SOX – Investigations
Investigation Name | Investigation Description | Investigation ID | Data Source | Classification | Intelligent Indexing | Log Sources |
---|---|---|---|---|---|---|
SOX: FIM Critical/Error/Information Inv | This investigation provides details of critical failures, errors, and information from file integrity monitoring software across Critical and Production environments (entity structure).<br>Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06, DSS05.01<br>Augment: APO01.03, APO01.06, BAI04.01, BAI04.03, BAI04.05, BAI07.06, BAI07.07, BAI07.08, DSS01.01, DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05, DSS05.02, DSS05.03, DSS05.06, DSS05.07, DSS06.06 | 371 | Event Manager | Critical, Error | Yes | SOX: File Integrity Monitors |
SOX: Non-Encrypted Protocol Inv | This investigation provides details of unencrypted applications being utilized within the Critical and Production environments (entity structure).<br>Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06, DSS05.01<br>Augment: APO01.03, APO01.06, DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05, DSS05.02, DSS05.03, DSS05.06, DSS05.07, DSS06.06 | 372 | Log Manager | Operations: Information | Yes | All Log Sources |
SOX: Physical Access Inv | This investigation provides details of physical access success and failure activity for Critical and Production environments (entity structure).<br>Direct: DSS05.05<br>Augment: APO01.03, APO01.06, DSS05.06, DSS06.06 | 373 | Log Manager | Access Failure, Access Success, Authentication Failure, Authentication Success | Yes, No, Yes, No | SOX: Physical Security Systems |
SOX: Data Loss Prevention Inv | This investigation provides detailed information regarding data loss prevention activities identified through configured AIE rules.<br>Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06, DSS05.01<br>Augment: APO01.03, APO01.06, BAI04.03, DSS01.01, DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05, DSS05.02, DSS05.03, DSS05.06, DSS05.07, DSS06.06 | 374 | Event Manager | Operations : Information Security : Compromise | Yes | All Log Sources |
SOX: Acct Created, Used, Deleted Inv | The following investigation provides detailed information around the configured AIE rule identifying accounts created, used, and deleted within the Critical and Production environments (entity structure).<br>Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06, DSS05.01<br>Augment: APO07.05, DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.07, DSS06.03 | 376 | Event Manager | Security : Suspicious | Yes | All Log Sources |
SOX: Account Created Inv | This investigation provides detailed information pertaining to any account created that has not been allocated to a defined SOX user account list in Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 377 | Event Manager | Account Created | Yes | All Log Sources |
SOX: Priv Acct Auth Failure Inv | This investigation provides detailed information around privileged account authentication failures across Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 378 | Event Manager | Authentication Failure | Yes | All Log Sources |
SOX: Priv Acct Auth Success Inv | This investigation provides detailed information around privileged account authentication successes across Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 379 | Log Manager | Authentication Success | No | All Log Sources |
SOX: Priv Acct UAM Inv | This investigation provides detail of various access modifications to privileged accounts (list) occurring within Critical or Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 380 | Log Manager | Audit : Account Modified | Yes | SOX: Network Access Control Systems |
SOX: Priv Acct Access Success Inv | This investigation provides detailed information around access success for privileged accounts (list) within the Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 381 | Log Manager | Access Success | No | All Log Sources |
SOX: Priv Acct Access Failure Inv | This investigation provides detailed information around access failures for privileged accounts (list) within the Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 382 | Log Manager | Access Failure | Yes | All Log Sources |
SOX: Priv Acct Disabled/Enabled Inv | This investigation provides detailed information when a privileged account (list) has access revoked (disabled) or granted (enabled) across Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 383 | Event Manager | Access Granted, Access Revoked | Yes | SOX: Network Access Control Systems |
SOX: Vendor Acct Authentication Failure Inv | This investigation provides detailed information around vendor account authentication failures across Critical and Production environments (entity structure).<br>Augment: APO07.05, APO10.03, APO10.04, APO10.05, BAI04.03, DSS01.02, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 384 | Event Manager | Authentication Failure | Yes | All Log Sources |
SOX: Vendor Acct Authentication Success Inv | This investigation provides detailed information around vendor account authentication successes across Critical and Production environments (entity structure).<br>Augment: APO07.05, APO10.03, APO10.04, APO10.05, BAI04.03, DSS01.02, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 385 | Log Manager | Authentication Success | No | All Log Sources |
SOX: Vendor Acct Access Failure Inv | This investigation provides detailed information around access failures for vendor accounts (list) within the Critical and Production environments (entity structure).<br>Augment: APO07.05, APO10.03, APO10.04, APO10.05, BAI04.03, DSS01.02, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 386 | Log Manager | Access Failure | Yes | All Log Sources |
SOX: Shared Acct Access Success Inv | This investigation provides detailed information around access success for shared accounts (list) within the Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 387 | Log Manager | Access Success | No | All Log Sources |
SOX: Vendor Acct Access Success Inv | This investigation provides detailed information around access success for vendor accounts (list) within the Critical and Production environments (entity structure).<br>Augment: APO07.05, APO10.03, APO10.04, APO10.05, BAI04.03, DSS01.02, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 388 | Log Manager | Access Success | No | All Log Sources |
SOX: Vendor Acct Disabled/Enabled Inv | This investigation provides detailed information when a vendor account (list) has access revoked (disabled) or granted (enabled) across Critical and Production environments (entity structure).<br>Augment: APO07.05, APO10.03, APO10.04, APO10.05, BAI04.03, DSS01.02, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 389 | Event Manager | Access Granted, Access Revoked | Yes | SOX: Network Access Control Systems |
SOX: Default Acct Disabled/Enabled Inv | This investigation provides detailed information when a default and generic account (list) has access revoked (disabled) or granted (enabled) across Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 390 | Event Manager | Access Granted, Access Revoked | Yes | SOX: Network Access Control Systems |
SOX: Vendor Acct UAM Inv | This investigation provides detail of various access modifications to vendor accounts (list) occurring within Critical or Production environments (entity structure).<br>Augment: APO07.05, APO10.03, APO10.04, APO10.05, DSS01.02, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 391 | Log Manager | Audit : Account Modified | Yes | SOX: Network Access Control Systems |
SOX: Default Acct Authentication Failure Inv | This investigation provides detailed information around default and generic account authentication failures across Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 392 | Event Manager | Authentication Failure | Yes | All Log Sources |
SOX: Default Acct Authentication Success Inv | This investigation provides detailed information around vendor account authentication successes across Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 393 | Log Manager | Authentication Success | No | All Log Sources |
SOX: Default Acct Access Failure Inv | This investigation provides detailed information around access failures for default and generic accounts (list) within the Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 394 | Log Manager | Access Failure | Yes | All Log Sources |
SOX: Default Acct Access Success Inv | This investigation provides detailed information around access success for default and generic accounts (list) within the Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 395 | Log Manager | Access Success | No | All Log Sources |
SOX: Default Acct UAM Inv | This investigation provides detail of various access modifications to default and generic accounts (list) occurring within Critical or Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 396 | Log Manager | Audit : Account Modified | Yes | SOX: Network Access Control Systems |
SOX: Shared Acct Authentication Failure Inv | This investigation provides detailed information around shared account authentication failures across Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 397 | Event Manager | Authentication Failure | Yes | All Log Sources |
SOX: Shared Acct Authentication Success Inv | This investigation provides detailed information around shared account authentication successes across Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 398 | Log Manager | Authentication Success | No | All Log Sources |
SOX: Shared Acct Access Failure Inv | This investigation provides detailed information around access failures for shared accounts (list) within the Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 399 | Log Manager | Access Failure | Yes | All Log Sources |
SOX: Shared Acct Disabled/Enabled Inv | This investigation provides detailed information when a shared account (list) has access revoked (disabled) or granted (enabled) across Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 400 | Event Manager | Access Granted, Access Revoked | Yes | SOX: Network Access Control Systems |
SOX: Shared Acct UAM Inv | This investigation provides detail of various access modifications to shared accounts (list) occurring within Critical or Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 401 | Log Manager | Audit : Account Modified | Yes | SOX: Network Access Control Systems |
SOX: BU Acct Authentication Failure Inv | This investigation provides detailed information around business user account authentication failures across Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 402 | Event Manager | Authentication Failure | Yes | All Log Sources |
SOX: BU Acct Authentication Success Inv | This investigation provides detailed information around business user account authentication successes across Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 403 | Log Manager | Authentication Success | No | All Log Sources |
SOX: BU Acct Access Failure Inv | This investigation provides detailed information around access failures for business user accounts (list) within the Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 404 | Log Manager | Access Failure | Yes | All Log Sources |
SOX: HR Payroll Acct Accs Failure Inv | This investigation provides detailed information around access failures for HR or payroll accounts (list) within the Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 405 | Log Manager | Access Failure | Yes | All Log Sources |
SOX: BU Acct Access Success Inv | This investigation provides detailed information around access success for business user accounts (list) within the Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 406 | Log Manager | Access Success | No | All Log Sources |
SOX: BU Acct Disabled/Enabled Inv | This investigation provides detailed information when a business user account (list) has access revoked (disabled) or granted (enabled) across Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 407 | Event Manager | Access Granted, Access Revoked | Yes | SOX: Network Access Control Systems |
SOX: BU Acct UAM Inv | This investigation provides detail of various access modifications to business user accounts (list) occurring within Critical or Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 408 | Log Manager | Audit : Account Modified | Yes | SOX: Network Access Control Systems |
SOX: IT Acct Authentication Failure Inv | This investigation provides detailed information around IT user account authentication failures across Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 409 | Event Manager | Authentication Failure | Yes | All Log Sources |
SOX: IT Acct Authentication Success Inv | This investigation provides detailed information around IT user account authentication successes across Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 410 | Log Manager | Authentication Success | No | All Log Sources |
SOX: IT Acct Access Failure Inv | This investigation provides detailed information around access failures for IT user accounts (list) within the Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 411 | Log Manager | Access Failure | Yes | All Log Sources |
SOX: IT Acct Access Success Inv | This investigation provides detailed information around access success for business user accounts (list) within the Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 412 | Log Manager | Access Success | No | All Log Sources |
SOX: IT Acct Disabled/Enabled Inv | This investigation provides detailed information when an IT user account (list) has access revoked (disabled) or granted (enabled) across Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 413 | Event Manager | Access Granted, Access Revoked | Yes | SOX: Network Access Control Systems |
SOX: IT Acct UAM Inv | This investigation provides detail of various access modifications to IT user accounts (list) occurring within Critical or Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 414 | Log Manager | Audit : Account Modified | Yes | SOX: Network Access Control Systems |
SOX: Terminated User Authentication Activity Inv | This investigation provides detailed information around access success and failures for terminated accounts (list) within the Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 415 | Event Manager | Authentication Failure, Authentication Success | Yes, No | All Log Sources |
SOX: Terminated User Access Activity Inv | This investigation provides detailed information around terminated account access successes and failures across Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 416 | Log Manager | Access Failure, Access Success | Yes, No | All Log Sources |
SOX: HR Payroll Acct Auth Failure Inv | This investigation provides detailed information around HR or payroll account authentication failures across Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 417 | Event Manager | Authentication Failure | Yes | All Log Sources |
SOX: HR Payroll Acct Auth Success Inv | This investigation provides detailed information around HR or payroll account authentication successes across Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 418 | Log Manager | Authentication Success | No | All Log Sources |
SOX: HR Payroll Acct Accs Success Inv | This investigation provides detailed information around access success for HR or payroll accounts (list) within the Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 419 | Log Manager | Access Success | No | All Log Sources |
SOX: HR Payroll Acct Disable/Enable Inv | This investigation provides detailed information when an HR or payroll account (list) has access revoked (disabled) or granted (enabled) across Critical and Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 420 | Event Manager | Access Granted, Access Revoked | Yes | SOX: Network Access Control Systems |
SOX: HR Payroll Acct UAM Inv | This investigation provides detail of various access modifications to HR or payroll accounts (list) occurring within Critical or Production environments (entity structure).<br>Augment: APO07.05, DSS02.01, DSS05.04, DSS05.07, DSS06.03 | 421 | Log Manager | Audit : Account Modified | Yes | SOX: Network Access Control Systems |
SOX: TST Environment Error Inv | This investigation provides details around critical or error messages received from test servers or systems (entity structure) to support change management procedures.<br>Augment: BAI03.07, BAI03.08, BAI07.04, BAI07.05 | 422 | Event Manager | Critical, Error | Yes | All Log Sources |
SOX: TST Authentication Success Inv | This investigation provides detailed information around account authentication successes across Test environments (entity structure).<br>Augment: BAI03.07, BAI03.08, BAI07.04, BAI07.05 | 423 | Log Manager | Authentication Success | No | All Log Sources |
SOX: TST Authentication Failure Inv | This investigation provides detailed information around account authentication failures across Test environments (entity structure).<br>Augment: BAI03.07, BAI03.08, BAI07.04, BAI07.05 | 424 | Event Manager | Authentication Failure | Yes | All Log Sources |
SOX: TST Access Success Inv | This investigation provides detailed information around access success for accounts (list) within the Test environments (entity structure).<br>Augment: BAI03.07, BAI03.08, BAI07.04, BAI07.05 | 425 | Log Manager | Access Success | No | All Log Sources |
SOX: TST Access Failure Inv | This investigation provides detailed information around access failures for accounts (list) within the Test environments (entity structure).<br>Augment: BAI03.07, BAI03.08, BAI07.04, BAI07.05 | 426 | Log Manager | Access Failure | Yes | All Log Sources |
SOX: TST Priv Acct Authentication Inv | This investigation provides detailed information around account authentication successes and failures across Test environments (entity structure).<br>Augment: BAI03.07, BAI03.08, BAI07.04, BAI07.05 | 427 | Log Manager | Authentication Success, Authentication Failure | No, Yes | All Log Sources |
SOX: Critical Environment Error Inv | This investigation provides details around critical or error messages received from critical servers or systems (entity structure) to support change management procedures.<br>Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06<br>Augment: BAI04.01, BAI04.03, BAI04.05, BAI07.06, BAI07.07, BAI07.08, DSS01.01, DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05 | 428 | Event Manager | Critical, Error | Yes | All Log Sources |
SOX: Production Environment Error Inv | This investigation provides details around critical or error messages received from production servers or systems (entity structure) to support change management procedures.<br>Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06<br>Augment: BAI04.01, BAI04.03, BAI04.05, BAI07.06, BAI07.07, BAI07.08, DSS01.01, DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05 | 429 | Event Manager | Critical, Error | Yes | All Log Sources |
SOX: LogRhythm Silent Log Source Error Inv | This investigation provides detailed information when a LogRhythm Log Source has not received logs during the defined error period, for critical and production environments (entity structure).<br>Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06, DSS05.01<br>Augment: BAI04.01, BAI04.03, BAI04.04, BAI04.05, BAI07.06, BAI07.07, BAI07.08, BAI10.02, BAI10.03, BAI10.04, DSS01.01, DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05, DSS05.02, DSS05.03, DSS05.07 | 430 | Event Manager | Critical, Error | Yes | All Log Sources |
SOX: Backup Failure/Error Inv | This investigation provides detail of critical and error messages received from backup software (log source list) across critical and production environments (entity structure).<br>Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06<br>Augment: BAI04.01, BAI04.03, BAI04.05, BAI07.06, BAI07.07, BAI07.08, DSS01.01, DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05, DSS04.07 | 431 | Event Manager | Critical, Error | Yes | SOX: Backup Servers- Systems |
SOX: Backup Activity Inv | This investigation provides detail of activity from backup software (log source list) across critical and production environments (entity structure).<br>Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06<br>Augment: BAI04.01, BAI04.03, BAI04.05, BAI07.06, BAI07.07, BAI07.08, DSS01.01, DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05, DSS04.07 | 432 | Log Manager | Operations | Yes | SOX: Backup Servers- Systems |
SOX: FIM Activity Inv | This investigation provides detail of file integrity monitoring activity including adds, deletes, modifies, group changes, owner changes, and permissions. The File Integrity Monitoring log source can be established from LogRhythm's FIM or other FIM solutions.<br>Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06, DSS05.01<br>Augment: APO01.03, APO01.06, BAI04.01, BAI04.03, BAI04.05, BAI07.06, BAI07.07, BAI07.08, DSS01.01, DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05, DSS05.02, DSS05.03, DSS05.06, DSS05.07, DSS06.06 | 433 | Log Manager | Operations : Access Success | Yes for FIM | SOX: File Integrity Monitors |
SOX: Config/Policy Change Inv | This investigation provides details of the occurrence of configuration or policy changes within Critical and Production environments (entity structure).<br>Augment: BAI04.03, BAI06.01, BAI06.02, BAI10.02, BAI10.03, BAI10.04 | 434 | Log Manager | Configuration, Policy | Yes | All Log Sources |
SOX: *NIX Hosts Configuration Change Inv | This investigation provides detail of configuration changes and policy modifications on production *NIX hosts across critical and production environments (entity structure).<br>Augment: BAI04.03, BAI06.01, BAI06.02, BAI10.02, BAI10.03, BAI10.04 | 435 | Log Manager | Configuration | Yes | All Log Sources |
SOX: Windows Hosts Configuration Change Inv | This investigation provides detail of configuration changes and policy modifications on Windows hosts across critical and production environments (entity structure).<br>Augment: BAI04.03, BAI06.01, BAI06.02, BAI10.02, BAI10.03, BAI10.04 | 436 | Log Manager | Configuration | Yes | All Log Sources |
SOX: Patch Applied Inv | This investigation provides detail of applied patches grouped by Origin Host. It can demonstrate that all system components have the latest security patches installed.<br>Augment: BAI04.03, BAI06.01, BAI06.02, BAI10.02, BAI10.03, BAI10.04 | 437 | Log Manager | Operations : Information | Yes | All Log Sources |
SOX: Patch Failure Inv | This investigation provides detailed information around patch failure log messages received across Critical and Production environments (entity structure).<br>Augment: BAI04.03, BAI06.01, BAI06.02, BAI10.02, BAI10.03, BAI10.04 | 438 | Event Manager | Operations : Information | Yes | All Log Sources |
SOX: Signature Update Inv | This investigation provides details on signature update activity across Critical and Production environments (entity structure).<br>Augment: BAI04.03, BAI06.01, BAI06.02, BAI10.02, BAI10.03, BAI10.04 | 439 | Log Manager | Operations : Information | Yes | All Log Sources |
SOX: Signature Failure Inv | This investigation provides details of signature failure messages received from Critical and Production environments (entity structure).<br>Augment: BAI04.03, BAI06.01, BAI06.02, BAI10.02, BAI10.03, BAI10.04 | 440 | Event Manager | Operations : Information | Yes | All Log Sources |
SOX: Time Sync Error Inv | This investigation provides details of time sync errors occurring within Critical and Production environments (entity structure).<br>Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06<br>Augment: BAI04.04, BAI04.05, DSS01.01, DSS01.03, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05 | 441 | Event Manager | Operations: Warning | Yes | All Log Sources |
SOX: Malware Detected Inv | This investigation provides detail of malware activity by entity and impacted host within the organization's Critical and Production environments.<br>Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06, DSS05.01<br>Augment: DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05, DSS05.02, DSS05.03, DSS05.07 | 442 | Event Manager | Malware, Failed Malware | Yes | SOX: Malware Prevention Systems |
SOX: Vulnerability Detected Inv | This investigation provides detail of potential vulnerabilities detected across the Critical and Production environments (entity structure).<br>Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06, DSS05.01<br>Augment: DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05, DSS05.02, DSS05.03, DSS05.07 | 443 | Event Manager | Vulnerability, Suspicious, Failed Suspicious | Yes | SOX: Network Security Systems |
SOX: Attack Detected Inv | This investigation provides detailed information on suspected attacks at the boundary, including the type of attack and the impacted (targeted) host and application (if applicable). This spans critical and production environments (entity structure).<br>Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06, DSS05.01<br>Augment: DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05, DSS05.02, DSS05.03, DSS05.07 | 444 | Event Manager | Security: Activity, Attack, Compromise, Denial Of Service, Failed Activity, Failed Attack, Failed Denial of Service, Failed Misuse, Misuse, Reconnaissance | Yes | SOX: Network Security Systems |
SOX: Rogue Access Point Inv | This investigation provides detail of all detected rogue wireless access points by Impacted Host across Critical and Production environments (entity structure).<br>Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06, DSS05.01<br>Augment: DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05, DSS05.02, DSS05.03, DSS05.07 | 445 | Event Manager | Security : Suspicious | Yes | SOX: Network Security Systems |