QCF – Requirements
Control Number | Control Wording | Support Detail | AIE Rules | AIE Alerts | Investigations | Summary Reports |
---|---|---|---|---|---|---|
1.05 | Map entity's critical information assets with defined cybersecurity capabilities in the framework | Lists provide a mechanism for organizing and saving common search criteria used within filters throughout the Application, such as within Investigations, Reports, Alarm Rules, and AI Engine Rules. The lists enabled for this module will contain an entity's critical assets, thereby enabling the defined capabilities in the framework supported by the rules, reports, and investigations that have been mapped. | | | | |
1.29 | Assess training gaps for cybersecurity capabilities | CCF: Top Suspicious Users | ||||
1.31 | Conduct post trainings evaluation | CCF: Top Suspicious Users | ||||
1.33 | Measure current cybersecurity awareness levels in the entity | CCF: Top Suspicious Users | ||||
2.01 | Implement and enforce endpoint security configurations by applying it on operating system, application and network layers | | CCF: Excessive Authentication Failures Rule; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Account Modification; CCF: Password Modified by Admin; CCF: Admin Password Modified; CCF: Multiple Account Passwords Modified by Admin; CCF: Password Modified by Another User; CCF: Auth After Numerous Failed Auths; CCF: Corroborated Account Anomalies; CCF: Windows RunAs Privilege Escalation; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Unknown User Account Alarm; CCF: Time Sync Error Alarm | CCF: User Object Access Inv; CCF: Physical Access Inv; CCF: Applications Accessed By User Inv; CCF: Privileged Account Modification Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv; CCF: Host Access Granted And Revoked Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Escalation Inv; CCF: Audit Log Inv; CCF: Object Access Inv; CCF: Password Modification Inv; CCF: Time Sync Error Inv | CCF: User Object Access Summary; CCF: Physical Access Summary; CCF: Applications Accessed By User Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modification Summary; CCF: Term Account Activity Summary; CCF: Object Access Summary; CCF: Time Sync Error Summary |
2.03 | Ensure that best practice security configurations are applied on endpoints | | CCF: FIM General Activity; CCF: FIM Add Activity; CCF: FIM Abnormal Activity; CCF: FIM Information; CCF: Data Destruction; CCF: Data Loss Prevention; CCF: Data Exfiltration Observed; CCF: Corroborated Data Access Anomalies; CCF: Backup Information; CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Critical Event After Attack; CCF: Abnormal Amount of Data Transferred; CCF: Large Outbound Transfer; CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Social Media Event; CCF: Misuse; CCF: Corroborated Account Anomalies; CCF: Windows RunAs Privilege Escalation; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Blacklist Location Auth; CCF: Distributed Brute Force; CCF: External Brute Force Auths; CCF: Concurrent VPN from Multiple Locations; CCF: Software Install; CCF: Software Uninstall; CCF: Concurrent VPN from Single User; CCF: Excessive Authentication Failures Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Attack then External Connection; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Abnormal Origin Location; CCF: Password Modified by Admin; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Config Modified; CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Early TLS/SSL Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Time Sync Error Alarm; CCF: PRD Envir Config/Policy Change Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: Backup Failure Alarm; CCF: Unknown User Account Alarm; CCF: Blacklisted Account Alarm; CCF: Priv Group Access Granted Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Malware Alarm; CCF: Vulnerability Detected Alarm; CCF: Compromise Detected Alarm; CCF: Denial of Service Alarm; CCF: Software Install Fail Alarm; CCF: Software Uninstall Fail Alarm; CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: Audit Log Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Config/Policy Change Inv; CCF: Critical Environment Error Inv; CCF: Signature Activity Inv; CCF: Patch Activity Inv; CCF: Backup Activity Inv; CCF: Time Sync Error Inv; CCF: Social Media Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: Suspicious Users Inv; CCF: User Misuse Inv; CCF: Unknown User Account Inv; CCF: GeoIP Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: Rogue Access Point Inv; CCF: Suspected Wireless Attack Inv; CCF: Malware Detected Inv; CCF: Vulnerability Detected Inv; CCF: Compromises Detected Inv; CCF: Denial of Service Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv; CCF: Password Modification Inv; CCF: Physical Access Inv | CCF: Use Of Non-Encrypted Protocols Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: Audit Log Summary; CCF: Config/Policy Change Summary; CCF: Critical Environment Error Summary; CCF: Signature Activity Summary; CCF: Patch Activity Summary; CCF: Time Sync Error Summary; CCF: Social Media Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Misuse Summary; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Compromises Detected Summary; CCF: Rogue Access Point Summary; CCF: Suspected Wireless Attack Summary; CCF: Malware Detected Summary; CCF: Vulnerability Detected Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modification Summary; CCF: Term Account Activity Summary; CCF: Backup Activity Summary; CCF: Physical Access Summary |
2.04 | Track asset inventory of endpoint devices on asset repository by gathering all the details of hardware, operating systems, and applications changing and configurations | | CCF: Config Modified; CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Software Install; CCF: Software Uninstall | CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: PRD Envir Config/Policy Change Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: Software Install Fail Alarm; CCF: Software Uninstall Fail Alarm; CCF: Time Sync Error Alarm | CCF: Config/Policy Change Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Critical Environment Error Inv; CCF: Audit Log Inv; CCF: Time Sync Error Inv | CCF: Patch Activity Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Critical Environment Error Summary; CCF: Audit Log Summary; CCF: Time Sync Error Summary |
2.05 | Ensure that endpoint changes, patches and configuration go through a controlled change management process to continuously log and track security requirements | | CCF: Config Modified; CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Software Install; CCF: Software Uninstall | CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: PRD Envir Config/Policy Change Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: Software Install Fail Alarm; CCF: Software Uninstall Fail Alarm; CCF: Time Sync Error Alarm | CCF: Config/Policy Change Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Critical Environment Error Inv; CCF: Audit Log Inv; CCF: Time Sync Error Inv | CCF: Patch Activity Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Critical Environment Error Summary; CCF: Audit Log Summary; CCF: Time Sync Error Summary |
2.06 | Install security applications on endpoint devices to ensure adequate protection is applied | | CCF: Config Change After Attack; CCF: Software Install; CCF: Software Uninstall; CCF: Critical Event After Attack | CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Malware Alarm; CCF: Vulnerability Detected Alarm; CCF: Compromise Detected Alarm; CCF: Denial of Service Alarm; CCF: Privilege Escalation After Attack Alarm; CCF: Software Install Fail Alarm; CCF: Software Uninstall Fail Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Time Sync Error Alarm | CCF: Rogue Access Point Inv; CCF: Suspected Wireless Attack Inv; CCF: Malware Detected Inv; CCF: Vulnerability Detected Inv; CCF: Compromises Detected Inv; CCF: Denial of Service Inv; CCF: Audit Log Inv; CCF: Time Sync Error Inv | CCF: Compromises Detected Summary; CCF: Rogue Access Point Summary; CCF: Suspected Wireless Attack Summary; CCF: Malware Detected Summary; CCF: Vulnerability Detected Summary; CCF: Audit Log Summary; CCF: Time Sync Error Summary |
2.09 | Identify, track and detect abnormal behaviours or malicious activities through incident handling | | CCF: FIM General Activity; CCF: FIM Add Activity; CCF: FIM Abnormal Activity; CCF: FIM Information; CCF: Data Destruction; CCF: Data Loss Prevention; CCF: Data Exfiltration Observed; CCF: Corroborated Data Access Anomalies; CCF: Backup Information; CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Critical Event After Attack; CCF: Abnormal Amount of Data Transferred; CCF: Large Outbound Transfer; CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Social Media Event; CCF: Misuse; CCF: Corroborated Account Anomalies; CCF: Windows RunAs Privilege Escalation; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Blacklist Location Auth; CCF: Distributed Brute Force; CCF: External Brute Force Auths; CCF: Concurrent VPN from Multiple Locations; CCF: Software Install; CCF: Software Uninstall; CCF: Concurrent VPN from Single User; CCF: Excessive Authentication Failures Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Attack then External Connection; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Abnormal Origin Location; CCF: Password Modified by Admin; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Config Modified; CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Early TLS/SSL Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Time Sync Error Alarm; CCF: PRD Envir Config/Policy Change Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: Backup Failure Alarm; CCF: Unknown User Account Alarm; CCF: Blacklisted Account Alarm; CCF: Priv Group Access Granted Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Malware Alarm; CCF: Vulnerability Detected Alarm; CCF: Compromise Detected Alarm; CCF: Denial of Service Alarm; CCF: Software Install Fail Alarm; CCF: Software Uninstall Fail Alarm; CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: Audit Log Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Config/Policy Change Inv; CCF: Critical Environment Error Inv; CCF: Signature Activity Inv; CCF: Patch Activity Inv; CCF: Backup Activity Inv; CCF: Time Sync Error Inv; CCF: Social Media Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: Suspicious Users Inv; CCF: User Misuse Inv; CCF: Unknown User Account Inv; CCF: GeoIP Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: Rogue Access Point Inv; CCF: Suspected Wireless Attack Inv; CCF: Malware Detected Inv; CCF: Vulnerability Detected Inv; CCF: Compromises Detected Inv; CCF: Denial of Service Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv; CCF: Physical Access Inv; CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: Audit Log Summary; CCF: Config/Policy Change Summary; CCF: Critical Environment Error Summary; CCF: Signature Activity Summary; CCF: Patch Activity Summary; CCF: Time Sync Error Summary; CCF: Social Media Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Misuse Summary; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Compromises Detected Summary; CCF: Rogue Access Point Summary; CCF: Suspected Wireless Attack Summary; CCF: Malware Detected Summary; CCF: Vulnerability Detected Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modification Summary; CCF: Term Account Activity Summary; CCF: Backup Activity Summary; CCF: Physical Access Summary |
2.1 | Ensure endpoint protection is applied on hardware and software | | CCF: Config Change After Attack; CCF: Software Install; CCF: Software Uninstall; CCF: Critical Event After Attack | CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Malware Alarm; CCF: Vulnerability Detected Alarm; CCF: Compromise Detected Alarm; CCF: Denial of Service Alarm; CCF: Privilege Escalation After Attack Alarm; CCF: Software Install Fail Alarm; CCF: Software Uninstall Fail Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Time Sync Error Alarm | CCF: Rogue Access Point Inv; CCF: Suspected Wireless Attack Inv; CCF: Malware Detected Inv; CCF: Vulnerability Detected Inv; CCF: Compromises Detected Inv; CCF: Denial of Service Inv; CCF: Audit Log Inv; CCF: Time Sync Error Inv | CCF: Compromises Detected Summary; CCF: Rogue Access Point Summary; CCF: Suspected Wireless Attack Summary; CCF: Malware Detected Summary; CCF: Vulnerability Detected Summary; CCF: Audit Log Summary; CCF: Time Sync Error Summary |
3.04 | Test the application with the selected application security method | | CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Config Modified; CCF: Software Install; CCF: Software Uninstall | CCF: Software Install Fail Alarm; CCF: Software Uninstall Fail Alarm; CCF: PRD Envir Config/Policy Change Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Time Sync Error Alarm | CCF: Config/Policy Change Inv; CCF: Critical Environment Error Inv; CCF: Signature Activity Inv; CCF: Patch Activity Inv; CCF: Audit Log Inv; CCF: Time Sync Error Inv | CCF: Critical Environment Error Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Patch Activity Summary; CCF: Audit Log Summary; CCF: Time Sync Error Summary |
3.05 | The development and testing environments are separate from the production environment | | CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Config Modified; CCF: Software Install; CCF: Software Uninstall | CCF: Software Install Fail Alarm; CCF: Software Uninstall Fail Alarm; CCF: PRD Envir Config/Policy Change Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Time Sync Error Alarm | CCF: Config/Policy Change Inv; CCF: Critical Environment Error Inv; CCF: Signature Activity Inv; CCF: Patch Activity Inv; CCF: Audit Log Inv; CCF: Time Sync Error Inv | CCF: Critical Environment Error Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Patch Activity Summary; CCF: Audit Log Summary; CCF: Time Sync Error Summary |
4.03 | A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality) | | CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Config Modified; CCF: Software Install; CCF: Software Uninstall | CCF: Software Install Fail Alarm; CCF: Software Uninstall Fail Alarm; CCF: PRD Envir Config/Policy Change Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Time Sync Error Alarm | CCF: Config/Policy Change Inv; CCF: Critical Environment Error Inv; CCF: Signature Activity Inv; CCF: Patch Activity Inv; CCF: Audit Log Inv; CCF: Time Sync Error Inv; CCF: Object Access Inv; CCF: User Object Access Inv | CCF: Critical Environment Error Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Patch Activity Summary; CCF: Audit Log Summary; CCF: Time Sync Error Summary |
4.04 | Network integrity is protected (e.g., network segregation, network segmentation) | | Netmon | Netmon | Netmon | Netmon |
4.05 | Configuration change control processes are in place | | CCF: Config Modified; CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Software Install; CCF: Software Uninstall | CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: PRD Envir Config/Policy Change Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: Software Install Fail Alarm; CCF: Software Uninstall Fail Alarm; CCF: Time Sync Error Alarm | CCF: Config/Policy Change Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Critical Environment Error Inv; CCF: Audit Log Inv; CCF: Time Sync Error Inv | CCF: Patch Activity Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Critical Environment Error Summary; CCF: Audit Log Summary; CCF: Time Sync Error Summary |
4.06 | Communications and control networks are protected | | CCF: FIM General Activity; CCF: FIM Add Activity; CCF: FIM Abnormal Activity; CCF: FIM Information; CCF: Data Destruction; CCF: Data Loss Prevention; CCF: Data Exfiltration Observed; CCF: Corroborated Data Access Anomalies; CCF: Backup Information; CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Critical Event After Attack; CCF: Abnormal Amount of Data Transferred; CCF: Large Outbound Transfer; CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Social Media Event; CCF: Misuse; CCF: Corroborated Account Anomalies; CCF: Windows RunAs Privilege Escalation; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Blacklist Location Auth; CCF: Distributed Brute Force; CCF: External Brute Force Auths; CCF: Concurrent VPN from Multiple Locations; CCF: Software Install; CCF: Software Uninstall; CCF: Concurrent VPN from Single User; CCF: Excessive Authentication Failures Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Attack then External Connection; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Abnormal Origin Location; CCF: Password Modified by Admin; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Config Modified; CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Early TLS/SSL Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Time Sync Error Alarm; CCF: PRD Envir Config/Policy Change Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: Backup Failure Alarm; CCF: Unknown User Account Alarm; CCF: Blacklisted Account Alarm; CCF: Priv Group Access Granted Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Malware Alarm; CCF: Vulnerability Detected Alarm; CCF: Compromise Detected Alarm; CCF: Denial of Service Alarm; CCF: Software Install Fail Alarm; CCF: Software Uninstall Fail Alarm; CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: Audit Log Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Config/Policy Change Inv; CCF: Critical Environment Error Inv; CCF: Signature Activity Inv; CCF: Patch Activity Inv; CCF: Backup Activity Inv; CCF: Time Sync Error Inv; CCF: Social Media Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: Suspicious Users Inv; CCF: User Misuse Inv; CCF: Unknown User Account Inv; CCF: GeoIP Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: Rogue Access Point Inv; CCF: Suspected Wireless Attack Inv; CCF: Malware Detected Inv; CCF: Vulnerability Detected Inv; CCF: Compromises Detected Inv; CCF: Denial of Service Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv; CCF: Physical Access Inv; CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: Audit Log Summary; CCF: Config/Policy Change Summary; CCF: Critical Environment Error Summary; CCF: Signature Activity Summary; CCF: Patch Activity Summary; CCF: Time Sync Error Summary; CCF: Social Media Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Misuse Summary; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Compromises Detected Summary; CCF: Rogue Access Point Summary; CCF: Suspected Wireless Attack Summary; CCF: Malware Detected Summary; CCF: Vulnerability Detected Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modification Summary; CCF: Term Account Activity Summary; CCF: Backup Activity Summary; CCF: Physical Access Summary |
4.07 | Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations | | CCF: Data Destruction; CCF: Data Loss Prevention; CCF: Data Exfiltration Observed; CCF: Corroborated Data Access Anomalies; CCF: Backup Information; CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Config Modified; CCF: Critical Event After Attack; CCF: Abnormal Amount of Data Transferred; CCF: Large Outbound Transfer; CCF: GeoIP General Activity; CCF: GeoIP Blacklisted Region Activity; CCF: Social Media Event; CCF: Misuse; CCF: Local Account Created and Used; CCF: Corroborated Account Anomalies; CCF: Blacklist Location Auth; CCF: Distributed Brute Force; CCF: External Brute Force Auths; CCF: Concurrent VPN from Multiple Locations; CCF: Concurrent VPN from Single User; CCF: Attack then External Connection; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Abnormal Origin Location | CCF: Non-Encrypted Protocol Alarm; CCF: Early TLS/SSL Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Time Sync Error Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: Backup Failure Alarm; CCF: Unknown User Account Alarm; CCF: Blacklisted Account Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Malware Alarm; CCF: Vulnerability Detected Alarm; CCF: Compromise Detected Alarm; CCF: Denial of Service Alarm; CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: Audit Log Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Critical Environment Error Inv; CCF: Signature Activity Inv; CCF: Patch Activity Inv; CCF: Backup Activity Inv; CCF: Time Sync Error Inv; CCF: Host Access Granted And Revoked Inv; CCF: Suspicious Users Inv; CCF: User Misuse Inv; CCF: Unknown User Account Inv; CCF: GeoIP Inv; CCF: Rogue Access Point Inv; CCF: Suspected Wireless Attack Inv; CCF: Malware Detected Inv; CCF: Vulnerability Detected Inv; CCF: Compromises Detected Inv; CCF: Denial of Service Inv; CCF: Social Media Inv | CCF: Use Of Non-Encrypted Protocols Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Audit Log Summary; CCF: Critical Environment Error Summary; CCF: Signature Activity Summary; CCF: Patch Activity Summary; CCF: Time Sync Error Summary; CCF: Social Media Summary; CCF: User Misuse Summary; CCF: GeoIP Summary; CCF: Compromises Detected Summary; CCF: Rogue Access Point Summary; CCF: Suspected Wireless Attack Summary; CCF: Malware Detected Summary; CCF: Vulnerability Detected Summary; CCF: Backup Activity Summary |
4.08 | A baseline of network operations and expected data flows for users and systems is established and managed | | CCF: Config Modified; CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Abnormal Amount of Data Transferred; CCF: Abnormal Origin Location | CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: PRD Envir Config/Policy Change Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: Time Sync Error Alarm | CCF: Config/Policy Change Inv; CCF: Patch Activity Inv; CCF: Signature Activity Inv; CCF: Critical Environment Error Inv; CCF: Audit Log Inv; CCF: Time Sync Error Inv | CCF: Patch Activity Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Critical Environment Error Summary; CCF: Audit Log Summary; CCF: Time Sync Error Summary |
4.09 | Vulnerability scans are performed in collaboration with Security Monitoring and Operations (refer Security Monitoring and Operations capability chapter) | | CCF: Config Change After Attack; CCF: Critical Event After Attack | CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Malware Alarm; CCF: Vulnerability Detected Alarm; CCF: Compromise Detected Alarm; CCF: Denial of Service Alarm; CCF: Privilege Escalation After Attack Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Time Sync Error Alarm | CCF: Rogue Access Point Inv; CCF: Suspected Wireless Attack Inv; CCF: Malware Detected Inv; CCF: Vulnerability Detected Inv; CCF: Compromises Detected Inv; CCF: Denial of Service Inv; CCF: Audit Log Inv; CCF: Time Sync Error Inv | CCF: Compromises Detected Summary; CCF: Rogue Access Point Summary; CCF: Suspected Wireless Attack Summary; CCF: Malware Detected Summary; CCF: Vulnerability Detected Summary; CCF: Audit Log Summary; CCF: Time Sync Error Summary |
4.1 | Management and dashboard reporting of identified network configuration deviations. | The LogRhythm Web Console allows you to monitor log activity. To support the most common end-user activities, the Web Console offers a customizable user interface with colorful visualizations and a range of powerful analytical and forensic features, including multiple real-time, interchangeable dashboard layouts and direct web access to authorized report packages. Users can download available reports in PDF format or create and run new searches based on their reporting filters. | | | | |
4.11 | Event detection information is communicated to appropriate parties: in case of an Alert, the Network Security Team will execute response actions; in case of an Incident/Breach, the Incident Response Team will execute response actions | | SIEM/Web Console | SIEM/Web Console | SIEM/Web Console | SIEM/Web Console |
4.15 | Physical and network access to assets is managed and protected | | CCF: FIM General Activity; CCF: FIM Add Activity; CCF: FIM Abnormal Activity; CCF: FIM Information; CCF: Data Destruction; CCF: Data Loss Prevention; CCF: Data Exfiltration Observed; CCF: Corroborated Data Access Anomalies; CCF: Config Change After Attack; CCF: Config Change then Critical Error; CCF: Config Deleted/Disabled; CCF: Critical Event After Attack; CCF: Abnormal Amount of Data Transferred; CCF: Large Outbound Transfer; CCF: GeoIP Blacklisted Region Activity; CCF: Misuse; CCF: Corroborated Account Anomalies; CCF: Windows RunAs Privilege Escalation; CCF: Linux sudo Privilege Escalation; CCF: Local Account Created and Used; CCF: Blacklist Location Auth; CCF: Distributed Brute Force; CCF: External Brute Force Auths; CCF: Concurrent VPN from Multiple Locations; CCF: Software Install; CCF: Software Uninstall; CCF: Concurrent VPN from Single User; CCF: Excessive Authentication Failures Rule; CCF: Account Modification; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Attack then External Connection; CCF: Auth After Numerous Failed Auths; CCF: Auth After Security Event; CCF: Abnormal Origin Location; CCF: Password Modified by Admin; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Config Modified; CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Early TLS/SSL Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Time Sync Error Alarm; CCF: PRD Envir Config/Policy Change Alarm; CCF: Critical/PRD Envir Patch Failure Alarm; CCF: PRD Envir Signature Failure Alarm; CCF: Backup Failure Alarm; CCF: Unknown User Account Alarm; CCF: Blacklisted Account Alarm; CCF: Priv Group Access Granted Alarm; CCF: Rogue Access Point Alarm; CCF: Suspected Wireless Attack Alarm; CCF: Malware Alarm; CCF: Vulnerability Detected Alarm; CCF: Compromise Detected Alarm; CCF: Denial of Service Alarm; CCF: Software Install Fail Alarm; CCF: Software Uninstall Fail Alarm; CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: Audit Log Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Config/Policy Change Inv; CCF: Critical Environment Error Inv; CCF: Signature Activity Inv; CCF: Patch Activity Inv; CCF: Backup Activity Inv; CCF: Time Sync Error Inv; CCF: Social Media Inv; CCF: Host Access Granted And Revoked Inv; CCF: Applications Accessed By User Inv; CCF: Suspicious Users Inv; CCF: User Misuse Inv; CCF: Unknown User Account Inv; CCF: GeoIP Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: Rogue Access Point Inv; CCF: Suspected Wireless Attack Inv; CCF: Malware Detected Inv; CCF: Vulnerability Detected Inv; CCF: Compromises Detected Inv; CCF: Denial of Service Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv; CCF: Physical Access Inv; CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: Audit Log Summary; CCF: Config/Policy Change Summary; CCF: Critical Environment Error Summary; CCF: Signature Activity Summary; CCF: Patch Activity Summary; CCF: Time Sync Error Summary; CCF: Social Media Summary; CCF: Applications Accessed By User Summary; CCF: Top Suspicious Users; CCF: User Misuse Summary; CCF: GeoIP Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Compromises Detected Summary; CCF: Rogue Access Point Summary; CCF: Suspected Wireless Attack Summary; CCF: Malware Detected Summary; CCF: Vulnerability Detected Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modification Summary; CCF: Term Account Activity Summary; CCF: Backup Activity Summary; CCF: Physical Access Summary |
4.16 | Remote access of users and devices is managed | CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Concurrent VPN from Multiple Locations CCF: Blacklist Location Auth CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Abnormal Origin Location CCF: Corroborated Data Access Anomalies CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Misuse CCF: Social Media Event CCF: Local Account Created and Used | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Blacklisted Account Alarm CCF: Time Sync Error Alarm CCF: Rogue Access Point Alarm CCF: Priv Group Access Granted Alarm | CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Excessive Authentication Failure Inv CCF: Rogue Access Point Inv CCF: Audit Log Inv CCF: User Misuse Inv CCF: Time Sync Error Inv CCF: User Object Access Inv CCF: Privileged Account Modification Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Privileged Account Escalation Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Social Media Inv | CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: Rogue Access Point Summary CCF: Audit Log Summary CCF: Time Sync Error Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Social Media Summary | |
4.17 | Network integrity is protected (e.g., network segregation, network segmentation) | CCF: Excessive Authentication Failures Rule CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Time Sync Error Alarm | CCF: User Object Access Inv CCF: Physical Access Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Escalation Inv CCF: Audit Log Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Time Sync Error Inv | CCF: User Object Access Summary CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Object Access Summary CCF: Time Sync Error Summary | |
4.18 | Data-at-rest is protected | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Time Sync Error Summary | |
4.19 | Data-in-transit is protected | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Time Sync Error Summary | |
4.20 | Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access | CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Abnormal Origin Location | | CCF: Applications Accessed By User Inv CCF: GeoIP Inv | CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: Rogue Access Point Summary CCF: Audit Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary | |
4.21 | Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks) | CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Concurrent VPN from Multiple Locations CCF: Blacklist Location Auth CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Abnormal Origin Location CCF: Corroborated Data Access Anomalies CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Auth After Numerous Failed Auths CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm | CCF: User Object Access Inv CCF: Physical Access Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Escalation Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Audit Log Inv CCF: Time Sync Error Inv CCF: GeoIP Inv | CCF: User Object Access Summary CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Object Access Summary CCF: Time Sync Error Summary CCF: GeoIP Summary | |
4.22 | Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties | CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Concurrent VPN from Multiple Locations CCF: Blacklist Location Auth CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Abnormal Origin Location CCF: Corroborated Data Access Anomalies CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Multiple Account Passwords Modified by Admin CCF: Auth After Numerous Failed Auths CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used | CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Priv Group Access Granted Alarm CCF: Blacklisted Account Alarm | CCF: User Object Access Inv CCF: Physical Access Inv CCF: Applications Accessed By User Inv CCF: Privileged Account Modification Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Escalation Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Audit Log Inv CCF: Time Sync Error Inv CCF: GeoIP Inv | CCF: User Object Access Summary CCF: Physical Access Summary CCF: Applications Accessed By User Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Audit Log Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Object Access Summary CCF: Time Sync Error Summary CCF: GeoIP Summary | |
4.24 | A baseline of network operations and expected data flows for users and systems is established and managed | Netmon / could include any baseline-related rules | Netmon / could include any baseline-related rules | Netmon / could include any baseline-related rules | Netmon / could include any baseline-related rules | |
4.25 | Vulnerability scans are performed in collaboration with team responsible for Security Monitoring and Operations | CCF: Config Change After Attack CCF: Software Install CCF: Software Uninstall CCF: Critical Event After Attack | CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Privilege Escalation After Attack Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm | CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Audit Log Summary CCF: Time Sync Error Summary | |
4.26 | Management and dashboard reporting of identified access control deviations | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Physical Access Summary CCF: Use Of Non-Encrypted Protocols Summary CCF: Applications Accessed By User Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Top Suspicious Users CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: GeoIP Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Social Media Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Backup Activity Summary CCF: Audit Log Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | |
4.27 | Event detection information is communicated to appropriate parties. * In case of an Alert, the Network Security Team will execute response actions. * In case of an Incident/Breach, the Incident Response Team will execute response actions. | SIEM/Web Console | SIEM/Web Console | SIEM/Web Console | SIEM/Web Console | |
4.28 | Physical devices and systems within the organization are inventoried | Lists provide a mechanism for organizing and saving common search criteria used within filters throughout the Application – such as within Investigations, Reports, Alarm Rules, and AI Engine Rules. These lists are 'living' in that they can and should be updated often. LR will not be able to identify these asset changes for you, but can assist with tracking those changes. | ||||
4.30 | External network systems are catalogued | Lists provide a mechanism for organizing and saving common search criteria used within filters throughout the Application – such as within Investigations, Reports, Alarm Rules, and AI Engine Rules. These lists are 'living' in that they can and should be updated often. LR will not be able to identify these asset changes for you, but can assist with tracking those changes. | ||||
4.31 | Adequate capacity to ensure availability is maintained | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary | |
4.32 | Detected events are analysed to understand attack targets and methods | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary | |
4.33 | Event data are collected and correlated from multiple sources and sensors | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary | |
4.34 | Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools | SIEM stands for security information and event management. SIEM technology aggregates log data, security alerts, and events into a centralized platform for real-time analysis and security monitoring. Using LogRhythm (LR) and this module supports this control by providing centralized logging of your environment. | ||||
4.35 | Network vulnerability scans are performed in collaboration with the team responsible for Security Monitoring and Operations | CCF: Config Change After Attack CCF: Software Install CCF: Software Uninstall CCF: Critical Event After Attack | CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Privilege Escalation After Attack Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm | CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Audit Log Summary CCF: Time Sync Error Summary | |
4.37 | Network audit/log records are determined, documented, implemented, and reviewed | SIEM stands for security information and event management. SIEM technology aggregates log data, security alerts, and events into a centralized platform for real-time analysis and security monitoring. Using LogRhythm (LR) and this module supports this control by providing centralized logging of your environment. | ||||
4.38 | Notifications from detection systems are investigated | Case Management | Case Management | Case Management | Case Management | |
4.40 | Event detection information is communicated to appropriate parties: in case of an alert, the Network Security Team executes response actions; in case of an incident/breach, the Incident Response Team executes response actions | SIEM/Web Console | SIEM/Web Console | SIEM/Web Console | SIEM/Web Console | |
4.41 | Recovery plan is executed during or after a cybersecurity incident | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary | |||
4.42 | Incidents are contained | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary | |
4.43 | Incidents are mitigated | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary | |
4.44 | Newly identified vulnerabilities are mitigated or documented | CCF: Config Change After Attack CCF: Software Install CCF: Software Uninstall CCF: Critical Event After Attack | CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Privilege Escalation After Attack Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm | CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Audit Log Summary CCF: Time Sync Error Summary | |
5.06 | Protect data based on its classification, with the highest protections afforded to the most sensitive data | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary | |
5.07 | Understand how data is used and identify existing behaviour that puts data at risk | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary | |
5.08 | Monitor all data movement to gain visibility into sensitive data movement and determine the issues that need to be addressed | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer | CCF: FIM Delete Activity Alarm | CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv | CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary | |
5.09 | Continuously improve and remediate identified errors and processes | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv CCF: Physical Access Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary | |
6.02 | Secure communication channels are established and maintained for communicating change, configuration, and patch requirements | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | ||
6.08 | Establish a process to notify stakeholders in the event of a breach or downtime resulting from change, configuration, and patch deployment | CCF: Config Modified CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Time Sync Error Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Critical Environment Error Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Audit Log Summary CCF: Time Sync Error Summary | |
6.11 | Define authorization mechanisms to ensure that change, patch, and required configuration activities are consistent and in line with security/business requirements | CCF: Config Modified CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Time Sync Error Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Critical Environment Error Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Audit Log Summary CCF: Time Sync Error Summary | |
6.14 | Establish and maintain secure communication channels to communicate, agree on, and approve service and business outages resulting from change, configuration, and patch deployment activities within the change control committee | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | ||
6.15 | Establish a process to define and document change, configuration, and patch deployment plans | CCF: Config Modified CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Time Sync Error Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Critical Environment Error Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Audit Log Summary CCF: Time Sync Error Summary | |
6.18 | Define mechanisms to alert/notify respective teams for change, configuration, and patch deployment and monitoring activities | | CCF: Config Modified CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Time Sync Error Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Critical Environment Error Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Audit Log Summary CCF: Time Sync Error Summary |
6.23 | Establish a process to log and track issues and risks associated with changes, configurations, and patches, and ensure they are communicated and audited/reviewed by respective stakeholders | | CCF: Config Modified CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Time Sync Error Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Critical Environment Error Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Audit Log Summary CCF: Time Sync Error Summary |
6.24 | Establish a process to capture, log, and report change, configuration, and patch deployment outcomes, and ensure they are correctly distributed among respective stakeholders | | CCF: Config Modified CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Time Sync Error Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Critical Environment Error Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Audit Log Summary CCF: Time Sync Error Summary |
7.01 | Security audit/log records are determined, documented, implemented, and reviewed in accordance with policy | | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary |
7.03 | Detection activities comply with all applicable requirements | | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary |
7.04 | Cyber threat intelligence is received from information sharing forums and sources | | TIS | TIS | TIS | TIS |
7.05 | Event data are aggregated and correlated from multiple sources and sensors | | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary |
7.06 | Malicious code is detected | | CCF: Config Change After Attack CCF: Software Install CCF: Critical Event After Attack | CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Audit Log Summary CCF: Time Sync Error Summary |
7.07 | Unauthorized mobile code is detected | | CCF: Config Change After Attack CCF: Software Install CCF: Critical Event After Attack | CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Audit Log Summary CCF: Time Sync Error Summary |
7.08 | Detected events are analysed to understand attack targets and methods; accordingly, triage is conducted | | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary |
7.09 | Impact of events is determined | | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary |
7.10 | Incident alert thresholds are established | SIEM stands for security information and event management. SIEM technology aggregates log data, security alerts, and events into a centralized platform to provide real-time analysis for security monitoring. An alarm is a record of an event, or series of events, that triggered an alarm rule; alarms can be managed and tracked. In LogRhythm Enterprise, alarm rules watch for defined conditions such as attacks on the network, compliance issues, and system errors. For example, if log data reveals that a Trojan attempted to enter the network, an alarm rule such as "Alarm on Malware" fires and notifies administrators. | | | | |
7.11 | Monitoring for unauthorized personnel, connections, devices, and software is performed | SIEM stands for security information and event management. SIEM technology aggregates log data, security alerts, and events into a centralized platform to provide real-time analysis for security monitoring. Use of LogRhythm and this module supports this control through the logging collected from your environment. | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Corroborated Data Access Anomalies CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm | CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Rogue Access Point Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Physical Access Summary |
7.12 | The network is monitored to detect potential cybersecurity events | | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary |
7.13 | The physical environment is monitored to detect potential cybersecurity events | | CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event | | CCF: User Object Access Inv CCF: Audit Log Inv CCF: Physical Access Inv | CCF: User Object Access Summary CCF: Audit Log Summary CCF: Physical Access Summary |
7.14 | Personnel activity is monitored to detect potential cybersecurity events | | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary |
7.15 | Vulnerability scans are performed | | CCF: Config Change After Attack CCF: Software Install CCF: Software Uninstall CCF: Critical Event After Attack | CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Privilege Escalation After Attack Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm | CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Audit Log Summary CCF: Time Sync Error Summary |
7.16 | External service provider activity is monitored to detect potential cybersecurity events | | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary |
7.17 | Event detection information is communicated to appropriate parties | | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary |
7.19 | Detection processes are continuously improved | SIEM stands for security information and event management. SIEM technology aggregates log data, security alerts, and events into a centralized platform to provide real-time analysis for security monitoring. The LogRhythm Labs team continually evaluates and improves module content. When LogRhythm Labs sends out periodic updates or new content for the Knowledge Base, administrators can choose when, or whether, a module should be updated. | | | | |
8.03 | Automate the collection to a central logging system (ideally within layer 3 as per the ISA99/IEC62443 model) | | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary |
8.04 | Fine tune the collected logs and apply enriching techniques such as linking the OT asset management system | | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary |
8.05 | Automate a process of collecting IOCs and threat intelligence | | TIS | TIS | TIS | TIS |
8.06 | Subscribe to and collect threat feeds from public and community sources (free as well as commercial) | | TIS | TIS | TIS | TIS |
8.09 | Set up use cases and rules as per planned policies | | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary |
8.1 | Ingest OT IOCs and Attack signatures | | TIS | TIS | TIS | TIS |
8.12 | Investigate alerts and conduct triage | | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary |
8.13 | Analyse deviations from the agreed network baseline (cyber analytics) | | CCF: FIM Abnormal Activity CCF: Corroborated Data Access Anomalies CCF: Abnormal Amount of Data Transferred CCF: Corroborated Account Anomalies CCF: Abnormal Origin Location | | | |
8.14 | Analyse new OT threat feeds and verify applicability to your systems and environment | | TIS | TIS | TIS | TIS |
8.15 | Escalation of alerts | | | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | | |
8.16 | OT incident containment and management in alignment with operational and plant safety requirements | | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary |
8.17 | Reporting channels horizontally and vertically | | | | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary |
8.18 | Vendor secure communication | | | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary |
9.01 | Incident response plans are prepared, in place and managed | SIEM stands for security information and event management. SIEM technology aggregates log data, security alerts, and events into a centralized platform to provide real-time analysis for security monitoring. An alarm is a managed record of an event, or series of events, that triggered an alarm rule. In LogRhythm Enterprise, alarm rules watch for conditions such as attacks on the network, compliance issues, and system errors. For example, if log data reveals that a Trojan attempted to enter the network, an alarm rule such as "Alarm on Malware" fires and notifies administrators. The LogRhythm Labs team continually evaluates and improves module content; when it releases periodic Knowledge Base updates or new content, administrators choose whether and when a module is updated. | | | | |
9.04 | Define a secure way of communication such as encryption software (Rights Management Servers/PGP Keys/Digital Certificates) for communication among stakeholders | | | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary |
9.05 | Response and recovery plans are tested | SIEM stands for security information and event management. SIEM technology aggregates log data, security alerts, and events into a centralized platform to provide real-time analysis for security monitoring. An important element of response and recovery is reconstructing what happened in the environment to cause the incident, and SIEM data is instrumental in that look back. | | | | |
9.07 | Events are reported consistent with established criteria | | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary |
9.08 | Notifications from detection systems are investigated and triage is conducted | | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary |
9.09 | Incident response plan is executed during or after an event | SIEM stands for security information and event management. SIEM technology aggregates log data, security alerts, and events into a centralized platform to provide real-time analysis for security monitoring. An important element of response and recovery is reconstructing what happened in the environment to cause the incident, and SIEM data is instrumental in that look back. | | | | |
9.10 | Incidents are categorized and assigned a criticality level consistent with response plans | | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary |
9.11 | The impact of the incident is understood | | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary |
9.12 | Malicious code identified during analysis is detected | | CCF: Config Change After Attack CCF: Software Install CCF: Software Uninstall CCF: Critical Event After Attack | CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Privilege Escalation After Attack Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm | CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Audit Log Summary CCF: Time Sync Error Summary |
9.13 | Forensics are performed, where required, after obtaining authorization from management | | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary |
9.14 | Newly identified vulnerabilities are mitigated or documented as accepted risks | Case Management | Case Management | Case Management | Case Management | |
9.16 | Mechanisms shall be put in place to monitor and quantify the types and volumes of cyber security incidents | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: 
Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: 
Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary | |
9.17 | Processes are established to receive, analyse and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers) | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Backup Information CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Critical Event After Attack CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Social Media Event CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Distributed Brute Force CCF: External Brute Force Auths CCF: Concurrent VPN from Multiple Locations CCF: Software Install CCF: Software Uninstall CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: FIM Delete Activity Alarm CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Backup Failure Alarm 
CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Rogue Access Point Alarm CCF: Suspected Wireless Attack Alarm CCF: Malware Alarm CCF: Vulnerability Detected Alarm CCF: Compromise Detected Alarm CCF: Denial of Service Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Config/Policy Change Inv CCF: Critical Environment Error Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Backup Activity Inv CCF: Time Sync Error Inv CCF: Social Media Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Rogue Access Point Inv CCF: Suspected Wireless Attack Inv CCF: Malware Detected Inv CCF: Vulnerability Detected Inv CCF: Compromises Detected Inv CCF: Denial of Service Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Signature Activity Summary CCF: Patch Activity Summary CCF: Time Sync Error Summary CCF: Social Media Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account 
Management Activity Summary CCF: Compromises Detected Summary CCF: Rogue Access Point Summary CCF: Suspected Wireless Attack Summary CCF: Malware Detected Summary CCF: Vulnerability Detected Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Backup Activity Summary CCF: Physical Access Summary | |
10.12 | Evaluation and identification of improvements to recovery and continuity capability. These reviews and updates are obligatory when a change takes place in the entity (in terms of services/works or people) | | | | CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Applications Accessed By User Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Suspicious Users Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: User Misuse Inv; CCF: Unknown User Account Inv; CCF: GeoIP Inv; CCF: Rogue Access Point Inv; CCF: Suspected Wireless Attack Inv; CCF: Malware Detected Inv; CCF: Vulnerability Detected Inv; CCF: Social Media Inv; CCF: Critical Environment Error Inv; CCF: Signature Activity Inv; CCF: Config/Policy Change Inv; CCF: Patch Activity Inv; CCF: Time Sync Error Inv; CCF: Backup Activity Inv; CCF: Audit Log Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: Compromises Detected Inv; CCF: Denial of Service Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv; CCF: Password Modification Inv | CCF: Physical Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: Applications Accessed By User Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Top Suspicious Users; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: User Misuse Summary; CCF: GeoIP Summary; CCF: Compromises Detected Summary; CCF: Rogue Access Point Summary; CCF: Suspected Wireless Attack Summary; CCF: Malware Detected Summary; CCF: Vulnerability Detected Summary; CCF: Social Media Summary; CCF: Critical Environment Error Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Patch Activity Summary; CCF: Time Sync Error Summary; CCF: Backup Activity Summary; CCF: Audit Log Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modification Summary; CCF: Term Account Activity Summary |
10.16 | Review of the Recovery and Continuity program against established performance metrics and key performance indicators | | | | CCF: Physical Access Inv; CCF: Host Access Granted And Revoked Inv; CCF: Use Of Non-Encrypted Protocols Inv; CCF: Applications Accessed By User Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Suspicious Users Inv; CCF: Object Access Inv; CCF: User Object Access Inv; CCF: User Misuse Inv; CCF: Unknown User Account Inv; CCF: GeoIP Inv; CCF: Rogue Access Point Inv; CCF: Suspected Wireless Attack Inv; CCF: Malware Detected Inv; CCF: Vulnerability Detected Inv; CCF: Social Media Inv; CCF: Critical Environment Error Inv; CCF: Signature Activity Inv; CCF: Config/Policy Change Inv; CCF: Patch Activity Inv; CCF: Time Sync Error Inv; CCF: Backup Activity Inv; CCF: Audit Log Inv; CCF: Privileged Account Modification Inv; CCF: Privileged Account Escalation Inv; CCF: Compromises Detected Inv; CCF: Denial of Service Inv; CCF: Excessive Authentication Failure Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv; CCF: Password Modification Inv | CCF: Physical Access Summary; CCF: Use Of Non-Encrypted Protocols Summary; CCF: Applications Accessed By User Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Top Suspicious Users; CCF: Object Access Summary; CCF: User Object Access Summary; CCF: User Misuse Summary; CCF: GeoIP Summary; CCF: Compromises Detected Summary; CCF: Rogue Access Point Summary; CCF: Suspected Wireless Attack Summary; CCF: Malware Detected Summary; CCF: Vulnerability Detected Summary; CCF: Social Media Summary; CCF: Critical Environment Error Summary; CCF: Signature Activity Summary; CCF: Config/Policy Change Summary; CCF: Patch Activity Summary; CCF: Time Sync Error Summary; CCF: Backup Activity Summary; CCF: Audit Log Summary; CCF: User Priv Escalation (Windows) Summary; CCF: User Priv Escalation (SU & SUDO) Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modification Summary; CCF: Term Account Activity Summary |
11.1 | Keep records regarding data processing | | CCF: FIM General Activity; CCF: FIM Add Activity; CCF: FIM Abnormal Activity; CCF: FIM Information; CCF: Data Destruction; CCF: Data Loss Prevention; CCF: Data Exfiltration Observed; CCF: Corroborated Data Access Anomalies; CCF: Corroborated Account Anomalies; CCF: Abnormal Amount of Data Transferred; CCF: Large Outbound Transfer | CCF: FIM Delete Activity Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Early TLS/SSL Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Unknown User Account Alarm | CCF: Use Of Non-Encrypted Protocols Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Applications Accessed By User Inv; CCF: Privileged Account Modification Inv; CCF: Host Access Granted And Revoked Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv; CCF: Audit Log Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Escalation Inv; CCF: Password Modification Inv; CCF: Time Sync Error Inv | CCF: Use Of Non-Encrypted Protocols Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Applications Accessed By User Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modification Summary; CCF: Time Sync Error Summary |
11.11 | Implement controls to protect personal data to prevent and detect data attacks and breaches | | CCF: FIM General Activity; CCF: FIM Add Activity; CCF: FIM Abnormal Activity; CCF: FIM Information; CCF: Data Destruction; CCF: Data Loss Prevention; CCF: Data Exfiltration Observed; CCF: Corroborated Data Access Anomalies; CCF: Corroborated Account Anomalies; CCF: Abnormal Amount of Data Transferred; CCF: Large Outbound Transfer; CCF: Excessive Authentication Failures Rule; CCF: Account Enabled Rule; CCF: Account Disabled Rule; CCF: Account Deleted Rule; CCF: Account Modification; CCF: Password Modified by Admin; CCF: Multiple Account Passwords Modified by Admin; CCF: Admin Password Modified; CCF: Password Modified by Another User; CCF: Auth After Numerous Failed Auths | CCF: FIM Delete Activity Alarm; CCF: Non-Encrypted Protocol Alarm; CCF: Early TLS/SSL Alarm; CCF: LogRhythm Silent Log Source Error Alarm; CCF: Priv Group Access Granted Alarm; CCF: Audit Logging Stopped Alarm; CCF: Audit Log Cleared Alarm; CCF: Failed Audit Log Write Alarm; CCF: Unknown User Account Alarm; CCF: Time Sync Error Alarm | CCF: Use Of Non-Encrypted Protocols Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Applications Accessed By User Inv; CCF: Privileged Account Modification Inv; CCF: Host Access Granted And Revoked Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv; CCF: Audit Log Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Escalation Inv; CCF: Password Modification Inv; CCF: Time Sync Error Inv | CCF: Use Of Non-Encrypted Protocols Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Applications Accessed By User Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modification Summary; CCF: Time Sync Error Summary |
11.13 | Conduct periodic audits and performance reviews of the Privacy Management Framework | | | | CCF: Use Of Non-Encrypted Protocols Inv; CCF: LogRhythm Data Loss Defender Log Inv; CCF: Applications Accessed By User Inv; CCF: Privileged Account Modification Inv; CCF: Host Access Granted And Revoked Inv; CCF: Account Modification Inv; CCF: Enabled Account Inv; CCF: Disabled Account Inv; CCF: Deleted Account Inv; CCF: Audit Log Inv; CCF: Unknown User Account Inv; CCF: Privileged Account Escalation Inv; CCF: Password Modification Inv; CCF: Time Sync Error Inv | CCF: Use Of Non-Encrypted Protocols Summary; CCF: LogRhythm Data Loss Defender Log Summary; CCF: Applications Accessed By User Summary; CCF: Priv Authentication Activity Summary; CCF: Priv Account Management Activity Summary; CCF: Audit Log Summary; CCF: Auth Failure Summary; CCF: Access Failure Summary; CCF: Auth Success Summary; CCF: Access Success Summary; CCF: Account Enabled Summary; CCF: Account Disabled Summary; CCF: Account Deleted Summary; CCF: Account Modification Summary; CCF: Time Sync Error Summary |
12.01 | Processes and tools to manage identities of users during onboarding, transfer, and off-boarding across platforms and applications | CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: Priv Group Access Granted Alarm | CCF: Audit Log Inv CCF: Time Sync Error Inv CCF: Privileged Account Modification Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | |
12.02 | Unique ID generation | CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: Priv Group Access Granted Alarm | CCF: Audit Log Inv CCF: Time Sync Error Inv CCF: Privileged Account Modification Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | |
12.03 | Identity profile management | CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: Priv Group Access Granted Alarm | CCF: Audit Log Inv CCF: Time Sync Error Inv CCF: Privileged Account Modification Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | |
12.05 | Establish processes and tools to create, modify, delete and monitor user accounts and entitlements | CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: Priv Group Access Granted Alarm | CCF: Audit Log Inv CCF: Time Sync Error Inv CCF: Privileged Account Modification Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | |
12.06 | Provisioning Workflow (On-Board, Move/Update, Revoke) | CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: Priv Group Access Granted Alarm | CCF: Audit Log Inv CCF: Time Sync Error Inv CCF: Privileged Account Modification Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | |
12.07 | Privileged access management | CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: Priv Group Access Granted Alarm | CCF: Audit Log Inv CCF: Time Sync Error Inv CCF: Privileged Account Modification Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | |
12.08 | Credential management (Password Management) | CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: Priv Group Access Granted Alarm | CCF: Audit Log Inv CCF: Time Sync Error Inv CCF: Privileged Account Modification Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | |
12.09 | Role management: managing access based on job functions/responsibilitie s and related permissions. | CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: Priv Group Access Granted Alarm | CCF: Audit Log Inv CCF: Time Sync Error Inv CCF: Privileged Account Modification Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | |
12.1 | Fine-grained access policy administration | CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: Priv Group Access Granted Alarm | CCF: Audit Log Inv CCF: Time Sync Error Inv CCF: Privileged Account Modification Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | |
12.11 | Processes and tools used to control users’ access to protected resources by various authentication and authorization mechanisms | CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Multiple Object Access Failures | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: Priv Group Access Granted Alarm | CCF: Audit Log Inv CCF: Time Sync Error Inv CCF: Privileged Account Modification Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | |
12.14 | Identity federation | CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: Priv Group Access Granted Alarm | CCF: Audit Log Inv CCF: Time Sync Error Inv CCF: Privileged Account Modification Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | |
12.15 | Fine-grained access policy enforcement | CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: Priv Group Access Granted Alarm | CCF: Audit Log Inv CCF: Time Sync Error Inv CCF: Privileged Account Modification Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | |
12.17 | Log consolidation and analysis | CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: Priv Group Access Granted Alarm | CCF: Audit Log Inv CCF: Time Sync Error Inv CCF: Privileged Account Modification Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | |
12.18 | Identity and access monitoring | CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: Priv Group Access Granted Alarm | CCF: Audit Log Inv CCF: Time Sync Error Inv CCF: Privileged Account Modification Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | |
12.19 | Privileged access monitoring | CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: Priv Group Access Granted Alarm | CCF: Audit Log Inv CCF: Time Sync Error Inv CCF: Privileged Account Modification Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | |
12.2 | Processes and tools to understand the health of the various IAM components | CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: Priv Group Access Granted Alarm | CCF: Audit Log Inv CCF: Time Sync Error Inv CCF: Privileged Account Modification Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | |
12.21 | Identify opportunities for improvement in processes | CCF: Audit Log Inv CCF: Time Sync Error Inv CCF: Privileged Account Modification Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | |||
12.22 | Provide evidence for access reviews, audit activities | CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: Priv Group Access Granted Alarm | CCF: Audit Log Inv CCF: Time Sync Error Inv CCF: Privileged Account Modification Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | |
12.25 | Policy compliance monitoring | CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used | CCF: Priv Group Access Granted Alarm | CCF: Audit Log Inv CCF: Privileged Account Modification Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Unknown User Account Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Audit Log Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | |
12.26 | Role and definition certification | CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: Priv Group Access Granted Alarm | CCF: Audit Log Inv CCF: Time Sync Error Inv CCF: Privileged Account Modification Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Unknown User Account Inv CCF: Privileged Account Escalation Inv CCF: Password Modification Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary | |
13.07 | Authentication of management and monitoring assets (including workforce); Integrity verification of asset changes, asset monitoring solutions and asset updates; Maintaining integrity of logs and reports | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Config Modified CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall | CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: GeoIP Summary | |
13.08 | Holistic assessment of data integrity in its lifecycle across the entire IoT system; Architectural integrity evaluation; Enforcing principle of least privilege; Access control | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Config Modified CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall | CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: GeoIP Summary | |
13.09 | Encrypted data storage | CCF: Data Destruction CCF: Data Loss Prevention CCF: Data Exfiltration Observed CCF: Corroborated Data Access Anomalies CCF: Abnormal Amount of Data Transferred CCF: Large Outbound Transfer | CCF: Non-Encrypted Protocol Alarm CCF: Early TLS/SSL Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm | CCF: Use Of Non-Encrypted Protocols Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Audit Log Summary CCF: Time Sync Error Summary | |
13.1 | Encrypted communication | CCF: Early TLS/SSL Alarm | CCF: Use Of Non-Encrypted Protocols Inv | CCF: Use Of Non-Encrypted Protocols Summary | ||
13.11 | Architectural confidentiality evaluation; Enforcing principle of least privilege; Access control | CCF: FIM General Activity CCF: FIM Add Activity CCF: FIM Abnormal Activity CCF: FIM Information CCF: Corroborated Data Access Anomalies CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Config Modified CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall | CCF: FIM Delete Activity Alarm CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: GeoIP Summary | |
13.12 | Sandboxing (application); Fine-grained data-centric access control (middleware); Separation kernels (OS); Trusted computing environments (hardware) | CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Attack then External Connection CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Config Modified CCF: Password Modified by Another User | CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Physical Access Inv CCF: Password Modification Inv | CCF: Use Of Non-Encrypted Protocols Summary CCF: LogRhythm Data Loss Defender Log Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: User Misuse Summary CCF: GeoIP Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Physical Access Summary | |
13.14 | Access control for monitoring, logging and managing assets (e.g. endpoints, communication, data, workforce); Control procedures for managing and monitoring operations; Controlling access to data that is fed into analytics solutions; Separation of duties; Role-based access control (RBAC) | CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Config Modified CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: GeoIP Summary | |
13.15 | Access control within endpoints, communication, management and monitoring; Holistic security evaluation methodology; Domain-specific expertise; Granular access control policies | CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Misuse CCF: Corroborated Account Anomalies CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Local Account Created and Used CCF: Blacklist Location Auth CCF: Concurrent VPN from Multiple Locations CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Account Modification CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Auth After Numerous Failed Auths CCF: Auth After Security Event CCF: Abnormal Origin Location CCF: Password Modified by Admin CCF: Multiple Account Passwords Modified by Admin CCF: Admin Password Modified CCF: Password Modified by Another User CCF: Config Modified CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Time Sync Error Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Unknown User Account Alarm CCF: Blacklisted Account Alarm CCF: Priv Group Access Granted Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Privilege Escalation After Attack Alarm | CCF: Object Access Inv CCF: User Object Access Inv CCF: Audit Log Inv CCF: Config/Policy Change Inv CCF: Signature Activity Inv CCF: Patch Activity Inv CCF: Time Sync Error Inv CCF: Host Access Granted And Revoked Inv CCF: Applications Accessed By User Inv CCF: Suspicious Users Inv CCF: User Misuse Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Privileged Account Modification Inv CCF: Privileged Account Escalation Inv CCF: Excessive Authentication Failure Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Password Modification Inv | CCF: Object Access Summary CCF: User Object Access Summary CCF: Audit Log Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: GeoIP Summary | |
14.01 | Removing unnecessary software apps | CCF: Software Install CCF: Software Uninstall | CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm | CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Audit Log Summary CCF: Time Sync Error Summary | |
14.02 | Disabling or removing unnecessary usernames and credentials | CCF: GeoIP General Activity CCF: GeoIP Blacklisted Region Activity CCF: Concurrent VPN from Multiple Locations CCF: Blacklist Location Auth CCF: Corroborated Account Anomalies CCF: Concurrent VPN from Single User CCF: Excessive Authentication Failures Rule CCF: Abnormal Origin Location CCF: Corroborated Data Access Anomalies CCF: Account Enabled Rule CCF: Account Disabled Rule CCF: Account Deleted Rule CCF: Account Modification CCF: Password Modified by Admin CCF: Admin Password Modified CCF: Multiple Account Passwords Modified by Admin CCF: Password Modified by Another User CCF: Auth After Numerous Failed Auths CCF: Windows RunAs Privilege Escalation CCF: Linux sudo Privilege Escalation CCF: Misuse CCF: Social Media Event CCF: Local Account Created and Used | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: Unknown User Account Alarm CCF: Early TLS/SSL Alarm CCF: Non-Encrypted Protocol Alarm CCF: Blacklisted Account Alarm CCF: Time Sync Error Alarm CCF: Rogue Access Point Alarm CCF: Priv Group Access Granted Alarm | CCF: Applications Accessed By User Inv CCF: LogRhythm Data Loss Defender Log Inv CCF: Suspicious Users Inv CCF: Unknown User Account Inv CCF: GeoIP Inv CCF: Excessive Authentication Failure Inv CCF: Rogue Access Point Inv CCF: Audit Log Inv CCF: User Misuse Inv CCF: Time Sync Error Inv CCF: User Object Access Inv CCF: Privileged Account Modification Inv CCF: Account Modification Inv CCF: Enabled Account Inv CCF: Disabled Account Inv CCF: Deleted Account Inv CCF: Host Access Granted And Revoked Inv CCF: Privileged Account Escalation Inv CCF: Object Access Inv CCF: Password Modification Inv CCF: Social Media Inv | CCF: Applications Accessed By User Summary CCF: Top Suspicious Users CCF: GeoIP Summary CCF: Rogue Access Point Summary CCF: Audit Log Summary CCF: Time Sync Error Summary CCF: Object Access Summary CCF: User Object Access Summary CCF: User Misuse Summary CCF: User Priv Escalation (Windows) Summary CCF: User Priv Escalation (SU & SUDO) Summary CCF: Priv Authentication Activity Summary CCF: Priv Account Management Activity Summary CCF: Auth Failure Summary CCF: Access Failure Summary CCF: Auth Success Summary CCF: Access Success Summary CCF: Account Enabled Summary CCF: Account Disabled Summary CCF: Account Deleted Summary CCF: Account Modification Summary CCF: Term Account Activity Summary CCF: Social Media Summary | |
14.03 | Disabling or removing unnecessary services and ports | CCF: Port Misuse 53 CCF: Port Misuse 80 CCF: Blacklisted Ingress Port Observed CCF: Blacklisted Egress Port Observed CCF: New Network Host CCF: New Wireless Host | CCF: Rogue Access Point Alarm | |||
14.04 | Applying security and functionality patches (Covering operating system and all approved applications) | CCF: Config Modified CCF: Config Change After Attack CCF: Config Change then Critical Error CCF: Config Deleted/Disabled CCF: Software Install CCF: Software Uninstall | CCF: LogRhythm Silent Log Source Error Alarm CCF: Audit Logging Stopped Alarm CCF: Audit Log Cleared Alarm CCF: Failed Audit Log Write Alarm CCF: PRD Envir Config/Policy Change Alarm CCF: Critical/PRD Envir Patch Failure Alarm CCF: PRD Envir Signature Failure Alarm CCF: Software Install Fail Alarm CCF: Software Uninstall Fail Alarm CCF: Time Sync Error Alarm | CCF: Config/Policy Change Inv CCF: Patch Activity Inv CCF: Signature Activity Inv CCF: Critical Environment Error Inv CCF: Audit Log Inv CCF: Time Sync Error Inv | CCF: Patch Activity Summary CCF: Signature Activity Summary CCF: Config/Policy Change Summary CCF: Critical Environment Error Summary CCF: Audit Log Summary CCF: Time Sync Error Summary |