|
Control Number
|
Control Wording
|
Support Detail
|
AIE Rules
|
AIE Alerts
|
Investigations
|
Summary Reports
|
|
1.05
|
Map entity’s critical information assets with defined cybersecurity capabilities in the framework
|
Lists provide a mechanism for organizing and saving common search criteria used within filters throughout the Application – such as within Investigations, Reports, Alarm Rules, and AI Engine Rules. The lists enabled for this module will contain an entity's critical assets thereby enabling the defined capabilities in the framework supported by the rules, reports, and investigations that have been mapped.
|
|
|
|
|
|
1.29
|
Assess training gaps for cybersecurity capabilities
|
|
|
|
|
CCF: Top Suspicious Users
|
|
1.31
|
Conduct post trainings evaluation
|
|
|
|
|
CCF: Top Suspicious Users
|
|
1.33
|
Measure current cybersecurity awareness levels in the entity
|
|
|
|
|
CCF: Top Suspicious Users
|
|
2.01
|
Implement and enforce endpoint security configurations by applying it on operating system, application and network layers
|
|
CCF: Excessive Authentication Failures Rule
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Account Modification
CCF: Password Modified by Admin
CCF: Admin Password Modified
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
|
CCF: Priv Group Access Granted Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Time Sync Error Alarm
|
CCF: User Object Access Inv
CCF: Physical Access Inv
CCF: Applications Accessed By User Inv
CCF: Privileged Account Modification Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Audit Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Time Sync Error Inv
|
CCF: User Object Access Summary
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Object Access Summary
CCF: Time Sync Error Summary
|
|
2.03
|
Ensure that best practice security configurations are applied on endpoints
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
2.04
|
Track asset inventory of endpoint devices on asset repository by gathering all the details of hardware, operating systems, and applications changing and configurations
|
|
CCF: Config Modified
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Software Install
CCF: Software Uninstall
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Time Sync Error Alarm
|
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Critical Environment Error Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
2.05
|
Ensure that endpoint changes, patches and configuration go through a controlled change management process to continuously log and track security requirements
|
|
CCF: Config Modified
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Software Install
CCF: Software Uninstall
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Time Sync Error Alarm
|
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Critical Environment Error Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
2.06
|
Install security applications on endpoint devices to ensure adequate protection is applied
|
|
CCF: Config Change After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Critical Event After Attack
|
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
|
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
2.09
|
Identify, track and detect abnormal behaviours or malicious activities through incident handling
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
2.1
|
Ensure endpoint protection is applied on hardware and software
|
|
CCF: Config Change After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Critical Event After Attack
|
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
|
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
3.04
|
Test the application with the selected application security method
|
|
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Software Install
CCF: Software Uninstall
|
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
|
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
3.05
|
The development and testing environments are separate from the production environment
|
|
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Software Install
CCF: Software Uninstall
|
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
|
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
4.03
|
A baseline configuration of information technology/industrial control systems is created and maintained incorporating security principles (e.g. concept of least functionality)
|
|
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Software Install
CCF: Software Uninstall
|
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
|
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
CCF: Object Access Inv
CCF: User Object Access Inv
|
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
4.04
|
Network integrity is protected
(e.g., network segregation, network segmentation)
|
|
Netmon
|
Netmon
|
Netmon
|
Netmon
|
|
4.05
|
Configuration change control processes are in place
|
|
CCF: Config Modified
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Software Install
CCF: Software Uninstall
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Time Sync Error Alarm
|
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Critical Environment Error Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
4.06
|
Communications and control networks are protected
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
4.07
|
Mechanisms (e.g., failsafe, load balancing, hot swap) are implemented to achieve resilience requirements in normal and adverse situations
|
|
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Config Modified
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Local Account Created and Used
CCF: Corroborated Account Anomalies
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Host Access Granted And Revoked Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Social Media Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Audit Log Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Backup Activity Summary
|
|
4.08
|
A baseline of network operations and expected data flows for users and systems is established and managed
|
|
CCF: Config Modified
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Abnormal amount of Data Transferrred
CCF: Abnormal Origin Location
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Time Sync Error Alarm
|
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Critical Environment Error Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
4.09
|
Vulnerability scans are performed in collaboration with Security Monitoring and Operations (refer Security Monitoring and Operations capability chapter)
|
|
CCF: Config Change After Attack
CCF: Critical Event After Attack
|
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
|
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
4.1
|
Management and dashboard reporting of identified network configuration deviations.
|
The LogRhythm Web Console allows you to monitor log activity. To support the most common end-user activities, the Web Console offers a customizable user interface with colorful visualizations and a range of powerful analytical and forensic features including multiple real-time, interchangeable dashboard layouts and Direct web access to authorized report packages. download available reports in PDF format or create and run new searches based on their reporting filters.
|
|
|
|
|
|
4.11
|
Event detection information is communicated to appropriate parties
* In case of Alert, Network Security Team will execute response actions
* In case of Incident/Breach, Incident Response Team will execute response actions
|
|
SIEM/Web Console
|
SIEM/Web Console
|
SIEM/Web Console
|
SIEM/Web Console
|
|
4.15
|
Physical and network access to assets is managed and protected
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
4.16
|
Remote access of users and devices are managed
|
|
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Concurrent VPN from Multiple Locations
CCF: Blacklist Location Auth
CCF: Corroborated Account Anomalies
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Abnormal Origin Location
CCF: Corroborated Data Access Anomalies
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Account Modification
CCF: Password Modified by Admin
CCF: Admin Password Modified
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Misuse
CCF: Social Media Event
CCF: Local Account Created and Used
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Blacklisted Account Alarm
CCF: Time Sync Error Alarm
CCF: Rogue Access Point Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
|
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Excessive Authentication Failure Inv
CCF: Rogue Access Point Inv
CCF: Audit Log Inv
CCF: User Misuse Inv
CCF: Time Sync Error Inv
CCF: User Object Access Inv
CCF: Applications Accessed By User Inv
CCF: Privileged Account Modification Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Privileged Account Escalation Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Social Media Inv
|
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: GeoIP Summary
CCF: Rogue Access Point Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Rogue Access Point Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Social Media Summary
|
|
4.17
|
Network integrity is protected (e.g., network segregation, network segmentation)
|
|
CCF: Excessive Authentication Failures Rule
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Account Modification
CCF: Password Modified by Admin
CCF: Admin Password Modified
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
|
CCF: Priv Group Access Granted Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Time Sync Error Alarm
|
CCF: User Object Access Inv
CCF: Physical Access Inv
CCF: Applications Accessed By User Inv
CCF: Privileged Account Modification Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Audit Log Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Time Sync Error Inv
|
CCF: User Object Access Summary
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Object Access Summary
CCF: Time Sync Error Summary
|
|
4.18
|
Data-at-rest is protected
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
4.19
|
Data-in-transit is protected
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
4.2
|
Remote maintenance of organizational assets is approved, logged, and performed in a manner that prevents unauthorized access
|
|
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Abnormal Origin Location
|
|
CCF: Applications Accessed By User Inv
CCF: GeoIP Inv
|
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: GeoIP Summary
CCF: Rogue Access Point Summary
CCF: Audit Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
|
|
4.21
|
Users, devices, and other assets are authenticated (e.g., single-factor, multi-factor) commensurate with the risk of the transaction (e.g., individuals’ security and privacy risks and other organizational risks)
|
|
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Concurrent VPN from Multiple Locations
CCF: Blacklist Location Auth
CCF: Corroborated Account Anomalies
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Abnormal Origin Location
CCF: Corroborated Data Access Anomalies
CCF: Excessive Authentication Failures Rule
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Account Modification
CCF: Password Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Auth After Numerous Failed Auths
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
|
CCF: User Object Access Inv
CCF: Physical Access Inv
CCF: Applications Accessed By User Inv
CCF: Privileged Account Modification Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
CCF: GeoIP Inv
|
CCF: User Object Access Summary
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Object Access Summary
CCF: Time Sync Error Summary
CCF: GeoIP Summary
|
|
4.22
|
Access permissions and authorizations are managed, incorporating the principles of least privilege and separation of duties
|
|
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Concurrent VPN from Multiple Locations
CCF: Blacklist Location Auth
CCF: Corroborated Account Anomalies
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Abnormal Origin Location
CCF: Corroborated Data Access Anomalies
CCF: Excessive Authentication Failures Rule
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Account Modification
CCF: Password Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Multiple Account Passwords Modified by Admin
CCF: Auth After Numerous Failed Auths
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
|
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
|
CCF: User Object Access Inv
CCF: Physical Access Inv
CCF: Applications Accessed By User Inv
CCF: Privileged Account Modification Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
CCF: GeoIP Inv
|
CCF: User Object Access Summary
CCF: Physical Access Summary
CCF: Applications Accessed By User Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Object Access Summary
CCF: Time Sync Error Summary
CCF: GeoIP Summary
|
|
4.24
|
A baseline of network operations and expected data flows for users and systems is established and managed
|
|
Netmon/ Could include any baseline related rules
|
Netmon/ Could include any baseline related rules
|
Netmon/ Could include any baseline related rules
|
Netmon/ Could include any baseline related rules
|
|
4.25
|
Vulnerability scans are performed in collaboration with team responsible for Security Monitoring and Operations
|
|
CCF: Config Change After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Critical Event After Attack
|
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
|
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
4.26
|
Management and dashboard reporting of identified access control deviations.
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Backup Activity Summary
CCF: Audit Log Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
|
4.27
|
Event detection information is communicated to appropriate parties
* In case of Alert, Network Security Team will execute response actions
* In case of Incident/Breach, Incident Response Team will execute response actions
|
|
SIEM/Web Console
|
SIEM/Web Console
|
SIEM/Web Console
|
SIEM/Web Console
|
|
4.28
|
Physical devices and systems within the organization are inventoried
|
Lists provide a mechanism for organizing and saving common search criteria used within filters throughout the Application – such as within Investigations, Reports, Alarm Rules, and AI Engine Rules. These lists are 'living' in that they can and should be updated often. LR will not be able to identify these asset changes for you, but can assist with tracking those changes.
|
|
|
|
|
|
4.3
|
External network systems are catalogued
|
Lists provide a mechanism for organizing and saving common search criteria used within filters throughout the Application – such as within Investigations, Reports, Alarm Rules, and AI Engine Rules. These lists are 'living' in that they can and should be updated often. LR will not be able to identify these asset changes for you, but can assist with tracking those changes.
|
|
|
|
|
|
4.31
|
Adequate capacity to ensure availability is maintained
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
4.32
|
Detected events are analysed to understand attack targets and methods
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
4.33
|
Event data are collected and correlated from multiple sources and sensors
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
4.34
|
Maintenance and repair of organizational assets are performed and logged, with approved and controlled tools
|
SIEM stands for security, information, and event management. SIEM technology aggregates log data, security alerts, and events into a centralized platform to provide real-time analysis for security monitoring. Use of LR and this module augments this control by support of logging in your environment.
|
|
|
|
|
|
4.35
|
Network Vulnerability scans are performed in collaboration with team responsible for Security Monitoring and Operations
|
|
CCF: Config Change After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Critical Event After Attack
|
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
|
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
4.37
|
Network Audit/log records are determined, documented, implemented, and reviewed
|
SIEM stands for security, information, and event management. SIEM technology aggregates log data, security alerts, and events into a centralized platform to provide real-time analysis for security monitoring. Use of LR and this module augments this control by support of logging in your environment.
|
|
|
|
|
|
4.38
|
Notifications from detection systems are investigated
|
|
Case Management
|
Case Management
|
Case Management
|
Case Management
|
|
4.4
|
Event detection information is communicated to appropriate parties
* In case of Alert, Network Security Team will execute response actions
* In case of Incident/Breach, Incident Response Team will execute response actions
|
|
SIEM/Web Console
|
SIEM/Web Console
|
SIEM/Web Console
|
SIEM/Web Console
|
|
4.41
|
Recovery plan is executed during or after a cybersecurity incident
|
|
|
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
4.42
|
Incidents are contained
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
4.43
|
Incidents are mitigated
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
4.44
|
Newly identified vulnerabilities are mitigated or documented
|
|
CCF: Config Change After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Critical Event After Attack
|
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
|
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
5.06
|
Protect data based on its classification, with the highest protections afforded to the most sensitive data
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
5.07
|
Understand how data is used and identify existing behaviour that puts data at risk
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
5.08
|
Monitor all data movement to gain visibility into sensitive data movement and determine the issues that need to be addressed
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
|
CCF: FIM Delete Activity Alarm
|
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
|
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
|
|
5.09
|
Continuously improve and remediate identified errors and processes
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
CCF: Physical Access Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
6.02
|
Secure communication channels are established and maintained for communicating change, configuration, and patch requirements
|
|
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
|
|
6.08
|
Establish a process to notify stakeholders in the event of breach and downtime resulting from changes, configuration, and patch deployment
|
|
CCF: Config Modified
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Software Install
CCF: Software Uninstall
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Time Sync Error Alarm
|
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Critical Environment Error Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
6.11
|
Define authorization mechanisms to ensure change, patch, and required configurations activities are consistent and inline security/business requirements
|
|
CCF: Config Modified
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Software Install
CCF: Software Uninstall
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Time Sync Error Alarm
|
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Critical Environment Error Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
6.14
|
Establish and maintain secure communication channels to communicate, agree, and approve service outage and business outage resulting from change, configuration, and patch deployment activities within the change control committee
|
|
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
|
|
6.15
|
Establish a process to define and document change, configuration, and patch deployment plans
|
|
CCF: Config Modified
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Software Install
CCF: Software Uninstall
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Time Sync Error Alarm
|
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Critical Environment Error Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
6.18
|
Define mechanisms to alert/notify respective teams for change, configuration, and patch deployment and monitoring activities
|
|
CCF: Config Modified
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Software Install
CCF: Software Uninstall
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Time Sync Error Alarm
|
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Critical Environment Error Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
6.23
|
Establish a process to log and track issues and risks associated with the changes, configurations, and patches are communicated and audited/reviewed by respective stakeholders
|
|
CCF: Config Modified
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Software Install
CCF: Software Uninstall
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Time Sync Error Alarm
|
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Critical Environment Error Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
6.24
|
Establish a process to capture, log, and report change, configuration, and patch deployment outcomes are correctly distributed among respective stakeholders
|
|
CCF: Config Modified
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Software Install
CCF: Software Uninstall
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Time Sync Error Alarm
|
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Critical Environment Error Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
7.01
|
Security audit/log records are determined, documented, implemented, and reviewed in accordance with policy
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
7.03
|
Detection activities comply with all applicable requirements
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
7.04
|
Cyber threat intelligence is received from information sharing forums and sources
|
|
TIS
|
TIS
|
TIS
|
TIS
|
|
7.05
|
Event data are aggregated and correlated from multiple sources and sensors
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
7.06
|
Malicious code is detected
|
|
CCF: Config Change After Attack
CCF: Software Install
CCF: Critical Event After Attack
|
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
7.07
|
Unauthorized mobile code is detected
|
|
CCF: Config Change After Attack
CCF: Software Install
CCF: Critical Event After Attack
|
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
7.08
|
Detected events are analysed to understand attack targets and methods; accordingly, triage is conducted
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
7.09
|
Impact of events is determined
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
7.1
|
Incident alert thresholds are established
|
SIEM stands for security, information, and event management. SIEM technology aggregates log data, security alerts, and events into a centralized platform to provide real-time analysis for security monitoring. An alarm is a record of an event, or series of events, that triggered an alarm rule that can be managed. In LogRhythm Enterprise, alarm rules watch for certain conditions such as attacks on the network, compliance issues, system errors, and so on. For example, if log data reveals that a Trojan attempted to enter the network, an alarm rule such as "Alarm on Malware" is triggered that notifies administrators.
|
|
|
|
|
|
7.11
|
Monitoring for unauthorized personnel, connections, devices, and software is performed
|
SIEM stands for security, information, and event management. SIEM technology aggregates log data, security alerts, and events into a centralized platform to provide real-time analysis for security monitoring. Use of LR and this module augments this control by support of logging in your environment.
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Corroborated Data Access Anomalies
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
|
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Rogue Access Point Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Physical Access Summary
|
|
7.12
|
The network is monitored to detect potential cybersecurity events
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
7.13
|
The physical environment is monitored to detect potential cybersecurity events
|
|
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
|
|
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: Physical Access Inv
|
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Physical Access Summary
|
|
7.14
|
Personnel activity is monitored to detect potential cybersecurity events
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
7.15
|
Vulnerability scans are performed
|
|
CCF: Config Change After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Critical Event After Attack
|
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
|
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
7.16
|
External service provider activity is monitored to detect potential cybersecurity events
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
7.17
|
Event detection information is communicated to appropriate parties
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
7.19
|
Detection processes are continuously improved
|
SIEM stands for security, information, and event management. SIEM technology aggregates log data, security alerts, and events into a centralized platform to provide real-time analysis for security monitoring. LogRhythm Labs team are constantly evaluating and improving content for modules. When LogRhythm Labs sends out periodic updates or new content for the Knowledge Base, administrators can choose when or if a module should be updated.
|
|
|
|
|
|
8.03
|
Automate the collection to a central logging system (ideally within layer 3 as per the ISA99/IEC62443 model)
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
8.04
|
Fine tune the collected logs and apply enriching techniques such as linking the OT asset management system
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
8.05
|
Automate a process of collecting IOCs and threat intelligence
|
|
TIS
|
TIS
|
TIS
|
TIS
|
|
8.06
|
Subscribe to and collect threat feeds from public and community sources (free as well as commercial)
|
|
TIS
|
TIS
|
TIS
|
TIS
|
|
8.09
|
Set up use cases and rules as per planned policies
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
8.1
|
Ingest OT IOCs and Attack signatures
|
|
TIS
|
TIS
|
TIS
|
TIS
|
|
8.12
|
Investigate alerts and conduct triage
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
8.13
|
Analyse deviations from the agreed network baseline (Cyber analytics)
|
|
CCF: FIM Abnormal Activity
CCF: Corroborated Data Access Anomalies
CCF: Abnormal Amount of Data Transferred
CCF: Corroborated Account Anomalies
CCF: Abnormal Origin Location
|
|
|
|
|
8.14
|
Analyse new OT threat feeds and verify applicability to your systems and environment
|
|
TIS
|
TIS
|
TIS
|
TIS
|
|
8.15
|
Escalation of alerts
|
|
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
|
|
|
8.16
|
OT Incident containment and management in alignment with operational and plant safety requirements
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
8.17
|
Reporting channels horizontally and vertically
|
|
|
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
8.18
|
Vendor secure communication
|
|
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
|
|
9.01
|
Incident Response plans are prepared, in place and managed
|
SIEM stands for security, information, and event management. SIEM technology aggregates log data, security alerts, and events into a centralized platform to provide real-time analysis for security monitoring. An alarm is a record of an event, or series of events, that triggered an alarm rule that can be managed. In LogRhythm Enterprise, alarm rules watch for certain conditions such as attacks on the network, compliance issues, system errors, and so on. For example, if log data reveals that a Trojan attempted to enter the network, an alarm rule such as "Alarm on Malware" is triggered that notifies administrators. LogRhythm Labs team are constantly evaluating and improving content for modules. When LogRhythm Labs sends out periodic updates or new content for the Knowledge Base, administrators can choose when or if a module should be updated.
|
|
|
|
|
|
9.04
|
Define a secure way of communication such as encryption software (Rights Management Servers/PGP Keys/Digital Certificates) for communication among stakeholders
|
|
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
|
|
9.05
|
Response and recovery plans are tested
|
SIEM stands for security, information, and event management. SIEM technology aggregates log data, security alerts, and events into a centralized platform to provide real-time analysis for security monitoring. An important element of response and recovery is observing what happened in your environment that caused the incident. SIEM data is instrumental in taking this look back.
|
|
|
|
|
|
9.07
|
Events are reported consistent with established criteria
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
9.08
|
Notifications from detection systems are investigated and conduct triage is conducted
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
9.09
|
Incident Response plan is executed during or after an event
|
SIEM stands for security, information, and event management. SIEM technology aggregates log data, security alerts, and events into a centralized platform to provide real-time analysis for security monitoring. An important element of response and recovery is observing what happened in your environment that caused the incident. SIEM data is instrumental in taking this look back.
|
|
|
|
|
|
9.1
|
Incidents are categorized and assigned a criticality level consistent with response plans
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
9.11
|
The impact of the incident is understood
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
9.12
|
Malicious code is detected which have been identified as a part of analysis
|
|
CCF: Config Change After Attack
CCF: Software Install
CCF: Software Uninstall
CCF: Critical Event After Attack
|
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Privilege Escalation After Attack Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
|
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
9.13
|
Forensics are performed, where required, after getting authorization approval from management
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
9.14
|
Newly identified vulnerabilities are mitigated or documented as accepted risks
|
|
Case Management
|
Case Management
|
Case Management
|
Case Management
|
|
9.16
|
Mechanisms shall be put in place to monitor and quantify the types and volumes of cyber security incidents
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
9.17
|
Processes are established to receive, analyse and respond to vulnerabilities disclosed to the organization from internal and external sources (e.g. internal testing, security bulletins, or security researchers)
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Backup Information
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Critical Event After Attack
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Social Media Event
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Distributed Brute Force
CCF: External Brute Force Auths
CCF: Concurrent VPN from Multiple Locations
CCF: Software Install
CCF: Software Uninstall
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Backup Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Rogue Access Point Alarm
CCF: Suspected Wireless Attack Alarm
CCF: Malware Alarm
CCF: Vulnerability Detected Alarm
CCF: Compromise Detected Alarm
CCF: Denial of Service Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Config/Policy Change Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Backup Activity Inv
CCF: Time Sync Error Inv
CCF: Social Media Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Social Media Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Backup Activity Summary
CCF: Physical Access Summary
|
|
10.12
|
Evaluation and the identification of the improvements of recovery and continuity capability. These review’s and updates are obligatory when a change takes place in the entity (in terms of services /works or people)
|
|
|
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Social Media Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Time Sync Error Inv
CCF: Backup Activity Inv
CCF: Audit Log Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Backup Activity Summary
CCF: Audit Log Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
|
10.16
|
Review of Recovery and Continuity program against established Performance matrices and key performance indicators
|
|
|
|
CCF: Physical Access Inv
CCF: Host Access Granted And Revoked Inv
CCF: Use Of Non-Encrypted Protocols Inv
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Rogue Access Point Inv
CCF: Suspected Wireless Attack Inv
CCF: Malware Detected Inv
CCF: Vulnerability Detected Inv
CCF: Social Media Inv
CCF: Critical Environment Error Inv
CCF: Signature Activity Inv
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Time Sync Error Inv
CCF: Backup Activity Inv
CCF: Audit Log Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Compromises Detected Inv
CCF: Denial of Service Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Physical Access Summary
CCF: Use Of Non-Encrypted Protocols Summary
CCF: Applications Accessed By User Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Top Suspicious Users
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: Compromises Detected Summary
CCF: Rogue Access Point Summary
CCF: Suspected Wireless Attack Summary
CCF: Malware Detected Summary
CCF: Vulnerability Detected Summary
CCF: Social Media Summary
CCF: Critical Environment Error Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Patch Activity Summary
CCF: Time Sync Error Summary
CCF: Backup Activity Summary
CCF: Audit Log Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
|
11.1
|
Keep records regarding data processing
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Corroborated Account Anomalies
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Applications Accessed By User Inv
CCF: Privileged Account Modification Inv
CCF: Host Access Granted And Revoked Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Audit Log Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Password Modification Inv
CCF: Time Sync Error Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Applications Accessed By User Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Time Sync Error Summary
|
|
11.11
|
Implement controls to protect personal data to prevent and detect data attacks and breaches
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Corroborated Account Anomalies
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
CCF: Excessive Authentication Failures Rule
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Account Modification
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
|
CCF: FIM Delete Activity Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Priv Group Access Granted Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Time Sync Error Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Applications Accessed By User Inv
CCF: Privileged Account Modification Inv
CCF: Host Access Granted And Revoked Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Audit Log Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Password Modification Inv
CCF: Time Sync Error Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Applications Accessed By User Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Time Sync Error Summary
|
|
11.13
|
Conduct periodic audits and performance reviews of the Privacy Management Framework
|
|
|
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Applications Accessed By User Inv
CCF: Privileged Account Modification Inv
CCF: Host Access Granted And Revoked Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Audit Log Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Password Modification Inv
CCF: Time Sync Error Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Applications Accessed By User Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Audit Log Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Time Sync Error Summary
|
|
12.01
|
Processes and tools to manage identities of users during onboarding, transfer, and off-boarding across platforms and applications
|
|
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Account Modification
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: Priv Group Access Granted Alarm
|
CCF: Audit Log Inv
CCF: Time Sync Error Inv
CCF: Privileged Account Modification Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Password Modification Inv
|
CCF: Audit Log Summary
CCF: Time Sync Error Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
|
12.02
|
Unique ID generation
|
|
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Account Modification
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: Priv Group Access Granted Alarm
|
CCF: Audit Log Inv
CCF: Time Sync Error Inv
CCF: Privileged Account Modification Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Password Modification Inv
|
CCF: Audit Log Summary
CCF: Time Sync Error Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
|
12.03
|
Identity profile management
|
|
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Account Modification
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: Priv Group Access Granted Alarm
|
CCF: Audit Log Inv
CCF: Time Sync Error Inv
CCF: Privileged Account Modification Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Password Modification Inv
|
CCF: Audit Log Summary
CCF: Time Sync Error Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
|
12.05
|
Establish processes and tools to create, modify, delete and monitor user accounts and entitlements
|
|
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Account Modification
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: Priv Group Access Granted Alarm
|
CCF: Audit Log Inv
CCF: Time Sync Error Inv
CCF: Privileged Account Modification Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Password Modification Inv
|
CCF: Audit Log Summary
CCF: Time Sync Error Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
|
12.06
|
Provisioning Workflow (On-Board, Move/Update, Revoke)
|
|
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Account Modification
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: Priv Group Access Granted Alarm
|
CCF: Audit Log Inv
CCF: Time Sync Error Inv
CCF: Privileged Account Modification Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Password Modification Inv
|
CCF: Audit Log Summary
CCF: Time Sync Error Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
|
12.07
|
Privileged access management
|
|
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Account Modification
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: Priv Group Access Granted Alarm
|
CCF: Audit Log Inv
CCF: Time Sync Error Inv
CCF: Privileged Account Modification Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Password Modification Inv
|
CCF: Audit Log Summary
CCF: Time Sync Error Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
|
12.08
|
Credential management (Password Management)
|
|
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Account Modification
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: Priv Group Access Granted Alarm
|
CCF: Audit Log Inv
CCF: Time Sync Error Inv
CCF: Privileged Account Modification Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Password Modification Inv
|
CCF: Audit Log Summary
CCF: Time Sync Error Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
|
12.09
|
Role management: managing access based on job functions/responsibilitie s and related permissions.
|
|
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Account Modification
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: Priv Group Access Granted Alarm
|
CCF: Audit Log Inv
CCF: Time Sync Error Inv
CCF: Privileged Account Modification Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Password Modification Inv
|
CCF: Audit Log Summary
CCF: Time Sync Error Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
|
12.1
|
Fine-grained access policy administration
|
|
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Account Modification
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: Priv Group Access Granted Alarm
|
CCF: Audit Log Inv
CCF: Time Sync Error Inv
CCF: Privileged Account Modification Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Password Modification Inv
|
CCF: Audit Log Summary
CCF: Time Sync Error Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
|
12.11
|
Processes and tools used to control users’ access to protected resources by various authentication and authorization mechanisms
|
|
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Account Modification
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Multiple Object Access Falures
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: Priv Group Access Granted Alarm
|
CCF: Audit Log Inv
CCF: Time Sync Error Inv
CCF: Privileged Account Modification Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Password Modification Inv
|
CCF: Audit Log Summary
CCF: Time Sync Error Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
|
12.14
|
Identity federation
|
|
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Account Modification
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: Priv Group Access Granted Alarm
|
CCF: Audit Log Inv
CCF: Time Sync Error Inv
CCF: Privileged Account Modification Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Password Modification Inv
|
CCF: Audit Log Summary
CCF: Time Sync Error Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
|
12.15
|
Fine-grained access policy enforcement
|
|
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Account Modification
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: Priv Group Access Granted Alarm
|
CCF: Audit Log Inv
CCF: Time Sync Error Inv
CCF: Privileged Account Modification Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Password Modification Inv
|
CCF: Audit Log Summary
CCF: Time Sync Error Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
|
12.17
|
Log consolidation and analysis
|
|
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Account Modification
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: Priv Group Access Granted Alarm
|
CCF: Audit Log Inv
CCF: Time Sync Error Inv
CCF: Privileged Account Modification Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Password Modification Inv
|
CCF: Audit Log Summary
CCF: Time Sync Error Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
|
12.18
|
Identity and access monitoring
|
|
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Account Modification
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: Priv Group Access Granted Alarm
|
CCF: Audit Log Inv
CCF: Time Sync Error Inv
CCF: Privileged Account Modification Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Password Modification Inv
|
CCF: Audit Log Summary
CCF: Time Sync Error Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
|
12.19
|
Privileged access monitoring
|
|
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Account Modification
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: Priv Group Access Granted Alarm
|
CCF: Audit Log Inv
CCF: Time Sync Error Inv
CCF: Privileged Account Modification Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Password Modification Inv
|
CCF: Audit Log Summary
CCF: Time Sync Error Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
|
12.2
|
Processes and tools to understand the health of the various IAM components
|
|
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Account Modification
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: Priv Group Access Granted Alarm
|
CCF: Audit Log Inv
CCF: Time Sync Error Inv
CCF: Privileged Account Modification Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Password Modification Inv
|
CCF: Audit Log Summary
CCF: Time Sync Error Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
|
12.21
|
Identify opportunities for improvement in processes
|
|
|
|
CCF: Audit Log Inv
CCF: Time Sync Error Inv
CCF: Privileged Account Modification Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Password Modification Inv
|
CCF: Audit Log Summary
CCF: Time Sync Error Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
|
12.22
|
Provide evidence for access reviews, audit activities
|
|
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Account Modification
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: Priv Group Access Granted Alarm
|
CCF: Audit Log Inv
CCF: Time Sync Error Inv
CCF: Privileged Account Modification Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Password Modification Inv
|
CCF: Audit Log Summary
CCF: Time Sync Error Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
|
12.25
|
Policy compliance monitoring
|
|
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Account Modification
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
|
CCF: Priv Group Access Granted Alarm
|
CCF: Audit Log Inv
CCF: Privileged Account Modification Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Password Modification Inv
|
CCF: Audit Log Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
|
12.26
|
Role and definition certification
|
|
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Account Modification
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: Priv Group Access Granted Alarm
|
CCF: Audit Log Inv
CCF: Time Sync Error Inv
CCF: Privileged Account Modification Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Unknown User Account Inv
CCF: Privileged Account Escalation Inv
CCF: Password Modification Inv
|
CCF: Audit Log Summary
CCF: Time Sync Error Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
|
|
13.07
|
Authentication of management and monitoring assets (including workforce); Integrity verification of asset changes, asset monitoring solutions and asset Updates; Maintaining integrity of logs and reports
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Corroborated Data Access Anomalies
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Config Modified
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Software Install
CCF: Software Uninstall
|
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Time Sync Error Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: GeoIP Summary
|
|
13.08
|
Holistic assessment of data integrity in its lifecycle across the entire IoT system; Architectural integrity evaluation; Enforcing principle of least privilege; Access control
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Corroborated Data Access Anomalies
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Config Modified
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Software Install
CCF: Software Uninstall
|
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Time Sync Error Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: GeoIP Summary
|
|
13.09
|
Encrypted data storage
|
|
CCF: Data Destruction
CCF: Data Loss Prevention
CCF: Data Exfiltration Observed
CCF: Corroborated Data Access Anomalies
CCF: Abnormal Amount of Data Transferred
CCF: Large Outbound Transfer
|
CCF: Non-Encrypted Protocol Alarm
CCF: Early TLS/SSL Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
13.1
|
Encrypted communication
|
|
|
CCF: Early TLS/SSL Alarm
|
CCF: Use Of Non-Encrypted Protocols Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
|
|
13.11
|
Architectural confidentiality evaluation; Enforcing principle of least privilege; Access control
|
|
CCF: FIM General Activity
CCF: FIM Add Activity
CCF: FIM Abnormal Activity
CCF: FIM Information
CCF: Corroborated Data Access Anomalies
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Config Modified
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Software Install
CCF: Software Uninstall
|
CCF: FIM Delete Activity Alarm
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Time Sync Error Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: GeoIP Summary
|
|
13.12
|
Sandboxing (application); Fine-grained data- centric access control (middleware); Separation kernels (OS); Trusted computing environments (hardware)
|
|
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Attack then External Connection
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Config Modified
CCF: Password Modified by Another User
|
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Physical Access Inv
CCF: Password Modification Inv
|
CCF: Use Of Non-Encrypted Protocols Summary
CCF: LogRhythm Data Loss Defender Log Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Physical Access Summary
|
|
13.14
|
Access control for monitoring, logging and managing assets (e.g. endpoints, communication, data, workforce); Control procedures for managing and monitoring operations; Controlling access to data that is fed into analytics solutions; Separation of duties; Role-based access control (RBAC)
|
|
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Config Modified
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Software Install
CCF: Software Uninstall
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Time Sync Error Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: GeoIP Summary
|
|
13.15
|
Access control within endpoints, communication, management and monitoring. Holistic security evaluation methodology; Domain-specific expertise. Granular access control policies
|
|
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Misuse
CCF: Corroborated Account Anomalies
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Local Account Created and Used
CCF: Blacklist Location Auth
CCF: Concurrent VPN from Multiple Locations
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Account Modification
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Auth After Numerous Failed Auths
CCF: Auth After Security Event
CCF: Abnormal Origin Location
CCF: Password Modified by Admin
CCF: Multiple Account Passwords Modified by Admin
CCF: Admin Password Modified
CCF: Password Modified by Another User
CCF: Config Modified
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Software Install
CCF: Software Uninstall
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Time Sync Error Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Unknown User Account Alarm
CCF: Blacklisted Account Alarm
CCF: Priv Group Access Granted Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Privilege Escalation After Attack Alarm
|
CCF: Object Access Inv
CCF: User Object Access Inv
CCF: Audit Log Inv
CCF: Config/Policy Change Inv
CCF: Signature Activity Inv
CCF: Patch Activity Inv
CCF: Time Sync Error Inv
CCF: Host Access Granted And Revoked Inv
CCF: Applications Accessed By User Inv
CCF: Suspicious Users Inv
CCF: User Misuse Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Privileged Account Modification Inv
CCF: Privileged Account Escalation Inv
CCF: Excessive Authentication Failure Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Password Modification Inv
|
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: GeoIP Summary
|
|
14.01
|
Removing unnecessary software apps
|
|
CCF: Software Install
CCF: Software Uninstall
|
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
|
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
|
14.02
|
Disabling or removing unnecessary usernames and credentials
|
|
CCF: GeoIP General Activity
CCF: GeoIP Blacklisted Region Activity
CCF: Concurrent VPN from Multiple Locations
CCF: Blacklist Location Auth
CCF: Corroborated Account Anomalies
CCF: Concurrent VPN from Single User
CCF: Excessive Authentication Failures Rule
CCF: Abnormal Origin Location
CCF: Corroborated Data Access Anomalies
CCF: Account Enabled Rule
CCF: Account Disabled Rule
CCF: Account Deleted Rule
CCF: Account Modification
CCF: Password Modified by Admin
CCF: Admin Password Modified
CCF: Multiple Account Passwords Modified by Admin
CCF: Password Modified by Another User
CCF: Auth After Numerous Failed Auths
CCF: Windows RunAs Privilege Escalation
CCF: Linux sudo Privilege Escalation
CCF: Misuse
CCF: Social Media Event
CCF: Local Account Created and Used
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: Unknown User Account Alarm
CCF: Early TLS/SSL Alarm
CCF: Non-Encrypted Protocol Alarm
CCF: Blacklisted Account Alarm
CCF: Time Sync Error Alarm
CCF: Rogue Access Point Alarm
CCF: Priv Group Access Granted Alarm
CCF: Blacklisted Account Alarm
|
CCF: Applications Accessed By User Inv
CCF: LogRhythm Data Loss Defender Log Inv
CCF: Suspicious Users Inv
CCF: Unknown User Account Inv
CCF: GeoIP Inv
CCF: Excessive Authentication Failure Inv
CCF: Rogue Access Point Inv
CCF: Audit Log Inv
CCF: User Misuse Inv
CCF: Time Sync Error Inv
CCF: User Object Access Inv
CCF: Applications Accessed By User Inv
CCF: Privileged Account Modification Inv
CCF: Account Modification Inv
CCF: Enabled Account Inv
CCF: Disabled Account Inv
CCF: Deleted Account Inv
CCF: Host Access Granted And Revoked Inv
CCF: Privileged Account Escalation Inv
CCF: Object Access Inv
CCF: Password Modification Inv
CCF: Social Media Inv
|
CCF: Applications Accessed By User Summary
CCF: Top Suspicious Users
CCF: GeoIP Summary
CCF: Rogue Access Point Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
CCF: Object Access Summary
CCF: User Object Access Summary
CCF: Audit Log Summary
CCF: User Misuse Summary
CCF: GeoIP Summary
CCF: User Priv Escalation (Windows) Summary
CCF: User Priv Escalation (SU & SUDO) Summary
CCF: Priv Authentication Activity Summary
CCF: Priv Account Management Activity Summary
CCF: Rogue Access Point Summary
CCF: Auth Failure Summary
CCF: Access Failure Summary
CCF: Auth Success Summary
CCF: Access Success Summary
CCF: Account Enabled Summary
CCF: Account Disabled Summary
CCF: Account Deleted Summary
CCF: Account Modification Summary
CCF: Term Account Activity Summary
CCF: Social Media Summary
|
|
14.03
|
Disabling or removing unnecessary services and ports
|
|
CCF: Port Misuse 53
CCF: Port Misuse 80
CCF: Blacklisted Ingress Port Observed
CCF: Blacklisted Egress Port Observed
CCF: New Network Host
CCF: New Wireless Host
|
CCF: Rogue Access Point Alarm
|
|
|
|
14.04
|
Applying security and functionality patches (Covering operating system and all approved applications)
|
|
CCF: Config Modified
CCF: Config Change After Attack
CCF: Config Change then Critical Error
CCF: Config Deleted/Disabled
CCF: Software Install
CCF: Software Uninstall
|
CCF: LogRhythm Silent Log Source Error Alarm
CCF: Audit Logging Stopped Alarm
CCF: Audit Log Cleared Alarm
CCF: Failed Audit Log Write Alarm
CCF: PRD Envir Config/Policy Change Alarm
CCF: Critical/PRD Envir Patch Failure Alarm
CCF: PRD Envir Signature Failure Alarm
CCF: Software Install Fail Alarm
CCF: Software Uninstall Fail Alarm
CCF: Time Sync Error Alarm
|
CCF: Config/Policy Change Inv
CCF: Patch Activity Inv
CCF: Signature Activity Inv
CCF: Critical Environment Error Inv
CCF: Audit Log Inv
CCF: Time Sync Error Inv
|
CCF: Patch Activity Summary
CCF: Signature Activity Summary
CCF: Config/Policy Change Summary
CCF: Critical Environment Error Summary
CCF: Audit Log Summary
CCF: Time Sync Error Summary
|
