designed to evaluate environments with two weeks of no TLS/SSL logging, and to alarm if unexpected TLS/SSL activity shows up over that two-week window. | Yes | 1169 |  | N/A | 11.4.a, 11.4.b, 11.4.c | Yes | Security : Suspicious | CCF: Network Security Systems |
| CCF: Time Sync Error | This AIE Rule creates an event and alerts for any time sync errors occurring on any Log Source. | Yes | 1170 | Operations : Warning | N/A | 10.4.2.b | Yes | Operations : Warning | CCF: All Log Sources |
| CCF: TLS Activity | This AIE Rule triggers on the occurrence of any identified TLS LogRhythm Network Monitor event. | No | 1171 |  | N/A | 2.2.3.a, 2.2.3.b, 2.3.e, 4.1.g, 4.1.h, A2.1, A2.2, A2.3 | No | Security : Activity | Include All Log Sources |
| CCF: Vendor Account Enabled Alert | This AIE Rule alerts on the occurrence of any access being granted to vendor accounts. | Yes | 1172 | Audit : Access Granted | N/A | 8.1.5.a, 8.1.5.b, 8.1.6.b, 12.3.9 | Yes | Audit : Access Granted | CCF: All Log Sources |
| CCF: Vendor Act Access Fail Alert | This AIE Rule alerts on vendor account access failures within the environment. | Yes | 1173 | Audit : Access Failure | 10.2.1, 10.2.4, 10.8.b, A3.3.1.b | 8.1.5.b, 10.8.1.b, 12.3.9, A1.1, A1.3, A3.3.1.a, A3.4.1, A3.5.1.a, A3.5.1.b | Yes | Audit : Access Failure | CCF: All Log Sources |
| CCF: Vendor Auth Activity Rule | This AIE Rule creates events for vendor account activity. | No | 1174 | Authentication Success | 10.2.1, 10.2.4, 10.8.b, A3.3.1.b | 8.1.5.a, 8.1.5.b, 8.1.6.b, 10.8.1.b, 12.3.9, A1.1, A1.3, A3.3.1.a, A3.4.1, A3.5.1.a, A3.5.1.b | No | Authentication Success | CCF: Network Security Systems |
| CCF: Vendor Auth Failure Alert | This AIE Rule alerts on the occurrence of any vendor account use of remote access. | Yes | 1175 | Audit : Authentication Failure | 10.2.1, 10.2.4, 10.8.b, A3.3.1.b | 8.1.5.a, 8.1.5.b, 8.1.6.b, 10.8.1.b, 12.3.9, A1.1, A1.3, A3.3.1.a, A3.4.1, A3.5.1.a, A3.5.1.b | Yes | Audit : Authentication Failure | CCF: Network Security Systems |
| CCF: Vulnerability Alert | This AIE Rule alerts on the occurrence of vulnerabilities or suspicious events across the organization's environment. | Yes | 1176 | Security : Vulnerability | N/A | 6.5.1, 6.5.2, 6.5.4, 6.5.5, 6.5.6, 6.5.7, A, 6.5.9, 6.6, 12.10.5 | Yes | Security : Vulnerability | CCF: Network Security Systems |
| CCF: Patch Update Failure Alert | This AIE Rule creates an alert any time a patch fails to apply to environments (entity structure). | Yes | 1184 |  | 6.2.b | 12.11.a, A3.2.5.b | Yes | Operations : Error | CCF: All Log Sources |
| CCF: Personnel Login Authentication Method Event | This rule can be used to gather event data for review with drilldowns. Any authentication event identified within an environment should be added to the criteria of Rule Block 1. | No | 1185 |  | N/A | 8.3.1.b, A3.4.1 | No | Security : Activity | CCF: All Log Sources |
| CCF: Configuration Change Rule | This AIE Rule provides details on configuration changes. | Yes | 1186 |  | N/A | 6.4.6 | No | Audit : Configuration | CCF: All Log Sources |
| CCF: Change Record Statistics | This AIE Rule provides custom statistics on configuration change record events. The default expressions are to be modified accordingly. | No | 1187 |  | 6.2.b | 12.11.a, A3.2.5.b | Yes | Audit : Configuration | CCF: All Log Sources |