From a7de3044eb71a26b159f77c8ced899bff0cc7b44 Mon Sep 17 00:00:00 2001
From: Manuel Abascal
Date: Fri, 11 Apr 2025 10:59:18 -0500
Subject: [PATCH 1/6] feat: add new compliance reports
---
 .../20250407001_add_compliance_report.xml | 1206 +++++++++--------
 1 file changed, 615 insertions(+), 591 deletions(-)
diff --git a/backend/src/main/resources/config/liquibase/changelog/20250407001_add_compliance_report.xml b/backend/src/main/resources/config/liquibase/changelog/20250407001_add_compliance_report.xml
index 847403096..2fa4ffc84 100644
--- a/backend/src/main/resources/config/liquibase/changelog/20250407001_add_compliance_report.xml
+++ b/backend/src/main/resources/config/liquibase/changelog/20250407001_add_compliance_report.xml
@@ -69,11 +69,40 @@
 -- # Insert new records into the utm_compliance_standard_section table
 -- ##################################################################
- INSERT INTO utm_compliance_standard_section (id, standard_id, standard_section_name, standard_section_description) VALUES (808, 800, 'Authentication, Identification and Access Control', 'This section assesses compliance with PCI DSS requirements for user identification and authentication, ensuring that accounts are unique, securely managed, and with appropriate controls. It verifies the implementation of strong authentication, credential protection, and proper account lifecycle management, including revocation and access control.');
- INSERT INTO utm_compliance_standard_section (id, standard_id, standard_section_name, standard_section_description) VALUES (809, 800, 'Cardholder Data Recording and Monitoring', 'This section verifies compliance with controls related to the recording, monitoring, and protection of cardholder data. It assesses the implementation of audit trails, the integrity and availability of logs, the periodic review of security events, and the response to control system failures. It also analyzes time synchronization and proper management of access to records, ensuring that critical activities are monitored and any anomalies are detected and addressed in accordance with PCI DSS requirements.');
- INSERT INTO utm_compliance_standard_section (id, standard_id, standard_section_name, standard_section_description) VALUES (810, 800, 'Network Security and Protection', 'This section establishes the controls and mechanisms necessary to assess and strengthen network security, ensuring the detection and mitigation of vulnerabilities and threats. 
Compliance ensures the protection of the cardholder data environment, preventing unauthorized access and maintaining the integrity of the systems.');
- INSERT INTO utm_compliance_standard_section (id, standard_id, standard_section_name, standard_section_description) VALUES (811, 800, 'Security and Risk Management Policy', 'This section establishes procedures for assessing ongoing compliance with PCI DSS requirements, including the review and validation of implemented security policies, controls, and practices. It focuses on measuring the effectiveness of security controls, identifying potential compliance gaps, and evaluating the adequacy of processes to mitigate risks.');
- INSERT INTO utm_compliance_standard_section (id, standard_id, standard_section_name, standard_section_description) VALUES (812, 800, 'Security and Separation in Multi-Tenant Environments', 'This section assesses compliance with security controls and data separation in multi-tenant environments, ensuring that each customer has exclusive and protected access to their own information. Measures implemented for environment segregation, data protection, and access integrity are examined, in accordance with PCI DSS requirements.');
+ UPDATE utm_compliance_standard_section
+ SET standard_section_name = '2. Secure Configuration of System Components'
+ WHERE id = 801;
+
+ UPDATE utm_compliance_standard_section
+ SET standard_section_name = '3. Protection and Secure Management of Stored Account Data'
+ WHERE id = 802;
+
+ UPDATE utm_compliance_standard_section
+ SET standard_section_name = '4. Cardholder Data Protection During Transmission'
+ WHERE id = 803;
+
+ UPDATE utm_compliance_standard_section
+ SET standard_section_name = '5. Malware and Phishing Protection'
+ WHERE id = 804;
+
+ UPDATE utm_compliance_standard_section
+ SET standard_section_name = '7. Access Control Management'
+ WHERE id = 805;
+
+ UPDATE utm_compliance_standard_section
+ SET standard_section_name = '6. 
Secure Development and Maintenance of Systems and Software'
+ WHERE id = 806;
+
+ UPDATE utm_compliance_standard_section
+ SET standard_section_name = '1. Implementation and Maintenance of Network Security Controls'
+ WHERE id = 807;
+
+
+ INSERT INTO utm_compliance_standard_section (id, standard_id, standard_section_name, standard_section_description) VALUES (808, 800, '8. Authentication, Identification and Access Control', 'This section assesses compliance with PCI DSS requirements for user identification and authentication, ensuring that accounts are unique, securely managed, and with appropriate controls. It verifies the implementation of strong authentication, credential protection, and proper account lifecycle management, including revocation and access control.');
+ INSERT INTO utm_compliance_standard_section (id, standard_id, standard_section_name, standard_section_description) VALUES (809, 800, '10. Cardholder Data Recording and Monitoring', 'This section verifies compliance with controls related to the recording, monitoring, and protection of cardholder data. It assesses the implementation of audit trails, the integrity and availability of logs, the periodic review of security events, and the response to control system failures. It also analyzes time synchronization and proper management of access to records, ensuring that critical activities are monitored and any anomalies are detected and addressed in accordance with PCI DSS requirements.');
+ INSERT INTO utm_compliance_standard_section (id, standard_id, standard_section_name, standard_section_description) VALUES (810, 800, '11. Network Security and Protection', 'This section establishes the controls and mechanisms necessary to assess and strengthen network security, ensuring the detection and mitigation of vulnerabilities and threats. 
Compliance ensures the protection of the cardholder data environment, preventing unauthorized access and maintaining the integrity of the systems.');
+ INSERT INTO utm_compliance_standard_section (id, standard_id, standard_section_name, standard_section_description) VALUES (811, 800, '12. Security and Risk Management Policy', 'This section establishes procedures for assessing ongoing compliance with PCI DSS requirements, including the review and validation of implemented security policies, controls, and practices. It focuses on measuring the effectiveness of security controls, identifying potential compliance gaps, and evaluating the adequacy of processes to mitigate risks.');
+ INSERT INTO utm_compliance_standard_section (id, standard_id, standard_section_name, standard_section_description) VALUES (812, 800, 'A. Security and Separation in Multi-Tenant Environments', 'This section assesses compliance with security controls and data separation in multi-tenant environments, ensuring that each customer has exclusive and protected access to their own information. Measures implemented for environment segregation, data protection, and access integrity are examined, in accordance with PCI DSS requirements.');
 ]]>
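Review bot: The seven added `UPDATE utm_compliance_standard_section` statements select rows by `id` alone (801–807), so on any database where those ids are not the PCI DSS sections the rename relabels another standard's section without error; scoping the predicate to the standard, e.g. `WHERE id = 801 AND standard_id = 800;`, would prevent that (800 is the standard the inserts below use; that 801–807 belong to it is inferred, please confirm). This hunk also edits a changelog file that already exists, so where the changeset has already been applied Liquibase will, depending on changeSet attributes not visible here, either fail checksum validation or not run the new statements, leaving old and new section names mixed across environments; a separate changeset for the renames avoids that. A short comment above the updates such as `-- Prefix PCI DSS section names with their requirement number` would also explain why ids and numbers do not line up (807 is '1.', 805 is '7.').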
@@ -91,46 +120,7 @@
 -- # Insert new records into the utm_compliance_report_config table
 -- ##################################################################
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (801, 'This report compiles relevant information from the Windows logs generated by event 4726, which is triggered when a user account is deleted from the system. This event is crucial for compliance with CMMC Level 3 control SI.3.219, which requires the implementation of endpoint monitoring for malware detection.

Event 4726 provides details about deleting user accounts, which is an important activity to identify suspicious or malicious behavior on the system. Deleting user accounts without proper authorization could be an indication that a malicious actor has compromised the infrastructure and is attempting to remove traces of their activity or restrict access to legitimate users, which could facilitate the spread of malware or interfere with incident response capacity.

Monitoring user account deletion can detect unusual activities that could be related to malicious manipulation of system settings. This visibility is essential to prevent account deletion from being used as a tactic to destabilize the organization''s security or to hide evidence of the presence of malware.

This report helps security teams maintain tight control over user accounts, ensuring deletion processes are legitimate and properly managed. Additionally, it contributes to compliance with CMMC Level 3 control SI.3.219, ensuring that endpoint monitoring is properly configured to effectively detect and mitigate potential malware threats.', null, null, null, null, null, null, null, null, null, 507, true, 272, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.219): User Accounts Deleted', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (795, 'This report compiles relevant information from the Windows logs generated by event 4719, which is activated when a modification is made to the system audit policy. This event is important for identifying unauthorized changes that may be related to disabling security auditing or attempts to hide traces of malware infections. It is key to complying with CMMC Level 1 control SI.1.210, which requires identifying and correcting malware infections.

Event 4719 provides details about the modifications made to the auditing configuration. Auditing configurations are essential for recording system security-related events such as logins, file modifications, and system configuration changes.

Monitoring this event allows security teams to detect suspicious changes to audit policies that may have been made by an attacker to eliminate evidence of malicious activity. Additionally, identifying these changes early can help prevent the spread of malware and ensure that the system maintains its ability to detect and record malicious user actions or processes.

This report supports security teams in implementing controls to detect and correct malware infections, thus contributing to compliance with CMMC Level 1 control SI.1.210, and ensuring that system audit policies are correctly configured to detect behaviors anomalous and malware attacks.', null, null, null, null, null, null, null, null, null, 507, true, 280, 'TEMPLATE', null, null, 'Windows Level 1 (SI.1.210): Policy changes', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (794, 'Este reporte recopila información relevante de los logs de Windows generados por el evento 4688, el cual se activa cuando un proceso es creado en el sistema. El evento es particularmente importante para identificar actividades sospechosas, como la ejecución de procesos maliciosos, que podrían estar relacionados con infecciones de malware, y es esencial para cumplir con el control SI.1.210 de CMMC Level 1, que exige identificar y corregir infecciones de malware.

El evento 4688 proporciona detalles sobre los procesos que se inician, incluyendo el nombre del ejecutable, la ruta, el ID del proceso padre y otros detalles asociados. Estos datos permiten detectar si un proceso está relacionado con malware o comportamientos no autorizados en el sistema. La creación de nuevos procesos no autorizados o el comportamiento inusual de procesos conocidos puede ser un indicio de una infección activa o un ataque en curso.

Monitorear los eventos 4688 es crucial para identificar posibles infecciones de malware en sus primeras etapas, así como para detectar actividades anómalas relacionadas con la ejecución de código malicioso. Esta información permite a los equipos de seguridad tomar medidas inmediatas, como la detención de procesos maliciosos, la cuarentena de archivos o el análisis forense para determinar el origen y el impacto de la amenaza.

Este reporte es una herramienta clave para fortalecer las capacidades de detección de malware dentro de la infraestructura de la organización, contribuyendo así al cumplimiento del control SI.1.210 de CMMC Level 1.', null, null, null, null, null, null, null, null, null, 507, true, 284, 'TEMPLATE', null, null, 'Windows Level 1 (SI.1.210): Process Creation', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (808, 'This report compiles relevant information from the Windows logs generated by events 5061, 4673 and 4674, which are related to the access and manipulation of security objects and policies in the system. These events are crucial to compliance with CMMC Level 4 control SI.4.221, which requires automation of malware detection and response.

Event 5061: This event is triggered when a cryptography operation is performed, which may indicate malicious encryption attempts, such as ransomware attacks.
Events 4673 and 4674: These events are generated when significant changes are made to security policies, such as the creation, modification, or deletion of critical objects, which could be an attempt to alter system configuration to facilitate attacks or circumvent security measures. security.

Automated collection and analysis of these events can detect patterns of anomalous behavior associated with the presence of malware, such as manipulation of security settings or execution of malicious encryption processes. Automation in the detection and response to these events is vital to mitigate the impact of any attempted infection or alteration of systems quickly and efficiently.

This report helps security teams implement automatic controls to monitor and respond to incidents related to security policy manipulation and cryptography, contributing to the prevention of attacks and strengthening the organization''s security posture. In addition, it reinforces compliance with CMMC Level 4 control SI.4.221, ensuring that the detection and response to possible threats is carried out in an effective and automated manner.', null, null, null, null, null, null, null, null, null, 507, true, 286, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Use of Elevated Privileges', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (488, 'Provides valuable insights into system interactions and potential security risks to improve detection of unauthorized access attempts, strengthen compliance with security standards, and improve the overall integrity of your Windows environments.', null, null, null, null, null, null, null, null, null, 510, true, 279, 'TEMPLATE', null, null, 'Windows Level 5 (AU.5.055): Failed logon attempt', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (637, 'This report collects and analyzes security events 
identified by ID 4720 on Windows systems. Event 4720 records the creation of new user accounts, providing relevant information for verifying compliance with HIPAA requirement 164.312(a)(1). This requirement establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that store or process ePHI (Electronic Protected Health Information). This report facilitates the identification and monitoring of user account creation, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 267, 'TEMPLATE', null, null, 'Windows User Accounts Created', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (807, 'This report collects relevant information from the Windows logs generated by event 1102, which is activated when a reboot or cleaning of the security logs is performed. This event is critical to compliance with CMMC Level 4 control SI.4.221, which requires automation of malware detection and response.

Event 1102 provides details on cleaning the system event logs, which is critical for automated detection of suspicious or malicious activity. Deleting or modifying security logs can be an indication that a malicious actor is trying to cover their tracks, posing a significant threat to systems integrity.

Monitoring this event in an automated way allows you to identify when changes or deletions are made to the security logs, which can signal cover-up attempts after an attack or intrusion. Detecting and responding to these incidents automatically is essential to ensure the continued protection of the organization''s IT environment.

This report is key to supporting security teams in implementing automatic controls that not only detect possible intrusions or cloaking attempts, but also provide immediate responses to mitigate any potential threats. By doing so, you contribute to CMMC Level 4 compliance, ensuring that detection and response to security incidents is carried out in an efficient and automated manner.', null, null, null, null, null, null, null, null, null, 507, true, 295, 'TEMPLATE', null, null, 'Windows Level 4 (SI.4.221): Cleaned Event Log', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (796, 'This report collects relevant information from the Windows logs generated by event 5158, which is triggered when the Windows Filtering Platform (WFP) blocks a network connection due to configured filtering rules. The event is particularly important for CMMC Level 3 control SI.3.219, which requires the implementation of endpoint monitoring for malware detection.

The Windows Filtering Platform (WFP) is an infrastructure that enables filtering of network traffic, providing fine-grained control over incoming and outgoing connections. When a connection is blocked by network filtering policies, event 5158 records information related to that action, which helps identify suspicious traffic patterns, unauthorized access attempts, or the communication of malware across the network. .

Monitoring these types of events is crucial to detect malicious activity in real time, such as malware attempts to exfiltrate information or connect to command and control servers. This event provides key details about network connections that have been stopped by WFP filtering rules, allowing security teams to identify, investigate, and mitigate potential threats before they can compromise the system.

This report is essential to ensure that network infrastructure protection measures are working correctly, contributing to compliance with CMMC Level 3 control SI.3.219 by enabling effective monitoring of endpoints and early detection of malware and cyber attacks.', null, null, null, null, null, null, null, null, null, 507, true, 296, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.219): Filtering Platform', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (810, 'This report compiles relevant information from the Windows logs generated by event 4689, which is activated when a process finishes executing on the system. This event is crucial for the detection of suspicious activities, such as the termination of malware-related processes, and is essential to comply with CMMC Level 1 control SI.1.210, which requires identifying and correcting malware infections.

Event 4689 provides details about processes that have terminated. This information is valuable for correlating malicious processes with their initial creation and determining whether a malicious process was appropriately killed or stopped. Monitoring process termination is essential to identify if an attack has been contained or if a suspicious process has been stopped in time.

Tracking these events allows security teams to analyze process termination patterns, detect potential malware infections that could have been neutralized, and ensure that legitimate processes have not been stopped inappropriately. Additionally, early detection of terminating malicious processes may indicate an attempt by an attacker to conceal or remove evidence.

This report supports security teams in the identification and correction of malware infections, thus contributing to compliance with CMMC Level 1 control SI.1.210.', null, null, null, null, null, null, null, null, null, 507, true, 302, 'TEMPLATE', null, null, 'Windows Level 1 (SI.1.210): Process Termination', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (798, 'This report compiles relevant information from the Windows logs generated by event 4697, which is activated when the installation of a new service on the system is detected. This event is key to complying with CMMC Level 3 control SI.3.219, which requires the implementation of endpoint monitoring for malware detection.

Event 4697 provides details about the services installed on the system. Monitoring these types of events is essential to detect the installation of unauthorized services that could be used by malicious actors to execute malicious code or establish persistence on the system.

Analyzing these events allows security teams to identify suspicious activity, such as the installation of malware or exploitation tools attempting to covertly execute commands through a new service. Additionally, proactive monitoring of service installation ensures that any unauthorized changes are detected in time, helping to prevent attacks and maintain the integrity of systems.

This report is an essential tool for effective endpoint monitoring, as it allows you to identify and investigate new service installations that could be indicative of a malware infection. By doing so, it contributes to compliance with CMMC Level 3 control SI.3.219, helping to strengthen detection and response to threats on network endpoints.', null, null, null, null, null, null, null, null, null, 507, true, 305, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.219): Service Installed', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (802, 'This event is logged when a Windows service fails to start due to an error and may be linked to system services that are responsible for managing and controlling other services, including those involved in system security and monitoring.

The Service Control Manager manages interactions between Windows services, and when a service that should be monitoring or protecting the system against threats (such as malware detection) fails, event 7030 is an indication that something has gone wrong. This event is important because it can alert you to attempts to disable critical services that help protect the system.

In the context of CMMC Level 4, where automation of malware detection and response is required, the logs generated by SCM allow the identification of failures that could have been caused by a malicious attempt to disable security or monitoring services.

So, event 7030, being part of the SCM logs, has a direct relationship with monitoring the health of system services, especially those related to security and incident response, which is crucial to comply with CMMC Level 4 control SI.4.221.', null, null, null, null, null, null, null, null, null, 507, true, 323, 'TEMPLATE', null, null, 'Windows Level 4 (SI.4.221): Service Control Manager Log Information', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1096, 'This report gathers relevant information from the 4663 events generated in Windows logs, which are used to verify compliance with PCI DSS Requirement 2.1.1. This requirement establishes that all security policies and operational procedures must be documented, kept up-to-date, in use, and known to all affected parties.

4663 events correspond to access to files and objects within the system, allowing the tracking of the access, modification, or deletion of key documents, such as security policies and operational procedures. These events confirm that relevant documents are being managed according to defined standards, ensuring that policies and procedures are available, up-to-date, and accessible to the appropriate parties for implementation.

This report facilitates validation that security policies and operational procedures, essential for data protection, are being correctly managed within the IT environment and that the requirements established by PCI DSS regarding the documentation and continuous updating of these policies are met.', null, null, null, null, null, null, null, null, null, 801, true, 277, 'TEMPLATE', null, null, 'Windows Access to critical files or specific directories', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (793, 'This report collects relevant information from the Windows logs generated by event 7031, which is triggered when the Service Control Manager (SCM) detects that a service has ended unexpectedly. The event is especially important when such termination is unplanned or may be related to malicious activities, such as malware infections, and is key to complying with CMMC Level 1 control SI.1.210, which requires identifying and correcting malware infections.

Event 7031 provides details about services that have stopped unexpectedly. These events allow security teams to detect possible attempts by attackers to disable critical system services through malware or other forms of manipulation.

Monitoring these types of events is essential to identify anomalous or malicious activities that may compromise the stability and security of systems. Collecting 7031 event information allows security teams to act quickly on unexpected termination of services, which could indicate that malware is attempting to interfere with system processes.

This report is essential to ensure that malware infections are detected in time and that essential system services are restored and protected. In addition, it contributes to compliance with CMMC Level 1 control SI.1.210, ensuring that systems are continuously monitored and protected against threats that may affect their operation and security.', null, null, null, null, null, null, null, null, null, 507, true, 341, 'TEMPLATE', null, null, 'Windows Level 1 (SI.1.210): Windows Unexpected Service Failures', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (809, 'This report gathers relevant information from the Windows logs generated by Windows Defender events 2001, 2003 and 3002, which record the actions taken by the protection system against detected threats. These events are key to compliance with CMMC Level 1 control SI.1.210, which focuses on the identification and correction of system failures, including the detection and response to malware.

Event 2001: This event indicates that Windows Defender has detected a threat on the system and has taken protective action, such as removing or quarantining malicious files.
Event 2003: Records additional actions that Windows Defender may have taken, such as scanning in the background or responding to threats on critical files or locations.
Event 3002: Provides additional details on the execution of threat mitigation measures, including user or administrator intervention if necessary, and the status of affected files.

Collecting these events allows you to verify that Windows Defender is actively monitoring and responding to system threats, which is critical to mitigating the risk of malware infections and other vulnerabilities. These logs provide detailed information about the threats detected and the actions implemented to contain or eliminate those threats, allowing security teams to monitor the effectiveness of protection responses.

This report contributes to compliance with CMMC Level 1 control SI.1.210 by ensuring that system failures caused by malware or malicious activities are detected and appropriately acted upon. Correctly configuring and monitoring Windows Defender and collecting these logs provides a solid foundation for conducting regular audits, evaluating the effectiveness of mitigation actions, and ultimately protecting critical systems from potential cyber threats.', null, null, null, null, null, null, null, null, null, 507, true, 348, 'TEMPLATE', null, null, 'Windows Level 1 (SI.1.210): Windows Defender Action Against Detected Threat', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (812, 'This report collects relevant information from the Windows logs generated by events 5156, 5158 and 5159, which are related to monitoring system network activity and allowed network connections. These events are essential to comply with CMMC Level 3 control SI.3.219, which requires implementing endpoint monitoring for malware detection.

Event 5156: Provides details about the network connections that have been allowed between the system and other devices on the network, helping to identify suspicious communications that could be related to malicious activity.
Event 5158: Logs blocked network connections, which may indicate unauthorized access attempts or the spread of malware attempting to establish connections to other machines.
Event 5159: Provides details about network connections allowed or denied based on security policies, which is crucial for identifying traffic that could be associated with malware behavior on an endpoint.

These events identify unusual patterns of network traffic that could be indicative of a malware attack, such as connection attempts to unknown or blocked IP addresses, communication attempts by unauthorized processes, or unusual use of network ports. Monitoring these events is essential to quickly detect malicious behavior and prevent the spread of malware within the corporate network.

This report facilitates the implementation of security controls that allow you to identify, block and mitigate the impact of malware on the organization''s endpoints. Additionally, it supports security teams in the proactive detection of threats, contributing to compliance with CMMC Level 3 control SI.3.219, ensuring that endpoints are adequately monitored to detect malicious activities and prevent security incidents.', null, null, null, null, null, null, null, null, null, 507, true, 349, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.219): Connections and Port Assignments', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (985, 'This report presents a detailed analysis of Windows Event Viewer events ID 6005 and ID 6006, which record events related to system startup and shutdown. Event 6005 indicates the start of a Windows event log event, while event 6006 signals a controlled system shutdown.

The collection and evaluation of these events is essential for the validation of Disaster Recovery and Business Continuity, according to CMMC (Cybersecurity Maturity Model Certification) standards and requirements. By analyzing these logs, it is ensured that the system is being booted and shut down correctly, which helps confirm the correct implementation of recovery strategies, effective monitoring, and continued availability of services.', null, null, null, null, null, null, null, null, null, 517, true, 311, 'TEMPLATE', null, null, 'Windows Event Log Service', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (561, 'Log of access attempts to critical files or specific directories, capturing detailed information about the subject (user or process), the object (file or directory), the type of access requested, and the outcome.', null, null, null, null, null, null, null, null, null, 504, true, 277, 'TEMPLATE', null, null, null, null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (986, 'This report presents an analysis of Windows Event Viewer events ID 1001, which are related to system shutdown errors or unexpected failures in the operating 
system. Event 1001 is generated when the system detects an unexpected shutdown or system crash, which may be an indication of problems related to system availability.

Tracking these events is crucial to meeting Disaster Recovery and Business Continuity requirements, as stipulated in the CMMC (Cybersecurity Maturity Model Certification) model. The collection and analysis of event ID 1001 logs allows the identification of critical failures that could affect the continued operation of the system, helping to ensure that recovery and contingency mechanisms are implemented and functioning correctly to maintain system stability and availability in the event of unexpected incidents.c', null, null, null, null, null, null, null, null, null, 517, true, 339, 'TEMPLATE', null, null, 'Windows Error Reporting', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (984, 'This report collects and analyzes relevant information from Windows Event Viewer events ID 6008, which indicate unexpected system shutdowns. Monitoring these events is essential to evaluate the availability and stability of the systems within the framework of compliance with Disaster Recovery and Business Continuity Monitoring according to the requirements of CMMC (Cybersecurity Maturity Model Certification).

The analysis of these logs allows us to identify unplanned interruptions, possible hardware or software failures, and evaluate the effectiveness of disaster recovery plans, ensuring operational resilience and business continuity.', null, null, null, null, null, null, null, null, null, 517, true, 340, 'TEMPLATE', null, null, 'Windows Logging Unexpected System Shutdowns', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (988, 'This report presents key information extracted from the Windows event logs (event 1074) related to planned system shutdowns and restarts. The goal is to ensure that shutdown and restart activities are performed in a controlled and documented manner, which is critical to compliance with Disaster Recovery and Business Continuity Monitoring policies as required by CMMC. 
The collection of this data guarantees the traceability of actions related to the maintenance and operational availability of the systems.', null, null, null, null, null, null, null, null, null, 517, true, 385, 'TEMPLATE', null, null, 'Windows Scheduled System Shutdowns and Restarts', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (987, 'This report presents the relevant data from the logs of Windows event ID 41, which indicates that the system has rebooted without shutting down cleanly. This type of event is crucial for monitoring system availability, as it can be indicative of unexpected interruptions that affect the operational continuity of the technological infrastructure. 
The analysis of these events allows us to verify the system''s ability to recover from unexpected failures and maintain its proper functioning, fundamental aspects within the principles of Disaster Recovery and Business Continuity Monitoring established by the Cybersecurity Maturity Model Certification (CMMC).', null, null, null, null, null, null, null, null, null, 517, true, 384, 'TEMPLATE', null, null, 'Windows Unexpected System Reboot', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (989, 'This report collects and analyzes critical Windows system events, specifically events 7023 and 7026, recorded in the system log. These events are related to the unexpected termination of essential services and the failure to load drivers during system startup.

The purpose of this report is to provide visibility into possible failures in the technological infrastructure, identifying incidents that may affect the availability, resilience and operational continuity of the Windows environment. The information presented is key to evaluating compliance with the Disaster Recovery and Business Continuity Monitoring requirements established within the CMMC (Cybersecurity Maturity Model Certification) framework.', null, null, null, null, null, null, null, null, null, 517, true, 386, 'TEMPLATE', null, null, 'Windows Failure to load system services', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (990, 'This report collects and analyzes 1000 events in the Windows event log, which are errors from applications that have failed unexpectedly.

The purpose of this report is to identify applications that experience recurring failures, evaluate their impact on system stability, and determine potential risks to operational continuity. The information presented is essential to monitor and improve the resilience of the technological environment, guaranteeing compliance with the requirements of Disaster Recovery and Business Continuity Monitoring within the framework of CMMC (Cybersecurity Maturity Model Certification).', null, null, null, null, null, null, null, null, null, 517, true, 387, 'TEMPLATE', null, null, 'Windows Application failure', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (991, 'This report consolidates and analyzes Windows event log 1026 events, which indicate unhandled exceptions in applications that use the .NET Framework environment.

The objective of the report is to identify applications that experience failures due to execution errors in .NET, evaluate their impact on system stability, and determine potential risks to operational continuity. This information is crucial to monitor the resilience of the technological environment and ensure compliance with the Disaster Recovery and Business Continuity Monitoring requirements within the CMMC (Cybersecurity Maturity Model Certification) framework.

The report includes key details that facilitate the analysis of trends and the implementation of corrective measures to mitigate interruptions in critical services.', null, null, null, null, null, null, null, null, null, 517, true, 388, 'TEMPLATE', null, null, 'Windows .NET Runtime Error', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (992, 'This report consolidates and analyzes Windows event log events 11707, which record successful installation of applications through the MsiInstaller service.

The purpose of the report is to provide visibility into the installation of software on the monitored systems, ensuring that changes to the infrastructure are controlled and comply with Disaster Recovery and Business Continuity Monitoring policies within the CMMC (Cybersecurity Maturity Model Certification) framework.

The report includes key details that allow you to verify the correct implementation of critical applications, guaranteeing the stability and availability of essential services.', null, null, null, null, null, null, null, null, null, 517, true, 388, 'TEMPLATE', null, null, 'Windows Software installation completed successfully', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (993, 'This report collects and analyzes Windows event log events 11708, which indicate failures in installing software through the MsiInstaller service.

The purpose of the report is to identify and evaluate failed application installation attempts on monitored systems, allowing for proactive review of potential configuration, permissions, or software integrity issues.

Within the framework of CMMC''s Disaster Recovery and Business Continuity Monitoring (Cybersecurity Maturity Model Certification), this report contributes to change management and operational continuity, ensuring that critical systems are not affected by errors in software implementation. Key details relevant to incident resolution are included.', null, null, null, null, null, null, null, null, null, 517, true, 390, 'TEMPLATE', null, null, 'Windows Software installation failure', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (994, 'This report collects and analyzes Windows registry events 10016, which indicate permissions problems in activating COM (Component Object Model) components. These events can signal misconfigurations in the security of critical services and applications, impacting business continuity and disaster recovery.

Analysis of these events is essential to ensure compliance with Disaster Recovery and Business Continuity Monitoring requirements within the CMMC (Cybersecurity Maturity Model Certification) framework, ensuring that COM component permissions are correctly configured to avoid disruptions to key systems. This report helps identify and correct permission configurations that could compromise the operational resilience and security of the infrastructure.', null, null, null, null, null, null, null, null, null, 517, true, 391, 'TEMPLATE', null, null, 'Windows Permissions issues in DCOM', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (996, 'his report compiles the records of Windows log events 18, 19, and 20, which correspond to system startup and shutdown activities. The information extracted from these events is used to verify compliance with the Disaster Recovery and Business Continuity Monitoring requirements of the CMMC framework. These events are critical in ensuring that the system initiates and shuts down in a controlled and reliable manner, in accordance with organizational policies for system availability and recovery.

The report includes details of system startup and shutdown times, as well as any anomalies or failures that may indicate potential issues with system availability. By analyzing these events, the report helps validate the effectiveness of disaster recovery procedures and business continuity plans, ensuring that the system can be restored promptly in case of a failure or disruption.', null, null, null, null, null, null, null, null, null, 517, true, 393, 'TEMPLATE', null, null, 'Windows System Boots and Shutdowns', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (960, 'This report compiles relevant information from the Windows event 4663 and 4656 logs, which are used to track access and actions performed on protected objects on the system, such as files and folders. Event 4663 records actions performed on specific objects, such as reading, writing or deleting files, while event 4656 captures when an access attempt is made to a protected object, detailing the type of access requested and the success or failure of that attempt.

These events are essential to verify compliance with CMMC Level 3 (MP.3.123): Protect CUI during transport and prevent data loss, as they provide visibility into how users interact with sensitive data (CUI) and if there are attempts to access or manipulate it without proper authorization. By analyzing these logs, you can ensure that data in transit is protected, preventing loss, unauthorized access or alteration during handling and transportation. In addition, they allow us to identify possible security breaches that could put the confidentiality and integrity of the CUI at risk.', null, null, null, null, null, null, null, null, null, 514, true, 273, 'TEMPLATE', null, null, 'Windows Level 3 (MP.3.123): Attempt to Access a Protected Object', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (959, 'This report gathers relevant information extracted from the logs of Windows event 4670, which is designed to record changes in the permissions of system objects, such as files or folders. Event 4670 is triggered whenever an object''s access control lists (ACLs) are modified, allowing you to track and audit who has access to what data and what permissions have been granted or removed.

The analysis of these records is crucial to ensure compliance with CMMC Level 3 (MP.3.123): Protect CUI during transport and prevent data loss, since it allows monitoring and controlling access to Controlled Unclassified Information (CUI), guaranteeing that there are no unauthorized modifications to access permissions that could put the integrity or confidentiality of sensitive data at risk. This report contributes to identifying and mitigating any attempted tampering with the security of the CUI, which reinforces protection measures against data loss or leak during handling and transportation.', null, null, null, null, null, null, null, null, null, 514, true, 274, 'TEMPLATE', null, null, 'Windows Level 3 (MP.3.123): Protected Object Permission Change', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (958, 'This report collects and analyzes the logs of Windows event 4663, which captures information about accesses and modifications to objects within the system, such as files or directories. Event 4663 is essential for tracking activities related to data access and manipulation, especially when it involves Controlled Unclassified Information (CUI).

The analysis of these logs is essential to verify compliance with CMMC Level 3 (MP.3.123): Protect CUI during transport and prevent data loss, since it allows identifying unauthorized access or attempts to transfer sensitive data, ensuring that the CUI is not compromised during its handling or transport. This report allows you to monitor and mitigate risks of data leakage or loss, strengthening the protection of critical information against unauthorized access and manipulation.', null, null, null, null, null, null, null, null, null, 514, true, 277, 'TEMPLATE', null, null, 'Windows Level 3 (MP.3.123): Access to critical files or specific directories', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (966, 'This report collects information from Windows events 4719, which record changes to system audit settings. Its monitoring is essential for compliance with CMMC Level 4 (MP.4.125): Automate DLP processes to secure sensitive information, since modifications to these policies may affect the ability to detect and prevent data loss (DLP).

The analysis of these events allows us to identify unauthorized or suspicious adjustments to security records, ensuring that processes for protecting sensitive information are consistent and automated to minimize risks of exposure.', null, null, null, null, null, null, null, null, null, 514, true, 280, 'TEMPLATE', null, null, 'Windows Level 4 (MP.4.125): Policy changes', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (956, 'This report gathers and analyzes relevant information from Windows events 5140 and 5145, which record file access and sharing on the network. These events are key to monitoring access to Controlled Unclassified Information (CUI) and detecting possible attempts at unauthorized transfer or leakage of sensitive data.

The collection of these logs allows you to verify compliance with CMMC Level 3 (MP.3.123): Protect CUI during transport and prevent data loss, ensuring that protected information is adequately controlled during its transmission over the network. Through this analysis, suspicious access, changes in sharing permissions and unusual activities that could compromise data security can be identified, thus strengthening information loss prevention measures.', null, null, null, null, null, null, null, null, null, 514, true, 285, 'TEMPLATE', null, null, 'Windows Level 3 (MP.3.123): Network Access to shared resource', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (511, 'The SI.3.217 (System Time Settings Changes) control in the CMMC (Cybersecurity Maturity Model Certification) focuses on monitoring and controlling changes in the system time settings. 
This control is critical to ensure the integrity of the systems and the security of the organization, as unauthorized changes to the system time may be indicative of attempts to tamper with or evade audit logs.', null, null, null, null, null, null, null, null, null, 503, true, 303, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.217): System Time Settings Changes', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (957, 'This report collects and analyzes the logs for Windows event 4660, which indicates the deletion of an object within the system, such as files, folders, or registry keys. This event is crucial to monitor the manipulation of Controlled Unclassified Information (CUI) and detect possible attempts at unauthorized deletion of sensitive data.

Reviewing these logs allows you to verify compliance with CMMC Level 3 (MP.3.123): Protect CUI during transport and prevent data loss, ensuring that protected information is protected against improper modifications or deletions. Through this analysis, suspicious activities, unauthorized access and possible attempts to exfiltrate or destroy critical information can be identified, thus strengthening data security and information loss prevention strategies.', null, null, null, null, null, null, null, null, null, 514, true, 298, 'TEMPLATE', null, null, 'Windows Level 3 (MP.3.123): Object Deletion', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (720, 'This report compiles security alert logs generated in Windows logs, which are used to monitor access patterns and detect potential anomalies in the use of system resources. These alerts are triggered in response to significant security events, such as unauthorized access, suspicious modifications to critical files, or privilege escalation attempts. The collection and analysis of these alerts are essential to verify compliance with the NIST CSF DE.CM-1 requirement: Continuous monitoring of network activities for malicious activity, which mandates continuous monitoring of network activities to detect malicious behavior that could compromise the security of systems and data.

The report includes key details such as:

Events that caused the alert, providing context about the suspicious activity.

Alert severity, indicating the associated risk level.

Alert status, specifying whether it is active, resolved, or under investigation.

Alert category, which classifies the type of threat detected (e.g., unauthorized access, permission changes, failed authentication attempts).

Event source, identifying the system, user, or process that generated the alert.

Date and time of the event, allowing the activity to be correlated with other security events.

Analyzing these alerts can detect anomalous access patterns, improve incident response capabilities, and strengthen security controls in environments that handle sensitive information. By using automated tools for continuous activity monitoring, this report helps ensure proactive protection of systems and networks, in accordance with the requirements of NIST CSF DE.CM-1.', null, null, null, null, null, null, null, null, null, 604, true, 248, 'TEMPLATE', null, null, 'Windows Alerts', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (967, 'This report gathers relevant information from event 4698 (A scheduled task was created) logs on Windows, used to evaluate compliance with CMMC Level 4 control MP.4.125. This control requires the automation of Data Loss Prevention (DLP) processes to protect sensitive information, including Controlled Unclassified Information (CUI) during processing and storage.

The analysis of these events allows us to identify the creation of scheduled tasks in the system, ensuring that unauthorized processes are not implemented that could compromise the security of the information. In addition, it facilitates the detection of changes in the configuration of critical tasks and possible persistence attempts through automated execution of scripts or applications.', null, null, null, null, null, null, null, null, null, 514, true, 372, 'TEMPLATE', null, null, 'Windows Level 4 (MP.4.125): Scheduled Task Creation', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (961, 'This report gathers relevant information extracted from the event logs generated by Windows event 5142, which is related to the creation and configuration of network shares. This type of event is crucial for compliance with CMMC Level 3 control (MP.3.123), which establishes the need to protect the CUI during its transport and prevent any loss or exposure of it.

Windows event 5142 is triggered when a share is created on the system, which could involve exposing sensitive data if not configured properly. Through this report, the activity related to the creation of shared resources is monitored and audited, ensuring that these resources are configured correctly to prevent unauthorized access to CUI and guaranteeing that security controls are applied in accordance with the best practices established in the CMMC.

This report helps identify any shared resource creation events that may represent a risk in terms of CUI protection. In addition, it allows verifying the correct configuration of access and use policies for shared resources on the network, thus supporting the implementation of protection measures in the transport of CUI. In combination with other data monitoring and security measures, these logs provide key evidence to meet information protection requirements during its transfer in the corporate environment.', null, null, null, null, null, null, null, null, null, 514, true, 367, 'TEMPLATE', null, null, 'Windows Level 3 (MP.3.123): Shared Network Object Creation', '');
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (442, 'The Windows Account Logon Failure Report provides comprehensive visualization of failed logon attempts in a Windows-based environment, segregated by reason status and user-host information. This report plays an important role in demonstrating security controls that relate to access and identity management, which is significant in compliance with various regulations.

For HIPAA, this report contributes evidence of enforcing access controls (164.312(a)(1)) and log-in monitoring (164.308(a)(5)(ii)(C)). For CMMC, it supports control AC.2.013 by limiting unsuccessful logon attempts and satisfying SI.4.230, which requires a system that alerts and limits anomalous activities.

In GLBA, this report supports the safeguard rule by showing active monitoring of access attempts, critical for detecting unauthorized access. It also helps in validating user identification and authentication procedures, making it useful for demonstrating SOC2 Type 2 controls related to user access.

For FISMA, the report aids in demonstrating compliance with the AC-7 control on unsuccessful logon attempts. It assists in meeting GDPR requirements on data privacy and access control by identifying potential unauthorized access attempts.

For PCI-DSS, this report supports Requirement 10 to track and monitor all access to network resources and cardholder data. By monitoring and investigating failed login attempts, enterprises can identify, respond to and mitigate potential risks in a timely fashion.', null, null, null, null, null, null, null, null, null, 101, true, 266, 'TEMPLATE', null, null, null, null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (962, 'This report collects relevant information about security events identified with ID 5143 on Windows, which are generated when access rules are added or modified on shared resources.

The analysis of these events is essential to audit changes in the configuration of shared resource permissions on the network, ensuring that access is controlled and aligned with the organization''s security policies.

This monitoring is especially critical in the context of compliance with CMMC Level 3 (MP.3.123), since it allows verifying the adequate protection of the CUI (Controlled Unclassified Information) during its transport and preventing data loss by detecting changes in the access configuration to shared resources.', null, null, null, null, null, null, null, null, null, 514, true, 368, 'TEMPLATE', null, null, 'Windows Level 3 (MP.3.123): Shared Resource Modification', '');
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (443, 'The Windows Account Logon Success Report provides a consolidated view of successful logon events. This report supports security controls such as managing and controlling user access and monitoring system activity, hence proving compliance with key elements across numerous regulations.

For HIPAA, this aligns with the Technical Safeguard for Access Control which requires covered entities to implement procedures for the control of, and access to, electronic protected health information (45 CFR § 164.312(b)).

Under CMMC, it aligns with Access Control (AC.1.001 & AC.1.002), relating to limiting information access to authorized users.

With GLBA, it supports the Safeguards Rule, reinforcing the need for a security program that ensures the safeguarding of customer information.

In compliance with SOC2 Type 2, the report provides evidence for satisfying the criteria for Security, demonstrating that only authorized individuals have access.

For FISMA, the report ties with control AC-2 - Account management, reflecting on the effective management of system access by tracking successful logon events.

Under GDPR, it helps in establishing the control “Access” in Article 32, demonstrating the ability to ensure system access only to authorized persons to prevent unauthorized processing of personal data.

PCI-DSS mapping is to Requirement 8, authenticating access to system components. A successful logon validates the effectiveness of user identification and authentication mechanisms. ', null, null, null, null, null, null, null, null, null, 101, true, 265, 'TEMPLATE', null, null, null, null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (444, 'This security report logs the assignment of special privilege escalations, aiding in identifying potentially rogue accounts or insider threats. It supports user access management and compliance by monitoring for elevated permissions activity – a crucial aspect in maintaining robust cybersecurity practices.

1. HIPAA: Helps meet Security Rule''s provisions especially §164.308(a)(4) (Information Access Management), as it aids in controlling permissions.

2. CMMC: Contributes to control AC.1.001 (limiting system access to authorized users), AC.1.002 (process for managing accounts), and AC.2.011 (session termination at the end of a user session).

3. GLBA & SOC2 Type 2: This report supports the Information Security Program''s objectives as specified in GLBA and Common Criteria (CC4.1/CC5.7) of SOC2 Type 2, ensuring access control & activity monitoring.

4. FISMA: Helps meet control CP-9 (Protection of Information at Rest) as it tracks special privilege assignments to prevent unauthorised access.

5. GDPR: Assists in meeting Article 32 requiring the implementation of appropriate security of data, particularly people who have access to personal data.

6. PCI-DSS: Contributes to the requirement 8 - Identify and authenticate access to system components.

The report''s core value lies in its capabilities to promptly detect privilege escalations, anomalous behavior, and potential insider threats, thereby reinforcing overall data protection mechanisms.', null, null, null, null, null, null, null, null, null, 101, true, 264, 'TEMPLATE', null, null, null, null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (445, 'This report presents aggregated and correlated logs for successful Office 365 (O365) active directory (AD) logins, categorized by the user, and the location from where the login originated. The visualization helps to quickly identify unusual patterns, like logins from unexpected locations or at odd times.

In terms of compliance:
1. HIPAA: This report supports the "Information Access Management" control as it helps ensure that users are only accessing the network/resources from authorized locations.
2. CMMC: It aligns with "Access Control" by monitoring who is accessing the network.
3. GLBA: It assists with the "Safeguards Rule," ensuring that customers'' personal information is adequately protected.
4. SOC2 Type 2: The adherence to the "Security" and “Access Controls” principles can be validated by this report as it tracks successful logins.
5. FISMA: This report supports "Access Control" (AC-2: Account Management) by providing an account of successful logins.
6. GDPR: Article 32 - security of processing, data breaches can be identified or prevented by monitoring login activities.
7. PCI-DSS: Helps with Requirement 10 to regularly monitor and test networks, and Requirement 8 for identifying and authenticating access to system components.
', null, null, null, null, null, null, null, null, null, 102, true, 261, 'TEMPLATE', null, null, null, null);
@@ -140,7 +130,6 @@
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (450, 'The Azure Login Activity report provides comprehensive insights into the login activities within the Azure environment. It displays critical details such as user IDs, IP addresses, timestamps, logins'' success or failure status, location, and more.

1. HIPAA: The report contributes to the Audit Controls (§164.312(b)) requirement by providing a detailed log of access activities that may contain PHI.
2. CMMC: Under the Access Control (AC.4.096), a thorough record of login activities is required for the workforce to monitor and control access.
3. GLBA: Safeguards Rule requires organizations to monitor systems for unauthorized access. Failures in login attempts highlighted in the report can give early warnings of such activities.
4. SOC2 Type 2: One part of the Common Criteria (CC6.1) of SOC2 states that organizations must implement logical access security measures to protect data. Monitoring and documenting all attempted logins can prove adherence.
5. FISMA: This report helps meet the AC-2 and AU-2 controls, requiring a method to authenticate and audit user activities.
6. GDPR: Article 32 emphasizes security techniques like pseudonymization and encryption. The report helps demonstrate the access control and supports the conditions under Article 30 (Records of processing activities).
7. PCI-DSS: Requirement 10 mandates tracking and monitoring all access to network resources and cardholder data. The report provides detailed logging of such activities to maintain compliance.', null, null, null, null, null, null, null, null, null, 103, true, 258, 'TEMPLATE', null, null, null, null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (451, 'The Azure Login Activity report provides comprehensive insights into the login activities within the Azure environment. It displays critical details such as user IDs, IP addresses, timestamps, logins'' success or failure status, location, and more.

1. HIPAA: The report contributes to the Audit Controls (§164.312(b)) requirement by providing a detailed log of access activities that may contain PHI.
2. CMMC: Under the Access Control (AC.4.096), a thorough record of login activities is required for the workforce to monitor and control access.
3. GLBA: Safeguards Rule requires organizations to monitor systems for unauthorized access. Failures in login attempts highlighted in the report can give early warnings of such activities.
4. SOC2 Type 2: One part of the Common Criteria (CC6.1) of SOC2 states that organizations must implement logical access security measures to protect data. Monitoring and documenting all attempted logins can prove adherence.
5. FISMA: This report helps meet the AC-2 and AU-2 controls, requiring a method to authenticate and audit user activities.
6. GDPR: Article 32 emphasizes security techniques like pseudonymization and encryption. The report helps demonstrate the access control and supports the conditions under Article 30 (Records of processing activities).
7. PCI-DSS: Requirement 10 mandates tracking and monitoring all access to network resources and cardholder data. The report provides detailed logging of such activities to maintain compliance.', null, null, null, null, null, null, null, null, null, 103, true, 239, 'TEMPLATE', null, null, null, null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (452, 'The "Office 365 Unsuccessful Logon Attempts" report provides a detailed view into failed logon attempts to an organization''s Office 365 environment, featuring visualizations for failed login instances per user and their geographical locations.

This report integrates critical security controls like ''Account Monitoring and Control'', ''Data Protection and Privacy'', and ''Incident Response and Management''. Unsuccessful logon attempts could signal a possible unauthorized access attempt, thereby satisfying the monitoring requirements of various laid down compliance standards.

For HIPAA, this report supports the technical safeguard of ''Access Control & Audit Controls'' by ensuring only authorized users have access and tracking login attempts. Similarly, for GDPR, it supports ''Article 32 - Security of processing'' by protecting against unauthorized data processing.

Under FISMA, it correlates to control ''AC-7: Unsuccessful Logon Attempts'' ensuring safeguards against repeated logon attempts. It backs PCI-DSS''s requirement ''10: Track and monitor all access to network resources'' by providing a way to audit access to system resources.

Under SOC2 Type 2, this report aids in addressing the security principle by identifying and documenting unsuccessful attempts. GLBA and CMMC also demand similar controls over access and incident management which are directly served by this report. ', null, null, null, null, null, null, null, null, null, 102, true, 262, 'TEMPLATE', null, null, null, null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (963, 'This report gathers relevant information from security events recorded with ID 4985 in Windows, which indicate that the state of a transaction has changed within the system. These events allow monitoring modifications in transactional processes that may be related to the management and protection of sensitive information.

In the context of CMMC Level 3 (MP.3.123) compliance, tracking these events is essential to ensure the protection of the CUI (Controlled Unclassified Information) during its transport and prevent data loss. Auditing changes to system transactions helps detect suspicious activity, improper access, or potential vulnerabilities in the manipulation of protected data.

Analysis of these events allows organizations to improve their security controls, detect unauthorized modifications and strengthen data protection in environments where classified or critical information is handled.', null, null, null, null, null, null, null, null, null, 514, true, 369, 'TEMPLATE', null, null, 'Windows Level 3 (MP.3.123): File System Transaction Status Changes', '');
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (453, 'The "Meraki Firewall Activity" report, containing visualizations of the top 100 events sorted by IP source and Meraki events by source IP and port, is crucial for security management and compliance with numerous regulations.

1. HIPAA: By controlling and monitoring network access, it aids in maintaining the confidentiality of Protected Health Information (PHI), which is mandated under HIPAA.
2. CMMC: The report aids in maintaining situational awareness (SA) and system and information integrity (SI), both required under CMMC level 3 regulations.
3. GLBA: The report can help confirm the Safeguards Rule of GLBA by monitoring system activities and thereby protecting customers'' personal financial information.
4. SOC 2 Type 2: This report demonstrates the effectiveness of the organization''s system controls which are required for SOC 2 Type 2 compliance.
5. FISMA: The report assists in maintaining the system and information integrity (SI) control, crucial for FISMA compliance.
6. GDPR: The report proves the implementation of appropriate security measures critical to protecting personal data of EU citizens, thereby aiding in GDPR compliance.
7. PCI-DSS: For PCI-DSS, this report helps in fulfilling requirements for maintaining a secure network and regularly monitoring and testing', null, null, null, null, null, null, null, null, null, 201, true, 259, 'TEMPLATE', null, null, null, null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (454, 'The "Cisco Switch Activity" report provides comprehensive visibility on the network layer activities across the environment. It records and represents activities associated with Cisco switch, categorized by host, along with overall switch activity. This involves data like traffic, irregular behaviors, unauthorized access attempts, intrusion attempts, and network performance issues.

This report directly supports several compliance regulations:

1. HIPAA: It satisfies the ''Information Access Management'' (164.308(a)(4)) by monitoring unauthorized network access attempts, and ''Security Incident Procedures'' (164.308(a)(6)) by logging intrusion attempts.
2. GLBA: Helps in fulfilling ''Safeguards Rule'', ensuring secure customer data transmission within the network, keeping track of unusual activity patterns, strengthening access controls.
3. SOC 2 Type 2: The report adheres to the ''Communication and Information'' principle by displaying network activity thereby aiding in change management.
4. FISMA: Supports AU (Audit & Accountability) controls by maintaining a detailed account of network activities.
5. CMMC: Level 3 controls involving ''Detection and Monitoring'' can be met since SIEM helps identify malicious activity by maintaining comprehensive centralized logs.
6. PCI-DSS: It contributes to Requirement 1, "Install and maintain firewall configuration to protect', null, null, null, null, null, null, null, null, null, 201, true, 256, 'TEMPLATE', null, null, null, null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (455, 'The Windows Systems Activity report is a valuable component for maintaining compliance with several standards. It includes visualizations for total Windows alert counts and a review of these alerts. These figures provide a snapshot of security-related activities within your Windows-based systems.

1. HIPAA: Ensures PHI is protected against threats to its security and integrity. Anomalies or high alert counts on Windows Systems could represent threats.
2. CMMC: Windows alerts fall under the "SIEM system" (AM.2.044), showcasing that malicious activity is being identified and mitigated.
3. GLBA: Ensures customers'' personal financial information is adequately protected. Alerts triggered due to unusual activity help in safeguarding the information.
4. SOC2 Type 2: Shows continuous monitoring of security controls. Alerts indicate that abnormal activity is detected and acted upon.
5. FISMA: Windows alerts provide evidence for risk assessment (RA-3), audit and accountability controls (AU-2, AU-6) by assessing, detecting, and reporting unusual activities.
6. GDPR: Alert count goes towards ensuring ongoing confidentiality, integrity, and availability of processing systems and services (Article 32).
7. PCI-DSS: Helps meet Requirement 10.6 (Review logs and security events for all system components to identify anomalies or suspicious activity). Windows alert counts allow to spot such activities, adding an extra layer to the PCI-DSS compliance process.
', null, null, null, null, null, null, null, null, null, 203, true, 255, 'TEMPLATE', null, null, null, null);
@@ -150,7 +139,6 @@
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (460, 'The Azure Subscription Activity is a security report that summarizes activities and operations in an Azure environment. It shows the number of events by resource and lists all Azure operations.

- HIPAA: This report aids in meeting the Audit Controls (164.312 b) requirement by monitoring the system activity and providing an audit trail of attempted access to electronic protected health information (ePHI).
- CMMC: It contributes towards the Situational Awareness (SA.2.179) control, providing information about cyber operations to identify and respond to security incidents.
- GLBA: The report addresses Detection, Prevention, and Response Mechanisms control by indicating abnormal activities that may suggest a security threat.
- SOC2 Type 2: Aids in the monitoring and evaluating of alteration of system configurations, critical to meeting the System Activity Review Common Criteria (CC6.1).
- FISMA: Supports the audit and accountability control (AU-2) which requires an organization to review/analyze information system activity to detect inappropriate or unusual activity.
- GDPR: In line with Article 32''s requirement for a process to regularly test, assess, and evaluate the effectiveness of security measures, the report provides auditable evidence of this.
- PCI-DSS: Contributes to Requirement 10: Track and monitor all access to network resources and cardholder data by providing an audit trail of system activity for each providing in-scope entity. ', null, null, null, null, null, null, null, null, null, 301, true, 260, 'TEMPLATE', null, null, null, null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (461, 'The Azure WAF report provides a clear overview of web application firewall (WAF) events across certain categories. It is crucial in identifying potential threats and maintaining cybersecurity.

1. HIPAA: It supports HIPAA’s “Access Control” and “Audit Control” requirements. Identifying and recording access attempts helps ensure only authorized users can view and handle PHI.

2. CMMC: It maps to three CMMC domains - "Access Control", "Audit and Accountability" and "Risk Management" by controlling access, chronicling events and detecting potentially malicious activities.

3. GLBA: The report aids compliance with GLBA by logging all events, a requirement under "Financial Privacy Rule" and "Safeguards Rule" to protect customer data.

4. SOC2 Type2: The report supports achieving "Security" and "Availability" service principles by monitoring security events and maintaining system availability.

5. FISMA: It satisfies a number of FISMA controls including AC-4 (Information flow enforcement) and AU-2 (Audit events).

6. GDPR: It helps meet the GDPR''s "Integrity and Confidentiality" principle by enabling prompt detection and rectification of security incidents to prevent breach of personal data.

7. PCI-DSS: The report supports PCI-DSS requirement 10 (Track and monitor all access to network resources and cardholder data) and requirement 1 (Install and maintain a firewall configuration to protect cardholder data) by tracking events and reporting potential breaches.', null, null, null, null, null, null, null, null, null, 301, true, 269, 'TEMPLATE', null, null, null, null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (462, 'The AWS Subscription Activity report delivered by the SIEM system delivers critical visibility into user activity within the AWS infrastructure, including logons to the AWS Console and generated AWS Events.

Firstly, AWS Console logon activities can help towards maintaining the necessary access control as mandated by HIPAA (164.312(a)(1) - Access Control, 164.312(b) - Audit Controls) and CMMC (AC.2.009 - Login Monitoring), ensuring that only authorized individuals can access protected data. Besides, monitoring such activities can provide valuable logs for SOC2 Type 2 as part of Common Criteria 7 (System Monitoring).

Secondly, AWS Events indicate actions taken within the AWS ecosystem (e.g., starting/stopping instances, modifying security groups, or bucket policies). Such data helps assured configuration management (CM) and security incident event management (SIEM), thus fulfilling parts of the FISMA and NIST standards (CM.2.061, IR.3.093 to name a few) and PCI-DSS requirement 10 (track and monitor all access to network resources and cardholder data).

Further, these event logs contribute to GDPR''s requirement for both integrity and confidentiality (Article 32) and GLBA’s Safeguard Rule, where firms are required to design and implement a safeguards program.

This report helps ensure the organization meets key aspects of these compliance standards, providing necessary evidence during audits and enabling proactive measures to minimize security risk.', null, null, null, null, null, null, null, null, null, 301, true, 239, 'TEMPLATE', null, null, null, null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (713, 'This report contributes to compliance with the NIST CSF DE.CM-1 requirement, which establishes the need to continuously monitor network activity to detect potential malicious activity. By analyzing event ID 4663 on Windows systems, this report facilitates the monitoring of access and modifications to system objects, which may indicate unauthorized attempts to manipulate or alter critical data. 
Monitoring these types of events is essential for identifying suspicious activity that could compromise system security, enabling a rapid and effective response to potential threats and ensuring the protection of the network''s digital assets.', null, null, null, null, null, null, null, null, null, 604, true, 277, 'TEMPLATE', null, null, 'Windows Access to critical files or specific directories', '');
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (463, 'The O365 Active Directory report provides crucial insight into user activity details and potential suspicious behavior in the network. This report''s data can greatly assist in compliance with various regulations and standards by mapping to specific security controls.

HIPAA: The report helps safeguard sensitive health information by monitoring unauthorized access attempts, which is crucial for the Administrative Safeguards requirement.

GLBA: The report supports the Safeguards Rule by monitoring, detecting, and documenting security incidents involving customer data.

CMMC: The activity log supports Level 3 controls by providing audit records, risk management, and identification of malicious content.

FISMA: The report helps implement control RA-5 (Vulnerability Scanning), SI-4 (Information System Monitoring), AU-2 (Audit Events), and AU-12 (Audit Generation).

SOC2 Type 2: Logs align with monitoring access control and changes to systems processing data, providing real-time alerts for unauthorized access.

GDPR: The report supports the accountability and data security principles by enabling control and understanding over data processing activities.

PCI-DSS: The report is essential in meeting Requirement 10 (Track and monitor all access to network resources and cardholder data) by logging all components of the cardholder data environment.', null, null, null, null, null, null, null, null, null, 302, true, 271, 'TEMPLATE', null, null, null, null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (464, 'The O365 Exchange Report is a comprehensive summary of the top 5 most executed exchange operations and other exchange activities occurring within the Office 365 environment. This report provides insights into user activities, permission changes, mailbox operations, and policy modifications.

From a compliance perspective, such information is crucial as it ensures strict adherence to HIPAA, GLBA and GDPR regulations concerning data privacy and integrity. By closely monitoring exchange operations, businesses can identify and prevent unauthorized access or data sharing, something that is vital in the healthcare industry (HIPAA), financial institutions (GLBA), and organizations managing data of EU citizens (GDPR).

For the CMMC, domains like Access Control (AC) and Audit and Accountability (AU) relate directly to such reports because it ensures controlled access and provides auditable evidence of data actions.

For FISMA, it maps to the AU family, allowing federal agencies to maintain audit logs and track information system activities.

In SOC2 Type 2, this report contributes to the "Security" and "Confidentiality" principles as it tracks sensitive data handling & access.

For PCI-DSS, requirement 10, "Track and monitor all access to network resources and cardholder data", this report provides documented proof that access to such resources is closely monitored. ', null, null, null, null, null, null, null, null, null, 302, true, 253, 'TEMPLATE', null, null, null, null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (465, 'The O365 SharePoint Report presents detailed information on user activities within SharePoint including identity of the users, time of access, and actions taken in SharePoint.

1. HIPAA: Sharing and storing patient data could occur in SharePoint. With this report, the organization can verify that only authorized users have accessed such information, meeting the Privacy Rule that requires the safeguarding of Protected Health Information (PHI).

2. CMMC: The report helps monitor and control communications at the system and information level as required by the CMMC practice AC.4.014. It also aids in audit and accountability, mapping to control AU.2.042.

3. SOC2 Type 2: By monitoring user accesses and activities, it helps organizations ensure the design and effectiveness of controls over the security, availability, processing integrity, and privacy of customer data, adhering to the principle of Communication and Information.

4. FISMA: This report maps to control AU-3 (Audit and Accountability) which requires organizations to create, analyze and retain system audit logs, and to IR-5 (Incident Response), as anomalies and suspicious activities can be identified and responses initiated.

5. GDPR: This report supports the monitoring of data processing activities (Article 30) by showing who accessed what data and when, fostering transparency and accountability.

6. PCI-DSS: It supports Requirement 10 by tracking, monitoring all access to network resources and cardholder data.', null, null, null, null, null, null, null, null, null, 302, true, 251, 'TEMPLATE', null, null, null, null);
@@ -163,612 +151,648 @@
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (472, 'Your "AWS Alerts" report, generated from the Security Information and Event Management (SIEM) tool, presents important insights into security events within your Amazon Web Services (AWS) environment. It features two visualizations that display cover AWS alerts in detail.

This report is instrumental in demonstrating compliance with several regulatory frameworks:

1. HIPAA: It helps maintain the "Audit Controls" and "Protection from Malicious Software" requirements. The alerts may identify unusual data access patterns or potential malware, crucial for protecting healthcare information.

2. GDPR: Under ''Integrity and Confidentiality'' principle, the report can show any unauthorized or unusual data access patterns, thus enhancing data protection measures.

3. SOC2 – Type 2: The report supports the "Security, Availability, Processing Integrity, Confidentiality and Privacy" principles by revealing potential system vulnerabilities, unauthorized access attempts, etc.

4. FISMA: The report supports the risk assessment policy and procedures (RA-1) by identifying potential risks and supporting the process of risk mitigation.

5. PCI-DSS: The AWS Alerts report supports the requirement of "Track and monitor all access to network resources and cardholder data" by presenting access and usage patterns in the AWS environment. ', null, null, null, null, null, null, null, null, null, 403, true, 244, 'TEMPLATE', null, null, null, null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (473, 'This Network Activity Alerts report uses data from a network intrusion detection system (NIDS) to give insights about the state of the organization''s network security.

1. HIPAA: Helps to comply with the Technical Safeguards section - requiring the organization to implement hardware, software, and/or procedural mechanisms to record and examine activity in information systems.

2. CMMC: Contributes to the Domain Access Control (AC) practices where the report helps monitor and manage all the network access activities.

3. SOC 2 Type 2: Supports the Security principle by providing evidence of active network monitoring and intrusion detection.

4. FISMA: Fulfills the Risk Assessment (RA) and System Services & Acquisition (SA) security control families by helping to identify potential threats/vulnerabilities to information systems connected to the network.

5. GDPR: Support control measures for preventing accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to personal data transmitted, stored, or processed.

6. PCI-DSS: It addresses Requirement 10: Track and monitor all access to network resources and cardholder data. The report provides evidence of monitoring activity on network devices that may potentially handle cardholder data.

7. GLBA: Helps in fulfilling the Safeguards Rule, which mandates organizations to identify and assess the risks to customer information, and implement controls to manage these risks.
', null, null, null, null, null, null, null, null, null, 406, true, 243, 'TEMPLATE', null, null, null, null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (474, 'The Threat Intelligence Alerts report generated from the SIEM provides a visual representation of the detected threats based on the IP and the alerts generated. This report illustrates the threat landscape the firm is facing, helping in timely responses.

1. HIPAA: It contributes to Administrative Safeguard requirements under HIPAA by ensuring a security incident procedure is in place for identifying and responding to various security incidents.

2. CMMC: Under SI (System and Information Integrity) domain, the report helps the organization to identify, analyze, and respond to incidents.

3. GLBA: It assists in meeting GLBA''s requirement controlling risks to customer information by identifying potential threats.

4. SOC2 Type 2: Contributes to Security, Availability and Processing integrity principles, by identifying threats and ensuring system''s availability and security.

5. FISMA: The report aids in adhering FISMA''s Risk Assessment (RA) control - RA.5 (Vulnerability Scanning), which requires scan for vulnerabilities in the system.

6. GDPR: Under Article 32’s requirement of implementing security measures to ensure a level of security appropriate to the risk, this report can help assess risk levels and respond accordingly.

7. PCI-DSS: Contributes to Requirement 10 by tracking and monitoring all access to network resources and cardholder data, identifying potential threats that could lead to unauthorized access.', null, null, null, null, null, null, null, null, null, 405, true, 252, 'TEMPLATE', null, null, null, null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (719, 'This report supports compliance with the NIST CSF DE.CM-1 requirement, which mandates continuous monitoring of network activity to detect malicious activity. By analyzing event ID 7030 on Windows systems, the report facilitates monitoring the status and actions of critical services on the system. This monitoring is key to identifying potential failures or unauthorized modifications to services that could indicate malicious activity, such as denial-of-service attacks or attempts to disable security services. 
The information provided by this event helps maintain system integrity and security, enabling efficient detection and response to potential threats.', null, null, null, null, null, null, null, null, null, 604, true, 323, 'TEMPLATE', null, null, 'Windows Service Control Manager Log Information', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (964, 'This report gathers relevant information from security events logged with ID 4658 in Windows, which indicate that an object handler has been closed on the system. These events are essential for tracking access and manipulation of sensitive resources, such as files, registry keys, and other system objects.

In the context of CMMC Level 3 compliance (MP.3.123), monitoring these events is key to protecting controlled unclassified information (CUI) during its transport and preventing data loss. Auditing these closures allows us to verify whether the data has been handled securely, detect possible unauthorized access and ensure that critical information has not been compromised.

The analysis of these events allows organizations to strengthen their security controls, guarantee the integrity of protected data and detect possible vulnerabilities in the access and manipulation of critical information.', null, null, null, null, null, null, null, null, null, 514, true, 370, 'TEMPLATE', null, null, 'Windows Level 3 (MP.3.123): Handle Closure in Security System', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (965, 'This report consolidates information from Windows events 6416, which record the recognition of new external devices in the system. Its monitoring is essential to ensure compliance with CMMC Level 3 (MP.3.123): Protect CUI during transport and prevent data loss, since the connection of unauthorized devices can represent a risk to information security.

The analysis of these events allows us to identify possible vulnerabilities and strengthen control measures to prevent the loss or exposure of Controlled Unclassified Information (CUI).', null, null, null, null, null, null, null, null, null, 514, true, 371, 'TEMPLATE', null, null, 'Windows Level 3 (MP.3.123): External Device Connection', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (968, 'This report gathers relevant information from the security events recorded in the Windows event 4659 logs. Such an event indicates that an identifier has been requested for an object with the intention of deleting it, which may represent a risk to the protection of Controlled Unclassified Information (CUI).

The objective of this analysis is to evaluate compliance with CMMC Level 3 control MP.3.123, which requires the protection of the CUI during its transport and the prevention of data loss. By reviewing these records, we seek to detect suspicious or unauthorized activities related to the deletion of files that contain sensitive information, guaranteeing the implementation of appropriate security measures to avoid improper access or loss of data.', null, null, null, null, null, null, null, null, null, 514, true, 373, 'TEMPLATE', null, null, 'Windows Level 3 (MP.3.123): Delete Object Attempt', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (678, 'This report collects and analyzes security events identified by ID 4663 on Windows systems. Event 4663 records access attempts to protected objects. These events are essential for verifying compliance with the NIST CSF PR.DS-3 requirement, which mandates the protective monitoring of data at rest and in transit. 
This report facilitates the identification and auditing of access to critical data, ensuring that any attempt to access sensitive data is appropriately monitored, logged, and reviewed to protect the confidentiality, integrity, and availability of the information.', null, null, null, null, null, null, null, null, null, 601, true, 277, 'TEMPLATE', null, null, 'Windows Access to critical files or specific directories', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (476, 'This report collects the records of event 4625 from the Windows logs, which document failed login attempts to the system. The information obtained from these events is essential to verify compliance with CMMC''s access control and authentication policy Level 1 (AC.1.001), which states that only authorized users should have access to the system.

The report includes details such as the names of users who attempted access, the host names, and the reasons for login failures. The analysis of these events allows us to identify unauthorized access attempts or possible threats, ensuring that access to the system is appropriately restricted and in line with established security policies.', null, null, null, null, null, null, null, null, null, 510, true, 266, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): Account Logon Failure', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (477, 'This report compiles the records of Windows log event 4624, which correspond to successful login attempts to the system. The information extracted from these events is used to verify compliance with the Level 1 policy (AC.1.001) of the CMMC Access Control and Authentication framework, which establishes that access to the system must be limited exclusively to authorized users.

The details provided in the report include user names and host names to ensure that only people with specific privileges have access to the system. The analysis of these events contributes to the detection of unauthorized access and facilitates the validation of the appropriate implementation of access controls.', null, null, null, null, null, null, null, null, null, 510, true, 265, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.043): Account Logon Success', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (478, 'This report collects the logs of event 4720 from the Windows logs, which document the creation of new user accounts on the system. This information is key to verify compliance with CMMC''s Level 2 Authentication and Access Control policy (AC.2.007), which requires the implementation of role-based access controls (RBAC) to ensure that users have access only to the resources necessary for their functions.

The report includes details such as the identities of the created users, assigned roles, account creation dates and times, as well as the user or system that performed the action. This analysis ensures that the creation of accounts and the assignment of roles is carried out in a controlled manner and in accordance with security policies, which facilitates the proper management of permissions and access to system resources.', null, null, null, null, null, null, null, null, null, 510, true, 267, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): User Accounts Created', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (479, 'This report groups the records of event 4722 from the Windows logs, which document the activation of user accounts previously disabled on the system. The information collected is essential to verify compliance with CMMC''s Authentication and Access Control policy Level 2 (AC.2.007), which requires the implementation of role-based access controls (RBAC). This ensures that users only have access to the resources they need based on their role.

The report includes key details such as the identity of the activated accounts, the role assigned, the date and time of activation, as well as the user or system account that performed the action. The analysis of these events allows us to guarantee that accounts are activated and managed in a controlled manner and in compliance with access policies, preventing improper access and maintaining the principle of least privilege in the assignment of roles and permissions.', null, null, null, null, null, null, null, null, null, 510, true, 293, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): User Accounts Enabled', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (480, 'This report compiles the Windows log event 4726 logs, which document the deletion of user accounts on the system. The extracted information is key to verify compliance with CMMC''s Level 2 (AC.2.007) Access Control and Authentication policy, which requires the implementation of role-based access controls (RBAC). This principle ensures that only users with specific roles have access to necessary resources.

The report includes important details such as the identities of the deleted accounts, the date and time of deletion, and the user or system that executed the action. The analysis of these events ensures that accounts are deleted in a controlled manner and in accordance with established security policies, helping to maintain an IT environment free of unauthorized access and appropriately managing permissions according to the needs of each role.', null, null, null, null, null, null, null, null, null, 510, true, 272, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): User Accounts Deleted', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (481, 'This report compiles the records of events 4663 and 4656 from the Windows logs, which focus on auditing access to security objects, such as files or folders that contain Controlled Unclassified Information (CUI), and the actions performed about these objects. Event 4663 is generated when a user or process performs an access operation (such as read, write, or modify) on an object, while event 4656 documents access attempts to those security objects, including the action requested and whether it was allowed or denied. These events are essential to verify compliance with the CMMC''s Level 3 Access Control and Authentication policy (AC.3.014), which requires controlling the flow of CUI and protecting the access points that allow its access or modification.

The report includes key details such as the name of the accessed object (file, folder, etc.), the type of access performed (read, write, delete, etc.), the identity of the user or process that performed the action, the date and time of the operation, and whether access was allowed or denied. Analysis of these events ensures that controls over resources containing CUI are effective, that the flow of information is appropriately restricted, and that established security policies for the protection of sensitive data are complied with.', null, null, null, null, null, null, null, null, null, 510, true, 273, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.014): Attempt to Access a Protected Object', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (482, 'This report collects event 4670 logs from the Windows logs, which document changes to the permissions of objects on the system (such as files, folders, or registry keys). The information obtained from these events is crucial to verify compliance with CMMC''s Level 2 Authentication and Access Control policy (AC.2.007), which requires the implementation of role-based access controls (RBAC) to ensure that users have access only to the resources necessary for their functions.

The report includes details such as the name of the object whose permission was modified, the permissions assigned, the identity of the user or process that made the change, and the date and time the modification was made. The analysis of these events ensures that changes in object permissions are managed in a controlled manner, in accordance with security policies and the roles assigned to each user, which helps prevent unauthorized access and maintain the principle of least protection. privilege.', null, null, null, null, null, null, null, null, null, 510, true, 274, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): Protected Object Permission Change', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (483, 'This report collects event 5145 logs from the Windows logs, which document attempts to access shared resources on the network, such as files or folders that contain Controlled Unclassified Information (CUI). Event 5145 is generated when an access attempt to a shared resource is made and logged, providing detailed information about whether access was allowed or denied. This information is crucial to verify compliance with CMMC''s Level 3 (AC.3.014) Access Control and Authentication policy, which requires controlling the flow of CUI and adequately protecting access points to this sensitive data.

The report includes key details such as the name of the share that was attempted to be accessed, the identity of the user or process that made the access attempt, the action taken (allow or deny), the source of the access (IP address or source computer). ), and the date and time of the attempt. Analysis of these events allows you to verify that access to resources containing CUI is appropriately restricted, protecting access points from unauthorized access and ensuring that security controls are aligned with CMMC policies.', null, null, null, null, null, null, null, null, null, 510, true, 275, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.014): Access to shared resource', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (484, 'This report collects the Windows log event 4740 logs, which document the locking out of user accounts after multiple failed authentication attempts. Event 4740 is generated when an account is locked due to repeated unsuccessful access attempts, providing key information about possible unauthorized access attempts or brute force attacks. This information is crucial to verify compliance with CMMC''s Level 5 (AC.5.025) Access Control and Authentication policy, which requires continuous monitoring of access through advanced behavioral analysis.

The report includes key details such as the name of the blocked account, the identity of the user or process that generated the event, the IP address or computer of origin of the access attempt and the date and time of the block, among others. The analysis of these events allows us to identify behavioral patterns in system access, detect intrusion attempts in real time and strengthen security strategies based on advanced analysis of user behavior. This proactive approach helps prevent unauthorized access and ensure security controls are aligned with CMMC Level 5 policies.', null, null, null, null, null, null, null, null, null, 510, true, 276, 'TEMPLATE', null, null, 'Windows Level 5 (AC.5.025): Account Locks', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (485, 'This report collects event 4663 logs from the Windows logs, which document access attempts to system objects, such as files and folders that may contain Controlled Unclassified Information (CUI). Event 4663 is generated when a user or process attempts to access a protected object and logs whether the action was allowed or denied. This information is crucial to verify compliance with CMMC''s Level 3 (AC.3.014) Access Control and Authentication policy, which requires controlling the flow of CUI and adequately protecting access points to this sensitive data.

The report includes key details such as the name of the file or folder that was attempted to be accessed, the identity of the user or process that made the attempt, and the date and time of the attempt. Analysis of these events allows verification that access to resources containing CUI is appropriately restricted, detecting possible unauthorized access attempts and ensuring that security controls are aligned with CMMC policies.', null, null, null, null, null, null, null, null, null, 510, true, 277, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.014): Access to critical files or specific directories', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (487, 'This report collects event 4672 logs from the Windows logs, which document logins by users with elevated privileges, such as those belonging to the Administrators group or with other special permissions. This event is essential to verify compliance with CMMC''s Authentication and Access Control Level 2 policy (AC.2.007), which requires the implementation of role-based access controls (RBAC), ensuring that only authorized users have access. to sensitive resources and special privileges.

The report includes details such as the identity of the user logged in with elevated privileges, the source of access (IP address or source machine), and more. The analysis of these events allows us to verify that privileged access is restricted to users with specific and authorized roles, maintaining the principle of least privilege and minimizing the risk of unauthorized access.', null, null, null, null, null, null, null, null, null, 510, true, 278, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): Special privileges assigned to new logon', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (488, 'Provides valuable insights into system interactions and potential security risks to improve detection of unauthorized access attempts, strengthen compliance with security standards, and improve the overall integrity of your Windows environments.', null, null, null, null, null, null, null, null, null, 510, true, 279, 'TEMPLATE', null, null, 'Windows Level 5 (AU.5.055): Failed logon attempt', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (489, 'This report collects the Windows log event 4719 logs, which document changes to the system audit 
policy configuration. Event 4719 is generated when security auditing configurations are modified, such as parameters related to what activities will be logged and how event logs will be managed. This information is crucial to verify compliance with the CMMC Audit and Monitoring Policy Level 1 (AU.1.001), which requires audit logs to ensure security and adequate monitoring of system activities.

The report includes key details such as the identity of the user who made the change to the audit policy, the date and time of the change, and information about the context of the change (if available), among others.

Analysis of these events allows you to verify that audit policies are not modified without adequate justification, ensuring that audit configurations remain in line with security requirements. This report is essential to ensure that audit records are managed consistently and that any changes in audit policy are duly recorded, supporting compliance with CMMC Level 1 requirements and ensuring the integrity and continuity of monitoring activities. of the system.', null, null, null, null, null, null, null, null, null, 511, true, 280, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Policy changes', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (490, 'This report collects the logs for event 4648 from the Windows logs, which document the login attempt using explicit credentials (that is, when a user or process logs in using a username and password directly, rather than (automatic login or through a network login service). Event 4648 is generated when a username and password are presented to authenticate a session, providing key information about system access. This information is crucial to verify compliance with CMMC''s Level 1 (AU.1.001) Audit and Monitoring policy, which requires audit logs to ensure security and monitoring of system activities.

The report includes key details such as the identity of the user who attempted to log in, the date and time of the attempt. Additionally, information is provided about the action taken (whether the login was successful or unsuccessful), and details about the credentials used in the attempt, allowing access to sensitive systems to be tracked.
The analysis of these events ensures that system access attempts are adequately audited, allowing unauthorized access to be detected and suspicious behavior to be monitored. This report is essential to ensure that an adequate record of system access is maintained, supporting the identification of malicious or unauthorized activities and complying with CMMC Level 1 auditing and monitoring requirements.', null, null, null, null, null, null, null, null, null, 511, true, 281, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Logins with explicit credentials', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (491, 'This report collects the records of Windows log events 4722, 4723, 4725, and 4726, which document changes to system user accounts, such as enabling, resetting, disabling, and deleting user accounts. These events are essential to detect changes in account configuration that could indicate an attempt to manipulate credentials or an attempt to evade access controls, which is essential to comply with the Level 4 (AU.4.053) Audit policy. and CMMC Monitoring, which requires improving logging capabilities to support the detection of advanced threats and malicious activities.

The report includes key details about the type of change made (enable, reset, disable, delete), the identity of the user who made the modification, the identity of the user affected by the action (account enabled, reset, disabled, or deleted), and the time and date of the event. Analyzing these events can improve auditing capabilities and detect suspicious or unusual patterns related to user accounts. By quickly identifying unexpected account changes, such as the reactivation of disabled accounts or the deletion of critical accounts, this report facilitates the early detection of threats that could be related to privilege escalation, phishing, or unauthorized access to systems. This ensures that account management practices are aligned with CMMC Level 4 requirements, providing an additional layer of security for the protection of critical infrastructure.', null, null, null, null, null, null, null, null, null, 511, true, 282, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Changes in account status', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (492, 'This report collects relevant information from events 4768 (Kerberos Authentication Ticket Granted), 4769 (Kerberos Service Ticket Granted) and 4771 (Kerberos Pre-Authentication Failed) in the Windows logs, for the purpose of verifying compliance with the AU practice. 4.053 of CMMC Level 4, which requires advanced logging capabilities for threat detection.

Analysis of these events is essential to detect and respond to unauthorized access attempts, credential misuse, and suspicious activity in protected environments. The report includes key details such as user name, source IP address, authentication result, Kerberos error codes, and authentication device, allowing you to improve visibility into authentication traffic and strengthen strategies. cybersecurity.

This report facilitates proactive identification of anomalous patterns, potential privilege escalation attempts, or lateral movement within the network, ensuring logging capabilities are robust enough to support advanced threat detection and incident response.', null, null, null, null, null, null, null, null, null, 511, true, 283, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Windows Kerberos ticket requests', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (494, 'This report collects relevant information from events 5140 (A network share object was accessed) and 5145 (A network share object was checked to see whether client can be granted desired access) in the Windows logs, with the objective of verifying compliance with CMMC Level 4 practice AU.4.053, which requires advanced logging capabilities for threat detection.

Monitoring these events allows you to analyze access to shared resources on the network, identifying unauthorized access attempts, lateral movements and possible data exfiltration. The report includes key details such as the user''s name, source IP address, shared resource accessed, and the result of the operation, among others.

This analysis helps strengthen the security of the environment by monitoring access to sensitive files, detecting anomalous activity, and providing visibility into possible attack attempts or misuse of permissions. With this information, organizations can improve detection and response to advanced threats, ensuring effective management of security logs.', null, null, null, null, null, null, null, null, null, 511, true, 285, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Access to Shared Resources', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (495, 'This report compiles relevant information from events 4673 (A privileged service was called) and 4674 (An attempt was made to perform a privileged operation) in the Windows logs, with the purpose of verifying compliance with CMMC practice AU.4.053 Level 4, which requires advanced logging capabilities for threat detection.

Monitoring these events is crucial to identifying the use of elevated privileges within the system, as they may indicate attempts to exploit vulnerabilities, abuse of privileged accounts, or lateral movements within the network.

The report includes key information such as the user who performed the action, the tool or process executed with elevated privileges, the result of the operation, etc. This analysis allows you to detect suspicious activities, respond to potential security incidents, and strengthen privileged access controls.

By having this visibility, organizations can improve their ability to detect and respond to advanced threats, ensuring effective monitoring of critical events in the IT infrastructure.', null, null, null, null, null, null, null, null, null, 511, true, 286, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Use of Elevated Privileges', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (497, 'Helps maintain tight control over activity in PowerShell, quickly identifying anomalous or suspicious activity that may compromise system or network security. This not only improves the organization''s security posture but also ensures compliance with security regulations and standards.', null, null, null, null, null, null, null, null, null, 511, true, 288, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): PowerShell Script Block Registration', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (758, 'This report collects relevant information from the Windows logs generated by event 4648, which is triggered when a user session is authenticated using explicitly provided credentials (for example, username and password) to access network resources. 
This event is critical to comply with CMMC control SI.3.219, which requires the implementation of network monitoring to detect attacks.

Event 4648 provides details about authentication attempts made with explicit credentials, which is crucial for identifying both legitimate and potentially malicious access to critical systems and resources. Monitoring these types of events helps detect unusual behavior, such as unauthorized access attempts through network services or the use of compromised credentials.

This report is essential for detecting suspicious access patterns that could indicate malicious activity, such as brute force attacks, password guessing attempts, or lateral movement of an attacker within the network. It makes it easier for security teams to identify threats early and respond quickly to incidents involving unauthorized access or credential abuse, contributing to CMMC compliance by ensuring effective monitoring of critical systems and protection against attacks.', null, null, null, null, null, null, null, null, null, 502, true, 281, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.219): Logins with explicit credentials', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (722, 'This report supports compliance with HIPAA Security Rule 164.312(b), which establishes the need to implement mechanisms to log and examine system activity. By analyzing events related to failed login attempts in Office 365, this report facilitates the detection of suspicious activity and provides detailed tracking of unauthorized access. 
Ensuring continuous review of these events promotes effective system security monitoring, helping to protect the confidentiality, integrity, and availability of sensitive data in compliance with established security and audit policies.', null, null, null, null, null, null, null, null, null, 601, true, 262, 'TEMPLATE', null, null, 'Office 365 Account Logon Failure', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (662, 'This report collects and analyzes security events identified by ID 4719 on Windows systems. Event 4719 records changes to audit policy configurations, indicating modifications to how system activities are monitored and logged. These events are essential for verifying compliance with the HITRUST CSF 01.v requirement, which mandates the logging of key system activities. 
This report facilitates the identification and auditing of audit policy modifications, ensuring that systems maintain adequate and continuous monitoring of critical activities, contributing to compliance with security policies and effective control.', null, null, null, null, null, null, null, null, null, 601, true, 280, 'TEMPLATE', null, null, 'Windows Policy changes', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (753, 'This report compiles relevant information from the Windows logs generated by event 4688, which is triggered when a new process is created on the system. This event is critical to comply with CMMC control SI.2.216, which requires detection of malicious code and response to malware infections.

Event 4688 provides details about the started processes, which is essential to identify suspicious processes that could be related to malware, such as unauthorized or unexpected programs running on the system. By analyzing this event, unusual activities can be identified that could indicate the presence of malicious software.

This report facilitates early malware detection by identifying potentially harmful processes that start on the system. It also allows security teams to investigate the source of suspicious processes and take corrective action before a more serious infection occurs. Additionally, it contributes to CMMC compliance by ensuring that risks associated with malware are proactively identified and managed.', null, null, null, null, null, null, null, null, null, 502, true, 284, 'TEMPLATE', null, null, 'Windows Level 2 (SI.2.216): Process Creation', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1098, 'This report gathers relevant information from 4728 events generated in Windows logs, which correspond to the addition of users to a security group. Event 4728 is useful for verifying compliance with PCI DSS Requirement 2.1.2, which establishes that the roles and responsibilities for performing the activities defined in Requirement 2 must be documented, assigned, and understood by all involved parties.

This event allows you to audit which users have been added to specific security groups, allowing you to verify that the responsibilities associated with configuring and maintaining system components are clearly assigned to the appropriate individuals or groups. These records are essential for ensuring that security policies and operational procedures are being correctly implemented and that access roles are aligned with defined security responsibilities.

This report helps ensure that activities related to the secure configuration of systems and compliance with security standards are being carried out by authorized and competent persons, supporting the correct management of system components in accordance with documented and assigned procedures.', null, null, null, null, null, null, null, null, null, 801, true, 316, 'TEMPLATE', null, null, 'Windows Additions to Security Groups', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (756, 'This report compiles relevant information from the Windows logs generated by events 5140 and 5145, which are triggered when a network share is accessed or when changes are made to the share''s permissions. These events are critical to comply with CMMC control SI.3.219, which requires the implementation of network monitoring to detect attacks.

Events 5140 and 5145 provide details about accesses and modifications to shared resources on the network, which may be indicative of unusual or malicious behavior. Attackers often attempt to gain unauthorized access to shared resources to steal data or compromise systems. Monitoring these events allows you to identify suspicious access patterns that could signal attempts to exploit network vulnerabilities or lateral movement within the infrastructure.

This report is key to detect unauthorized access, attempts to escalate privileges or manipulation of permissions on critical resources. Correlating these events with other security data allows monitoring teams to identify attacks in real time, facilitating rapid and effective response to incidents. Additionally, it contributes to CMMC compliance by ensuring that appropriate measures are implemented to protect shared resources on the network and prevent malicious activities.', null, null, null, null, null, null, null, null, null, 502, true, 285, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.219): Network Access to shared resource', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1146, 'This report collects and analyzes relevant information from Windows event 4719 logs, which indicate changes to the system''s audit policy configuration. Its purpose is to assess compliance with PCI DSS Requirement 6.5, ensuring that changes to system components are managed securely and in accordance with established procedures. Monitoring these events allows for the identification of unauthorized changes to audit policies, ensuring traceability of modifications in the production environment. Additionally, it verifies that all modifications comply with documentation, approval, and security impact testing controls before being implemented. 
This approach contributes to the detection and mitigation of risks associated with uncontrolled changes, ensuring the security and stability of the environment in compliance with PCI DSS requirements.', null, null, null, null, null, null, null, null, null, 806, true, 280, 'TEMPLATE', null, null, 'Windows Policy changes', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (634, 'This report consolidates relevant information from successful logon events (Event ID 4624) logged on Windows systems, with the goal of verifying compliance with HIPAA 164.312(a)(1). This requirement mandates the implementation of technical policies to ensure that electronic systems maintaining ePHI (Electronic Protected Health Information) allow access only to authorized individuals. 
The report provides a detailed analysis of successful authentications, including user accounts, access source, and authentication methods used, to facilitate the identification of potential unauthorized access and reinforce secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 265, 'TEMPLATE', null, null, 'Windows Account Logon Success', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (759, 'This report collects relevant information from the Windows logs generated by event 1102, which is triggered when the system audit log is cleared. This event is essential to comply with CMMC control SI.4.221, which requires the use of automated tools to detect and respond to network anomalies.

Event 1102 provides details on audit log deletion, which is critical to identifying unauthorized actions or attempts to manipulate system logs, behavior that could indicate an attack or malicious activity. Monitoring these types of events is crucial to detect attempts to hide traces of previous attacks, which is behavior that can compromise the integrity of the network security system.

This report is key to strengthening the detection of anomalies and the protection of the network infrastructure, allowing security teams to take preventive and response measures against the unauthorized deletion of logs. Additionally, it contributes to CMMC compliance by ensuring that appropriate incident detection tools are used and the integrity of system logs is maintained, facilitating the identification and mitigation of potential network threats.', null, null, null, null, null, null, null, null, null, 502, true, 295, 'TEMPLATE', null, null, 'Windows Level 4 (SI.4.221): Cleaned Event Log', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (757, 'This report collects relevant information from the Windows logs generated by event 4776, which is triggered when a login authentication attempt is made using the NTLM (NT LAN Manager) protocol. This event is key to complying with CMMC control SI.3.219, which requires the implementation of network monitoring to detect attacks.

Event 4776 provides details about failed authentication attempts over NTLM, a protocol used for authentication on Windows networks. Identifying these failed attempts is essential to detect patterns of unauthorized access, such as brute force attacks or password guessing attempts, that seek to exploit vulnerabilities in authentication mechanisms. Monitoring these types of events helps prevent unauthorized access to critical systems and applications.

This report is crucial to detect potential vulnerabilities associated with NTLM that can be exploited by malicious actors, allowing security teams to quickly identify and respond to incidents related to unauthorized access. Additionally, it contributes to CMMC compliance by ensuring that appropriate network monitoring practices are implemented to detect and mitigate potential attacks that compromise the security of the organization''s systems.', null, null, null, null, null, null, null, null, null, 502, true, 301, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.219): Account Authentication Using NTLM', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (760, 'This report compiles relevant information from the Windows logs generated by event 4689, which is activated when a process or service ends its execution on the system. This event is key to complying with CMMC control SI.4.221, which requires the use of automated tools to detect and respond to network anomalies.

Event 4689 provides details about the termination of processes in the system, allowing you to monitor the activities taking place on the network and detect unusual behavior, such as the termination of unexpected or malicious processes. Monitoring this event helps identify potential attacks, intrusions, or malware that attempt to disrupt critical systems or evade detection of malicious activity.

This report is essential to ensure that security teams are capable of detecting and responding to anomalies in the network in an automated manner, allowing rapid and effective intervention in the event of any event that may jeopardize the security of the system. Additionally, it contributes to compliance with CMMC guidelines by ensuring that appropriate tools are implemented for the detection and response to incidents related to malicious activities within the network infrastructure.', null, null, null, null, null, null, null, null, null, 502, true, 302, 'TEMPLATE', null, null, 'Windows Level 4 (SI.4.221): Process Termination', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (754, 'This report compiles relevant information from the Windows logs generated by event 4697, which is activated when a service is installed on the system. This event is key to complying with CMMC control SI.2.216, which requires the detection of malicious code and effective response to malware infections.

Event 4697 provides details about newly installed services on the system, which may be indicative of the installation of unauthorized or malicious software. Many types of malware are installed on the system as services to maintain their persistence. By monitoring these events, you can quickly identify suspicious services that could have been introduced by malware.

This report makes it easier to detect potential malware infections by monitoring newly installed services, allowing security teams to respond efficiently to any signs of malicious activity. Additionally, it contributes to CMMC compliance by ensuring that the services installed on the system are legitimate and not related to malicious behavior.', null, null, null, null, null, null, null, null, null, 502, true, 305, 'TEMPLATE', null, null, 'Windows Level 2 (SI.2.216): Service Installed', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1143, 'This report collects and analyzes relevant information from Windows event 4688 logs, which record the creation of new processes in the system. Its objective is to assess compliance with PCI DSS Requirement 6.3, ensuring that security vulnerabilities are identified and effectively managed. Analysis of these events allows for the detection of suspicious or unauthorized processes that may indicate the exploitation of vulnerabilities in the system. It also reviews whether the execution of custom and third-party software follows safe practices, such as the application of patches and security updates within established timeframes. 
This approach helps mitigate risks, identify potential threats, and ensure that systems are protected against known vulnerabilities, aligning with the security controls required by PCI DSS.', null, null, null, null, null, null, null, null, null, 806, true, 284, 'TEMPLATE', null, null, 'Windows Process Creation', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1144, 'This report collects and analyzes relevant information from Windows event 4728 logs, which record the addition of a user to a security group. Its objective is to assess compliance with PCI DSS Requirement 6.4, ensuring that public-facing web applications are protected against attacks. Analysis of these events identifies changes in privilege assignment that could grant unauthorized access to critical resources related to web application security. It also reviews whether access controls and security group management comply with best practices to minimize exploitation risks, prevent privilege escalation attacks, and ensure that only authorized users can perform sensitive configurations. 
This approach contributes to the detection and mitigation of potential threats, aligning with the security controls established by PCI DSS for the protection of publicly exposed web applications.', null, null, null, null, null, null, null, null, null, 806, true, 316, 'TEMPLATE', null, null, 'Windows Additions to Security Groups', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (838, e'The Windows Account Logon Success Report provides a comprehensive view of successful logon events, serving as a crucial tool for compliance within the Banking Audit framework. This report ensures alignment with security controls that manage and monitor user access, safeguarding sensitive financial information and meeting regulatory requirements.
• Banking Regulations: Supports compliance with financial regulations, such as the Safeguards Rule under GLBA, by demonstrating a security program that protects customer data.
• Access Control: Reinforces principles of access management by tracking and validating that only authorized users can access banking systems, aligning with PCI DSS Requirement 8.
• Audit Readiness: Provides evidence for maintaining security and access control, essential for audits and adherence to standards like ISO 27001 and SOC2 Type 2, ensuring secure access is granted only to legitimate users.
• Incident Detection and Prevention: Helps detect unauthorized access attempts by analyzing patterns of successful logons, thereby reducing the risk of data breaches.
• Data Protection: Aligns with global frameworks such as GDPR Article 32, ensuring access to sensitive financial data is restricted to authorized individuals to prevent unauthorized data processing.

By centralizing and monitoring logon events, this report strengthens an organization’s ability to maintain cybersecurity resilience, protect financial systems, and achieve compliance with stringent banking audit requirements.', null, null, null, null, null, null, null, null, null, 703, true, 265, 'TEMPLATE', null, null, 'Windows Account Logon Success', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (880, 'This report compiles relevant information from the Windows logs generated by events 4728 and 4732, which are triggered when changes are made to user security groups within the system. These events are critical to complying with CMMC control SI.5.223, which requires improving detection capabilities on endpoints using advanced tools.

Event 4728 is triggered when a user is added to a security group, while event 4732 is triggered when a user is added to a privileged type security group. These events are key to monitoring and detecting changes in access configurations to critical resources and privileged groups, which could be indicative of an attempt to escalate privileges or unauthorized modification of user permissions.

By collecting these events, you can quickly detect inappropriate assignment of users to privileged groups, behavior that could be an indication of malicious activity. In addition, this type of monitoring, supported by advanced tools, strengthens threat detection capabilities on endpoints, allowing a more agile response to incidents related to the manipulation of access permissions and the potential abuse of privileges.

This report is key to improving visibility of activities within the system, helping security teams detect unauthorized changes and respond effectively to any threats. Additionally, it contributes to CMMC compliance by ensuring that advanced tools are applied to protect endpoints and detect suspicious or malicious behavior.', null, null, null, null, null, null, null, null, null, 502, true, 316, 'TEMPLATE', null, null, 'Windows Level 5 (SI.5.223): Additions to Security Groups', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (761, 'This report collects relevant information from the Windows logs generated by event 7030, which is triggered when a service on the system stops unexpectedly or cannot start correctly. This event is essential to comply with CMMC control SI.5.223, which requires the use of advanced tools to improve endpoint detection capabilities.

Event 7030 provides details about failures to start or stop critical services, which may indicate security issues or attacks aimed at disrupting the normal operation of systems. Detecting these events is crucial as it could signal malicious activities such as disabling key services, manipulation of system configurations or attempts to hide traces of an attack.

This report allows security teams to identify compromised services that may have been affected by malware, ransomware or other types of threats. With the use of advanced monitoring tools, these events can be analyzed in conjunction with other logs to detect suspicious behavior patterns on endpoints and trigger immediate alerts.

By implementing this type of monitoring, the organization strengthens its ability to identify attacks or anomalous behavior on endpoints, allowing a faster and more effective response to security incidents. In addition, it contributes to compliance with CMMC regulations, ensuring the integration of advanced tools for threat detection and proactive protection of critical systems.', null, null, null, null, null, null, null, null, null, 502, true, 323, 'TEMPLATE', null, null, 'Windows Level 5 (SI.5.223): Service Control Manager Log Information', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1175, 'This report compiles relevant information from Windows Event 1102 logs, which indicate that the audit log has been deleted. Its analysis is critical to ensuring compliance with PCI DSS requirements 10.2 and 10.2.1, ensuring that audit logs are enabled, active, and protected against unauthorized modification or deletion. 
It also allows for the detection of anomalous activity and forensic security analysis.', null, null, null, null, null, null, null, null, null, 809, true, 295, 'TEMPLATE', null, null, 'Windows Cleaned Event Log', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (762, 'This report compiles relevant information from the Windows logs generated by event 1001, which is triggered when the system registers an event related to error activity or failures in system processes. This event is essential to comply with CMMC control SI.1.210, which requires identifying and correcting system failures, including those caused by malware or other vulnerabilities.

Event 1001 provides details about errors and failures recorded in the system, allowing security and infrastructure teams to identify issues that may be indicative of system failures, malware attacks, or malicious activities. By monitoring these events, the organization can quickly detect anomalous behavior or system vulnerabilities that could be exploited by malicious actors.

This report is key to identifying and correcting any system failure that may compromise security, allowing an early response to malware incidents or other threats that affect the integrity of the system. Additionally, it contributes to CMMC compliance by providing a proactive mechanism for fault detection and correction, which helps strengthen the organization''s overall security posture.', null, null, null, null, null, null, null, null, null, 502, true, 339, 'TEMPLATE', null, null, 'Windows Level 1 (SI.1.210): Windows Error Reporting', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (763, 'This report collects relevant information from the Windows logs generated by event 6008, which is triggered when the system detects an unexpected shutdown or unexpected restart of the operating system. This event is crucial to comply with CMMC control SI.1.210, which requires the identification and correction of system failures, including those caused by malware or other vulnerabilities.

Event 6008 provides details about the cause of an unexpected shutdown, which may indicate the presence of system crashes, critical errors, or malicious activities such as malware attacks that affect system stability. By analyzing these events, security teams can identify patterns that suggest tampering attempts or attacks that exploit vulnerabilities in the system.

This report allows the organization to quickly detect problems that may compromise security, facilitating the correction of system failures and the mitigation of risks associated with malware or operational failures. Additionally, it contributes to CMMC compliance by providing a tool for early detection of incidents and taking appropriate corrective actions, strengthening the organization''s security posture.', null, null, null, null, null, null, null, null, null, 502, true, 340, 'TEMPLATE', null, null, 'Windows Level 1 (SI.1.210): Logging Unexpected System Shutdowns', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (635, 'This report collects and analyzes security events identified by ID 4625 on Windows systems. Event 4625 records failed login attempts, providing relevant information for verifying compliance with HIPAA requirement 164.312(a)(1). This requirement establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that store or process ePHI (Electronic Protected Health Information). 
This report facilitates the identification of unauthorized access attempts and contributes to the implementation and monitoring of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 266, 'TEMPLATE', null, null, 'Windows Account Logon Failure', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1192, 'This report compiles relevant information from Windows Event 1102 logs, which are generated when the security audit log is deleted. Since the deletion of audit logs can be an indicator of malicious activity or concealment of unauthorized actions, this event is critical for identifying exceptions and anomalies in the log review process.

Analyzing these events helps ensure compliance with PCI DSS Requirement 10.4.3, ensuring that any anomalies detected during log review are identified and appropriately addressed to maintain the integrity and security of the environment that handles cardholder data.', null, null, null, null, null, null, null, null, null, 809, true, 295, 'TEMPLATE', null, null, 'Windows Cleaned Event Log', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (764, 'This report collects relevant information from the Windows logs generated by event 7031, which is triggered when a Windows service stops unexpectedly. This event is essential to comply with CMMC control SI.1.210, which requires the identification and correction of system failures, including those related to malware or operating system malfunctions.

Event 7031 provides details about which services have failed, which may be indicative of critical system failures or a potential security compromise, such as malware attacks that disrupt the normal operation of the services. Analysis of this event can identify services that stop abnormally and, by correlating it with other security events, can help identify suspicious patterns or malware infections.

This report is useful for detecting failures or interruptions in critical system services, facilitating the correction of failures and the investigation of possible security incidents. Additionally, it contributes to CMMC compliance by providing visibility into operational issues and the need for corrective action, helping to protect infrastructure against risks related to system service failures or cyber attacks.', null, null, null, null, null, null, null, null, null, 502, true, 341, 'TEMPLATE', null, null, 'Windows Level 1 (SI.1.210): Windows Unexpected Service Failures', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1193, 'This report compiles relevant information from Windows Event 4616 logs, which are generated when a change occurs in the system time settings. Event 4616 is key for monitoring changes in system clock synchronization, helping to ensure the consistency of audit logs and the traceability of security events.

The report is aligned with PCI DSS Requirement 10.6.1, which requires system clocks to be synchronized to ensure accurate audit logs. Analyzing these events can detect unauthorized changes in time settings, helping to prevent alterations that could compromise the integrity of security logs.', null, null, null, null, null, null, null, null, null, 809, true, 303, 'TEMPLATE', null, null, 'Windows System Time Settings Changes', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1229, 'This report analyzes Security Log Closure events (Event ID 1102) on Windows systems to assess compliance with PCI DSS Requirement A1.2.3, which establishes the implementation of processes or mechanisms for reporting and addressing security incidents and vulnerabilities. Event 1102 is generated when the system''s Security Log is cleared or closed, which may indicate an action related to security event management or incident response. This analysis verifies that logs are managed appropriately and that security incidents and vulnerabilities are communicated and addressed securely. It also ensures that the vendor has established mechanisms to remediate incidents in accordance with PCI DSS Requirement 6.3.1, ensuring that customers can safely report incidents and that they are addressed in accordance with security policies. 
The findings in this report support the validation of audit and incident response processes, ensuring that appropriate records are maintained for security incident investigation and PCI DSS compliance.', null, null, null, null, null, null, null, null, null, 812, true, 295, 'TEMPLATE', null, null, 'Windows Cleaned Event Log', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (765, 'This report compiles relevant information from the Windows logs generated by event 7038, which is activated when a service in the system changes state, whether started, stopped, or with an error in its execution. This event is crucial to comply with CMMC control SI.2.216, which requires detection of malicious code and appropriate response to malware infections.

Event 7038 can provide clues about the execution of services associated with possible malware infections, since certain malware can install or modify services to maintain its persistence in the system. By reviewing these events, you can identify services that should not be active or those that are exhibiting anomalous behavior that could be related to an infection.

This report allows detecting anomalies in the execution of services, which is an essential part of the response process for malware incidents. By monitoring these events, security teams can quickly identify any suspicious services that have been compromised and take necessary corrective actions, ensuring compliance with CMMC practices regarding protection and detection of malware-related threats.', null, null, null, null, null, null, null, null, null, 502, true, 342, 'TEMPLATE', null, null, 'Windows Level 2 (SI.2.216): Services Changes', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1222, 'This report analyzes successful logon events (Event ID 4624) on Windows systems to evaluate the effectiveness of logical separation in multi-tenant environments according to PCI DSS Requirement A1.1. Authentication logs are reviewed to verify that access to customer and vendor environments is performed only by authorized users and that there is no unauthorized access between customer environments or from the vendor to the customer environments. 
The results of this report contribute to the validation of security controls, ensuring regulatory compliance and reducing the risk of unauthorized access to shared infrastructures.', null, null, null, null, null, null, null, null, null, 812, true, 312, 'TEMPLATE', null, null, 'Windows Password Reset Attempts', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1166, 'This report collects and analyzes 4648 events (Use of Explicit Credentials) recorded in Windows logs to assess compliance with PCI DSS Requirement 8.2. Credential usage is verified to ensure each user has a unique ID before accessing system components or cardholder data. 
The use of shared accounts, proper management of account additions, deletions, and modifications, and the attribution of actions to individual users are also monitored, ensuring strict account lifecycle management and compliance with authentication controls.', null, null, null, null, null, null, null, null, null, 808, true, 281, 'TEMPLATE', null, null, 'Windows Logins with explicit credentials', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (766, 'This report collects relevant information from the Windows logs generated by event 4769, which is triggered when a Kerberos authentication request is successfully processed in the network environment. This event is critical to comply with CMMC control SI.3.219, which requires the implementation of network monitoring to detect attacks.

Event 4769 provides details about Kerberos service ticket requests. Monitoring these types of events is essential to identify unusual activities, such as attempts to exploit vulnerabilities in the Kerberos protocol, replay attacks, or lateral movement of attackers within the network.

This report allows you to detect suspicious behavior that could indicate unauthorized access or attempts to abuse privileges through the Kerberos protocol. Additionally, it facilitates the ability of security teams to investigate potential authentication-related incidents and prevent potential attacks before they compromise the organization''s sensitive systems, contributing to CMMC compliance and strengthening infrastructure protection.', null, null, null, null, null, null, null, null, null, 502, true, 343, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.219): Kerberos Service Ticket', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (767, 'This report compiles relevant information from the Windows logs generated by event 1058, which is triggered when a problem accessing network resources or group policy files prevents the system from completing the update or application of security policies. . This event is essential to comply with CMMC control SI.5.223, which requires improving detection capabilities on endpoints using advanced tools.

Event 1058 provides details on failures in the update of group policies due to errors in accessing files or resources on the network, which may be indicative of an attempt to interfere with security settings or a system anomaly. Since group policies are essential for system security and configuration, any errors in your application could signal a tampering attack or the presence of malware attempting to bypass security settings.

This Reporting is crucial for detecting and responding to anomalies related to system configuration and security, helping to ensure that endpoints follow appropriate security policies. Additionally, it contributes to CMMC compliance by ensuring that advanced tools are used to detect failures and threats that may compromise the integrity of the organization''s systems.', null, null, null, null, null, null, null, null, null, 502, true, 344, 'TEMPLATE', null, null, 'Windows Level 5 (SI.5.223): Application of Group Policies Errors', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (768, 'This report compiles key information from the Windows logs generated by events 4688 and 4689, which are related to the creation of new processes and the termination of processes in the system. These events are essential to comply with CMMC control SI.5.223, which requires the use of advanced tools to improve detection capabilities on endpoints and detect suspicious or malicious behavior.

Event 4688 is triggered when a process is created on the system, providing details about the executable, the user who started the process, and the command line used. Event 4689, for its part, records when a process ends, which allows monitoring the activity of the processes in real time.

By reviewing these events, suspicious process execution, rogue applications, or malware activity can be detected, enabling rapid response to security incidents. Additionally, correlating these events with other system logs makes it easier to identify behavioral patterns that could signal an imminent threat.

This report is crucial to strengthening threat detection at the endpoint level, allowing security teams to identify and respond to malicious activity more effectively. Likewise, it contributes to CMMC compliance by improving monitoring and incident response capabilities, especially with respect to the execution and termination of processes in the organization''s systems.', null, null, null, null, null, null, null, null, null, 502, true, 345, 'TEMPLATE', null, null, 'Windows Level 5 (SI.5.223): Created and Terminated Processes', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (814, 'This report collects relevant information from the Windows logs generated by event 4625, which is triggered when a login attempt fails on the system. This event is critical to compliance with CMMC Level 1 control AU.1.001, which requires capturing audit logs for review.

Event 4625 provides details about failed login attempts. This type of information is crucial for detecting unauthorized access or security breach attempts, such as brute force attacks or password guessing attempts.

Collecting and reviewing logs from this event is essential to comply with security audit policies, allowing security teams to quickly identify and respond to suspicious patterns or repeated failed system access attempts. Additionally, these logs are useful for performing forensic analysis in the event of security incidents, contributing to the improvement of preventive defenses.

This report supports the implementation of appropriate auditing practices, ensuring that user activity logs are captured and reviewed, in line with CMMC Level 1 requirements. Through this review, adequate control over access can be maintained. to systems and detect potential security threats before they compromise infrastructure.', null, null, null, null, null, null, null, null, null, 509, true, 266, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): Account Logon Failure', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (822, 'This report collects relevant information from the Windows logs generated by event 4670, which is triggered when the permission settings of an object, including files, folders, or registry keys, are modified. This event is crucial to comply with CMMC Level 1 control AU.1.001, which requires the capture and review of audit logs to ensure the security of the computing environment.

Event 4670 provides details about changes made to access permissions to system objects. This information is essential to monitor and audit access to sensitive resources within the system.

Monitoring modifications to object permissions is essential to detect unauthorized changes that may indicate attempted privilege escalation, malicious moves, or manipulations of critical configurations. In addition, the collection of these logs allows a detailed review of the actions taken, which is key to ensuring that access controls are being applied appropriately and in accordance with security policies.

This report facilitates compliance with CMMC Level 1 control AU.1.001, ensuring that audit logs related to permit modifications are adequately captured and reviewed, contributing to the detection and mitigation of possible security incidents within the company''s infrastructure. organization.', null, null, null, null, null, null, null, null, null, 509, true, 274, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): Protected Object Permission Change', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (824, 'This report collects relevant information from the Windows logs generated by event 4663, which is triggered when a user performs an access operation on system objects, such as reading, writing or deleting files and folders. This event is crucial to comply with CMMC Level 3 control AU.3.045, which requires ensuring that logs are available for investigation in the event of security incidents.

Event 4663 provides details about operations performed on system objects. This allows detailed tracking of interactions with critical files and resources within the system. Maintaining a proper record of these events is essential to ensure that any unauthorized access or modification to the organization''s resources can be tracked and audited effectively.

Ensuring that logs of these types of events are available for review and analysis is essential for the early identification of security incidents, such as unauthorized access, malicious modifications or security policy violations. This report contributes to the organization''s ability to investigate and respond to incidents efficiently, ensuring that the information necessary for a complete investigation can be accessed.

In this way, the report supports compliance with CMMC Level 3 control AU.3.045, ensuring that the relevant logs are properly managed, stored and available for review at any time, facilitating a rapid and effective response to security incidents and contributing to the protection of organizational infrastructure.', null, null, null, null, null, null, null, null, null, 509, true, 277, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Access to critical files or specific directories', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (815, 'This report collects relevant information from the Windows logs generated by event 4648, which is triggered when a user attempts to log on to a system with explicit credentials, such as a username and password. This event is key to compliance with CMMC Level 1 control AU.1.001, which requires the capture of audit logs for review.

Event 4648 provides details about login attempts. This information is vital for tracking system access activities, allowing security teams to detect potential unauthorized attempts or suspicious access.

Collecting these logs also helps identify unusual or malicious access patterns, such as access attempts through compromised accounts, which helps improve incident response capabilities. Additionally, detailed information about login attempts is essential for conducting security audits, especially when investigating the integrity of user accounts and access to critical systems.

This report supports security teams in capturing and reviewing audit logs related to access to systems, ensuring that adequate control is maintained over login attempts, and contributes to compliance with security policies and access control, as established in control AU.1.001 of CMMC Level 1.', null, null, null, null, null, null, null, null, null, 509, true, 281, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): Logins with explicit credentials', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (832, 'This report compiles relevant information from the Windows logs generated by event 4688, which is activated every time a new process is created in the system. This event is essential to comply with CMMC Level 4 control AU.4.053, which requires enhancing audit logs with advanced forensic analysis capabilities to more effectively detect, investigate, and respond to security incidents.

Event 4688 provides details about creating processes on the system. This information is key to identifying the execution of suspicious or unauthorized processes, which can be indicative of malicious activities such as the execution of malware or the use of tools to carry out attacks.

Monitoring event 4688 with an advanced forensic approach allows security teams to trace the origin and behavior of executed processes, identify anomalous patterns that may indicate a security breach or evasion attempt, and perform detailed analysis of executed processes. in the system. Correlating this event with other security logs can provide a complete picture of attacker activities, helping to proactively detect suspicious behavior.

This report contributes to compliance with CMMC Level 4 control AU.4.053, by providing a detailed analysis of the processes executed in the system. By improving audit logs and applying advanced forensic analysis capabilities, the organization can strengthen its ability to identify, investigate and respond to security incidents, improving protection against persistent threats and unauthorized activities.', null, null, null, null, null, null, null, null, null, 509, true, 284, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Process Creation', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (825, 'This report compiles relevant information from the Windows logs generated by events 5140 and 5145, which are activated when a user accesses or makes modifications to shared resources on the network, such as files or directories, through SMB protocols. These events are essential to comply with CMMC Level 3 control AU.3.045, which requires ensuring that logs are available for investigation in the event of security incidents.

Event 5140 is triggered when a network connection is established to a share, while event 5145 is triggered when a file or directory is accessed through a network share. The details of these logs are essential for tracking activities related to access to data and shared files, which can be indicative of suspicious or unauthorized activity.

Ensuring that logs of these events are available for review is key to investigating and auditing access to critical resources within the organization''s network. These events allow us to identify unauthorized access, malicious movements or inappropriate changes in the permissions of shared resources. Having a complete and accessible record of these activities is essential for incident response, allowing an accurate assessment of what happened and contributing to the identification of security gaps.

This report, therefore, supports compliance with CMMC Level 3 control AU.3.045, ensuring that relevant logs regarding access and modification of shared resources are available and appropriately managed, facilitating investigations and improving the ability to the organization to respond quickly to security threats or incidents.', null, null, null, null, null, null, null, null, null, 509, true, 285, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Access to Shared Resources', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (823, 'This report compiles relevant information from the Windows logs generated by event 4907, which is activated when changes occur in the system audit policies. This event is essential to comply with CMMC Level 1 control AU.1.001, which requires the capture and review of audit logs to guarantee the integrity and security of information systems.

Event 4907 provides details about the modification of audit policies. This type of information is key to identifying unauthorized alterations to audit policies, which could indicate an attempt to hide malicious activity or avoid detection of anomalous behavior in the system.

Monitoring these changes is crucial to ensure that audit policies are configured correctly and consistently, allowing for proper collection of security events. Reviewing these logs makes it easier to identify inappropriate settings that could weaken the organization''s ability to detect suspicious activity.

This report supports compliance with CMMC Level 1 control AU.1.001, ensuring that appropriate audit configurations are maintained and that changes to audit policies are recorded and reviewed, contributing to the early detection of potential security incidents within the organization. organization infrastructure.', null, null, null, null, null, null, null, null, null, 509, true, 291, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): Restoration of default security policies', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (817, 'This report compiles relevant information from the Windows logs generated by event 4722, which is triggered when a user account is enabled on the system. This event is key to complying with CMMC Level 1 control AU.1.001, which requires capturing audit logs for review.

Event 4722 provides details about enabling user accounts. This information is crucial to properly monitor and manage user accounts within the infrastructure, ensuring that enabled accounts are legitimate and authorized.

Monitoring user account enablement helps identify any unauthorized changes, such as the reactivation of accounts that should have been disabled for security or compliance reasons. Additionally, it allows you to detect if a malicious actor tries to restore access to a previously disabled account.

This report contributes to the creation of a more robust security environment by ensuring that all events related to the enablement of user accounts are recorded and monitored. In this way, it helps comply with CMMC Level 1 control AU.1.001, ensuring the correct capture and review of audit logs for unusual or potentially malicious activities.', null, null, null, null, null, null, null, null, null, 509, true, 293, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): User Accounts Enabled', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (818, 'This report collects relevant information from the Windows logs generated by event 4723, which is triggered when a user tries to change their password. This event is critical to comply with CMMC Level 1 control AU.1.001, which requires capturing audit logs for review.

Event 4723 provides details about password change attempts. This type of information is essential for tracking and auditing credential modification attempts, allowing unusual or unauthorized activity to be detected.

Monitoring password change events is key to ensuring that authentication processes follow proper procedures and preventing malicious actors from gaining access to user accounts through unauthorized password changes. It also helps identify potential attack attempts, such as password guessing or privilege abuse.

This report contributes to compliance with AU.1.001 by ensuring that all events related to password change attempts are effectively recorded, monitored, and reviewed. In this way, it facilitates the detection of inappropriate actions and reinforces the security of the system, protecting access credentials and sensitive data.', null, null, null, null, null, null, null, null, null, 509, true, 294, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): User Password Reset Attempt', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (829, 'This report compiles relevant information from the Windows logs generated by event 1102, which is activated when a shutdown or restart of the security logs is performed on the system. This event is crucial to comply with CMMC Level 3 control AU.3.045, which requires ensuring audit logs are available for review during security investigations.

Event 1102 provides details about when and why security logs were closed or reset, which is essential for monitoring the integrity of audit logs. In the context of security management, it is essential to ensure that logs are not lost or tampered with, as they could contain critical information about past security events, such as unauthorized access attempts or malicious activities within the network.

Monitoring this event allows security teams to detect if logs were closed or restarted by unauthorized users, which could indicate an attempt to hide illicit activities or tamper with evidence in the event of an attack or security incident. The correct management and storage of these logs are essential for the investigation after any security incident, ensuring that all necessary information is available for analysis and possible recovery.

This report contributes to compliance with CMMC Level 3 control AU.3.045 by ensuring that security logs remain accessible and are securely stored for review, allowing security teams to conduct detailed investigations into any suspicious activity or incident. that has taken place in the system.', null, null, null, null, null, null, null, null, null, 509, true, 295, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Cleaned Event Log', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (821, 'This report compiles relevant information from the Windows logs generated by event 4662, which is triggered when an object in the system is accessed, modified or deleted. This event is key to complying with CMMC Level 1 control AU.1.001, which requires the capture of audit logs for review in order to maintain the integrity of the systems.

Event 4662 provides details about access to objects within the system. These logs allow you to monitor changes and access made to critical files or configurations, which is essential to detect suspicious or unauthorized activities.

Monitoring these events contributes to the early identification of unauthorized access or malicious actions, helping to ensure that system configurations and data are protected from tampering or improper access. Additionally, collecting this information ensures that a detailed analysis can be performed on any security incidents that may arise.

This report is essential to support the implementation of an effective audit monitoring strategy, ensuring that CMMC Level 1 control AU.1.001 is met by capturing and reviewing audit logs, which reinforces security and operational integrity within of the organization''s technological infrastructure.', null, null, null, null, null, null, null, null, null, 509, true, 297, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): Protected Object Access Operation', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (826, 'This report compiles relevant information from the Windows logs generated by event 4660, which is triggered when an object, such as a file or directory, is opened or modified. This event is especially important to comply with CMMC Level 3 control AU.3.045, which requires ensuring that logs are available for investigation in the event of security incidents.

Event 4660 provides details about actions performed on system objects. Additionally, it includes information about the user who performed the action, the exact date and time, and the identifier of the affected object. This information is crucial for detailed tracking of activities performed on critical data and resources within the organization''s technological infrastructure.

Monitoring 4660 events is essential to identify suspicious changes to file systems, such as unauthorized deletion or alteration of important files, which may be indicative of a security breach or malicious activity. By keeping these logs available for review, incident investigation and forensic analysis are facilitated, allowing the origins and scope of potential security compromises to be traced.

This report supports compliance with CMMC Level 3 control AU.3.045, by ensuring that the logs of critical events related to the manipulation of objects and system resources are accessible, well managed and prepared to be analyzed during security investigations, improving the organization''s ability to detect and respond to threats.', null, null, null, null, null, null, null, null, null, 509, true, 298, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Object Deletion', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (830, 'This report collects relevant information from the Windows logs generated by event 4776, which is triggered when there is an attempt to authenticate a user using a username and password in a network environment. This event is key to meeting CMMC Level 4 control AU.4.053, which requires enhancing audit logs with advanced forensic analysis capabilities to detect and respond to security incidents.

Event 4776 provides details about authentication attempts that were not successful. This information is crucial for identifying attack patterns, such as unauthorized access attempts, brute force attacks, or phishing attempts.

Monitoring this event with an advanced forensic approach allows security teams to perform deeper analysis on failed authentication attempts. For example, they can correlate multiple failed attempts from different locations, which could indicate a distributed attack or privilege escalation effort. Additionally, this event can provide valuable information to trace an attacker''s path through the network and improve incident response capabilities.

This report contributes to compliance with CMMC Level 4 control AU.4.053 by providing detailed analysis of failed authentication attempts and improving auditing capabilities through an advanced forensic approach. By doing so, it helps strengthen security by more effectively detecting and analyzing threats that could put the organization''s infrastructure at risk.', null, null, null, null, null, null, null, null, null, 509, true, 301, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Account Authentication Using NTLM', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (820, 'This report collects relevant information from the Windows logs generated by event 4738, which is triggered when a change is made to the user account information, such as modifying account attributes. This event is critical to comply with CMMC Level 1 control AU.1.001, which requires capturing and reviewing audit logs of changes to user accounts.

Event 4738 provides details about modifications made to an account. This information allows you to audit account changes and detect suspicious or unauthorized activity, such as unauthorized access to privileged accounts or alteration of critical accounts.

Monitoring changes to user accounts is essential to ensure the integrity of credentials and access permissions within the organization. This event helps identify whether changes were made in accordance with security policies and whether there were attempts to modify accounts without proper authorization.

This report supports compliance with AU.1.001 by ensuring that all changes to user accounts are appropriately recorded and monitored. By doing so, you help protect the organization''s infrastructure against unauthorized account manipulation, ensuring that logs are reviewed to identify potential security incidents and maintaining traceability of actions taken on user accounts.', null, null, null, null, null, null, null, null, null, 509, true, 308, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): User Account Attributes Changes', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (831, 'This report collects relevant information from the Windows logs generated by event 4771, which is triggered when a Kerberos authentication attempt fails due to a problem with the user''s credentials. This event is critical to meeting CMMC Level 4 control AU.4.053, which requires enhancing audit logs with advanced forensics capabilities to detect and respond to security incidents.

Event 4771 provides details about failed Kerberos authentication attempts. This information is valuable in identifying attack patterns, such as unauthorized access attempts, brute force attacks, or issues related to system configuration.

Monitoring this event with an advanced forensic approach allows security teams to perform a thorough analysis of failed authentication attempts, helping to identify potential spoofing or privilege escalation attempts. Additionally, event 4771 allows failed attempts to be correlated with other security events on the network, providing broader context to detect persistent threats and suspicious activity.

This report contributes to compliance with CMMC Level 4 control AU.4.053 by providing a detailed analysis of failed Kerberos authentication attempts. By improving audit logs and using advanced forensics, the organization can improve its ability to detect and respond to security incidents more effectively, strengthening protection against unauthorized access and attacks.', null, null, null, null, null, null, null, null, null, 509, true, 310, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Kerberos pre-authentication failed', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (839, e'The Windows Account Logon Failure Report provides a consolidated overview of failed logon attempts, playing a vital role in compliance within the Banking Audit framework. This report enables organizations to monitor, detect, and address unauthorized access attempts, ensuring the protection of sensitive financial systems and data.
• Banking Regulations: Supports compliance with financial regulations, such as the Safeguards Rule under GLBA, by demonstrating measures to prevent unauthorized access to customer data.
• Access Control: Tracks failed logon attempts to identify potential unauthorized access or brute force attacks, aligning with PCI DSS Requirement 10 for monitoring access control events.
• Audit Readiness: Provides evidence of failed access attempts, contributing to the transparency required by standards like SOC2 Type 2 and ISO 27001, ensuring security incidents are logged and reviewed.
• Incident Response: Enhances threat detection by identifying patterns of failed logon attempts, enabling organizations to respond to suspicious activity promptly.
• Data Protection: Aligns with global frameworks such as GDPR Article 32, showcasing controls that prevent unauthorized access to financial systems, protecting sensitive customer data.

By centralizing data on logon failures, this report empowers organizations to enhance their security posture, reduce the risk of data breaches, and comply with stringent banking audit requirements.', null, null, null, null, null, null, null, null, null, 703, true, 266, 'TEMPLATE', null, null, 'Windows Account Logon Failure', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (862, e'The Windows Account Logon Success Report provides a detailed record of successful logon events, capturing essential data such as the user account, timestamp, source IP address, and authentication method. This report is a critical compliance tool within the Banking Audit framework, ensuring traceability of access to sensitive financial systems and supporting regulatory requirements.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, ensuring visibility into authorized system access to protect customer information and financial data.
• Access Control Compliance: Supports compliance with PCI DSS Requirement 8, validating that only authorized users gain access to critical systems through secure authentication processes.
• Audit Readiness: Tracks successful logons, providing evidence for frameworks like SOC2 Type 2 and ISO 27001, ensuring accountability and secure access management.
• Threat Detection: Identifies unusual access patterns, such as logons from unexpected geographic locations, which could indicate compromised credentials.
• Data Protection: Ensures compliance with GDPR Article 32, demonstrating controls that prevent unauthorized access to systems containing sensitive financial data.', null, null, null, null, null, null, null, null, null, 701, true, 265, 'TEMPLATE', null, null, 'Windows Account Logon Success', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (819, 'This report collects relevant information from the Windows logs generated by event 4724, which is triggered when a system administrator attempts to reset the password for a user account. This event is crucial to comply with CMMC Level 1 control AU.1.001, which requires capturing audit logs for review.

Event 4724 provides details about password reset attempts. This information allows you to track and audit changes to user account credentials, which is essential for identifying unauthorized access or malicious behavior.

Monitoring password reset attempts is vital to detect suspicious activity, such as attempts to bypass security controls, abuse of administrative privileges, or unauthorized access to critical accounts. This event also helps ensure that password change policies are followed appropriately.

This report contributes to compliance with AU.1.001 by ensuring that all password reset attempts are recorded, monitored, and reviewed. By doing so, it helps protect the integrity of access credentials, ensuring that control over access to critical systems and resources is maintained, strengthening the security of the organization''s infrastructure.', null, null, null, null, null, null, null, null, null, 509, true, 312, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): Password Reset Attempts', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (844, 'The Windows User Accounts Created Report provides a detailed record of all user account creation events in the system. 
This report plays a vital role in ensuring compliance within the Banking Audit framework by monitoring and controlling user account management processes to protect sensitive financial systems.', null, null, null, null, null, null, null, null, null, 703, true, 267, 'TEMPLATE', null, null, 'Windows User Accounts Created', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (828, 'This report compiles relevant information from the Windows logs generated by event 5158, which is triggered when a new network connection is allowed through a specific port on a system. This event is essential to comply with CMMC Level 3 control AU.3.045, which requires ensuring that logs are available for security investigations.

Event 5158 provides details about established network connections. Additionally, event 5158 shows whether the connection was allowed or blocked by system security policies, which is key to detecting unauthorized access or anomalous behavior in the network infrastructure.

Monitoring 5158 events is crucial to track the flow of information and accesses through the network, allowing you to identify suspicious connection attempts, possible vulnerabilities or malicious activities, such as a privilege escalation attack or lateral movement within the network. By keeping these logs available, organizations can conduct effective investigations in the event of a security incident, analyzing the source, connection type, and impact of any unauthorized access.

This report supports compliance with CMMC Level 3 control AU.3.045, ensuring that detailed logs on network connections are adequately stored, accessible and are part of the investigation process for potential incidents, strengthening threat response capacity and improving security. security on the corporate network.', null, null, null, null, null, null, null, null, null, 509, true, 313, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Windows Connection blocked by Windows Firewall', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (836, 'This report collects relevant information from the Windows logs generated by event 4647, which is triggered when a user actively logs out of the system. This event is key to compliance with CMMC Level 1 control AU.1.001, which requires the capture of audit logs for review.

Event 4647 provides details about a user''s logout action. The collection of these logs is essential to monitor user activities within systems and ensure that sessions are closed correctly, which is a preventative measure against unauthorized or unmonitored access.

Analyzing these logs allows security teams to detect anomalous activities, such as logouts at unexpected times or by unauthorized users, which could indicate potential security breaches. Furthermore, having a clear record of logout events is crucial for conducting complete audits, especially in forensic investigation situations related to security incidents.

This report supports the audit policies established at CMMC Level 1, ensuring that logs related to user login and logout are appropriately collected and reviewed. In this way, it contributes to greater visibility and control over user actions within the system, helping to detect possible threats and ensure compliance with security regulations.', null, null, null, null, null, null, null, null, null, 509, true, 351, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): User Account Logoff', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (837, 'This report compiles relevant information from the Windows logs generated by event 4005, which is activated when the system registers a failure in a user''s login to the system. This event is essential to comply with CMMC Level 3 control AU.3.045, which requires that logs be available for security investigations in the event of incidents.

Event 4005 provides details about failed login attempts. Monitoring these events allows security teams to identify possible threats and take preventive measures in situations that may put the integrity of the infrastructure at risk.

The availability of these logs is essential to enable detailed investigations in the event of a security incident, such as an unauthorized access attempt or a targeted attack on the IT infrastructure. The information from event 4005 allows you to trace failed login attempts, helping to identify vulnerabilities or security gaps that can be exploited.

This report contributes to compliance with CMMC Level 3 control AU.3.045 by ensuring that logs of failed login attempts are stored and accessible for review in the context of security incident investigations. This improves threat detection capabilities and facilitates rapid response to potential security breaches.', null, null, null, null, null, null, null, null, null, 509, true, 352, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Unexpected Logon Process Termination', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (863, e'The Windows Account Logon Failure Report provides detailed logs of unsuccessful login attempts, capturing key information such as the user account, timestamp, source IP address, and failure reason. This report is critical for compliance within the Banking Audit framework, ensuring visibility into unauthorized access attempts and supporting security and regulatory requirements.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, ensuring oversight of failed logon attempts to detect and mitigate potential threats to financial systems and sensitive customer data.
• Access Control Compliance: Supports compliance with PCI DSS Requirement 10, which mandates logging and monitoring of access attempts to detect unauthorized activities.
• Audit Readiness: Tracks failed logon events, providing traceability for frameworks like SOC2 Type 2 and ISO 27001, ensuring accountability in access control management.
• Threat Detection: Identifies patterns of suspicious behavior, such as brute force attacks, password spraying, or repeated failed logins from specific locations.
• Data Protection: Ensures compliance with GDPR Article 32, demonstrating controls that restrict and monitor unauthorized attempts to access systems containing sensitive financial data.', null, null, null, null, null, null, null, null, null, 701, true, 266, 'TEMPLATE', null, null, 'Windows Account Logon Failure', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (945, 'This report gathers relevant information from the logs of Windows event 4672, which is generated when a user logs on with administrative or high-level privileges. This event is crucial to verify compliance with CMMC''s Level 1 requirement (AU.1.001), which establishes the obligation to capture logs of basic security events. Event 4672 provides a detailed log of activities performed by elevated users, allowing access and usage of administrative accounts to be audited. 
Capturing and analyzing these logs makes it easier to detect unauthorized access or unusual activities, improving monitoring capabilities and responding effectively to potential security incidents, thereby ensuring that auditing and monitoring practices are aligned with CMMC requirements.', null, null, null, null, null, null, null, null, null, 513, true, 278, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Special privileges assigned to new logon', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (947, 'This report gathers relevant information from the logs of Windows event 4719, which is generated when the system audit policy configuration is modified. This event is crucial to verify compliance with CMMC''s Level 2 requirement (AU.2.041), which requires retention of audit logs for security events. Altering audit policies may indicate attempts to evade detection of malicious activity or unauthorized administrative changes. 
Analysis of these events allows you to monitor the integrity of security logs, ensure traceability of changes, and strengthen the monitoring capabilities necessary to comply with CMMC standards.', null, null, null, null, null, null, null, null, null, 513, true, 280, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.041): Policy changes', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (949, 'This report compiles relevant information from the logs of Windows event 4688, which is generated when a new process is created in the system. This event is essential to verify compliance with CMMC''s Level 3 requirement (AU.3.045), which requires auditing of key events for compliance and incident response. Monitoring these logs allows you to track process execution, identify suspicious activity, and provide visibility into potential threats or malicious actions within the environment. 
By analyzing this data, organizations can strengthen their detection, response and compliance capabilities, ensuring effective security incident management.', null, null, null, null, null, null, null, null, null, 513, true, 284, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Process Creation', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (948, 'This report collects relevant information from the logs of Windows event 4907, which is generated when the audit policy retention configuration is modified. This event is essential to verify compliance with CMMC''s Level 2 requirement (AU.2.041), which requires the retention of audit logs for security events. Monitoring this event can detect changes in the way records are stored and retained, which can impact an organization''s ability to track security incidents and meet regulatory requirements. 
Analyzing these logs helps ensure audit integrity and the availability of critical data for security investigations and reviews.', null, null, null, null, null, null, null, null, null, 513, true, 291, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.041): Restoration of default security policies', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (946, 'This report collects relevant information from the logs of Windows event 1102, which is generated when the system audit log is deleted. This event is essential to verify compliance with the CMMC Level 2 requirement (AU.2.041), which requires the retention of audit logs for security events. Detecting and documenting audit log deletion is key to ensuring data integrity and preventing attempts to hide malicious activity. 
The analysis of these events allows us to identify possible evidence manipulation attempts, strengthening the system''s ability to maintain reliable traceability and comply with the security standards required by CMMC.', null, null, null, null, null, null, null, null, null, 513, true, 295, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.041): Cleaned Event Log', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (954, 'This report collects relevant information from the logs of Windows event 4776, which is generated when an authentication attempt on the domain controller is processed by NTLM. This event is essential to verify compliance with CMMC''s Level 4 requirement (AU.4.052), which emphasizes improving audit logs for advanced threat detection. By analyzing these events, it is possible to identify suspicious authentication patterns, such as repeated failed login attempts or authentications from unusual locations, which may indicate attack attempts such as brute force or lateral movement within the network. 
The correlation of this data with other sources of events allows us to improve threat detection and strengthen the security of the infrastructure, facilitating rapid and automated responses to possible compromises.', null, null, null, null, null, null, null, null, null, 513, true, 301, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.052): Account Authentication Using NTLM', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (953, 'This report compiles relevant information from the logs of Windows event 4689, which is generated when a process ends in the system. This event is key to verify compliance with CMMC''s Level 4 requirement (AU.4.052), which emphasizes improving audit logs to support advanced threat detection. By monitoring process termination, you can identify anomalous behavior, possible security evasion attempts, or the unexpected termination of critical processes. 
The analysis of these logs, combined with advanced correlation and threat detection techniques, allows you to strengthen the security of your environment, respond more quickly to potential incidents, and improve your ability to defend against sophisticated attacks.', null, null, null, null, null, null, null, null, null, 513, true, 302, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.052): Process Termination', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (950, 'This report gathers relevant information from the logs of Windows event 4697, which is generated when a service is installed on the system. This event is key to verifying compliance with CMMC''s Level 3 requirement (AU.3.045), which requires auditing of critical events for compliance and incident response. Installing new services can indicate legitimate configurations, but can also be a sign of malicious activity, such as malware persistence or lateral movements within the network. 
By analyzing these logs, organizations can identify unauthorized changes, improve threat detection, and strengthen their ability to respond to potential security incidents.', null, null, null, null, null, null, null, null, null, 513, true, 305, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Service Installed', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1025, 'This report consolidates key information from logs generated by the FileAccessed event in Office 365, providing detailed insight into file accesses in environments such as OneDrive and SharePoint. It is intended to support CMMC Level 1 (AU.1.001) compliance, which requires capturing audit logs for basic security events.

Logging these events is critical to establishing information traceability, assisting in the investigation of security incidents, and ensuring compliance with auditing and data protection policies. Additionally, this report provides a foundation for future improvements in the security and monitoring of the organization''s digital environment.', null, null, null, null, null, null, null, null, null, 513, true, 325, 'TEMPLATE', null, null, 'Office 365 Level 1 (AU.1.001): File Accessed', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (944, 'This report collects relevant information from the logs of Windows event 4634, which is generated when a user logs out of a system. This event is essential for verifying compliance with CMMC''s Level 1 requirement (AU.1.001), which establishes the need to capture logs of basic security events. Event 4634 provides important data about user sessions, allowing organizations to monitor and audit login and logout activities. 
Capturing these logs ensures traceability of user actions and helps identify potential suspicious or unusual behavior, contributing to overall system security and compliance with CMMC audit controls.', null, null, null, null, null, null, null, null, null, 513, true, 350, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Account Logoff', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (955, 'This report compiles and presents key information from the Windows event 4826 logs, focused on the modification of system security settings. Event 4826 is related to the loading of the "Boot Configuration Data" (BCD) and is crucial to detect any attempted changes to security settings that may compromise the integrity of the operating system, such as enabling or disabling advanced protection options.

This type of information is essential to comply with CMMC Level 4 (AU.4.052), which requires strengthening audit logs to support advanced threat detection. The report provides details on changes to configurations such as advanced options, access policies, and kernel and virtualization debugging settings, among others, helping to identify anomalous behavior and potential threats.

The analyzed logs and their corresponding alerts allow a better correlation of events and improve the response capacity to incidents related to unauthorized modifications to the system''s security, which is essential to improve the security posture in highly sensitive environments, such as those that handle CUI (Controlled Unclassified Information).', null, null, null, null, null, null, null, null, null, 513, true, 366, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.052): BitLocker Settings Modification Attempts', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1026, 'This report compiles key information from logs generated by the FileDeleted event in Office 365, providing visibility into file deletion on platforms such as OneDrive and SharePoint. Its purpose is to support CMMC Level 1 (AU.1.001) compliance, which requires the capture of audit logs for basic security events.

The report documents essential details that enable security administrators to track file deletion activities, identify accidental or malicious actions, and prevent the loss of critical information.

Maintaining an accurate record of these events is critical for information traceability, incident investigation, and enforcement of security controls. Additionally, this report can contribute to the improvement of data access and retention policies within the organization, ensuring better information management and regulatory compliance.', null, null, null, null, null, null, null, null, null, 513, true, 394, 'TEMPLATE', null, null, 'Office 365 Level 1 (AU.1.001): File Deleted', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1029, 'This report compiles relevant information from the logs generated by the SharingSet event in Office 365, providing visibility into file and folder sharing actions within the SharePoint and OneDrive environment. Its goal is to support CMMC Level 2 (AU.2.041) compliance, which requires audit log retention for security events, ensuring traceability of information access and sharing within the organization.

The report documents key data whose log retention is critical for security and compliance, allowing organizations to identify potential exposures of sensitive data, detect unauthorized sharing, and improve monitoring of access to critical information. This data also facilitates incident response, risk assessment, and the implementation of more effective access controls to protect the confidentiality of information.', null, null, null, null, null, null, null, null, null, 513, true, 395, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.041): Sharing Set', ''); 
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1030, 'This report gathers relevant information from the logs generated by the FileSyncDownloadedFull event in Office 365, which records when a user downloads a full file from SharePoint or OneDrive using file synchronization. Its purpose is to support compliance with CMMC Level 2 (AU.2.041), which requires the retention of audit logs for security events, ensuring traceability of interactions with the organization''s critical data.

The report provides key details that allow identifying access patterns, detecting suspicious downloads of confidential information, and setting alerts for possible data exfiltrations.

Retaining these logs is essential for security and regulatory compliance, as it facilitates incident investigation, information access control, and the implementation of data protection strategies. By maintaining a detailed audit of these events, organizations can reinforce their security policies and mitigate risks associated with the loss or leakage of sensitive information.', null, null, null, null, null, null, null, null, null, 513, true, 396, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.041): File Synchronization', ''); 
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1028, 'This report compiles relevant information from the logs generated by the Add-MailboxPermission event in Office 365, providing visibility into the assignment of permissions on mailboxes within the Exchange Online environment. Its objective is to support compliance with CMMC Level 2 (AU.2.041), which requires the retention of audit logs for security events, ensuring the traceability of access and modifications in systems.

The report documents key data that allows you to detect suspicious activities, identify unauthorized changes to mailbox permissions, and strengthen your ability to respond to potential security incidents.

Retaining these events in audit logs is essential to ensure regulatory compliance, provide evidence in security investigations, and improve internal access controls to confidential information. In addition, it allows administrators to effectively monitor and manage access to corporate mailboxes, minimizing risks associated with the exposure of sensitive data.', null, null, null, null, null, null, null, null, null, 513, true, 397, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.041): Mailbox Permission Assigning', ''); 
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1027, 'This report compiles relevant information from the logs generated by the FileRenamed event in Office 365, providing visibility into file renaming on platforms such as OneDrive and SharePoint. It is intended to support CMMC Level 1 (AU.1.001) compliance, which requires the capture of audit logs for basic security events.

The report documents key data that allows security administrators to monitor file modifications, detect possible attempts to conceal suspicious activities, and ensure the integrity of stored information.

Logging and analyzing these events is crucial for data traceability, identifying potential security incidents, and maintaining a secure and compliant work environment. Additionally, this report can be used to enforce change control policies and improve document management within the organization.', null, null, null, null, null, null, null, null, null, 513, true, 398, 'TEMPLATE', null, null, 'Office 365 Level 1 (AU.1.001): File Renamed', ''); 
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1031, 'This report collects relevant audit events associated with the use of the SendOnBehalf permission in Office 365. The SendOnBehalf event indicates when a user has sent an email message on behalf of another user, which may involve sensitive activities within the organization.

Analyzing these logs helps verify that logs related to SendOnBehalf activity are maintained appropriately and available for review. This is critical to meeting the security log retention requirements set out in CMMC Level 2, which requires audit logs to be maintained to facilitate the detection of inappropriate activities and ensure the integrity of operations.', null, null, null, null, null, null, null, null, null, 513, true, 399, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.041): Email access', ''); 
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (970, 'This report gathers relevant information from the logs of Windows Security Auditing event 5145 (A network share object was accessed), used to verify compliance with CMMC Level 4 (SC.4.229), which requires the improvement of cryptographic protections through advanced tools. Event 5145 is triggered when a shared object is accessed on the network, and its analysis allows monitoring how sensitive data is protected and accessed, especially those protected by cryptographic mechanisms. This type of access is crucial to verify if information, including CUI, is properly handled with encryption both at rest and in transit, using advanced tools that ensure the confidentiality and integrity of the data.

This report helps identify unauthorized access, potential vulnerabilities in encryption tools, and ensures that cryptographic policies are properly enforced and verified in environments that handle critical information.', null, null, null, null, null, null, null, null, null, 515, true, 275, 'TEMPLATE', null, null, 'Windows Level 4 (SC.4.229): Access to shared resource', ''); 
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (969, 'This report collects and analyzes Windows Security Auditing ID 4672 (Special Privileges Assigned to New Logon) events, used to verify compliance with CMMC Level 3 (SC.3.177), which requires the implementation of cryptographic protections for Controlled Unclassified Information (CUI). Event 4672 is crucial because it indicates when an account is granted special administrative privileges upon login, which could include access to security settings, cryptographic keys, and encryption mechanisms for data in transit and at rest. Its analysis allows you to identify accounts with access to critical encryption operations, detect possible improper access or changes in encryption policies and correlate this event with other security logs, such as 5061 – Cryptographic Operation and 1102 – Audit Log Cleared, to identify attempts to manipulate encryption or audit evasion. This ensures the correct assignment and monitoring of administrative privileges in environments that manage CUI, helps prevent unauthorized access to cryptographic configurations, and allows effective auditing of critical events related to data security. 
In this way, this report contributes to strengthening the security posture and compliance with the requirements of CMMC Level 3 (SC.3.177), ensuring the confidentiality and integrity of the CUI.', null, null, null, null, null, null, null, null, null, 515, true, 278, 'TEMPLATE', null, null, 'Windows Level 3 (SC.3.177): Special privileges assigned to new logon', ''); 
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (973, 'This report compiles relevant information from the logs of Windows Security Auditing event 1102 (Audit log cleared), used to verify compliance with CMMC Level 4 (SC.4.229), which seeks to improve cryptographic protections with advanced tools. Event 1102 is generated when the security audit log is deleted, which could affect the integrity of cryptographic tools and processes that protect sensitive information, including Controlled Unclassified Information (CUI). Monitoring these types of events is essential to detect attempts to tamper with or delete audit logs, which could include activities related to the use of cryptography or key management. 
This report provides visibility into actions that may compromise the traceability of crypto-related events, allowing administrators to take immediate action if an anomaly is identified that puts the security and integrity of the organization''s cryptographic infrastructure at risk.', null, null, null, null, null, null, null, null, null, 515, true, 295, 'TEMPLATE', null, null, 'Windows Level 4 (SC.4.229): Cleaned Event Log', ''); 
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (974, 'This report compiles relevant information from the logs of Windows Security Auditing event 4616 (The system time was changed), used to verify compliance with CMMC Level 4 (SC.4.229), which seeks to improve cryptographic protections with advanced tools. Event 4616 is generated when a change is made to the system time, which can affect the validation and synchronization of cryptographic certificates, encryption keys, and other components essential to cryptographic security. An unauthorized change to the system time could compromise the integrity of cryptographic tools and affect the protection of sensitive information, including CUI (Controlled Unclassified Information). Monitoring this event is crucial to detect alterations in time synchronization, which is essential for the correct implementation and verification of cryptographic policies, ensuring that encrypted communications and data are not compromised. 
This report allows you to identify any deviations that may interfere with security controls related to cryptography.', null, null, null, null, null, null, null, null, null, 515, true, 303, 'TEMPLATE', null, null, 'Windows Level 4 (SC.4.229): System Time Settings Changes', ''); 
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (972, 'This report compiles relevant information from the logs of Windows Security Auditing event 1058 (Group Policy Management: The system failed to apply Group Policy settings), used to verify compliance with CMMC Level 4 (SC.4.229), which requires improving cryptographic protections using advanced tools. This event is raised when the system is unable to enforce a group policy, which could include policies related to cryptography settings and key management. The information contained in this log is key to monitoring possible failures in the implementation of cryptographic policies, ensuring that information protection policies, especially those related to CUI (Controlled Unclassified Information), are applied correctly. 
The report can be used to identify problems in the application of configurations that could affect the integrity of advanced cryptographic tools, facilitating early intervention to correct erroneous configurations and maintain the appropriate level of cryptographic protection for sensitive information.', null, null, null, null, null, null, null, null, null, 515, true, 344, 'TEMPLATE', null, null, 'Windows Level 4 (SC.4.229): Application of Group Policies Errors', ''); 
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (971, 'This report compiles relevant information from the logs of Windows Security Auditing event 4826 (Cryptographic operation performed), used to verify compliance with CMMC Level 4 (SC.4.229), which requires improving cryptographic protections using advanced tools. Event 4826 is triggered when a cryptographic operation is performed on the system, such as encryption, decryption, or validation of cryptographic signatures. This logging is essential to monitor the use and integrity of cryptography tools deployed in the environment, especially those that protect sensitive information, such as CUI (Controlled Unclassified Information). By analyzing these events, it can be verified that cryptographic operations are being carried out in accordance with established policies, ensuring that the cryptographic technologies and algorithms used are appropriate and that advanced tools are working correctly to protect data both at rest and in transit. 
In addition, it can be identified whether cryptographic operations are carried out properly, without vulnerabilities or poor configurations that could compromise the protection of confidential information.', null, null, null, null, null, null, null, null, null, 515, true, 366, 'TEMPLATE', null, null, 'Windows Level 4 (SC.4.229): BitLocker Settings Modification Attempts', ''); 
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (975, 'This report consolidates and analyzes Windows log event ID 36874, generated by Schannel when a TLS connection attempt fails due to a lack of compatibility between the ciphers supported by the client and the server. The information collected is key to verify compliance with CMMC Level 3 control SC.3.177, which requires the implementation of cryptographic protections for controlled unclassified information (CUI). The analysis of these events makes it possible to identify failed TLS connection attempts, evaluating whether the encryption algorithms in use meet the required security standards, detect insecure configurations, such as the absence of modern protocols or the use of obsolete cipher suites, and verify the integrity of the communication channel, ensuring that information in transit is protected against unauthorized access and man-in-the-middle (MITM) attacks. 
This report is essential for the audit and optimization of cryptographic mechanisms in the organization, ensuring that the transmission of CUI is carried out under adequate security standards.', null, null, null, null, null, null, null, null, null, 515, true, 374, 'TEMPLATE', null, null, 'Windows Level 3 (SC.3.177): TLS protocol Errors', ''); 
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (976, 'This report consolidates and analyzes Windows registry ID 5061 events generated when cryptographic operations are performed on the system, such as accessing, using, or modifying keys stored in security providers. The information collected is key to verify compliance with CMMC Level 4 control SC.4.229, which requires the improvement of cryptographic protections through advanced tools. This analysis allows monitoring the use of cryptographic keys, identifying unauthorized or unusual access that may compromise the security of the information, verifying the integrity and correct implementation of encryption algorithms in the system, ensuring that the keys used comply with the required security standards, and detecting possible attempts at exploitation or misuse of protected keys within the security environment. 
This report provides visibility into critical cryptographic operations, allowing you to defense strengthens against advanced threats and ensuring effective protection of controlled unclassified information (CUI).', null, null, null, null, null, null, null, null, null, 515, true, 375, 'TEMPLATE', null, null, 'Windows Level 4 (SC.4.229): Protected Files Decryption', ''); 
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (977, 'This report presents an analysis of Windows activity logs to demonstrate that the SIEM monitors third-party risks, in compliance with CMMC requirements. Through the collection and analysis of logs, access, changes in privileges, process execution and data manipulation are monitored in systems that manage CUI.

Monitoring allows you to identify unauthorized access, detect suspicious activities and verify that third parties comply with established security policies. In addition, event triggering mechanisms and automatic alerts are implemented to respond to possible threats in real time.

This approach reinforces CMMC compliance, ensuring effective oversight of third parties and reducing the risks associated with their access to critical systems. The information presented demonstrates that the SIEM contributes to the protection of sensitive data and the strengthening of security in Windows environments.', null, null, null, null, null, null, null, null, null, 516, true, 376, 'TEMPLATE', null, null, 'Windows Activity Monitoring', ''); 
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (755, 'This report compiles relevant information from the Windows logs generated by event 4720, which is triggered when a user account is created on the system. This event is essential to comply with CMMC control SI.2.216, which requires the detection of malicious code and effective response to malware infections.

Event 4720 provides details about the creation of new user accounts, which may be an indication of suspicious activity, such as the creation of unauthorized accounts by an attacker or malware. Some malware infections involve the creation of user accounts to facilitate persistent access to the compromised system.

This report helps identify the creation of unexpected or unauthorized user accounts, which may be a sign that the system has been compromised. By detecting these types of events early, security teams can quickly investigate the cause and take steps to mitigate any potential threats. Additionally, it contributes to CMMC compliance by ensuring that actions related to the creation of user accounts are appropriately monitored and managed to prevent potential malware infections.', null, null, null, null, null, null, null, null, null, 502, true, 267, 'TEMPLATE', null, null, 'Windows Level 2 (SI.2.216): User Accounts Created', null); 
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (978, 'This report presents a detailed analysis of the security events recorded by Bitdefender GravityZone in Windows environments, with the objective of demonstrating effective monitoring of third-party risks, in accordance with the requirements of the Cybersecurity Maturity Model Certification (CMMC).

Analysis includes detecting and monitoring unauthorized access, port scans, exploitation attempts, changes to security configurations, and other suspicious activity generated by users, devices, or third-party services interacting with critical systems. Key events related to real-time protection, firewalls, and intrusion prevention mechanisms are examined, providing visibility into external threats that could compromise information integrity.

Through the correlation of logs in the SIEM, a rapid response to anomalies is ensured and an audit history is generated that allows evaluating the effectiveness of the implemented controls. This report supports CMMC compliance by ensuring that third-party activities are continually monitored and alerts are triggered for any deviation from established security policies.', null, null, null, null, null, null, null, null, null, 516, true, 377, 'TEMPLATE', null, null, 'Bitdefender Activity Monitoring', ''); 
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (979, 'This report demonstrates how the SIEM monitors and analyzes activity logs on Linux servers with the objective of monitoring risks associated with third parties, in compliance with CMMC guidelines. The events captured in the systems are presented, allowing the identification of accesses, changes in critical configurations, unusual activities and possible security threats.

Analyzing these logs can detect anomalous behavior, such as unauthorized access attempts, modifications to key files, and suspicious system activity. Likewise, relevant details are included such as the affected host, IP addresses involved, type of logged events, log messages and occurrence times, providing visibility into third-party activity in the Linux environment.

This monitoring is essential to ensure information security and compliance with CMMC controls, ensuring that third parties interacting with the systems are effectively monitored and that any suspicious activity is identified and managed in a timely manner.', null, null, null, null, null, null, null, null, null, 516, true, 378, 'TEMPLATE', null, null, 'Linux Activity Monitoring', ''); 
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (980, 'This report presents a detailed analysis of firewall logs with the goal of demonstrating that the SIEM monitors third-party risks in Windows environments, meeting CMMC requirements. Key events such as incoming and outgoing network traffic, unauthorized access, suspicious DNS queries, and other security activities that may indicate potential threats are examined.

Through the collection and correlation of these logs, continuous surveillance of third-party connections is ensured, allowing early detection of anomalous behavior and the application of mitigation measures. Monitoring includes information about source and destination IP addresses, ports, protocols used, policies applied, and security events detected.

This monitoring contributes to the identification and reduction of risks associated with external suppliers and access to critical systems, aligning with the best cybersecurity practices established by the CMMC.', null, null, null, null, null, null, null, null, null, 516, true, 380, 'TEMPLATE', null, null, 'Firewall Activity Monitoring', ''); 
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (981, 'This report aims to demonstrate that the security information and event management (SIEM) system effectively monitors user activities in Office 365, with an emphasis on identifying and mitigating risks associated with third parties. Through the analysis of the logs generated by Office 365, detailed information is recorded about the operations carried out, such as access to mailboxes, user activity and communications with external sources. Critical data, such as access IP addresses, actions taken (such as access to mail items), and validation of the operation (whether it was successful or not), allow comprehensive monitoring of third-party risks and verification that these accesses comply with established security policies.

Event monitoring in Office 365 aligns with CMMC (Cybersecurity Maturity Model Certification) practices, especially regarding external user access monitoring, authentication, and protection of sensitive data. This ensures that third party activities are recorded, analyzed and evaluated to meet critical data protection requirements, especially those related to access to CUI (Controlled Unclassified Information).', null, null, null, null, null, null, null, null, null, 516, true, 381, 'TEMPLATE', null, null, 'Office 365 Activity Monitoring', ''); 
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (982, 'This report is intended to demonstrate that the SIEM system monitors third-party risks in AWS environments, in compliance with the security requirements established by CMMC for Windows systems. The SIEM is configured to analyze and correlate activity logs from AWS, specifically CloudTrail events, to detect potential threats, unauthorized access, and anomalous behavior on the monitored infrastructure. Continuous monitoring of AWS logs through the SIEM allows us to detect third-party risks in the infrastructure, aligning with the CMMC security guidelines for the protection of Windows systems. 
Proactive access and configuration monitoring helps mitigate vulnerabilities and ensure the integrity of cloud environments.', null, null, null, null, null, null, null, null, null, 516, true, 382, 'TEMPLATE', null, null, 'AWS Activity Monitoring', ''); 
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (983, 'This report aims to demonstrate third-party risk monitoring in Windows environments within the Azure infrastructure, in compliance with CMMC (Cybersecurity Maturity Model Certification) requirements. The security monitoring system analyzes events generated in Azure, recording administrative activities, accesses and modifications to critical resources. Logs of operations on virtual machines, computing resources, storage and networks are collected and analyzed to detect possible threats and unauthorized access. The main data sources analyzed include Azure Activity Logs, which record administrative activities; Azure Security Center Logs, which contain security events related to access and configurations; and Azure AD Logs, which monitor suspicious authentications and logins.

Key data analyzed include the type of action performed, the user ID and source IP, the affected resource, the status of the operation, and the correlation ID for tracking and auditing. Thanks to the analysis of these logs, risks such as access from suspicious IP addresses, administrative operations outside established hours and changes in virtual machine configurations without authorization have been identified and mitigated.

Active monitoring of activity logs in Azure helps ensure the security of Windows systems, reducing risks associated with third parties and complying with CMMC guidelines for the protection of data and resources in the cloud.', null, null, null, null, null, null, null, null, null, 516, true, 383, 'TEMPLATE', null, null, 'Azure Activity Monitoring', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (787, 'This report collects relevant information from the Windows logs generated by event 4672, which is triggered when a user obtains elevated privileges when logging into the system. This event is crucial to comply with CMMC Level 3 control AC.3.027, which requires the implementation of measures to monitor and restrict the use of privileged access.

Event 4672 provides details about logins for users who have been granted elevated privileges, such as administrators or members of other groups with access to critical system functions. Monitoring this event is essential to ensure that privileged access is used appropriately and only by users authorized to perform specific tasks that require such privileges.

This report allows security teams to detect unauthorized access or inappropriate use of elevated privileges, whether by mistake or due to malicious behavior. It also helps identify potential risks related to abuse of administrative privileges, ensuring these are closely monitored to prevent uncontrolled access to sensitive systems.

Analysis of this event reinforces CMMC Level 3 compliance, as it helps ensure that the use of privileged access is strictly controlled and that any anomalies are detected in time, mitigating the risk of compromising system security. This type of monitoring contributes to implementing a more robust and efficient security strategy.', null, null, null, null, null, null, null, null, null, 508, true, 278, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.027): Special privileges assigned to new logon', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (791, 'This report compiles relevant information from the Windows logs generated by event 4688, which is triggered every time a new process is created on the system, providing crucial details about process execution attempts by users, including those with privileges. elevated. This event is key to comply with CMMC Level 3 control AC.3.027, which requires monitoring and restricting the use of privileged access.

Monitoring 4688 events allows administrators to detect when a potentially risky or unauthorized process is running on the system, especially when it is launched by a user with elevated privileges.

This report is essential for the early detection of suspicious activities, as it can identify attempts to run malicious programs or the execution of critical processes by users who should not have access to them. It also allows detecting anomalous behavior, such as the unauthorized use of administrative tools or the execution of commands that could compromise the security of the system.

By providing visibility into what processes are being executed and by whom, this report helps identify and restrict inappropriate use of elevated privileges, directly contributing to compliance with CMMC Level 3 AC.3.027. This monitoring is an essential tool for protecting systems. of possible risks related to the abuse of privileged access and strengthen security and access control policies.', null, null, null, null, null, null, null, null, null, 508, true, 284, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.027): Process Creation', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (599, 'This report compiles and presents relevant information about UserLoggedIn events in Office 365 logs, with the objective of verifying compliance with CMMC practice AC.1.001. Its purpose is to ensure that access to systems is limited to authorized users only, allowing logins to be monitored and audited on the platform.

The report includes details such as the user''s identity, source IP address, geographic location, and the number of accesses they have had. This information is essential to detect unauthorized access, evaluate authentication patterns, and reinforce security controls to protect organizational data and resources.', null, null, null, null, null, null, null, null, null, 510, true, 261, 'TEMPLATE', null, null, 'Office 365 Level 1 (AC.1.001): Account Logon Success', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (867, e'The Windows User Accounts Created Report provides a comprehensive log of all user account creation events within the system. This report is crucial within the Banking Audit framework to monitor, control, and document account creation, ensuring compliance with regulatory requirements and secure access management.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, ensuring oversight of account creation to safeguard sensitive financial systems and customer data.
• Access Control Compliance: Supports compliance with PCI DSS Requirement 7, mandating that only authorized personnel can create accounts and ensuring accounts are assigned appropriate access levels.
• Audit Readiness: Tracks account creation events to provide traceability and accountability, meeting requirements for frameworks like SOC2 Type 2 and ISO 27001.
• Incident Detection: Identifies unauthorized or suspicious account creation, which could indicate insider threats or compromised administrative credentials.
• Data Protection: Ensures compliance with GDPR Article 32, demonstrating controls to monitor and restrict the creation of user accounts that could expose sensitive financial data.', null, null, null, null, null, null, null, null, null, 701, true, 267, 'TEMPLATE', null, null, 'Windows User Accounts Created', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1199, 'This report assesses compliance with PCI DSS requirement 11.1.2, verifying that roles and responsibilities for security activities are documented, assigned, and understood.

By analyzing Windows 4732 events, changes to security groups are reviewed to ensure that privilege management is carried out in accordance with established policies. This allows for the detection of potential deviations and ensures the correct assignment of permissions within the monitored environment.', null, null, null, null, null, null, null, null, null, 810, true, 320, 'TEMPLATE', null, null, 'Windows Member Addition to a Security Local Group', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (790, 'This report compiles relevant information from the Windows logs generated by events 4673 and 4674, which are related to monitoring the activity of privileged accounts. Event 4673 is triggered when a privileged user attempts to access a sensitive action, while event 4674 signals the performance of a privileged type operation on a system. Both events are critical to complying with CMMC Level 3 control AC.3.027, which requires monitoring and restricting the use of privileged access in the IT infrastructure.

Event 4673 provides information about the initiation of an attempt to use elevated privileges, and event 4674 is associated with the actual execution of these actions, such as installing software, modifying critical configurations, or accessing sensitive information. Together, they provide detailed insight into how and when privileged users interact with the system, which is essential for detecting and preventing inappropriate uses of privileges.

This report contributes to security by identifying patterns of activity that could indicate privilege abuse or attempted exploitation of privileged accounts, allowing stricter controls to be applied to restrict unauthorized access and closely monitor critical actions performed by privileged users. . In addition, it is a key tool to ensure that security policies and segregation of privileges are respected, minimizing the risks of unwanted or malicious access.

Monitoring these events directly contributes to compliance with AC.3.027 of CMMC Level 3, improving the organization''s capabilities to restrict and monitor the use of privileged access, and ensuring that only authorized users can perform critical activities on the systems.', null, null, null, null, null, null, null, null, null, 508, true, 286, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.027): Use of Elevated Privileges', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (782, 'This report compiles relevant information from the Windows logs generated by event 4728, which is triggered when a user is added to a group with elevated privileges on the system. This event is key to complying with CMMC Level 2 control AC.2.007, which requires the implementation of the "least privilege" principle to ensure that users only have the permissions necessary to perform their tasks.

Event 4728 provides details about changes to user groups, particularly those related to the assignment of elevated privileges. By monitoring this event, organizations can check whether unauthorized or inappropriate changes are being made to user permissions, which could violate the principle of least privilege.

Detecting these changes is essential to ensure that users do not gain more privileges than necessary to perform their functions, thereby minimizing the risk of privilege abuse, unauthorized access, or privilege escalations. Additionally, constant monitoring of this event allows for rapid response to any attempts to assign excessive privileges to unauthorized users.

This report not only helps maintain tighter control over the assignment of privileges within the infrastructure, but also reinforces security practices based on the principle of least privilege, which is essential for CMMC Level 2 compliance.', null, null, null, null, null, null, null, null, null, 508, true, 316, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): Additions to Security Groups', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (783, 'This report compiles relevant information from the Windows logs generated by event 4729, which is triggered when a user is removed from a group with elevated privileges on the system. This event is key to complying with CMMC Level 2 control AC.2.007, which establishes the need to apply the principle of "least privilege" to ensure that users only have the permissions strictly necessary to perform their tasks.

Event 4729 provides details on changes affecting user groups, especially those linked to the removal of elevated privileges. By monitoring this event, organizations can verify that users are being appropriately removed from groups with additional privileges when they no longer need them or have a valid justification for maintaining them.

Monitoring and reviewing these types of events ensures that security is maintained within the IT infrastructure, minimizing the risk of privilege abuse or unauthorized access. Proper removal of excessive privileges is essential to prevent privilege escalations or improper access to sensitive systems and applications.

This report is essential to strengthen CMMC Level 2 compliance by ensuring that the principle of least privilege is consistently implemented and respected within the organization, reducing the risk of potential internal or external threats associated with unnecessary privileges.', null, null, null, null, null, null, null, null, null, 508, true, 317, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): Security Group Member Removal', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (784, 'This report compiles relevant information from the Windows logs generated by event 4732, which is triggered when a user is added to a group with elevated privileges on the system. This event is essential to comply with CMMC Level 2 control AC.2.007, which requires the implementation of the "least privilege" principle, ensuring that users are only given the permissions necessary to perform their tasks.

Event 4732 provides details about adding users to security groups, especially those with elevated privileges, such as administrators or users with access to sensitive resources. Monitoring this event allows organizations to ensure that users are not assigned to these groups without adequate justification and that permissions are granted only to those who truly need them to fulfill their functions.

Proper monitoring of this event is key to avoiding privilege overload within the IT infrastructure, which could result in the risk of unauthorized access or escalation of privileges. Reviewing and auditing the information contained in event 4732 ensures that the principle of least privilege is maintained and that the risk of improper access to sensitive systems or applications is minimized.

This report is essential for CMMC Level 2 compliance, as it ensures that permissions and privileges are appropriately managed and that the principle of least privilege is correctly implemented to prevent potential internal and external threats.', null, null, null, null, null, null, null, null, null, 508, true, 320, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): Member Addition to a Security Local Group', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (645, 'This report collects and analyzes security events identified by ID 4672 on Windows systems. Event 4672 records the assignment of special privileges to accounts during logon, providing relevant information for verifying compliance with HIPAA requirement 164.312(a)(1). This requirement establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that store or process ePHI (Electronic Protected Health Information). 
This report facilitates the identification of privileged access and contributes to the implementation and monitoring of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 278, 'TEMPLATE', null, null, 'Windows Special privileges assigned to new logon', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (785, 'This report compiles relevant information from the Windows logs generated by event 4733, which is triggered when a user is removed from a group with elevated privileges on the system. This event is essential to comply with CMMC Level 2 control AC.2.007, which requires the implementation and monitoring of the "least privilege" principle. This principle establishes that users should have only the permissions strictly necessary to perform their tasks, avoiding the unnecessary granting of elevated privileges.

Event 4733 provides details on removing users from elevated security groups, which is critical to properly managing access within the IT infrastructure. Monitoring this event ensures that users who no longer need special permissions are promptly removed from such groups, which helps prevent misuse of elevated privileges.

The analysis of this event allows us to detect possible violations of the principle of least privilege, such as the unauthorized permanence of a user in a privileged group, which could generate risks of unauthorized access to sensitive systems or resources. It is a preventative measure to minimize entry points into systems, ensuring that only users with a legitimate need maintain such privileges.

This report is key to CMMC Level 2 compliance, as it helps ensure that privilege management is carried out in a controlled manner and that access is appropriate, helping to prevent both internal and external threats.', null, null, null, null, null, null, null, null, null, 508, true, 321, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): Local Security Group Member Removal', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (792, 'This report compiles relevant information from Windows logs associated with Account Manipulation, Domain Policy Modification, Impair Defenses, and Account Access Removal alerts, which are key events for the detection and prevention of privilege escalation in the IT environment. This information is used to verify compliance with CMMC Level 4 control AC.4.028, which requires automation of privilege escalation detection.

Account Manipulation events include activities such as modifying user accounts, assigning roles and privileges, which may indicate attempts to gain elevated access in an unauthorized manner. Domain Policy Modification alerts reflect changes to domain policies that could allow privilege escalation at the network level, and Impair Defenses alerts detect modifications that affect security measures implemented to protect the system. Finally, Account Access Removal alerts record attempts to remove account access, which may be a sign of an attempt to cover the tracks of an attack.

Monitoring these events helps identify anomalous patterns or suspicious actions related to unauthorized elevation of privileges, which is crucial to preventing unauthorized access and potential security compromises. Automating the detection of these events ensures a faster and more accurate response to any attempted privilege escalation, minimizing the risk that an attacker can gain access to critical resources without being detected.

This report contributes significantly to compliance with AC.4.028 by providing a centralized, automated view of key events related to privilege escalation. By automating detection, you strengthen your organization''s security posture, enabling you to efficiently detect and mitigate privilege escalation attacks before they severely impact sensitive data and infrastructure.', null, null, null, null, null, null, null, null, null, 508, true, 347, 'TEMPLATE', null, null, 'Windows Level 4 (AC.4.028): Privilege Escalation Alerts', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (512, 'The SI.3.217 (Certificate Configuration Changes) control of the CMMC (Cybersecurity Maturity Model Certification) focuses on the management of changes in the configuration of digital certificates in systems. 
This control is essential to maintain confidence in security systems, especially in a business environment where data protection is critical.', null, null, null, null, null, null, null, null, null, 503, true, 304, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.217): Certificate Configuration Changes', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (525, 'This report gathers relevant information on events related to the creation of new user accounts on the system, specifically event 4720, which is generated when a user account is created in a Windows domain. The event provides details about the account created, including the username, creation time, and origin of the request.

The analysis of these events is crucial for compliance with Level 2 (SI.2.212) of the CMMC (Cybersecurity Maturity Model Certification), which establishes the need to implement mechanisms for real-time monitoring of security events. Creating new user accounts can be a critical security action as it could indicate an unauthorized access attempt or modification of system credentials.

Monitoring these events allows you to quickly detect unauthorized account creation, facilitating a proactive response to potential security threats. This report helps ensure that all actions related to user creation are audited and available for review in real time, improving the organization''s ability to detect and respond to potential security incidents in a timely manner.

By constantly tracking account creation events, you ensure that the organization is aligned with security policies and best practices for identity and access management, strengthening the overall security posture.', null, null, null, null, null, null, null, null, null, 503, true, 267, 'TEMPLATE', null, null, 'Windows Level 2 (SI.2.212): User Accounts Created', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (530, 'This report compiles relevant information about event 4726 in the Windows logs, which is generated when a user account is deleted from the system. Deleting user accounts is a critical action that can be related to both legitimate account management and malicious behavior or insider attacks.

In the context of CMMC Level 3 (SI.3.217), monitoring event 4726 is crucial to identify any suspicious activity that may indicate an attack or system tampering. An attacker who has gained elevated privileges could delete user accounts to hide their tracks or prevent administrators from accessing certain resources or identifying their actions.

Analysis of this event helps detect unauthorized actions in the system, such as the deletion of accounts that have not been properly managed or that do not comply with internal security policies. Additionally, it can identify unusual patterns, such as deleting user accounts at atypical times or locations, which could be indicative of internal attacks or external malicious activity.

Collecting and monitoring these events contributes to meeting CMMC requirements by allowing early detection of potential attacks that could be focused on disrupting system security through unauthorized deletion of user accounts.', null, null, null, null, null, null, null, null, null, 503, true, 272, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.217): User Accounts Deleted', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (521, 'This report focuses on the collection and analysis of event 4624 in the Windows logs, which is generated when a user successfully logs into the system. This event is essential for system access monitoring, as it provides important details about who is logged in, the origin of the login, and the type of authentication used.

The correct collection of these events is crucial for compliance with the CMMC (Cybersecurity Maturity Model Certification), specifically at Level 1 (SI.1.210), which requires identifying and correcting security vulnerabilities in a timely manner. Analysis of event 4624 can detect unusual patterns in logins, such as unauthorized access or access attempts from unexpected geographic locations or devices. These behaviors may be indicative of security breaches or intrusion attempts.

Additionally, collecting these events helps maintain a complete record of user activities, allowing you to audit access to sensitive information and meet security requirements established to protect the organization''s systems and data. Detecting unauthorized or anomalous access early allows for quick corrective action, such as revoking compromised credentials or implementing new access policies.

In summary, monitoring event 4624 is an essential part of the security management process to identify possible threats or configuration errors in system access, allowing the correction of vulnerabilities in a timely manner and reducing the risk of compromising the security infrastructure. ', null, null, null, null, null, null, null, null, null, 503, true, 265, 'TEMPLATE', null, null, 'Windows Level 1 (SI.1.210): Account Logon Success', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (522, 'Proper monitoring of 4625 events is a key component of CMMC (Cybersecurity Maturity Model Certification) compliance, specifically Level 1 (SI.1.210), which requires the identification and correction of security flaws in a timely manner. Analyzing these events allows you to identify patterns of failed access attempts and detect potential security gaps, such as weak passwords or the use of compromised credentials.

By identifying and logging all failed login attempts, additional security measures can be implemented, such as activating locks after multiple failed attempts or scanning users making failed attempts to detect compromised accounts. These logs also help evaluate the effectiveness of password security policies and other access controls.

In summary, the collection and analysis of event 4625 allows us to detect unauthorized access attempts early and correct security weaknesses that could be exploited by attackers. This monitoring helps meet CMMC''s goal of quickly and efficiently identifying and fixing security vulnerabilities, thereby protecting critical infrastructure and sensitive data.', null, null, null, null, null, null, null, null, null, 503, true, 266, 'TEMPLATE', null, null, 'Windows Level 1 (SI.1.210): Account Logon Failure', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (864, e'The Windows Policy Changes Report provides detailed logs of modifications to system policies, such as group policies, security settings, and access controls. This report is critical within the Banking Audit framework, as it ensures accountability and compliance with regulatory standards for system configuration and access management.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, demonstrating oversight of policy changes to protect sensitive financial systems and customer data.
• Configuration Management Compliance: Supports compliance with PCI DSS Requirement 10, which mandates monitoring of system component changes to detect unauthorized modifications.
• Audit Readiness: Tracks policy changes, providing traceability for frameworks like SOC2 Type 2 and ISO 27001, ensuring accountability in maintaining secure configurations.
• Incident Detection: Identifies unauthorized or suspicious changes to critical policies, which could indicate potential insider threats or attempts to weaken system security.
• Data Protection: Ensures compliance with GDPR Article 32, demonstrating controls that restrict and monitor changes to system policies to prevent unauthorized access or breaches.', null, null, null, null, null, null, null, null, null, 701, true, 280, 'TEMPLATE', null, null, 'Windows Policy changes', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (903, e'The Windows Kerberos Ticket Requests Report provides detailed logs of Kerberos authentication events, including ticket-granting ticket (TGT) requests, service ticket requests, and renewal attempts. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as Kerberos ticket requests can reveal authentication misuse or security breaches.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of authentication events to safeguard sensitive financial systems and customer data.
• Authentication Monitoring: Supports compliance with PCI DSS Requirement 8, ensuring secure authentication mechanisms and tracking Kerberos ticket activities.
• Real-Time Alerting: Captures and alerts administrators immediately when unusual Kerberos ticket requests occur, enabling rapid investigation and mitigation.
• Incident Detection: Identifies suspicious Kerberos activities, such as golden ticket attacks, ticket reuse, or brute force attempts, which could indicate compromised accounts or insider threats.
• Audit Readiness: Tracks all Kerberos ticket events, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating secure and accountable authentication practices.', null, null, null, null, null, null, null, null, null, 701, true, 283, 'TEMPLATE', null, null, 'Windows Kerberos ticket requests', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (906, e'The Windows PowerShell Remote Session Creation Report provides detailed logs of events where remote PowerShell sessions are established, capturing information such as the initiating user, source IP address, session commands, and timestamps. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as remote PowerShell sessions can be exploited for unauthorized access or malicious activities.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of remote session activities to protect sensitive financial systems and customer data.
• Access Control Monitoring: Supports compliance with PCI DSS Requirement 10, ensuring all remote access attempts and activities are logged and monitored.
• Real-Time Alerting: Captures and notifies administrators immediately of remote PowerShell session creations, enabling rapid response to potential threats.
• Incident Detection: Identifies unauthorized or suspicious remote session activities, such as from unusual IP addresses or privilege escalation attempts, which may indicate account compromise or insider threats.
• Audit Readiness: Tracks all remote PowerShell session events to ensure compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating secure and accountable access management practices.', null, null, null, null, null, null, null, null, null, 701, true, 289, 'TEMPLATE', null, null, 'Windows PowerShell Remote Session Creation', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (527, 'This report gathers and analyzes the information from events 4663 and 4656 in the Windows logs, with the objective of complying with control SI.2.212 of CMMC Level 2, which requires the implementation of mechanisms for real-time supervision of the security events.

Event 4663: This event is raised when an object, such as a file or folder, is accessed or modified in some way. Records important details about the action performed, such as the type of access (read, write, delete, etc.), the object identifier, and the identity of the user or process that performed the action. It is a key indicator of file access and modifications, which can help detect anomalous or unauthorized behavior.

Event 4656: Similar to event 4663, event 4656 is triggered when a process attempts to access an object on the system. Records details about the type of access requested and the identifier of the object being accessed, providing additional information about access attempts to specific resources on the system.

Both events 4663 and 4656 are critical for monitoring actions related to access and modification of files and resources on the system. The ability to detect unauthorized access or suspicious modifications in real time is essential for the implementation of effective security controls, allowing rapid identification of potential incidents and immediate intervention to mitigate risks.

The joint analysis of these events helps to reinforce real-time monitoring measures, detecting access to sensitive data, file manipulations or any activity that could compromise the integrity of the systems. Meeting the SI.2.212 requirements of CMMC Level 2 by collecting and analyzing these events is crucial to maintaining a secure environment and protecting the most critical resources within the technology infrastructure.', null, null, null, null, null, null, null, null, null, 503, true, 273, 'TEMPLATE', null, null, 'Windows Level 2 (SI.2.212): Attempt to Access a Protected Object', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (548, 'This report gathers relevant information from the Windows logs corresponding to event 4670, which is triggered when the permissions of a security object, such as a file or folder, are modified. This type of event is key to detecting changes in the security configuration of the organization''s critical resources, which can be an indication of malicious or unauthorized behavior.

Through this report, we seek to identify unauthorized changes in access permissions, which could reflect attempts to escalate privileges or manipulate sensitive data. To comply with the CMMC requirement of SI.5.223, which requires the implementation of advanced monitoring techniques and the use of machine learning to detect anomalous behavior, this event is analyzed within a continuous monitoring framework using behavioral analysis tools .

This report helps identify unusual or unexpected patterns in permission modification, which can enable early detection of advanced threats or targeted attacks. Additionally, the integration of machine learning technologies into the analysis process makes it possible to identify atypical behaviors that might otherwise go undetected with traditional monitoring methods.', null, null, null, null, null, null, null, null, null, 503, true, 274, 'TEMPLATE', null, null, 'Windows Level 5 (SI.5.223): Protected Object Permission Change', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (543, 'This report is generated from the Windows logs of event 4740, which is triggered when a user account is locked due to multiple failed login attempts. This type of event is crucial for monitoring user behavior within the organization, helping to identify suspicious access patterns that may be indicative of intrusion attempts, such as brute force attacks or unauthorized attempts to access protected accounts.

In the context of CMMC''s Level 4 (SI.4.220): Monitor for malicious behavior across the organization, analysis of these events is critical to detecting and mitigating malicious behavior across the organization. Proactive monitoring of these types of events ensures that threat detection strategies are aligned with security best practices, allowing rapid response to anomalous activities that may compromise the integrity of organizational systems and data.

This report contributes to strengthening real-time monitoring capabilities, improving the ability to detect advanced threats and ensuring that the organization''s security infrastructure is aligned with CMMC requirements.', null, null, null, null, null, null, null, null, null, 503, true, 276, 'TEMPLATE', null, null, 'Windows Level 4 (SI.4.220): Account Locks', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (524, 'This report aims to monitor access to objects within the system, identifying and recording relevant security events related to access to sensitive files or directories. Analysis of these events is crucial to detect unauthorized or anomalous activities that may compromise the integrity and confidentiality of critical data in the organization''s environment.

In the context of compliance with CMMC (Cybersecurity Maturity Model Certification), at Level 1 (SI.1.210), which requires the identification and correction of security flaws in a timely manner, monitoring these events is essential to ensure that access to sensitive resources are carried out only by authorized users. Detection of anomalous access or unauthorized attempts allows for rapid intervention to mitigate any potential risk.

The continuous collection and analysis of these access events helps maintain adequate control over system security and ensure that any vulnerabilities are quickly identified and corrected. This contributes significantly to the protection of critical data and assets of the organization, aligning with CMMC requirements for proactive security management and remediation of any vulnerabilities that may be exploited.', null, null, null, null, null, null, null, null, null, 503, true, 277, 'TEMPLATE', null, null, 'Windows Level 1 (SI.1.210): Windows Access to critical files or specific directories', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (528, 'This report collects relevant information from the Windows event logs, specifically event 4672, which is generated when a user with special privileges (such as administrators or accounts with elevated permissions) logs on to the system. Including this event in the security analysis helps monitor and detect access from users with elevated privileges, a critical aspect for the protection of sensitive systems.

CMMC Level 2 (SI.2.212) compliance focuses on the implementation of effective mechanisms for monitoring security events in real time. Events like 4672 provide crucial visibility into the use of special privileges, allowing organizations to detect any anomalous or unauthorized activity, ensuring that monitoring mechanisms are effective in protecting critical infrastructure.

This report contributes to improving security by facilitating the identification of unusual behavior that may indicate unauthorized access or the exploitation of excessive privileges.', null, null, null, null, null, null, null, null, null, 503, true, 278, 'TEMPLATE', null, null, 'Windows Level 2 (SI.2.212): Special privileges assigned to new logon', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (523, 'This report focuses on the analysis of events 4719 generated in the Windows security logs, which occur when a modification is made to the system audit configuration. This event is important as it allows you to record and monitor any changes made to audit settings, which are crucial for detecting and analyzing security events in the system.

Event 4719 may be indicative of adjustments made to audit policies, such as changes to access log parameters, modifications to critical event tracking configurations, or adjustments to the monitoring of administrative and user actions. These changes can directly impact the organization''s ability to detect security incidents, so it is essential to ensure that audit configurations are appropriate and are not altered without valid justification.

The collection and analysis of 4719 events is essential for compliance with CMMC (Cybersecurity Maturity Model Certification) at Level 1 (SI.1.210), which requires the identification and correction of security vulnerabilities in a timely manner. Tracking this event helps ensure that systems auditing remains active and that unauthorized modifications are not made to security configurations that could impact the visibility and analysis of security events.

Además, el monitoreo adecuado de estos cambios permite verificar si los ajustes en las configuraciones de auditoría están alineados con las mejores prácticas de seguridad y que no se están deshabilitando o modificando controles de auditoría críticos, lo que podría abrir puertas a posibles ataques sin ser detectados.

En resumen, la recopilación y análisis de los eventos 4719 garantiza que las configuraciones de auditoría del sistema se mantengan intactas y efectivas, permitiendo una detección oportuna de fallos de seguridad. Este proceso contribuye al cumplimiento del objetivo de CMMC de identificar y corregir debilidades de seguridad de forma rápida y eficiente, protegiendo la infraestructura y los datos críticos de la organización.', null, null, null, null, null, null, null, null, null, 503, true, 280, 'TEMPLATE', null, null, 'Windows Level 1 (SI.1.210): Policy changes', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (529, 'This report collects relevant information from event 4648 in the Windows logs, which is generated when a login attempt is made using explicit credentials (username and password) by a process or program. This type of event is significant for monitoring access activities in IT infrastructure, as it can indicate potentially unauthorized access attempts or manipulations in authentication processes.

In the context of CMMC Level 3 (SI.3.217), event 4648 helps detect login attempts that could be part of a credentials attack, such as brute force attacks or reuse of compromised credentials. This type of monitoring is essential to identify unauthorized access or anomalous authentication behavior that could compromise the security of the organization.

The report allows you to identify unusual access patterns, such as login attempts from unusual locations or outside normal working hours, which is indicative of possible external or internal attacks. This information is key to activating alerts and taking immediate action against unauthorized access threats.

The collection and analysis of these events are essential to comply with CMMC requirements, since they allow early detection of attacks and help strengthen the security posture of the IT infrastructure by implementing protective measures, preventing attackers from achieving access critical systems.', null, null, null, null, null, null, null, null, null, 503, true, 281, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.217): Logins with explicit credentials', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (544, 'This report is generated from the Windows logs of events 4768, 4769 and 4771, which are directly related to the user authentication process using the Kerberos protocol. These events are triggered in situations where authentication ticket requests, authentication failures, or ticket validation errors occur.

Event 4768: Indicates a Kerberos service ticket request for a successfully authenticated user.
Event 4769: Triggered when there is a request for a service ticket for a user who could not be authenticated due to a Kerberos error.
Event 4771: Raised when the Kerberos authentication process fails due to incorrect or expired credentials.
Analysis of these events is crucial for monitoring malicious behavior within the organization. Authentication failures or repeated attempts to obtain service tickets may be indicative of malicious activity, such as spoofing attacks, unauthorized access attempts, or advanced intrusion behavior.

In the context of CMMC''s Level 4 (SI.4.220): Monitor for malicious behavior across the organization, these events are a key source of information to identify suspicious behavior related to credential management and access to sensitive resources. Monitoring and analyzing these events makes it possible to quickly detect attempted security breaches, which facilitates an early response to possible threats and contributes to strengthening the organization''s security infrastructure.

This report supports the implementation of robust security controls by detecting anomalous behavior, providing a detailed view of events that may be associated with attacks or attempts to compromise user credentials within the network.', null, null, null, null, null, null, null, null, null, 503, true, 283, 'TEMPLATE', null, null, 'Windows Level 4 (SI.4.220): Kerberos ticket requests', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (537, 'This report compiles relevant information about event 4688 in the Windows logs, which is generated every time a process is created on the system. This event is of vital importance for security monitoring, since it allows identifying the execution of new processes that may be part of normal activities or, in the case of being malicious, an indication of compromise or attack on the system.

In the context of CMMC Level 3 (SI.3.217), monitoring this event is crucial to detect possible attacks. The creation of unauthorized or unusual processes can be a sign of malicious activities such as running malware, unauthorized scripts, or launching attack tools. In addition, attackers often use techniques such as executing code on the system to maintain their presence, which would be reflected in these types of events.

Analysis of 4688 events allows the detection of anomalous behavior patterns, such as the creation of processes from unusual locations or associated with illegitimate activities, which facilitates early identification of threats. The collection and analysis of this information contributes to maintaining effective control over activities within the systems, ensuring that you can react quickly to potential security incidents.

This report is essential to meet the threat monitoring and detection requirements established in CMMC Level 3 (SI.3.217), allowing organizations to implement efficient monitoring tools that support the detection of attacks and suspicious activities in real time.', null, null, null, null, null, null, null, null, null, 503, true, 284, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.217): Process Creation', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (542, 'It allows you to verify that the system is recording access to network resources appropriately, which helps comply with level 4 (AU.4.053) of the CMMC. 
Additionally, you can see that the events are being correctly classified with important details about the user, type of access, and source of access (IP and port), which is essential to comply with access monitoring and auditing policies on a network.', null, null, null, null, null, null, null, null, null, 503, true, 285, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.217): Access to Shared Resources', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (538, 'This report compiles relevant information from Windows logs about event 7045, which is generated when a new service is installed on the system. Installing a service is a critical action that can indicate the execution of processes or software persistently on the system. Since attackers can use services to maintain access or control in a compromised environment, monitoring this type of activity is essential to detect potential threats or malicious actions.

In the context of CMMC Level 3 (SI.3.217) compliance, monitoring 7045 events is essential to detect unauthorized service installation attempts. These services can be used by attackers to execute malicious code or control systems without detection by administrators. This event is especially useful for identifying suspicious or unrecognized software, which may be indicative of a persistent attack.

The report of this event provides detailed information about the name of the service, its location and the process that installed it, allowing security teams to identify unusual behavior and take preventive or corrective measures. This continuous monitoring approach is vital to strengthen system defense and improve early detection of potential incidents.

In summary, the analysis of 7045 events in Windows logs is a key tool in compliance with CMMC requirement SI.3.217, since it allows organizations to identify and mitigate possible risks related to the unauthorized installation of services, improving attack detection capabilities.', null, null, null, null, null, null, null, null, null, 503, true, 290, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.217): Installation of Services', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (532, 'This report collects relevant information from event 4907 in the Windows logs, which is generated when auditing is disabled on the system. Disabling auditing is a critical action that can be used by attackers to hide malicious activities by disabling system event logs. This activity, although it may be legitimate in some cases, represents a significant risk when performed without adequate justification, as it prevents the collection of important information about actions taken on the system.

In the context of CMMC Level 3 (SI.3.217), monitoring this event is essential to detect potential attacks that may be manipulating system configuration to bypass auditing and surveillance measures. Disabling auditing could be an indication that an attacker is trying to avoid detection of their actions or movements within the infrastructure.

Analysis of this event helps identify unauthorized changes to the audit configuration, which could be a sign of a security compromise. Monitoring these events can detect attempts to conceal malicious activity and ensure that auditing systems continue to function properly to provide complete logs to help identify threats.

Compliance with CMMC Level 3 (SI.3.217) requirements is supported by active monitoring of these events, as it ensures that security monitoring and auditing mechanisms are functioning properly, and that any tampering or disabling attempts audit is detected immediately.', null, null, null, null, null, null, null, null, null, 503, true, 291, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.217): Restoration of default security policies', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (498, ' This report collects relevant information from 7045 (New Service Installed) events in Windows logs, for the purpose of verifying compliance with CMMC Level 4 practice AU.4.053, which requires advanced logging capabilities for threat detection.

Event 7045 is generated when a new service is installed on the system, which can be legitimate behavior or an indicator of malicious activity, such as the installation of persistent services used by attackers to maintain unauthorized access to a system.

This report includes key details such as the name of the service, the associated executable binary, the startup type of the service, the user who performed the installation, the date and time of the event, and the affected computer.

The analysis of these logs allows us to detect the creation of suspicious services, prevent persistence attacks and strengthen defenses against advanced threats that seek to compromise IT infrastructure.', null, null, null, null, null, null, null, null, null, 511, true, 290, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Installation of Services', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (499, 'This report focuses on the collection and analysis of event 4907 in the Windows logs, which is related to changes in system security audit policies. This event is generated when an audit policy is modified, which may indicate a possible alteration in security configurations or an attempt to disable auditing of important events.

Monitoring events like 4907 is critical for CMMC (Cybersecurity Maturity Model Certification) compliance, especially at Level 5 (AU.5.055), which requires improving auditing capabilities to detect advanced threats. Altering audit policies can be an indication of malicious activity, such as manipulating audit logs to conceal unauthorized access, a technique commonly used in advanced attacks.

Detecting changes to auditing configurations helps prevent log collection from being disabled or circumvented, which is essential for constant vigilance against advanced threats. This event is also part of best practices for intrusion detection and protecting the IT environment from potential malicious actors attempting to modify audit settings to hide their activity.

Collecting and analyzing 4907 events can strengthen incident response capabilities, ensure the integrity of audit logs, and improve the ability to detect sophisticated attacks.', null, null, null, null, null, null, null, null, null, 511, true, 291, 'TEMPLATE', null, null, 'Windows Level 5 (AU.5.055): Restoration of default security policies', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (500, 'This report is designed to monitor and analyze events related to system security configuration and policy changes. Event 4902 is generated when there is a change to the Windows auditing system configuration, including enabling or disabling auditing policies that can affect the collection and analysis of security logs.

The analysis of these events is crucial for compliance with Level 1 (SI.1.210) of the CMMC (Cybersecurity Maturity Model Certification), which requires the timely identification and correction of security flaws. This event may indicate that system audit configurations are being adjusted, impacting the visibility of security activity within the organization''s IT environment. An unauthorized or unexpected change to these settings could decrease the ability to detect malicious activity or compromise the integrity of security logs.

This report facilitates continuous monitoring of system audit configurations, allowing rapid correction of any changes that affect the ability to detect security incidents. Ensures that the organization is aligned with best practices to maintain complete visibility of system activities, contributing to the protection of critical assets and data, as well as the continuous improvement of security control.', null, null, null, null, null, null, null, null, null, 503, true, 292, 'TEMPLATE', null, null, 'Windows Level 1 (SI.1.210): Audit Policy Change', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (501, 'This report gathers relevant information on events related to enabling user accounts on the system, specifically event 4722, which is generated when a user account in the Windows domain is enabled. This type of event is important as it can signal that a previously disabled account has been activated, which could have security implications if the account is associated with unauthorized access or users who should not have access to the system.

Monitoring this event is essential to comply with Level 2 (SI.2.212) of the CMMC (Cybersecurity Maturity Model Certification), which requires the implementation of mechanisms for real-time supervision of security events. Detecting the enablement of accounts, especially those that have been previously disabled for security reasons, is crucial to identifying possible vulnerabilities in the system.

This report helps ensure that all actions related to account enablement are audited and available for review in real time, improving the organization''s ability to quickly detect and respond to security incidents. It allows greater visibility into actions taken on user accounts and helps prevent unauthorized access to critical system resources.

By actively monitoring the enablement of user accounts, identity and access management practices are reinforced, contributing to a more robust security posture aligned with industry best practices.', null, null, null, null, null, null, null, null, null, 503, true, 293, 'TEMPLATE', null, null, 'Windows Level 2 (SI.2.212): User Accounts Enabled', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (502, 'This report gathers relevant information on events related to changing user account passwords in the system, specifically event 4723, which is generated when a user attempts to change their own password, whether successfully or not. This event is crucial to detect possible unauthorized access attempts or tampering with account credentials, especially when password change attempts are made by unauthorized users or under suspicious circumstances.

Monitoring this event is essential to comply with Level 2 (SI.2.212) of the CMMC (Cybersecurity Maturity Model Certification), which establishes the need to implement mechanisms for real-time monitoring of security events. Detecting password change attempts helps identify malicious user activity attempting to bypass access controls or perform compromising actions on specific accounts.

This report helps ensure that any password modification attempts are audited, providing real-time visibility into activities related to account credentials. This not only improves the organization''s ability to detect and respond to security incidents, but also contributes to the implementation of strong password management policies.

By monitoring these types of events, the organization can identify potential vulnerabilities related to password tampering and prevent unauthorized access to its systems. In this way, a more solid security posture is ensured, aligned with best practices in cybersecurity.', null, null, null, null, null, null, null, null, null, 503, true, 294, 'TEMPLATE', null, null, 'Windows Level 2 (SI.2.212): User Password Reset Attempt', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (503, 'This report collects key information from Windows logs related to event 1102, which is triggered when system event logs have been cleared, an action that may indicate an attempt to hide suspicious or malicious activity on the system.

Event 1102 is directly related to monitoring activity in the event logs, as it records when a user or process deletes the event logs, which is a critical action that can impact the integrity of the audit logs. In the context of compliance with SI.2.212 of CMMC Level 2, this event is essential to implement real-time monitoring mechanisms for security events, as it provides the visibility necessary to detect attempts to manipulate or delete audit records, which which could interfere with the ability to audit and respond to security incidents effectively.

This event is especially important for detecting suspicious or malicious activity, such as security breach cover-up attempts or unauthorized activities. Including Event 1102 in log analysis ensures that log integrity is maintained and effective real-time security monitoring can be performed, meeting the requirements of CMMC Level 2 (SI.2.212). .

The continuous collection and analysis of 1102 events ensures that organizations can detect any attempted security log manipulation and take the necessary corrective action to protect the system and its resources. This practice is essential to maintain traceability of security incidents and to meet the continuous monitoring requirements established by CMMC.', null, null, null, null, null, null, null, null, null, 503, true, 295, 'TEMPLATE', null, null, 'Windows Level 2 (SI.2.212): Cleaned Event Log', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (504, 'This report compiles relevant information from the Windows logs generated by event 5158, related to the Windows Filtering Platform (WFP), with the objective of supporting compliance with control SI.2.212 of CMMC Level 2, which requires the implementation of mechanisms to real-time monitoring of security events.

Event 5158 is triggered when a network connection is allowed through the Windows Filtering Platform, a key component in the Windows network traffic filtering infrastructure. This system monitors and controls network traffic, allowing the detection of unauthorized or malicious connections and ensuring that only authorized connections can access system resources.

This report allows you to identify traffic patterns and network access, detecting possible threats or suspicious activities through the filtering platform. The data provided by event 5158 is essential to implement intrusion detection and prevention measures in real time, contributing to the early identification of security incidents.

In this way, the analysis of this event helps satisfy the requirements of CMMC Level 2 (SI.2.212), by providing continuous visibility of network connections and ensuring that security monitoring mechanisms are effective for the protection of network connections. systems and information.', null, null, null, null, null, null, null, null, null, 503, true, 296, 'TEMPLATE', null, null, 'Windows Level 2 (SI.2.212): Filtering Platform', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (508, 'This report groups the events generated by the Windows Service Control Manager (SCM), specifically event 7035, which is activated when a service is requested to start or stop on the system. This event may be relevant for real-time monitoring of critical services and their management in the IT environment.

Including these events in the report makes it easier to track changes in the state of services, which is essential for detecting suspicious activity, such as unauthorized attempts to start or stop services. This information helps detect possible malicious actions that could compromise the integrity or availability of the systems, as well as the effectiveness of control mechanisms in real time.

Compliance with CMMC - Level 2 (SI.2.212): The analysis of these events meets the requirement of Level 2 (SI.2.212): Implement mechanisms for real-time security event monitoring of CMMC, allowing early identification of threats in time real by monitoring the actions performed on Windows services. The collection, storage and analysis of these logs is essential to identify attempts to tamper with or interrupt services, and to ensure rapid response to incidents.', null, null, null, null, null, null, null, null, null, 503, true, 300, 'TEMPLATE', null, null, 'Windows Level 2 (SI.2.212): Monitoring of Critical System Services Status', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (505, 'This report focuses on the collection and analysis of relevant information from event 4662 in the Windows logs, with the objective of supporting compliance with CMMC Level 2 control SI.2.212. Control SI.2.212 requires the implementation of mechanisms for the Real-time monitoring of security events, which is critical to quickly identifying and responding to cyber threats.

Event 4662 is triggered when an attempt is made to access or modify a security object on the system, such as a file, folder, or registry key, that is under protection by an access control system. This event provides details about the operations performed, such as reading, writing, or deleting objects, and who attempted them. Details include the session identifier, the type of access requested, the object affected, and the identity of the user or process that performed the operation.

The analysis of this event in real time allows monitoring access to critical resources within the system, detecting unusual or potentially malicious behavior, and generating alerts regarding possible security violations. This helps identify unauthorized data manipulation attempts, which is crucial to meet CMMC''s continuous security monitoring requirements.

In summary, event 4662 plays a key role in improving security auditing and monitoring capabilities, enabling the detection of potential security incidents related to access to sensitive objects, and directly contributes to compliance with CMMC Level controls. 2 (SI.2.212).', null, null, null, null, null, null, null, null, null, 503, true, 297, 'TEMPLATE', null, null, 'Windows Level 2 (SI.2.212): Protected Object Access Operation', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (506, 'This report focuses on the collection and analysis of relevant information from event 4660 in the Windows logs, with the objective of supporting compliance with control SI.2.212 of CMMC Level 2, which requires the implementation of mechanisms for supervision in real time of security events.

Event 4660 is triggered when a process attempts to delete an object on the system, such as a file or folder, which may be related to sensitive data deletion actions or unauthorized changes to the system. This event records details about the affected object, the operation that was attempted (deletion), and the identity of the user or process that attempted the action.

Analysis of this event is essential to ensure that critical object removals are monitored in real time. This helps detect unauthorized activity, whether due to error or malicious intent, and generate alerts that allow administrators to quickly take preventive or corrective action.

By monitoring events such as 4660, you can strengthen control over data integrity and systems security, detecting unauthorized access or unexpected actions. Compliance with SI.2.212 is crucial for incident response capability and for maintaining active protection of sensitive resources within the infrastructure.

In summary, event 4660 plays a key role in detecting potentially hazardous activities related to the removal of critical objects, contributing to compliance with the real-time monitoring requirements mandated by CMMC Level 2 (SI.2.212).', null, null, null, null, null, null, null, null, null, 503, true, 298, 'TEMPLATE', null, null, 'Windows Level 2 (SI.2.212): Object Deletion', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (508, 'This report groups the events generated by the Windows Service Control Manager (SCM), specifically event 7035, which is activated when a service is requested to start or stop on the system. This event may be relevant for real-time monitoring of critical services and their management in the IT environment.

Including these events in the report makes it easier to track changes in the state of services, which is essential for detecting suspicious activity, such as unauthorized attempts to start or stop services. This information helps detect possible malicious actions that could compromise the integrity or availability of the systems, as well as the effectiveness of control mechanisms in real time.

Compliance with CMMC - Level 2 (SI.2.212): The analysis of these events meets the requirement of Level 2 (SI.2.212): Implement mechanisms for real-time security event monitoring of CMMC, allowing early identification of threats in time real by monitoring the actions performed on Windows services. The collection, storage and analysis of these logs is essential to identify attempts to tamper with or interrupt services, and to ensure rapid response to incidents.', null, null, null, null, null, null, null, null, null, 503, true, 300, 'TEMPLATE', null, null, 'Windows Level 2 (SI.2.212): Monitoring of Critical System Services Status', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (509, 'This report collects information relevant to event 4776 in the Windows logs, which is generated when an authentication attempt, usually through Kerberos or NTLM, fails. This event is of great importance for continuous monitoring of systems and early detection of possible unauthorized access attempts or cyber attacks.

In the context of Level 3 (SI.3.217) of the CMMC, this type of event allows the identification of anomalous patterns of failed authentication attempts, which may be indicative of attacks such as brute force, phishing or privilege escalation attempts. The report focuses on capturing these events so that any unusual behavior can be quickly analyzed, ensuring that unauthorized access attempts are detected and managed efficiently.

Monitoring events like 4776 provides real-time visibility into failed authentication attempts, which is crucial for detecting suspicious behavior that may compromise infrastructure security. In addition, the report facilitates the generation of alerts about possible security incidents, allowing corrective measures to be taken before an attack materializes.

This active monitoring approach is essential to meeting CMMC requirements by ensuring that attack detection mechanisms are in place and operating effectively, which is key to protecting the organization from external and internal threats.', null, null, null, null, null, null, null, null, null, 503, true, 301, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.217): Account Authentication Using NTLM', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (510, 'This report compiles relevant information about event 4688 in the Windows logs, which is generated every time a process is created on the system. This event is of vital importance for security monitoring, since it allows identifying the execution of new processes that may be part of normal activities or, in the case of being malicious, an indication of compromise or attack on the system.

In the context of CMMC Level 3 (SI.3.217), monitoring this event is crucial to detect possible attacks. The creation of unauthorized or unusual processes can be a sign of malicious activities such as running malware, unauthorized scripts, or launching attack tools. In addition, attackers often use techniques such as executing code on the system to maintain their presence, which would be reflected in these types of events.

Analysis of 4688 events allows the detection of anomalous behavior patterns, such as the creation of processes from unusual locations or associated with illegitimate activities, which facilitates early identification of threats. The collection and analysis of this information contributes to maintaining effective control over activities within the systems, ensuring that you can react quickly to potential security incidents.

This report is essential to meet the threat monitoring and detection requirements established in CMMC Level 3 (SI.3.217), allowing organizations to implement efficient monitoring tools that support the detection of attacks and suspicious activities in real time.', null, null, null, null, null, null, null, null, null, 503, true, 302, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.217): Process Termination', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (511, 'The SI.3.217 (System Time Settings Changes) control in the CMMC (Cybersecurity Maturity Model Certification) focuses on monitoring and controlling changes in the system time settings. 
This control is critical to ensure the integrity of the systems and the security of the organization, as unauthorized changes to the system time may be indicative of attempts to tamper with or evade audit logs.', null, null, null, null, null, null, null, null, null, 503, true, 303, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.217): System Time Settings Changes', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (512, 'The SI.3.217 (Certificate Configuration Changes) control of the CMMC (Cybersecurity Maturity Model Certification) focuses on the management of changes in the configuration of digital certificates in systems. This control is essential to maintain confidence in security systems, especially in a business environment where data protection is critical.', null, null, null, null, null, null, null, null, null, 503, true, 304, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.217): Certificate Configuration Changes', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (513, 'This report focuses on the Windows logs for event 4697, which is generated when a service is installed on a system. 
Installing services is a critical operation that can be used by both legitimate administrators and malicious actors to alter systems configuration, establish persistence, or hide malicious activities.

In the context of CMMC Level 4 (SI.4.220): Monitor for malicious behavior across the organization, event 4697 is essential to detect unauthorized installation of services that could indicate a malware attack, persistence activity, or the establishment of backdoors. The presence of a service installed without proper authorization or outside of standard procedures can be a sign of suspicious behavior and is therefore an important monitoring target.

This type of malicious behavior can be an early indicator of an advanced attack, where an attacker installs a service to maintain control over the compromised system, or to continuously execute code without being detected. For example, an attacker could install a service to run a Trojan horse or rootkit that remains on the system even after reboots or configuration changes.

Monitoring this event allows you to quickly identify unauthorized installations of services, facilitating early detection of intrusions and response to possible security incidents. This surveillance capability contributes to risk reduction by allowing security teams to proactively act against potential threats before they can escalate and compromise critical systems or sensitive data.', null, null, null, null, null, null, null, null, null, 503, true, 305, 'TEMPLATE', null, null, 'Windows Level 4 (SI.4.220): Windows Service Installed', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (514, 'This report collects relevant information from the Windows logs corresponding to event 4799, which is generated when a user logs out of the system. This event is crucial for monitoring user account behavior and detecting possible user account enumeration attempts, a technique used by attackers to obtain information about valid accounts on a system.

In the context of CMMC SI.5.223, which requires the implementation of advanced monitoring to detect anomalous behavior using machine learning, event 4799 is analyzed to identify unusual patterns that could indicate account enumeration attacks. Attempts to log out repeatedly with different credentials or at unusual times may signal activities of an attacker trying to discover valid user accounts or learn about network login and logout behavior.

The report is integrated with advanced tools that use machine learning to detect anomalous behavior associated with account enumeration attempts and other types of persistence attacks, improving the organization''s ability to identify advanced threats early and effectively.', null, null, null, null, null, null, null, null, null, 503, true, 306, 'TEMPLATE', null, null, 'Windows Level 5 (SI.5.223): User Accounts Enumeration', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (515, 'This report collects relevant information from the Windows logs associated with event 4798, which is generated when the configuration of user accounts in the system is consulted. This event is crucial to detect possible anomalous behavior related to account enumeration or unauthorized access to sensitive account settings.

In the context of CMMC SI.5.223, which promotes the use of advanced monitoring with machine learning to identify anomalous behavior, event 4798 is monitored to detect unusual patterns of account inquiries. Repeated queries to user account settings or unauthorized access could be indicative of an attacker attempting to obtain information about system accounts, such as privileges, settings, and other associated characteristics.

The report provides a detailed view of events related to querying account settings and uses machine learning tools to identify anomalous behavior, such as unusual query patterns, that could signal exploitation attempts or attacks aimed at obtaining sensitive information. .

This type of advanced monitoring helps the organization detect attacks early, improving the ability to respond to potential threats before they can impact system security.', null, null, null, null, null, null, null, null, null, 503, true, 307, 'TEMPLATE', null, null, 'Windows Level 5 (SI.5.223): Group Membership Enumerated', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (628, 'This report collects key information from event 4732 in the Windows logs, which is generated when a user is added to a security group. Including this event in security monitoring is essential for tracking changes in group membership, especially those that provide access to critical resources or elevated privileges.

Within the framework of CMMC Level 2 (SI.2.212) compliance, real-time monitoring of events such as 4732 is a crucial measure to ensure that only authorized users have access to the organization''s sensitive resources. This event is an early alert for the detection of changes to user permissions, which may involve unauthorized elevation of privileges or unplanned access to critical systems.

The report provides visibility into who, when and why a user was added to a security group, which is critical for access control and detecting potential threats or security breaches. Ensuring these events are appropriately monitored helps maintain a robust security environment and prevent improper access, in compliance with CMMC continuous monitoring requirements.', null, null, null, null, null, null, null, null, null, 503, true, 320, 'TEMPLATE', null, null, 'Windows Level 2 (SI.2.212): Member Addition to a Security Local Group', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (630, 'This report is based on the Windows logs for event 4733, which is generated when a user is removed from a security group. This type of event is critical for monitoring access to sensitive systems, since changes in security group membership can be indicative of an attempted lateral movement or an internal attack that seeks to escalate privileges or modify access controls. unauthorized manner.

In the context of CMMC Level 4 (SI.4.220): Monitor for malicious behavior across the organization, event 4733 is relevant to identifying activities that may be associated with malicious modifications to user privileges or group settings that manage critical permissions. These changes may be indicative of suspicious activity, such as an attacker attempting to gain access to restricted resources or making an alteration to user permissions in order to facilitate unauthorized access.

Monitoring this event, especially when unauthorized deletions or modifications are detected in high-privilege groups (such as system administrators or sensitive data access groups), allows the organization to proactively respond to malicious behavior before it can compromise network security or critical systems.

This report provides visibility into changes in security groups, enabling early detection of anomalous behavior and improving the organization''s ability to prevent and mitigate potential internal attacks or external intrusions.', null, null, null, null, null, null, null, null, null, 503, true, 321, 'TEMPLATE', null, null, 'Windows Level 4 (SI.4.220): Local Security Group Member Removal', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (629, 'This report collects information relevant to event 4657 in the Windows logs, which is generated when a system object, either a file or a registry key, is modified. This event is crucial for real-time monitoring of activities that could involve changes to security settings or critical files of the organization.

In the context of Level 2 (SI.2.212) of the CMMC, monitoring events such as 4657 is essential to detect and prevent unauthorized activities that may compromise the integrity of systems or allow the execution of malicious actions. This event provides visibility into changes made to important objects, allowing you to identify unplanned or unusual modifications to the environment, such as alteration of sensitive files or system configurations.

The report helps ensure that all critical modifications are detected and analyzed in real time, allowing early intervention in the event of potential security incidents. Additionally, it ensures that a detailed record is maintained of activities that may have an impact on security, aligning with the continuous monitoring requirements and the improvement of audit capabilities that are fundamental in CMMC compliance.', null, null, null, null, null, null, null, null, null, 503, true, 322, 'TEMPLATE', null, null, 'Windows Level 2 (SI.2.212): Registry Value Modification', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1007, 'This report collects and analyzes FileAccessed event logs in Office 365 to verify compliance with CMMC Level 1 (SI.1.210), which requires the identification and correction of security breaches in a timely manner.

Access to sensitive files is a critical point in information security, and monitoring these events allows you to detect possible unauthorized access, unusual activities, and usage patterns that may indicate vulnerabilities in access controls. This report identifies the users, files, and locations involved in each access event, facilitating audit review and analysis of suspicious behavior.

By consolidating this information, the report helps you take preventive and corrective measures in a timely manner, ensuring that data is protected in accordance with established security policies and reducing the risk of sensitive information being exposed.', null, null, null, null, null, null, null, null, null, 503, true, 325, 'TEMPLATE', null, null, 'Office 365 Level 1 (SI.1.210): File Accessed', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (866, e'The Windows Audit Policy Change Report provides a detailed log of modifications to audit policies, such as changes to audit settings, logging configurations, and retention policies. This report is a critical component of the Banking Audit framework, ensuring transparency and control over how audit data is captured and managed.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, demonstrating oversight of audit policy changes to protect the integrity of financial systems and sensitive customer data.
• Compliance with Monitoring Standards: Supports compliance with PCI DSS Requirement 10, which mandates monitoring and logging of audit policy modifications to detect unauthorized changes.
• Audit Readiness: Tracks audit policy changes to provide traceability and accountability, meeting the requirements of frameworks like SOC2 Type 2 and ISO 27001.
• Incident Detection: Identifies unauthorized or suspicious audit policy changes, which could indicate attempts to disable monitoring or obscure malicious activity.
• Data Protection: Ensures compliance with GDPR Article 32, showcasing controls to monitor and restrict changes to audit settings to prevent data breaches or unauthorized access.', null, null, null, null, null, null, null, null, null, 701, true, 292, 'TEMPLATE', null, null, 'Windows Audit Policy Change', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (930, 'This report collects and analyzes relevant information from AWS logs about the DeleteUser event, used to verify compliance with CMMC Level 1 (SI.1.210): Identify and correct security flaws in a timely manner.

The DeleteUser event in AWS IAM records the deletion of user accounts, which can pose a security risk if not handled properly. This report allows you to identify and correct possible vulnerabilities by monitoring user deletions, detecting unauthorized access, suspicious changes and ensuring the integrity of access controls in the organization.

Analysis of these events helps to:
-Identify unauthorized or accidental user deletions.
-Verify which accounts have been deleted and who performed the action.
-Review the origin of the request and the devices or IP addresses involved.
-Evaluate compliance with security controls related to user management.

This report helps ensure that user removal actions are legitimate and that any suspicious activity is investigated and corrected in a timely manner, aligning with the security requirements established by CMMC.', null, null, null, null, null, null, null, null, null, 503, true, 359, 'TEMPLATE', null, null, 'AWS Level 1 (AU.1.001): IAM User Deletion', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (931, 'This report gathers relevant information from AWS logs related to the ListAccessKeys event, which is generated when a user''s access keys are listed in AWS IAM. The analysis of these events is essential to comply with CMMC Level 3 control SI.3.217, which requires the use of monitoring tools to detect possible attacks.

Unauthorized or suspicious access to the access key enumeration may indicate reconnaissance attempts by malicious actors within the cloud infrastructure. This report provides key details such as the user''s identity, source IP address, the source of the event, and the time it occurred, allowing for proactive security assessment and identification of potential threats.', null, null, null, null, null, null, null, null, null, 503, true, 360, 'TEMPLATE', null, null, 'AWS Level 3 (SI.3.217): ListAccessKeys Logs', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1010, 'This report collects relevant information from the FileDeleted event logs in Office 365, used to verify compliance with CMMC Level 3 (SI.3.217), which establishes the need to use monitoring tools to detect potential attacks.

The FileDeleted event is generated when a file is deleted within the Office 365 environment, which may indicate a legitimate or potentially malicious action. Deleting critical files, especially those containing sensitive or controlled information, requires close monitoring to detect suspicious activities that may be associated with ransomware attacks, unauthorized deletion of data, or attempts to hide evidence of an attack.

The report includes essential details such as the ID of the deleted file, the user who performed the action, the source and destination of the file, as well as the date and time the deletion occurred. In addition, the location from which the deletion was performed and the device involved are recorded.

Monitoring file deletion events is a key tool for identifying anomalous activity patterns, such as mass file deletion or deletion to unauthorized locations. This report facilitates the detection of security incidents, enabling a rapid response to mitigate any potential attack or malicious behavior that compromises data integrity.', null, null, null, null, null, null, null, null, null, 503, true, 394, 'TEMPLATE', null, null, 'Office 365 Level 3 (SI.3.217): File Deleted', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1008, 'This report gathers relevant information from the SharingSet event logs in Office 365, with the purpose of verifying compliance with CMMC Level 2 (SI.2.212), which requires the implementation of mechanisms for real-time monitoring of security events.

The SharingSet event is generated when a file or folder is shared with other users inside or outside the organization. Monitoring these actions is essential to detect misuse configurations, accidental sharing of sensitive information, or malicious attempts at data exfiltration.

This report provides key details that allow identifying behavior patterns and detecting any anomalies in the management of permissions and access to critical information.

The collection and analysis of these events in real time contribute to strengthening security controls, facilitating rapid response to possible incidents and minimizing the risk of sensitive data exposure.', null, null, null, null, null, null, null, null, null, 503, true, 395, 'TEMPLATE', null, null, 'Office 365 Level 2 (SI.2.212): Sharing Set', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1009, 'This report collects key information from the Add-MailboxPermission event logs in Office 365, with the purpose of verifying compliance with CMMC Level 2 (SI.2.212), which requires the implementation of mechanisms for real-time monitoring of security events.

The Add-MailboxPermission event is generated when permissions are granted on a mailbox to another user or entity. Monitoring these events is essential to detect unauthorized access, improper changes in email permissions, and possible attempts at data exfiltration.

The report includes relevant information that allows for the detection of anomalies in privilege management, ensuring the protection of sensitive information contained in emails.

The collection and real-time analysis of these events strengthens organizational security, allowing a rapid response to possible security incidents and helping to prevent improper access to critical information.', null, null, null, null, null, null, null, null, null, 503, true, 397, 'TEMPLATE', null, null, 'Office 365 Level 2 (SI.2.212): Mailbox Permission Assigning', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1011, 'This report gathers relevant information from the FileRenamed event logs in Office 365, used to verify compliance with CMMC Level 3 (SI.3.217), which establishes the need to use monitoring tools to detect potential attacks.

The FileRenamed event is generated when a file within Office 365 is renamed, which could be an indication of an attempt to hide the content or origin of the file, especially in cases of cyberattacks, such as ransomware or unauthorized access to critical information. File renaming can be an indicator of suspicious behavior that could compromise data integrity or regulatory compliance.

Monitoring file renaming events allows you to identify unauthorized changes to data or infrastructure, detecting possible attempts to hide information or illegitimate activities. This report facilitates early detection of security incidents, allowing a rapid response to mitigate any potential threats and protect critical information in the Office 365 environment.', null, null, null, null, null, null, null, null, null, 503, true, 398, 'TEMPLATE', null, null, 'Office 365 Level 3 (SI.3.217): File Renamed', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (733, 'This report collects relevant information from the Windows logs generated by event 4720, which is triggered when a new user account is created on the system. This event is crucial to comply with CMMC control AU.2.044, which requires review of audit logs to identify inappropriate behavior or suspicious activities.

Event 4720 provides details on creating user accounts. By reviewing and correlating this data with other activity logs, unusual patterns can be detected, such as account creation without justification or at unusual times, which could indicate malicious behavior or attempted privilege escalation.

This report makes it easy to identify potential inappropriate activities related to user account management, allowing security teams to quickly investigate and act on any unauthorized access attempts or account misuse. Additionally, contributes to compliance with CMMC regulations by ensuring that events that may flag suspicious behavior within the organization are appropriately reviewed.', null, null, null, null, null, null, null, null, null, 501, true, 267, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.044): User Accounts Created', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (729, 'This report compiles key information from the Windows logs generated by event 4624, which is triggered when a user successfully logs on to a system. This event is crucial to comply with CMMC control AU.2.044, which requires review of audit logs to detect inappropriate behavior and unauthorized activities.

Event 4624 provides details about system logins. By analyzing and correlating these logs with other security events, you can identify unusual behavior patterns, such as access attempts at unusual times, access from unauthorized locations, or repeated login attempts.

This report helps detect inappropriate behavior or suspicious activities, such as unauthorized access attempts or improper access, and allows early corrective action to mitigate security risks. Additionally, it contributes to CMMC compliance by ensuring that audit logs are appropriately reviewed to identify any attempted exploitation or system compromise.', null, null, null, null, null, null, null, null, null, 501, true, 265, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.044): Account Logon Success', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (730, 'This report compiles relevant information from the Windows logs generated by event 4625, which is triggered when a login attempt to the system is unsuccessful. This event is critical to comply with CMMC control AU.2.044, which requires review of audit logs to detect inappropriate behavior and unauthorized activities.

Event 4625 provides key details about failed login attempts. By analyzing these events, patterns of failed access attempts can be identified that could indicate a brute force attack, an unauthorized access attempt, or the exploitation of compromised credentials.

This report makes it easy to detect suspicious behavior related to unauthorized access attempts, and by correlating this information with other system logs, security teams can identify trends that require a proactive response. Additionally, it contributes to CMMC compliance by ensuring adequate review and monitoring of audit events that may flag inappropriate or malicious activities.', null, null, null, null, null, null, null, null, null, 501, true, 266, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.044): Account Logon Failure', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (734, 'This report compiles relevant information from the Windows logs generated by event 4726, which is triggered when a user account is disabled on the system. This event is essential to comply with CMMC control AU.2.044, which requires review of audit logs for inappropriate or suspicious behavior.

Event 4726 provides details about deactivating user accounts. By reviewing and correlating this data with other activity logs, patterns can be identified that suggest unusual behavior, such as account disabling without justification or at unusual times, which could indicate attempts to hide malicious activity or compromise system security. .

This report is useful for detecting suspicious activities related to user account management, allowing security teams to take quick action to investigate and mitigate potential risks. Additionally, contributes to compliance with CMMC regulations by ensuring that appropriate review is conducted of events that may indicate inappropriate behavior within the organization.', null, null, null, null, null, null, null, null, null, 501, true, 272, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.044): User Accounts Deleted', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (737, 'This report compiles relevant information from the Windows logs generated by event 4672, which is triggered when a user gains elevated privileges, such as administrator, through an interactive or remote login. This event is crucial to comply with CMMC control AC.3.032, which requires monitoring and controlling remote access to sensitive systems to prevent misuse of elevated privileges.

Event 4672 provides key details about logging in for elevated users. Monitoring these events helps identify the use of elevated accounts in remote sessions, helping ensure that only authorized users access critical or sensitive systems.

This report is essential to control remote access to sensitive resources, ensuring that access is appropriate and authorized. Additionally, it contributes to CMMC compliance by strengthening security policies to protect sensitive systems from unauthorized access.', null, null, null, null, null, null, null, null, null, 501, true, 278, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.032): Special privileges assigned to new logon', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (732, 'This report collects relevant information from the Windows logs generated by event 4648, which is triggered when a user account is used to log on to a system with explicit credentials, such as using network credentials or a service account. This event is crucial to comply with CMMC control AU.2.044, which requires review of audit logs to detect inappropriate behavior.

Event 4648 provides details about login attempts with explicit credentials. By reviewing these types of logs, it is possible to identify unusual access or authentication attempts that may be related to unauthorized or malicious activity.

This report allows security teams to identify suspicious patterns of behavior, such as login attempts at unusual times or from unusual locations, which could indicate a possible attack. Furthermore, by correlating these events with other logs related to access or activities in the system, the detection of security incidents and inappropriate behavior is facilitated.

In summary, this report is an important tool to ensure compliance with CMMC regulations, helping to detect inappropriate behavior and ensuring that audit logs are appropriately reviewed to protect organizational infrastructure.', null, null, null, null, null, null, null, null, null, 501, true, 281, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.044): Logins with explicit credentials', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (735, 'This report compiles relevant information from the Windows logs generated by events 5140 and 5145, which are triggered when access is made to a share on the network or when an attempt to access a share is blocked due to a configuration. incorrect permissions. These events are critical to complying with CMMC control AU.2.044, which requires review of audit logs to detect inappropriate or suspicious behavior.

Event 5140 is logged when a connection is established to a share. Event 5145 is raised when an attempt to access a share is denied due to permissions issues, which may indicate inappropriate or intentional behavior.

By reviewing and correlating these events with other logs, such as failed access attempts or permission setting changes, you can identify anomalous patterns that suggest unauthorized access attempts or malicious actions that compromise system security.

This report is key to detecting inappropriate behavior related to access to shared resources, allowing security teams to take preventive actions against possible threats. Additionally, it facilitates compliance with CMMC regulations by ensuring that access and denial events are appropriately reviewed and correlated to identify suspicious activity within the organization.', null, null, null, null, null, null, null, null, null, 501, true, 285, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.044): Access to Shared Resources', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (738, 'This report compiles relevant information from the Windows logs generated by event 7045, which is activated when a service is installed on the system. This event is essential to comply with CMMC control AC.3.032, which requires monitoring and controlling remote access to sensitive systems to protect them from potential vulnerabilities.

Event 7045 captures details about the installation of new services on the system, which may be related to the configuration of remote or management services. These services could involve potential access to sensitive systems if not properly monitored and controlled.

This report allows you to detect the installation of services that could enable unauthorized remote access to critical systems. Monitoring these events ensures that only legitimate and controlled services are installed, contributing to system security and CMMC compliance by ensuring that remote access to sensitive systems is strictly managed and monitored.', null, null, null, null, null, null, null, null, null, 501, true, 290, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.032): Installation of Services', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (933, 'This report collects and analyzes relevant information from AWS logs related to the DeleteUser event, with the objective of verifying compliance with the Level 2 requirement (AU.2.044) of the CMMC framework. Reviewing these logs can detect potentially inappropriate activities, such as unauthorized deletion of user accounts, actions taken outside of business hours, or from unusual locations. 
By monitoring these events, you improve your ability to identify potential insider threats, administrative errors, or malicious attempts to remove evidence of unauthorized activity.', null, null, null, null, null, null, null, null, null, 501, true, 359, 'TEMPLATE', null, null, 'AWS Level 2 (AU.2.044): IAM User Deletion', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1023, 'This report collects and analyzes FileAccessed events in Office 365 to assess compliance with CMMC Level 2 requirement AU.2.044, which requires audit logs to be reviewed to detect inappropriate behavior.

Monitoring these events helps identify file accesses that may indicate suspicious activity, such as mass viewing of sensitive documents, access to restricted information by unauthorized users, or unusual behavior patterns when interacting with files. By analyzing logs, it is possible to detect attempts at data exfiltration, improper access, or misuse of information within the Office 365 environment.

The information obtained in this report helps strengthen monitoring of user behavior, ensuring early detection of potential security incidents and guaranteeing compliance with the audit practices established in CMMC Level 2.', null, null, null, null, null, null, null, null, null, 501, true, 325, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.044): File Accessed', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (736, 'This report collects relevant information from the Windows logs generated by event 4767, which is triggered when a user account is unlocked on the system after being locked out due to failed login attempts. This event is crucial to comply with CMMC control AU.2.044, which requires review of audit logs to detect inappropriate or suspicious behavior.

Event 4767 provides details about the account that was unlocked, the account that performed the action, among others. By reviewing and correlating this data with other activity logs, anomalous patterns can be identified, such as attempts to unlock accounts at unusual times or by unauthorized accounts, which could signal attempts to circumvent security policies or unauthorized access.

This report is useful for detecting suspicious behavior related to the management of blocked accounts, allowing security teams to respond quickly to possible incidents. Additionally, contributes to compliance with CMMC regulations by ensuring effective review of events that may indicate inappropriate or malicious behavior within the organization.', null, null, null, null, null, null, null, null, null, 501, true, 336, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.044): Unlocked Account', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (869, e'The Windows User Password Reset Attempt Report provides a detailed record of password reset activities, capturing both successful and failed attempts. This report is critical within the Banking Audit framework to monitor credential management processes and ensure compliance with access control policies.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, ensuring oversight of password reset attempts to protect financial systems and sensitive customer data.
• Access Control Compliance: Supports compliance with PCI DSS Requirement 8, which mandates secure authentication and password management practices.
• Audit Readiness: Tracks all password reset attempts, providing traceability and accountability for frameworks like SOC2 Type 2 and ISO 27001.
• Incident Detection: Identifies unauthorized or suspicious password reset attempts, which could indicate account compromise, phishing attacks, or insider threats.
• Data Protection: Ensures compliance with GDPR Article 32, demonstrating controls to monitor and restrict unauthorized password reset activities to prevent unauthorized access to sensitive data.', null, null, null, null, null, null, null, null, null, 701, true, 294, 'TEMPLATE', null, null, 'Windows User Password Reset Attempt', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (932, 'This report collects and analyzes relevant information from AWS logs related to the ConsoleLogin event, with the objective of verifying compliance with the Level 2 requirement (AU.2.044) of the CMMC framework. Reviewing these logs can detect inappropriate behavior, such as unauthorized access attempts, access from unusual locations, or multiple failed login attempts. 
By monitoring these events, you strengthen the security of your environment and facilitate early identification of potential insider threats or compromised credentials.', null, null, null, null, null, null, null, null, null, 501, true, 353, 'TEMPLATE', null, null, 'AWS Level 2 (AU.2.044): Console Login', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (936, 'This report collects and analyzes AWS log events related to the AssumeRole action, used for role assumption in AWS IAM. Its objective is to provide visibility over remote access to sensitive systems, allowing possible misuse or unauthorized access to be identified.

The report contributes to compliance with Level 3 (AC.3.032) of CMMC, which requires monitoring and controlling remote access to systems that contain sensitive information. Reviewing AssumeRole events can detect unexpected privilege changes, accesses from unusual locations, or the use of compromised credentials.', null, null, null, null, null, null, null, null, null, 501, true, 354, 'TEMPLATE', null, null, 'AWS Level 3 (AC.3.032): Access Roles Assumption', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (938, 'This report collects and analyzes AWS log events related to ListAccessKeys, with the objective of evaluating compliance with CMMC Level 4 control (AU.4.053), which requires the detection of anomalous user behavior using automated tools.

The ListAccessKeys event is used to list the access keys associated with an AWS account, which can be an indicator of suspicious activity or credential scanning attempts. Continuous monitoring of this event allows us to detect unusual access, identify possible account compromises and mitigate risks associated with exposed or misused credentials.

Analysis of these logs includes key information such as the user or role that executed the action, the source IP address, the service from which the request was made, and the frequency of these events. Correlation with automated behavioral analysis tools allows irregular patterns to be identified and alerts generated for potential threats, contributing to a proactive approach to cloud infrastructure security.', null, null, null, null, null, null, null, null, null, 501, true, 360, 'TEMPLATE', null, null, 'AWS Level 4 (AU.4.053): ListAccessKeys Logs', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (934, 'This report collects and analyzes relevant information from AWS logs about the DetachUserPolicy event, with the objective of verifying compliance with the Cybersecurity Maturity Model Certification (CMMC) Level 2 control (AU.2.044).

The DetachUserPolicy event is raised when a policy attached to a user is deleted in AWS IAM, which may indicate changes to access permissions. The periodic review of these events allows us to detect possible inappropriate activities, unauthorized access or incorrect security configurations that could compromise the integrity and security of the infrastructure.

The review of these records contributes to the strengthening of auditing and monitoring practices for the protection of sensitive information.', null, null, null, null, null, null, null, null, null, 501, true, 361, 'TEMPLATE', null, null, 'AWS Level 2 (AU.2.044): User Policies Removal', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (935, 'This report collects and analyzes AWS log events related to the ListUsers action in Amazon Cognito. Its purpose is to provide visibility into user listing requests within the environment, allowing unusual or potentially inappropriate behavior to be detected.

The report contributes to compliance with CMMC Level 2 (AU.2.044), which requires periodic review of audit logs to identify suspicious or unauthorized activities. By monitoring ListUsers events, you can detect unusual accesses, user enumeration attempts, or anomalous activity from unknown IP addresses.

The data includes key information that makes it easy to identify access patterns and implement corrective measures in case of suspicious activity.', null, null, null, null, null, null, null, null, null, 501, true, 362, 'TEMPLATE', null, null, 'AWS Level 2 (AU.2.044): User Listing Activity', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (937, 'This report collects and analyzes AWS log events related to DescribeInstances, with the objective of evaluating compliance with CMMC Level 3 control (AC.3.032), which requires monitoring and controlling remote access to sensitive systems.

The DescribeInstances event allows you to obtain information about EC2 instances in AWS, which could indicate attempts to enumerate resources within the infrastructure. Analyzing these events helps detect unusual access, identify suspicious usage patterns, and strengthen the security of your cloud environment.

The data presented includes key details. This information is essential to identify possible internal threats or unauthorized access attempts, allowing a proactive response to security risks.', null, null, null, null, null, null, null, null, null, 501, true, 363, 'TEMPLATE', null, null, 'AWS Level 3 (AC.3.032): Querying EC2 Instances', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (476, 'This report collects the records of event 4625 from the Windows logs, which document failed login attempts to the system. The information obtained from these events is essential to verify compliance with CMMC''s access control and authentication policy Level 1 (AC.1.001), which states that only authorized users should have access to the system.

The report includes details such as the names of users who attempted access, the host names, and the reasons for login failures. The analysis of these events allows us to identify unauthorized access attempts or possible threats, ensuring that access to the system is appropriately restricted and in line with established security policies.', null, null, null, null, null, null, null, null, null, 510, true, 266, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): Account Logon Failure', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (478, 'This report collects the logs of event 4720 from the Windows logs, which document the creation of new user accounts on the system. This information is key to verify compliance with CMMC''s Level 2 Authentication and Access Control policy (AC.2.007), which requires the implementation of role-based access controls (RBAC) to ensure that users have access only to the resources necessary for their functions.

The report includes details such as the identities of the created users, assigned roles, account creation dates and times, as well as the user or system that performed the action. This analysis ensures that the creation of accounts and the assignment of roles is carried out in a controlled manner and in accordance with security policies, which facilitates the proper management of permissions and access to system resources.', null, null, null, null, null, null, null, null, null, 510, true, 267, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): User Accounts Created', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (477, 'This report compiles the records of Windows log event 4624, which correspond to successful login attempts to the system. The information extracted from these events is used to verify compliance with the Level 1 policy (AC.1.001) of the CMMC Access Control and Authentication framework, which establishes that access to the system must be limited exclusively to authorized users.

The details provided in the report include user names and host names to ensure that only people with specific privileges have access to the system. The analysis of these events contributes to the detection of unauthorized access and facilitates the validation of the appropriate implementation of access controls.', null, null, null, null, null, null, null, null, null, 510, true, 265, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.043): Account Logon Success', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (600, 'This report collects and presents relevant information about UserLoginFailed events in Office 365 logs, with the objective of verifying compliance with CMMC practice AC.1.001. Its purpose is to ensure that access to the system is restricted to authorized users, and to detect failed login attempts, which could indicate unauthorized access attempts or brute force attacks.

The report includes details such as user identity, source IP address, geographic location. This information is crucial for identifying suspicious patterns, blocking unauthorized access, and enforcing authentication controls in the system, helping to protect sensitive data and corporate resources.', null, null, null, null, null, null, null, null, null, 510, true, 262, 'TEMPLATE', null, null, 'Office 365 Level 1 (AC.1.001): Account Logon Failure', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (480, 'This report compiles the Windows log event 4726 logs, which document the deletion of user accounts on the system. The extracted information is key to verify compliance with CMMC''s Level 2 (AC.2.007) Access Control and Authentication policy, which requires the implementation of role-based access controls (RBAC). This principle ensures that only users with specific roles have access to necessary resources.

The report includes important details such as the identities of the deleted accounts, the date and time of deletion, and the user or system that executed the action. The analysis of these events ensures that accounts are deleted in a controlled manner and in accordance with established security policies, helping to maintain an IT environment free of unauthorized access and appropriately managing permissions according to the needs of each role.', null, null, null, null, null, null, null, null, null, 510, true, 272, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): User Accounts Deleted', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (481, 'This report compiles the records of events 4663 and 4656 from the Windows logs, which focus on auditing access to security objects, such as files or folders that contain Controlled Unclassified Information (CUI), and the actions performed about these objects. Event 4663 is generated when a user or process performs an access operation (such as read, write, or modify) on an object, while event 4656 documents access attempts to those security objects, including the action requested and whether it was allowed or denied. These events are essential to verify compliance with the CMMC''s Level 3 Access Control and Authentication policy (AC.3.014), which requires controlling the flow of CUI and protecting the access points that allow its access or modification.

The report includes key details such as the name of the accessed object (file, folder, etc.), the type of access performed (read, write, delete, etc.), the identity of the user or process that performed the action, the date and time of the operation, and whether access was allowed or denied. Analysis of these events ensures that controls over resources containing CUI are effective, that the flow of information is appropriately restricted, and that established security policies for the protection of sensitive data are complied with.', null, null, null, null, null, null, null, null, null, 510, true, 273, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.014): Attempt to Access a Protected Object', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (482, 'This report collects event 4670 logs from the Windows logs, which document changes to the permissions of objects on the system (such as files, folders, or registry keys). The information obtained from these events is crucial to verify compliance with CMMC''s Level 2 Authentication and Access Control policy (AC.2.007), which requires the implementation of role-based access controls (RBAC) to ensure that users have access only to the resources necessary for their functions.

The report includes details such as the name of the object whose permission was modified, the permissions assigned, the identity of the user or process that made the change, and the date and time the modification was made. The analysis of these events ensures that changes in object permissions are managed in a controlled manner, in accordance with security policies and the roles assigned to each user, which helps prevent unauthorized access and maintain the principle of least protection. privilege.', null, null, null, null, null, null, null, null, null, 510, true, 274, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): Protected Object Permission Change', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (483, 'This report collects event 5145 logs from the Windows logs, which document attempts to access shared resources on the network, such as files or folders that contain Controlled Unclassified Information (CUI). Event 5145 is generated when an access attempt to a shared resource is made and logged, providing detailed information about whether access was allowed or denied. This information is crucial to verify compliance with CMMC''s Level 3 (AC.3.014) Access Control and Authentication policy, which requires controlling the flow of CUI and adequately protecting access points to this sensitive data.

The report includes key details such as the name of the share that was attempted to be accessed, the identity of the user or process that made the access attempt, the action taken (allow or deny), the source of the access (IP address or source computer). ), and the date and time of the attempt. Analysis of these events allows you to verify that access to resources containing CUI is appropriately restricted, protecting access points from unauthorized access and ensuring that security controls are aligned with CMMC policies.', null, null, null, null, null, null, null, null, null, 510, true, 275, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.014): Access to shared resource', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (484, 'This report collects the Windows log event 4740 logs, which document the locking out of user accounts after multiple failed authentication attempts. Event 4740 is generated when an account is locked due to repeated unsuccessful access attempts, providing key information about possible unauthorized access attempts or brute force attacks. This information is crucial to verify compliance with CMMC''s Level 5 (AC.5.025) Access Control and Authentication policy, which requires continuous monitoring of access through advanced behavioral analysis.

The report includes key details such as the name of the blocked account, the identity of the user or process that generated the event, the IP address or computer of origin of the access attempt and the date and time of the block, among others. The analysis of these events allows us to identify behavioral patterns in system access, detect intrusion attempts in real time and strengthen security strategies based on advanced analysis of user behavior. This proactive approach helps prevent unauthorized access and ensure security controls are aligned with CMMC Level 5 policies.', null, null, null, null, null, null, null, null, null, 510, true, 276, 'TEMPLATE', null, null, 'Windows Level 5 (AC.5.025): Account Locks', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (485, 'This report collects event 4663 logs from the Windows logs, which document access attempts to system objects, such as files and folders that may contain Controlled Unclassified Information (CUI). Event 4663 is generated when a user or process attempts to access a protected object and logs whether the action was allowed or denied. This information is crucial to verify compliance with CMMC''s Level 3 (AC.3.014) Access Control and Authentication policy, which requires controlling the flow of CUI and adequately protecting access points to this sensitive data.

The report includes key details such as the name of the file or folder that was attempted to be accessed, the identity of the user or process that made the attempt, and the date and time of the attempt. Analysis of these events allows verification that access to resources containing CUI is appropriately restricted, detecting possible unauthorized access attempts and ensuring that security controls are aligned with CMMC policies.', null, null, null, null, null, null, null, null, null, 510, true, 277, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.014): Access to critical files or specific directories', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (487, 'This report collects event 4672 logs from the Windows logs, which document logins by users with elevated privileges, such as those belonging to the Administrators group or with other special permissions. This event is essential to verify compliance with CMMC''s Authentication and Access Control Level 2 policy (AC.2.007), which requires the implementation of role-based access controls (RBAC), ensuring that only authorized users have access. to sensitive resources and special privileges.

The report includes details such as the identity of the user logged in with elevated privileges, the source of access (IP address or source machine), and more. The analysis of these events allows us to verify that privileged access is restricted to users with specific and authorized roles, maintaining the principle of least privilege and minimizing the risk of unauthorized access.', null, null, null, null, null, null, null, null, null, 510, true, 278, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): Special privileges assigned to new logon', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (590, 'This report collects the records of event 4688 from the Windows logs, which document the creation of new processes in the system. Event 4688 is generated every time a process is started, providing key information about the execution of applications and commands, which allows detecting suspicious activities such as the execution of malware, the use of unauthorized tools or attempts to escalate privileges. This information is crucial to verify compliance with CMMC''s Level 5 (AC.5.025) Access Control and Authentication policy, which requires continuous monitoring of access through advanced behavioral analysis.

The report includes key details such as the name of the started process, the identity of the user or service account that ran the process, the path of the executable, the execution parameters, the identity of the parent process, among others. The analysis of these events allows us to detect anomalous behavior patterns, identify the use of unauthorized tools and strengthen security strategies through proactive detection of threats in real time. This report contributes to the early identification of attacks and the protection of systems that handle Controlled Unclassified Information (CUI), ensuring that security controls are aligned with CMMC Level 5 policies.
', null, null, null, null, null, null, null, null, null, 510, true, 284, 'TEMPLATE', null, null, 'Windows Level 5 (AC.5.025): Process Creation', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (589, 'This report collects and analyzes the records of events 5140 and 5145 of the Windows logs, which monitor access to shared resources on the network, such as files and folders that may contain Controlled Unclassified Information (CUI).
Event 5140 is generated when a shared resource on the network is accessed by a user or process, providing key information about the established session and the users involved.
Event 5145 documents specific attempts to access files or folders within a share, indicating whether the action was allowed or denied and detailing the permissions used.
These events are critical to verify compliance with CMMC Level 3 policy AC.3.014, which requires controlling the flow of CUI and protecting access points to this sensitive data within the network infrastructure.

The report includes key details such as:
-Name of the accessed share.
-Identity of the user or process that performed the action.
-IP address or source computer from where the resource was accessed.
-Date and time of the access attempt', null, null, null, null, null, null, null, null, null, 510, true, 285, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.014): Network Access to shared resource', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (873, 'This report compiles and presents relevant information about AttachRolePolicy events in AWS, with the objective of verifying compliance with CMMC practice AC.2.007. It focuses on ensuring that access policies are properly associated with roles, ensuring that role-based access controls (RBAC) are implemented correctly. The report includes key details about the policies assigned to the roles, the specific role affected, the accounts involved, and the source of the request. 
This information is crucial to verify that access to sensitive resources is strictly controlled by assigning appropriate permissions based on user roles, ensuring that the principle of least privilege is maintained and risks of unauthorized access are minimized.', null, null, null, null, null, null, null, null, null, 510, true, 356, 'TEMPLATE', null, null, 'AWS Level 2 (AC.2.007): Attach Role Policy', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (576, 'This report groups the records of event 4729 from the Windows logs, which document the removal of a user from a security group on the system. This information is crucial to verify compliance with CMMC''s Authentication and Access Control Policy Level 2 (AC.2.007), which establishes the implementation of role-based access controls (RBAC), ensuring that users maintain access only to the resources necessary for their assigned functions and roles.

The report includes important details such as the identities of users removed from security groups, the name of the group to which they belonged, the date and time of the removal, and the account that made the modification. The analysis of these events allows us to verify that the management of roles and permissions is carried out in a controlled manner, ensuring that access is adequate and minimizing the risk of unauthorized access.', null, null, null, null, null, null, null, null, null, 510, true, 317, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): Security Group Member Removal', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (479, 'This report groups the records of event 4722 from the Windows logs, which document the activation of user accounts previously disabled on the system. The information collected is essential to verify compliance with CMMC''s Authentication and Access Control policy Level 2 (AC.2.007), which requires the implementation of role-based access controls (RBAC). This ensures that users only have access to the resources they need based on their role.

The report includes key details such as the identity of the activated accounts, the role assigned, the date and time of activation, as well as the user or system account that performed the action. The analysis of these events allows us to guarantee that accounts are activated and managed in a controlled manner and in compliance with access policies, preventing improper access and maintaining the principle of least privilege in the assignment of roles and permissions.', null, null, null, null, null, null, null, null, null, 510, true, 293, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): User Accounts Enabled', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (574, 'This report compiles and presents the relevant information extracted from the Windows event logs corresponding to event 4776, which is triggered during authentication attempts on systems using network authentication (NTLM). Analysis of these logs is essential to verify compliance with CMMC practice AC.1.001, which establishes the need to limit system access to authorized users only.

Event 4776 is used to audit access attempts, both successful and unsuccessful, and can provide key data on unauthorized access or inappropriate access attempts. This report includes details such as the username, the origin of the authentication request, and the authentication status.

Based on the information obtained, this report validates that access to the systems is restricted to previously authorized users and provides evidence to ensure compliance with access control and authentication policies.', null, null, null, null, null, null, null, null, null, 510, true, 301, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): Account Authentication Using NTLM', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (585, 'This report collects the records of event 4697 from the Windows logs, which document the installation of new services on the system. Event 4697 is generated when a service is installed, providing key information about the user who performed the installation, the associated executable, and the privileges with which the service is running. This information is crucial to verify compliance with CMMC''s Level 3 (AC.3.014) Access Control and Authentication policy, which requires controlling the flow of CUI and adequately protecting access points to this sensitive data.

The report includes key details such as the name of the installed service, the identity of the user or process that performed the installation, the date and time of the installation, among others. The analysis of these events allows us to verify that only authorized users can install services in the environment, avoiding unauthorized access, the execution of malicious software and possible leaks of Controlled Unclassified Information (CUI), ensuring that security controls are aligned with the CMMC policies.
', null, null, null, null, null, null, null, null, null, 510, true, 305, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.014): Service Installed', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (587, 'This report collects the Windows log event 4771 logs, which document failed Kerberos authentication attempts on the system. Event 4771 is generated when a Kerberos authentication attempt cannot complete, which may indicate unauthorized access or an attempted access to protected resources, such as those containing Controlled Unclassified Information (CUI). This information is crucial to verify compliance with CMMC''s Level 3 (AC.3.014) Access Control and Authentication policy, which requires controlling the flow of CUI and adequately protecting access points to this sensitive data.

The report includes key details such as the identity of the user or system that attempted the failed authentication, the date and time of the attempt, the source of the access attempt (IP address or source computer), and the resource or service that was attempted to be accessed. . The analysis of these events is essential to identify and mitigate possible unauthorized access threats, ensuring that CUI access points are properly protected against attacks and non-legitimate access, in accordance with the security policies required by CMMC.', null, null, null, null, null, null, null, null, null, 510, true, 310, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.014): Kerberos pre-authentication failed', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (575, 'This report collects the Windows log event 4728 logs, which document the addition of a user to a security group on the system. This information is essential to verify compliance with CMMC''s Level 2 (AC.2.007) Access Control and Authentication policy, which requires the implementation of role-based access controls (RBAC), ensuring that users only have access to the necessary resources according to their function and role.

The report includes key details such as the identities of users added to security groups, the name of the group to which they were assigned, the date and time of the modification, as well as the account that performed the action. The analysis of these events ensures that the assignment of roles and permissions is carried out in a controlled manner and in accordance with established security policies, helping to maintain the principle of least privilege and prevent unauthorized access.', null, null, null, null, null, null, null, null, null, 510, true, 316, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): Additions to Security Groups', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (577, 'This report collects the records of event 4731 from the Windows logs, which document the creation of a security group on the system. This information is essential to verify compliance with CMMC''s Level 2 Authentication and Access Control policy (AC.2.007), which requires the implementation of role-based access controls (RBAC), ensuring that access to the system is assigned. appropriately and only to users with the roles necessary for their functions.

The report includes key details such as the name, the identities of the administrators responsible for the creation, the date and time of the action, and any other information related to the group configuration. The analysis of these events ensures that the creation of security groups is carried out in a controlled manner, in line with established security policies, to facilitate effective management of user roles and permissions.', null, null, null, null, null, null, null, null, null, 510, true, 318, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): Creation of Security-Enabled Local Group', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (578, 'This report compiles the Windows log event 4735 logs, which document the modification of the properties of a security group on the system. This information is key to verify compliance with CMMC''s Level 2 (AC.2.007) Access Control and Authentication policy, which requires the implementation of role-based access controls (RBAC).

The report includes details such as the name of the modified security group, the changes made to its properties, as well as the identity of the user or system that performed the action. The date and time of the modification is also included. The analysis of these events ensures that modifications to security groups are carried out in a controlled manner and in accordance with established security policies, ensuring that users maintain appropriate access and permissions according to their roles and minimizing the risk of unauthorized access.', null, null, null, null, null, null, null, null, null, 510, true, 319, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): Security enabled local group change', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (579, 'This report collects the Windows log event 4732 logs, which document the addition of a user to a security group on the system. This information is crucial to verify compliance with the CMMC''s Authentication and Access Control policy Level 2 (AC.2.007), which establishes the implementation of role-based access controls (RBAC).

The report includes key details such as the name of the security group to which the user was added, the identity of the added user, the account or system that performed the action, among others. The analysis of these events allows us to verify that users are assigned to security groups according to their role and need for access to specific resources. This ensures that access is adequate and that the risk of unauthorized access is minimized, complying with established security policies and facilitating the correct implementation of the RBAC model.', null, null, null, null, null, null, null, null, null, 510, true, 320, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): Member Addition to a Security Local Group', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (617, 'This report collects the logs for Windows log event 4733, which document the removal of a user from a security group on the system. This information is essential to verify compliance with CMMC''s Authentication and Access Control Policy Level 2 (AC.2.007), which requires the implementation of role-based access controls (RBAC).

The report includes key details such as the name of the security group from which the user was removed, the identity of the removed user, the account or system that performed the action, and the date and time of the modification. The analysis of these events ensures that actions to remove users from security groups are carried out in a controlled manner, ensuring that access to resources is appropriate and adheres to the principle of least privilege. This minimizes the risk of unauthorized access and ensures that access controls are managed according to the roles defined for each user, complying with CMMC security policies.', null, null, null, null, null, null, null, null, null, 510, true, 321, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): Local Security Group Member Removal', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (580, 'This report collects the records of Windows log event 4657, which documents changes to the security settings of file and folder objects, especially those that contain Controlled Unclassified Information (CUI). Event 4657 is generated when a modification is made to the properties of an object, such as changes to access control lists (ACLs), the security property of a file or folder, or audit settings. This information is essential to verify compliance with CMMC''s Level 3 policy (AC.3.014), which requires controlling the flow of CUI and adequately protecting access points to this data.

The report includes key details such as the name of the modified object, the type of change made (for example, modifications to ACLs, access permissions, or security attributes), the identity of the user or process that made the modification, and the date and time the change occurred. The analysis of these events allows us to verify that the security configurations of the objects that contain CUI are adequately managed and that access to this data is correctly controlled, aligning with the security policies that protect sensitive information.', null, null, null, null, null, null, null, null, null, 510, true, 322, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.014): Registry Value Modification', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (602, 'This report compiles and presents relevant information about AddedToGroup events in Office 365 logs, with the objective of verifying compliance with CMMC practice AC.2.007. Its purpose is to ensure that role-based access controls (RBAC) are implemented correctly, ensuring that users are only added to groups according to their roles and responsibilities within the organization.

The report includes key details such as the user added to the group, the group that has been granted access, the account that performed the action, the time of the event, and any changes to access permissions. This information is crucial to ensuring that users have only the permissions necessary to perform their jobs and that the principle of least privilege is maintained, thereby minimizing the risks of unauthorized access to sensitive resources.', null, null, null, null, null, null, null, null, null, 510, true, 324, 'TEMPLATE', null, null, 'Office 365 Level 2 (AC.2.007): SharePoint Group Membership Additions', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (603, 'This report collects and presents relevant information about FileAccessed and FileAccessedExtended events in Office 365 logs, with the objective of verifying compliance with CMMC practice AC.3.014. The focus of the report is on controlling the flow of sensitive information (CUI) and protecting access points to sensitive files, ensuring that only authorized users can access critical data.

The report includes key details such as the file accessed, the user who accessed it, the time of the event, among others. This information is crucial for monitoring and auditing access to confidential information, identifying potential risks or unauthorized access, and ensuring that access controls are being correctly applied to protect sensitive data entry points within the organization.', null, null, null, null, null, null, null, null, null, 510, true, 325, 'TEMPLATE', null, null, 'Office 365 Level 3 (AC.3.014): File Accessed', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (604, 'This report collects and presents relevant information about SecurityRoleUpdated events in Office 365 logs, with the objective of verifying compliance with CMMC practice AC.2.007. The focus of the report is on ensuring that security role updates are managed appropriately, ensuring that users have access only to the resources necessary according to their role and responsibility within the organization.

The report includes essential details such as the user whose security role was modified, the account that performed the action, the time of the event, among others. This information is key to ensuring that role-based access controls (RBAC) are being properly implemented and maintained, which contributes to the protection of sensitive data and helps prevent unauthorized access to critical systems and resources.', null, null, null, null, null, null, null, null, null, 510, true, 326, 'TEMPLATE', null, null, 'Office 365 Level 2 (AC.2.007): Security Role Update', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (605, 'This report collects and presents relevant information about the AddedToSharingLink event in Office 365 logs, with the objective of verifying compliance with CMMC practice AC.3.014. The focus of the report is on controlling the flow of sensitive information (CUI) and protecting access points to shared resources, ensuring that the use of file sharing links is restricted and appropriately monitored.

The report includes key details such as the shared file or folder, users added to the sharing links, time of the event, access settings (for example, read-only or edit access), and security policies associated with the shared link. . This information is essential to ensure that only authorized users can access sensitive information through sharing links, minimizing the risk of unauthorized exposure and maintaining control over the flow of CUI in the organization.', null, null, null, null, null, null, null, null, null, 510, true, 327, 'TEMPLATE', null, null, 'Office 365 Level 3 (AC.3.014): Sharing Link Operation', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (606, 'This report collects and presents relevant information about the AddedToSecureLink event in Office 365 logs, with the objective of verifying compliance with CMMC practice AC.3.014. The report focuses on controlling the flow of sensitive information (CUI) and securing access points to shared resources securely, ensuring that secure links are used appropriately for access to sensitive data.

The report includes key details such as the users who have been added to the secure links, the time of the event, the type of file or share, among others. This information is crucial to ensure that access to the CUI is properly controlled, protecting the integrity of the shared data and ensuring that only authorized persons can access it through secure channels, in accordance with security and access control standards. required by CMMC.', null, null, null, null, null, null, null, null, null, 510, true, 328, 'TEMPLATE', null, null, 'Office 365 Level 3 (AC.3.014): Secure Link Operation', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (607, 'This report compiles and presents relevant information about the Add delegated permission granted event in Office 365 logs, with the objective of verifying compliance with CMMC practice AC.3.014. It focuses on controlling the flow of sensitive information (CUI) and protecting resource access points, ensuring that permission delegations are appropriately and securely assigned.

The report includes key details about the delegated permissions granted. This information is essential to ensure that CUI-sensitive access points are strictly controlled, allowing only authorized access through delegated permissions that are aligned with established security policies. In this way, access to sensitive data is protected and misuse of permissions is prevented, complying with CMMC access control and information flow requirements.', null, null, null, null, null, null, null, null, null, 510, true, 329, 'TEMPLATE', null, null, 'Office 365 Level 3 (AC.3.014): Delegated Permission Grant', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (608, 'This report gathers relevant information about the FileTranscriptContentAccessed event from Office 365 logs, with the goal of verifying compliance with CMMC practice AC.3.014. The focus is on controlling the flow of sensitive information, specifically as it relates to the transcribed contents of files, ensuring that access to CUI (Controlled Unclassified Information) is adequately monitored and protected.

The report includes details about the users who have accessed file transcripts, as well as the identifiers of the files involved. Additionally, the type of access performed (read, modify, etc.) and any relevant details about the security settings applied (for example, access policies, multi-factor authentication) are documented. This information is crucial to detect possible unauthorized or inappropriate access to CUI, ensuring that the flow of said information is controlled and protected, in accordance with the security standards established by CMMC.', null, null, null, null, null, null, null, null, null, 510, true, 330, 'TEMPLATE', null, null, 'Office 365 Level 3 (AC.3.014): File Access and Activity', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (609, 'This report compiles key information about the FileDownloaded event in Office 365 logs, with the goal of verifying compliance with CMMC practice AC.3.014. The main purpose is to monitor the flow of sensitive information and protect access points to CUI (Controlled Unclassified Information), ensuring that files with critical information are downloaded only by authorized users.

The report includes details about the users downloading files, the names and locations of the files involved, as well as the IP addresses from which the downloads were made. Additionally, security settings such as access controls and any suspicious or unauthorized activity related to file downloads are documented. This information is essential to detect and prevent improper access to CUI, ensuring compliance with the security standards established by CMMC to protect the integrity of critical information.', null, null, null, null, null, null, null, null, null, 510, true, 331, 'TEMPLATE', null, null, 'Office 365 Level 3 (AC.3.014): OneDrive File Download', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (870, 'This report presents detailed logs of access attempts to the AWS console, focused on verifying that only authorized users have access to the system. Login activity is analyzed using the ConsoleLogin event to ensure that access is limited to authenticated and authorized users, in accordance with CMMC practice AC.1.001, which establishes the need to restrict access to systems to only authorized users. 
The report includes key information such as authentication status (with/without MFA), source IP address, and login username, to monitor and prevent unauthorized access.', null, null, null, null, null, null, null, null, null, 510, true, 353, 'TEMPLATE', null, null, 'AWS Level 1 (AC.1.001): Console Login', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (874, 'This report compiles and presents relevant information about ConsoleLogin events in AWS, with the objective of verifying compliance with CMMC practice AU.1.001. It focuses on ensuring that AWS console logins are properly audited, ensuring that access to the system is effectively monitored. The report includes key details about login attempts, such as the user involved, the source IP address, and whether multi-factor authentication (MFA) was used. 
This information is crucial to verify that console accesses are recorded in a way that detects unauthorized activities, ensuring the integrity of the systems and compliance with audit requirements to protect sensitive data.', null, null, null, null, null, null, null, null, null, 510, true, 353, 'TEMPLATE', null, null, 'AWS Level 1 (AU.1.001): Console Login', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (871, 'This report presents a detailed analysis of AssumeRole events in AWS, with the objective of verifying that access to the systems is restricted to authorized users only. Through role assumption records, compliance with CMMC practice AC.1.001 is reviewed, which establishes the limitation of access to systems and data to duly authorized users and roles. 
The report includes key details such as the role assumed, among others, ensuring that only legitimate actors can obtain additional privileges on the systems.', null, null, null, null, null, null, null, null, null, 510, true, 354, 'TEMPLATE', null, null, 'AWS Level 1 (AC.1.001): Access Roles Assumption', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (872, 'This report presents a detailed analysis of CreateRole events in AWS, focused on verifying the implementation of role-based access controls (RBAC) to ensure compliance with CMMC practice AC.2.007. The goal is to ensure that the creation and assignment of roles in the AWS infrastructure is done in a controlled manner and aligned with the principles of minimum access and segregation of duties. 
The report includes critical information such as the name of the role created, the associated policy, the AWS account involved, and details about the source of the request, allowing you to verify that only the appropriate roles are defined for access to sensitive resources and that They are maintained in accordance with established safety requirements.', null, null, null, null, null, null, null, null, null, 510, true, 354, 'TEMPLATE', null, null, 'AWS Level 2 (AC.2.007): Access Roles Assumption', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (997, 'This report provides a detailed analysis of file deletion events (FileDeleted) in the O365 (SharePoint) environment, with the objective of verifying compliance with the controls established in CMMC Level 3 (AC.3.014). The report collects information on file deletion activities to ensure that sensitive data, including CUI, is managed according to access and protection policies. The purpose of the report is to monitor the flow of CUI, ensuring that files containing this information are deleted according to expiration and retention policies, without unauthorized deletions. In addition, it verifies that only users with appropriate permissions are carrying out the deletion of sensitive files, ensuring that deletion operations are tracked and audited to detect any suspicious or unauthorized activity. 
It also allows you to identify patterns and unusual events related to the deletion of sensitive files, providing a key tool to ensure the protection of information and compliance with CMMC Level 3 regulations.', null, null, null, null, null, null, null, null, null, 510, true, 394, 'TEMPLATE', null, null, 'Office 365 Level 3 (AC.3.014): File Deleted', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (998, 'This report provides a detailed analysis of file sharing events (SharingSet) in the O365 environment (OneDrive/SharePoint), with the aim of verifying compliance with the controls established in CMMC Level 2 (AC.2.007).

The purpose of this monitoring is to ensure that only users and groups with the appropriate privileges can access sensitive files, avoiding unnecessary exposure or improper access. In addition, it allows identifying possible risks, such as the use of public links or the assignment of excessive permissions, and detecting unusual activity patterns in permission management.

This report is a key tool to ensure that the principles of least privilege and segregation of duties are correctly applied in the O365 environment, contributing to the protection of information and compliance with CMMC Level 2 requirements.', null, null, null, null, null, null, null, null, null, 510, true, 395, 'TEMPLATE', null, null, 'Office 365 Level 2 (AC.2.007): Sharing Set', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (775, 'This report compiles relevant information from the Windows logs generated by event 4740, which is triggered when a user account is locked due to failed login attempts. This event is essential to comply with CMMC control CM.3.068, which requires the implementation of controls to manage system configurations and ensure access security.

Monitoring this event can detect possible brute force attacks, unauthorized access attempts, or authentication misconfigurations that could compromise system security.

This report allows security teams to properly analyze and manage account lockouts, ensuring that access is monitored and controlled in accordance with established policies. Its implementation strengthens system configuration management and contributes to CMMC compliance, guaranteeing a timely response to possible threats related to access to user accounts.', null, null, null, null, null, null, null, null, null, 506, true, 276, 'TEMPLATE', null, null, 'Windows Level 3 (CM.3.068): Account Locks', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (769, 'This report collects relevant information from the Windows logs generated by event 4663, which is triggered when an access attempt is made to an object with specific permissions, such as files, folders, or registry keys. This event is key to complying with CMMC control CM.2.063, which requires monitoring changes to the system to detect unauthorized or suspicious modifications.

By monitoring these events, security teams can identify anomalous activity, such as attempts to modify critical system files, changes to security configurations, or improper access to sensitive data.

This report allows administrators to evaluate whether changes made to the system are legitimate or indicate a possible threat, such as file manipulation by malware or a user with improper privileges. Additionally, its analysis contributes to CMMC compliance by ensuring that changes to the system are recorded and reviewed to prevent security incidents.', null, null, null, null, null, null, null, null, null, 506, true, 277, 'TEMPLATE', null, null, 'Windows Level 2 (CM.2.063): Access to critical files or specific directories', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (772, 'This report collects relevant information from the Windows logs generated by event 4719, which is triggered when changes are made to the system audit policy configuration. This event is critical to comply with CMMC control CM.3.068, which requires the implementation of controls to manage system configurations and ensure infrastructure security.

Monitoring this event can detect unauthorized or suspicious alterations to the audit logs, which could indicate monitoring evasion attempts or malicious activities within the system.

This report is essential so that security teams can identify and respond to changes in audit configuration, ensuring that critical records remain protected and that any modifications to system policies are properly evaluated and justified. Its implementation strengthens configuration management and contributes to CMMC compliance, ensuring rigorous control over the integrity of the organizational infrastructure.', null, null, null, null, null, null, null, null, null, 506, true, 280, 'TEMPLATE', null, null, 'Windows Level 3 (CM.3.068): Policy changes', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (770, 'This report compiles relevant information from the Windows logs generated by event 4688, which is triggered when a new process is created on the system. This event is critical to comply with CMMC control CM.2.063, which requires monitoring of system changes to detect unauthorized or suspicious modifications.

Analysis of these logs can identify anomalous activities, such as the execution of unauthorized software, the launch of malicious scripts, or attempts to escalate privileges.

This report helps security teams track the creation of processes in the system, evaluate potential threats, and quickly respond to suspicious events. Additionally, its implementation contributes to CMMC compliance, ensuring that changes to the system are monitored and that potential risks are detected before compromising the integrity of the infrastructure.', null, null, null, null, null, null, null, null, null, 506, true, 284, 'TEMPLATE', null, null, 'Windows Level 2 (CM.2.063): Process Creation', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (776, 'This report compiles relevant information from the Windows logs generated by event 5058, which is triggered when a private key is loaded or modified in Windows Key and Certificate Manager. This event is crucial to comply with CMMC Level 3 control CM.3.068, which requires the implementation of controls to manage system configurations.

Event 5058 allows you to monitor changes in cryptographic key management, which is essential to detect possible attempts at certificate manipulation, unauthorized access to private keys, or improper configurations that may compromise system security. Identifying and recording these changes helps prevent attacks based on altered credentials or misuse of digital certificates.

This report provides visibility into changes to the key and certificate infrastructure, allowing security teams to evaluate the integrity of cryptographic mechanisms and ensure compliance with organizational security policies, thus strengthening risk management and protection of assets. critical assets.', null, null, null, null, null, null, null, null, null, 506, true, 304, 'TEMPLATE', null, null, 'Windows Level 3 (CM.3.068): Certificate Configuration Changes', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (588, 'This report compiles the records of security alerts generated in the Windows logs, used to monitor access patterns and detect possible anomalies in the use of system resources. These alerts are triggered in response to significant security events, such as unauthorized access, suspicious modifications to critical files, or privilege escalation attempts. The collection and analysis of these alerts is essential to verify compliance with CMMC''s Level 4 Access Control and Authentication policy (AC.4.021), which requires the use of automated tools to monitor access patterns and detect unusual activities that may compromise the security of Controlled Unclassified Information (CUI).

The report includes key details such as:
-Events that caused the alert, providing context about the suspicious activity.
-Severity of the alert, indicating the level of associated risk.
-Status of the alert, specifying whether it is active, resolved or under investigation.
-Alert category, classifying the type of threat detected (for example, unauthorized access, permission changes, failed authentication attempts).
-Source of the event, identifying the system, user or process that generated the alert.
-Date and time of the event, allowing the activity to be correlated with other security events.

The analysis of these alerts allows us to detect anomalous access patterns, improve incident response capacity, and strengthen security controls in environments that handle CUI. By using automated tools for continuous access monitoring, this report helps ensure that access points and the flow of sensitive information are proactively protected, in alignment with CMMC Level 4 requirements.', null, null, null, null, null, null, null, null, null, 510, true, 248, 'TEMPLATE', null, null, 'Windows Level 4 (AC.4.021): Alerts', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (771, 'This report collects relevant information from the Windows logs generated by event 7045, which is triggered when a new service is installed on the system. This event is crucial to comply with CMMC control CM.2.063, which requires monitoring system changes to detect unauthorized or suspicious modifications.

Reviewing these logs can identify the installation of unauthorized services, unapproved remote access tools, or malicious activity related to persistent threats on the system.

This report helps security teams quickly detect and respond to the installation of new services, ensuring the integrity of the environment and minimizing the risks associated with uncontrolled changes to the infrastructure. Its implementation contributes to CMMC compliance, ensuring that system configuration changes are monitored and potential threats are detected before compromising organizational security.', null, null, null, null, null, null, null, null, null, 506, true, 290, 'TEMPLATE', null, null, 'Windows Level 2 (CM.2.063): Installation of Services', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (780, 'This report compiles relevant information from the Windows logs generated by event 4907, which is triggered when a change in security audit policies is detected. This event is key to complying with CMMC Level 4 control CM.4.070, which requires automation of the detection of unauthorized changes to systems.

Event 4907 provides details on modifications to auditing configurations, which are essential to detect unauthorized adjustments that could alter security audit behavior, thereby compromising the integrity of monitoring and data protection policies. Unauthorized changes to auditing configurations may indicate attempts to hide malicious activity or interfere with monitoring and control processes.

Automating the detection of these types of changes is essential to guarantee transparency in system activities and the protection of the infrastructure against possible malicious manipulations. This report makes it easy to identify unauthorized modifications to audit policies, allowing preventive measures to be taken before they affect system security.

Automated monitoring of these types of events ensures that any alterations to audit configurations are detected quickly, allowing security teams to respond immediately to threats or suspicious activities. Additionally, it contributes to CMMC Level 4 compliance by strengthening the organization''s ability to proactively detect and respond to unauthorized changes to security systems.', null, null, null, null, null, null, null, null, null, 506, true, 291, 'TEMPLATE', null, null, 'Windows Level 4 (CM.4.070): Restoration of default security policies', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (777, 'This report collects relevant information from the Windows logs generated by event 1102, which is triggered when the audit log is cleared on a system. This event is critical to comply with CMMC Level 4 control CM.4.070, which requires automation of the detection of unauthorized changes to systems.

Event 1102 provides details on the deletion of audit logs, which is essential for detecting suspicious or malicious activities that attempt to hide traces of unauthorized access or malicious actions on the system. Deleting or altering audit logs can be an indication that an attacker is trying to cover their tracks or modify evidence, posing a significant threat to system security and integrity.

This report is key to detecting possible attempts to manipulate or delete logs, ensuring that audit logs are protected and that any unauthorized changes to the system configuration can be detected. In addition, it facilitates the automation of the monitoring process, which is essential to identify threats in real time and ensure that organizational security policies are met, supporting CMMC compliance at its most advanced level.', null, null, null, null, null, null, null, null, null, 506, true, 295, 'TEMPLATE', null, null, 'Windows Level 4 (CM.4.070): Cleaned Event Log', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (886, e'The Windows Critical Hardware Failure Report provides detailed logs of hardware-related issues, such as disk failures, memory errors, or overheating events. This report is vital for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as hardware failures can lead to data loss, downtime, or system vulnerabilities.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring that critical hardware failures are monitored and mitigated to protect financial systems and sensitive data.
• Real-Time Alerting: Captures and notifies administrators in real-time of hardware issues, enabling immediate action to minimize risks and prevent system downtime.
• Incident Response: Identifies patterns of recurring hardware issues, supporting root cause analysis and proactive maintenance planning.
• Audit Readiness: Provides traceability of hardware failure events, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating secure and reliable system operations.
• Data Protection: Supports compliance with PCI DSS Requirement 5, ensuring the availability and integrity of hardware components critical to financial systems.', null, null, null, null, null, null, null, null, null, 701, true, 299, 'TEMPLATE', null, null, 'Windows Critical Hardware Failure', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (779, 'This report collects relevant information from the Windows logs generated by event 4776, which is triggered when an authentication attempt is made through NTLM. This event is essential to comply with CMMC Level 4 control CM.4.070, which requires automation of the detection of unauthorized changes to systems.

This event is especially useful for identifying unusual patterns that may indicate unauthorized activity, such as login attempts using compromised credentials or brute force password guessing attacks.

Automating the detection of these events helps protect against unauthorized access to critical systems and ensures that any change in authentication is quickly detected, preventing malicious actors from executing internal or external attacks. In addition, it allows for a faster and more efficient response to incidents related to unauthorized access.

This report is essential to strengthen the security of the systems by detecting possible gaps in access to the systems and maintaining constant surveillance over the credentials used in the environment. It also contributes to CMMC Level 4 compliance by ensuring the implementation of automatic controls for the detection of unauthorized changes related to authentication.', null, null, null, null, null, null, null, null, null, 506, true, 301, 'TEMPLATE', null, null, 'Windows Level 4 (CM.4.070): Account Authentication Using NTLM', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (774, 'This report compiles relevant information from the Windows logs generated by event 4738, which is activated when a modification is made to a user''s account within the system. This event is key to complying with CMMC control CM.3.068, which requires the implementation of controls to manage system configurations and ensure infrastructure security.

Monitoring this event is critical to detect unauthorized alterations to user accounts, which could indicate privilege escalation attempts, account compromises, or misconfigurations that could impact system security.

This report allows security teams to audit and validate that all modifications to user accounts are authorized and comply with established security policies. Its implementation strengthens system configuration management and contributes to CMMC compliance, ensuring that account changes are appropriately monitored and controlled to prevent improper access or incorrect configurations.', null, null, null, null, null, null, null, null, null, 506, true, 308, 'TEMPLATE', null, null, 'Windows Level 3 (CM.3.068): User Account Attributes Changes', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (773, 'This report compiles relevant information from the Windows logs generated by event 4735, which is triggered when changes are made to the properties of a security group on the system. This event is key to complying with CMMC control CM.3.068, which requires the implementation of controls to manage system configurations and ensure infrastructure security.

Event 4735 provides details about modifications to security groups. Monitoring this event is critical to detect unauthorized changes to security groups, which could indicate attempted privilege escalation, alterations to access permissions, or misconfigurations that compromise system security.

This report allows security teams to identify and respond to changes in system configuration, ensuring that changes are authorized and aligned with established security policies. Its implementation strengthens configuration management and contributes to CMMC compliance, ensuring that controls over security groups remain within the parameters defined by the organization.', null, null, null, null, null, null, null, null, null, 506, true, 319, 'TEMPLATE', null, null, 'Windows Level 3 (CM.3.068): Security enabled local group change', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (778, 'This report compiles relevant information from the Windows logs generated by event 4732, which is triggered when a user is added to a security group on a system. This event is key to complying with CMMC Level 4 control CM.4.070, which requires automation of the detection of unauthorized changes to systems.

Event 4732 provides details on modifications made to security groups, which is essential for tracking changes in access privileges to critical resources within the IT infrastructure. An unauthorized change to security groups may indicate an attempt to elevate privileges or compromise access control to sensitive data. Detecting these events automatically helps prevent unauthorized users from gaining improper access to systems or applications.

This reporting is critical to identifying and preventing malicious internal movements, such as unauthorized access to privileged systems or escalation of privileges, ensuring that appropriate security configurations are maintained and that access controls are constantly monitored. Additionally, it contributes to CMMC Level 4 compliance by enabling the automation of unauthorized change detection, which is essential for rapid response to security incidents.', null, null, null, null, null, null, null, null, null, 506, true, 320, 'TEMPLATE', null, null, 'Windows Level 4 (CM.4.070): Member Addition to a Security Local Group', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (781, 'This report compiles relevant information from the Windows logs generated by event 4946, which is triggered when a change is made to the audit policies related to the system''s security configuration. This event is essential to comply with CMMC Level 4 control CM.4.070, which requires automation in the detection of unauthorized changes to systems.

Event 4946 provides details about changes to security auditing configurations, which could be used by malicious actors to modify auditing parameters in order to hide their activities or interfere with incident detection mechanisms. Monitoring this event makes it easier to identify unauthorized alterations to auditing configurations, allowing administrators to detect attempts to tamper with the system and act quickly.

Automating the detection of these changes is crucial to ensure that the security infrastructure remains intact and that any alterations to audit policies are detected without delay. This report helps organizations prevent malicious or unauthorized changes from going undetected, ensuring that systems integrity and audit policies are not compromised.

Automated monitoring of these types of events also contributes to CMMC Level 4 compliance by improving the organization''s ability to quickly detect and respond to security incidents, increasing overall threat protection and strengthening network security posture. ', null, null, null, null, null, null, null, null, null, 506, true, 346, 'TEMPLATE', null, null, 'Windows Level 4 (CM.4.070): Firewall Exception List Changed', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (941, 'This report compiles and analyzes relevant information from Threat Intelligence Activity logs to evaluate compliance with CMMC level 5 (IR.5.102), which emphasizes improving incident response through the use of machine learning and advanced analytics. Through data correlation, detection of anomalous patterns, and prediction of emerging threats, this report enables proactive response to security incidents. 
Additionally, it provides insights into how automated systems identify, classify and mitigate sophisticated threats, ensuring more effective protection against advanced attacks targeting critical infrastructure and sensitive data.', null, null, null, null, null, null, null, null, null, 512, true, 365, 'TEMPLATE', null, null, 'Level 5 (IR.5.102): Threat Detection and Response using SOC AI', '');
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (516, 'This report collects the Windows log event 4624 logs, which document successful login attempts to the system. Event 4624 is generated when a user or process logs in successfully, providing key information about system access. This information is crucial to verify compliance with the CMMC''s Level 1 (AU.1.001) Audit and Monitoring policy, which requires audit records to ensure adequate monitoring of activities and access to the system.

The details provided in the report include user IDs and host names to ensure that only people with specific privileges have access to the system. The analysis of these events ensures that access to the system is being correctly recorded and monitored, contributing to the detection of unauthorized access and ensuring that appropriate access controls are applied. This report is essential to meet the audit requirements established by CMMC Level 1, ensuring that activities within the system are properly recorded and audited to detect possible security threats.', null, null, null, null, null, null, null, null, null, 511, true, 265, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Account Logon Success', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (517, 'This report collects event 4625 logs from the Windows logs, which document failed login attempts to the system. Event 4625 is generated when a login attempt is unsuccessful, providing detailed information about the source and nature of the failed attempt. This information is essential to verify compliance with CMMC''s Level 1 (AU.1.001) Audit and Monitoring policy, which requires audit records to ensure adequate monitoring of activities and access to the system, especially in cases of failed access. .

The report includes details such as the names of users who attempted access, the host names, and the reasons for login failures. Analyzing these events can detect suspicious access patterns and track failed attempts, which is key to preventing unauthorized access or malicious activity. This report is essential to meet the audit requirements established by CMMC Level 1, ensuring that all access activities are properly recorded and audited, and helping to maintain the security of the system against unauthorized access attempts.', null, null, null, null, null, null, null, null, null, 511, true, 266, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Account Logon Failure', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (596, 'This report collects the logs of event 4720 from the Windows logs, which document the creation of a new user account on the system. Event 4720 is generated when an administrator or authorized process creates a new user account on the system, providing detailed information about the user who performed the action and the details of the created account. This information is key to verify compliance with CMMC''s Level 2 Audit and Monitoring policy (AU.2.042), which requires guaranteeing the collection of logs to detect and analyze security events, including the creation of user accounts that can influence in system security.

The report includes details such as the identities of the created users, assigned roles, account creation dates and times, as well as the user or system that performed the action.
The analysis of these events makes it possible to monitor the creation of user accounts in the system, ensuring that only authorized people can add new accounts and that the process is properly recorded. This is essential to detect suspicious activities or the unauthorized creation of accounts that could be used to access sensitive information. This report is essential to meet CMMC Level 2 audit requirements, ensuring that all relevant events related to account creation are correctly monitored and analyzed.', null, null, null, null, null, null, null, null, null, 511, true, 267, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.042): User Accounts Created', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (611, 'This report compiles relevant information from AWS logs related to activity by user and event type, providing visibility into actions taken on cloud infrastructure. This monitoring is essential to comply with CMMC Level 2 control AU.2.042, which requires ensuring the collection of logs for the detection and analysis of security events.

Activity logs by user and event in AWS include detailed information about actions performed on cloud services, such as logins, configuration modifications, permission changes, resource accesses, and other critical operations. These logs help identify suspicious activities, unauthorized access attempts, or configurations that could compromise the security of your environment.

By capturing and analyzing these events, organizations can detect anomalous patterns, correlate potentially malicious activities, and proactively respond to security incidents. Additionally, the retention and ongoing analysis of these logs is key to conducting forensic audits and ensuring compliance with established security policies.

This report facilitates compliance with CMMC Level 2 control AU.2.042 by ensuring the effective collection and monitoring of security events in AWS. In this way, incident response capacity is improved, the traceability of actions within the cloud environment is reinforced, and the integrity and security of the organization''s critical systems and data is guaranteed.', null, null, null, null, null, null, null, null, null, 511, true, 239, 'TEMPLATE', null, null, 'AWS Level 2 (AU.2.042): Activity By User and Event', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (612, 'This report compiles relevant information from AWS logs related to events in the cloud, providing visibility into the activity in the infrastructure and the services used. This monitoring is essential to comply with CMMC Level 2 control AU.2.042, which requires ensuring the collection of logs for the detection and analysis of security events.

Cloud logs include events generated by users and services within AWS, such as accesses, configuration modifications, permission changes, resource usage, and other critical activities. These logs, obtained through services such as AWS CloudTrail, AWS Config, AWS CloudWatch, and AWS Security Hub, allow organizations to track events and detect potential threats or unauthorized activity.

The analysis of these events contributes to strengthening the security of the environment by allowing the identification of anomalous patterns, the correlation of incidents and the performance of forensic audits. Additionally, it facilitates compliance with security regulations and standards by ensuring the traceability and availability of records for security investigations.

This report supports the implementation of effective monitoring controls in AWS, ensuring that logs are collected and used to detect and analyze security events, in compliance with CMMC Level 2 control AU.2.042.', null, null, null, null, null, null, null, null, null, 511, true, 227, 'TEMPLATE', null, null, 'AWS Level 2 (AU.2.042): Cloud', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (598, 'This report collects the logs for Windows log event 4726, which document the removal of a user account from the system. Event 4726 is generated when an administrator or authorized process deletes a user account, providing detailed information about the action taken, the user who performed the deletion, and the details of the deleted account. This information is crucial to verify compliance with CMMC''s Level 2 Auditing and Monitoring policy (AU.2.042), which requires ensuring the collection of logs to detect and analyze security events, including the deletion of user accounts that could be indicative of an attempt to conceal malicious activity or unauthorized access.

The report includes important details such as the identities of the deleted accounts, the date and time of deletion, and the user or system that executed the action.
Analysis of these events is important to monitor the deletion of user accounts, ensuring that accounts are not deleted without proper authorization and that all events are properly recorded. This report is essential to detect suspicious activities or attempts to delete user accounts that could be used for unauthorized access. Compliance with CMMC Level 2 auditing requirements is supported by ensuring that all actions related to account deletion are monitored and analyzed to maintain system security.', null, null, null, null, null, null, null, null, null, 511, true, 272, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.042): User Accounts Deleted', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (518, 'This report collects Windows log event 4670 records, which document changes in audits of security objects on the system, such as files or folders, that may be subject to access controls. Event 4670 is generated when modifications are made to an object''s audit settings, which may include modifying permissions or audit settings that affect the monitoring of security events associated with protected resources. This information is crucial to verify compliance with CMMC Auditing and Monitoring Policy Level 3 (AU.3.045), which requires correlating audit logs to support event analysis and ensuring audit configurations are aligned with policies. security and protection of information.

The report includes details such as the name of the object whose permission was modified, the permissions assigned, the identity of the user or process that made the change, and the date and time the modification was made. Analysis of these events is critical to correlating audit logs and ensuring that audit policies are configured correctly, allowing for accurate assessment of system security. This report allows you to detect unauthorized changes to audit configurations, which could interfere with the analysis of security events. Ensures that the system maintains the ability to properly audit all sensitive resources and that audit configurations are appropriate for event analysis, supporting compliance with CMMC Level 3 security controls.', null, null, null, null, null, null, null, null, null, 511, true, 274, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Protected Object Permission Change', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (519, 'This report collects the Windows log event 4663 logs, which document attempts to access system security objects, such as protected files or folders. Event 4663 is generated when a user or process performs an operation (such as read, write, or delete) on a security object, providing details about the action performed, the type of access requested, and the result of the operation. 
This information is crucial to verify compliance with CMMC''s Level 3 Auditing and Monitoring policy (AU.3.045), which requires correlating audit logs to support the analysis of security events and ensure that access to critical resources is monitored. and analyzed effectively.
The report includes key details such as the name of the file or folder that was attempted to be accessed, the identity of the user or process that made the attempt, and the date and time of the attempt.
Analysis of these events allows us to correlate audit logs and ensure that all access attempts to sensitive objects are properly monitored, ensuring that access controls are working correctly and that access is appropriate to the privileges of the user or process. This report facilitates the detection of relevant security events and provides information necessary for a comprehensive analysis, supporting compliance with CMMC Level 3 requirements for event correlation and protection of sensitive information.', null, null, null, null, null, null, null, null, null, 511, true, 277, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Access to critical files or specific directories', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (520, 'This report collects the logs of event 4672 from the Windows logs, which document the login of an account with special privileges. Event 4672 is generated when an elevated user, such as an administrator or an account with system privileges, logs on to the system. This information is crucial to verify compliance with CMMC''s Level 1 Audit and Monitoring policy (AU.1.001), which requires audit records to ensure that activities and access to systems are adequately monitored, especially for accounts. with special privileges.

The report includes details such as the identity of the user who has logged in with elevated privileges, the origin of the access (IP address or originating machine), among others. Analysis of these events is critical to monitoring access to privileged accounts, ensuring that only authorized users with the appropriate credentials can access critical systems. This report helps verify that audit logs are correctly configured and effective in detecting suspicious or unauthorized access, which is key to system security and compliance with CMMC Level 1 requirements.', null, null, null, null, null, null, null, null, null, 511, true, 278, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Special privileges assigned to new logon', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (623, 'This report compiles relevant information from the Windows logs related to event 4689, which is generated when a process is terminated on the system. This event provides details about processes that are started and terminated, which is essential for monitoring application behavior and detecting anomalous or potentially malicious behavior, such as unauthorized processes or processes that terminate abruptly.

The analysis of this event in the context of the CMMC and specifically for Level 5 compliance (AU.5.055) aims to improve audit capabilities, facilitating early detection of advanced threats. The information collected from event 4689 allows you to track the processes that are running on the system, which is a critical step in identifying possible suspicious activities or signs of an intrusion.

The collection of these logs ensures that the relevant processes are audited in depth, contributing to greater visibility on the actions carried out on the systems and improving the ability to respond to security incidents.', null, null, null, null, null, null, null, null, null, 511, true, 302, 'TEMPLATE', null, null, 'Windows Level 5 (AU.5.055): Process Termination', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (489, 'This report collects the Windows log event 4719 logs, which document changes to the system audit policy configuration. Event 4719 is generated when security auditing configurations are modified, such as parameters related to what activities will be logged and how event logs will be managed. This information is crucial to verify compliance with the CMMC Audit and Monitoring Policy Level 1 (AU.1.001), which requires audit logs to ensure security and adequate monitoring of system activities.

The report includes key details such as the identity of the user who made the change to the audit policy, the date and time of the change, and information about the context of the change (if available), among others.

Analysis of these events allows you to verify that audit policies are not modified without adequate justification, ensuring that audit configurations remain in line with security requirements. This report is essential to ensure that audit records are managed consistently and that any changes in audit policy are duly recorded, supporting compliance with CMMC Level 1 requirements and ensuring the integrity and continuity of monitoring activities. of the system.', null, null, null, null, null, null, null, null, null, 511, true, 280, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Policy changes', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (490, 'This report collects the logs for event 4648 from the Windows logs, which document the login attempt using explicit credentials (that is, when a user or process logs in using a username and password directly, rather than (automatic login or through a network login service). Event 4648 is generated when a username and password are presented to authenticate a session, providing key information about system access. This information is crucial to verify compliance with CMMC''s Level 1 (AU.1.001) Audit and Monitoring policy, which requires audit logs to ensure security and monitoring of system activities.

The report includes key details such as the identity of the user who attempted to log in, the date and time of the attempt. Additionally, information is provided about the action taken (whether the login was successful or unsuccessful), and details about the credentials used in the attempt, allowing access to sensitive systems to be tracked.
The analysis of these events ensures that system access attempts are adequately audited, allowing unauthorized access to be detected and suspicious behavior to be monitored. This report is essential to ensure that an adequate record of system access is maintained, supporting the identification of malicious or unauthorized activities and complying with CMMC Level 1 auditing and monitoring requirements.', null, null, null, null, null, null, null, null, null, 511, true, 281, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Logins with explicit credentials', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (491, 'This report collects the records of Windows log events 4722, 4723, 4725, and 4726, which document changes to system user accounts, such as enabling, resetting, disabling, and deleting user accounts. These events are essential to detect changes in account configuration that could indicate an attempt to manipulate credentials or an attempt to evade access controls, which is essential to comply with the Level 4 (AU.4.053) Audit policy. and CMMC Monitoring, which requires improving logging capabilities to support the detection of advanced threats and malicious activities.

The report includes key details about the type of change made (enable, reset, disable, delete), the identity of the user who made the modification, the identity of the user affected by the action (account enabled, reset, disabled, or deleted), and the time and date of the event. Analyzing these events can improve auditing capabilities and detect suspicious or unusual patterns related to user accounts. By quickly identifying unexpected account changes, such as the reactivation of disabled accounts or the deletion of critical accounts, this report facilitates the early detection of threats that could be related to privilege escalation, phishing, or unauthorized access to systems. This ensures that account management practices are aligned with CMMC Level 4 requirements, providing an additional layer of security for the protection of critical infrastructure.', null, null, null, null, null, null, null, null, null, 511, true, 282, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Changes in account status', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (492, 'This report collects relevant information from events 4768 (Kerberos Authentication Ticket Granted), 4769 (Kerberos Service Ticket Granted) and 4771 (Kerberos Pre-Authentication Failed) in the Windows logs, for the purpose of verifying compliance with the AU practice. 4.053 of CMMC Level 4, which requires advanced logging capabilities for threat detection.

Analysis of these events is essential to detect and respond to unauthorized access attempts, credential misuse, and suspicious activity in protected environments. The report includes key details such as user name, source IP address, authentication result, Kerberos error codes, and authentication device, allowing you to improve visibility into authentication traffic and strengthen strategies. cybersecurity.

This report facilitates proactive identification of anomalous patterns, potential privilege escalation attempts, or lateral movement within the network, ensuring logging capabilities are robust enough to support advanced threat detection and incident response.', null, null, null, null, null, null, null, null, null, 511, true, 283, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Windows Kerberos ticket requests', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (627, 'This report collects the records of event 4688 from the Windows logs, which document the creation of new processes in the system. Event 4688 is generated every time a process is started, providing key information about the execution of applications and commands, which allows detecting suspicious activities such as the execution of malware, the use of unauthorized tools or attempts to escalate privileges. This information is crucial to verify compliance with CMMC''s Level 2 (AU.2.042) Access Control and Authentication policy, which requires continuous monitoring of access through advanced behavioral analysis.

The report includes key details such as the name of the started process, the identity of the user or service account that ran the process, the path of the executable, the execution parameters, the identity of the parent process, among others. The analysis of these events allows us to detect anomalous behavior patterns, identify the use of unauthorized tools and strengthen security strategies through proactive detection of threats in real time. This report contributes to the early identification of attacks and the protection of systems that handle Controlled Unclassified Information (CUI), ensuring that security controls are aligned with CMMC Level 5 policies.', null, null, null, null, null, null, null, null, null, 511, true, 284, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.042): Process Creation', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (494, 'This report collects relevant information from events 5140 (A network share object was accessed) and 5145 (A network share object was checked to see whether client can be granted desired access) in the Windows logs, with the objective of verifying compliance with CMMC Level 4 practice AU.4.053, which requires advanced logging capabilities for threat detection.

Monitoring these events allows you to analyze access to shared resources on the network, identifying unauthorized access attempts, lateral movements and possible data exfiltration. The report includes key details such as the user''s name, source IP address, shared resource accessed, and the result of the operation, among others.

This analysis helps strengthen the security of the environment by monitoring access to sensitive files, detecting anomalous activity, and providing visibility into possible attack attempts or misuse of permissions. With this information, organizations can improve detection and response to advanced threats, ensuring effective management of security logs.', null, null, null, null, null, null, null, null, null, 511, true, 285, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Access to Shared Resources', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (876, 'This report compiles and presents relevant information about AssumeRole events in AWS, with the objective of verifying compliance with CMMC level 2 practice AU.2.042. The main focus is to ensure that audit logs related to role assumption are collected comprehensively, allowing security events to be detected and analyzed. The report includes details such as the identity of the user assuming the role, the ARN of the assumed role, the account involved, and the source of the request. 
This information is essential to monitor critical activities, identify unusual patterns, and ensure that necessary logs are available to support event analysis and respond effectively to potential security incidents.', null, null, null, null, null, null, null, null, null, 511, true, 357, 'TEMPLATE', null, null, 'AWS Level 2 (AU.2.042): Roles Assumption', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (495, 'This report compiles relevant information from events 4673 (A privileged service was called) and 4674 (An attempt was made to perform a privileged operation) in the Windows logs, with the purpose of verifying compliance with CMMC practice AU.4.053 Level 4, which requires advanced logging capabilities for threat detection.

Monitoring these events is crucial to identifying the use of elevated privileges within the system, as they may indicate attempts to exploit vulnerabilities, abuse of privileged accounts, or lateral movements within the network.

The report includes key information such as the user who performed the action, the tool or process executed with elevated privileges, the result of the operation, etc. This analysis allows you to detect suspicious activities, respond to potential security incidents, and strengthen privileged access controls.

By having this visibility, organizations can improve their ability to detect and respond to advanced threats, ensuring effective monitoring of critical events in the IT infrastructure.', null, null, null, null, null, null, null, null, null, 511, true, 286, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Use of Elevated Privileges', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (620, 'This report compiles relevant information from 5007 events (The auditing settings on object were changed) in Windows logs, with the objective of verifying compliance with CMMC Level 4 practice AU.4.053, which requires advanced logging capabilities for threat detection.

Event 5007 is generated when changes are made to system auditing settings, which may indicate attempts to disable or modify critical records in order to evade detection of malicious activity.

The analysis of the displayed data allows us to detect suspicious alterations in audit policies, identify possible attempts to conceal malicious activity and strengthen security controls.

Monitoring these events is essential to ensure the integrity of audit logs and improve the ability to detect and respond to advanced threats, ensuring the protection of critical systems within the organization.', null, null, null, null, null, null, null, null, null, 511, true, 287, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Changes to Defender settings', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (521, 'This report focuses on the collection and analysis of event 4624 in the Windows logs, which is generated when a user successfully logs into the system. This event is essential for system access monitoring, as it provides important details about who is logged in, the origin of the login, and the type of authentication used.

The correct collection of these events is crucial for compliance with the CMMC (Cybersecurity Maturity Model Certification), specifically at Level 1 (SI.1.210), which requires identifying and correcting security vulnerabilities in a timely manner. Analysis of event 4624 can detect unusual patterns in logins, such as unauthorized access or access attempts from unexpected geographic locations or devices. These behaviors may be indicative of security breaches or intrusion attempts.

Additionally, collecting these events helps maintain a complete record of user activities, allowing you to audit access to sensitive information and meet security requirements established to protect the organization''s systems and data. Detecting unauthorized or anomalous access early allows for quick corrective action, such as revoking compromised credentials or implementing new access policies.

In summary, monitoring event 4624 is an essential part of the security management process to identify possible threats or configuration errors in system access, allowing the correction of vulnerabilities in a timely manner and reducing the risk of compromising the security infrastructure. ', null, null, null, null, null, null, null, null, null, 503, true, 265, 'TEMPLATE', null, null, 'Windows Level 1 (SI.1.210): Account Logon Success', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (522, 'Proper monitoring of 4625 events is a key component of CMMC (Cybersecurity Maturity Model Certification) compliance, specifically Level 1 (SI.1.210), which requires the identification and correction of security flaws in a timely manner. Analyzing these events allows you to identify patterns of failed access attempts and detect potential security gaps, such as weak passwords or the use of compromised credentials.

By identifying and logging all failed login attempts, additional security measures can be implemented, such as activating locks after multiple failed attempts or scanning users making failed attempts to detect compromised accounts. These logs also help evaluate the effectiveness of password security policies and other access controls.

In summary, the collection and analysis of event 4625 allows us to detect unauthorized access attempts early and correct security weaknesses that could be exploited by attackers. This monitoring helps meet CMMC''s goal of quickly and efficiently identifying and fixing security vulnerabilities, thereby protecting critical infrastructure and sensitive data.', null, null, null, null, null, null, null, null, null, 503, true, 266, 'TEMPLATE', null, null, 'Windows Level 1 (SI.1.210): Account Logon Failure', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (523, 'This report focuses on the analysis of events 4719 generated in the Windows security logs, which occur when a modification is made to the system audit configuration. This event is important as it allows you to record and monitor any changes made to audit settings, which are crucial for detecting and analyzing security events in the system.

Event 4719 may be indicative of adjustments made to audit policies, such as changes to access log parameters, modifications to critical event tracking configurations, or adjustments to the monitoring of administrative and user actions. These changes can directly impact the organization''s ability to detect security incidents, so it is essential to ensure that audit configurations are appropriate and are not altered without valid justification.

The collection and analysis of 4719 events is essential for compliance with CMMC (Cybersecurity Maturity Model Certification) at Level 1 (SI.1.210), which requires the identification and correction of security vulnerabilities in a timely manner. Tracking this event helps ensure that systems auditing remains active and that unauthorized modifications are not made to security configurations that could impact the visibility and analysis of security events.

Además, el monitoreo adecuado de estos cambios permite verificar si los ajustes en las configuraciones de auditoría están alineados con las mejores prácticas de seguridad y que no se están deshabilitando o modificando controles de auditoría críticos, lo que podría abrir puertas a posibles ataques sin ser detectados.

En resumen, la recopilación y análisis de los eventos 4719 garantiza que las configuraciones de auditoría del sistema se mantengan intactas y efectivas, permitiendo una detección oportuna de fallos de seguridad. Este proceso contribuye al cumplimiento del objetivo de CMMC de identificar y corregir debilidades de seguridad de forma rápida y eficiente, protegiendo la infraestructura y los datos críticos de la organización.', null, null, null, null, null, null, null, null, null, 503, true, 280, 'TEMPLATE', null, null, 'Windows Level 1 (SI.1.210): Policy changes', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (524, 'This report aims to monitor access to objects within the system, identifying and recording relevant security events related to access to sensitive files or directories. Analysis of these events is crucial to detect unauthorized or anomalous activities that may compromise the integrity and confidentiality of critical data in the organization''s environment.

In the context of compliance with CMMC (Cybersecurity Maturity Model Certification), at Level 1 (SI.1.210), which requires the identification and correction of security flaws in a timely manner, monitoring these events is essential to ensure that access to sensitive resources are carried out only by authorized users. Detection of anomalous access or unauthorized attempts allows for rapid intervention to mitigate any potential risk.

The continuous collection and analysis of these access events helps maintain adequate control over system security and ensure that any vulnerabilities are quickly identified and corrected. This contributes significantly to the protection of critical data and assets of the organization, aligning with CMMC requirements for proactive security management and remediation of any vulnerabilities that may be exploited.', null, null, null, null, null, null, null, null, null, 503, true, 277, 'TEMPLATE', null, null, 'Windows Level 1 (SI.1.210): Windows Access to critical files or specific directories', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (525, 'This report gathers relevant information on events related to the creation of new user accounts on the system, specifically event 4720, which is generated when a user account is created in a Windows domain. The event provides details about the account created, including the username, creation time, and origin of the request.

The analysis of these events is crucial for compliance with Level 2 (SI.2.212) of the CMMC (Cybersecurity Maturity Model Certification), which establishes the need to implement mechanisms for real-time monitoring of security events. Creating new user accounts can be a critical security action as it could indicate an unauthorized access attempt or modification of system credentials.

Monitoring these events allows you to quickly detect unauthorized account creation, facilitating a proactive response to potential security threats. This report helps ensure that all actions related to user creation are audited and available for review in real time, improving the organization''s ability to detect and respond to potential security incidents in a timely manner.

By constantly tracking account creation events, you ensure that the organization is aligned with security policies and best practices for identity and access management, strengthening the overall security posture.', null, null, null, null, null, null, null, null, null, 503, true, 267, 'TEMPLATE', null, null, 'Windows Level 2 (SI.2.212): User Accounts Created', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (527, 'This report gathers and analyzes the information from events 4663 and 4656 in the Windows logs, with the objective of complying with control SI.2.212 of CMMC Level 2, which requires the implementation of mechanisms for real-time supervision of the security events.

Event 4663: This event is raised when an object, such as a file or folder, is accessed or modified in some way. Records important details about the action performed, such as the type of access (read, write, delete, etc.), the object identifier, and the identity of the user or process that performed the action. It is a key indicator of file access and modifications, which can help detect anomalous or unauthorized behavior.

Event 4656: Similar to event 4663, event 4656 is triggered when a process attempts to access an object on the system. Records details about the type of access requested and the identifier of the object being accessed, providing additional information about access attempts to specific resources on the system.

Both events 4663 and 4656 are critical for monitoring actions related to access and modification of files and resources on the system. The ability to detect unauthorized access or suspicious modifications in real time is essential for the implementation of effective security controls, allowing rapid identification of potential incidents and immediate intervention to mitigate risks.

The joint analysis of these events helps to reinforce real-time monitoring measures, detecting access to sensitive data, file manipulations or any activity that could compromise the integrity of the systems. Meeting the SI.2.212 requirements of CMMC Level 2 by collecting and analyzing these events is crucial to maintaining a secure environment and protecting the most critical resources within the technology infrastructure.', null, null, null, null, null, null, null, null, null, 503, true, 273, 'TEMPLATE', null, null, 'Windows Level 2 (SI.2.212): Attempt to Access a Protected Object', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (528, 'This report collects relevant information from the Windows event logs, specifically event 4672, which is generated when a user with special privileges (such as administrators or accounts with elevated permissions) logs on to the system. Including this event in the security analysis helps monitor and detect access from users with elevated privileges, a critical aspect for the protection of sensitive systems.

CMMC Level 2 (SI.2.212) compliance focuses on the implementation of effective mechanisms for monitoring security events in real time. Events like 4672 provide crucial visibility into the use of special privileges, allowing organizations to detect any anomalous or unauthorized activity, ensuring that monitoring mechanisms are effective in protecting critical infrastructure.

This report contributes to improving security by facilitating the identification of unusual behavior that may indicate unauthorized access or the exploitation of excessive privileges.', null, null, null, null, null, null, null, null, null, 503, true, 278, 'TEMPLATE', null, null, 'Windows Level 2 (SI.2.212): Special privileges assigned to new logon', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (529, 'This report collects relevant information from event 4648 in the Windows logs, which is generated when a login attempt is made using explicit credentials (username and password) by a process or program. This type of event is significant for monitoring access activities in IT infrastructure, as it can indicate potentially unauthorized access attempts or manipulations in authentication processes.

In the context of CMMC Level 3 (SI.3.217), event 4648 helps detect login attempts that could be part of a credentials attack, such as brute force attacks or reuse of compromised credentials. This type of monitoring is essential to identify unauthorized access or anomalous authentication behavior that could compromise the security of the organization.

The report allows you to identify unusual access patterns, such as login attempts from unusual locations or outside normal working hours, which is indicative of possible external or internal attacks. This information is key to activating alerts and taking immediate action against unauthorized access threats.

The collection and analysis of these events are essential to comply with CMMC requirements, since they allow early detection of attacks and help strengthen the security posture of the IT infrastructure by implementing protective measures, preventing attackers from achieving access critical systems.', null, null, null, null, null, null, null, null, null, 503, true, 281, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.217): Logins with explicit credentials', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (530, 'This report compiles relevant information about event 4726 in the Windows logs, which is generated when a user account is deleted from the system. Deleting user accounts is a critical action that can be related to both legitimate account management and malicious behavior or insider attacks.

In the context of CMMC Level 3 (SI.3.217), monitoring event 4726 is crucial to identify any suspicious activity that may indicate an attack or system tampering. An attacker who has gained elevated privileges could delete user accounts to hide their tracks or prevent administrators from accessing certain resources or identifying their actions.

Analysis of this event helps detect unauthorized actions in the system, such as the deletion of accounts that have not been properly managed or that do not comply with internal security policies. Additionally, it can identify unusual patterns, such as deleting user accounts at atypical times or locations, which could be indicative of internal attacks or external malicious activity.

Collecting and monitoring these events contributes to meeting CMMC requirements by allowing early detection of potential attacks that could be focused on disrupting system security through unauthorized deletion of user accounts.', null, null, null, null, null, null, null, null, null, 503, true, 272, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.217): User Accounts Deleted', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (532, 'This report collects relevant information from event 4907 in the Windows logs, which is generated when auditing is disabled on the system. Disabling auditing is a critical action that can be used by attackers to hide malicious activities by disabling system event logs. This activity, although it may be legitimate in some cases, represents a significant risk when performed without adequate justification, as it prevents the collection of important information about actions taken on the system.

In the context of CMMC Level 3 (SI.3.217), monitoring this event is essential to detect potential attacks that may be manipulating system configuration to bypass auditing and surveillance measures. Disabling auditing could be an indication that an attacker is trying to avoid detection of their actions or movements within the infrastructure.

Analysis of this event helps identify unauthorized changes to the audit configuration, which could be a sign of a security compromise. Monitoring these events can detect attempts to conceal malicious activity and ensure that auditing systems continue to function properly to provide complete logs to help identify threats.

Compliance with CMMC Level 3 (SI.3.217) requirements is supported by active monitoring of these events, as it ensures that security monitoring and auditing mechanisms are functioning properly, and that any tampering or disabling attempts audit is detected immediately.', null, null, null, null, null, null, null, null, null, 503, true, 291, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.217): Restoration of default security policies', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (537, 'This report compiles relevant information about event 4688 in the Windows logs, which is generated every time a process is created on the system. This event is of vital importance for security monitoring, since it allows identifying the execution of new processes that may be part of normal activities or, in the case of being malicious, an indication of compromise or attack on the system.

In the context of CMMC Level 3 (SI.3.217), monitoring this event is crucial to detect possible attacks. The creation of unauthorized or unusual processes can be a sign of malicious activities such as running malware, unauthorized scripts, or launching attack tools. In addition, attackers often use techniques such as executing code on the system to maintain their presence, which would be reflected in these types of events.

Analysis of 4688 events allows the detection of anomalous behavior patterns, such as the creation of processes from unusual locations or associated with illegitimate activities, which facilitates early identification of threats. The collection and analysis of this information contributes to maintaining effective control over activities within the systems, ensuring that you can react quickly to potential security incidents.

This report is essential to meet the threat monitoring and detection requirements established in CMMC Level 3 (SI.3.217), allowing organizations to implement efficient monitoring tools that support the detection of attacks and suspicious activities in real time.', null, null, null, null, null, null, null, null, null, 503, true, 284, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.217): Process Creation', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (538, 'This report compiles relevant information from Windows logs about event 7045, which is generated when a new service is installed on the system. Installing a service is a critical action that can indicate the execution of processes or software persistently on the system. Since attackers can use services to maintain access or control in a compromised environment, monitoring this type of activity is essential to detect potential threats or malicious actions.

In the context of CMMC Level 3 (SI.3.217) compliance, monitoring 7045 events is essential to detect unauthorized service installation attempts. These services can be used by attackers to execute malicious code or control systems without detection by administrators. This event is especially useful for identifying suspicious or unrecognized software, which may be indicative of a persistent attack.

The report of this event provides detailed information about the name of the service, its location and the process that installed it, allowing security teams to identify unusual behavior and take preventive or corrective measures. This continuous monitoring approach is vital to strengthen system defense and improve early detection of potential incidents.

In summary, the analysis of 7045 events in Windows logs is a key tool in compliance with CMMC requirement SI.3.217, since it allows organizations to identify and mitigate possible risks related to the unauthorized installation of services, improving attack detection capabilities.', null, null, null, null, null, null, null, null, null, 503, true, 290, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.217): Installation of Services', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (542, 'It allows you to verify that the system is recording access to network resources appropriately, which helps comply with level 4 (AU.4.053) of the CMMC. 
Additionally, you can see that the events are being correctly classified with important details about the user, type of access, and source of access (IP and port), which is essential to comply with access monitoring and auditing policies on a network.', null, null, null, null, null, null, null, null, null, 503, true, 285, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.217): Access to Shared Resources', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (543, 'This report is generated from the Windows logs of event 4740, which is triggered when a user account is locked due to multiple failed login attempts. This type of event is crucial for monitoring user behavior within the organization, helping to identify suspicious access patterns that may be indicative of intrusion attempts, such as brute force attacks or unauthorized attempts to access protected accounts.

In the context of CMMC''s Level 4 (SI.4.220): Monitor for malicious behavior across the organization, analysis of these events is critical to detecting and mitigating malicious behavior across the organization. Proactive monitoring of these types of events ensures that threat detection strategies are aligned with security best practices, allowing rapid response to anomalous activities that may compromise the integrity of organizational systems and data.

This report contributes to strengthening real-time monitoring capabilities, improving the ability to detect advanced threats and ensuring that the organization''s security infrastructure is aligned with CMMC requirements.', null, null, null, null, null, null, null, null, null, 503, true, 276, 'TEMPLATE', null, null, 'Windows Level 4 (SI.4.220): Account Locks', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (544, 'This report is generated from the Windows logs of events 4768, 4769 and 4771, which are directly related to the user authentication process using the Kerberos protocol. These events are triggered in situations where authentication ticket requests, authentication failures, or ticket validation errors occur.

Event 4768: Indicates a Kerberos service ticket request for a successfully authenticated user.
Event 4769: Triggered when there is a request for a service ticket for a user who could not be authenticated due to a Kerberos error.
Event 4771: Raised when the Kerberos authentication process fails due to incorrect or expired credentials.
Analysis of these events is crucial for monitoring malicious behavior within the organization. Authentication failures or repeated attempts to obtain service tickets may be indicative of malicious activity, such as spoofing attacks, unauthorized access attempts, or advanced intrusion behavior.

In the context of CMMC''s Level 4 (SI.4.220): Monitor for malicious behavior across the organization, these events are a key source of information to identify suspicious behavior related to credential management and access to sensitive resources. Monitoring and analyzing these events makes it possible to quickly detect attempted security breaches, which facilitates an early response to possible threats and contributes to strengthening the organization''s security infrastructure.

This report supports the implementation of robust security controls by detecting anomalous behavior, providing a detailed view of events that may be associated with attacks or attempts to compromise user credentials within the network.', null, null, null, null, null, null, null, null, null, 503, true, 283, 'TEMPLATE', null, null, 'Windows Level 4 (SI.4.220): Kerberos ticket requests', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (548, 'This report gathers relevant information from the Windows logs corresponding to event 4670, which is triggered when the permissions of a security object, such as a file or folder, are modified. This type of event is key to detecting changes in the security configuration of the organization''s critical resources, which can be an indication of malicious or unauthorized behavior.

Through this report, we seek to identify unauthorized changes in access permissions, which could reflect attempts to escalate privileges or manipulate sensitive data. To comply with the CMMC requirement of SI.5.223, which requires the implementation of advanced monitoring techniques and the use of machine learning to detect anomalous behavior, this event is analyzed within a continuous monitoring framework using behavioral analysis tools .

This report helps identify unusual or unexpected patterns in permission modification, which can enable early detection of advanced threats or targeted attacks. Additionally, the integration of machine learning technologies into the analysis process makes it possible to identify atypical behaviors that might otherwise go undetected with traditional monitoring methods.', null, null, null, null, null, null, null, null, null, 503, true, 274, 'TEMPLATE', null, null, 'Windows Level 5 (SI.5.223): Protected Object Permission Change', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (554, 'This report compiles relevant information from 4105 events (WMI Event Filter activity detected) in Windows logs, with the objective of verifying compliance with CMMC Level 4 practice AU.4.053, which requires advanced logging capabilities for the detection of threats.

Event 4105 is generated when activity is detected in Windows Management Instrumentation (WMI) event filters, a mechanism used for task automation and system data collection. Attackers can abuse WMI filters to establish persistence or execute malicious commands without detection.

This report includes key details such as the user who performed the action, the date and time of the event, and the affected computer. Analyzing these logs can identify potential attempts at malicious use of WMI, detect suspicious activity, and strengthen security controls against advanced threats.

Continuous monitoring of these events is critical to preventing stealth persistence attacks and ensuring critical systems maintain a robust security posture against potential adversaries.', null, null, null, null, null, null, null, null, null, 511, true, 289, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): PowerShell Remote Session Creation', null); INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (555, 'The AU.4.053 control helps ensure that only authorized services are installed on Windows systems, preventing unauthorized or malicious services from compromising the system. By auditing service installations and ensuring strict controls, this measure reduces the risk of persistent threats or unauthorized access. 
Additionally, it contributes to compliance with organizational security policies and the requirements set forth in CMMC, reinforcing a secure and well-maintained system environment.', null, null, null, null, null, null, null, null, null, 511, true, 290, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Installation of Services', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (878, 'This report compiles and presents relevant information about PutBucketPolicy events in AWS, with the objective of verifying compliance with CMMC practice AU.2.042. It focuses on ensuring that S3 bucket policies are properly monitored and logged to detect and analyze security events.

The report includes key details such as the affected account, the bucket in question, the policy applied, the identity of the user who performed the action, and the source of the request. This information is critical to ensuring that changes to bucket access policies are tracked, allowing for effective response to potential misconfigurations or unauthorized access.', null, null, null, null, null, null, null, null, null, 511, true, 358, 'TEMPLATE', null, null, 'AWS Level 2 (AU.2.042): Bucket Access Policies', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (498, ' This report collects relevant information from 7045 (New Service Installed) events in Windows logs, for the purpose of verifying compliance with CMMC Level 4 practice AU.4.053, which requires advanced logging capabilities for threat detection.

Event 7045 is generated when a new service is installed on the system, which can be legitimate behavior or an indicator of malicious activity, such as the installation of persistent services used by attackers to maintain unauthorized access to a system.

This report includes key details such as the name of the service, the associated executable binary, the startup type of the service, the user who performed the installation, the date and time of the event, and the affected computer.

The analysis of these logs allows us to detect the creation of suspicious services, prevent persistence attacks and strengthen defenses against advanced threats that seek to compromise IT infrastructure.', null, null, null, null, null, null, null, null, null, 511, true, 290, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Installation of Services', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (788, 'This report compiles relevant information from the Windows logs generated by event 4624, which is triggered when a user logs on to the system. The event is especially important when it comes to logging in with elevated privileges, such as an administrator, and is key to complying with CMMC Level 3 control AC.3.027, which requires monitoring and restricting the use of privileged access.

Event 4624 provides details on successful login attempts, and in particular, those involving privileged accounts. This information allows us to identify users who access systems with elevated privileges and whether such access is being used appropriately.

Monitoring this access is essential to ensure that elevated accounts are used only by authorized users and for the specific tasks for which they have been assigned such access. Additionally, information from 4624 events helps detect anomalous or potentially dangerous behavior that could indicate abuse of privileges, unauthorized access, or malicious movements within the infrastructure.

This report supports security teams in the implementation of access controls and privilege management, thus contributing to the prevention of possible security incidents. In doing so, it reinforces compliance with CMMC Level 3 control AC.3.027, ensuring that privileged access is strictly controlled, monitored and restricted according to the operational and security needs of the organization.', null, null, null, null, null, null, null, null, null, 508, true, 265, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.027): Account Logon Success', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (901, e'The Windows Certificate Configuration Changes Report provides detailed logs of modifications to certificate stores, such as the addition, deletion, or modification of certificates or trust settings. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as certificate changes can directly impact secure communication and trust relationships.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of certificate configuration changes to safeguard sensitive financial systems and customer data.
• Security Monitoring: Supports compliance with PCI DSS Requirement 10, which mandates monitoring and logging of system configuration changes, including certificates.
• Real-Time Alerting: Captures and notifies administrators immediately when certificate changes occur, enabling rapid response to potential threats.
• Incident Detection: Identifies suspicious changes to certificates, such as unauthorized trust additions or the removal of critical certificates, which could indicate malicious activity.
• Audit Readiness: Tracks all certificate-related changes, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating robust configuration management practices.', null, null, null, null, null, null, null, null, null, 701, true, 304, 'TEMPLATE', null, null, 'Windows Certificate Configuration Changes', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (910, e'The Windows Account Logon Success report provides detailed records of events where a user account successfully authenticates on a Windows system. This report is essential for tracking login activities and correlating events across systems, enabling effective monitoring, detection of anomalies, and compliance with security frameworks.
• Regulatory Compliance: Aligns with frameworks like GLBA, PCI DSS, and ISO 27001, ensuring that successful logon activities are logged and available for audits to demonstrate robust access control mechanisms.
• User Activity Monitoring: Tracks successful logins to provide visibility into authorized access and helps identify unusual patterns, such as logins from unexpected locations or outside of normal business hours.
• Event Correlation: Links logon events with subsequent system activities, such as file access, process creation, or privilege escalation, to establish a comprehensive security audit trail.
• Real-Time Alerts: Captures successful logons in real-time and notifies administrators of activity from sensitive accounts or systems, enabling rapid incident response.
• Incident Detection: Helps identify suspicious behavior, such as frequent logins from multiple IP addresses or use of compromised credentials, which could indicate an ongoing attack.
• Audit Readiness: Provides detailed information on successful logons, including username, logon time, originating IP address, and authentication method, ensuring compliance with audit requirements.', null, null, null, null, null, null, null, null, null, 702, true, 265, 'TEMPLATE', null, null, 'Windows Account Logon Success', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (789, 'This report compiles relevant information from the Windows logs generated by event 4625, which is triggered when a login attempt is rejected due to incorrect credentials or unauthorized access. This event is crucial for compliance with CMMC Level 3 control AC.3.027, which requires monitoring and restricting the use of privileged access.

Event 4625 provides details about failed login attempts, including those involving privileged accounts. Monitoring these events is essential to detect unauthorized access attempts to critical systems, especially those seeking to gain elevated privileges, such as administrator privileges. Additionally, this type of information is useful for identifying patterns of behavior that could indicate malicious activity, such as brute force attacks or credential exploitation attempts.

This report helps organizations track failed access attempts to privileged accounts, enabling alerts and corrective actions to be implemented in the event of suspicious activity or security policy violations. Thus, it helps restrict privileged access only to authorized users and ensures that preventive measures are taken to prevent abuse of such privileges.

The report also plays an important role in improving security posture by identifying potential access gaps before attackers can exploit them. It directly contributes to compliance with control AC.3.027 of CMMC Level 3, strengthening the monitoring and control mechanisms of privileged access within the organization.', null, null, null, null, null, null, null, null, null, 508, true, 266, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.027): Account Logon Failure', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (499, 'This report focuses on the collection and analysis of event 4907 in the Windows logs, which is related to changes in system security audit policies. This event is generated when an audit policy is modified, which may indicate a possible alteration in security configurations or an attempt to disable auditing of important events.

Monitoring events like 4907 is critical for CMMC (Cybersecurity Maturity Model Certification) compliance, especially at Level 5 (AU.5.055), which requires improving auditing capabilities to detect advanced threats. Altering audit policies can be an indication of malicious activity, such as manipulating audit logs to conceal unauthorized access, a technique commonly used in advanced attacks.

Detecting changes to auditing configurations helps prevent log collection from being disabled or circumvented, which is essential for constant vigilance against advanced threats. This event is also part of best practices for intrusion detection and protecting the IT environment from potential malicious actors attempting to modify audit settings to hide their activity.

Collecting and analyzing 4907 events can strengthen incident response capabilities, ensure the integrity of audit logs, and improve the ability to detect sophisticated attacks.', null, null, null, null, null, null, null, null, null, 511, true, 291, 'TEMPLATE', null, null, 'Windows Level 5 (AU.5.055): Restoration of default security policies', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (593, 'This report collects the Windows log event 1102 logs, which document the clearing of system security event logs. Event 1102 is generated when security event logs are cleared, providing key information about actions taken on the system to ensure the integrity and retention of audit logs. This information is crucial to verify compliance with CMMC''s Level 1 (AU.1.001) Auditing and Monitoring policy, which requires audit logs to be made and ensure that they are properly managed to protect the integrity of the information.

The report includes key details such as the date and time the event occurred, and the name of the computer on which the action was executed, information about the reasons behind the deletion (if available), and any related actions or previous events that led to the deletion of the records. These types of events should be monitored closely, as deletion of security event logs could indicate attempts to conceal unauthorized or malicious activity.

Analysis of these events ensures that security audit logs are not deleted without adequate justification, protecting the integrity of the logs and ensuring that security controls are aligned with CMMC Level 1 audit requirements. This report contributes to the identification of possible attempts to manipulate records and facilitates proper management of security events within the organization''s environment.', null, null, null, null, null, null, null, null, null, 511, true, 295, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Cleaned Event Log', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (595, 'This report collects the logs of event 4697 from the Windows logs, which document the installation of new services on the system. Event 4697 is generated when a service is installed, which may involve adding software or configuring processes that may have security implications. This information is crucial to verify compliance with CMMC''s Level 2 Audit and Monitoring policy (AU.2.042), which requires ensuring the collection of logs to detect and analyze security events, including the installation of services that may modify behavior. of the system or represent a security risk.

The report includes key details such as the name of the installed service, the identity of the user or process that performed the installation, the date and time of the installation, among others. The analysis of these events allows us to detect the unauthorized installation of services or software in the system, helping to identify possible attack vectors or changes that could compromise the security of the system. This report is essential to verify the correct collection of event logs related to the installation of services and ensure that all relevant events are properly audited, supporting compliance with the audit requirements established by CMMC Level 2.', null, null, null, null, null, null, null, null, null, 511, true, 305, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.042): Service Installed', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (592, 'This report collects the logs for Windows log events 6005 and 6006, which document the startup and shutdown of events from the system event log service (Event Log). Event 6005 is generated when the event log service starts, while event 6006 is generated when the event log service stops. These events provide key information about the state of the system and ensure that audit logs are being generated and maintained correctly. This information is crucial to verify compliance with CMMC''s Level 1 (AU.1.001) Audit and Monitoring policy, which requires audit logs to ensure security and monitoring of system activities.

The report includes key details such as the date and time in which the event registration service was started or stopped and information about the computer on which the event was registered, among others. Analyzing these events allows you to verify that the event logging service is working correctly and that audit logs have not been disabled or interrupted. This report is essential to ensure that system audit logs are being properly managed, supporting compliance with CMMC Level 1 requirements and allowing monitoring of system access and activities.', null, null, null, null, null, null, null, null, null, 511, true, 311, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Event Log Service', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (597, 'This report collects the Windows log event 4724 logs, which document password reset attempts for user accounts on the system. Event 4724 is generated when a password reset attempt is made, either by an administrator or by the account user themselves, and provides key information about credential modification attempts. This information is crucial to verify compliance with CMMC''s Level 2 Auditing and Monitoring policy (AU.2.042), which requires ensuring the collection of logs to detect and analyze security events related to access and changes in credentials.

The report includes key details such as the identity of the user whose password was reset, the identity of the user or administrator who executed the action, the date and time of the event, among others. The analysis of these events allows us to detect unauthorized or undocumented attempts to modify credentials, providing an effective way to monitor access and activities related to user credentials. This report is essential for auditing password management processes, ensuring that appropriate controls are applied to protect access credentials and contributing to compliance with CMMC Level 2 security policies.', null, null, null, null, null, null, null, null, null, 511, true, 312, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.042): Password Reset Attempts', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (618, 'This report collects the Windows log event 5158 logs, which document attempts to establish incoming or outgoing network connections on the system. Event 5158 is generated when a Windows firewall allows or blocks a network connection based on configured security policies. This information is essential to verify compliance with CMMC''s Level 4 Audit and Monitoring policy (AU.4.053), which requires improving logging capabilities to support threat detection, allowing the identification of suspicious or unauthorized connections that may be indicative. of an attempted intrusion or malicious activity.

The report includes key details such as the name of the application that attempted to make the connection, and the action taken by the firewall (allow or block), among others. Analyzing these events can improve auditing capabilities and detect traffic patterns that could be indicative of advanced threats, such as unauthorized access attempts or lateral movements within the network. This report facilitates early detection of malicious activity, ensuring that network security policies are properly configured and that unauthorized connections are effectively blocked, aligning with CMMC Level 4 requirements for threat detection and security protection. critical infrastructure.', null, null, null, null, null, null, null, null, null, 511, true, 313, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Windows Connection blocked by Windows Firewall', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (622, 'This report collects relevant information from the Windows logs, specifically from event 1100 related to the Event Logging Service Shut Down. This event is generated when the Windows Event Logging service stops unexpectedly or on a scheduled basis. Stopping the event log service can have significant implications on the system''s ability to audit, as it interrupts the collection of security logs and other important events.

Analysis of this event is crucial to ensure the continuity of audit logs in the system. In the context of the CMMC and compliance with level 5 (AU.5.055), the aim is to improve audit capabilities to detect advanced threats. The interruption of the event log service may be indicative of a technical or security problem, and monitoring it allows you to identify possible gaps in the audit system and react quickly.

This report helps ensure that the event logging service remains operational at all times, ensuring that log collection is not compromised and enabling timely response to security incidents.', null, null, null, null, null, null, null, null, null, 511, true, 314, 'TEMPLATE', null, null, 'Windows Level 5 (AU.5.055): Event Logging Service Shut Down', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (625, 'This report analyzes event 5379 in the Windows logs, which refers to smart card authentication attempts. Monitoring this event is key in detecting Credential Access, a technique commonly used by attackers to gain unauthorized access to systems through theft or spoofing of credentials.

In this specific case, events 5379 indicate when a smart card authentication attempt has occurred, whether successful or failed. Attackers can use techniques such as stealing smart cards or misusing credentials associated with smart cards to gain access to protected systems and networks. Detecting these authentication attempts is essential to prevent the exploitation of stolen or compromised credentials.

This event is part of the advanced auditing capabilities required in compliance with the CMMC (Cybersecurity Maturity Model Certification), in particular for Level 5 (AU.5.055), which seeks to improve auditing capabilities to detect advanced threats. Proactively monitoring these events can identify suspicious access and block Credential Access attempts, protecting the integrity of credentials and critical systems.', null, null, null, null, null, null, null, null, null, 511, true, 315, 'TEMPLATE', null, null, 'Windows Level 5 (AU.5.055): Credential Access', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (626, 'This report collects Windows log event 4732 logs, which document attempts to add users to system security groups. Event 4732 is generated when a user or process is added to a security group, providing information about the group to which it was added, the identity of the user who made the modification, and the details of the security group to which the user was added. added. This information is crucial to verify compliance with CMMC''s Level 5 Auditing and Monitoring policy (AU.5.055), which requires improving auditing capabilities for advanced threat detection, allowing for the identification of possible changes in the privileges of users who may be related to privilege escalation or unauthorized activities.
The report includes key details such as the name of the security group to which the user was added, the identity of the added user, the account or system that performed the action, among others.
Analyzing these events can improve auditing capabilities to detect unusual patterns or anomalous behavior related to changes in user privileges and access to sensitive resources. This report contributes to advanced threat detection by identifying changes to security groups that could be indicative of a privilege escalation attempt or security breach. Ensures auditing of security configurations is aligned with CMMC Level 5 security controls, ensuring adequate visibility for early detection of advanced threats.', null, null, null, null, null, null, null, null, null, 511, true, 320, 'TEMPLATE', null, null, 'Windows Level 5 (AU.5.055): Member Addition to a Security Local Group', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (619, 'This report collects event 4657 logs from the Windows logs, which document modifications to system security objects, such as files, folders, or registry keys. Event 4657 is generated when a significant change is made to the security attributes of an object, such as modifying access permissions or auditing settings for a resource. This information is crucial to verify compliance with CMMC''s Level 4 Audit and Monitoring policy (AU.4.053), which requires improving logging capabilities to support threat detection, allowing the identification and analysis of critical changes that may be related to malicious behavior or unauthorized activities.
The report includes key details such as the name of the modified object, the type of change made (for example, modifications to ACLs, access permissions, or security attributes), the identity of the user or process that made the modification , and the date and time the change occurred.
Analyzing these events can enhance logging capabilities to identify changes that could be indicative of an attempt to compromise system security or manipulate access to sensitive resources. This report facilitates early detection of threats related to unauthorized modification of security configuration and contributes to the visibility of security-relevant events, ensuring that access and audit controls are aligned with CMMC Level security requirements 4.', null, null, null, null, null, null, null, null, null, 511, true, 322, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Registry Value Modification', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (800, 'This report compiles relevant information from the Windows logs generated by event 4720, which is triggered when a new user account is created on the system. This event is essential for compliance with CMMC Level 3 control SI.3.219, which requires the implementation of endpoint monitoring for malware detection.

Event 4720 provides details about the creation of new user accounts, which is an important event to detect unauthorized changes or malicious activities on the system. The creation of unauthorized user accounts could be a sign that a malicious actor has compromised a system and is attempting to gain additional access with elevated privileges, which could make it easier to spread malware or execute attacks.

Monitoring these events allows security teams to quickly identify the creation of unusual or unexpected user accounts, which is key to detecting the presence of malicious actors. This type of surveillance is essential to prevent unauthorized user accounts from being used to spread malware or make lateral movements within the organization''s infrastructure.

This report supports security by providing visibility into changes to user accounts, allowing administrators to investigate any suspicious activity and quickly take corrective action. Additionally, it contributes to compliance with CMMC Level 3 control SI.3.219 by ensuring endpoint monitoring tools are properly deployed to detect and mitigate malware threats before they cause harm.', null, null, null, null, null, null, null, null, null, 507, true, 267, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.219): User Accounts Created', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (621, 'This report gathers relevant information from the Windows logs, specifically from Service Control Manager event 7030. This event is raised when a service attempts to start but fails due to a configuration or security restriction, preventing it from running interactively. The collection and analysis of these events is crucial to identify possible failures in service configuration, security problems related to access policies or operational restrictions. The report is aimed at supporting compliance with level 4 (AU.4.053) of the CMMC, by providing clear visibility on failures in attempts to start services, allowing better detection and response to possible threats or operational irregularities in the environment. .

This type of report helps meet monitoring and auditing requirements for critical events, contributing to the early detection of security problems and the optimization of control over the execution of services within the system.', null, null, null, null, null, null, null, null, null, 511, true, 323, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Service Control Manager Log Information', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1000, 'This report provides a detailed analysis of file access events (FileAccessed) in the O365 environment with the objective of verifying compliance with CMMC Level 1 control AU.1.001, which requires the implementation of audit logs

The report collects key information about file accesses which allows validating that file access events are being correctly recorded providing visibility into user interaction with information stored in the organization

The purpose of this monitoring is to ensure that all file accesses are properly audited, detect unusual accesses that may represent a security risk, and provide evidence for the review and audit of activities in the organization''s information repositories

This report serves as an essential tool for CMMC Level 1 compliance by ensuring that the organization maintains a reliable and verifiable record of file accesses in its O365 environment contributing to the protection of information and the detection of suspicious activities.', null, null, null, null, null, null, null, null, null, 511, true, 325, 'TEMPLATE', null, null, 'Office 365 Level 1 (AU.1.001): File Accessed', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (613, 'This report collects and analyzes key information about DescribeLogStreams events in AWS, for the purpose of verifying compliance with CMMC practice AU.2.042. Its objective is to ensure that the query and retrieval of log streams in AWS CloudWatch Logs are recorded and monitored for the detection and analysis of security events.

The report includes details such as the account involved, the identity of the user who made the request, and the source of the request. This information is essential to audit access to critical logs, detect unusual activities, and ensure proper log collection and analysis in the AWS environment.', null, null, null, null, null, null, null, null, null, 511, true, 332, 'TEMPLATE', null, null, 'AWS Level 2 (AU.2.042): DescribeLogStreams Logs', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (911, e'The Windows Account Logon Failure report provides detailed records of failed authentication attempts on a Windows system. This report is essential for identifying unauthorized access attempts, detecting suspicious activity, and maintaining compliance with security and audit frameworks.
• Regulatory Compliance: Ensures alignment with standards like GLBA, PCI DSS, and ISO 27001, by tracking failed login attempts as part of a comprehensive audit trail for access controls.
• Unauthorized Access Monitoring: Detects and records failed login attempts, providing visibility into potential brute-force attacks, use of invalid credentials, or attempts to access sensitive systems.
• Event Correlation: Links failed login events with related activities, such as IP addresses, user accounts, or repeated attempts, to detect potential threat patterns or misconfigurations.
• Real-Time Alerts: Captures failed logon attempts in real-time, triggering alerts for administrators when thresholds are met or when sensitive accounts are targeted, enabling rapid response.
• Incident Detection: Identifies unusual or repeated failed attempts, such as those from unexpected locations or outside normal business hours, which may indicate a security threat or compromised account.
• Audit Readiness: Documents all failed logon attempts with details such as username, logon type, originating IP, timestamp, and error codes, ensuring that comprehensive records are available for audits and investigations.', null, null, null, null, null, null, null, null, null, 702, true, 266, 'TEMPLATE', null, null, 'Windows Account Logon Failure', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (614, 'This report collects and analyzes key information about PutObject events in AWS, for the purpose of verifying compliance with CMMC practice AU.2.042. Its goal is to ensure that the creation and modification of objects in Amazon S3 are recorded and monitored for the detection and analysis of security events.

The report includes details such as the account involved, the destination bucket, the source IP address, and the source of the request. This information is essential to audit access and modifications to sensitive data, detect possible unauthorized activities, and ensure proper log collection and analysis in the AWS environment.', null, null, null, null, null, null, null, null, null, 511, true, 333, 'TEMPLATE', null, null, 'AWS Level 2 (AU.2.042): PutObject Logs', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (615, 'This report collects and analyzes relevant information about GetBucketAcl events in AWS, for the purpose of verifying compliance with CMMC practice AU.2.042. Its objective is to ensure that queries to the access control lists (ACLs) of Amazon S3 buckets are recorded and monitored to detect and analyze possible security events.

The report includes key details such as the account involved, the bucket queried, the identity of the user who made the request, the originating IP address, and the source of the request. This information is essential to audit attempts to access bucket permissions, identify possible unauthorized activities, and ensure proper log collection and analysis in the AWS environment.', null, null, null, null, null, null, null, null, null, 511, true, 334, 'TEMPLATE', null, null, 'AWS Level 2 (AU.2.042): GetBucketAcl Logs', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (813, 'This report compiles relevant information from the Windows logs generated by event 4624, which is triggered when a user logs on to the system. This event is critical to compliance with CMMC Level 1 control AU.1.001, which requires capturing audit logs for review.

Event 4624 provides details about successful login attempts to the system. These logs are essential to track user activities on the system and to identify unauthorized or unusual access.

Collecting and reviewing logs from this event is crucial to comply with security audit policies and ensure system accesses are appropriately monitored. Analysis of 4624 events can detect anomalous behavior patterns, which may indicate unauthorized access attempts or potential security breaches.

This report contributes to the implementation of appropriate audit practices, facilitating the capture and review of relevant user activity records, in accordance with CMMC Level 1 regulations. Additionally, it reinforces the ability of security teams to identify and correct vulnerabilities related to access to systems, helping to maintain the integrity and availability of data.', null, null, null, null, null, null, null, null, null, 509, true, 265, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): Account Logon Success', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (616, 'This report collects and analyzes relevant information about DescribeLogGroups events in AWS, with the objective of verifying compliance with CMMC practice AU.2.042. Its purpose is to ensure that queries to log groups in Amazon CloudWatch Logs are recorded and monitored for the detection and analysis of security events.

The report includes key details such as the account involved, the user or service that made the request, the source IP address, the time of the event, and the source of the request. This information is essential to audit the access and display of log groups, identifying possible unauthorized activities and ensuring proper collection and monitoring of logs in the AWS environment.', null, null, null, null, null, null, null, null, null, 511, true, 335, 'TEMPLATE', null, null, 'AWS Level 2 (AU.2.042): DescribeLogGroups Logs', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (879, 'This report collects relevant information about event 4634 (Logoff) in Windows logs, with the objective of verifying compliance with CMMC Level 1 practice AU.1.001, which requires the implementation of audit logs to track activities in the system .

Event 4634 indicates when a user session has ended successfully, which is critical for access monitoring and detecting anomalous activity. The report includes details such as the user ID, logout time, event source, and workstation used.

This analysis is key to ensuring that all user sessions are effectively logged, allowing for security audits and detection of potential incidents, such as unauthorized access or attempts to evade session controls.', null, null, null, null, null, null, null, null, null, 511, true, 350, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Account Logoff', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (875, 'This report compiles and presents relevant information about CreateRole events in AWS, with the objective of verifying compliance with CMMC practice AU.1.001. It focuses on ensuring that role creation in AWS is properly audited, ensuring that changes to role configurations are effectively logged. The report includes key details about the roles created, such as the role name, the account involved, and the source of the request. This information is crucial to verify that actions related to role management in the system are correctly monitored, ensuring that access to sensitive resources is managed and documented in accordance with security policies. 
This allows any unauthorized activity or unapproved changes to be detected, helping to maintain the security and integrity of the system.', null, null, null, null, null, null, null, null, null, 511, true, 355, 'TEMPLATE', null, null, 'AWS Level 1 (AU.1.001): Access Roles Assumption', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1224, 'This report analyzes user-initiated logoff events (Event ID 4647) on Windows systems to assess compliance with PCI DSS Requirement A1.1 in multi-tenant environments. Activity logs are reviewed to verify that users terminate their sessions in a controlled manner and that no unauthorized access exists between customer and vendor environments. 
The analysis includes key information that contributes to the validation of security controls, ensuring that sessions are properly managed and reducing the risk of unauthorized persistence on shared infrastructures.', null, null, null, null, null, null, null, null, null, 812, true, 351, 'TEMPLATE', null, null, 'Windows User Account Logoff', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (877, 'This report compiles and presents relevant information about AttachRolePolicy events in AWS, with the objective of verifying compliance with CMMC level 2 practice AU.2.042. It focuses on ensuring that audit logs related to the association of policies to roles are collected effectively, allowing the detection and analysis of security events. The report includes key details such as the identity of the user performing the action, the ARN of the attached policy, the affected role, the account involved, and the source of the request. 
This information is critical to monitoring permission changes, detecting unauthorized activity, and ensuring that necessary logs are available to support event analysis and improve response to potential security incidents.', null, null, null, null, null, null, null, null, null, 511, true, 356, 'TEMPLATE', null, null, 'AWS Level 2 (AU.2.042): Attach Role Policy', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1001, 'This report provides a detailed analysis of FileDeleted events in the O365 environment with the goal of verifying compliance with CMMC Level 1 control AU.1.001, which requires the implementation of audit logs

The report collects key information which allows validating that file deletions are being properly logged providing visibility into data deletion activities in the organization

The purpose of this monitoring is to ensure that all file deletions are properly audited, detect unauthorized or suspicious deletions, and provide evidence for the review and audit of sensitive information deletion actions

This report serves as an essential tool for CMMC Level 1 compliance by ensuring that the organization maintains a reliable and verifiable record of file deletions in its O365 environment contributing to the protection of information and the detection of unauthorized activities.', null, null, null, null, null, null, null, null, null, 511, true, 394, 'TEMPLATE', null, null, 'Office 365 Level 1 (AU.1.001): File Deleted', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (816, 'This report collects relevant information from the Windows logs generated by event 4720, which is triggered when a new user account is created on the system. This event is critical to compliance with CMMC Level 1 control AU.1.001, which requires capturing audit logs for review.

Event 4720 provides details on creating user accounts. This information is essential to maintaining control over account management in the system, allowing security teams to verify that accounts are being created in an authorized manner and in accordance with the organization''s access policies.

Monitoring the creation of user accounts is vital to identify unauthorized changes to the system, such as the creation of malicious or elevated accounts without proper approval. Additionally, by recording this information, organizations can conduct audits and review user accounts to ensure they are aligned with roles and operational needs.

This report helps ensure that complete and accurate audit logs are maintained for every action related to the creation of user accounts, contributing to effective infrastructure security management and compliance with CMMC Level 1 control AU.1.001.', null, null, null, null, null, null, null, null, null, 509, true, 267, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): User Accounts Created', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1002, 'This report provides a detailed analysis of file sharing events (SharingSet) in the O365 environment with the objective of verifying compliance with CMMC Level 2 control AU.2.042, which requires ensuring that logs are collected to detect and analyze security events

The report collects key information about file sharing actions, which allows detecting unusual or risky activities related to file sharing, such as assigning excessive permissions or sharing sensitive information with unauthorized users

The purpose of this monitoring is to ensure that file sharing actions are correctly recorded and audited, identifying behavioral patterns that could represent a security threat and providing data for incident analysis

This report is an essential tool for CMMC Level 2 compliance, ensuring that file sharing events are correctly collected and analyzed to detect possible security incidents in the O365 environment, contributing to the protection of information and the prevention of unauthorized access authorized.', null, null, null, null, null, null, null, null, null, 511, true, 395, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.042): Sharing Set', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (912, e'The Windows User Accounts Created report provides detailed logs of events where new user accounts are created on a Windows system. This report is crucial for tracking account creation activities, ensuring compliance with security standards, and detecting unauthorized account provisioning.
• Regulatory Compliance: Ensures adherence to frameworks such as PCI DSS, ISO 27001, and SOC2, by maintaining records of all user account creation activities to support access control and audit requirements.
• Account Management Monitoring: Tracks the creation of user accounts, allowing administrators to verify that accounts are provisioned through authorized processes and for legitimate purposes.
• Event Correlation: Links user account creation events to administrative actions, IP addresses, and associated events (e.g., privilege escalations or group assignments) for a comprehensive audit trail.
• Real-Time Alerts: Notifies administrators of new account creation in real-time, particularly for privileged accounts or accounts created outside of standard provisioning workflows.
• Incident Detection: Helps identify unauthorized account creation, which could indicate insider threats, privilege misuse, or malicious activities such as backdoor account setups.
• Audit Readiness: Logs all details of account creation events, including the account name, creation time, associated user or process, and originating machine, ensuring robust records for audits and investigations.', null, null, null, null, null, null, null, null, null, 702, true, 267, 'TEMPLATE', null, null, 'Windows User Accounts Created', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1003, 'This report provides a detailed analysis of FileSyncDownloadedFull events in the O365 environment to verify compliance with CMMC Level 2 control AU.2.042, which requires ensuring that logs are collected to detect and analyze security events.

The report collects key information about file synchronizations, allowing you to identify unusual or suspicious activities related to file synchronization, such as unauthorized access or sensitive file transfers that could pose a security risk.

The purpose of this monitoring is to ensure that file synchronization actions are properly audited, detecting behavioral patterns that could indicate threats and providing relevant data for incident analysis.

This report is a key tool for CMMC Level 2 compliance, ensuring that all file synchronization events are collected and analyzed, contributing to the protection of information and the improvement of security in the O365 environment.', null, null, null, null, null, null, null, null, null, 511, true, 396, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.042): File Synchronization', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1005, 'This report presents a detailed analysis of FileRenamed events in the Office 365 (SharePoint) environment to verify compliance with CMMC Level 3 control AU.3.045. Key information is collected to correlate audit records and facilitate analysis of security events.

The purpose of this report is to improve visibility into changes to sensitive files, detect unusual activity, and support the identification of potential security incidents by escalating events within the system for audit purposes.', null, null, null, null, null, null, null, null, null, 511, true, 398, 'TEMPLATE', null, null, 'Office 365 Level 3 (AU.3.045): File Renamed', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (740, 'This report compiles relevant information from the Windows logs generated by event 4625, which is triggered when a login attempt fails on the system. This event is essential to comply with CMMC control AU.1.001, which requires retaining logs for basic review and ensuring the availability of information to audit access and detect possible inappropriate activities.

Event 4625 provides details about failed login attempts. This information is key to monitoring unauthorized system access attempts, identifying patterns of repeated failures or brute force attacks, and maintaining appropriate records for later review.

This report is useful for ensuring that event logs related to failed login attempts are stored and available for review. This contributes to compliance with CMMC regulations, allowing for basic audits and strengthening security through early detection of suspicious activities.', null, null, null, null, null, null, null, null, null, 505, true, 266, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Account Logon Failure', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (739, 'This report compiles relevant information from the Windows logs generated by event 4624, which is triggered when a user successfully logs into the system. This event is essential to comply with CMMC control AU.1.001, which requires retaining logs for basic review and ensuring that a proper audit of system access can be performed.

Event 4624 provides details about successful user login. This data is essential for maintaining a record of system access activities, allowing basic reviews to be performed to detect unauthorized access or unusual behavior.

This report helps ensure that login-related event logs are suitable for ongoing auditing, contributing to CMMC compliance and the ability to perform security reviews and analysis to protect the organization''s infrastructure.', null, null, null, null, null, null, null, null, null, 505, true, 265, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Account Logon Success', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (742, 'This report compiles relevant information from the Windows logs generated by event 4663, which is triggered when an object or file is accessed or modified in the system. This event is essential to comply with CMMC control AU.1.001, which requires the retention of logs for basic review, ensuring that records are maintained to audit access and modifications to objects in the system.

Event 4663 provides details about accesses to important files and objects. By compiling this information, it is easier to review access activities to critical data and protected objects, helping to detect possible unauthorized access or improper manipulation.

This report ensures that logs related to file access and modification are adequately retained, facilitating their review when necessary. This contributes not only to compliance with CMMC requirements, but also to strengthening system security by monitoring key activities that could signal threats or data exfiltration attempts.', null, null, null, null, null, null, null, null, null, 505, true, 277, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Access to critical files or specific directories', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (744, 'This report collects relevant information from the Windows logs generated by event 4719, which is triggered when system audit policy settings are modified. This event is essential to comply with CMMC control AU.2.043, which requires ensuring that audit logs are protected from unauthorized modifications.

Event 4719 provides details about changes made to audit policy configurations. By monitoring this event, it is possible to identify alterations in auditing configurations that could indicate attempts to disable or manipulate the event log to hide suspicious or malicious activity.

This report is essential to ensure that system audit settings remain intact and protected from unauthorized changes, allowing security teams to quickly detect and respond to potential security incidents. Additionally, it contributes to CMMC compliance by ensuring that audit logs are kept protected, helping to preserve the integrity and reliability of the monitoring system and the ability to perform effective forensic audits.', null, null, null, null, null, null, null, null, null, 505, true, 280, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.043): Policy changes', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (743, 'This report compiles relevant information from the Windows logs generated by event 1102, which is triggered when system audit logs are deleted or their status has changed. This event is crucial to comply with CMMC control AU.2.043, which requires ensuring that audit logs are protected from unauthorized modifications.

Event 1102 provides details about deleting audit logs. This information is key to ensuring that log deletion activities are reviewed, preventing the alteration or destruction of audit evidence that may be necessary for subsequent investigations.

This report contributes to the protection of logs, allowing security teams to detect and react to attempts to manipulate or delete key records that could compromise the integrity of the monitoring system. Additionally, it facilitates compliance with CMMC requirements by ensuring that logs are adequately protected against unauthorized modifications, which is essential to maintain audit reliability in the organization''s security environment.', null, null, null, null, null, null, null, null, null, 505, true, 295, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.043): Cleaned Event Log', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (745, 'This report collects relevant information from the Windows logs generated by event 4776, which is triggered during failed authentication attempts on a system through the use of incorrect credentials. This event is crucial to comply with CMMC control AU.3.044, which requires maintaining event logs for advanced review and effective response to security incidents.

Event 4776 provides details about authentication attempts. By monitoring this event, patterns of failed login attempts can be identified, which could indicate brute force attacks or unauthorized attempts to access the system.

This report is essential to retain relevant logs that can be reviewed later to identify possible threats or security incidents. Additionally, by storing these events appropriately, security teams can conduct subsequent investigations if suspicious activity is detected. This also facilitates CMMC compliance by ensuring that authentication records are thoroughly reviewed and can be used in effective incident response or analysis.', null, null, null, null, null, null, null, null, null, 505, true, 301, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.044): Account Authentication Using NTLM', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (747, 'This report collects relevant information from the Windows logs generated by event 4771, which is triggered when a login attempt via Kerberos is unsuccessful due to an authentication failure. This event is essential to comply with CMMC control AU.3.044, which requires retaining logs for advanced review and appropriate response to security incidents.

Event 4771 captures details about failed login attempts using the Kerberos protocol. Monitoring these events is key to identifying potential unauthorized access attempts or suspicious activities, such as brute force attacks or credential exploitation attempts.

This report is essential to maintain detailed records of failed login attempts and enable advanced review in case of security incidents. By storing this information, security teams can investigate patterns of failed attempts, detect unusual behavior, and take steps to prevent unauthorized access. Additionally, it contributes to CMMC compliance by ensuring that records are adequate for analysis and response to potential security incidents.', null, null, null, null, null, null, null, null, null, 505, true, 310, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.044): Kerberos pre-authentication failed', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (750, 'This report collects relevant information from the Windows logs generated by event 1100, which is triggered when the Windows Event Logging service stops. This event is crucial to comply with CMMC control AU.5.055, which requires the use of advanced tools to ensure the integrity and availability of the logs.

Event 1100 provides information about the stopping of the event log service, which is essential for monitoring potential interruptions in the audit process and ensuring that event logs are kept intact and accessible for future review. Collecting and analyzing these events can detect unauthorized shutdowns or issues with log integrity, which could impact the ability to perform accurate audits and respond to security incidents effectively.

This report facilitates the identification of events in which the event logging service has been stopped, allowing proactive monitoring to maintain continuity in the collection and preservation of logs. Additionally, it contributes to compliance with CMMC requirements, ensuring that log protection and availability mechanisms are effectively implemented and monitored in accordance with best security practices.', null, null, null, null, null, null, null, null, null, 505, true, 314, 'TEMPLATE', null, null, 'Windows Level 5 (AU.5.055): Event Logging Service Shut Down', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1032, 'This report compiles relevant information from FileAccessed events in Office 365, recording file accesses within the organization''s environment. The information contained in this report demonstrates compliance with CMMC Level 1 requirement AU.1.001, ensuring the capture and retention of basic audit records for review.

Analysis of these events provides visibility into who, when, and from where files are accessed, allowing for the detection of usage patterns, unusual accesses, and ensuring traceability of activity on data stored in the cloud.', null, null, null, null, null, null, null, null, null, 505, true, 325, 'TEMPLATE', null, null, 'Office 365 Level 1 (AU.1.001): File Accessed', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (746, 'This report collects relevant information from the Windows logs generated by event 4767, which is triggered when a user account is unlocked after being locked out due to failed login attempts or security policy violations. This event is crucial to comply with CMMC control AU.3.044, which requires maintaining logs for advanced review and appropriate response to security incidents.

Event 4767 provides details about the unlocked account. Monitoring this event allows us to detect situations in which a previously blocked account is restored, which could be indicative of a change in user behavior, or in some cases, a possible attempt to evade security measures.

This report is essential to retain logs of events related to account unlocking, which facilitates investigation and response to security incidents. By storing this information, security teams can perform advanced screening to identify suspicious patterns, contributing to rapid detection of potential threats. Additionally, this process helps ensure CMMC compliance by ensuring that account unlock events are appropriately reviewed and can be used for effective incident response.', null, null, null, null, null, null, null, null, null, 505, true, 336, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.044): Unlocked Account', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (751, 'This report collects relevant information from the Windows logs generated by event 5038, which is triggered when modification or deletion of an audit log file is detected or when unauthorized access is made to a protected log file. This event is essential to comply with CMMC control AU.4.053, which requires the implementation of integrity controls on audit logs to prevent their manipulation or alteration.

Event 5038 provides details about access to the log files, indicating whether there has been an alteration or inappropriate access to them. This information is crucial to ensuring the integrity of audit logs, helping to detect possible attempts to hide malicious activity or modify critical records.

This report is key to ensuring that audit logs are adequately protected against alterations or manipulations, allowing security teams to take immediate action if suspicious behavior is detected. By implementing effective integrity controls on logs, the reliability of the information used for analysis and response to security incidents is guaranteed. Additionally, it contributes to compliance with CMMC standards by ensuring that audit logs are kept protected from unauthorized modifications.', null, null, null, null, null, null, null, null, null, 505, true, 337, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Audit File integrity Validation Failed', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (752, 'This report collects relevant information from the Windows logs generated by event 1105, which is triggered when the Windows Event Logging Service backs up the event logs. This event is important to comply with CMMC control AU.5.055, which requires the use of advanced tools to guarantee the integrity and availability of the logs.

Event 1105 provides details on event log backup operations, allowing you to verify the integrity of the logs and their availability for future review or incident investigation. Collecting this event helps ensure that audit logs are adequately backed up, protecting their retention from unauthorized modifications or data loss.

This report is essential to ensure that event logs are backed up regularly and effectively, which contributes to the integrity of the logs and their availability for security analysis and investigations. Additionally, it helps meet CMMC requirements by providing an additional layer of protection and ensuring that log backup mechanisms are properly implemented and monitored across the organization''s IT infrastructure.', null, null, null, null, null, null, null, null, null, 505, true, 338, 'TEMPLATE', null, null, 'Windows Level 5 (AU.5.055): Log Automatic Backup', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1033, 'This report compiles relevant information from FileDeleted events in Office 365, recording the deletion of files within the organization''s environment. The information contained in this report demonstrates compliance with CMMC Level 1 requirement AU.1.001, ensuring the capture and retention of basic audit records for review.

Analysis of these events provides visibility into which files have been deleted, by whom, when, and from what location or device. This facilitates the detection of unauthorized activities, the recovery of information in the event of accidental deletion, and the assurance of data traceability within the cloud environment.', null, null, null, null, null, null, null, null, null, 505, true, 394, 'TEMPLATE', null, null, 'Office 365 Level 1 (AU.1.001): File Deleted', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1036, 'This report compiles relevant information about Add-MailboxPermission events in Office 365, ensuring audit log retention for advanced review and incident response, in compliance with CMMC Level 3 requirement AU.3.044.

Analysis of these events allows monitoring and auditing changes to mailbox access permissions, identifying privilege assignments that could compromise information security. This report is essential for detecting unauthorized access, investigating security incidents, and ensuring that logs remain intact and accessible for forensic analysis in the event of suspicious activity or potential security breaches.', null, null, null, null, null, null, null, null, null, 505, true, 397, 'TEMPLATE', null, null, 'Office 365 Level 3 (AU.3.044): Mailbox Permission Assigning', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1035, 'This report compiles key information about FileRenamed events in Office 365, ensuring the protection and retention of audit records against unauthorized modifications, in compliance with CMMC Level 2 requirement AU.2.043.

Analysis of these events allows you to track when and by whom files have been renamed within your organization''s environment, verify changes to sensitive documents, and ensure record integrity. The information included in this report is essential for detecting suspicious activity, auditing file modifications, and implementing controls that prevent unauthorized alteration of audit logs.', null, null, null, null, null, null, null, null, null, 505, true, 398, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.043): File Renamed', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1232, 'This report presents relevant information collected from logs generated by the Office 365 MailItemsAccessed event, as part of the audit integrity monitoring and control activities required by the CMMC Level 4 standard (AU.4.053). This control requires the implementation of mechanisms to ensure the integrity of audit logs, ensuring their protection against unauthorized modification, deletion, or malicious alteration.

The collected logs include critical details about access to email items. Analyzing these logs allows for validating the integrity of the recorded events and detecting any anomalous activity that could compromise information security, thereby complying with CMMC requirement AU.4.053.', null, null, null, null, null, null, null, null, null, 505, true, 400, 'TEMPLATE', null, null, 'Office 365 Level 4 (AU.4.053): MailItems Accessed', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1233, 'This report collects and analyzes Office 365 FileSyncUploadedFull event logs to comply with the CMMC Level 5 standard (AU.5.055), which requires the use of advanced tools to ensure the integrity and availability of audit logs.

Data about users, applications, IP addresses, devices, platforms, geographic locations, names and sizes of synchronized files, and whether they are synchronized from managed devices is examined. This analysis helps identify legitimate access and detect suspicious activity that could compromise information security.', null, null, null, null, null, null, null, null, null, 505, true, 401, 'TEMPLATE', null, null, 'Office Level 5 (AU.5.055): File Sync Uploaded Full', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (558, 'This report gathers relevant information from the Windows logs generated by event 4720, which is triggered when a user account is created on the system. Event 4720 is crucial to compliance with CMMC AU.2.043, which requires log review and event correlation to identify inappropriate, unauthorized, or suspicious activity.

Event 4720 captures essential details about creating a user account. This information is vital to detect unauthorized creation of user accounts or possible manipulations in account settings that could be used for improper access to the system.

Reviewing this event in conjunction with other security events can identify patterns of behavior that could indicate unusual activity, such as account creation outside of business hours or on unapproved systems, which may be a sign of a security breach. or an unauthorized access attempt.

Correlating 4720 events with other security logs provides complete visibility into the lifecycle of user accounts, ensuring that activities related to account creation are legitimate and appropriately managed.

This report facilitates the proactive analysis of system security and contributes to compliance with CMMC guidelines, allowing the early detection of possible vulnerabilities or risks in the management of user accounts.', null, null, null, null, null, null, null, null, null, 504, true, 267, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.043): User Accounts Created', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (557, 'This report gathers key information from the Windows logs generated by event 4625, which is triggered when a login attempt fails. This event is essential for compliance with CMMC AU.2.043, which requires log review and event correlation to detect inappropriate and unauthorized activities.

Event 4625 captures details of failed login attempts. Collecting these events allows for deep analysis of failed access attempts, which may indicate unauthorized access attempts, brute force attacks, or vulnerabilities in the authentication system.

By reviewing and correlating 4625 events with other security events on the system, this report helps identify unusual or suspicious patterns of behavior, such as multiple failed attempts in a short period of time. These activities could be indicative of an attempted security breach that, if not detected in time, could compromise the integrity of the systems.

Constant monitoring of 4625 events and their correlation with other critical events allows the organization to proactively respond to potential threats and take necessary steps to protect systems and sensitive information.', null, null, null, null, null, null, null, null, null, 504, true, 266, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.043): Account Logon Failure', null); INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (556, 'This report compiles relevant information from the Windows logs generated by event 4624, which is triggered when a user successfully logs into the system. This event is key to compliance with CMMC AU.2.043, which requires the review of logs and the correlation of events to detect inappropriate or unauthorized activities.

In this case, event 4624 provides details about successful login attempts to the systems, including the identity of the user, the origin of the session, the type of authentication used, and other relevant data. These events are essential for reviewing user activity and detecting access patterns that could indicate anomalous or suspicious behavior.

The report uses analysis tools to correlate login logs with other system security events, identifying potential inappropriate activity, such as unauthorized access or privilege escalation attempts. Continuous monitoring and correlation of these events allows the organization to quickly detect and respond to any suspicious activity, helping to strengthen the overall security posture.

This log review process is a critical part of access control and security event management, ensuring that only authorized users can access the organization''s systems and resources, while quickly identifying potential threats.', null, null, null, null, null, null, null, null, null, 504, true, 265, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.043): Account Logon Success', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1012, 'This report presents relevant information extracted from Office 365 UserLoggedIn event logs, designed to assist in compliance with CMMC Level 2 (AU.2.043) control. The control establishes the need to review logs and correlate events to detect inappropriate activities that may compromise the security of the organization.

UserLoggedIn event logs contain essential data about user login attempts to Office 365 systems, allowing you to detect unauthorized access, unusual patterns of behavior, and potential malicious access attempts. This report facilitates the identification of security incidents by analyzing access data in real time and correlating it with other relevant security events.

This report provides a solid foundation for security audits and incident response, ensuring that access events are reviewed and correlated to quickly detect and respond to potential threats that may affect the integrity of systems and data in Office 365.', null, null, null, null, null, null, null, null, null, 504, true, 261, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.043): Account Logon Success', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (569, 'This report compiles relevant information from the Windows logs generated by event 4726, which is recorded when a user account is deleted from the system. This event is critical to comply with CMMC control AU.4.054, which requires the implementation of advanced event correlation to detect evolving threats.

Event 4726 allows you to monitor account deletions, which can be an indicator of suspicious activity, such as attempts to hide traces of unauthorized access or malicious deletion of critical accounts. By correlating this event with other security logs, such as privilege changes, unusual access, or security policy modifications, patterns can be identified that indicate ongoing malicious activity.

This report facilitates the detection of advanced threats by providing visibility into changes in user account management, allowing a proactive response to potential security incidents. Additionally, it reinforces CMMC compliance by ensuring advanced monitoring and effective correlation of critical events within the system.', null, null, null, null, null, null, null, null, null, 504, true, 272, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.054): User Accounts Deleted', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (610, 'This report compiles relevant information from Windows logs associated with Account Manipulation, Domain Policy Modification, Impair Defenses, and Account Access Removal alerts, which are key events for the detection and prevention of privilege escalation in the IT environment. This information is used to verify compliance with CMMC Level 4 control AC.4.028, which requires automation of privilege escalation detection.

Account Manipulation events include activities such as modifying user accounts, assigning roles and privileges, which may indicate attempts to gain elevated access in an unauthorized manner. Domain Policy Modification alerts reflect changes to domain policies that could allow privilege escalation at the network level, and Impair Defenses alerts detect modifications that affect security measures implemented to protect the system. Finally, Account Access Removal alerts record attempts to remove account access, which may be a sign of an attempt to cover the tracks of an attack.

Monitoring these events helps identify anomalous patterns or suspicious actions related to unauthorized elevation of privileges, which is crucial to preventing unauthorized access and potential security compromises. Automating the detection of these events ensures a faster and more accurate response to any attempted privilege escalation, minimizing the risk that an attacker can gain access to critical resources without being detected.

This report contributes significantly to compliance with AC.4.028 by providing a centralized, automated view of key events related to privilege escalation. By automating detection, you strengthen your organization''s security posture, enabling you to efficiently detect and mitigate privilege escalation attacks before they severely impact sensitive data and infrastructure.', null, null, null, null, null, null, null, null, null, 510, true, 244, 'TEMPLATE', null, null, 'AWS Level 4 (AC.4.021): Alerts', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (927, e'The Windows Access to Shared Resources report provides detailed logs of events where users or systems access shared resources, such as files, folders, printers, or other network-shared assets. This report is critical for tracking resource usage, detecting unauthorized access, and ensuring compliance with access control policies.
• Regulatory Compliance: Supports frameworks such as PCI DSS, HIPAA, and ISO 27001, by documenting access to shared resources to demonstrate adherence to data protection and resource usage policies.
• Resource Usage Monitoring: Tracks who accessed shared resources, what operations were performed (read, write, delete), and when the access occurred, ensuring transparency and accountability.
• Event Correlation: Links shared resource access events with user accounts, originating systems, and subsequent activities to provide a comprehensive audit trail.
• Real-Time Alerts: Generates notifications for access to critical shared resources, especially by unauthorized users or from suspicious locations, enabling immediate investigation.
• Incident Detection: Identifies suspicious behaviors, such as repeated unauthorized access attempts, unusual resource usage patterns, or access from untrusted systems, which may indicate insider threats or account compromise.
• Audit Readiness: Logs detailed information, including the resource accessed, the user or system performing the action, the type of access (read, write, delete), and the timestamp, ensuring robust documentation for compliance and forensic analysis.', null, null, null, null, null, null, null, null, null, 702, true, 285, 'TEMPLATE', null, null, 'Windows Access to Shared Resources', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (925, e'The Windows PowerShell Script Block Registration report provides detailed logs of events where PowerShell script blocks are registered for execution. This report is critical for monitoring the use of PowerShell, detecting potential security threats, and ensuring compliance with security policies and audit frameworks.
• Regulatory Compliance: Supports frameworks such as PCI DSS, ISO 27001, and SOC2, by logging PowerShell script block executions to ensure adherence to access control and script execution policies.
• PowerShell Activity Monitoring: Tracks all script blocks executed via PowerShell, ensuring visibility into administrative tasks, automation scripts, and potentially malicious activity.
• Event Correlation: Links PowerShell script block registration events with user accounts, originating systems, and subsequent activities, providing a comprehensive audit trail.
• Real-Time Alerts: Sends notifications for suspicious or unauthorized script block registrations, enabling rapid response to potential threats or misconfigurations.
• Incident Detection: Identifies anomalies, such as obfuscated scripts, scripts executed with elevated privileges, or script blocks executed from unusual sources, which may indicate malware or insider threats.
• Audit Readiness: Logs detailed information for each registered script block, including the script content (if available), the user or account responsible, the execution host, and the timestamp, ensuring robust documentation for compliance and investigations.', null, null, null, null, null, null, null, null, null, 702, true, 288, 'TEMPLATE', null, null, 'Windows PowerShell Script Block Registration', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (916, e'The Windows Local Security Group Member Removal report provides detailed logs of events where a user or object is removed from a local security group on a Windows system. This report is essential for monitoring privilege adjustments, detecting unauthorized modifications, and ensuring compliance with access control policies.
• Regulatory Compliance: Ensures alignment with frameworks such as PCI DSS, ISO 27001, and SOC2, by documenting all group membership removals to maintain an auditable trail of privilege management activities.
• Privilege Management Monitoring: Tracks removals from local security groups to confirm that privilege reductions align with organizational policies and prevent unintended loss of access.
• Event Correlation: Links group membership removal events with related administrative actions, user accounts, and originating systems to build a comprehensive security audit trail.
• Real-Time Alerts: Sends notifications when members are removed from critical groups, such as Administrators or Remote Desktop Users, enabling timely response to unauthorized actions or configuration changes.
• Incident Detection: Identifies unexpected or unauthorized removals from security groups, which may indicate insider threats, administrative errors, or malicious activities.
• Audit Readiness: Logs detailed information for each event, including the name of the group, the removed member, the user or process performing the action, and the timestamp, ensuring robust records for audits and investigations.', null, null, null, null, null, null, null, null, null, 702, true, 321, 'TEMPLATE', null, null, 'Windows Local Security Group Member Removal', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (942, 'This report consolidates relevant information from the Windows event 4624 logs to evaluate compliance with the CMMC Level 1 requirement (AU.1.001), which requires the capture of basic security events. By recording successful logins, these logs provide evidence of activity in the system, allowing the organization to maintain access traceability and strengthen its monitoring and incident response capabilities. 
The collection and analysis of these logs contributes to the early detection of threats, facilitating audits and ensuring compliance with established security controls.', null, null, null, null, null, null, null, null, null, 513, true, 265, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Account Logon Success', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (943, 'This report compiles relevant information from the logs of Windows event 4625, which is activated in cases of failed login attempts, to verify compliance with the Level 1 requirement (AU.1.001) of CMMC. This event is critical to detecting and documenting unauthorized or failed access attempts to systems, providing an additional layer of monitoring on the organization''s systems. 
Through the capture of these logs, traceability and visibility of possible threats is ensured, which allows preventive or corrective measures to be taken against possible intrusion attempts, and supports compliance with the basic security controls required by CMMC.', null, null, null, null, null, null, null, null, null, 513, true, 266, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Account Logon Failure', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (940, 'This report compiles relevant information from Threat Intelligence activity logs used to improve incident response, aligning with compliance with CMMC''s Level 3 requirement (IR.3.098). It contains details on the indicators of attack (IOCs) identified, the analysis methods applied and how this data was used to optimize incident responses. 
The report allows us to evaluate how threat indicators are integrated into incident response operations, strengthening the ability to detect and mitigate cybersecurity risks.', null, null, null, null, null, null, null, null, null, 512, true, 252, 'TEMPLATE', null, null, 'Level 3 (IR.3.098): Threat Intelligence Activity', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1152, 'This report collects and analyzes Windows 4732 events, which record the addition of users to security groups on the system. Its purpose is to assess compliance with PCI DSS Requirement 7.2, which establishes that access to system components and data must be appropriately defined and assigned. 
By reviewing these events, we validate that access to resources and systems is granted according to users'' specific roles and needs, ensuring the implementation of the principle of least privilege and guaranteeing that only authorized users have access to critical information based on their role.', null, null, null, null, null, null, null, null, null, 805, true, 320, 'TEMPLATE', null, null, 'Windows Member Addition to a Security Local Group', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1148, 'This report collects and analyzes Windows 1102 events, which indicate the deletion of the security audit log. Its purpose is to assess compliance with PCI DSS Requirement 7.1, ensuring that processes and mechanisms for restricting access to system components and cardholder data are defined, understood, and in use. 
Monitoring these events can detect potential attempts to conceal unauthorized activity, ensuring the integrity and availability of audit logs.', null, null, null, null, null, null, null, null, null, 805, true, 295, 'TEMPLATE', null, null, 'Windows Cleaned Event Log', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (565, 'This report compiles relevant information from the Windows logs generated by events 5140 and 5145, which are activated when accessing shared resources on the network. These events are critical to comply with CMMC control AU.3.045, which requires correlation of security events to identify suspicious behavior and detect malicious activity.

Events 5140 and 5145 provide details about shared resource accesses, including user identity, connection origin, and assigned permissions. By correlating these events with other activity logs, such as unauthorized access attempts or modifications to sensitive files, patterns can be identified that indicate potential threats, such as data exfiltration or lateral movements within the network.

This report helps detect suspicious events related to access to shared resources, allowing preventive measures to be taken against possible internal or external attacks. Additionally, it contributes to compliance with CMMC regulations by ensuring effective monitoring and correlation of key events for infrastructure protection.', null, null, null, null, null, null, null, null, null, 504, true, 275, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Access to Shared Resources', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (633, 'This report compiles relevant information from the Windows logs generated by event 4663, which is triggered when an object or file is accessed or modified in the system. This event is essential to comply with CMMC control AU.2.043, which requires log review and correlation of events to detect inappropriate or malicious activities.

Event 4663 provides details about access to critical files and objects, allowing you to monitor changes or unauthorized access to sensitive data. By correlating this event with other system activity logs, patterns can be identified that suggest attempts at manipulation or misuse of information, contributing to the detection of unusual activities that may compromise the security of the organization.

This report helps detect suspicious events related to access to confidential files and the modification of important data, allowing preventive measures to be taken against possible internal or external attacks. Additionally, it facilitates compliance with CMMC regulations by ensuring that events that may indicate inappropriate activities are appropriately reviewed and correlated.', null, null, null, null, null, null, null, null, null, 504, true, 277, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.043): Access to critical files or specific directories', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (563, 'This report compiles relevant information from the Windows logs generated by event 4672, which is essential to comply with CMMC control AU.3.045, which requires the correlation of security events to identify suspicious behavior or malicious activities. Event 4672, related to login of elevated users, is used to detect unusual behavior, such as unauthorized access or abuse of privileges within the system.

Analyzing and correlating this event with other security logs can identify patterns that could indicate threats, such as access to sensitive systems or attempts to abuse elevated privileges. This report facilitates the detection of possible security incidents, thus contributing to the monitoring and strengthening of the protection capabilities of the organization''s infrastructure.', null, null, null, null, null, null, null, null, null, 504, true, 278, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Special privileges assigned to new logon', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1123, 'This report compiles relevant information from 4670 events (Permissions on Audit Objects Changed) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 4.1. This requirement establishes that processes and mechanisms for protecting cardholder data using strong cryptography during transmission over open, public networks must be clearly defined and understood.

Event 4670 allows for auditing changes to security object permissions, providing visibility into modifications to critical settings that could affect the protection of transmitted data. This event can identify attempts to alter encryption policy settings, changes to security certificates, or adjustments to communication protocols that could compromise the security of the PAN (Primary Account Number) during transmission.

This analysis assesses the proper implementation and maintenance of cryptographic measures, ensuring that only authorized personnel can modify key settings and that PCI DSS controls for the secure transmission of cardholder data are followed.', null, null, null, null, null, null, null, null, null, 803, true, 274, 'TEMPLATE', null, null, 'Windows Protected Object Permission Change', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (952, 'This report compiles relevant information from the logs of Windows event 4720, which is generated when a new user account is created on the system. This event is critical to verify compliance with CMMC''s Level 3 requirement (AU.3.045), which requires auditing of critical events for compliance and incident response. Monitoring the creation of user accounts allows us to detect possible malicious activities, unauthorized access or improper configurations that may compromise the security of the environment. 
By analyzing these logs, organizations can strengthen their access controls, improve visibility into infrastructure changes, and ensure the protection of sensitive information.', null, null, null, null, null, null, null, null, null, 513, true, 267, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): User Accounts Created', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (566, 'This report collects relevant information from the Windows logs generated by event 4648, which is triggered when explicit credentials are used to log on to a system. This event is critical to comply with CMMC control AU.3.045, which requires correlation of security events to identify suspicious behavior and detect malicious activity.

By correlating this event with other activity logs, such as failed access attempts, privilege changes, or unusual remote connections, patterns can be identified that suggest privilege escalation attempts, lateral movement, or unauthorized access within the system.

This report allows us to detect suspicious events related to the improper use of credentials, helping to strengthen monitoring and response capabilities against possible threats. Additionally, it contributes to compliance with CMMC regulations by ensuring effective review and correlation of key events for organizational security.', null, null, null, null, null, null, null, null, null, 504, true, 281, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Logins with explicit credentials', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (564, 'This report compiles relevant information from the Windows logs generated by event 4688, which is recorded when a new process is created in the system. Its analysis is essential for compliance with CMMC control AU.3.045, which requires the correlation of security events to detect suspicious behavior or malicious activities.

Monitoring this event allows you to identify program execution, detect the creation of unusual processes, and correlate activities with other security events. This helps uncover potential threats, such as the use of unauthorized tools, the execution of suspicious scripts, or attempts at lateral movement within the network.

This report strengthens the incident detection and response capacity, facilitating the identification of anomalous patterns and improving the protection of the infrastructure against unauthorized access or malicious activities.', null, null, null, null, null, null, null, null, null, 504, true, 284, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Windows Process Creation', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (570, 'This report collects relevant information from the Windows logs generated by event 5007, which is recorded when changes are made to the Windows audit policy configuration. This event is critical to comply with CMMC control AU.4.054, which requires the implementation of advanced event correlation to detect evolving threats.

Event 5007 can indicate legitimate modifications to audit policies, but it can also be a sign of malicious activity, such as attempts to disable security monitoring or evade detection of suspicious events. By correlating it with other security events, such as changes in user privileges, unusual access or disabling of security services, it is possible to identify patterns that suggest attempts at manipulation or compromise of the system.

This report makes it easier to detect potential advanced threats by providing visibility into alterations to auditing configurations. In addition, it contributes to CMMC compliance by strengthening the ability to monitor and analyze critical events that may affect the organization''s security.', null, null, null, null, null, null, null, null, null, 504, true, 287, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.054): Changes to Defender settings', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (557, 'This report gathers key information from the Windows logs generated by event 4625, which is triggered when a login attempt fails. This event is essential for compliance with CMMC AU.2.043, which requires log review and event correlation to detect inappropriate and unauthorized activities.

Event 4625 captures details of failed login attempts. Collecting these events allows for deep analysis of failed access attempts, which may indicate unauthorized access attempts, brute force attacks, or vulnerabilities in the authentication system.

By reviewing and correlating 4625 events with other security events on the system, this report helps identify unusual or suspicious patterns of behavior, such as multiple failed attempts in a short period of time. These activities could be indicative of an attempted security breach that, if not detected in time, could compromise the integrity of the systems.

Constant monitoring of 4625 events and their correlation with other critical events allows the organization to proactively respond to potential threats and take necessary steps to protect systems and sensitive information.', null, null, null, null, null, null, null, null, null, 504, true, 266, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.043): Account Logon Failure', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (558, 'This report gathers relevant information from the Windows logs generated by event 4720, which is triggered when a user account is created on the system. Event 4720 is crucial to compliance with CMMC AU.2.043, which requires log review and event correlation to identify inappropriate, unauthorized, or suspicious activity.

Event 4720 captures essential details about creating a user account. This information is vital to detect unauthorized creation of user accounts or possible manipulations in account settings that could be used for improper access to the system.

Reviewing this event in conjunction with other security events can identify patterns of behavior that could indicate unusual activity, such as account creation outside of business hours or on unapproved systems, which may be a sign of a security breach. or an unauthorized access attempt.

Correlating 4720 events with other security logs provides complete visibility into the lifecycle of user accounts, ensuring that activities related to account creation are legitimate and appropriately managed.

This report facilitates the proactive analysis of system security and contributes to compliance with CMMC guidelines, allowing the early detection of possible vulnerabilities or risks in the management of user accounts.', null, null, null, null, null, null, null, null, null, 504, true, 267, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.043): User Accounts Created', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (559, 'This report gathers relevant information from the Windows logs generated by event 4722, related to the enablement of user accounts on the system. Event 4722 is crucial for compliance with CMMC AU.2.043, which requires log review and event correlation to identify inappropriate or suspicious activity.

The review of this event, in conjunction with other security records, facilitates the detection of irregularities in the management of user accounts, contributing to the early identification of unauthorized activities. Correlating events allows you to detect unusual patterns or actions, which helps prevent potential security incidents.

This report supports compliance with CMMC guidelines by ensuring that activities related to enabling user accounts are appropriately monitored, strengthening the ability to detect inappropriate behavior and mitigate risks.', null, null, null, null, null, null, null, null, null, 504, true, 293, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.043): User Accounts Enabled', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1124, 'This report compiles relevant information from 4719 events (System Audit Configuration Changed) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 4.1. This requirement establishes that processes and mechanisms for protecting cardholder data using strong cryptography during transmission over open, public networks must be defined and understood.

Event 4719 allows for auditing changes to system audit configurations, which is critical to ensuring oversight of data protection-related activities during transmission. Changing these parameters could impact the ability to detect unauthorized access, changes to security certificates, cryptographic protocol failures, or attempts to disable critical event monitoring.

Analysis of these events provides visibility into potential system audit changes, allowing verification that security policies and procedures are documented, up-to-date, and operational, in accordance with the controls established in PCI DSS for the secure transmission of cardholder data.', null, null, null, null, null, null, null, null, null, 803, true, 280, 'TEMPLATE', null, null, 'Windows Policy changes', '');
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (560, 'This report gathers relevant information from the Windows logs generated by event 4723, which refers to an attempt to change the password of a user account. This event is essential for compliance with CMMC control AU.2.043, which establishes the need to review logs and correlate events to detect inappropriate activities.

Analysis of this event helps identify unauthorized or failed password modification attempts, which may be an indicator of suspicious activity or account compromise attempts. Correlating this event with other relevant logs allows for more accurate detection of anomalous patterns or unusual behavior, thus improving the ability to prevent unauthorized access or malicious behavior.

This report supports compliance with CMMC regulations by ensuring that password modification actions are reviewed efficiently, contributing to the identification and mitigation of risks related to unauthorized access and the integrity of user accounts.', null, null, null, null, null, null, null, null, null, 504, true, 294, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.043): User Password Reset Attempt', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (561, 'Log of access attempts to critical files or specific directories, capturing detailed information about the subject (user or process), the object (file or directory), the type of access requested, and the outcome.', null, null, null, null, null, null, null, null, null, 504, true, 277, 'TEMPLATE', null, null, null, null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (562, 'This report gathers relevant information from the Windows logs generated by event 4660, which is triggered when an object, such as a file or directory, is deleted on a system. 
Event 4660 is crucial to comply with CMMC control AU.3.045, which states the need to correlate security events to identify suspicious behavior and potential security incidents.

Event 4660 captures details about the deletion of objects on the system, providing information about what files or directories were deleted, who performed the action, and when it was performed. These details can be critical in identifying potential malicious activity or suspicious behavior, such as unauthorized deletion of critical files or sensitive data. By correlating this event with other security logs, such as access logs, authentication logs, or security configuration changes, unusual patterns of behavior can be identified.

This report is essential to detect and mitigate possible threats related to the deletion of important or confidential information, helping to identify activities that may indicate an attempted cover-up of malicious actions or an attack. Additionally, it facilitates CMMC compliance by improving event monitoring and correlation capabilities, allowing for a timely response to suspicious activities.', null, null, null, null, null, null, null, null, null, 504, true, 298, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Object Deletion', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (563, 'This report compiles relevant information from the Windows logs generated by event 4672, which is essential to comply with CMMC control AU.3.045, which requires the correlation of security events to identify suspicious behavior or malicious activities. Event 4672, related to login of elevated users, is used to detect unusual behavior, such as unauthorized access or abuse of privileges within the system.

Analyzing and correlating this event with other security logs can identify patterns that could indicate threats, such as access to sensitive systems or attempts to abuse elevated privileges. This report facilitates the detection of possible security incidents, thus contributing to the monitoring and strengthening of the protection capabilities of the organization''s infrastructure.', null, null, null, null, null, null, null, null, null, 504, true, 278, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Special privileges assigned to new logon', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (564, 'This report compiles relevant information from the Windows logs generated by event 4688, which is recorded when a new process is created in the system. Its analysis is essential for compliance with CMMC control AU.3.045, which requires the correlation of security events to detect suspicious behavior or malicious activities.

Monitoring this event allows you to identify program execution, detect the creation of unusual processes, and correlate activities with other security events. This helps uncover potential threats, such as the use of unauthorized tools, the execution of suspicious scripts, or attempts at lateral movement within the network.

This report strengthens the incident detection and response capacity, facilitating the identification of anomalous patterns and improving the protection of the infrastructure against unauthorized access or malicious activities.', null, null, null, null, null, null, null, null, null, 504, true, 284, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Windows Process Creation', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (565, 'This report compiles relevant information from the Windows logs generated by events 5140 and 5145, which are activated when accessing shared resources on the network. These events are critical to comply with CMMC control AU.3.045, which requires correlation of security events to identify suspicious behavior and detect malicious activity.

Events 5140 and 5145 provide details about shared resource accesses, including user identity, connection origin, and assigned permissions. By correlating these events with other activity logs, such as unauthorized access attempts or modifications to sensitive files, patterns can be identified that indicate potential threats, such as data exfiltration or lateral movements within the network.

This report helps detect suspicious events related to access to shared resources, allowing preventive measures to be taken against possible internal or external attacks. Additionally, it contributes to compliance with CMMC regulations by ensuring effective monitoring and correlation of key events for infrastructure protection.', null, null, null, null, null, null, null, null, null, 504, true, 275, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Access to Shared Resources', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (566, 'This report collects relevant information from the Windows logs generated by event 4648, which is triggered when explicit credentials are used to log on to a system. This event is critical to comply with CMMC control AU.3.045, which requires correlation of security events to identify suspicious behavior and detect malicious activity.

By correlating this event with other activity logs, such as failed access attempts, privilege changes, or unusual remote connections, patterns can be identified that suggest privilege escalation attempts, lateral movement, or unauthorized access within the system.

This report allows us to detect suspicious events related to the improper use of credentials, helping to strengthen monitoring and response capabilities against possible threats. Additionally, it contributes to compliance with CMMC regulations by ensuring effective review and correlation of key events for organizational security.', null, null, null, null, null, null, null, null, null, 504, true, 281, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Logins with explicit credentials', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (567, 'This report collects relevant information from the Windows logs generated by event 4697, which is triggered when a new service is installed on the system. This event is critical to comply with CMMC control AU.3.045, which requires correlation of security events to identify suspicious behavior and detect malicious activity.

Event 4697 provides details about the installation of new services, allowing you to monitor system configuration changes that could indicate persistence attempts by attackers or the execution of unauthorized software. By correlating this event with other security logs, such as privilege changes or unusual access, patterns can be identified that suggest suspicious activity within the environment.

This report helps detect possible threats related to the installation of unauthorized services, facilitating the taking of preventive measures to mitigate security risks. Additionally, it contributes to compliance with CMMC regulations by ensuring effective monitoring and correlation of key events for infrastructure protection.', null, null, null, null, null, null, null, null, null, 504, true, 305, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Service Installed', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (568, 'This report collects relevant information from the Windows logs generated by event 4738, which is triggered when there is a change in the information of a user account, such as the modification of the password or other important attributes. This event is essential to comply with CMMC control AU.3.045, which establishes the need to correlate security events to identify suspicious behavior.

Event 4738 provides detailed information about any alterations to user accounts, which may indicate attempted credential manipulation or unauthorized modifications. By correlating this event with other security logs, such as system access logs and authentication event logs, you can identify unusual or malicious patterns of behavior, such as accessing critical accounts or modifying user privileges without justification.

This report allows you to identify potentially malicious activities that involve the modification of user accounts and is a key tool to detect suspicious changes that may compromise organizational security. Additionally, it facilitates CMMC compliance by implementing robust event correlation practices, crucial to identifying and mitigating risks related to unauthorized access.', null, null, null, null, null, null, null, null, null, 504, true, 308, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): User Account Attributes Changes', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (569, 'This report compiles relevant information from the Windows logs generated by event 4726, which is recorded when a user account is deleted from the system. This event is critical to comply with CMMC control AU.4.054, which requires the implementation of advanced event correlation to detect evolving threats.

Event 4726 allows you to monitor account deletions, which can be an indicator of suspicious activity, such as attempts to hide traces of unauthorized access or malicious deletion of critical accounts. By correlating this event with other security logs, such as privilege changes, unusual access, or security policy modifications, patterns can be identified that indicate ongoing malicious activity.

This report facilitates the detection of advanced threats by providing visibility into changes in user account management, allowing a proactive response to potential security incidents. Additionally, it reinforces CMMC compliance by ensuring advanced monitoring and effective correlation of critical events within the system.', null, null, null, null, null, null, null, null, null, 504, true, 272, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.054): User Accounts Deleted', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (570, 'This report collects relevant information from the Windows logs generated by event 5007, which is recorded when changes are made to the Windows audit policy configuration. This event is critical to comply with CMMC control AU.4.054, which requires the implementation of advanced event correlation to detect evolving threats.

Event 5007 can indicate legitimate modifications to audit policies, but it can also be a sign of malicious activity, such as attempts to disable security monitoring or evade detection of suspicious events. By correlating it with other security events, such as changes in user privileges, unusual access or disabling of security services, it is possible to identify patterns that suggest attempts at manipulation or compromise of the system.

This report makes it easier to detect potential advanced threats by providing visibility into alterations to auditing configurations. In addition, it contributes to CMMC compliance by strengthening the ability to monitor and analyze critical events that may affect the organization''s security.', null, null, null, null, null, null, null, null, null, 504, true, 287, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.054): Changes to Defender settings', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (571, 'This report compiles relevant information from the Windows logs generated by event 1000, which is recorded when an application or process on the system experiences an error and closes unexpectedly. This event is critical to comply with CMMC control AU.4.054, which requires the implementation of advanced event correlation to detect evolving threats.

Event 1000 can be an indicator of possible malicious activity, such as attempts to exploit vulnerabilities, crashes in critical applications, or the execution of unauthorized code. By correlating it with other security events, such as suspicious process execution attempts, unusual access, or system configuration changes, it is possible to identify patterns that suggest attack attempts or infrastructure compromises.

This report facilitates the detection of possible advanced threats by providing visibility into application failures and their possible relationship with malicious activities. Additionally, it contributes to CMMC compliance by strengthening the ability to correlate and analyze critical events in the IT environment.', null, null, null, null, null, null, null, null, null, 504, true, 309, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.054): Application Errors', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (574, 'This report compiles and presents the relevant information extracted from the Windows event logs corresponding to event 4776, which is triggered during authentication attempts on systems using network authentication (NTLM). Analysis of these logs is essential to verify compliance with CMMC practice AC.1.001, which establishes the need to limit system access to authorized users only.

Event 4776 is used to audit access attempts, both successful and unsuccessful, and can provide key data on unauthorized access or inappropriate access attempts. This report includes details such as the username, the origin of the authentication request, and the authentication status.

Based on the information obtained, this report validates that access to the systems is restricted to previously authorized users and provides evidence to ensure compliance with access control and authentication policies.', null, null, null, null, null, null, null, null, null, 510, true, 301, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): Account Authentication Using NTLM', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (575, 'This report collects the Windows log event 4728 logs, which document the addition of a user to a security group on the system. This information is essential to verify compliance with CMMC''s Level 2 (AC.2.007) Access Control and Authentication policy, which requires the implementation of role-based access controls (RBAC), ensuring that users only have access to the necessary resources according to their function and role.

The report includes key details such as the identities of users added to security groups, the name of the group to which they were assigned, the date and time of the modification, as well as the account that performed the action. The analysis of these events ensures that the assignment of roles and permissions is carried out in a controlled manner and in accordance with established security policies, helping to maintain the principle of least privilege and prevent unauthorized access.', null, null, null, null, null, null, null, null, null, 510, true, 316, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): Additions to Security Groups', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (576, 'This report groups the records of event 4729 from the Windows logs, which document the removal of a user from a security group on the system. This information is crucial to verify compliance with CMMC''s Authentication and Access Control Policy Level 2 (AC.2.007), which establishes the implementation of role-based access controls (RBAC), ensuring that users maintain access only to the resources necessary for their assigned functions and roles.

The report includes important details such as the identities of users removed from security groups, the name of the group to which they belonged, the date and time of the removal, and the account that made the modification. The analysis of these events allows us to verify that the management of roles and permissions is carried out in a controlled manner, ensuring that access is adequate and minimizing the risk of unauthorized access.', null, null, null, null, null, null, null, null, null, 510, true, 317, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): Security Group Member Removal', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (577, 'This report collects the records of event 4731 from the Windows logs, which document the creation of a security group on the system. This information is essential to verify compliance with CMMC''s Level 2 Authentication and Access Control policy (AC.2.007), which requires the implementation of role-based access controls (RBAC), ensuring that access to the system is assigned. appropriately and only to users with the roles necessary for their functions.

The report includes key details such as the name, the identities of the administrators responsible for the creation, the date and time of the action, and any other information related to the group configuration. The analysis of these events ensures that the creation of security groups is carried out in a controlled manner, in line with established security policies, to facilitate effective management of user roles and permissions.', null, null, null, null, null, null, null, null, null, 510, true, 318, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): Creation of Security-Enabled Local Group', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (578, 'This report compiles the Windows log event 4735 logs, which document the modification of the properties of a security group on the system. This information is key to verify compliance with CMMC''s Level 2 (AC.2.007) Access Control and Authentication policy, which requires the implementation of role-based access controls (RBAC).

The report includes details such as the name of the modified security group, the changes made to its properties, as well as the identity of the user or system that performed the action. The date and time of the modification is also included. The analysis of these events ensures that modifications to security groups are carried out in a controlled manner and in accordance with established security policies, ensuring that users maintain appropriate access and permissions according to their roles and minimizing the risk of unauthorized access.', null, null, null, null, null, null, null, null, null, 510, true, 319, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): Security enabled local group change', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (579, 'This report collects the Windows log event 4732 logs, which document the addition of a user to a security group on the system. This information is crucial to verify compliance with the CMMC''s Authentication and Access Control policy Level 2 (AC.2.007), which establishes the implementation of role-based access controls (RBAC).

The report includes key details such as the name of the security group to which the user was added, the identity of the added user, the account or system that performed the action, among others. The analysis of these events allows us to verify that users are assigned to security groups according to their role and need for access to specific resources. This ensures that access is adequate and that the risk of unauthorized access is minimized, complying with established security policies and facilitating the correct implementation of the RBAC model.', null, null, null, null, null, null, null, null, null, 510, true, 320, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): Member Addition to a Security Local Group', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (580, 'This report collects the records of Windows log event 4657, which documents changes to the security settings of file and folder objects, especially those that contain Controlled Unclassified Information (CUI). Event 4657 is generated when a modification is made to the properties of an object, such as changes to access control lists (ACLs), the security property of a file or folder, or audit settings. This information is essential to verify compliance with CMMC''s Level 3 policy (AC.3.014), which requires controlling the flow of CUI and adequately protecting access points to this data.

The report includes key details such as the name of the modified object, the type of change made (for example, modifications to ACLs, access permissions, or security attributes), the identity of the user or process that made the modification, and the date and time the change occurred. The analysis of these events allows us to verify that the security configurations of the objects that contain CUI are adequately managed and that access to this data is correctly controlled, aligning with the security policies that protect sensitive information.', null, null, null, null, null, null, null, null, null, 510, true, 322, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.014): Registry Value Modification', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (585, 'This report collects the records of event 4697 from the Windows logs, which document the installation of new services on the system. Event 4697 is generated when a service is installed, providing key information about the user who performed the installation, the associated executable, and the privileges with which the service is running. This information is crucial to verify compliance with CMMC''s Level 3 (AC.3.014) Access Control and Authentication policy, which requires controlling the flow of CUI and adequately protecting access points to this sensitive data.

The report includes key details such as the name of the installed service, the identity of the user or process that performed the installation, the date and time of the installation, among others. The analysis of these events allows us to verify that only authorized users can install services in the environment, avoiding unauthorized access, the execution of malicious software and possible leaks of Controlled Unclassified Information (CUI), ensuring that security controls are aligned with the CMMC policies.
', null, null, null, null, null, null, null, null, null, 510, true, 305, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.014): Service Installed', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (587, 'This report collects the Windows log event 4771 logs, which document failed Kerberos authentication attempts on the system. Event 4771 is generated when a Kerberos authentication attempt cannot complete, which may indicate unauthorized access or an attempted access to protected resources, such as those containing Controlled Unclassified Information (CUI). This information is crucial to verify compliance with CMMC''s Level 3 (AC.3.014) Access Control and Authentication policy, which requires controlling the flow of CUI and adequately protecting access points to this sensitive data.

The report includes key details such as the identity of the user or system that attempted the failed authentication, the date and time of the attempt, the source of the access attempt (IP address or source computer), and the resource or service that was attempted to be accessed. . The analysis of these events is essential to identify and mitigate possible unauthorized access threats, ensuring that CUI access points are properly protected against attacks and non-legitimate access, in accordance with the security policies required by CMMC.', null, null, null, null, null, null, null, null, null, 510, true, 310, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.014): Kerberos pre-authentication failed', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (588, 'This report compiles the records of security alerts generated in the Windows logs, used to monitor access patterns and detect possible anomalies in the use of system resources. These alerts are triggered in response to significant security events, such as unauthorized access, suspicious modifications to critical files, or privilege escalation attempts. The collection and analysis of these alerts is essential to verify compliance with CMMC''s Level 4 Access Control and Authentication policy (AC.4.021), which requires the use of automated tools to monitor access patterns and detect unusual activities that may compromise the security of Controlled Unclassified Information (CUI).

The report includes key details such as:
-Events that caused the alert, providing context about the suspicious activity.
-Severity of the alert, indicating the level of associated risk.
-Status of the alert, specifying whether it is active, resolved or under investigation.
-Alert category, classifying the type of threat detected (for example, unauthorized access, permission changes, failed authentication attempts).
-Source of the event, identifying the system, user or process that generated the alert.
-Date and time of the event, allowing the activity to be correlated with other security events.

The analysis of these alerts allows us to detect anomalous access patterns, improve incident response capacity, and strengthen security controls in environments that handle CUI. By using automated tools for continuous access monitoring, this report helps ensure that access points and the flow of sensitive information are proactively protected, in alignment with CMMC Level 4 requirements.', null, null, null, null, null, null, null, null, null, 510, true, 248, 'TEMPLATE', null, null, 'Windows Level 4 (AC.4.021): Alerts', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (589, 'This report collects and analyzes the records of events 5140 and 5145 of the Windows logs, which monitor access to shared resources on the network, such as files and folders that may contain Controlled Unclassified Information (CUI).
Event 5140 is generated when a shared resource on the network is accessed by a user or process, providing key information about the established session and the users involved.
Event 5145 documents specific attempts to access files or folders within a share, indicating whether the action was allowed or denied and detailing the permissions used.
These events are critical to verify compliance with CMMC Level 3 policy AC.3.014, which requires controlling the flow of CUI and protecting access points to this sensitive data within the network infrastructure.

The report includes key details such as:
-Name of the accessed share.
-Identity of the user or process that performed the action.
-IP address or source computer from where the resource was accessed.
-Date and time of the access attempt', null, null, null, null, null, null, null, null, null, 510, true, 285, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.014): Network Access to shared resource', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (590, 'This report collects the records of event 4688 from the Windows logs, which document the creation of new processes in the system. Event 4688 is generated every time a process is started, providing key information about the execution of applications and commands, which allows detecting suspicious activities such as the execution of malware, the use of unauthorized tools or attempts to escalate privileges. This information is crucial to verify compliance with CMMC''s Level 5 (AC.5.025) Access Control and Authentication policy, which requires continuous monitoring of access through advanced behavioral analysis.

The report includes key details such as the name of the started process, the identity of the user or service account that ran the process, the path of the executable, the execution parameters, the identity of the parent process, among others. The analysis of these events allows us to detect anomalous behavior patterns, identify the use of unauthorized tools and strengthen security strategies through proactive detection of threats in real time. This report contributes to the early identification of attacks and the protection of systems that handle Controlled Unclassified Information (CUI), ensuring that security controls are aligned with CMMC Level 5 policies.
', null, null, null, null, null, null, null, null, null, 510, true, 284, 'TEMPLATE', null, null, 'Windows Level 5 (AC.5.025): Process Creation', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (592, 'This report collects the logs for Windows log events 6005 and 6006, which document the startup and shutdown of events from the system event log service (Event Log). Event 6005 is generated when the event log service starts, while event 6006 is generated when the event log service stops. These events provide key information about the state of the system and ensure that audit logs are being generated and maintained correctly. This information is crucial to verify compliance with CMMC''s Level 1 (AU.1.001) Audit and Monitoring policy, which requires audit logs to ensure security and monitoring of system activities.

The report includes key details such as the date and time in which the event registration service was started or stopped and information about the computer on which the event was registered, among others. Analyzing these events allows you to verify that the event logging service is working correctly and that audit logs have not been disabled or interrupted. This report is essential to ensure that system audit logs are being properly managed, supporting compliance with CMMC Level 1 requirements and allowing monitoring of system access and activities.', null, null, null, null, null, null, null, null, null, 511, true, 311, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Event Log Service', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (593, 'This report collects the Windows log event 1102 logs, which document the clearing of system security event logs. Event 1102 is generated when security event logs are cleared, providing key information about actions taken on the system to ensure the integrity and retention of audit logs. This information is crucial to verify compliance with CMMC''s Level 1 (AU.1.001) Auditing and Monitoring policy, which requires audit logs to be made and ensure that they are properly managed to protect the integrity of the information.

The report includes key details such as the date and time the event occurred, and the name of the computer on which the action was executed, information about the reasons behind the deletion (if available), and any related actions or previous events that led to the deletion of the records. These types of events should be monitored closely, as deletion of security event logs could indicate attempts to conceal unauthorized or malicious activity.

Analysis of these events ensures that security audit logs are not deleted without adequate justification, protecting the integrity of the logs and ensuring that security controls are aligned with CMMC Level 1 audit requirements. This report contributes to the identification of possible attempts to manipulate records and facilitates proper management of security events within the organization''s environment.', null, null, null, null, null, null, null, null, null, 511, true, 295, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Cleaned Event Log', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (595, 'This report collects the logs of event 4697 from the Windows logs, which document the installation of new services on the system. Event 4697 is generated when a service is installed, which may involve adding software or configuring processes that may have security implications. This information is crucial to verify compliance with CMMC''s Level 2 Audit and Monitoring policy (AU.2.042), which requires ensuring the collection of logs to detect and analyze security events, including the installation of services that may modify behavior. of the system or represent a security risk.

The report includes key details such as the name of the installed service, the identity of the user or process that performed the installation, the date and time of the installation, among others. The analysis of these events allows us to detect the unauthorized installation of services or software in the system, helping to identify possible attack vectors or changes that could compromise the security of the system. This report is essential to verify the correct collection of event logs related to the installation of services and ensure that all relevant events are properly audited, supporting compliance with the audit requirements established by CMMC Level 2.', null, null, null, null, null, null, null, null, null, 511, true, 305, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.042): Service Installed', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (596, 'This report collects the logs of event 4720 from the Windows logs, which document the creation of a new user account on the system. Event 4720 is generated when an administrator or authorized process creates a new user account on the system, providing detailed information about the user who performed the action and the details of the created account. This information is key to verify compliance with CMMC''s Level 2 Audit and Monitoring policy (AU.2.042), which requires guaranteeing the collection of logs to detect and analyze security events, including the creation of user accounts that can influence in system security.

The report includes details such as the identities of the created users, assigned roles, account creation dates and times, as well as the user or system that performed the action.
The analysis of these events makes it possible to monitor the creation of user accounts in the system, ensuring that only authorized people can add new accounts and that the process is properly recorded. This is essential to detect suspicious activities or the unauthorized creation of accounts that could be used to access sensitive information. This report is essential to meet CMMC Level 2 audit requirements, ensuring that all relevant events related to account creation are correctly monitored and analyzed.', null, null, null, null, null, null, null, null, null, 511, true, 267, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.042): User Accounts Created', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (597, 'This report collects the Windows log event 4724 logs, which document password reset attempts for user accounts on the system. Event 4724 is generated when a password reset attempt is made, either by an administrator or by the account user themselves, and provides key information about credential modification attempts. This information is crucial to verify compliance with CMMC''s Level 2 Auditing and Monitoring policy (AU.2.042), which requires ensuring the collection of logs to detect and analyze security events related to access and changes in credentials.

The report includes key details such as the identity of the user whose password was reset, the identity of the user or administrator who executed the action, the date and time of the event, among others. The analysis of these events allows us to detect unauthorized or undocumented attempts to modify credentials, providing an effective way to monitor access and activities related to user credentials. This report is essential for auditing password management processes, ensuring that appropriate controls are applied to protect access credentials and contributing to compliance with CMMC Level 2 security policies.', null, null, null, null, null, null, null, null, null, 511, true, 312, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.042): Password Reset Attempts', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (598, 'This report collects the logs for Windows log event 4726, which document the removal of a user account from the system. Event 4726 is generated when an administrator or authorized process deletes a user account, providing detailed information about the action taken, the user who performed the deletion, and the details of the deleted account. This information is crucial to verify compliance with CMMC''s Level 2 Auditing and Monitoring policy (AU.2.042), which requires ensuring the collection of logs to detect and analyze security events, including the deletion of user accounts that could be indicative of an attempt to conceal malicious activity or unauthorized access.

The report includes important details such as the identities of the deleted accounts, the date and time of deletion, and the user or system that executed the action.
Analysis of these events is important to monitor the deletion of user accounts, ensuring that accounts are not deleted without proper authorization and that all events are properly recorded. This report is essential to detect suspicious activities or attempts to delete user accounts that could be used for unauthorized access. Compliance with CMMC Level 2 auditing requirements is supported by ensuring that all actions related to account deletion are monitored and analyzed to maintain system security.', null, null, null, null, null, null, null, null, null, 511, true, 272, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.042): User Accounts Deleted', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (599, 'This report compiles and presents relevant information about UserLoggedIn events in Office 365 logs, with the objective of verifying compliance with CMMC practice AC.1.001. Its purpose is to ensure that access to systems is limited to authorized users only, allowing logins to be monitored and audited on the platform.

The report includes details such as the user''s identity, source IP address, geographic location, and the number of accesses they have had. This information is essential to detect unauthorized access, evaluate authentication patterns, and reinforce security controls to protect organizational data and resources.', null, null, null, null, null, null, null, null, null, 510, true, 261, 'TEMPLATE', null, null, 'Office 365 Level 1 (AC.1.001): Account Logon Success', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (600, 'This report collects and presents relevant information about UserLoginFailed events in Office 365 logs, with the objective of verifying compliance with CMMC practice AC.1.001. Its purpose is to ensure that access to the system is restricted to authorized users, and to detect failed login attempts, which could indicate unauthorized access attempts or brute force attacks.

The report includes details such as user identity, source IP address, geographic location. This information is crucial for identifying suspicious patterns, blocking unauthorized access, and enforcing authentication controls in the system, helping to protect sensitive data and corporate resources.', null, null, null, null, null, null, null, null, null, 510, true, 262, 'TEMPLATE', null, null, 'Office 365 Level 1 (AC.1.001): Account Logon Failure', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (602, 'This report compiles and presents relevant information about AddedToGroup events in Office 365 logs, with the objective of verifying compliance with CMMC practice AC.2.007. Its purpose is to ensure that role-based access controls (RBAC) are implemented correctly, ensuring that users are only added to groups according to their roles and responsibilities within the organization.

The report includes key details such as the user added to the group, the group that has been granted access, the account that performed the action, the time of the event, and any changes to access permissions. This information is crucial to ensuring that users have only the permissions necessary to perform their jobs and that the principle of least privilege is maintained, thereby minimizing the risks of unauthorized access to sensitive resources.', null, null, null, null, null, null, null, null, null, 510, true, 324, 'TEMPLATE', null, null, 'Office 365 Level 2 (AC.2.007): SharePoint Group Membership Additions', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (603, 'This report collects and presents relevant information about FileAccessed and FileAccessedExtended events in Office 365 logs, with the objective of verifying compliance with CMMC practice AC.3.014. The focus of the report is on controlling the flow of sensitive information (CUI) and protecting access points to sensitive files, ensuring that only authorized users can access critical data.

The report includes key details such as the file accessed, the user who accessed it, the time of the event, among others. This information is crucial for monitoring and auditing access to confidential information, identifying potential risks or unauthorized access, and ensuring that access controls are being correctly applied to protect sensitive data entry points within the organization.', null, null, null, null, null, null, null, null, null, 510, true, 325, 'TEMPLATE', null, null, 'Office 365 Level 3 (AC.3.014): File Accessed', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (604, 'This report collects and presents relevant information about SecurityRoleUpdated events in Office 365 logs, with the objective of verifying compliance with CMMC practice AC.2.007. The focus of the report is on ensuring that security role updates are managed appropriately, ensuring that users have access only to the resources necessary according to their role and responsibility within the organization.

The report includes essential details such as the user whose security role was modified, the account that performed the action, the time of the event, among others. This information is key to ensuring that role-based access controls (RBAC) are being properly implemented and maintained, which contributes to the protection of sensitive data and helps prevent unauthorized access to critical systems and resources.', null, null, null, null, null, null, null, null, null, 510, true, 326, 'TEMPLATE', null, null, 'Office 365 Level 2 (AC.2.007): Security Role Update', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (605, 'This report collects and presents relevant information about the AddedToSharingLink event in Office 365 logs, with the objective of verifying compliance with CMMC practice AC.3.014. The focus of the report is on controlling the flow of sensitive information (CUI) and protecting access points to shared resources, ensuring that the use of file sharing links is restricted and appropriately monitored.

The report includes key details such as the shared file or folder, users added to the sharing links, time of the event, access settings (for example, read-only or edit access), and security policies associated with the shared link. . This information is essential to ensure that only authorized users can access sensitive information through sharing links, minimizing the risk of unauthorized exposure and maintaining control over the flow of CUI in the organization.', null, null, null, null, null, null, null, null, null, 510, true, 327, 'TEMPLATE', null, null, 'Office 365 Level 3 (AC.3.014): Sharing Link Operation', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (606, 'This report collects and presents relevant information about the AddedToSecureLink event in Office 365 logs, with the objective of verifying compliance with CMMC practice AC.3.014. The report focuses on controlling the flow of sensitive information (CUI) and securing access points to shared resources securely, ensuring that secure links are used appropriately for access to sensitive data.

The report includes key details such as the users who have been added to the secure links, the time of the event, the type of file or share, among others. This information is crucial to ensure that access to the CUI is properly controlled, protecting the integrity of the shared data and ensuring that only authorized persons can access it through secure channels, in accordance with security and access control standards. required by CMMC.', null, null, null, null, null, null, null, null, null, 510, true, 328, 'TEMPLATE', null, null, 'Office 365 Level 3 (AC.3.014): Secure Link Operation', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (607, 'This report compiles and presents relevant information about the Add delegated permission granted event in Office 365 logs, with the objective of verifying compliance with CMMC practice AC.3.014. It focuses on controlling the flow of sensitive information (CUI) and protecting resource access points, ensuring that permission delegations are appropriately and securely assigned.

The report includes key details about the delegated permissions granted. This information is essential to ensure that CUI-sensitive access points are strictly controlled, allowing only authorized access through delegated permissions that are aligned with established security policies. In this way, access to sensitive data is protected and misuse of permissions is prevented, complying with CMMC access control and information flow requirements.', null, null, null, null, null, null, null, null, null, 510, true, 329, 'TEMPLATE', null, null, 'Office 365 Level 3 (AC.3.014): Delegated Permission Grant', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (608, 'This report gathers relevant information about the FileTranscriptContentAccessed event from Office 365 logs, with the goal of verifying compliance with CMMC practice AC.3.014. The focus is on controlling the flow of sensitive information, specifically as it relates to the transcribed contents of files, ensuring that access to CUI (Controlled Unclassified Information) is adequately monitored and protected.

The report includes details about the users who have accessed file transcripts, as well as the identifiers of the files involved. Additionally, the type of access performed (read, modify, etc.) and any relevant details about the security settings applied (for example, access policies, multi-factor authentication) are documented. This information is crucial to detect possible unauthorized or inappropriate access to CUI, ensuring that the flow of said information is controlled and protected, in accordance with the security standards established by CMMC.', null, null, null, null, null, null, null, null, null, 510, true, 330, 'TEMPLATE', null, null, 'Office 365 Level 3 (AC.3.014): File Access and Activity', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (609, 'This report compiles key information about the FileDownloaded event in Office 365 logs, with the goal of verifying compliance with CMMC practice AC.3.014. The main purpose is to monitor the flow of sensitive information and protect access points to CUI (Controlled Unclassified Information), ensuring that files with critical information are downloaded only by authorized users.

The report includes details about the users downloading files, the names and locations of the files involved, as well as the IP addresses from which the downloads were made. Additionally, security settings such as access controls and any suspicious or unauthorized activity related to file downloads are documented. This information is essential to detect and prevent improper access to CUI, ensuring compliance with the security standards established by CMMC to protect the integrity of critical information.', null, null, null, null, null, null, null, null, null, 510, true, 331, 'TEMPLATE', null, null, 'Office 365 Level 3 (AC.3.014): OneDrive File Download', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (610, 'This report compiles relevant information from Windows logs associated with Account Manipulation, Domain Policy Modification, Impair Defenses, and Account Access Removal alerts, which are key events for the detection and prevention of privilege escalation in the IT environment. This information is used to verify compliance with CMMC Level 4 control AC.4.028, which requires automation of privilege escalation detection.

Account Manipulation events include activities such as modifying user accounts, assigning roles and privileges, which may indicate attempts to gain elevated access in an unauthorized manner. Domain Policy Modification alerts reflect changes to domain policies that could allow privilege escalation at the network level, and Impair Defenses alerts detect modifications that affect security measures implemented to protect the system. Finally, Account Access Removal alerts record attempts to remove account access, which may be a sign of an attempt to cover the tracks of an attack.

Monitoring these events helps identify anomalous patterns or suspicious actions related to unauthorized elevation of privileges, which is crucial to preventing unauthorized access and potential security compromises. Automating the detection of these events ensures a faster and more accurate response to any attempted privilege escalation, minimizing the risk that an attacker can gain access to critical resources without being detected.

This report contributes significantly to compliance with AC.4.028 by providing a centralized, automated view of key events related to privilege escalation. By automating detection, you strengthen your organization''s security posture, enabling you to efficiently detect and mitigate privilege escalation attacks before they severely impact sensitive data and infrastructure.', null, null, null, null, null, null, null, null, null, 510, true, 244, 'TEMPLATE', null, null, 'AWS Level 4 (AC.4.021): Alerts', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (611, 'This report compiles relevant information from AWS logs related to activity by user and event type, providing visibility into actions taken on cloud infrastructure. This monitoring is essential to comply with CMMC Level 2 control AU.2.042, which requires ensuring the collection of logs for the detection and analysis of security events.

Activity logs by user and event in AWS include detailed information about actions performed on cloud services, such as logins, configuration modifications, permission changes, resource accesses, and other critical operations. These logs help identify suspicious activities, unauthorized access attempts, or configurations that could compromise the security of your environment.

By capturing and analyzing these events, organizations can detect anomalous patterns, correlate potentially malicious activities, and proactively respond to security incidents. Additionally, the retention and ongoing analysis of these logs is key to conducting forensic audits and ensuring compliance with established security policies.

This report facilitates compliance with CMMC Level 2 control AU.2.042 by ensuring the effective collection and monitoring of security events in AWS. In this way, incident response capacity is improved, the traceability of actions within the cloud environment is reinforced, and the integrity and security of the organization''s critical systems and data is guaranteed.', null, null, null, null, null, null, null, null, null, 511, true, 239, 'TEMPLATE', null, null, 'AWS Level 2 (AU.2.042): Activity By User and Event', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (612, 'This report compiles relevant information from AWS logs related to events in the cloud, providing visibility into the activity in the infrastructure and the services used. This monitoring is essential to comply with CMMC Level 2 control AU.2.042, which requires ensuring the collection of logs for the detection and analysis of security events.

Cloud logs include events generated by users and services within AWS, such as accesses, configuration modifications, permission changes, resource usage, and other critical activities. These logs, obtained through services such as AWS CloudTrail, AWS Config, AWS CloudWatch, and AWS Security Hub, allow organizations to track events and detect potential threats or unauthorized activity.

The analysis of these events contributes to strengthening the security of the environment by allowing the identification of anomalous patterns, the correlation of incidents and the performance of forensic audits. Additionally, it facilitates compliance with security regulations and standards by ensuring the traceability and availability of records for security investigations.

This report supports the implementation of effective monitoring controls in AWS, ensuring that logs are collected and used to detect and analyze security events, in compliance with CMMC Level 2 control AU.2.042.', null, null, null, null, null, null, null, null, null, 511, true, 227, 'TEMPLATE', null, null, 'AWS Level 2 (AU.2.042): Cloud', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (613, 'This report collects and analyzes key information about DescribeLogStreams events in AWS, for the purpose of verifying compliance with CMMC practice AU.2.042. Its objective is to ensure that the query and retrieval of log streams in AWS CloudWatch Logs are recorded and monitored for the detection and analysis of security events.

The report includes details such as the account involved, the identity of the user who made the request, and the source of the request. This information is essential to audit access to critical logs, detect unusual activities, and ensure proper log collection and analysis in the AWS environment.', null, null, null, null, null, null, null, null, null, 511, true, 332, 'TEMPLATE', null, null, 'AWS Level 2 (AU.2.042): DescribeLogStreams Logs', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (614, 'This report collects and analyzes key information about PutObject events in AWS, for the purpose of verifying compliance with CMMC practice AU.2.042. Its goal is to ensure that the creation and modification of objects in Amazon S3 are recorded and monitored for the detection and analysis of security events.

The report includes details such as the account involved, the destination bucket, the source IP address, and the source of the request. This information is essential to audit access and modifications to sensitive data, detect possible unauthorized activities, and ensure proper log collection and analysis in the AWS environment.', null, null, null, null, null, null, null, null, null, 511, true, 333, 'TEMPLATE', null, null, 'AWS Level 2 (AU.2.042): PutObject Logs', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (615, 'This report collects and analyzes relevant information about GetBucketAcl events in AWS, for the purpose of verifying compliance with CMMC practice AU.2.042. Its objective is to ensure that queries to the access control lists (ACLs) of Amazon S3 buckets are recorded and monitored to detect and analyze possible security events.

The report includes key details such as the account involved, the bucket queried, the identity of the user who made the request, the originating IP address, and the source of the request. This information is essential to audit attempts to access bucket permissions, identify possible unauthorized activities, and ensure proper log collection and analysis in the AWS environment.', null, null, null, null, null, null, null, null, null, 511, true, 334, 'TEMPLATE', null, null, 'AWS Level 2 (AU.2.042): GetBucketAcl Logs', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (616, 'This report collects and analyzes relevant information about DescribeLogGroups events in AWS, with the objective of verifying compliance with CMMC practice AU.2.042. Its purpose is to ensure that queries to log groups in Amazon CloudWatch Logs are recorded and monitored for the detection and analysis of security events.

The report includes key details such as the account involved, the user or service that made the request, the source IP address, the time of the event, and the source of the request. This information is essential to audit the access and display of log groups, identifying possible unauthorized activities and ensuring proper collection and monitoring of logs in the AWS environment.', null, null, null, null, null, null, null, null, null, 511, true, 335, 'TEMPLATE', null, null, 'AWS Level 2 (AU.2.042): DescribeLogGroups Logs', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (617, 'This report collects the logs for Windows log event 4733, which document the removal of a user from a security group on the system. This information is essential to verify compliance with CMMC''s Authentication and Access Control Policy Level 2 (AC.2.007), which requires the implementation of role-based access controls (RBAC).

The report includes key details such as the name of the security group from which the user was removed, the identity of the removed user, the account or system that performed the action, and the date and time of the modification. The analysis of these events ensures that actions to remove users from security groups are carried out in a controlled manner, ensuring that access to resources is appropriate and adheres to the principle of least privilege. This minimizes the risk of unauthorized access and ensures that access controls are managed according to the roles defined for each user, complying with CMMC security policies.', null, null, null, null, null, null, null, null, null, 510, true, 321, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): Local Security Group Member Removal', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (618, 'This report collects the Windows log event 5158 logs, which document attempts to establish incoming or outgoing network connections on the system. Event 5158 is generated when a Windows firewall allows or blocks a network connection based on configured security policies. This information is essential to verify compliance with CMMC''s Level 4 Audit and Monitoring policy (AU.4.053), which requires improving logging capabilities to support threat detection, allowing the identification of suspicious or unauthorized connections that may be indicative. of an attempted intrusion or malicious activity.

The report includes key details such as the name of the application that attempted to make the connection, and the action taken by the firewall (allow or block), among others. Analyzing these events can improve auditing capabilities and detect traffic patterns that could be indicative of advanced threats, such as unauthorized access attempts or lateral movements within the network. This report facilitates early detection of malicious activity, ensuring that network security policies are properly configured and that unauthorized connections are effectively blocked, aligning with CMMC Level 4 requirements for threat detection and security protection. critical infrastructure.', null, null, null, null, null, null, null, null, null, 511, true, 313, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Windows Connection blocked by Windows Firewall', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (619, 'This report collects event 4657 logs from the Windows logs, which document modifications to system security objects, such as files, folders, or registry keys. Event 4657 is generated when a significant change is made to the security attributes of an object, such as modifying access permissions or auditing settings for a resource. This information is crucial to verify compliance with CMMC''s Level 4 Audit and Monitoring policy (AU.4.053), which requires improving logging capabilities to support threat detection, allowing the identification and analysis of critical changes that may be related to malicious behavior or unauthorized activities.
The report includes key details such as the name of the modified object, the type of change made (for example, modifications to ACLs, access permissions, or security attributes), the identity of the user or process that made the modification , and the date and time the change occurred.
Analyzing these events can enhance logging capabilities to identify changes that could be indicative of an attempt to compromise system security or manipulate access to sensitive resources. This report facilitates early detection of threats related to unauthorized modification of security configuration and contributes to the visibility of security-relevant events, ensuring that access and audit controls are aligned with CMMC Level security requirements 4.', null, null, null, null, null, null, null, null, null, 511, true, 322, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Registry Value Modification', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (620, 'This report compiles relevant information from 5007 events (The auditing settings on object were changed) in Windows logs, with the objective of verifying compliance with CMMC Level 4 practice AU.4.053, which requires advanced logging capabilities for threat detection.

Event 5007 is generated when changes are made to system auditing settings, which may indicate attempts to disable or modify critical records in order to evade detection of malicious activity.

The analysis of the displayed data allows us to detect suspicious alterations in audit policies, identify possible attempts to conceal malicious activity and strengthen security controls.

Monitoring these events is essential to ensure the integrity of audit logs and improve the ability to detect and respond to advanced threats, ensuring the protection of critical systems within the organization.', null, null, null, null, null, null, null, null, null, 511, true, 287, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Changes to Defender settings', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (621, 'This report gathers relevant information from the Windows logs, specifically from Service Control Manager event 7030. This event is raised when a service attempts to start but fails due to a configuration or security restriction, preventing it from running interactively. The collection and analysis of these events is crucial to identify possible failures in service configuration, security problems related to access policies or operational restrictions. The report is aimed at supporting compliance with level 4 (AU.4.053) of the CMMC, by providing clear visibility on failures in attempts to start services, allowing better detection and response to possible threats or operational irregularities in the environment. .

This type of report helps meet monitoring and auditing requirements for critical events, contributing to the early detection of security problems and the optimization of control over the execution of services within the system.', null, null, null, null, null, null, null, null, null, 511, true, 323, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Service Control Manager Log Information', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (622, 'This report collects relevant information from the Windows logs, specifically from event 1100 related to the Event Logging Service Shut Down. This event is generated when the Windows Event Logging service stops unexpectedly or on a scheduled basis. Stopping the event log service can have significant implications on the system''s ability to audit, as it interrupts the collection of security logs and other important events.

Analysis of this event is crucial to ensure the continuity of audit logs in the system. In the context of the CMMC and compliance with level 5 (AU.5.055), the aim is to improve audit capabilities to detect advanced threats. The interruption of the event log service may be indicative of a technical or security problem, and monitoring it allows you to identify possible gaps in the audit system and react quickly.

This report helps ensure that the event logging service remains operational at all times, ensuring that log collection is not compromised and enabling timely response to security incidents.', null, null, null, null, null, null, null, null, null, 511, true, 314, 'TEMPLATE', null, null, 'Windows Level 5 (AU.5.055): Event Logging Service Shut Down', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (623, 'This report compiles relevant information from the Windows logs related to event 4689, which is generated when a process is terminated on the system. This event provides details about processes that are started and terminated, which is essential for monitoring application behavior and detecting anomalous or potentially malicious behavior, such as unauthorized processes or processes that terminate abruptly.

The analysis of this event in the context of the CMMC and specifically for Level 5 compliance (AU.5.055) aims to improve audit capabilities, facilitating early detection of advanced threats. The information collected from event 4689 allows you to track the processes that are running on the system, which is a critical step in identifying possible suspicious activities or signs of an intrusion.

The collection of these logs ensures that the relevant processes are audited in depth, contributing to greater visibility on the actions carried out on the systems and improving the ability to respond to security incidents.', null, null, null, null, null, null, null, null, null, 511, true, 302, 'TEMPLATE', null, null, 'Windows Level 5 (AU.5.055): Process Termination', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (625, 'This report analyzes event 5379 in the Windows logs, which refers to smart card authentication attempts. Monitoring this event is key in detecting Credential Access, a technique commonly used by attackers to gain unauthorized access to systems through theft or spoofing of credentials.

In this specific case, events 5379 indicate when a smart card authentication attempt has occurred, whether successful or failed. Attackers can use techniques such as stealing smart cards or misusing credentials associated with smart cards to gain access to protected systems and networks. Detecting these authentication attempts is essential to prevent the exploitation of stolen or compromised credentials.

This event is part of the advanced auditing capabilities required in compliance with the CMMC (Cybersecurity Maturity Model Certification), in particular for Level 5 (AU.5.055), which seeks to improve auditing capabilities to detect advanced threats. Proactively monitoring these events can identify suspicious access and block Credential Access attempts, protecting the integrity of credentials and critical systems.', null, null, null, null, null, null, null, null, null, 511, true, 315, 'TEMPLATE', null, null, 'Windows Level 5 (AU.5.055): Credential Access', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (626, 'This report collects Windows log event 4732 logs, which document attempts to add users to system security groups. Event 4732 is generated when a user or process is added to a security group, providing information about the group to which it was added, the identity of the user who made the modification, and the details of the security group to which the user was added. added. This information is crucial to verify compliance with CMMC''s Level 5 Auditing and Monitoring policy (AU.5.055), which requires improving auditing capabilities for advanced threat detection, allowing for the identification of possible changes in the privileges of users who may be related to privilege escalation or unauthorized activities.
The report includes key details such as the name of the security group to which the user was added, the identity of the added user, the account or system that performed the action, among others.
Analyzing these events can improve auditing capabilities to detect unusual patterns or anomalous behavior related to changes in user privileges and access to sensitive resources. This report contributes to advanced threat detection by identifying changes to security groups that could be indicative of a privilege escalation attempt or security breach. Ensures auditing of security configurations is aligned with CMMC Level 5 security controls, ensuring adequate visibility for early detection of advanced threats.', null, null, null, null, null, null, null, null, null, 511, true, 320, 'TEMPLATE', null, null, 'Windows Level 5 (AU.5.055): Member Addition to a Security Local Group', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (627, 'This report collects the records of event 4688 from the Windows logs, which document the creation of new processes in the system. Event 4688 is generated every time a process is started, providing key information about the execution of applications and commands, which allows detecting suspicious activities such as the execution of malware, the use of unauthorized tools or attempts to escalate privileges. This information is crucial to verify compliance with CMMC''s Level 2 (AU.2.042) Access Control and Authentication policy, which requires continuous monitoring of access through advanced behavioral analysis.

The report includes key details such as the name of the started process, the identity of the user or service account that ran the process, the path of the executable, the execution parameters, the identity of the parent process, among others. The analysis of these events allows us to detect anomalous behavior patterns, identify the use of unauthorized tools and strengthen security strategies through proactive detection of threats in real time. This report contributes to the early identification of attacks and the protection of systems that handle Controlled Unclassified Information (CUI), ensuring that security controls are aligned with CMMC Level 5 policies.', null, null, null, null, null, null, null, null, null, 511, true, 284, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.042): Process Creation', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (628, 'This report collects key information from event 4732 in the Windows logs, which is generated when a user is added to a security group. Including this event in security monitoring is essential for tracking changes in group membership, especially those that provide access to critical resources or elevated privileges.

Within the framework of CMMC Level 2 (SI.2.212) compliance, real-time monitoring of events such as 4732 is a crucial measure to ensure that only authorized users have access to the organization''s sensitive resources. This event is an early alert for the detection of changes to user permissions, which may involve unauthorized elevation of privileges or unplanned access to critical systems.

The report provides visibility into who, when and why a user was added to a security group, which is critical for access control and detecting potential threats or security breaches. Ensuring these events are appropriately monitored helps maintain a robust security environment and prevent improper access, in compliance with CMMC continuous monitoring requirements.', null, null, null, null, null, null, null, null, null, 503, true, 320, 'TEMPLATE', null, null, 'Windows Level 2 (SI.2.212): Member Addition to a Security Local Group', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (629, 'This report collects information relevant to event 4657 in the Windows logs, which is generated when a system object, either a file or a registry key, is modified. This event is crucial for real-time monitoring of activities that could involve changes to security settings or critical files of the organization.

In the context of Level 2 (SI.2.212) of the CMMC, monitoring events such as 4657 is essential to detect and prevent unauthorized activities that may compromise the integrity of systems or allow the execution of malicious actions. This event provides visibility into changes made to important objects, allowing you to identify unplanned or unusual modifications to the environment, such as alteration of sensitive files or system configurations.

The report helps ensure that all critical modifications are detected and analyzed in real time, allowing early intervention in the event of potential security incidents. Additionally, it ensures that a detailed record is maintained of activities that may have an impact on security, aligning with the continuous monitoring requirements and the improvement of audit capabilities that are fundamental in CMMC compliance.', null, null, null, null, null, null, null, null, null, 503, true, 322, 'TEMPLATE', null, null, 'Windows Level 2 (SI.2.212): Registry Value Modification', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (630, 'This report is based on the Windows logs for event 4733, which is generated when a user is removed from a security group. This type of event is critical for monitoring access to sensitive systems, since changes in security group membership can be indicative of an attempted lateral movement or an internal attack that seeks to escalate privileges or modify access controls. unauthorized manner.

In the context of CMMC Level 4 (SI.4.220): Monitor for malicious behavior across the organization, event 4733 is relevant to identifying activities that may be associated with malicious modifications to user privileges or group settings that manage critical permissions. These changes may be indicative of suspicious activity, such as an attacker attempting to gain access to restricted resources or making an alteration to user permissions in order to facilitate unauthorized access.

Monitoring this event, especially when unauthorized deletions or modifications are detected in high-privilege groups (such as system administrators or sensitive data access groups), allows the organization to proactively respond to malicious behavior before it can compromise network security or critical systems.

This report provides visibility into changes in security groups, enabling early detection of anomalous behavior and improving the organization''s ability to prevent and mitigate potential internal attacks or external intrusions.', null, null, null, null, null, null, null, null, null, 503, true, 321, 'TEMPLATE', null, null, 'Windows Level 4 (SI.4.220): Local Security Group Member Removal', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (631, 'This report gathers relevant information from the Windows logs generated by event 4732, which is triggered when a user is added to a security group. This event is key to comply with CMMC control AU.2.043, which establishes the need to review logs and correlate events to detect inappropriate activities.

Analysis of event 4732 can identify changes in security group membership, which may reflect unauthorized or anomalous activity, such as elevation of a user''s privileges or incorrect assignment of access. By correlating this event with other system logs, patterns can be identified that indicate potential security incidents, such as improper acquisition of permissions or unauthorized access to sensitive resources.

This report contributes to compliance with CMMC regulations by facilitating the review of changes in security configurations and helping to detect possible inappropriate behavior, which improves the ability to respond to possible threats to the integrity and confidentiality of the systems.', null, null, null, null, null, null, null, null, null, 504, true, 320, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.043): Member Addition to a Security Local Group', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (632, 'This report collects relevant information from the Windows logs generated by event 4733, which is triggered when a user is removed from a security group. This event is crucial to comply with CMMC control AU.2.043, which requires log review and correlation of events to detect inappropriate activities.

Analysis of this event allows us to identify when a user is removed from a security group, which could indicate changes in access privileges, either for legitimate reasons or due to possible malicious activity. Correlating this event with other system logs helps detect unusual patterns that could signal attempted privilege escalation or lateral movements within the network, helping to identify activities that could compromise system security.

This report contributes to compliance with CMMC regulations by providing visibility into changes in access configurations and helping to identify anomalous behavior that may be indicative of inappropriate actions.', null, null, null, null, null, null, null, null, null, 504, true, 321, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.043): Local Security Group Member Removal', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1013, 'This report collects relevant information from the FileAccessed event logs in Office 365, with the purpose of verifying compliance with CMMC Level 2 (AU.2.043) control. The control establishes the need to review logs and correlate events to identify inappropriate activities that may indicate potential risks to information security, particularly those affecting the integrity of sensitive files and data.

FileAccessed event logs provide details on file access and modification in Office 365, allowing you to detect unusual or unauthorized behavior, such as access to sensitive documents outside established patterns or by unauthorized users. This report allows you to perform a comprehensive review of files accessed by users, including information about the documents, the applications used, the dates and times of access, as well as the IP address of the devices.

By correlating these events with other security activities on the platform, the report makes it easier to detect inappropriate access or suspicious patterns of behavior, which is crucial to preventing information leaks, unauthorized manipulation, or misuse of files.

Analysis of these logs provides a solid foundation for conducting effective security audits, responding quickly to incidents, and improving critical data access management practices. By reviewing and correlating these events, the organization can ensure that only the appropriate users have access to relevant documents and that any activity that does not comply with security policies is identified in a timely manner.', null, null, null, null, null, null, null, null, null, 504, true, 325, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.043): File Accessed', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1014, 'This report collects relevant information from the FileDeleted event logs in Office 365, with the aim of verifying compliance with CMMC Level 2 control (AU.2.043). This control establishes the need to review and correlate logs to detect inappropriate activities that may put data integrity and information security at risk, especially when it comes to sensitive or confidential files.

FileDeleted event logs provide details about file deletion within Office 365, which is essential for identifying unauthorized or suspicious deletions, such as access to high-risk files by unauthorized users or deletions outside of normal operating patterns.

By correlating these events with other activity logs on the platform, the report makes it easier to detect potential security incidents, such as malicious data manipulation or attempts to delete critical information without justification. It also allows for accurate tracking and auditing of actions performed on files, ensuring that any unauthorized or policy-infringed deletion is identified early.

This analysis is essential to ensure data protection and facilitate rapid responses to any incidents related to inappropriate file deletion, which contributes to compliance with security regulations and preserving the integrity of information stored in Office 365.', null, null, null, null, null, null, null, null, null, 504, true, 394, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.043): File Deleted', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1015, 'This report collects relevant information from the SharingSet event logs in Office 365, with the objective of verifying compliance with the CMMC Level 2 control (AU.2.043). This control establishes the need to review and correlate the logs to detect inappropriate activities that may compromise data security, especially when it comes to sensitive or controlled information within the organization.

The SharingSet event logs provide details about the permission settings and the assignment of access to share files and documents within Office 365, including SharePoint and OneDrive, which allows identifying incorrect or inappropriate configurations that may expose sensitive data in an unauthorized manner.

The analysis of these logs is crucial to detect suspicious activities, such as the assignment of access permissions to unauthorized users or changes in permissions that are not aligned with the organization''s security policies. In addition, it allows the identification of anomalous patterns of behavior related to information sharing, such as unexpected or external access to documents that should be restricted.

By correlating these events with other user activity and system access logs, the report helps detect possible security incidents, such as information leaks or malicious access, which could put data confidentiality at risk. In this way, the report facilitates the early identification of risks, ensures compliance with regulations and improves the response to inappropriate activities, guaranteeing the protection of information assets in Office 365.', null, null, null, null, null, null, null, null, null, 504, true, 395, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.043): Sharing Set', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1018, 'This report collects relevant information from the FileSyncDownloadedFull event logs in Office 365, in order to verify compliance with CMMC Level 4 (AU.4.054) control, which requires the implementation of advanced event correlation to detect evolving threats. The FileSyncDownloadedFull event is generated when a file is fully synchronized through OneDrive or SharePoint, implying a highly relevant file transfer or access to information that could be associated with CUI (Controlled Unclassified Information).

The analysis of this event is crucial to detect unusual patterns in the download of sensitive files, such as those related to mass synchronization of important documents or unauthorized access to files that should be restricted. Through advanced event correlation, this report allows you to identify whether file download activity is linked to other suspicious behavior, such as logins from unusual locations, simultaneous access attempts, or changes in security settings.

Implementing advanced event correlation techniques enables the detection of evolving threats, such as data exfiltration attacks or lateral movement within the network. An example of this type of threat could be an attacker who first accesses a file and then synchronizes it to transfer it to an unauthorized location, all while hiding their actions by executing multiple events at different points in the system.

This report provides a detailed and correlated view of file synchronization activities within the Office 365 infrastructure, making it easier to identify advanced persistent threats (APTs) that may have evaded traditional detection methods. Through this advanced correlation, security teams can quickly respond to incidents, mitigating risks and ensuring that critical files are not compromised or transferred inappropriately.

In short, the report contributes to continuous monitoring and proactive detection of complex threats that affect information integrity, which is essential to prevent data l', null, null, null, null, null, null, null, null, null, 504, true, 396, 'TEMPLATE', null, null, 'Office 365 Level 4 (AU.4.054): File Synchronization', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1125, 'This report compiles relevant information from the 1102 event (Audit log was deleted) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 4.1.1. This requirement establishes that all security policies and operating procedures related to the protection of cardholder data during transmission over open and public networks must be documented, up-to-date, in use, and known to all affected parties.

Event 1102 is critical because it indicates the deletion of the audit log, which could compromise the ability to monitor and detect unauthorized access, changes to security settings, or attempts to circumvent data protection controls. Reviewing this event allows for assessing whether security procedures are being followed and whether the integrity of the audit logs is being maintained, ensuring that data protection policies are implemented and operational in compliance with PCI DSS.

Analyzing these events helps identify potential security breaches and verify that the organization has adequate mechanisms for managing, updating, and enforcing cardholder data protection policies.', null, null, null, null, null, null, null, null, null, 803, true, 295, 'TEMPLATE', null, null, 'Windows Cleaned Event Log', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1017, 'This report collects relevant information from the Add-MailboxPermission event logs in Office 365, in order to verify compliance with CMMC Level 3 (AU.3.045) control, which requires correlating security events to identify suspicious behavior. The Add-MailboxPermission event records actions related to the assignment of permissions to mailboxes in Exchange, including details about which permissions were granted to which users and on which mailboxes.

The information contained in this event is critical for monitoring permission assignment, as unauthorized changes to mailbox permissions can indicate unusual behavior, such as privilege escalation or improper access to sensitive data. This report helps identify which users have been granted additional access to mailboxes, whether the access was appropriate and authorized, or whether it is a suspicious change that could be indicative of an insider threat or compromise attempt.

Correlating these logs with other related events, such as access to sensitive files or changes to mailbox security settings, makes it easier to detect unusual patterns that could indicate malicious or unauthorized activity. This correlation of events also helps to identify potential fraudulent behavior, such as assigning permissions to unauthorized users to gain access to sensitive or controlled information.

This report contributes to the early identification of potential threats and the implementation of preventive measures, which reinforces the overall security of the system and ensures that mailbox permissions are properly managed, avoiding risks of improper access or loss of critical data.', null, null, null, null, null, null, null, null, null, 504, true, 397, 'TEMPLATE', null, null, 'Office 365 Level 3 (AU.3.045): Mailbox Permission Assigning', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1016, 'This report collects relevant information from the FileRenamed event logs in Office 365, with the aim of verifying compliance with CMMC Level 2 control (AU.2.043). This control establishes the need to review and correlate logs to detect inappropriate activities that may compromise data security and the integrity of files stored in the organization.

The FileRenamed event provides details about the name changes made to files within SharePoint and OneDrive. This information is crucial to identify suspicious actions, such as unauthorized changes to sensitive documents, which could be an indication of tampering or unauthorized access.

By reviewing these logs and correlating them with other events related to file access and permissions, the report can detect inappropriate behavior, such as the modification of critical file names without proper justification or the renaming of documents related to confidential or controlled information. This analysis helps identify anomalous behavior patterns, such as unauthorized users renaming files in order to evade monitoring or manipulate information.

This report helps improve visibility of file changes and facilitates early detection of security incidents, helping to mitigate risks related to improper access and manipulation of information. By correlating this event with other relevant logs, compliance with the organization''s security policies is ensured, guaranteeing that files are not altered or renamed inappropriately.', null, null, null, null, null, null, null, null, null, 504, true, 398, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.043): File Renamed', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1126, 'This report compiles relevant information from the 4732 events (A user was added to a security group) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 4.1.2. This requirement establishes that roles and responsibilities for implementing security controls in the transmission of cardholder data must be documented, assigned, and understood by the involved parties.

Event 4732 is crucial for auditing access management to security groups, as it verifies the correct assignment of privileges to users responsible for applying cryptographic measures and other security controls in the transmission of sensitive data. Proper monitoring of this event facilitates the detection of improper assignments or unauthorized changes to the structure of roles and responsibilities.

This analysis assesses whether the assignment of roles in the security infrastructure is aligned with documented policies and whether access is controlled in accordance with operational and PCI DSS compliance requirements.', null, null, null, null, null, null, null, null, null, 803, true, 320, 'TEMPLATE', null, null, 'Windows Member Addition to a Security Local Group', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1072, 'This report collects 4732 events generated by the Windows system, which record the addition of users to security groups. Analyzing these events is essential for verifying compliance with PCI DSS Requirements, ensuring that roles and responsibilities for managing access to resources and privileges within the infrastructure are clearly documented, assigned, and understood. 
Additionally, this report provides visibility into the assignment of users to security groups, ensuring that access and permissions are granted according to defined security policies and procedures, and that activities are performed by the appropriate people.', null, null, null, null, null, null, null, null, null, 807, true, 320, 'TEMPLATE', null, null, 'Windows Member Addition to a Security Local Group', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (995, 'This report compiles and presents key information from the Windows Event 15 logs, which reflects the reorganization of system registry hives, a process related to disk space management. Data from these events is crucial for identifying potential performance issues or hard drive failures that could impact system stability. This information is essential to monitor and ensure disaster recovery and business continuity, meeting CMMC requirements. 
Analysis of these events allows you to detect storage-related anomalies and prevent interruptions in critical system services.', null, null, null, null, null, null, null, null, null, 517, true, 392, 'TEMPLATE', null, null, 'Windows Possible Disk Errors', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (999, 'This report provides a detailed analysis of login events (UserLoggedIn) in the O365 environment with the goal of verifying compliance with CMMC Level 1 control AU.1.001, which requires the implementation of audit logs

The report collects key information about user accesses, which allows validating that login events are being properly logged, providing visibility into access activity in the organization

The purpose of this monitoring is to ensure that all logins are properly audited, detect failed or unusual access attempts that may indicate potential threats, and provide evidence for security review and access auditing in the organization

This report serves as an essential tool for CMMC Level 1 compliance by ensuring that the organization maintains a reliable and verifiable record of access to its O365 environment, contributing to the protection of information and the detection of suspicious activities.', null, null, null, null, null, null, null, null, null, 511, true, 265, 'TEMPLATE', null, null, 'Office 365 Level 1 (AU.1.001): Account Logon Success', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1006, 'This report collects and analyzes UserLoggedIn event logs in Office 365 to verify compliance with CMMC Level 1 (SI.1.210), which requires the identification and correction of security breaches in a timely manner.

Monitoring logins allows you to detect potential unauthorized access, connection attempts from unusual locations or devices, and anomalous activities that may indicate security risks. By centralizing these events, the report facilitates the evaluation of user behavior, helping to identify suspicious patterns or potential vulnerabilities in the authentication infrastructure.

In addition, this analysis contributes to the implementation of timely corrective measures, ensuring a rapid response to security incidents and strengthening platform access controls.', null, null, null, null, null, null, null, null, null, 503, true, 261, 'TEMPLATE', null, null, 'Office 365 Level 1 (SI.1.210): Account Logon Success', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1022, 'This report collects and analyzes UserLoginFailed events in Office 365 to assess compliance with CMMC Level 2 requirement AU.2.044, which requires audit logs to be reviewed for inappropriate behavior.

Monitoring these events helps identify patterns of failed authentication attempts that could indicate suspicious activity, such as brute force attacks, compromised credentials, or attempts to log in from unauthorized locations or devices. Detecting anomalous behavior in login attempts helps prevent unauthorized access and facilitates corrective action to mitigate security risks.

The information obtained in this report is key to strengthening user behavior monitoring within Office 365, ensuring an effective response to potential threats and ensuring compliance with the audit practices established in CMMC Level 2.', null, null, null, null, null, null, null, null, null, 501, true, 262, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.044): Account Logon Failure', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1021, 'This report collects and analyzes UserLoggedIn events in Office 365 to assess compliance with CMMC Level 2 requirement AU.2.044, which requires audit logs to be reviewed for inappropriate behavior.

Monitoring these events helps identify unusual access patterns, such as logins from unexpected geographic locations, unauthorized devices, or attempts to access sensitive resources outside of normal business hours. By analyzing these activities, it is possible to detect potential improper access, compromised credentials, or suspicious behavior that may indicate internal or external threats.

The information obtained in this report is key to strengthening user behavior monitoring within Office 365, facilitating early detection of security incidents and ensuring compliance with the audit practices established in CMMC Level 2.', null, null, null, null, null, null, null, null, null, 501, true, 261, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.044): Account Logon Success', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (939, 'This report consolidates relevant information from the alert logs that have generated security incidents, providing visibility on critical events and their management. Its objective is to demonstrate compliance with CMMC''s Level 1 requirement (IR.1.002), ensuring that a basic incident response capability is in place. 
It includes key details about the alerts and incidents created, allowing you to evaluate the effectiveness of the process and ensure adequate detection and management of threats.', null, null, null, null, null, null, null, null, null, 512, true, 364, 'TEMPLATE', null, null, 'Level 1 (IR.1.002): Incidents Generated from Alerts', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1024, 'This report collects relevant information from the FileSyncDownloadedFull event logs in Office 365, providing a detailed view of completed file downloads performed through OneDrive and SharePoint synchronization. Its purpose is to support CMMC Level 1 (AU.1.001) compliance, which requires capturing audit logs for basic security events.

The report allows you to identify which users have downloaded files, from which location, and at what time, making it easier to monitor data access and movement within the corporate environment. Capturing these events enables the ability to track the flow of information and detect potential unauthorized activities or file management anomalies.

Additionally, this report can serve as a reference tool to assess usage patterns, strengthen data security, and comply with regulatory requirements related to auditing and retention of security event logs.', null, null, null, null, null, null, null, null, null, 513, true, 261, 'TEMPLATE', null, null, 'Office 365 Level 1 (AU.1.001): Account Logon Success', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1034, 'This report gathers key information from UserLoggedIn events in Office 365, recording login attempts within the organization''s environment. The information contained in this report supports compliance with CMMC Level 1 requirement AU.1.001, ensuring that essential audit logs are captured and retained for review and analysis.

Monitoring these events helps identify successful and failed accesses, logged in users, source IP addresses, devices used, and geographic locations. This is critical for detecting unauthorized access, auditing user activity, and reinforcing the organization''s security through regular reviews of authentication logs.', null, null, null, null, null, null, null, null, null, 505, true, 261, 'TEMPLATE', null, null, 'Office 365 Level 1 (AU.1.001): Account Logon Success', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (668, 'This report collects and analyzes security events identified by ID 4720 on Windows systems. Event 4720 records the creation of new user accounts, providing relevant information about when, where, and by whom these accounts were created. These events are essential for verifying compliance with the HITRUST CSF 01.v requirement, which mandates the logging of key system activities. 
This report facilitates the identification and auditing of account creation, ensuring that all changes to the user directory are properly monitored and logged to maintain system integrity and security.', null, null, null, null, null, null, null, null, null, 601, true, 267, 'TEMPLATE', null, null, 'Windows User Accounts Created', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (633, 'This report compiles relevant information from the Windows logs generated by event 4663, which is triggered when an object or file is accessed or modified in the system. This event is essential to comply with CMMC control AU.2.043, which requires log review and correlation of events to detect inappropriate or malicious activities.

Event 4663 provides details about access to critical files and objects, allowing you to monitor changes or unauthorized access to sensitive data. By correlating this event with other system activity logs, patterns can be identified that suggest attempts at manipulation or misuse of information, contributing to the detection of unusual activities that may compromise the security of the organization.

This report helps detect suspicious events related to access to confidential files and the modification of important data, allowing preventive measures to be taken against possible internal or external attacks. Additionally, it facilitates compliance with CMMC regulations by ensuring that events that may indicate inappropriate activities are appropriately reviewed and correlated.', null, null, null, null, null, null, null, null, null, 504, true, 277, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.043): Access to critical files or specific directories', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (634, 'This report consolidates relevant information from successful logon events (Event ID 4624) logged on Windows systems, with the goal of verifying compliance with HIPAA 164.312(a)(1). This requirement mandates the implementation of technical policies to ensure that electronic systems maintaining ePHI (Electronic Protected Health Information) allow access only to authorized individuals. 
The report provides a detailed analysis of successful authentications, including user accounts, access source, and authentication methods used, to facilitate the identification of potential unauthorized access and reinforce secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 265, 'TEMPLATE', null, null, 'Windows Account Logon Success', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (635, 'This report collects and analyzes security events identified by ID 4625 on Windows systems. Event 4625 records failed login attempts, providing relevant information for verifying compliance with HIPAA requirement 164.312(a)(1). This requirement establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that store or process ePHI (Electronic Protected Health Information). 
This report facilitates the identification of unauthorized access attempts and contributes to the implementation and monitoring of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 266, 'TEMPLATE', null, null, 'Windows Account Logon Failure', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (637, 'This report collects and analyzes security events identified by ID 4720 on Windows systems. Event 4720 records the creation of new user accounts, providing relevant information for verifying compliance with HIPAA requirement 164.312(a)(1). This requirement establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that store or process ePHI (Electronic Protected Health Information). 
This report facilitates the identification and monitoring of user account creation, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 267, 'TEMPLATE', null, null, 'Windows User Accounts Created', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (639, 'This report collects and analyzes security events identified by ID 4726 on Windows systems. Event 4726 records user account deletions, providing relevant information for verifying compliance with HIPAA requirement 164.312(a)(1). This requirement establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that store or process ePHI (Electronic Protected Health Information). 
This report facilitates the identification and monitoring of user account deletions, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 272, 'TEMPLATE', null, null, 'Windows User Accounts Deleted', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (644, 'This report collects and analyzes security events identified by ID 4670 on Windows systems. Event 4670 records changes to security permissions for system objects, providing relevant information for verifying compliance with HIPAA requirement 164.312(a)(1). This requirement establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that store or process ePHI (Electronic Protected Health Information). 
This report facilitates the identification and monitoring of changes in access permissions to system resources, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 274, 'TEMPLATE', null, null, 'Windows Protected Object Permission Change', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (645, 'This report collects and analyzes security events identified by ID 4672 on Windows systems. Event 4672 records the assignment of special privileges to accounts during logon, providing relevant information for verifying compliance with HIPAA requirement 164.312(a)(1). This requirement establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that store or process ePHI (Electronic Protected Health Information). 
This report facilitates the identification of privileged access and contributes to the implementation and monitoring of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 278, 'TEMPLATE', null, null, 'Windows Special privileges assigned to new logon', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (646, 'This report collects and analyzes security events identified by ID 4732 on Windows systems. Event 4732 records the addition of a user to a local security group, providing relevant information for verifying compliance with the HITRUST CSF 01.p requirement, which establishes that access to log data and monitoring systems must be controlled. 
This report facilitates the identification and monitoring of changes in security group membership, especially those with access privileges to monitoring systems and log data, contributing to appropriate access control and the implementation of effective security policies.', null, null, null, null, null, null, null, null, null, 602, true, 320, 'TEMPLATE', null, null, 'Windows Member Addition to a Security Local Group', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (647, 'This report collects and analyzes security events identified by ID 7036 on Windows systems. Event 7036 records changes in the status of system services (starting or stopping), providing relevant information for verifying compliance with the HITRUST CSF 01.p requirement, which establishes that access to registry data and monitoring systems must be controlled. 
This report facilitates the identification and monitoring of modifications to critical services, contributing to adequate access control and the implementation of secure monitoring policies.', null, null, null, null, null, null, null, null, null, 602, true, 321, 'TEMPLATE', null, null, 'Windows Local Security Group Member Removal', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (649, 'This report collects and analyzes security events identified by ID 4657 on Windows systems. Event 4657 records changes to a system''s security objects, providing relevant information about modifications to the permission settings or attributes of objects that store or process ePHI (Electronic Protected Health Information). This event is key to verifying compliance with HIPAA requirement 164.312(a)(1), which establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that maintain ePHI. 
This report facilitates the identification and monitoring of changes in access permissions, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 322, 'TEMPLATE', null, null, 'Windows Registry Value Modification', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (651, 'This report collects and analyzes security events identified by ID 5145 on Windows systems. Event 5145 records detailed access to files and folders within network shares, providing relevant information on attempts to read, write, modify, or delete data that may contain ePHI (Electronic Protected Health Information). This event is essential for verifying compliance with HIPAA requirement 164.312(a)(1), which establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that maintain ePHI. 
This report facilitates the identification and monitoring of access to sensitive files, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 275, 'TEMPLATE', null, null, 'Windows Access to shared resource', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (652, 'This report collects and analyzes security events identified by IDs 5140 and 5145 on Windows systems. Event 5140 records access to network shares, while event 5145 provides specific details about access to files and folders within those shares. Both events provide relevant information for verifying compliance with HIPAA requirement 164.312(a)(1), which establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that maintain ePHI (Electronic Protected Health Information). 
This report facilitates the identification and monitoring of access to shared resources, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 285, 'TEMPLATE', null, null, 'Windows Network Access to shared resource', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (654, 'This report collects and analyzes security events identified by ID 4663 on Windows systems. Event 4663 records access to security objects, providing relevant information about the reading, writing, or deletion of protected files or resources within a system containing ePHI (Electronic Protected Health Information). This event is essential for verifying compliance with HIPAA requirement 164.312(a)(1), which establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that maintain ePHI. 
This report facilitates the identification and monitoring of access to sensitive resources, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 277, 'TEMPLATE', null, null, 'Windows Access to critical files or specific directories', '');
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (655, 'This report collects and analyzes security events identified with ID 4624 on Windows systems. Event 4624 records successful logons, providing relevant information essential for verifying compliance with the HITRUST CSF 01.v requirement, which mandates the logging of key system activities. 
This report facilitates the identification and auditing of authorized access, ensuring that critical logon activities are properly monitored and logged to maintain security and compliance with controlled access policies.', null, null, null, null, null, null, null, null, null, 601, true, 265, 'TEMPLATE', null, null, 'Windows Account Logon Success', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1097, 'This report gathers relevant information from 4720 events generated in Windows logs, which correspond to the creation of new user accounts in the system. Event 4720 is useful for verifying compliance with PCI DSS requirement 2.1.1, which establishes that all security-related operational policies and procedures must be documented, up-to-date, in use, and known to all affected parties.

Event 4720 allows for auditing the creation of new accounts, which is important to ensure that user management procedures, which are part of security policies, are being implemented in accordance with established standards. Furthermore, the correct assignment and awareness of these policies by affected parties can be verified by registering new accounts, especially if they are linked to activities related to the implementation and maintenance of these security policies.

This report ensures that access control and identity management are implemented in accordance with documented, updated, and approved security procedures, helping to ensure the protection of sensitive data and compliance with PCI DSS requirements.', null, null, null, null, null, null, null, null, null, 801, true, 267, 'TEMPLATE', null, null, 'Windows User Accounts Created', '');
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (657, 'This report collects and analyzes security events identified with ID 4625 on Windows systems. Event 4625 records failed logon attempts. These events are essential for verifying compliance with the HITRUST CSF 01.v requirement, which requires the logging of key system activities. 
This report facilitates the identification and auditing of unauthorized access attempts, which helps detect suspicious or malicious activity and ensures effective security policy implementation and continuous monitoring.', null, null, null, null, null, null, null, null, null, 601, true, 266, 'TEMPLATE', null, null, 'Windows Account Logon Failure', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (675, 'This report contributes to compliance with the NIST CSF PR.DS-3 requirement, which requires protective monitoring of data at rest and in transit. By reviewing relevant events on Windows systems, this report facilitates the identification and auditing of access to critical data, ensuring that any attempt to access, modify, or manipulate sensitive information is adequately monitored and logged to protect its confidentiality, integrity, and availability.', null, null, null, null, null, null, null, null, null, 601, true, 273, 'TEMPLATE', null, null, 'Windows Attempt to Access a Protected Object', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (659, 'This report collects and analyzes security events identified by ID 4672 on Windows systems. 
Event 4672 records the assignment of special privileges to users, such as administrator privileges or access to critical system functions. These events provide key information about who has been granted elevated permissions and when, which is critical for verifying compliance with the HITRUST CSF 01.v requirement, which mandates the logging of key system activities. This report facilitates the identification and auditing of changes in access privileges, ensuring that access to critical system functions is monitored and controlled, and that all key activities are properly logged to maintain security and regulatory compliance.', null, null, null, null, null, null, null, null, null, 601, true, 278, 'TEMPLATE', null, null, 'Windows Special privileges assigned to new logon', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (660, 'This report collects and analyzes security events identified by IDs 6005 and 6006 on Windows systems. Event 6005 records the start of the event log service, while event 6006 records its stop, both providing relevant information on the status of system log collection. These events are essential for verifying compliance with the HITRUST CSF 01.v requirement, which mandates the logging of key system activities. 
This report facilitates validation that the system is configured to properly log relevant events, contributing to adequate security governance and the implementation of effective monitoring policies for critical system activities.', null, null, null, null, null, null, null, null, null, 601, true, 311, 'TEMPLATE', null, null, 'Windows Event Log Service', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (662, 'This report collects and analyzes security events identified by ID 4719 on Windows systems. Event 4719 records changes to audit policy configurations, indicating modifications to how system activities are monitored and logged. These events are essential for verifying compliance with the HITRUST CSF 01.v requirement, which mandates the logging of key system activities. 
This report facilitates the identification and auditing of audit policy modifications, ensuring that systems maintain adequate and continuous monitoring of critical activities, contributing to compliance with security policies and effective control.', null, null, null, null, null, null, null, null, null, 601, true, 280, 'TEMPLATE', null, null, 'Windows Policy changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (663, 'This report collects and analyzes security events identified with ID 4688 on Windows systems. Event 4688 records the creation of new processes. These events are essential for verifying compliance with the HITRUST CSF 01.v requirement, which requires the logging of key system activities. 
This report facilitates the identification of critical process execution and allows you to audit system activity to ensure all key actions are monitored and logged, contributing to the implementation of appropriate security policies and system protection.', null, null, null, null, null, null, null, null, null, 601, true, 284, 'TEMPLATE', null, null, 'Windows Process Creation', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (668, 'This report collects and analyzes security events identified by ID 4720 on Windows systems. Event 4720 records the creation of new user accounts, providing relevant information about when, where, and by whom these accounts were created. These events are essential for verifying compliance with the HITRUST CSF 01.v requirement, which mandates the logging of key system activities. 
This report facilitates the identification and auditing of account creation, ensuring that all changes to the user directory are properly monitored and logged to maintain system integrity and security.', null, null, null, null, null, null, null, null, null, 601, true, 267, 'TEMPLATE', null, null, 'Windows User Accounts Created', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (669, 'This report contributes to compliance with the NIST CSF PR.DS-3 requirement, which requires protective monitoring of data at rest and in transit. By analyzing event ID 4724 on Windows systems, this report facilitates the monitoring of activities related to user account password resets. By logging and auditing password change attempts, it ensures that access to sensitive data is properly managed, protecting the integrity and confidentiality of the information. 
This monitoring contributes to data protection by detecting and preventing unauthorized access, ensuring compliance with established security policies.', null, null, null, null, null, null, null, null, null, 601, true, 312, 'TEMPLATE', null, null, 'Windows Password Reset Attempts', ''); INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (674, 'This report contributes to compliance with the NIST CSF PR.DS-3 requirement, which requires protective monitoring of data both at rest and in transit. By analyzing events identified by ID 5145 on Windows systems, this report facilitates the monitoring of access and activities related to critical resources. 
This ensures that any attempt to access or manipulate sensitive data is properly logged, audited, and reviewed, thus guaranteeing the continuous protection of data confidentiality, integrity, and availability, strengthening security policies, and proactive monitoring of the IT infrastructure.', null, null, null, null, null, null, null, null, null, 601, true, 285, 'TEMPLATE', null, null, 'Windows Access to Shared Resources', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1120, 'This report compiles relevant information from Windows 4624 events to verify compliance with PCI DSS Requirement 3.4.2. This requirement establishes that, when remote access technologies are used, technical controls must prevent the copying and/or relocation of PANs (Primary Account Numbers) by all personnel, except those with express, documented authorization and a defined, legitimate business need.

Event 4624 provides details on successful login attempts to the system, allowing for effective auditing of system access. This event allows you to verify whether remote access is being performed by authorized personnel and whether technical measures are in place to prevent unauthorized manipulation of the PAN, thereby meeting the security requirements of PCI DSS.

Remote access to systems is analyzed, authenticated user identification is identified, and access controls and security policies are validated to prevent unauthorized access that could compromise the security of the PAN and other sensitive information stored or transmitted.', null, null, null, null, null, null, null, null, null, 802, true, 265, 'TEMPLATE', null, null, 'Windows Account Logon Success', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1158, 'This report compiles relevant information from Windows 4624 events, which record successful system logins. The information contained in these events is crucial for assessing compliance with PCI DSS Requirement 7.3, which establishes that access to system components and data must be managed through an access control system. 4624 events verify that system access is carried out in accordance with defined access control policies, ensuring that only authorized users with the necessary privileges have access to sensitive systems and data. 
This allows for auditing and managing access based on business needs and assigned user roles.', null, null, null, null, null, null, null, null, null, 805, true, 265, 'TEMPLATE', null, null, 'Windows Account Logon Success', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1140, 'This report collects and analyzes relevant information from Windows event 4720 logs, which record the creation of new accounts in the system. Its purpose is to assess compliance with PCI DSS Requirement 6.2, ensuring that custom software development is carried out securely. Analysis of these events identifies potential security gaps in access management, ensuring that only authorized users can interact with development, testing, and production environments. 
It also reviews whether authentication and account control processes follow established security best practices and standards, contributing to the prevention of unauthorized access, mitigating security risks, and implementing audit measures in compliance with PCI DSS.', null, null, null, null, null, null, null, null, null, 806, true, 267, 'TEMPLATE', null, null, 'Windows User Accounts Created', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1149, 'This report collects and analyzes Windows 4720 events, which record the creation of new user accounts. Its purpose is to assess compliance with PCI DSS Requirement 7.2, ensuring that access to system components and data is appropriately defined and assigned. 
Monitoring these events helps identify the creation of unauthorized accounts, verify the assignment of privileges based on job functions, and ensure the principle of least privilege in access management.', null, null, null, null, null, null, null, null, null, 805, true, 267, 'TEMPLATE', null, null, 'Windows User Accounts Created', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1159, 'This report compiles relevant information from Windows 4625 events, which record failed login attempts. These event data are essential for assessing compliance with PCI DSS Requirement 7.3, which mandates that access to system components and data must be managed through an access control system. 4625 events provide details on unauthorized access attempts, allowing you to verify that the system is configured to reject unauthorized access and to alert you to potential security risks. 
This report helps audit the effectiveness of access control, ensuring that only legitimate users with the necessary privileges have access to sensitive systems and data.', null, null, null, null, null, null, null, null, null, 805, true, 266, 'TEMPLATE', null, null, 'Windows Account Logon Failure', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (721, 'This report contributes to compliance with HIPAA Security Rule 164.312(b), which establishes the implementation of mechanisms for recording and examining system activity. By analyzing events logged by the UserLoggedIn ID in Office 365, this report facilitates the monitoring of system access and enables the detection and auditing of any activity related to system use. 
This monitoring helps ensure that all interactions with ePHI (Electronic Protected Health Information) data are properly logged, allowing for ongoing review of system activity to ensure the confidentiality, integrity, and availability of the information.', null, null, null, null, null, null, null, null, null, 601, true, 261, 'TEMPLATE', null, null, 'Office 365 Account Logon Success', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1069, 'This report collects 4720 events generated by the Windows system, which record the creation of new user accounts. Analysis of these events helps verify compliance with PCI DSS requirements, ensuring that the roles and responsibilities associated with user account management are properly documented, assigned, and understood. 
Additionally, it provides visibility into the assignment of new accounts and their relationship to security activities, helping to ensure that the right people are assigned to perform critical security activities appropriately.', null, null, null, null, null, null, null, null, null, 807, true, 267, 'TEMPLATE', null, null, 'Windows User Accounts Created', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1080, 'This report captures 4625 events generated by the Windows system, which record failed logon attempts. Analysis of these events is crucial to verify compliance with PCI DSS requirements, ensuring that roles and responsibilities related to system access and security management are properly documented, assigned, and understood. 
It also helps detect potential unauthorized access attempts, helping to ensure that authentication and authorization activities are performed only by individuals designated to perform tasks related to security controls, in accordance with established policies and operating procedures.', null, null, null, null, null, null, null, null, null, 807, true, 266, 'TEMPLATE', null, null, 'Windows Account Logon Failure', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1079, 'This report collects 4624 events generated by the Windows system, which record successful logons to the system. Analysis of these events is key to verifying compliance with PCI DSS requirements, ensuring that the roles and responsibilities associated with accessing the system and performing critical activities are properly documented, assigned, and understood. 
Additionally, it provides visibility into which users and accounts are accessing systems, allowing validation that the right people have the necessary permissions to perform security activities related to installing and maintaining network controls, in accordance with established operational policies and procedures.', null, null, null, null, null, null, null, null, null, 807, true, 265, 'TEMPLATE', null, null, 'Windows Account Logon Success', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1162, 'This report collects and analyzes 4720 events (Creation of a New User Account) recorded in Windows logs to assess compliance with PCI DSS Requirement 8.2. It verifies that all created accounts have a unique ID before granting access to systems, that generic or shared accounts are not used without documented justification and approval, that account creation is properly authorized with the minimum necessary privileges, that inactive or disassociated user accounts are appropriately managed, and that third-party accounts are activated and deactivated as needed, with activity monitoring. 
This analysis helps ensure secure and controlled management of the user account lifecycle, in line with PCI DSS requirements.', null, null, null, null, null, null, null, null, null, 808, true, 267, 'TEMPLATE', null, null, 'Windows User Accounts Created', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1164, 'This report collects and analyzes 4624 (Successful Logon) events recorded in Windows logs to assess compliance with PCI DSS Requirement 8.2. It verifies that each user has a unique ID before accessing systems, preventing the misuse of generic or shared accounts. It also verifies that logged-in sessions correspond to authorized users, that inactive accounts are not used uncontrollably, and that third-party access is monitored and managed appropriately. 
This analysis ensures proper account management and access traceability, strengthening system security.', null, null, null, null, null, null, null, null, null, 808, true, 265, 'TEMPLATE', null, null, 'Windows Account Logon Success', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (675, 'This report contributes to compliance with the NIST CSF PR.DS-3 requirement, which requires protective monitoring of data at rest and in transit. By reviewing relevant events on Windows systems, this report facilitates the identification and auditing of access to critical data, ensuring that any attempt to access, modify, or manipulate sensitive information is adequately monitored and logged to protect its confidentiality, integrity, and availability.', null, null, null, null, null, null, null, null, null, 601, true, 273, 'TEMPLATE', null, null, 'Windows Attempt to Access a Protected Object', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (676, 'This report supports compliance with the NIST CSF PR.DS-3 requirement, which requires protective monitoring of data both at rest and in transit. 
By collecting and analyzing specific events on Windows systems, this report facilitates continuous monitoring of activities related to critical data management. This ensures that any changes to security settings or access to sensitive information are adequately detected, logged, and audited, contributing to the protection of data confidentiality, integrity, and availability within the IT infrastructure.', null, null, null, null, null, null, null, null, null, 601, true, 322, 'TEMPLATE', null, null, 'Windows Registry Value Modification', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (677, 'This report collects and analyzes security events identified by ID 4670 on Windows systems. Event 4670 records attempts to modify permissions or properties of an object protected by a DACL (Discretionary Access Control List), providing relevant information about changes to security settings and access to critical resources. These events are essential for verifying compliance with the HITRUST CSF 01.v requirement, which mandates the logging of key system activities. 
This report facilitates the identification and auditing of attempts to modify permissions, ensuring that changes to security settings are appropriately monitored, logged, and reviewed to maintain the integrity and protection of critical systems.', null, null, null, null, null, null, null, null, null, 601, true, 274, 'TEMPLATE', null, null, 'Windows Protected Object Permission Change', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (678, 'This report collects and analyzes security events identified by ID 4663 on Windows systems. Event 4663 records access attempts to protected objects. These events are essential for verifying compliance with the NIST CSF PR.DS-3 requirement, which mandates the protective monitoring of data at rest and in transit. 
This report facilitates the identification and auditing of access to critical data, ensuring that any attempt to access sensitive data is appropriately monitored, logged, and reviewed to protect the confidentiality, integrity, and availability of the information.', null, null, null, null, null, null, null, null, null, 601, true, 277, 'TEMPLATE', null, null, 'Windows Access to critical files or specific directories', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (679, 'This report collects and analyzes security events identified by ID 4648 on Windows systems. Event 4648 records explicit authentication attempts using programmatically provided credentials, providing relevant information for verifying compliance with HIPAA requirement 164.312(a)(1). This requirement establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that store or process ePHI (Electronic Protected Health Information). 
This report facilitates the identification of authenticated access and contributes to the implementation and monitoring of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 281, 'TEMPLATE', null, null, 'Windows Logins with explicit credentials', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (680, 'This report collects and analyzes security events identified by ID 4688 on Windows systems. Event 4688 records the creation of new processes, providing relevant information for verifying compliance with HIPAA requirement 164.312(a)(1). This requirement establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that store or process ePHI (Electronic Protected Health Information). 
This report facilitates the identification of executed processes, their origin, and associated permissions, contributing to the implementation and monitoring of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 284, 'TEMPLATE', null, null, 'Windows Process Creation', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (681, 'This report collects and analyzes security events identified by ID 4738 on Windows systems. Event 4738 records changes to user account properties, providing relevant information for verifying compliance with HIPAA requirement 164.312(a)(1). This requirement establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that store or process ePHI (Electronic Protected Health Information). 
This report facilitates the identification and monitoring of user account modifications, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 308, 'TEMPLATE', null, null, 'Windows User Account Attributes Changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (682, 'This report collects and analyzes security events identified by ID 4724 on Windows systems. Event 4724 records password reset attempts on user accounts, providing relevant information for verifying compliance with HIPAA requirement 164.312(a)(1). This requirement establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that store or process ePHI (Electronic Protected Health Information). 
This report facilitates the identification and monitoring of password changes, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 312, 'TEMPLATE', null, null, 'Windows Password Reset Attempts', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (683, 'This report collects and analyzes security events identified by ID 4719 on Windows systems. Event 4719 records changes to the system''s audit policy configuration, providing relevant information for verifying compliance with HIPAA requirement 164.312(a)(1). This requirement establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that store or process ePHI (Electronic Protected Health Information). 
This report facilitates the identification and monitoring of audit policy changes, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 280, 'TEMPLATE', null, null, 'Windows Policy changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (684, 'This report collects and analyzes security events identified by ID 4907 on Windows systems. Event 4907 records changes in audit policy settings related to access to system resources, providing relevant information for verifying compliance with HIPAA requirement 164.312(a)(1). This requirement establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that store or process ePHI (Electronic Protected Health Information). 
This report facilitates the identification and monitoring of audit policy adjustments, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 291, 'TEMPLATE', null, null, 'Windows Restoration of default security policies', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (685, 'This report collects and analyzes security events identified by ID 4690 on Windows systems. Event 4690 records attempts to modify the permissions of protected objects, such as files, folders, or critical resources that may contain ePHI (Electronic Protected Health Information). This event is essential for verifying compliance with HIPAA requirement 164.312(a)(1), which establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that maintain ePHI. 
This report facilitates the identification and monitoring of changes in access permissions, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 279, 'TEMPLATE', null, null, 'Windows Failed logon attempt', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (686, 'This report collects and analyzes security events identified by ID 4902 on Windows systems. Event 4902 records changes to local audit policy settings, providing relevant information about modifications to the rules that govern access and activity monitoring on systems that may contain ePHI (Electronic Protected Health Information). This event is essential for verifying compliance with HIPAA requirement 164.312(a)(1), which establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that maintain ePHI. 
This report facilitates the identification and monitoring of audit policy modifications, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 292, 'TEMPLATE', null, null, 'Windows Audit Policy Change', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (690, 'This report collects and analyzes security events identified by ID 4103 on Windows systems. Event 4103 records the execution of PowerShell scripts with detailed information about the executed commands and their parameters, providing relevant data for verifying compliance with the HITRUST CSF 01.p requirement, which establishes that access to log data and monitoring systems must be controlled. 
This report facilitates the identification and monitoring of PowerShell activities that could affect the integrity of monitoring and logging systems, contributing to the implementation of secure access policies and appropriate oversight.', null, null, null, null, null, null, null, null, null, 602, true, 288, 'TEMPLATE', null, null, 'Windows PowerShell Script Block Registration', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (691, 'This report collects and analyzes security events identified by ID 4723 on Windows systems. Event 4723 records attempts to change a user''s password, providing relevant information for verifying compliance with the NIST CSF PR.AC-1 requirement, which establishes that access to systems and assets should be limited based on defined roles. 
This report facilitates the identification and monitoring of successful or failed password change attempts, contributing to adequate access control and the implementation of identity and role management policies.', null, null, null, null, null, null, null, null, null, 602, true, 294, 'TEMPLATE', null, null, 'Windows User Password Reset Attempt', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (692, 'This report collects and analyzes security events identified by ID 4723 on Windows systems. Event 4723 records attempts to change a user''s password, providing relevant information for verifying compliance with the NIST CSF PR.AC-1 requirement, which establishes that access to systems and assets should be limited based on defined roles. 
This report facilitates the identification and monitoring of successful or failed password change attempts, contributing to adequate access control and the implementation of identity and role management policies.', null, null, null, null, null, null, null, null, null, 602, true, 300, 'TEMPLATE', null, null, 'Windows Monitoring of Critical System Services Status', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (693, 'This report collects and analyzes security events identified by ID 7036 on Windows systems. Event 7036 records changes in the status of system services, such as the start or stop of key services. These events provide relevant information for verifying compliance with the HITRUST CSF 01.v requirement, which establishes the obligation to log key system activities. 
This report facilitates the identification and monitoring of essential services, ensuring that critical system activities are properly logged and audited, and contributing to the implementation of monitoring policies and adequate control of system activities.', null, null, null, null, null, null, null, null, null, 601, true, 300, 'TEMPLATE', null, null, 'Windows Monitoring of Critical System Services Status', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (694, 'This report collects and analyzes security events identified by ID 4689 on Windows systems. Event 4689 records the termination of a process on the system, providing relevant information about which processes have been stopped, who executed them, and when. These events are essential for verifying compliance with the HITRUST CSF 01.v requirement, which requires the logging of key system activities. 
This report facilitates the identification and auditing of terminated processes, contributing to the comprehensive monitoring of system activities, ensuring that all key activities are logged and audited to comply with security and control standards.', null, null, null, null, null, null, null, null, null, 601, true, 302, 'TEMPLATE', null, null, 'Windows Process Termination', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (695, 'This report collects and analyzes security events identified by ID 4907 on Windows systems. Event 4907 records changes to the configuration of centralized access control lists (Audit Policy Changes), providing relevant information about modifications to system audit policies. These events are essential for verifying compliance with the HITRUST CSF 01.v requirement, which mandates the logging of key system activities. 
This report facilitates the identification and auditing of audit policy adjustments, ensuring that any modifications are appropriately logged, reviewed, and approved to maintain effective and continuous monitoring of critical system activities.', null, null, null, null, null, null, null, null, null, 601, true, 291, 'TEMPLATE', null, null, 'Windows Restoration of default security policies', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (696, 'This report collects and analyzes security events identified with ID 4738 on Windows systems. Event 4738 records changes to user account properties, providing relevant information essential for verifying compliance with the HITRUST CSF 01.v requirement, which mandates the logging of key system activities. 
This report facilitates the identification and auditing of changes to user accounts, ensuring that all changes are appropriately monitored, logged, and reviewed to maintain security, integrity, and compliance with controlled access policies.', null, null, null, null, null, null, null, null, null, 601, true, 308, 'TEMPLATE', null, null, 'Windows User Account Attributes Changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (697, 'This report contributes to compliance with the NIST CSF PR.DS-3 requirement, which establishes the need to protectively monitor data both at rest and in transit. By collecting key events on Windows systems, this report enables continuous information security monitoring, ensuring that activities related to the access and use of sensitive data are adequately monitored and logged. 
This guarantees the protection of the confidentiality, integrity, and availability of critical data, helping to prevent unauthorized access or tampering.', null, null, null, null, null, null, null, null, null, 601, true, 315, 'TEMPLATE', null, null, 'Windows Credential Access', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (698, 'This report supports compliance with the NIST CSF PR.DS-3 requirement, which mandates protective monitoring of data at rest and in transit. By analyzing events identified by IDs 4768, 4769, and 4771 on Windows systems, this report facilitates the oversight of processes related to authentication and access to protected resources. By monitoring authentication attempts and Kerberos ticket requests, it ensures that access to sensitive data is properly managed and logged. 
This contributes to protecting the confidentiality, integrity, and availability of data, ensuring effective monitoring of critical activities and compliance with established security policies.', null, null, null, null, null, null, null, null, null, 601, true, 283, 'TEMPLATE', null, null, 'Windows Kerberos ticket requests', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (699, 'This report contributes to compliance with the NIST CSF PR.DS-3 requirement, which establishes the need to protectively monitor data both at rest and in transit. By analyzing event ID 4771 on Windows systems, this report facilitates the monitoring of authentication failures during the Kerberos ticket request process. This monitoring allows for the detection of unauthorized access attempts or potential security breaches, ensuring the continuous protection of sensitive data. 
Logging these events ensures the maintenance of information integrity and availability and strengthens secure access policies in the IT infrastructure.', null, null, null, null, null, null, null, null, null, 601, true, 310, 'TEMPLATE', null, null, 'Windows Kerberos pre-authentication failed', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (700, 'This report contributes to compliance with the NIST CSF DE.CM-1 requirement, which establishes the need for continuous monitoring of network activity to detect malicious activity. By analyzing events identified by IDs 5140 and 5145 on Windows systems, this report facilitates the monitoring of connections and access to shared network resources. It allows for the identification of suspicious or potentially malicious behavior patterns, which helps mitigate risks and strengthen system security. 
This continuous monitoring ensures that security policies are in place, contributing to the protection of data and technological infrastructure.', null, null, null, null, null, null, null, null, null, 604, true, 285, 'TEMPLATE', null, null, 'Windows Network Access to shared resource', '');
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (701, 'This report contributes to compliance with the NIST CSF DE.CM-1 requirement, which establishes the need for continuous monitoring of network activity to detect malicious activity. By analyzing event ID 4624 on Windows systems, this report facilitates the monitoring of successful system logins. By identifying authorized access, it allows for efficient monitoring of network activity, helping to detect potential intrusions or suspicious behavior. 
This continuous monitoring is critical to ensuring environmental security, protecting sensitive data, and ensuring system integrity.', null, null, null, null, null, null, null, null, null, 604, true, 265, 'TEMPLATE', null, null, 'Windows Account Logon Success', '');
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (702, 'This report contributes to compliance with the NIST CSF DE.CM-1 requirement, which establishes the need for continuous monitoring of network activity to detect malicious activity. By analyzing event ID 4625 on Windows systems, this report facilitates the monitoring of failed login attempts. These events may indicate unauthorized access attempts or suspicious activity, helping to identify potential threats and prevent malicious access. 
This continuous monitoring contributes to the protection of network resources and strengthens system security policies.', null, null, null, null, null, null, null, null, null, 604, true, 266, 'TEMPLATE', null, null, 'Windows Account Logon Failure', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1170, 'This report collects and analyzes 4624 (Successful Logon) events recorded in Windows logs to assess compliance with PCI DSS Requirement 8.2. System access is examined to ensure each user has a unique ID before accessing system components or cardholder data. The use of shared or generic accounts is also verified, ensuring they are only used in exceptional circumstances and with documented approval. 
Additionally, active sessions are monitored to identify unauthorized access, inactive accounts, and the use of single sign-on for remote access, ensuring proper account lifecycle management and compliance with regulatory-required authentication controls.', null, null, null, null, null, null, null, null, null, 808, true, 265, 'TEMPLATE', null, null, 'Windows Account Logon Success', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1177, 'This report compiles relevant information from Windows Event 4625 logs, which indicate failed login attempts. Its purpose is to support the detection of suspicious activity and authentication anomalies, as well as facilitate forensic analysis of security events. 
It also verifies that audit logging is enabled and active on all system components and in environments that handle cardholder data, in compliance with PCI DSS requirements 10.2 and 10.2.1.', null, null, null, null, null, null, null, null, null, 809, true, 266, 'TEMPLATE', null, null, 'Windows Account Logon Failure', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1179, 'This report compiles relevant information from Windows Event 4720 logs, which indicate the creation of new user accounts. Its purpose is to verify that all actions performed by individuals with administrative access, including interactive use of system or application accounts, are logged in accordance with PCI DSS requirement 10.2.1.2. This monitoring contributes to the detection of suspicious activity and forensic analysis of events in the IT environment.', null, null, null, null, null, null, null, null, null, 809, true, 267, 'TEMPLATE', null, null, 'Windows User Accounts Created', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1191, 'This report compiles relevant information from Windows Event 4625 logs, which are generated when a login attempt fails. 
Analyzing these events is critical for identifying and addressing exceptions or anomalies detected during the log review process, in compliance with PCI DSS Requirement 10.4.3. This requirement mandates that exceptions and unusual activity found in audit logs be investigated and managed appropriately. This report helps detect patterns of failed access attempts that could indicate potential threats, such as intrusion attempts, compromised credentials, or legitimate authentication errors that require review.', null, null, null, null, null, null, null, null, null, 809, true, 266, 'TEMPLATE', null, null, 'Windows Account Logon Failure', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1203, 'This report focuses on gathering relevant information from logs generated by Windows event 4624 to assess compliance with PCI DSS Requirement 11.3.1.2. The purpose of this requirement is to ensure that internal vulnerability scans are performed using authenticated scans. By analyzing successful logon events, the report verifies that systems requiring credentials for authenticated scans are properly documented and managed. It also ensures that systems accepting credentials for scans use sufficient privileges and that, if accounts used for authenticated scanning can be used for interactive logins, these accounts are managed in accordance with the requirements established in PCI DSS Requirement 8.2.2. 
This report is essential to confirm that practices related to authenticated scans are aligned with the security policies and appropriate access controls defined by PCI DSS.', null, null, null, null, null, null, null, null, null, 810, true, 265, 'TEMPLATE', null, null, 'Windows Account Logon Success', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1204, 'This report is designed to assess compliance with PCI DSS Requirement 11.3.1.2, which requires internal vulnerability scans to be conducted using authenticated scans. Using logs generated by Windows event 4625, this report collects relevant information about failed login attempts, which may indicate issues with the credentials used in authenticated scans. The report helps verify that systems unable to accept credentials for authenticated scans are properly documented and that systems that allow such scans use sufficient privileges to ensure a proper security assessment. 
It also ensures that accounts used for authenticated scans that allow interactive logins are managed in accordance with the requirements established in PCI DSS Requirement 8.2.2, ensuring proper handling of credentials and their alignment with security best practices.', null, null, null, null, null, null, null, null, null, 810, true, 266, 'TEMPLATE', null, null, 'Windows Account Logon Failure', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1201, 'This report is designed to assess compliance with PCI DSS Requirement 11.2, which establishes that wireless access points must be identified, monitored, and unauthorized access points must be appropriately managed. By analyzing logs generated by Windows Event 1100, the report gathers key information to verify that both authorized and unauthorized wireless access points are correctly detected and identified. 
It also ensures that the testing, detection, and identification process is performed at least every three months, as required.', null, null, null, null, null, null, null, null, null, 810, true, 314, 'TEMPLATE', null, null, 'Windows Event Logging Service Shut Down', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (703, 'This report supports compliance with the NIST CSF DE.CM-1 requirement, which establishes the need to continuously monitor network activities to detect malicious behavior. By analyzing event ID 4672 on Windows systems, this report allows monitoring of highly privileged account logins, which can be a critical point in network security. Monitoring these events helps identify potentially suspicious or unauthorized access, enabling a rapid response to malicious activity. 
This approach helps ensure the continuous protection and security of network assets.', null, null, null, null, null, null, null, null, null, 604, true, 278, 'TEMPLATE', null, null, 'Windows Special privileges assigned to new logon', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (704, 'This report supports compliance with the NIST CSF DE.CM-1 requirement, which establishes the need for continuous monitoring of network activity to detect malicious activity. By analyzing event ID 4648 on Windows systems, this report facilitates the monitoring of login attempts using credentials from a different account, which may indicate anomalous or malicious behavior. 
This continuous monitoring allows suspicious activity to be identified and preventive or corrective actions to be taken in a timely manner, contributing to network protection and system security.', null, null, null, null, null, null, null, null, null, 604, true, 281, 'TEMPLATE', null, null, 'Windows Logins with explicit credentials', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (705, 'This report contributes to compliance with the NIST CSF DE.CM-1 requirement, which establishes the need to continuously monitor network activity to detect malicious activity. By analyzing event ID 4688 on Windows systems, this report allows monitoring the creation of new processes on the system, which may indicate the execution of malicious software or unauthorized activity. 
This continuous monitoring facilitates early threat detection and enables a rapid response to potential security incidents, helping to maintain the integrity and security of the network and systems.', null, null, null, null, null, null, null, null, null, 604, true, 284, 'TEMPLATE', null, null, 'Windows Process Creation', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (706, 'This report supports compliance with the NIST CSF DE.CM-1 requirement, which establishes the need to continuously monitor network activity to detect malicious activity. By analyzing event ID 4697 on Windows systems, this report facilitates monitoring the installation of new services on the system, which may indicate unauthorized changes or the execution of malicious activity. 
This continuous monitoring allows for rapid detection and response to potential threats, helping to protect the network infrastructure and ensuring that security policies remain effective.', null, null, null, null, null, null, null, null, null, 604, true, 305, 'TEMPLATE', null, null, 'Windows Service Installed', '');
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (707, 'This report supports compliance with the NIST CSF DE.CM-1 requirement, which establishes the need for continuous monitoring of network activity to detect malicious activity. By analyzing event ID 4720 on Windows systems, this report facilitates monitoring the creation of new user accounts, which may be indicative of possible unauthorized or malicious activity. 
By monitoring these types of events, the creation of accounts that do not follow established protocols can be detected, contributing to a rapid response to potential threats and strengthening the security of the network infrastructure.', null, null, null, null, null, null, null, null, null, 604, true, 267, 'TEMPLATE', null, null, 'Windows User Accounts Created', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1216, 'This report compiles Windows 4720 events, which record when a user is added to a security group. These events are key to verifying the assignment of responsibilities for PCI DSS compliance. They help ensure that security tasks and operational policies are being properly implemented.

The report confirms that quarterly PCI DSS compliance reviews are conducted, including reviewing logs, security configurations, and responding to alerts, ensuring that the organization and its vendors maintain compliance.', null, null, null, null, null, null, null, null, null, 811, true, 267, 'TEMPLATE', null, null, 'Windows User Accounts Created', '');
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (708, 'This report supports compliance with the NIST CSF DE.CM-1 requirement, which establishes the need to continuously monitor network activity for malicious activity. By analyzing event ID 4726 on Windows systems, this report facilitates monitoring user account deletions, which may indicate unauthorized or malicious activity. 
Monitoring these types of events helps identify changes in the system infrastructure that could compromise its security, enabling an immediate response to potential incidents and ensuring continuous network protection.', null, null, null, null, null, null, null, null, null, 604, true, 272, 'TEMPLATE', null, null, 'Windows User Accounts Deleted', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1231, 'This report analyzes user account creation events (Event ID 4720) on Windows systems to assess compliance with PCI DSS Requirement A1.2.2, which establishes the implementation of processes or mechanisms to facilitate rapid forensic investigations in the event of a suspected or confirmed security incident. Event 4720 is generated when a new user account is created, which can be relevant in situations where unauthorized or unexpected account creation is indicative of a security incident. This analysis verifies that event logs provide the information necessary to conduct timely and detailed forensic investigations, enabling a rapid incident response. 
The findings in this report help ensure that the system has adequate mechanisms for recording and storing critical information, facilitating the resolution of security incidents and ensuring compliance with PCI DSS controls for evidence preservation and forensic investigation.', null, null, null, null, null, null, null, null, null, 812, true, 267, 'TEMPLATE', null, null, 'Windows User Accounts Created', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (709, 'This report supports compliance with the NIST CSF DE.CM-1 requirement, which establishes the need to continuously monitor network activity for malicious activity. By analyzing events identified by IDs 4768, 4769, and 4771 on Windows systems, this report facilitates the monitoring of authentication attempts in the network environment, including failures and errors related to account authentication. 
Monitoring these events allows for the identification of unusual or suspicious patterns that could indicate malicious activity, facilitating a rapid and proactive response to potential security incidents.', null, null, null, null, null, null, null, null, null, 604, true, 283, 'TEMPLATE', null, null, 'Windows Kerberos ticket requests', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (710, 'This report contributes to compliance with the NIST CSF DE.CM-1 requirement, which establishes the need for continuous monitoring of network activity to detect malicious activity. By analyzing event ID 1102 on Windows systems, this report facilitates monitoring the cleanup of security logs, which may indicate an attempt to conceal unauthorized or malicious activity. 
Monitoring these types of events allows for the detection of log alterations that could compromise system security, enabling an immediate response to security incidents and ensuring the integrity of the network and data.', null, null, null, null, null, null, null, null, null, 604, true, 295, 'TEMPLATE', null, null, 'Windows Cleaned Event Log', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (711, 'This report supports compliance with the NIST CSF DE.CM-1 requirement, which establishes the need to continuously monitor network activity to detect malicious activity. By analyzing event ID 4719 on Windows systems, this report facilitates the monitoring of changes to security audit policies, which may indicate unauthorized adjustments that could compromise log integrity or conceal malicious activity. 
Monitoring these types of events can detect suspicious changes to security settings, strengthening incident response capabilities and ensuring constant surveillance of the network infrastructure.', null, null, null, null, null, null, null, null, null, 604, true, 280, 'TEMPLATE', null, null, 'Windows Policy changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (712, 'This report contributes to compliance with the NIST CSF DE.CM-1 requirement, which requires continuous monitoring of network activity to detect potential malicious activity. By analyzing event ID 4657 on Windows systems, the report facilitates the monitoring of changes to system security objects, which may indicate unauthorized actions that alter system configuration or allow unauthorized access. 
Monitoring these events is crucial for identifying suspicious alterations or modifications that may affect security, enabling a rapid and proactive response to security incidents and ensuring the integrity of the network infrastructure.', null, null, null, null, null, null, null, null, null, 604, true, 322, 'TEMPLATE', null, null, 'Windows Registry Value Modification', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (713, 'This report contributes to compliance with the NIST CSF DE.CM-1 requirement, which establishes the need to continuously monitor network activity to detect potential malicious activity. By analyzing event ID 4663 on Windows systems, this report facilitates the monitoring of access and modifications to system objects, which may indicate unauthorized attempts to manipulate or alter critical data. 
Monitoring these types of events is essential for identifying suspicious activity that could compromise system security, enabling a rapid and effective response to potential threats and ensuring the protection of the network''s digital assets.', null, null, null, null, null, null, null, null, null, 604, true, 277, 'TEMPLATE', null, null, 'Windows Access to critical files or specific directories', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (716, 'This report supports compliance with the NIST CSF DE.CM-1 requirement, which establishes the need to continuously monitor network activity to identify potential malicious activity. By analyzing event ID 5145 on Windows systems, the report facilitates the monitoring of access to shared resources and files, which may reveal unauthorized attempts to manipulate or access sensitive data. 
Monitoring these types of events allows for the detection of unusual patterns or suspicious activity that could jeopardize the security of the network infrastructure, ensuring a swift response to threats and maintaining the integrity of systems and information.', null, null, null, null, null, null, null, null, null, 604, true, 275, 'TEMPLATE', null, null, 'Windows Access to shared resource', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (717, 'This report contributes to compliance with the NIST CSF DE.CM-1 requirement, which requires continuous monitoring of network activities to detect potential malicious activity. By analyzing event ID 4776 on Windows systems, the report enables monitoring of authentication attempts, specifically those involving credential validation on networks and systems. Monitoring these events helps identify unusual access patterns or unauthorized authentication attempts that could be indicative of an attack, such as an unauthorized access attempt or a brute-force attack. 
This continuous monitoring is essential for detecting potential threats and maintaining the security of the IT infrastructure.', null, null, null, null, null, null, null, null, null, 604, true, 301, 'TEMPLATE', null, null, 'Windows Account Authentication Using NTLM', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (719, 'This report supports compliance with the NIST CSF DE.CM-1 requirement, which mandates continuous monitoring of network activity to detect malicious activity. By analyzing event ID 7030 on Windows systems, the report facilitates monitoring the status and actions of critical services on the system. This monitoring is key to identifying potential failures or unauthorized modifications to services that could indicate malicious activity, such as denial-of-service attacks or attempts to disable security services. 
The information provided by this event helps maintain system integrity and security, enabling efficient detection and response to potential threats.', null, null, null, null, null, null, null, null, null, 604, true, 323, 'TEMPLATE', null, null, 'Windows Service Control Manager Log Information', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (720, 'This report compiles security alert logs generated in Windows logs, which are used to monitor access patterns and detect potential anomalies in the use of system resources. These alerts are triggered in response to significant security events, such as unauthorized access, suspicious modifications to critical files, or privilege escalation attempts. The collection and analysis of these alerts are essential to verify compliance with the NIST CSF DE.CM-1 requirement: Continuous monitoring of network activities for malicious activity, which mandates continuous monitoring of network activities to detect malicious behavior that could compromise the security of systems and data.

The report includes key details such as:

Events that caused the alert, providing context about the suspicious activity.

Alert severity, indicating the associated risk level.

Alert status, specifying whether it is active, resolved, or under investigation.

Alert category, which classifies the type of threat detected (e.g., unauthorized access, permission changes, failed authentication attempts).

Event source, identifying the system, user, or process that generated the alert.

Date and time of the event, allowing the activity to be correlated with other security events.

Analyzing these alerts can detect anomalous access patterns, improve incident response capabilities, and strengthen security controls in environments that handle sensitive information. By using automated tools for continuous activity monitoring, this report helps ensure proactive protection of systems and networks, in accordance with the requirements of NIST CSF DE.CM-1.', null, null, null, null, null, null, null, null, null, 604, true, 248, 'TEMPLATE', null, null, 'Windows Alerts', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (721, 'This report contributes to compliance with HIPAA Security Rule 164.312(b), which establishes the implementation of mechanisms for recording and examining system activity. By analyzing events logged by the UserLoggedIn ID in Office 365, this report facilitates the monitoring of system access and enables the detection and auditing of any activity related to system use. 
This monitoring helps ensure that all interactions with ePHI (Electronic Protected Health Information) data are properly logged, allowing for ongoing review of system activity to ensure the confidentiality, integrity, and availability of the information.', null, null, null, null, null, null, null, null, null, 601, true, 261, 'TEMPLATE', null, null, 'Office 365 Account Logon Success', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (722, 'This report supports compliance with HIPAA Security Rule 164.312(b), which establishes the need to implement mechanisms to log and examine system activity. By analyzing events related to failed login attempts in Office 365, this report facilitates the detection of suspicious activity and provides detailed tracking of unauthorized access. 
Ensuring continuous review of these events promotes effective system security monitoring, helping to protect the confidentiality, integrity, and availability of sensitive data in compliance with established security and audit policies.', null, null, null, null, null, null, null, null, null, 601, true, 262, 'TEMPLATE', null, null, 'Office 365 Account Logon Failure', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (723, 'This report supports compliance with HIPAA Security Rule 164.312(b), which establishes the need to implement mechanisms to log and examine system activity. By analyzing FileAccessed events in Office 365, this report enables monitoring of activities associated with the use and manipulation of sensitive data. 
This continuous monitoring helps ensure that all interactions with information are properly logged, which contributes to protecting the confidentiality, integrity, and availability of data, ensuring compliance with system security and audit policies.', null, null, null, null, null, null, null, null, null, 601, true, 325, 'TEMPLATE', null, null, 'Office 365 File Accessed', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (724, 'This report supports compliance with the NIST CSF PR.DS-3 requirement, which requires protective monitoring of data both at rest and in transit. By analyzing events related to the FileDownloaded operation in Office 365, this report facilitates the monitoring of file download-related activities, allowing for the detection of unauthorized access or suspicious activity. 
This continuous monitoring helps ensure the protection of sensitive data, ensuring its integrity, confidentiality, and availability throughout its entire lifecycle.', null, null, null, null, null, null, null, null, null, 601, true, 331, 'TEMPLATE', null, null, 'Office 365 OneDrive File Download', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (725, 'This report gathers and analyzes logs generated by the AWS DescribeLogStreams operation. This operation lists log streams in a specific log group, providing relevant information about who accesses and views log data that may contain ePHI (Electronic Protected Health Information). This report is essential for verifying compliance with HIPAA 164.312(a)(1), which establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that maintain ePHI. 
This report facilitates the identification and monitoring of access to log streams, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 332, 'TEMPLATE', null, null, 'AWS DescribeLogStreams Logs', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (726, 'This report gathers and analyzes relevant information generated by the DescribeLogGroups action in AWS. This action lists the log groups configured in Amazon CloudWatch Logs, providing essential information for verifying compliance with HIPAA 164.312(a)(1), which establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that maintain ePHI (Electronic Protected Health Information). 
This report facilitates the identification and monitoring of available log groups, allowing you to validate the correct configuration of permissions and associated access controls, contributing to the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 335, 'TEMPLATE', null, null, 'AWS DescribeLogGroups Logs', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (727, 'This report gathers and analyzes relevant information generated by PutObject events in AWS, which record the upload of objects to an Amazon S3 bucket. This event provides details about data access and storage, essential for verifying compliance with the HITRUST CSF 01.p requirement, which establishes that access to log data and monitoring systems must be controlled. 
The report makes it easy to identify who uploaded objects, from which location, and with what permissions, allowing validation of the proper implementation of access and control policies for log data and monitoring systems, thus ensuring their protection and compliance.', null, null, null, null, null, null, null, null, null, 602, true, 333, 'TEMPLATE', null, null, 'AWS PutObject Logs', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (728, 'This report gathers and analyzes relevant information generated by GetBucketAcl events in AWS, which record access requests to the access control list (ACL) of an Amazon S3 bucket. This event provides details on who has viewed or modified the permissions associated with the buckets, which is crucial for verifying compliance with the HITRUST CSF 01.p requirement, which establishes that access to log data and monitoring systems must be controlled. 
The report makes it easy to identify access to bucket permissions, ensuring that only authorized individuals can view or modify access controls to critical data and monitoring systems.', null, null, null, null, null, null, null, null, null, 602, true, 334, 'TEMPLATE', null, null, 'AWS GetBucketAcl Logs', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (729, 'This report compiles key information from the Windows logs generated by event 4624, which is triggered when a user successfully logs on to a system. This event is crucial to comply with CMMC control AU.2.044, which requires review of audit logs to detect inappropriate behavior and unauthorized activities.

Event 4624 provides details about system logins. By analyzing and correlating these logs with other security events, you can identify unusual behavior patterns, such as access attempts at unusual times, access from unauthorized locations, or repeated login attempts.

This report helps detect inappropriate behavior or suspicious activities, such as unauthorized access attempts or improper access, and allows early corrective action to mitigate security risks. Additionally, it contributes to CMMC compliance by ensuring that audit logs are appropriately reviewed to identify any attempted exploitation or system compromise.', null, null, null, null, null, null, null, null, null, 501, true, 265, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.044): Account Logon Success', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (730, 'This report compiles relevant information from the Windows logs generated by event 4625, which is triggered when a login attempt to the system is unsuccessful. This event is critical to comply with CMMC control AU.2.044, which requires review of audit logs to detect inappropriate behavior and unauthorized activities.

Event 4625 provides key details about failed login attempts. By analyzing these events, patterns of failed access attempts can be identified that could indicate a brute force attack, an unauthorized access attempt, or the exploitation of compromised credentials.

This report makes it easy to detect suspicious behavior related to unauthorized access attempts, and by correlating this information with other system logs, security teams can identify trends that require a proactive response. Additionally, it contributes to CMMC compliance by ensuring adequate review and monitoring of audit events that may flag inappropriate or malicious activities.', null, null, null, null, null, null, null, null, null, 501, true, 266, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.044): Account Logon Failure', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (732, 'This report collects relevant information from the Windows logs generated by event 4648, which is triggered when a user account is used to log on to a system with explicit credentials, such as using network credentials or a service account. This event is crucial to comply with CMMC control AU.2.044, which requires review of audit logs to detect inappropriate behavior.

Event 4648 provides details about login attempts with explicit credentials. By reviewing these types of logs, it is possible to identify unusual access or authentication attempts that may be related to unauthorized or malicious activity.

This report allows security teams to identify suspicious patterns of behavior, such as login attempts at unusual times or from unusual locations, which could indicate a possible attack. Furthermore, by correlating these events with other logs related to access or activities in the system, the detection of security incidents and inappropriate behavior is facilitated.

In summary, this report is an important tool to ensure compliance with CMMC regulations, helping to detect inappropriate behavior and ensuring that audit logs are appropriately reviewed to protect organizational infrastructure.', null, null, null, null, null, null, null, null, null, 501, true, 281, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.044): Logins with explicit credentials', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (733, 'This report collects relevant information from the Windows logs generated by event 4720, which is triggered when a new user account is created on the system. This event is crucial to comply with CMMC control AU.2.044, which requires review of audit logs to identify inappropriate behavior or suspicious activities.

Event 4720 provides details on creating user accounts. By reviewing and correlating this data with other activity logs, unusual patterns can be detected, such as account creation without justification or at unusual times, which could indicate malicious behavior or attempted privilege escalation.

This report makes it easy to identify potential inappropriate activities related to user account management, allowing security teams to quickly investigate and act on any unauthorized access attempts or account misuse. Additionally, contributes to compliance with CMMC regulations by ensuring that events that may flag suspicious behavior within the organization are appropriately reviewed.', null, null, null, null, null, null, null, null, null, 501, true, 267, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.044): User Accounts Created', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (734, 'This report compiles relevant information from the Windows logs generated by event 4726, which is triggered when a user account is disabled on the system. This event is essential to comply with CMMC control AU.2.044, which requires review of audit logs for inappropriate or suspicious behavior.

Event 4726 provides details about deactivating user accounts. By reviewing and correlating this data with other activity logs, patterns can be identified that suggest unusual behavior, such as account disabling without justification or at unusual times, which could indicate attempts to hide malicious activity or compromise system security. .

This report is useful for detecting suspicious activities related to user account management, allowing security teams to take quick action to investigate and mitigate potential risks. Additionally, contributes to compliance with CMMC regulations by ensuring that appropriate review is conducted of events that may indicate inappropriate behavior within the organization.', null, null, null, null, null, null, null, null, null, 501, true, 272, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.044): User Accounts Deleted', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (735, 'This report compiles relevant information from the Windows logs generated by events 5140 and 5145, which are triggered when access is made to a share on the network or when an attempt to access a share is blocked due to a configuration. incorrect permissions. These events are critical to complying with CMMC control AU.2.044, which requires review of audit logs to detect inappropriate or suspicious behavior.

Event 5140 is logged when a connection is established to a share. Event 5145 is raised when an attempt to access a share is denied due to permissions issues, which may indicate inappropriate or intentional behavior.

By reviewing and correlating these events with other logs, such as failed access attempts or permission setting changes, you can identify anomalous patterns that suggest unauthorized access attempts or malicious actions that compromise system security.

This report is key to detecting inappropriate behavior related to access to shared resources, allowing security teams to take preventive actions against possible threats. Additionally, it facilitates compliance with CMMC regulations by ensuring that access and denial events are appropriately reviewed and correlated to identify suspicious activity within the organization.', null, null, null, null, null, null, null, null, null, 501, true, 285, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.044): Access to Shared Resources', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (736, 'This report collects relevant information from the Windows logs generated by event 4767, which is triggered when a user account is unlocked on the system after being locked out due to failed login attempts. This event is crucial to comply with CMMC control AU.2.044, which requires review of audit logs to detect inappropriate or suspicious behavior.

Event 4767 provides details about the account that was unlocked, the account that performed the action, among others. By reviewing and correlating this data with other activity logs, anomalous patterns can be identified, such as attempts to unlock accounts at unusual times or by unauthorized accounts, which could signal attempts to circumvent security policies or unauthorized access.

This report is useful for detecting suspicious behavior related to the management of blocked accounts, allowing security teams to respond quickly to possible incidents. Additionally, contributes to compliance with CMMC regulations by ensuring effective review of events that may indicate inappropriate or malicious behavior within the organization.', null, null, null, null, null, null, null, null, null, 501, true, 336, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.044): Unlocked Account', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (737, 'This report compiles relevant information from the Windows logs generated by event 4672, which is triggered when a user gains elevated privileges, such as administrator, through an interactive or remote login. This event is crucial to comply with CMMC control AC.3.032, which requires monitoring and controlling remote access to sensitive systems to prevent misuse of elevated privileges.

Event 4672 provides key details about logging in for elevated users. Monitoring these events helps identify the use of elevated accounts in remote sessions, helping ensure that only authorized users access critical or sensitive systems.

This report is essential to control remote access to sensitive resources, ensuring that access is appropriate and authorized. Additionally, it contributes to CMMC compliance by strengthening security policies to protect sensitive systems from unauthorized access.', null, null, null, null, null, null, null, null, null, 501, true, 278, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.032): Special privileges assigned to new logon', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (738, 'This report compiles relevant information from the Windows logs generated by event 7045, which is activated when a service is installed on the system. This event is essential to comply with CMMC control AC.3.032, which requires monitoring and controlling remote access to sensitive systems to protect them from potential vulnerabilities.

Event 7045 captures details about the installation of new services on the system, which may be related to the configuration of remote or management services. These services could involve potential access to sensitive systems if not properly monitored and controlled.

This report allows you to detect the installation of services that could enable unauthorized remote access to critical systems. Monitoring these events ensures that only legitimate and controlled services are installed, contributing to system security and CMMC compliance by ensuring that remote access to sensitive systems is strictly managed and monitored.', null, null, null, null, null, null, null, null, null, 501, true, 290, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.032): Installation of Services', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (739, 'This report compiles relevant information from the Windows logs generated by event 4624, which is triggered when a user successfully logs into the system. This event is essential to comply with CMMC control AU.1.001, which requires retaining logs for basic review and ensuring that a proper audit of system access can be performed.

Event 4624 provides details about successful user login. This data is essential for maintaining a record of system access activities, allowing basic reviews to be performed to detect unauthorized access or unusual behavior.

This report helps ensure that login-related event logs are suitable for ongoing auditing, contributing to CMMC compliance and the ability to perform security reviews and analysis to protect the organization''s infrastructure.', null, null, null, null, null, null, null, null, null, 505, true, 265, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Account Logon Success', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (740, 'This report compiles relevant information from the Windows logs generated by event 4625, which is triggered when a login attempt fails on the system. This event is essential to comply with CMMC control AU.1.001, which requires retaining logs for basic review and ensuring the availability of information to audit access and detect possible inappropriate activities.

Event 4625 provides details about failed login attempts. This information is key to monitoring unauthorized system access attempts, identifying patterns of repeated failures or brute force attacks, and maintaining appropriate records for later review.

This report is useful for ensuring that event logs related to failed login attempts are stored and available for review. This contributes to compliance with CMMC regulations, allowing for basic audits and strengthening security through early detection of suspicious activities.', null, null, null, null, null, null, null, null, null, 505, true, 266, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Account Logon Failure', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (742, 'This report compiles relevant information from the Windows logs generated by event 4663, which is triggered when an object or file is accessed or modified in the system. This event is essential to comply with CMMC control AU.1.001, which requires the retention of logs for basic review, ensuring that records are maintained to audit access and modifications to objects in the system.

Event 4663 provides details about accesses to important files and objects. By compiling this information, it is easier to review access activities to critical data and protected objects, helping to detect possible unauthorized access or improper manipulation.

This report ensures that logs related to file access and modification are adequately retained, facilitating their review when necessary. This contributes not only to compliance with CMMC requirements, but also to strengthening system security by monitoring key activities that could signal threats or data exfiltration attempts.', null, null, null, null, null, null, null, null, null, 505, true, 277, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Access to critical files or specific directories', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (743, 'This report compiles relevant information from the Windows logs generated by event 1102, which is triggered when system audit logs are deleted or their status has changed. This event is crucial to comply with CMMC control AU.2.043, which requires ensuring that audit logs are protected from unauthorized modifications.

Event 1102 provides details about deleting audit logs. This information is key to ensuring that log deletion activities are reviewed, preventing the alteration or destruction of audit evidence that may be necessary for subsequent investigations.

This report contributes to the protection of logs, allowing security teams to detect and react to attempts to manipulate or delete key records that could compromise the integrity of the monitoring system. Additionally, it facilitates compliance with CMMC requirements by ensuring that logs are adequately protected against unauthorized modifications, which is essential to maintain audit reliability in the organization''s security environment.', null, null, null, null, null, null, null, null, null, 505, true, 295, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.043): Cleaned Event Log', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (744, 'This report collects relevant information from the Windows logs generated by event 4719, which is triggered when system audit policy settings are modified. This event is essential to comply with CMMC control AU.2.043, which requires ensuring that audit logs are protected from unauthorized modifications.

Event 4719 provides details about changes made to audit policy configurations. By monitoring this event, it is possible to identify alterations in auditing configurations that could indicate attempts to disable or manipulate the event log to hide suspicious or malicious activity.

This report is essential to ensure that system audit settings remain intact and protected from unauthorized changes, allowing security teams to quickly detect and respond to potential security incidents. Additionally, it contributes to CMMC compliance by ensuring that audit logs are kept protected, helping to preserve the integrity and reliability of the monitoring system and the ability to perform effective forensic audits.', null, null, null, null, null, null, null, null, null, 505, true, 280, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.043): Policy changes', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (745, 'This report collects relevant information from the Windows logs generated by event 4776, which is triggered during failed authentication attempts on a system through the use of incorrect credentials. This event is crucial to comply with CMMC control AU.3.044, which requires maintaining event logs for advanced review and effective response to security incidents.

Event 4776 provides details about authentication attempts. By monitoring this event, patterns of failed login attempts can be identified, which could indicate brute force attacks or unauthorized attempts to access the system.

This report is essential to retain relevant logs that can be reviewed later to identify possible threats or security incidents. Additionally, by storing these events appropriately, security teams can conduct subsequent investigations if suspicious activity is detected. This also facilitates CMMC compliance by ensuring that authentication records are thoroughly reviewed and can be used in effective incident response or analysis.', null, null, null, null, null, null, null, null, null, 505, true, 301, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.044): Account Authentication Using NTLM', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (746, 'This report collects relevant information from the Windows logs generated by event 4767, which is triggered when a user account is unlocked after being locked out due to failed login attempts or security policy violations. This event is crucial to comply with CMMC control AU.3.044, which requires maintaining logs for advanced review and appropriate response to security incidents.

Event 4767 provides details about the unlocked account. Monitoring this event allows us to detect situations in which a previously blocked account is restored, which could be indicative of a change in user behavior, or in some cases, a possible attempt to evade security measures.

This report is essential to retain logs of events related to account unlocking, which facilitates investigation and response to security incidents. By storing this information, security teams can perform advanced screening to identify suspicious patterns, contributing to rapid detection of potential threats. Additionally, this process helps ensure CMMC compliance by ensuring that account unlock events are appropriately reviewed and can be used for effective incident response.', null, null, null, null, null, null, null, null, null, 505, true, 336, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.044): Unlocked Account', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (747, 'This report collects relevant information from the Windows logs generated by event 4771, which is triggered when a login attempt via Kerberos is unsuccessful due to an authentication failure. This event is essential to comply with CMMC control AU.3.044, which requires retaining logs for advanced review and appropriate response to security incidents.

Event 4771 captures details about failed login attempts using the Kerberos protocol. Monitoring these events is key to identifying potential unauthorized access attempts or suspicious activities, such as brute force attacks or credential exploitation attempts.

This report is essential to maintain detailed records of failed login attempts and enable advanced review in case of security incidents. By storing this information, security teams can investigate patterns of failed attempts, detect unusual behavior, and take steps to prevent unauthorized access. Additionally, it contributes to CMMC compliance by ensuring that records are adequate for analysis and response to potential security incidents.', null, null, null, null, null, null, null, null, null, 505, true, 310, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.044): Kerberos pre-authentication failed', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (750, 'This report collects relevant information from the Windows logs generated by event 1100, which is triggered when the Windows Event Logging service stops. This event is crucial to comply with CMMC control AU.5.055, which requires the use of advanced tools to ensure the integrity and availability of the logs.

Event 1100 provides information about the stopping of the event log service, which is essential for monitoring potential interruptions in the audit process and ensuring that event logs are kept intact and accessible for future review. Collecting and analyzing these events can detect unauthorized shutdowns or issues with log integrity, which could impact the ability to perform accurate audits and respond to security incidents effectively.

This report facilitates the identification of events in which the event logging service has been stopped, allowing proactive monitoring to maintain continuity in the collection and preservation of logs. Additionally, it contributes to compliance with CMMC requirements, ensuring that log protection and availability mechanisms are effectively implemented and monitored in accordance with best security practices.', null, null, null, null, null, null, null, null, null, 505, true, 314, 'TEMPLATE', null, null, 'Windows Level 5 (AU.5.055): Event Logging Service Shut Down', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (751, 'This report collects relevant information from the Windows logs generated by event 5038, which is triggered when modification or deletion of an audit log file is detected or when unauthorized access is made to a protected log file. This event is essential to comply with CMMC control AU.4.053, which requires the implementation of integrity controls on audit logs to prevent their manipulation or alteration.

Event 5038 provides details about access to the log files, indicating whether there has been an alteration or inappropriate access to them. This information is crucial to ensuring the integrity of audit logs, helping to detect possible attempts to hide malicious activity or modify critical records.

This report is key to ensuring that audit logs are adequately protected against alterations or manipulations, allowing security teams to take immediate action if suspicious behavior is detected. By implementing effective integrity controls on logs, the reliability of the information used for analysis and response to security incidents is guaranteed. Additionally, it contributes to compliance with CMMC standards by ensuring that audit logs are kept protected from unauthorized modifications.', null, null, null, null, null, null, null, null, null, 505, true, 337, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Audit File integrity Validation Failed', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (752, 'This report collects relevant information from the Windows logs generated by event 1105, which is triggered when the Windows Event Logging Service backs up the event logs. This event is important to comply with CMMC control AU.5.055, which requires the use of advanced tools to guarantee the integrity and availability of the logs.

Event 1105 provides details on event log backup operations, allowing you to verify the integrity of the logs and their availability for future review or incident investigation. Collecting this event helps ensure that audit logs are adequately backed up, protecting their retention from unauthorized modifications or data loss.

This report is essential to ensure that event logs are backed up regularly and effectively, which contributes to the integrity of the logs and their availability for security analysis and investigations. Additionally, it helps meet CMMC requirements by providing an additional layer of protection and ensuring that log backup mechanisms are properly implemented and monitored across the organization''s IT infrastructure.', null, null, null, null, null, null, null, null, null, 505, true, 338, 'TEMPLATE', null, null, 'Windows Level 5 (AU.5.055): Log Automatic Backup', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (753, 'This report compiles relevant information from the Windows logs generated by event 4688, which is triggered when a new process is created on the system. This event is critical to comply with CMMC control SI.2.216, which requires detection of malicious code and response to malware infections.

Event 4688 provides details about the started processes, which is essential to identify suspicious processes that could be related to malware, such as unauthorized or unexpected programs running on the system. By analyzing this event, unusual activities can be identified that could indicate the presence of malicious software.

This report facilitates early malware detection by identifying potentially harmful processes that start on the system. It also allows security teams to investigate the source of suspicious processes and take corrective action before a more serious infection occurs. Additionally, it contributes to CMMC compliance by ensuring that risks associated with malware are proactively identified and managed.', null, null, null, null, null, null, null, null, null, 502, true, 284, 'TEMPLATE', null, null, 'Windows Level 2 (SI.2.216): Process Creation', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (754, 'This report compiles relevant information from the Windows logs generated by event 4697, which is activated when a service is installed on the system. This event is key to complying with CMMC control SI.2.216, which requires the detection of malicious code and effective response to malware infections.

Event 4697 provides details about newly installed services on the system, which may be indicative of the installation of unauthorized or malicious software. Many types of malware are installed on the system as services to maintain their persistence. By monitoring these events, you can quickly identify suspicious services that could have been introduced by malware.

This report makes it easier to detect potential malware infections by monitoring newly installed services, allowing security teams to respond efficiently to any signs of malicious activity. Additionally, it contributes to CMMC compliance by ensuring that the services installed on the system are legitimate and not related to malicious behavior.', null, null, null, null, null, null, null, null, null, 502, true, 305, 'TEMPLATE', null, null, 'Windows Level 2 (SI.2.216): Service Installed', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (755, 'This report compiles relevant information from the Windows logs generated by event 4720, which is triggered when a user account is created on the system. This event is essential to comply with CMMC control SI.2.216, which requires the detection of malicious code and effective response to malware infections.

Event 4720 provides details about the creation of new user accounts, which may be an indication of suspicious activity, such as the creation of unauthorized accounts by an attacker or malware. Some malware infections involve the creation of user accounts to facilitate persistent access to the compromised system.

This report helps identify the creation of unexpected or unauthorized user accounts, which may be a sign that the system has been compromised. By detecting these types of events early, security teams can quickly investigate the cause and take steps to mitigate any potential threats. Additionally, it contributes to CMMC compliance by ensuring that actions related to the creation of user accounts are appropriately monitored and managed to prevent potential malware infections.', null, null, null, null, null, null, null, null, null, 502, true, 267, 'TEMPLATE', null, null, 'Windows Level 2 (SI.2.216): User Accounts Created', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (756, 'This report compiles relevant information from the Windows logs generated by events 5140 and 5145, which are triggered when a network share is accessed or when changes are made to the share''s permissions. These events are critical to comply with CMMC control SI.3.219, which requires the implementation of network monitoring to detect attacks.

Events 5140 and 5145 provide details about accesses and modifications to shared resources on the network, which may be indicative of unusual or malicious behavior. Attackers often attempt to gain unauthorized access to shared resources to steal data or compromise systems. Monitoring these events allows you to identify suspicious access patterns that could signal attempts to exploit network vulnerabilities or lateral movement within the infrastructure.

This report is key to detect unauthorized access, attempts to escalate privileges or manipulation of permissions on critical resources. Correlating these events with other security data allows monitoring teams to identify attacks in real time, facilitating rapid and effective response to incidents. Additionally, it contributes to CMMC compliance by ensuring that appropriate measures are implemented to protect shared resources on the network and prevent malicious activities.', null, null, null, null, null, null, null, null, null, 502, true, 285, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.219): Network Access to shared resource', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (757, 'This report collects relevant information from the Windows logs generated by event 4776, which is triggered when a login authentication attempt is made using the NTLM (NT LAN Manager) protocol. This event is key to complying with CMMC control SI.3.219, which requires the implementation of network monitoring to detect attacks.

Event 4776 provides details about failed authentication attempts over NTLM, a protocol used for authentication on Windows networks. Identifying these failed attempts is essential to detect patterns of unauthorized access, such as brute force attacks or password guessing attempts, that seek to exploit vulnerabilities in authentication mechanisms. Monitoring these types of events helps prevent unauthorized access to critical systems and applications.

This report is crucial to detect potential vulnerabilities associated with NTLM that can be exploited by malicious actors, allowing security teams to quickly identify and respond to incidents related to unauthorized access. Additionally, it contributes to CMMC compliance by ensuring that appropriate network monitoring practices are implemented to detect and mitigate potential attacks that compromise the security of the organization''s systems.', null, null, null, null, null, null, null, null, null, 502, true, 301, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.219): Account Authentication Using NTLM', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (758, 'This report collects relevant information from the Windows logs generated by event 4648, which is triggered when a user session is authenticated using explicitly provided credentials (for example, username and password) to access network resources. This event is critical to comply with CMMC control SI.3.219, which requires the implementation of network monitoring to detect attacks.

Event 4648 provides details about authentication attempts made with explicit credentials, which is crucial for identifying both legitimate and potentially malicious access to critical systems and resources. Monitoring these types of events helps detect unusual behavior, such as unauthorized access attempts through network services or the use of compromised credentials.

This report is essential for detecting suspicious access patterns that could indicate malicious activity, such as brute force attacks, password guessing attempts, or lateral movement of an attacker within the network. It makes it easier for security teams to identify threats early and respond quickly to incidents involving unauthorized access or credential abuse, contributing to CMMC compliance by ensuring effective monitoring of critical systems and protection against attacks.', null, null, null, null, null, null, null, null, null, 502, true, 281, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.219): Logins with explicit credentials', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (759, 'This report collects relevant information from the Windows logs generated by event 1102, which is triggered when the system audit log is cleared. This event is essential to comply with CMMC control SI.4.221, which requires the use of automated tools to detect and respond to network anomalies.

Event 1102 provides details on audit log deletion, which is critical to identifying unauthorized actions or attempts to manipulate system logs, behavior that could indicate an attack or malicious activity. Monitoring these types of events is crucial to detect attempts to hide traces of previous attacks, which is behavior that can compromise the integrity of the network security system.

This report is key to strengthening the detection of anomalies and the protection of the network infrastructure, allowing security teams to take preventive and response measures against the unauthorized deletion of logs. Additionally, it contributes to CMMC compliance by ensuring that appropriate incident detection tools are used and the integrity of system logs is maintained, facilitating the identification and mitigation of potential network threats.', null, null, null, null, null, null, null, null, null, 502, true, 295, 'TEMPLATE', null, null, 'Windows Level 4 (SI.4.221): Cleaned Event Log', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (760, 'This report compiles relevant information from the Windows logs generated by event 4689, which is activated when a process or service ends its execution on the system. This event is key to complying with CMMC control SI.4.221, which requires the use of automated tools to detect and respond to network anomalies.

Event 4689 provides details about the termination of processes in the system, allowing you to monitor the activities taking place on the network and detect unusual behavior, such as the termination of unexpected or malicious processes. Monitoring this event helps identify potential attacks, intrusions, or malware that attempt to disrupt critical systems or evade detection of malicious activity.

This report is essential to ensure that security teams are capable of detecting and responding to anomalies in the network in an automated manner, allowing rapid and effective intervention in the event of any event that may jeopardize the security of the system. Additionally, it contributes to compliance with CMMC guidelines by ensuring that appropriate tools are implemented for the detection and response to incidents related to malicious activities within the network infrastructure.', null, null, null, null, null, null, null, null, null, 502, true, 302, 'TEMPLATE', null, null, 'Windows Level 4 (SI.4.221): Process Termination', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (761, 'This report collects relevant information from the Windows logs generated by event 7030, which is triggered when a service on the system stops unexpectedly or cannot start correctly. This event is essential to comply with CMMC control SI.5.223, which requires the use of advanced tools to improve endpoint detection capabilities.

Event 7030 provides details about failures to start or stop critical services, which may indicate security issues or attacks aimed at disrupting the normal operation of systems. Detecting these events is crucial as it could signal malicious activities such as disabling key services, manipulation of system configurations or attempts to hide traces of an attack.

This report allows security teams to identify compromised services that may have been affected by malware, ransomware or other types of threats. With the use of advanced monitoring tools, these events can be analyzed in conjunction with other logs to detect suspicious behavior patterns on endpoints and trigger immediate alerts.

By implementing this type of monitoring, the organization strengthens its ability to identify attacks or anomalous behavior on endpoints, allowing a faster and more effective response to security incidents. In addition, it contributes to compliance with CMMC regulations, ensuring the integration of advanced tools for threat detection and proactive protection of critical systems.', null, null, null, null, null, null, null, null, null, 502, true, 323, 'TEMPLATE', null, null, 'Windows Level 5 (SI.5.223): Service Control Manager Log Information', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (762, 'This report compiles relevant information from the Windows logs generated by event 1001, which is triggered when the system registers an event related to error activity or failures in system processes. This event is essential to comply with CMMC control SI.1.210, which requires identifying and correcting system failures, including those caused by malware or other vulnerabilities.

Event 1001 provides details about errors and failures recorded in the system, allowing security and infrastructure teams to identify issues that may be indicative of system failures, malware attacks, or malicious activities. By monitoring these events, the organization can quickly detect anomalous behavior or system vulnerabilities that could be exploited by malicious actors.

This report is key to identifying and correcting any system failure that may compromise security, allowing an early response to malware incidents or other threats that affect the integrity of the system. Additionally, it contributes to CMMC compliance by providing a proactive mechanism for fault detection and correction, which helps strengthen the organization''s overall security posture.', null, null, null, null, null, null, null, null, null, 502, true, 339, 'TEMPLATE', null, null, 'Windows Level 1 (SI.1.210): Windows Error Reporting', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (763, 'This report collects relevant information from the Windows logs generated by event 6008, which is triggered when the system detects an unexpected shutdown or unexpected restart of the operating system. This event is crucial to comply with CMMC control SI.1.210, which requires the identification and correction of system failures, including those caused by malware or other vulnerabilities.

Event 6008 provides details about the cause of an unexpected shutdown, which may indicate the presence of system crashes, critical errors, or malicious activities such as malware attacks that affect system stability. By analyzing these events, security teams can identify patterns that suggest tampering attempts or attacks that exploit vulnerabilities in the system.

This report allows the organization to quickly detect problems that may compromise security, facilitating the correction of system failures and the mitigation of risks associated with malware or operational failures. Additionally, it contributes to CMMC compliance by providing a tool for early detection of incidents and taking appropriate corrective actions, strengthening the organization''s security posture.', null, null, null, null, null, null, null, null, null, 502, true, 340, 'TEMPLATE', null, null, 'Windows Level 1 (SI.1.210): Logging Unexpected System Shutdowns', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (764, 'This report collects relevant information from the Windows logs generated by event 7031, which is triggered when a Windows service stops unexpectedly. This event is essential to comply with CMMC control SI.1.210, which requires the identification and correction of system failures, including those related to malware or operating system malfunctions.

Event 7031 provides details about which services have failed, which may be indicative of critical system failures or a potential security compromise, such as malware attacks that disrupt the normal operation of the services. Analysis of this event can identify services that stop abnormally and, by correlating it with other security events, can help identify suspicious patterns or malware infections.

This report is useful for detecting failures or interruptions in critical system services, facilitating the correction of failures and the investigation of possible security incidents. Additionally, it contributes to CMMC compliance by providing visibility into operational issues and the need for corrective action, helping to protect infrastructure against risks related to system service failures or cyber attacks.', null, null, null, null, null, null, null, null, null, 502, true, 341, 'TEMPLATE', null, null, 'Windows Level 1 (SI.1.210): Windows Unexpected Service Failures', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (765, 'This report compiles relevant information from the Windows logs generated by event 7038, which is activated when a service in the system changes state, whether started, stopped, or with an error in its execution. This event is crucial to comply with CMMC control SI.2.216, which requires detection of malicious code and appropriate response to malware infections.

Event 7038 can provide clues about the execution of services associated with possible malware infections, since certain malware can install or modify services to maintain its persistence in the system. By reviewing these events, you can identify services that should not be active or those that are exhibiting anomalous behavior that could be related to an infection.

This report allows detecting anomalies in the execution of services, which is an essential part of the response process for malware incidents. By monitoring these events, security teams can quickly identify any suspicious services that have been compromised and take necessary corrective actions, ensuring compliance with CMMC practices regarding protection and detection of malware-related threats.', null, null, null, null, null, null, null, null, null, 502, true, 342, 'TEMPLATE', null, null, 'Windows Level 2 (SI.2.216): Services Changes', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (766, 'This report collects relevant information from the Windows logs generated by event 4769, which is triggered when a Kerberos authentication request is successfully processed in the network environment. This event is critical to comply with CMMC control SI.3.219, which requires the implementation of network monitoring to detect attacks.

Event 4769 provides details about Kerberos service ticket requests. Monitoring these types of events is essential to identify unusual activities, such as attempts to exploit vulnerabilities in the Kerberos protocol, replay attacks, or lateral movement of attackers within the network.

This report allows you to detect suspicious behavior that could indicate unauthorized access or attempts to abuse privileges through the Kerberos protocol. Additionally, it facilitates the ability of security teams to investigate potential authentication-related incidents and prevent potential attacks before they compromise the organization''s sensitive systems, contributing to CMMC compliance and strengthening infrastructure protection.', null, null, null, null, null, null, null, null, null, 502, true, 343, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.219): Kerberos Service Ticket', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (767, 'This report compiles relevant information from the Windows logs generated by event 1058, which is triggered when a problem accessing network resources or group policy files prevents the system from completing the update or application of security policies. . This event is essential to comply with CMMC control SI.5.223, which requires improving detection capabilities on endpoints using advanced tools.

Event 1058 provides details on failures in the update of group policies due to errors in accessing files or resources on the network, which may be indicative of an attempt to interfere with security settings or a system anomaly. Since group policies are essential for system security and configuration, any errors in your application could signal a tampering attack or the presence of malware attempting to bypass security settings.

This Reporting is crucial for detecting and responding to anomalies related to system configuration and security, helping to ensure that endpoints follow appropriate security policies. Additionally, it contributes to CMMC compliance by ensuring that advanced tools are used to detect failures and threats that may compromise the integrity of the organization''s systems.', null, null, null, null, null, null, null, null, null, 502, true, 344, 'TEMPLATE', null, null, 'Windows Level 5 (SI.5.223): Application of Group Policies Errors', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (768, 'This report compiles key information from the Windows logs generated by events 4688 and 4689, which are related to the creation of new processes and the termination of processes in the system. These events are essential to comply with CMMC control SI.5.223, which requires the use of advanced tools to improve detection capabilities on endpoints and detect suspicious or malicious behavior.

Event 4688 is triggered when a process is created on the system, providing details about the executable, the user who started the process, and the command line used. Event 4689, for its part, records when a process ends, which allows monitoring the activity of the processes in real time.

By reviewing these events, suspicious process execution, rogue applications, or malware activity can be detected, enabling rapid response to security incidents. Additionally, correlating these events with other system logs makes it easier to identify behavioral patterns that could signal an imminent threat.

This report is crucial to strengthening threat detection at the endpoint level, allowing security teams to identify and respond to malicious activity more effectively. Likewise, it contributes to CMMC compliance by improving monitoring and incident response capabilities, especially with respect to the execution and termination of processes in the organization''s systems.', null, null, null, null, null, null, null, null, null, 502, true, 345, 'TEMPLATE', null, null, 'Windows Level 5 (SI.5.223): Created and Terminated Processes', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (769, 'This report collects relevant information from the Windows logs generated by event 4663, which is triggered when an access attempt is made to an object with specific permissions, such as files, folders, or registry keys. This event is key to complying with CMMC control CM.2.063, which requires monitoring changes to the system to detect unauthorized or suspicious modifications.

By monitoring these events, security teams can identify anomalous activity, such as attempts to modify critical system files, changes to security configurations, or improper access to sensitive data.

This report allows administrators to evaluate whether changes made to the system are legitimate or indicate a possible threat, such as file manipulation by malware or a user with improper privileges. Additionally, its analysis contributes to CMMC compliance by ensuring that changes to the system are recorded and reviewed to prevent security incidents.', null, null, null, null, null, null, null, null, null, 506, true, 277, 'TEMPLATE', null, null, 'Windows Level 2 (CM.2.063): Access to critical files or specific directories', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (770, 'This report compiles relevant information from the Windows logs generated by event 4688, which is triggered when a new process is created on the system. This event is critical to comply with CMMC control CM.2.063, which requires monitoring of system changes to detect unauthorized or suspicious modifications.

Analysis of these logs can identify anomalous activities, such as the execution of unauthorized software, the launch of malicious scripts, or attempts to escalate privileges.

This report helps security teams track the creation of processes in the system, evaluate potential threats, and quickly respond to suspicious events. Additionally, its implementation contributes to CMMC compliance, ensuring that changes to the system are monitored and that potential risks are detected before compromising the integrity of the infrastructure.', null, null, null, null, null, null, null, null, null, 506, true, 284, 'TEMPLATE', null, null, 'Windows Level 2 (CM.2.063): Process Creation', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (771, 'This report collects relevant information from the Windows logs generated by event 7045, which is triggered when a new service is installed on the system. This event is crucial to comply with CMMC control CM.2.063, which requires monitoring system changes to detect unauthorized or suspicious modifications.

Reviewing these logs can identify the installation of unauthorized services, unapproved remote access tools, or malicious activity related to persistent threats on the system.

This report helps security teams quickly detect and respond to the installation of new services, ensuring the integrity of the environment and minimizing the risks associated with uncontrolled changes to the infrastructure. Its implementation contributes to CMMC compliance, ensuring that system configuration changes are monitored and potential threats are detected before compromising organizational security.', null, null, null, null, null, null, null, null, null, 506, true, 290, 'TEMPLATE', null, null, 'Windows Level 2 (CM.2.063): Installation of Services', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (772, 'This report collects relevant information from the Windows logs generated by event 4719, which is triggered when changes are made to the system audit policy configuration. This event is critical to comply with CMMC control CM.3.068, which requires the implementation of controls to manage system configurations and ensure infrastructure security.

Monitoring this event can detect unauthorized or suspicious alterations to the audit logs, which could indicate monitoring evasion attempts or malicious activities within the system.

This report is essential so that security teams can identify and respond to changes in audit configuration, ensuring that critical records remain protected and that any modifications to system policies are properly evaluated and justified. Its implementation strengthens configuration management and contributes to CMMC compliance, ensuring rigorous control over the integrity of the organizational infrastructure.', null, null, null, null, null, null, null, null, null, 506, true, 280, 'TEMPLATE', null, null, 'Windows Level 3 (CM.3.068): Policy changes', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (773, 'This report compiles relevant information from the Windows logs generated by event 4735, which is triggered when changes are made to the properties of a security group on the system. This event is key to complying with CMMC control CM.3.068, which requires the implementation of controls to manage system configurations and ensure infrastructure security.

Event 4735 provides details about modifications to security groups. Monitoring this event is critical to detect unauthorized changes to security groups, which could indicate attempted privilege escalation, alterations to access permissions, or misconfigurations that compromise system security.

This report allows security teams to identify and respond to changes in system configuration, ensuring that changes are authorized and aligned with established security policies. Its implementation strengthens configuration management and contributes to CMMC compliance, ensuring that controls over security groups remain within the parameters defined by the organization.', null, null, null, null, null, null, null, null, null, 506, true, 319, 'TEMPLATE', null, null, 'Windows Level 3 (CM.3.068): Security enabled local group change', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (774, 'This report compiles relevant information from the Windows logs generated by event 4738, which is activated when a modification is made to a user''s account within the system. This event is key to complying with CMMC control CM.3.068, which requires the implementation of controls to manage system configurations and ensure infrastructure security.

Monitoring this event is critical to detect unauthorized alterations to user accounts, which could indicate privilege escalation attempts, account compromises, or misconfigurations that could impact system security.

This report allows security teams to audit and validate that all modifications to user accounts are authorized and comply with established security policies. Its implementation strengthens system configuration management and contributes to CMMC compliance, ensuring that account changes are appropriately monitored and controlled to prevent improper access or incorrect configurations.', null, null, null, null, null, null, null, null, null, 506, true, 308, 'TEMPLATE', null, null, 'Windows Level 3 (CM.3.068): User Account Attributes Changes', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (775, 'This report compiles relevant information from the Windows logs generated by event 4740, which is triggered when a user account is locked due to failed login attempts. This event is essential to comply with CMMC control CM.3.068, which requires the implementation of controls to manage system configurations and ensure access security.

Monitoring this event can detect possible brute force attacks, unauthorized access attempts, or authentication misconfigurations that could compromise system security.

This report allows security teams to properly analyze and manage account lockouts, ensuring that access is monitored and controlled in accordance with established policies. Its implementation strengthens system configuration management and contributes to CMMC compliance, guaranteeing a timely response to possible threats related to access to user accounts.', null, null, null, null, null, null, null, null, null, 506, true, 276, 'TEMPLATE', null, null, 'Windows Level 3 (CM.3.068): Account Locks', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (776, 'This report compiles relevant information from the Windows logs generated by event 5058, which is triggered when a private key is loaded or modified in Windows Key and Certificate Manager. This event is crucial to comply with CMMC Level 3 control CM.3.068, which requires the implementation of controls to manage system configurations.

Event 5058 allows you to monitor changes in cryptographic key management, which is essential to detect possible attempts at certificate manipulation, unauthorized access to private keys, or improper configurations that may compromise system security. Identifying and recording these changes helps prevent attacks based on altered credentials or misuse of digital certificates.

This report provides visibility into changes to the key and certificate infrastructure, allowing security teams to evaluate the integrity of cryptographic mechanisms and ensure compliance with organizational security policies, thus strengthening risk management and protection of assets. critical assets.', null, null, null, null, null, null, null, null, null, 506, true, 304, 'TEMPLATE', null, null, 'Windows Level 3 (CM.3.068): Certificate Configuration Changes', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (777, 'This report collects relevant information from the Windows logs generated by event 1102, which is triggered when the audit log is cleared on a system. This event is critical to comply with CMMC Level 4 control CM.4.070, which requires automation of the detection of unauthorized changes to systems.

Event 1102 provides details on the deletion of audit logs, which is essential for detecting suspicious or malicious activities that attempt to hide traces of unauthorized access or malicious actions on the system. Deleting or altering audit logs can be an indication that an attacker is trying to cover their tracks or modify evidence, posing a significant threat to system security and integrity.

This report is key to detecting possible attempts to manipulate or delete logs, ensuring that audit logs are protected and that any unauthorized changes to the system configuration can be detected. In addition, it facilitates the automation of the monitoring process, which is essential to identify threats in real time and ensure that organizational security policies are met, supporting CMMC compliance at its most advanced level.', null, null, null, null, null, null, null, null, null, 506, true, 295, 'TEMPLATE', null, null, 'Windows Level 4 (CM.4.070): Cleaned Event Log', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (778, 'This report compiles relevant information from the Windows logs generated by event 4732, which is triggered when a user is added to a security group on a system. This event is key to complying with CMMC Level 4 control CM.4.070, which requires automation of the detection of unauthorized changes to systems.

Event 4732 provides details on modifications made to security groups, which is essential for tracking changes in access privileges to critical resources within the IT infrastructure. An unauthorized change to security groups may indicate an attempt to elevate privileges or compromise access control to sensitive data. Detecting these events automatically helps prevent unauthorized users from gaining improper access to systems or applications.

This reporting is critical to identifying and preventing malicious internal movements, such as unauthorized access to privileged systems or escalation of privileges, ensuring that appropriate security configurations are maintained and that access controls are constantly monitored. Additionally, it contributes to CMMC Level 4 compliance by enabling the automation of unauthorized change detection, which is essential for rapid response to security incidents.', null, null, null, null, null, null, null, null, null, 506, true, 320, 'TEMPLATE', null, null, 'Windows Level 4 (CM.4.070): Member Addition to a Security Local Group', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (779, 'This report collects relevant information from the Windows logs generated by event 4776, which is triggered when an authentication attempt is made through NTLM. This event is essential to comply with CMMC Level 4 control CM.4.070, which requires automation of the detection of unauthorized changes to systems.

This event is especially useful for identifying unusual patterns that may indicate unauthorized activity, such as login attempts using compromised credentials or brute force password guessing attacks.

Automating the detection of these events helps protect against unauthorized access to critical systems and ensures that any change in authentication is quickly detected, preventing malicious actors from executing internal or external attacks. In addition, it allows for a faster and more efficient response to incidents related to unauthorized access.

This report is essential to strengthen the security of the systems by detecting possible gaps in access to the systems and maintaining constant surveillance over the credentials used in the environment. It also contributes to CMMC Level 4 compliance by ensuring the implementation of automatic controls for the detection of unauthorized changes related to authentication.', null, null, null, null, null, null, null, null, null, 506, true, 301, 'TEMPLATE', null, null, 'Windows Level 4 (CM.4.070): Account Authentication Using NTLM', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (780, 'This report compiles relevant information from the Windows logs generated by event 4907, which is triggered when a change in security audit policies is detected. This event is key to complying with CMMC Level 4 control CM.4.070, which requires automation of the detection of unauthorized changes to systems.

Event 4907 provides details on modifications to auditing configurations, which are essential to detect unauthorized adjustments that could alter security audit behavior, thereby compromising the integrity of monitoring and data protection policies. Unauthorized changes to auditing configurations may indicate attempts to hide malicious activity or interfere with monitoring and control processes.

Automating the detection of these types of changes is essential to guarantee transparency in system activities and the protection of the infrastructure against possible malicious manipulations. This report makes it easy to identify unauthorized modifications to audit policies, allowing preventive measures to be taken before they affect system security.

Automated monitoring of these types of events ensures that any alterations to audit configurations are detected quickly, allowing security teams to respond immediately to threats or suspicious activities. Additionally, it contributes to CMMC Level 4 compliance by strengthening the organization''s ability to proactively detect and respond to unauthorized changes to security systems.', null, null, null, null, null, null, null, null, null, 506, true, 291, 'TEMPLATE', null, null, 'Windows Level 4 (CM.4.070): Restoration of default security policies', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (781, 'This report compiles relevant information from the Windows logs generated by event 4946, which is triggered when a change is made to the audit policies related to the system''s security configuration. This event is essential to comply with CMMC Level 4 control CM.4.070, which requires automation in the detection of unauthorized changes to systems.

Event 4946 provides details about changes to security auditing configurations, which could be used by malicious actors to modify auditing parameters in order to hide their activities or interfere with incident detection mechanisms. Monitoring this event makes it easier to identify unauthorized alterations to auditing configurations, allowing administrators to detect attempts to tamper with the system and act quickly.

Automating the detection of these changes is crucial to ensure that the security infrastructure remains intact and that any alterations to audit policies are detected without delay. This report helps organizations prevent malicious or unauthorized changes from going undetected, ensuring that systems integrity and audit policies are not compromised.

Automated monitoring of these types of events also contributes to CMMC Level 4 compliance by improving the organization''s ability to quickly detect and respond to security incidents, increasing overall threat protection and strengthening network security posture. ', null, null, null, null, null, null, null, null, null, 506, true, 346, 'TEMPLATE', null, null, 'Windows Level 4 (CM.4.070): Firewall Exception List Changed', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (782, 'This report compiles relevant information from the Windows logs generated by event 4728, which is triggered when a user is added to a group with elevated privileges on the system. This event is key to complying with CMMC Level 2 control AC.2.007, which requires the implementation of the "least privilege" principle to ensure that users only have the permissions necessary to perform their tasks.

Event 4728 provides details about changes to user groups, particularly those related to the assignment of elevated privileges. By monitoring this event, organizations can check whether unauthorized or inappropriate changes are being made to user permissions, which could violate the principle of least privilege.

Detecting these changes is essential to ensure that users do not gain more privileges than necessary to perform their functions, thereby minimizing the risk of privilege abuse, unauthorized access, or privilege escalations. Additionally, constant monitoring of this event allows for rapid response to any attempts to assign excessive privileges to unauthorized users.

This report not only helps maintain tighter control over the assignment of privileges within the infrastructure, but also reinforces security practices based on the principle of least privilege, which is essential for CMMC Level 2 compliance.', null, null, null, null, null, null, null, null, null, 508, true, 316, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): Additions to Security Groups', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (783, 'This report compiles relevant information from the Windows logs generated by event 4729, which is triggered when a user is removed from a group with elevated privileges on the system. This event is key to complying with CMMC Level 2 control AC.2.007, which establishes the need to apply the principle of "least privilege" to ensure that users only have the permissions strictly necessary to perform their tasks.

Event 4729 provides details on changes affecting user groups, especially those linked to the removal of elevated privileges. By monitoring this event, organizations can verify that users are being appropriately removed from groups with additional privileges when they no longer need them or have a valid justification for maintaining them.

Monitoring and reviewing these types of events ensures that security is maintained within the IT infrastructure, minimizing the risk of privilege abuse or unauthorized access. Proper removal of excessive privileges is essential to prevent privilege escalations or improper access to sensitive systems and applications.

This report is essential to strengthen CMMC Level 2 compliance by ensuring that the principle of least privilege is consistently implemented and respected within the organization, reducing the risk of potential internal or external threats associated with unnecessary privileges.', null, null, null, null, null, null, null, null, null, 508, true, 317, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): Security Group Member Removal', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (784, 'This report compiles relevant information from the Windows logs generated by event 4732, which is triggered when a user is added to a group with elevated privileges on the system. This event is essential to comply with CMMC Level 2 control AC.2.007, which requires the implementation of the "least privilege" principle, ensuring that users are only given the permissions necessary to perform their tasks.

Event 4732 provides details about adding users to security groups, especially those with elevated privileges, such as administrators or users with access to sensitive resources. Monitoring this event allows organizations to ensure that users are not assigned to these groups without adequate justification and that permissions are granted only to those who truly need them to fulfill their functions.

Proper monitoring of this event is key to avoiding privilege overload within the IT infrastructure, which could result in the risk of unauthorized access or escalation of privileges. Reviewing and auditing the information contained in event 4732 ensures that the principle of least privilege is maintained and that the risk of improper access to sensitive systems or applications is minimized.

This report is essential for CMMC Level 2 compliance, as it ensures that permissions and privileges are appropriately managed and that the principle of least privilege is correctly implemented to prevent potential internal and external threats.', null, null, null, null, null, null, null, null, null, 508, true, 320, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): Member Addition to a Security Local Group', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (785, 'This report compiles relevant information from the Windows logs generated by event 4733, which is triggered when a user is removed from a group with elevated privileges on the system. This event is essential to comply with CMMC Level 2 control AC.2.007, which requires the implementation and monitoring of the "least privilege" principle. This principle establishes that users should have only the permissions strictly necessary to perform their tasks, avoiding the unnecessary granting of elevated privileges.

Event 4733 provides details on removing users from elevated security groups, which is critical to properly managing access within the IT infrastructure. Monitoring this event ensures that users who no longer need special permissions are promptly removed from such groups, which helps prevent misuse of elevated privileges.

The analysis of this event allows us to detect possible violations of the principle of least privilege, such as the unauthorized permanence of a user in a privileged group, which could generate risks of unauthorized access to sensitive systems or resources. It is a preventative measure to minimize entry points into systems, ensuring that only users with a legitimate need maintain such privileges.

This report is key to CMMC Level 2 compliance, as it helps ensure that privilege management is carried out in a controlled manner and that access is appropriate, helping to prevent both internal and external threats.', null, null, null, null, null, null, null, null, null, 508, true, 321, 'TEMPLATE', null, null, 'Windows Level 2 (AC.2.007): Local Security Group Member Removal', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (787, 'This report collects relevant information from the Windows logs generated by event 4672, which is triggered when a user obtains elevated privileges when logging into the system. This event is crucial to comply with CMMC Level 3 control AC.3.027, which requires the implementation of measures to monitor and restrict the use of privileged access.

Event 4672 provides details about logins for users who have been granted elevated privileges, such as administrators or members of other groups with access to critical system functions. Monitoring this event is essential to ensure that privileged access is used appropriately and only by users authorized to perform specific tasks that require such privileges.

This report allows security teams to detect unauthorized access or inappropriate use of elevated privileges, whether by mistake or due to malicious behavior. It also helps identify potential risks related to abuse of administrative privileges, ensuring these are closely monitored to prevent uncontrolled access to sensitive systems.

Analysis of this event reinforces CMMC Level 3 compliance, as it helps ensure that the use of privileged access is strictly controlled and that any anomalies are detected in time, mitigating the risk of compromising system security. This type of monitoring contributes to implementing a more robust and efficient security strategy.', null, null, null, null, null, null, null, null, null, 508, true, 278, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.027): Special privileges assigned to new logon', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (788, 'This report compiles relevant information from the Windows logs generated by event 4624, which is triggered when a user logs on to the system. The event is especially important when it comes to logging in with elevated privileges, such as an administrator, and is key to complying with CMMC Level 3 control AC.3.027, which requires monitoring and restricting the use of privileged access.

Event 4624 provides details on successful login attempts, and in particular, those involving privileged accounts. This information allows us to identify users who access systems with elevated privileges and whether such access is being used appropriately.

Monitoring this access is essential to ensure that elevated accounts are used only by authorized users and for the specific tasks for which they have been assigned such access. Additionally, information from 4624 events helps detect anomalous or potentially dangerous behavior that could indicate abuse of privileges, unauthorized access, or malicious movements within the infrastructure.

This report supports security teams in the implementation of access controls and privilege management, thus contributing to the prevention of possible security incidents. In doing so, it reinforces compliance with CMMC Level 3 control AC.3.027, ensuring that privileged access is strictly controlled, monitored and restricted according to the operational and security needs of the organization.', null, null, null, null, null, null, null, null, null, 508, true, 265, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.027): Account Logon Success', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (789, 'This report compiles relevant information from the Windows logs generated by event 4625, which is triggered when a login attempt is rejected due to incorrect credentials or unauthorized access. This event is crucial for compliance with CMMC Level 3 control AC.3.027, which requires monitoring and restricting the use of privileged access.

Event 4625 provides details about failed login attempts, including those involving privileged accounts. Monitoring these events is essential to detect unauthorized access attempts to critical systems, especially those seeking to gain elevated privileges, such as administrator privileges. Additionally, this type of information is useful for identifying patterns of behavior that could indicate malicious activity, such as brute force attacks or credential exploitation attempts.

This report helps organizations track failed access attempts to privileged accounts, enabling alerts and corrective actions to be implemented in the event of suspicious activity or security policy violations. Thus, it helps restrict privileged access only to authorized users and ensures that preventive measures are taken to prevent abuse of such privileges.

The report also plays an important role in improving security posture by identifying potential access gaps before attackers can exploit them. It directly contributes to compliance with control AC.3.027 of CMMC Level 3, strengthening the monitoring and control mechanisms of privileged access within the organization.', null, null, null, null, null, null, null, null, null, 508, true, 266, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.027): Account Logon Failure', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (790, 'This report compiles relevant information from the Windows logs generated by events 4673 and 4674, which are related to monitoring the activity of privileged accounts. Event 4673 is triggered when a privileged user attempts to access a sensitive action, while event 4674 signals the performance of a privileged type operation on a system. Both events are critical to complying with CMMC Level 3 control AC.3.027, which requires monitoring and restricting the use of privileged access in the IT infrastructure.

Event 4673 provides information about the initiation of an attempt to use elevated privileges, and event 4674 is associated with the actual execution of these actions, such as installing software, modifying critical configurations, or accessing sensitive information. Together, they provide detailed insight into how and when privileged users interact with the system, which is essential for detecting and preventing inappropriate uses of privileges.

This report contributes to security by identifying patterns of activity that could indicate privilege abuse or attempted exploitation of privileged accounts, allowing stricter controls to be applied to restrict unauthorized access and closely monitor critical actions performed by privileged users. . In addition, it is a key tool to ensure that security policies and segregation of privileges are respected, minimizing the risks of unwanted or malicious access.

Monitoring these events directly contributes to compliance with AC.3.027 of CMMC Level 3, improving the organization''s capabilities to restrict and monitor the use of privileged access, and ensuring that only authorized users can perform critical activities on the systems.', null, null, null, null, null, null, null, null, null, 508, true, 286, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.027): Use of Elevated Privileges', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (791, 'This report compiles relevant information from the Windows logs generated by event 4688, which is triggered every time a new process is created on the system, providing crucial details about process execution attempts by users, including those with privileges. elevated. This event is key to comply with CMMC Level 3 control AC.3.027, which requires monitoring and restricting the use of privileged access.

Monitoring 4688 events allows administrators to detect when a potentially risky or unauthorized process is running on the system, especially when it is launched by a user with elevated privileges.

This report is essential for the early detection of suspicious activities, as it can identify attempts to run malicious programs or the execution of critical processes by users who should not have access to them. It also allows detecting anomalous behavior, such as the unauthorized use of administrative tools or the execution of commands that could compromise the security of the system.

By providing visibility into what processes are being executed and by whom, this report helps identify and restrict inappropriate use of elevated privileges, directly contributing to compliance with CMMC Level 3 AC.3.027. This monitoring is an essential tool for protecting systems. of possible risks related to the abuse of privileged access and strengthen security and access control policies.', null, null, null, null, null, null, null, null, null, 508, true, 284, 'TEMPLATE', null, null, 'Windows Level 3 (AC.3.027): Process Creation', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (792, 'This report compiles relevant information from Windows logs associated with Account Manipulation, Domain Policy Modification, Impair Defenses, and Account Access Removal alerts, which are key events for the detection and prevention of privilege escalation in the IT environment. This information is used to verify compliance with CMMC Level 4 control AC.4.028, which requires automation of privilege escalation detection.

Account Manipulation events include activities such as modifying user accounts, assigning roles and privileges, which may indicate attempts to gain elevated access in an unauthorized manner. Domain Policy Modification alerts reflect changes to domain policies that could allow privilege escalation at the network level, and Impair Defenses alerts detect modifications that affect security measures implemented to protect the system. Finally, Account Access Removal alerts record attempts to remove account access, which may be a sign of an attempt to cover the tracks of an attack.

Monitoring these events helps identify anomalous patterns or suspicious actions related to unauthorized elevation of privileges, which is crucial to preventing unauthorized access and potential security compromises. Automating the detection of these events ensures a faster and more accurate response to any attempted privilege escalation, minimizing the risk that an attacker can gain access to critical resources without being detected.

This report contributes significantly to compliance with AC.4.028 by providing a centralized, automated view of key events related to privilege escalation. By automating detection, you strengthen your organization''s security posture, enabling you to efficiently detect and mitigate privilege escalation attacks before they severely impact sensitive data and infrastructure.', null, null, null, null, null, null, null, null, null, 508, true, 347, 'TEMPLATE', null, null, 'Windows Level 4 (AC.4.028): Privilege Escalation Alerts', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (793, 'This report collects relevant information from the Windows logs generated by event 7031, which is triggered when the Service Control Manager (SCM) detects that a service has ended unexpectedly. The event is especially important when such termination is unplanned or may be related to malicious activities, such as malware infections, and is key to complying with CMMC Level 1 control SI.1.210, which requires identifying and correcting malware infections.

Event 7031 provides details about services that have stopped unexpectedly. These events allow security teams to detect possible attempts by attackers to disable critical system services through malware or other forms of manipulation.

Monitoring these types of events is essential to identify anomalous or malicious activities that may compromise the stability and security of systems. Collecting 7031 event information allows security teams to act quickly on unexpected termination of services, which could indicate that malware is attempting to interfere with system processes.

This report is essential to ensure that malware infections are detected in time and that essential system services are restored and protected. In addition, it contributes to compliance with CMMC Level 1 control SI.1.210, ensuring that systems are continuously monitored and protected against threats that may affect their operation and security.', null, null, null, null, null, null, null, null, null, 507, true, 341, 'TEMPLATE', null, null, 'Windows Level 1 (SI.1.210): Windows Unexpected Service Failures', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (794, 'Este reporte recopila información relevante de los logs de Windows generados por el evento 4688, el cual se activa cuando un proceso es creado en el sistema. El evento es particularmente importante para identificar actividades sospechosas, como la ejecución de procesos maliciosos, que podrían estar relacionados con infecciones de malware, y es esencial para cumplir con el control SI.1.210 de CMMC Level 1, que exige identificar y corregir infecciones de malware.

El evento 4688 proporciona detalles sobre los procesos que se inician, incluyendo el nombre del ejecutable, la ruta, el ID del proceso padre y otros detalles asociados. Estos datos permiten detectar si un proceso está relacionado con malware o comportamientos no autorizados en el sistema. La creación de nuevos procesos no autorizados o el comportamiento inusual de procesos conocidos puede ser un indicio de una infección activa o un ataque en curso.

Monitorear los eventos 4688 es crucial para identificar posibles infecciones de malware en sus primeras etapas, así como para detectar actividades anómalas relacionadas con la ejecución de código malicioso. Esta información permite a los equipos de seguridad tomar medidas inmediatas, como la detención de procesos maliciosos, la cuarentena de archivos o el análisis forense para determinar el origen y el impacto de la amenaza.

Este reporte es una herramienta clave para fortalecer las capacidades de detección de malware dentro de la infraestructura de la organización, contribuyendo así al cumplimiento del control SI.1.210 de CMMC Level 1.', null, null, null, null, null, null, null, null, null, 507, true, 284, 'TEMPLATE', null, null, 'Windows Level 1 (SI.1.210): Process Creation', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (795, 'This report compiles relevant information from the Windows logs generated by event 4719, which is activated when a modification is made to the system audit policy. This event is important for identifying unauthorized changes that may be related to disabling security auditing or attempts to hide traces of malware infections. It is key to complying with CMMC Level 1 control SI.1.210, which requires identifying and correcting malware infections.

Event 4719 provides details about the modifications made to the auditing configuration. Auditing configurations are essential for recording system security-related events such as logins, file modifications, and system configuration changes.

Monitoring this event allows security teams to detect suspicious changes to audit policies that may have been made by an attacker to eliminate evidence of malicious activity. Additionally, identifying these changes early can help prevent the spread of malware and ensure that the system maintains its ability to detect and record malicious user actions or processes.

This report supports security teams in implementing controls to detect and correct malware infections, thus contributing to compliance with CMMC Level 1 control SI.1.210, and ensuring that system audit policies are correctly configured to detect behaviors anomalous and malware attacks.', null, null, null, null, null, null, null, null, null, 507, true, 280, 'TEMPLATE', null, null, 'Windows Level 1 (SI.1.210): Policy changes', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (796, 'This report collects relevant information from the Windows logs generated by event 5158, which is triggered when the Windows Filtering Platform (WFP) blocks a network connection due to configured filtering rules. The event is particularly important for CMMC Level 3 control SI.3.219, which requires the implementation of endpoint monitoring for malware detection.

The Windows Filtering Platform (WFP) is an infrastructure that enables filtering of network traffic, providing fine-grained control over incoming and outgoing connections. When a connection is blocked by network filtering policies, event 5158 records information related to that action, which helps identify suspicious traffic patterns, unauthorized access attempts, or the communication of malware across the network. .

Monitoring these types of events is crucial to detect malicious activity in real time, such as malware attempts to exfiltrate information or connect to command and control servers. This event provides key details about network connections that have been stopped by WFP filtering rules, allowing security teams to identify, investigate, and mitigate potential threats before they can compromise the system.

This report is essential to ensure that network infrastructure protection measures are working correctly, contributing to compliance with CMMC Level 3 control SI.3.219 by enabling effective monitoring of endpoints and early detection of malware and cyber attacks.', null, null, null, null, null, null, null, null, null, 507, true, 296, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.219): Filtering Platform', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (798, 'This report compiles relevant information from the Windows logs generated by event 4697, which is activated when the installation of a new service on the system is detected. This event is key to complying with CMMC Level 3 control SI.3.219, which requires the implementation of endpoint monitoring for malware detection.

Event 4697 provides details about the services installed on the system. Monitoring these types of events is essential to detect the installation of unauthorized services that could be used by malicious actors to execute malicious code or establish persistence on the system.

Analyzing these events allows security teams to identify suspicious activity, such as the installation of malware or exploitation tools attempting to covertly execute commands through a new service. Additionally, proactive monitoring of service installation ensures that any unauthorized changes are detected in time, helping to prevent attacks and maintain the integrity of systems.

This report is an essential tool for effective endpoint monitoring, as it allows you to identify and investigate new service installations that could be indicative of a malware infection. By doing so, it contributes to compliance with CMMC Level 3 control SI.3.219, helping to strengthen detection and response to threats on network endpoints.', null, null, null, null, null, null, null, null, null, 507, true, 305, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.219): Service Installed', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (800, 'This report compiles relevant information from the Windows logs generated by event 4720, which is triggered when a new user account is created on the system. This event is essential for compliance with CMMC Level 3 control SI.3.219, which requires the implementation of endpoint monitoring for malware detection.

Event 4720 provides details about the creation of new user accounts, which is an important event to detect unauthorized changes or malicious activities on the system. The creation of unauthorized user accounts could be a sign that a malicious actor has compromised a system and is attempting to gain additional access with elevated privileges, which could make it easier to spread malware or execute attacks.

Monitoring these events allows security teams to quickly identify the creation of unusual or unexpected user accounts, which is key to detecting the presence of malicious actors. This type of surveillance is essential to prevent unauthorized user accounts from being used to spread malware or make lateral movements within the organization''s infrastructure.

This report supports security by providing visibility into changes to user accounts, allowing administrators to investigate any suspicious activity and quickly take corrective action. Additionally, it contributes to compliance with CMMC Level 3 control SI.3.219 by ensuring endpoint monitoring tools are properly deployed to detect and mitigate malware threats before they cause harm.', null, null, null, null, null, null, null, null, null, 507, true, 267, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.219): User Accounts Created', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (801, 'This report compiles relevant information from the Windows logs generated by event 4726, which is triggered when a user account is deleted from the system. This event is crucial for compliance with CMMC Level 3 control SI.3.219, which requires the implementation of endpoint monitoring for malware detection.

Event 4726 provides details about deleting user accounts, which is an important activity to identify suspicious or malicious behavior on the system. Deleting user accounts without proper authorization could be an indication that a malicious actor has compromised the infrastructure and is attempting to remove traces of their activity or restrict access to legitimate users, which could facilitate the spread of malware or interfere with incident response capacity.

Monitoring user account deletion can detect unusual activities that could be related to malicious manipulation of system settings. This visibility is essential to prevent account deletion from being used as a tactic to destabilize the organization''s security or to hide evidence of the presence of malware.

This report helps security teams maintain tight control over user accounts, ensuring deletion processes are legitimate and properly managed. Additionally, it contributes to compliance with CMMC Level 3 control SI.3.219, ensuring that endpoint monitoring is properly configured to effectively detect and mitigate potential malware threats.', null, null, null, null, null, null, null, null, null, 507, true, 272, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.219): User Accounts Deleted', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (802, 'This event is logged when a Windows service fails to start due to an error and may be linked to system services that are responsible for managing and controlling other services, including those involved in system security and monitoring.

The Service Control Manager manages interactions between Windows services, and when a service that should be monitoring or protecting the system against threats (such as malware detection) fails, event 7030 is an indication that something has gone wrong. This event is important because it can alert you to attempts to disable critical services that help protect the system.

In the context of CMMC Level 4, where automation of malware detection and response is required, the logs generated by SCM allow the identification of failures that could have been caused by a malicious attempt to disable security or monitoring services.

So, event 7030, being part of the SCM logs, has a direct relationship with monitoring the health of system services, especially those related to security and incident response, which is crucial to comply with CMMC Level 4 control SI.4.221.', null, null, null, null, null, null, null, null, null, 507, true, 323, 'TEMPLATE', null, null, 'Windows Level 4 (SI.4.221): Service Control Manager Log Information', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (807, 'This report collects relevant information from the Windows logs generated by event 1102, which is activated when a reboot or cleaning of the security logs is performed. This event is critical to compliance with CMMC Level 4 control SI.4.221, which requires automation of malware detection and response.

Event 1102 provides details on cleaning the system event logs, which is critical for automated detection of suspicious or malicious activity. Deleting or modifying security logs can be an indication that a malicious actor is trying to cover their tracks, posing a significant threat to systems integrity.

Monitoring this event in an automated way allows you to identify when changes or deletions are made to the security logs, which can signal cover-up attempts after an attack or intrusion. Detecting and responding to these incidents automatically is essential to ensure the continued protection of the organization''s IT environment.

This report is key to supporting security teams in implementing automatic controls that not only detect possible intrusions or cloaking attempts, but also provide immediate responses to mitigate any potential threats. By doing so, you contribute to CMMC Level 4 compliance, ensuring that detection and response to security incidents is carried out in an efficient and automated manner.', null, null, null, null, null, null, null, null, null, 507, true, 295, 'TEMPLATE', null, null, 'Windows Level 4 (SI.4.221): Cleaned Event Log', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (808, 'This report compiles relevant information from the Windows logs generated by events 5061, 4673 and 4674, which are related to the access and manipulation of security objects and policies in the system. These events are crucial to compliance with CMMC Level 4 control SI.4.221, which requires automation of malware detection and response.

Event 5061: This event is triggered when a cryptography operation is performed, which may indicate malicious encryption attempts, such as ransomware attacks.
Events 4673 and 4674: These events are generated when significant changes are made to security policies, such as the creation, modification, or deletion of critical objects, which could be an attempt to alter system configuration to facilitate attacks or circumvent security measures. security.

Automated collection and analysis of these events can detect patterns of anomalous behavior associated with the presence of malware, such as manipulation of security settings or execution of malicious encryption processes. Automation in the detection and response to these events is vital to mitigate the impact of any attempted infection or alteration of systems quickly and efficiently.

This report helps security teams implement automatic controls to monitor and respond to incidents related to security policy manipulation and cryptography, contributing to the prevention of attacks and strengthening the organization''s security posture. In addition, it reinforces compliance with CMMC Level 4 control SI.4.221, ensuring that the detection and response to possible threats is carried out in an effective and automated manner.', null, null, null, null, null, null, null, null, null, 507, true, 286, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Use of Elevated Privileges', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (809, 'This report gathers relevant information from the Windows logs generated by Windows Defender events 2001, 2003 and 3002, which record the actions taken by the protection system against detected threats. These events are key to compliance with CMMC Level 1 control SI.1.210, which focuses on the identification and correction of system failures, including the detection and response to malware.

Event 2001: This event indicates that Windows Defender has detected a threat on the system and has taken protective action, such as removing or quarantining malicious files.
Event 2003: Records additional actions that Windows Defender may have taken, such as scanning in the background or responding to threats on critical files or locations.
Event 3002: Provides additional details on the execution of threat mitigation measures, including user or administrator intervention if necessary, and the status of affected files.

Collecting these events allows you to verify that Windows Defender is actively monitoring and responding to system threats, which is critical to mitigating the risk of malware infections and other vulnerabilities. These logs provide detailed information about the threats detected and the actions implemented to contain or eliminate those threats, allowing security teams to monitor the effectiveness of protection responses.

This report contributes to compliance with CMMC Level 1 control SI.1.210 by ensuring that system failures caused by malware or malicious activities are detected and appropriately acted upon. Correctly configuring and monitoring Windows Defender and collecting these logs provides a solid foundation for conducting regular audits, evaluating the effectiveness of mitigation actions, and ultimately protecting critical systems from potential cyber threats.', null, null, null, null, null, null, null, null, null, 507, true, 348, 'TEMPLATE', null, null, 'Windows Level 1 (SI.1.210): Windows Defender Action Against Detected Threat', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (810, 'This report compiles relevant information from the Windows logs generated by event 4689, which is activated when a process finishes executing on the system. This event is crucial for the detection of suspicious activities, such as the termination of malware-related processes, and is essential to comply with CMMC Level 1 control SI.1.210, which requires identifying and correcting malware infections.

Event 4689 provides details about processes that have terminated. This information is valuable for correlating malicious processes with their initial creation and determining whether a malicious process was appropriately killed or stopped. Monitoring process termination is essential to identify if an attack has been contained or if a suspicious process has been stopped in time.

Tracking these events allows security teams to analyze process termination patterns, detect potential malware infections that could have been neutralized, and ensure that legitimate processes have not been stopped inappropriately. Additionally, early detection of terminating malicious processes may indicate an attempt by an attacker to conceal or remove evidence.

This report supports security teams in the identification and correction of malware infections, thus contributing to compliance with CMMC Level 1 control SI.1.210.', null, null, null, null, null, null, null, null, null, 507, true, 302, 'TEMPLATE', null, null, 'Windows Level 1 (SI.1.210): Process Termination', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (812, 'This report collects relevant information from the Windows logs generated by events 5156, 5158 and 5159, which are related to monitoring system network activity and allowed network connections. These events are essential to comply with CMMC Level 3 control SI.3.219, which requires implementing endpoint monitoring for malware detection.

Event 5156: Provides details about the network connections that have been allowed between the system and other devices on the network, helping to identify suspicious communications that could be related to malicious activity.
Event 5158: Logs blocked network connections, which may indicate unauthorized access attempts or the spread of malware attempting to establish connections to other machines.
Event 5159: Provides details about network connections allowed or denied based on security policies, which is crucial for identifying traffic that could be associated with malware behavior on an endpoint.

These events identify unusual patterns of network traffic that could be indicative of a malware attack, such as connection attempts to unknown or blocked IP addresses, communication attempts by unauthorized processes, or unusual use of network ports. Monitoring these events is essential to quickly detect malicious behavior and prevent the spread of malware within the corporate network.

This report facilitates the implementation of security controls that allow you to identify, block and mitigate the impact of malware on the organization''s endpoints. Additionally, it supports security teams in the proactive detection of threats, contributing to compliance with CMMC Level 3 control SI.3.219, ensuring that endpoints are adequately monitored to detect malicious activities and prevent security incidents.', null, null, null, null, null, null, null, null, null, 507, true, 349, 'TEMPLATE', null, null, 'Windows Level 3 (SI.3.219): Connections and Port Assignments', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (813, 'This report compiles relevant information from the Windows logs generated by event 4624, which is triggered when a user logs on to the system. This event is critical to compliance with CMMC Level 1 control AU.1.001, which requires capturing audit logs for review.

Event 4624 provides details about successful login attempts to the system. These logs are essential to track user activities on the system and to identify unauthorized or unusual access.

Collecting and reviewing logs from this event is crucial to comply with security audit policies and ensure system accesses are appropriately monitored. Analysis of 4624 events can detect anomalous behavior patterns, which may indicate unauthorized access attempts or potential security breaches.

This report contributes to the implementation of appropriate audit practices, facilitating the capture and review of relevant user activity records, in accordance with CMMC Level 1 regulations. Additionally, it reinforces the ability of security teams to identify and correct vulnerabilities related to access to systems, helping to maintain the integrity and availability of data.', null, null, null, null, null, null, null, null, null, 509, true, 265, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): Account Logon Success', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (814, 'This report collects relevant information from the Windows logs generated by event 4625, which is triggered when a login attempt fails on the system. This event is critical to compliance with CMMC Level 1 control AU.1.001, which requires capturing audit logs for review.

Event 4625 provides details about failed login attempts. This type of information is crucial for detecting unauthorized access or security breach attempts, such as brute force attacks or password guessing attempts.

Collecting and reviewing logs from this event is essential to comply with security audit policies, allowing security teams to quickly identify and respond to suspicious patterns or repeated failed system access attempts. Additionally, these logs are useful for performing forensic analysis in the event of security incidents, contributing to the improvement of preventive defenses.

This report supports the implementation of appropriate auditing practices, ensuring that user activity logs are captured and reviewed, in line with CMMC Level 1 requirements. Through this review, adequate control over access can be maintained. to systems and detect potential security threats before they compromise infrastructure.', null, null, null, null, null, null, null, null, null, 509, true, 266, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): Account Logon Failure', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (815, 'This report collects relevant information from the Windows logs generated by event 4648, which is triggered when a user attempts to log on to a system with explicit credentials, such as a username and password. This event is key to compliance with CMMC Level 1 control AU.1.001, which requires the capture of audit logs for review.

Event 4648 provides details about login attempts. This information is vital for tracking system access activities, allowing security teams to detect potential unauthorized attempts or suspicious access.

Collecting these logs also helps identify unusual or malicious access patterns, such as access attempts through compromised accounts, which helps improve incident response capabilities. Additionally, detailed information about login attempts is essential for conducting security audits, especially when investigating the integrity of user accounts and access to critical systems.

This report supports security teams in capturing and reviewing audit logs related to access to systems, ensuring that adequate control is maintained over login attempts, and contributes to compliance with security policies and access control, as established in control AU.1.001 of CMMC Level 1.', null, null, null, null, null, null, null, null, null, 509, true, 281, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): Logins with explicit credentials', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (816, 'This report collects relevant information from the Windows logs generated by event 4720, which is triggered when a new user account is created on the system. This event is critical to compliance with CMMC Level 1 control AU.1.001, which requires capturing audit logs for review.

Event 4720 provides details on creating user accounts. This information is essential to maintaining control over account management in the system, allowing security teams to verify that accounts are being created in an authorized manner and in accordance with the organization''s access policies.

Monitoring the creation of user accounts is vital to identify unauthorized changes to the system, such as the creation of malicious or elevated accounts without proper approval. Additionally, by recording this information, organizations can conduct audits and review user accounts to ensure they are aligned with roles and operational needs.

This report helps ensure that complete and accurate audit logs are maintained for every action related to the creation of user accounts, contributing to effective infrastructure security management and compliance with CMMC Level 1 control AU.1.001.', null, null, null, null, null, null, null, null, null, 509, true, 267, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): User Accounts Created', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (817, 'This report compiles relevant information from the Windows logs generated by event 4722, which is triggered when a user account is enabled on the system. This event is key to complying with CMMC Level 1 control AU.1.001, which requires capturing audit logs for review.

Event 4722 provides details about enabling user accounts. This information is crucial to properly monitor and manage user accounts within the infrastructure, ensuring that enabled accounts are legitimate and authorized.

Monitoring user account enablement helps identify any unauthorized changes, such as the reactivation of accounts that should have been disabled for security or compliance reasons. Additionally, it allows you to detect if a malicious actor tries to restore access to a previously disabled account.

This report contributes to the creation of a more robust security environment by ensuring that all events related to the enablement of user accounts are recorded and monitored. In this way, it helps comply with CMMC Level 1 control AU.1.001, ensuring the correct capture and review of audit logs for unusual or potentially malicious activities.', null, null, null, null, null, null, null, null, null, 509, true, 293, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): User Accounts Enabled', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (818, 'This report collects relevant information from the Windows logs generated by event 4723, which is triggered when a user tries to change their password. This event is critical to comply with CMMC Level 1 control AU.1.001, which requires capturing audit logs for review.

Event 4723 provides details about password change attempts. This type of information is essential for tracking and auditing credential modification attempts, allowing unusual or unauthorized activity to be detected.

Monitoring password change events is key to ensuring that authentication processes follow proper procedures and preventing malicious actors from gaining access to user accounts through unauthorized password changes. It also helps identify potential attack attempts, such as password guessing or privilege abuse.

This report contributes to compliance with AU.1.001 by ensuring that all events related to password change attempts are effectively recorded, monitored, and reviewed. In this way, it facilitates the detection of inappropriate actions and reinforces the security of the system, protecting access credentials and sensitive data.', null, null, null, null, null, null, null, null, null, 509, true, 294, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): User Password Reset Attempt', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (819, 'This report collects relevant information from the Windows logs generated by event 4724, which is triggered when a system administrator attempts to reset the password for a user account. This event is crucial to comply with CMMC Level 1 control AU.1.001, which requires capturing audit logs for review.

Event 4724 provides details about password reset attempts. This information allows you to track and audit changes to user account credentials, which is essential for identifying unauthorized access or malicious behavior.

Monitoring password reset attempts is vital to detect suspicious activity, such as attempts to bypass security controls, abuse of administrative privileges, or unauthorized access to critical accounts. This event also helps ensure that password change policies are followed appropriately.

This report contributes to compliance with AU.1.001 by ensuring that all password reset attempts are recorded, monitored, and reviewed. By doing so, it helps protect the integrity of access credentials, ensuring that control over access to critical systems and resources is maintained, strengthening the security of the organization''s infrastructure.', null, null, null, null, null, null, null, null, null, 509, true, 312, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): Password Reset Attempts', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (820, 'This report collects relevant information from the Windows logs generated by event 4738, which is triggered when a change is made to the user account information, such as modifying account attributes. This event is critical to comply with CMMC Level 1 control AU.1.001, which requires capturing and reviewing audit logs of changes to user accounts.

Event 4738 provides details about modifications made to an account. This information allows you to audit account changes and detect suspicious or unauthorized activity, such as unauthorized access to privileged accounts or alteration of critical accounts.

Monitoring changes to user accounts is essential to ensure the integrity of credentials and access permissions within the organization. This event helps identify whether changes were made in accordance with security policies and whether there were attempts to modify accounts without proper authorization.

This report supports compliance with AU.1.001 by ensuring that all changes to user accounts are appropriately recorded and monitored. By doing so, you help protect the organization''s infrastructure against unauthorized account manipulation, ensuring that logs are reviewed to identify potential security incidents and maintaining traceability of actions taken on user accounts.', null, null, null, null, null, null, null, null, null, 509, true, 308, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): User Account Attributes Changes', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (821, 'This report compiles relevant information from the Windows logs generated by event 4662, which is triggered when an object in the system is accessed, modified or deleted. This event is key to complying with CMMC Level 1 control AU.1.001, which requires the capture of audit logs for review in order to maintain the integrity of the systems.

Event 4662 provides details about access to objects within the system. These logs allow you to monitor changes and access made to critical files or configurations, which is essential to detect suspicious or unauthorized activities.

Monitoring these events contributes to the early identification of unauthorized access or malicious actions, helping to ensure that system configurations and data are protected from tampering or improper access. Additionally, collecting this information ensures that a detailed analysis can be performed on any security incidents that may arise.

This report is essential to support the implementation of an effective audit monitoring strategy, ensuring that CMMC Level 1 control AU.1.001 is met by capturing and reviewing audit logs, which reinforces security and operational integrity within of the organization''s technological infrastructure.', null, null, null, null, null, null, null, null, null, 509, true, 297, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): Protected Object Access Operation', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (822, 'This report collects relevant information from the Windows logs generated by event 4670, which is triggered when the permission settings of an object, including files, folders, or registry keys, are modified. This event is crucial to comply with CMMC Level 1 control AU.1.001, which requires the capture and review of audit logs to ensure the security of the computing environment.

Event 4670 provides details about changes made to access permissions to system objects. This information is essential to monitor and audit access to sensitive resources within the system.

Monitoring modifications to object permissions is essential to detect unauthorized changes that may indicate attempted privilege escalation, malicious moves, or manipulations of critical configurations. In addition, the collection of these logs allows a detailed review of the actions taken, which is key to ensuring that access controls are being applied appropriately and in accordance with security policies.

This report facilitates compliance with CMMC Level 1 control AU.1.001, ensuring that audit logs related to permit modifications are adequately captured and reviewed, contributing to the detection and mitigation of possible security incidents within the company''s infrastructure. organization.', null, null, null, null, null, null, null, null, null, 509, true, 274, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): Protected Object Permission Change', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (823, 'This report compiles relevant information from the Windows logs generated by event 4907, which is activated when changes occur in the system audit policies. This event is essential to comply with CMMC Level 1 control AU.1.001, which requires the capture and review of audit logs to guarantee the integrity and security of information systems.

Event 4907 provides details about the modification of audit policies. This type of information is key to identifying unauthorized alterations to audit policies, which could indicate an attempt to hide malicious activity or avoid detection of anomalous behavior in the system.

Monitoring these changes is crucial to ensure that audit policies are configured correctly and consistently, allowing for proper collection of security events. Reviewing these logs makes it easier to identify inappropriate settings that could weaken the organization''s ability to detect suspicious activity.

This report supports compliance with CMMC Level 1 control AU.1.001, ensuring that appropriate audit configurations are maintained and that changes to audit policies are recorded and reviewed, contributing to the early detection of potential security incidents within the organization. organization infrastructure.', null, null, null, null, null, null, null, null, null, 509, true, 291, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): Restoration of default security policies', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (824, 'This report collects relevant information from the Windows logs generated by event 4663, which is triggered when a user performs an access operation on system objects, such as reading, writing or deleting files and folders. This event is crucial to comply with CMMC Level 3 control AU.3.045, which requires ensuring that logs are available for investigation in the event of security incidents.

Event 4663 provides details about operations performed on system objects. This allows detailed tracking of interactions with critical files and resources within the system. Maintaining a proper record of these events is essential to ensure that any unauthorized access or modification to the organization''s resources can be tracked and audited effectively.

Ensuring that logs of these types of events are available for review and analysis is essential for the early identification of security incidents, such as unauthorized access, malicious modifications or security policy violations. This report contributes to the organization''s ability to investigate and respond to incidents efficiently, ensuring that the information necessary for a complete investigation can be accessed.

In this way, the report supports compliance with CMMC Level 3 control AU.3.045, ensuring that the relevant logs are properly managed, stored and available for review at any time, facilitating a rapid and effective response to security incidents and contributing to the protection of organizational infrastructure.', null, null, null, null, null, null, null, null, null, 509, true, 277, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Access to critical files or specific directories', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (825, 'This report compiles relevant information from the Windows logs generated by events 5140 and 5145, which are activated when a user accesses or makes modifications to shared resources on the network, such as files or directories, through SMB protocols. These events are essential to comply with CMMC Level 3 control AU.3.045, which requires ensuring that logs are available for investigation in the event of security incidents.

Event 5140 is triggered when a network connection is established to a share, while event 5145 is triggered when a file or directory is accessed through a network share. The details of these logs are essential for tracking activities related to access to data and shared files, which can be indicative of suspicious or unauthorized activity.

Ensuring that logs of these events are available for review is key to investigating and auditing access to critical resources within the organization''s network. These events allow us to identify unauthorized access, malicious movements or inappropriate changes in the permissions of shared resources. Having a complete and accessible record of these activities is essential for incident response, allowing an accurate assessment of what happened and contributing to the identification of security gaps.

This report, therefore, supports compliance with CMMC Level 3 control AU.3.045, ensuring that relevant logs regarding access and modification of shared resources are available and appropriately managed, facilitating investigations and improving the ability to the organization to respond quickly to security threats or incidents.', null, null, null, null, null, null, null, null, null, 509, true, 285, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Access to Shared Resources', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (826, 'This report compiles relevant information from the Windows logs generated by event 4660, which is triggered when an object, such as a file or directory, is opened or modified. This event is especially important to comply with CMMC Level 3 control AU.3.045, which requires ensuring that logs are available for investigation in the event of security incidents.

Event 4660 provides details about actions performed on system objects. Additionally, it includes information about the user who performed the action, the exact date and time, and the identifier of the affected object. This information is crucial for detailed tracking of activities performed on critical data and resources within the organization''s technological infrastructure.

Monitoring 4660 events is essential to identify suspicious changes to file systems, such as unauthorized deletion or alteration of important files, which may be indicative of a security breach or malicious activity. By keeping these logs available for review, incident investigation and forensic analysis are facilitated, allowing the origins and scope of potential security compromises to be traced.

This report supports compliance with CMMC Level 3 control AU.3.045, by ensuring that the logs of critical events related to the manipulation of objects and system resources are accessible, well managed and prepared to be analyzed during security investigations, improving the organization''s ability to detect and respond to threats.', null, null, null, null, null, null, null, null, null, 509, true, 298, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Object Deletion', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (828, 'This report compiles relevant information from the Windows logs generated by event 5158, which is triggered when a new network connection is allowed through a specific port on a system. This event is essential to comply with CMMC Level 3 control AU.3.045, which requires ensuring that logs are available for security investigations.

Event 5158 provides details about established network connections. Additionally, event 5158 shows whether the connection was allowed or blocked by system security policies, which is key to detecting unauthorized access or anomalous behavior in the network infrastructure.

Monitoring 5158 events is crucial to track the flow of information and accesses through the network, allowing you to identify suspicious connection attempts, possible vulnerabilities or malicious activities, such as a privilege escalation attack or lateral movement within the network. By keeping these logs available, organizations can conduct effective investigations in the event of a security incident, analyzing the source, connection type, and impact of any unauthorized access.

This report supports compliance with CMMC Level 3 control AU.3.045, ensuring that detailed logs on network connections are adequately stored, accessible and are part of the investigation process for potential incidents, strengthening threat response capacity and improving security. security on the corporate network.', null, null, null, null, null, null, null, null, null, 509, true, 313, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Windows Connection blocked by Windows Firewall', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (829, 'This report compiles relevant information from the Windows logs generated by event 1102, which is activated when a shutdown or restart of the security logs is performed on the system. This event is crucial to comply with CMMC Level 3 control AU.3.045, which requires ensuring audit logs are available for review during security investigations.

Event 1102 provides details about when and why security logs were closed or reset, which is essential for monitoring the integrity of audit logs. In the context of security management, it is essential to ensure that logs are not lost or tampered with, as they could contain critical information about past security events, such as unauthorized access attempts or malicious activities within the network.

Monitoring this event allows security teams to detect if logs were closed or restarted by unauthorized users, which could indicate an attempt to hide illicit activities or tamper with evidence in the event of an attack or security incident. The correct management and storage of these logs are essential for the investigation after any security incident, ensuring that all necessary information is available for analysis and possible recovery.

This report contributes to compliance with CMMC Level 3 control AU.3.045 by ensuring that security logs remain accessible and are securely stored for review, allowing security teams to conduct detailed investigations into any suspicious activity or incident. that has taken place in the system.', null, null, null, null, null, null, null, null, null, 509, true, 295, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Cleaned Event Log', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (830, 'This report collects relevant information from the Windows logs generated by event 4776, which is triggered when there is an attempt to authenticate a user using a username and password in a network environment. This event is key to meeting CMMC Level 4 control AU.4.053, which requires enhancing audit logs with advanced forensic analysis capabilities to detect and respond to security incidents.

Event 4776 provides details about authentication attempts that were not successful. This information is crucial for identifying attack patterns, such as unauthorized access attempts, brute force attacks, or phishing attempts.

Monitoring this event with an advanced forensic approach allows security teams to perform deeper analysis on failed authentication attempts. For example, they can correlate multiple failed attempts from different locations, which could indicate a distributed attack or privilege escalation effort. Additionally, this event can provide valuable information to trace an attacker''s path through the network and improve incident response capabilities.

This report contributes to compliance with CMMC Level 4 control AU.4.053 by providing detailed analysis of failed authentication attempts and improving auditing capabilities through an advanced forensic approach. By doing so, it helps strengthen security by more effectively detecting and analyzing threats that could put the organization''s infrastructure at risk.', null, null, null, null, null, null, null, null, null, 509, true, 301, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Account Authentication Using NTLM', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (831, 'This report collects relevant information from the Windows logs generated by event 4771, which is triggered when a Kerberos authentication attempt fails due to a problem with the user''s credentials. This event is critical to meeting CMMC Level 4 control AU.4.053, which requires enhancing audit logs with advanced forensics capabilities to detect and respond to security incidents.

Event 4771 provides details about failed Kerberos authentication attempts. This information is valuable in identifying attack patterns, such as unauthorized access attempts, brute force attacks, or issues related to system configuration.

Monitoring this event with an advanced forensic approach allows security teams to perform a thorough analysis of failed authentication attempts, helping to identify potential spoofing or privilege escalation attempts. Additionally, event 4771 allows failed attempts to be correlated with other security events on the network, providing broader context to detect persistent threats and suspicious activity.

This report contributes to compliance with CMMC Level 4 control AU.4.053 by providing a detailed analysis of failed Kerberos authentication attempts. By improving audit logs and using advanced forensics, the organization can improve its ability to detect and respond to security incidents more effectively, strengthening protection against unauthorized access and attacks.', null, null, null, null, null, null, null, null, null, 509, true, 310, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Kerberos pre-authentication failed', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (832, 'This report compiles relevant information from the Windows logs generated by event 4688, which is activated every time a new process is created in the system. This event is essential to comply with CMMC Level 4 control AU.4.053, which requires enhancing audit logs with advanced forensic analysis capabilities to more effectively detect, investigate, and respond to security incidents.

Event 4688 provides details about creating processes on the system. This information is key to identifying the execution of suspicious or unauthorized processes, which can be indicative of malicious activities such as the execution of malware or the use of tools to carry out attacks.

Monitoring event 4688 with an advanced forensic approach allows security teams to trace the origin and behavior of executed processes, identify anomalous patterns that may indicate a security breach or evasion attempt, and perform detailed analysis of executed processes. in the system. Correlating this event with other security logs can provide a complete picture of attacker activities, helping to proactively detect suspicious behavior.

This report contributes to compliance with CMMC Level 4 control AU.4.053, by providing a detailed analysis of the processes executed in the system. By improving audit logs and applying advanced forensic analysis capabilities, the organization can strengthen its ability to identify, investigate and respond to security incidents, improving protection against persistent threats and unauthorized activities.', null, null, null, null, null, null, null, null, null, 509, true, 284, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.053): Process Creation', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (836, 'This report collects relevant information from the Windows logs generated by event 4647, which is triggered when a user actively logs out of the system. This event is key to compliance with CMMC Level 1 control AU.1.001, which requires the capture of audit logs for review.

Event 4647 provides details about a user''s logout action. The collection of these logs is essential to monitor user activities within systems and ensure that sessions are closed correctly, which is a preventative measure against unauthorized or unmonitored access.

Analyzing these logs allows security teams to detect anomalous activities, such as logouts at unexpected times or by unauthorized users, which could indicate potential security breaches. Furthermore, having a clear record of logout events is crucial for conducting complete audits, especially in forensic investigation situations related to security incidents.

This report supports the audit policies established at CMMC Level 1, ensuring that logs related to user login and logout are appropriately collected and reviewed. In this way, it contributes to greater visibility and control over user actions within the system, helping to detect possible threats and ensure compliance with security regulations.', null, null, null, null, null, null, null, null, null, 509, true, 351, 'TEMPLATE', null, null, 'Windows Level 1 (AC.1.001): User Account Logoff', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (837, 'This report compiles relevant information from the Windows logs generated by event 4005, which is activated when the system registers a failure in a user''s login to the system. This event is essential to comply with CMMC Level 3 control AU.3.045, which requires that logs be available for security investigations in the event of incidents.

Event 4005 provides details about failed login attempts. Monitoring these events allows security teams to identify possible threats and take preventive measures in situations that may put the integrity of the infrastructure at risk.

The availability of these logs is essential to enable detailed investigations in the event of a security incident, such as an unauthorized access attempt or a targeted attack on the IT infrastructure. The information from event 4005 allows you to trace failed login attempts, helping to identify vulnerabilities or security gaps that can be exploited.

This report contributes to compliance with CMMC Level 3 control AU.3.045 by ensuring that logs of failed login attempts are stored and accessible for review in the context of security incident investigations. This improves threat detection capabilities and facilitates rapid response to potential security breaches.', null, null, null, null, null, null, null, null, null, 509, true, 352, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Unexpected Logon Process Termination', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (838, e'The Windows Account Logon Success Report provides a comprehensive view of successful logon events, serving as a crucial tool for compliance within the Banking Audit framework. This report ensures alignment with security controls that manage and monitor user access, safeguarding sensitive financial information and meeting regulatory requirements.
• Banking Regulations: Supports compliance with financial regulations, such as the Safeguards Rule under GLBA, by demonstrating a security program that protects customer data.
• Access Control: Reinforces principles of access management by tracking and validating that only authorized users can access banking systems, aligning with PCI DSS Requirement 8.
• Audit Readiness: Provides evidence for maintaining security and access control, essential for audits and adherence to standards like ISO 27001 and SOC2 Type 2, ensuring secure access is granted only to legitimate users.
• Incident Detection and Prevention: Helps detect unauthorized access attempts by analyzing patterns of successful logons, thereby reducing the risk of data breaches.
• Data Protection: Aligns with global frameworks such as GDPR Article 32, ensuring access to sensitive financial data is restricted to authorized individuals to prevent unauthorized data processing.

By centralizing and monitoring logon events, this report strengthens an organization’s ability to maintain cybersecurity resilience, protect financial systems, and achieve compliance with stringent banking audit requirements.', null, null, null, null, null, null, null, null, null, 703, true, 265, 'TEMPLATE', null, null, 'Windows Account Logon Success', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (839, e'The Windows Account Logon Failure Report provides a consolidated overview of failed logon attempts, playing a vital role in compliance within the Banking Audit framework. This report enables organizations to monitor, detect, and address unauthorized access attempts, ensuring the protection of sensitive financial systems and data.
• Banking Regulations: Supports compliance with financial regulations, such as the Safeguards Rule under GLBA, by demonstrating measures to prevent unauthorized access to customer data.
• Access Control: Tracks failed logon attempts to identify potential unauthorized access or brute force attacks, aligning with PCI DSS Requirement 10 for monitoring access control events.
• Audit Readiness: Provides evidence of failed access attempts, contributing to the transparency required by standards like SOC2 Type 2 and ISO 27001, ensuring security incidents are logged and reviewed.
• Incident Response: Enhances threat detection by identifying patterns of failed logon attempts, enabling organizations to respond to suspicious activity promptly.
• Data Protection: Aligns with global frameworks such as GDPR Article 32, showcasing controls that prevent unauthorized access to financial systems, protecting sensitive customer data.

By centralizing data on logon failures, this report empowers organizations to enhance their security posture, reduce the risk of data breaches, and comply with stringent banking audit requirements.', null, null, null, null, null, null, null, null, null, 703, true, 266, 'TEMPLATE', null, null, 'Windows Account Logon Failure', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (840, 'The Windows Account Logoff Report provides a comprehensive view of user logoff events, serving as a critical compliance tool within the Banking Audit framework. This report ensures transparency and accountability in user sessions, enabling organizations to track session terminations and ensure adherence to access control policies.', null, null, null, null, null, null, null, null, null, 703, true, 350, 'TEMPLATE', null, null, 'Windows Account Logoff', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (841, 'The Windows Logins with Explicit Credentials Report provides a detailed record of login events where explicit credentials (e.g., usernames and passwords) were used. 
This report plays a vital role in ensuring compliance within the Banking Audit framework by monitoring authentication activities and safeguarding sensitive financial systems.', null, null, null, null, null, null, null, null, null, 703, true, 281, 'TEMPLATE', null, null, 'Windows Logins with explicit credentials', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (842, 'The Windows Cleaned Event Log Report provides a detailed record of actions where system event logs have been cleared. This report is critical within the Banking Audit framework, as it helps detect potential tampering with log integrity and supports regulatory compliance by monitoring log management activities.', null, null, null, null, null, null, null, null, null, 703, true, 295, 'TEMPLATE', null, null, 'Windows Cleaned Event Log', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (843, 'The Windows Policy Changes Report provides a comprehensive record of system policy modifications, including changes to group policies, security configurations, and access controls. 
This report is critical within the Banking Audit framework, ensuring traceability and compliance with regulatory requirements by monitoring configuration changes that could impact the security of financial systems.', null, null, null, null, null, null, null, null, null, 703, true, 280, 'TEMPLATE', null, null, 'Windows Policy changes', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (844, 'The Windows User Accounts Created Report provides a detailed record of all user account creation events in the system. This report plays a vital role in ensuring compliance within the Banking Audit framework by monitoring and controlling user account management processes to protect sensitive financial systems.', null, null, null, null, null, null, null, null, null, 703, true, 267, 'TEMPLATE', null, null, 'Windows User Accounts Created', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (845, 'The Windows Password Reset Attempts Report provides a comprehensive overview of password reset activities, tracking both successful and failed attempts. 
This report is a critical tool in the Banking Audit framework, ensuring accountability and security in the management of user credentials.The Windows Password Reset Attempts Report provides a comprehensive overview of password reset activities, tracking both successful and failed attempts. This report is a critical tool in the Banking Audit framework, ensuring accountability and security in the management of user credentials.', null, null, null, null, null, null, null, null, null, 703, true, 312, 'TEMPLATE', null, null, 'Windows Password Reset Attempts', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (846, 'The Windows User Accounts Deleted Report provides a detailed record of all user account deletion events within the system. 
This report is critical for maintaining accountability and ensuring compliance within the Banking Audit framework, as it helps monitor access control changes and detect potential security risks.', null, null, null, null, null, null, null, null, null, 703, true, 272, 'TEMPLATE', null, null, 'Windows User Accounts Deleted ', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (893, e'The Windows User Accounts Deleted Report provides detailed logs of events where user accounts are removed from the system. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as account deletions can indicate unauthorized actions, insider threats, or security policy violations.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring visibility and oversight of account deletions to safeguard sensitive financial systems and customer data.
• Access Control Monitoring: Supports compliance with PCI DSS Requirement 7, ensuring that user account deletions are logged and reviewed to prevent unauthorized actions.
• Real-Time Alerting: Captures and notifies administrators immediately when accounts are deleted, enabling prompt investigation and response to potential threats.
• Incident Detection: Identifies unauthorized or suspicious account deletions, which could indicate malicious intent, such as erasing traces of compromised accounts.
• Audit Readiness: Tracks account deletions to ensure compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating secure and accountable user management practices.', null, null, null, null, null, null, null, null, null, 701, true, 272, 'TEMPLATE', null, null, 'Windows User Accounts Deleted', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1187, 'This report captures key information from Windows Event 4726 logs, which are generated when a user account is deleted. Event 4726 is critical for monitoring changes to identification and authentication credentials, in compliance with PCI DSS Requirement 10.2.1.5, which requires the capture of all account changes, additions, or deletions, as well as the creation of new accounts or elevation of privileges. 
This audit log is essential for ensuring control and tracking of credential changes, facilitating the detection of unauthorized or anomalous actions and providing key support for forensic analysis of security-related events.', null, null, null, null, null, null, null, null, null, 809, true, 272, 'TEMPLATE', null, null, 'Windows User Accounts Deleted', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1168, 'This report collects and analyzes 4726 events (User Account Deletion) recorded in Windows logs to assess compliance with PCI DSS Requirement 8.2. User account deletions are monitored to ensure that access for terminated users is revoked immediately, in accordance with Section 8.2.5. Inactive accounts are also validated as being deleted or disabled within the stipulated 90-day period, in line with Section 8.2.6. 
This analysis helps ensure that account lifecycle management is strict and complies with the security and authentication controls defined in PCI DSS.', null, null, null, null, null, null, null, null, null, 808, true, 272, 'TEMPLATE', null, null, 'Windows User Accounts Deleted', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (639, 'This report collects and analyzes security events identified by ID 4726 on Windows systems. Event 4726 records user account deletions, providing relevant information for verifying compliance with HIPAA requirement 164.312(a)(1). This requirement establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that store or process ePHI (Electronic Protected Health Information). 
This report facilitates the identification and monitoring of user account deletions, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 272, 'TEMPLATE', null, null, 'Windows User Accounts Deleted', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (923, e'The Windows User Accounts Deleted report provides detailed logs of events where user accounts are removed from a Windows system. This report is critical for tracking account management activities, detecting unauthorized deletions, and ensuring compliance with security frameworks and audit requirements.
• Regulatory Compliance: Supports frameworks like PCI DSS, ISO 27001, and SOC2, by maintaining a record of user account deletions to demonstrate proper management of identity and access controls.
• Account Management Monitoring: Tracks the deletion of user accounts, ensuring that such actions are authorized, justified, and performed in alignment with internal policies.
• Event Correlation: Links account deletion events with administrative actions, user accounts, and originating systems, creating a comprehensive audit trail for analysis.
• Real-Time Alerts: Sends immediate notifications when user accounts are deleted, particularly for privileged or critical accounts, enabling quick investigation of potential threats.
• Incident Detection: Identifies suspicious account deletions, such as removal of high-privilege accounts or bulk deletions, which may indicate insider threats, malicious activity, or administrative errors.
• Audit Readiness: Logs detailed information for each deletion, including the account deleted, the user or process responsible, the originating machine, and the timestamp, ensuring robust records for compliance and investigations.', null, null, null, null, null, null, null, null, null, 702, true, 272, 'TEMPLATE', null, null, 'Windows User Accounts Deleted', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1071, 'This report collects 4726 events generated by the Windows system, which record user account deletions. Analyzing these events is critical to verifying compliance with PCI DSS Requirements, ensuring that roles and responsibilities for managing the creation, enabling, and deletion of user accounts are properly documented, assigned, and understood. 
It also provides visibility into account deletion, ensuring that operational procedures and security policies are followed when managing access within the infrastructure.', null, null, null, null, null, null, null, null, null, 807, true, 272, 'TEMPLATE', null, null, 'Windows User Accounts Deleted', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1213, 'This report compiles relevant information from 4656 events in Windows logs, which are critical for verifying compliance with PCI DSS Requirement 12.1, which requires that an information security policy be established, published, maintained, and disseminated to all relevant employees, vendors, and business partners.

4656 events are logged when access requests are made to an object or resource in the system, providing key insights into user interactions with information assets. By analyzing these events, we can confirm that access controls and related policies are being effectively enforced, supporting that the information security policy is adequately disseminated to relevant parties, as required by PCI DSS.

In addition, these logs help verify that the information security policy is reviewed at least once every 12 months and updated as needed to reflect changes in business objectives or environmental risks. They also help validate that security responsibilities are clearly defined for all staff and that ultimate responsibility for security is assigned to a trained CISO or executive.', null, null, null, null, null, null, null, null, null, 811, true, 273, 'TEMPLATE', null, null, 'Windows Attempt to Access a Protected Object', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (884, e'The Windows Attempt to Access a Protected Object Report provides a detailed log of both successful and failed attempts to access protected objects, such as files, directories, or system components. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework by tracking access to sensitive resources and enforcing security policies.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of access attempts to safeguard financial systems and customer data.
• Access Control Monitoring: Supports compliance with PCI DSS Requirement 10, which mandates logging and monitoring of access to critical resources to detect unauthorized activities.
• Real-Time Alerting: Captures and notifies of unauthorized or suspicious access attempts in real-time, enabling immediate response to potential threats.
• Incident Detection: Identifies patterns of unauthorized access, such as brute force attacks or privilege escalation attempts, which could indicate security breaches.
• Audit Readiness: Provides traceability of access attempts to ensure accountability and compliance with frameworks like SOC2 Type 2 and ISO 27001.', null, null, null, null, null, null, null, null, null, 701, true, 273, 'TEMPLATE', null, null, 'Windows Attempt to Access a Protected Object', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1209, 'This report aims to assess compliance with PCI DSS Requirement 11.5.2, which establishes the need to implement a change detection mechanism (e.g., file integrity monitoring tools) to alert staff about unauthorized modifications (including changes, additions, and deletions) to critical files. Using Windows event 4656 logs, the report gathers relevant information on access attempts to protected and critical system files, allowing identification of unauthorized modifications. 
Additionally, it ensures that critical file comparisons are performed at least once a week, as required by the PCI DSS standard, ensuring that any file alterations are detected and reported in a timely manner to prevent potential security risks.', null, null, null, null, null, null, null, null, null, 810, true, 273, 'TEMPLATE', null, null, 'Windows Attempt to Access a Protected Object', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1226, 'This report analyzes Object Access Request events (Event ID 4656) on Windows systems to assess compliance with PCI DSS requirements A1.1.2 and A1.1.3 in multi-tenant environments. This event is generated when a process requests access to a protected object, such as files, registry keys, or system services. Therefore, its analysis allows verification that each client only attempts to access its own cardholder information (CDE) and the resources assigned to it, preventing unauthorized access to other clients'' data or systems. 
Details are examined that contribute to the validation of access controls, ensuring proper segregation of data and resources, and reducing the risk of exposure in shared infrastructures.', null, null, null, null, null, null, null, null, null, 812, true, 273, 'TEMPLATE', null, null, 'Windows Attempt to Access a Protected Object', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (644, 'This report collects and analyzes security events identified by ID 4670 on Windows systems. Event 4670 records changes to security permissions for system objects, providing relevant information for verifying compliance with HIPAA requirement 164.312(a)(1). This requirement establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that store or process ePHI (Electronic Protected Health Information). 
This report facilitates the identification and monitoring of changes in access permissions to system resources, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 274, 'TEMPLATE', null, null, 'Windows Protected Object Permission Change', '');
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (847, 'The Windows Protected Object Permission Change Report provides a comprehensive overview of permission changes to critical system objects such as files, folders, registry keys, and other sensitive resources. 
This report is essential for compliance within the Banking Audit framework, ensuring the integrity of access control mechanisms and safeguarding sensitive financial systems.', null, null, null, null, null, null, null, null, null, 703, true, 274, 'TEMPLATE', null, null, 'Windows Protected Object Permission Change', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (907, e'The Windows Protected Object Permission Change Report provides detailed logs of events where permissions on protected objects, such as files, folders, or registry keys, are modified. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as unauthorized changes to permissions can compromise data security and system integrity.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of permission changes to safeguard financial systems and sensitive customer data.
• Access Control Monitoring: Supports compliance with PCI DSS Requirement 7, ensuring that access permissions are restricted to authorized users and tracked for changes.
• Real-Time Alerting: Captures and notifies administrators immediately of permission changes on protected objects, enabling prompt investigation and mitigation of potential risks.
• Incident Detection: Identifies unauthorized or suspicious permission modifications, which could indicate insider threats, privilege escalation, or attempts to bypass security controls.
• Audit Readiness: Tracks all permission change events to ensure compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating robust access and configuration management.', null, null, null, null, null, null, null, null, null, 701, true, 274, 'TEMPLATE', null, null, 'Windows Protected Object Permission Change', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1061, 'This report compiles relevant information from logs generated by Windows events 4663 and 4656, which are related to access and modification of system files and objects, including Network Security Controls (NSC) configuration files.

Event 4663 is generated when a user attempts to access a file or directory, providing details about the type of access requested. Event 4656 is triggered when a request is made to access an object, indicating whether the request was approved or denied. These events are essential for auditing access to NSC configuration files, ensuring that unauthorized access to these critical files is not occurring.

Analyzing these events is key to complying with PCI DSS Requirements, which states that NSC configuration files must be protected from unauthorized access and maintained consistent with the active network. These logs allow verification that appropriate access controls are in place, ensuring that only authorized users can modify configuration files and that any changes are properly logged to maintain the integrity of the network''s security configuration.', null, null, null, null, null, null, null, null, null, 807, true, 273, 'TEMPLATE', null, null, 'Windows Attempt to Access a Protected Object', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (677, 'This report collects and analyzes security events identified by ID 4670 on Windows systems. Event 4670 records attempts to modify permissions or properties of an object protected by a DACL (Discretionary Access Control List), providing relevant information about changes to security settings and access to critical resources. These events are essential for verifying compliance with the HITRUST CSF 01.v requirement, which mandates the logging of key system activities. 
This report facilitates the identification and auditing of attempts to modify permissions, ensuring that changes to security settings are appropriately monitored, logged, and reviewed to maintain the integrity and protection of critical systems.', null, null, null, null, null, null, null, null, null, 601, true, 274, 'TEMPLATE', null, null, 'Windows Protected Object Permission Change', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1155, 'This report collects information from Windows 4670 events, which record access and modification events on security objects. Its purpose is to assess compliance with PCI DSS Requirement 7.2, which ensures that access to system components and data is defined and assigned according to the principle of least privilege. 
These logs verify that access to specific resources is properly managed and assigned to users according to their roles and responsibilities, ensuring that excessive or inappropriate permissions are not granted, and protecting the integrity of sensitive data and critical applications.', null, null, null, null, null, null, null, null, null, 805, true, 274, 'TEMPLATE', null, null, 'Windows Protected Object Permission Change', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1109, 'This report compiles relevant information from 4670 events (Permissions on an object were changed) generated in Windows, with the goal of verifying compliance with PCI DSS requirements 3.1 and 3.1.1. This requirement establishes that processes and mechanisms for protecting stored account data must be defined and understood, and that related security policies and procedures must be documented, up-to-date, in use, and known to all affected parties.

Event 4670 allows you to audit changes made to the permissions of audit objects, providing visibility into changes in access and rights related to sensitive data. This event allows you to identify whether any changes have been made to access permissions on stored account data, ensuring that these changes align with established security policies and that access is appropriate and controlled.', null, null, null, null, null, null, null, null, null, 802, true, 274, 'TEMPLATE', null, null, 'Windows Protected Object Permission Change', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1102, 'This report gathers relevant information from 4670 events (Permissions on an object were changed) generated in Windows, with the purpose of verifying compliance with PCI DSS Requirement 2.1.1. This requirement mandates that all security policies and operating procedures be documented, up-to-date, in use, and known to all affected parties.

Event 4670 allows you to audit changes to permissions on critical system objects, including configuration files and security policies, ensuring that only authorized users can modify these elements and that the integrity of security configurations is maintained in accordance with established policies.', null, null, null, null, null, null, null, null, null, 801, true, 274, 'TEMPLATE', null, null, 'Windows Protected Object Permission Change', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1056, 'This report compiles relevant information from logs generated by Windows event 4670, which records changes in access permissions to system objects, such as files or directories. Although this event is related to auditing access and security permission changes, it can be useful for verifying whether modifications to the network security infrastructure affect connections between the Cardholder Data Environment (CDE) and other networks, including wireless networks. Additionally, the logged information helps ensure that network and data flow diagrams are kept up-to-date and accurately reflect any changes to the environment, such as the assignment of permissions or access to systems that handle sensitive data. 
Proper auditing of these changes helps ensure that network diagrams and data flows remain consistent with changes made to the infrastructure.', null, null, null, null, null, null, null, null, null, 807, true, 274, 'TEMPLATE', null, null, 'Windows Protected Object Permission Change', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (651, 'This report collects and analyzes security events identified by ID 5145 on Windows systems. Event 5145 records detailed access to files and folders within network shares, providing relevant information on attempts to read, write, modify, or delete data that may contain ePHI (Electronic Protected Health Information). This event is essential for verifying compliance with HIPAA requirement 164.312(a)(1), which establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that maintain ePHI. 
This report facilitates the identification and monitoring of access to sensitive files, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 275, 'TEMPLATE', null, null, 'Windows Access to shared resource', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (716, 'This report supports compliance with the NIST CSF DE.CM-1 requirement, which establishes the need to continuously monitor network activity to identify potential malicious activity. By analyzing event ID 5145 on Windows systems, the report facilitates the monitoring of access to shared resources and files, which may reveal unauthorized attempts to manipulate or access sensitive data. 
Monitoring these types of events allows for the detection of unusual patterns or suspicious activity that could jeopardize the security of the network infrastructure, ensuring a swift response to threats and maintaining the integrity of systems and information.', null, null, null, null, null, null, null, null, null, 604, true, 275, 'TEMPLATE', null, null, 'Windows Access to shared resource', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1182, 'This report aggregates relevant information from Windows Event 4670 logs, which are generated when permissions are changed on a protected object on the system, such as files, folders, or other resources with specific security settings. The purpose of this report is to track and document changes to access permissions on sensitive objects, contributing to access control policy compliance and the protection of critical data in the environment. 
This information is essential for detecting and preventing unauthorized access to important resources, aligning with security best practices on Windows systems.', null, null, null, null, null, null, null, null, null, 809, true, 274, 'TEMPLATE', null, null, 'Windows Protected Object Permission Change', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1225, 'This report collects and analyzes object permission modification events (event ID 4670) on Windows systems to validate that access controls are properly implemented according to PCI DSS requirements A1.1.2 and A1.1.3. Through analysis of these logs, it is verified that each client only has permissions to their own cardholder information (CDE) and cannot access unassigned resources. 
Details are examined to support the assessment of data and resource segregation, ensuring that security controls are effective in multi-tenant environments and reducing the risk of unauthorized access.', null, null, null, null, null, null, null, null, null, 812, true, 274, 'TEMPLATE', null, null, 'Windows Protected Object Permission Change', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (951, 'This report compiles relevant information from the logs of Windows event 5145, which is generated when a file or folder on a network share is accessed. This event is crucial to verify compliance with CMMC''s Level 3 requirement (AU.3.045), which requires auditing of key events for compliance and incident response. By monitoring these logs, organizations can identify unauthorized access, data exfiltration attempts, or suspicious activity on shared resources. 
The analysis of these events allows us to strengthen security, detect possible internal or external threats and ensure the protection of sensitive information.', null, null, null, null, null, null, null, null, null, 513, true, 275, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Access to shared resource', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (902, e'The Windows Account Locks Report provides detailed logs of events where user accounts are locked due to failed login attempts or security policy enforcement. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as account locks can indicate brute force attacks, phishing attempts, or compromised accounts.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of account lock events to protect sensitive financial systems and customer data.
• Access Control Monitoring: Supports compliance with PCI DSS Requirement 8, ensuring that account lockouts are tracked and monitored to detect unauthorized access attempts.
• Real-Time Alerting: Captures and notifies administrators immediately when accounts are locked, enabling rapid investigation and response to potential threats.
• Incident Detection: Identifies patterns of suspicious login attempts, such as brute force attacks or repeated lockouts, which may indicate targeted attacks or misuse.
• Audit Readiness: Tracks all account lock events, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating robust access management practices.', null, null, null, null, null, null, null, null, null, 701, true, 276, 'TEMPLATE', null, null, 'Windows Account Locks', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1085, 'This report compiles relevant information from Windows event 4740 logs, which relates to user account lockouts due to failed login attempts. It is used to verify compliance with PCI DSS Requirements, which mandates that anti-spoofing measures must be implemented to detect and block spoofed source IP addresses attempting to access the trusted network. 
This event helps identify unauthorized attempts that could be related to phishing activities, helping to ensure that access to the trusted network is protected from attacks using spoofed or deceptive IP addresses.', null, null, null, null, null, null, null, null, null, 807, true, 276, 'TEMPLATE', null, null, 'Windows Account Locks', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1207, 'This report aims to assess compliance with PCI DSS requirement 11.4.3, which establishes that external penetration tests must be performed according to the organization''s defined methodology, at least once every 12 months, and after any significant change to the infrastructure or applications. Using Windows event 4740 logs, the report collects information on user account lockouts due to multiple failed login attempts, which may indicate penetration testing activities or unauthorized access attempts. This analysis verifies that external penetration tests are executed according to the organization''s defined methodology, ensuring compliance with the established frequency and with qualified personnel, whether internal or external, as required by PCI DSS. 
It also ensures that these tests are performed after any significant changes to the infrastructure or applications.', null, null, null, null, null, null, null, null, null, 810, true, 276, 'TEMPLATE', null, null, 'Windows Account Locks', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1189, 'This report compiles relevant information from Windows Event 4740 logs, which is generated when a user account is locked out due to failed authentication attempts. This event is key for monitoring changes to identification and authentication credentials, as it may indicate unauthorized access attempts or suspicious activity related to account management.

The report contributes to compliance with PCI DSS Requirement 10.2.1.5, which requires the capture of events related to account and credential changes, including account lockouts that may lead to privilege escalation attempts or improper access. Its analysis strengthens security in environments that process cardholder data and facilitates the detection and response to security incidents.', null, null, null, null, null, null, null, null, null, 809, true, 276, 'TEMPLATE', null, null, 'Windows Account Locks', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1173, 'Report that compiles relevant information from Windows Event 4740 logs to verify compliance with PCI DSS Requirement 8.3 on strong authentication. 
It addresses aspects such as multi-factor authentication, the use of strong cryptography, control of failed attempts and account lockouts, and password change and complexity policies, ensuring that best practices are followed to protect user credentials.', null, null, null, null, null, null, null, null, null, 808, true, 276, 'TEMPLATE', null, null, 'Windows Account Locks', '');
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (848, 'The Windows Access to Critical Files or Specific Directories Report provides detailed insights into access attempts—both successful and failed—on critical files and directories within the system. 
This report is a cornerstone for compliance within the Banking Audit framework, ensuring the protection of sensitive financial data and monitoring access to critical resources.', null, null, null, null, null, null, null, null, null, 703, true, 277, 'TEMPLATE', null, null, 'Windows Access to critical files or specific directories', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (865, e'The Windows Access to Critical Files or Specific Directories Report provides a detailed record of attempts—both successful and unsuccessful—to access sensitive files and directories. This report is essential for compliance within the Banking Audit framework, as it ensures visibility into access attempts and protects critical financial data from unauthorized access.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, ensuring oversight of file and directory access to protect sensitive financial information.
• Access Control Compliance: Supports compliance with PCI DSS Requirement 10, which mandates monitoring and logging of all access to critical resources to detect unauthorized activities.
• Audit Readiness: Tracks access to files and directories, providing traceability for frameworks like SOC2 Type 2 and ISO 27001, ensuring secure access management.
• Incident Detection: Identifies unauthorized or suspicious access attempts, such as attempts to copy, delete, or modify critical data, which could indicate insider threats or compromised accounts.
• Data Protection: Ensures compliance with GDPR Article 32, demonstrating controls to monitor and restrict access to sensitive financial data, protecting it from unauthorized processing.', null, null, null, null, null, null, null, null, null, 701, true, 277, 'TEMPLATE', null, null, 'Windows Access to critical files or specific directories', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1200, 'This report focuses on assessing compliance with PCI DSS requirement 11.1.2, which relates to the documentation, assignment, and understanding of roles and responsibilities for security testing activities. By analyzing logs generated by Windows event 4733, any changes to user roles can be verified, specifically the removal of a member from a security group, which is relevant to ensuring that security responsibilities are correctly assigned. 
This report ensures that the management of roles and privileges within the system remains aligned with the security processes defined and understood by all involved parties.', null, null, null, null, null, null, null, null, null, 810, true, 321, 'TEMPLATE', null, null, 'Windows Local Security Group Member Removal', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (654, 'This report collects and analyzes security events identified by ID 4663 on Windows systems. Event 4663 records access to security objects, providing relevant information about the reading, writing, or deletion of protected files or resources within a system containing ePHI (Electronic Protected Health Information). This event is essential for verifying compliance with HIPAA requirement 164.312(a)(1), which establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that maintain ePHI. 
This report facilitates the identification and monitoring of access to sensitive resources, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 277, 'TEMPLATE', null, null, 'Windows Access to critical files or specific directories', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (917, e'The Windows Access to Critical Files or Specific Directories report provides detailed logs of events where users or processes access sensitive files or directories. This report is crucial for monitoring unauthorized access, ensuring compliance with security policies, and detecting potential threats to system integrity and data confidentiality.
• Regulatory Compliance: Supports standards such as PCI DSS, HIPAA, and ISO 27001, by logging access to critical files and directories, ensuring adherence to data protection and access control requirements.
• Sensitive Data Monitoring: Tracks access attempts to protected files or directories to ensure that only authorized users or processes can read, modify, or delete sensitive information.
• Event Correlation: Links file and directory access events with user accounts, processes, and originating systems to build a comprehensive security and audit trail.
• Real-Time Alerts: Sends immediate notifications for access attempts to critical files or directories, particularly for unauthorized users, allowing administrators to respond promptly to potential security incidents.
• Incident Detection: Identifies suspicious activities, such as repeated access attempts by unauthorized accounts, which may indicate insider threats, malware, or misconfigurations.
• Audit Readiness: Records detailed information about each access event, including the file or directory accessed, the user or process involved, the type of access (read, write, delete), and the timestamp, ensuring robust documentation for compliance and investigations.', null, null, null, null, null, null, null, null, null, 702, true, 277, 'TEMPLATE', null, null, 'Windows Access to critical files or specific directories', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1114, 'This report compiles relevant information from 4663 events (An attempt was made to access an object) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 3.2. This requirement establishes that account data storage must be kept to a minimum, through the implementation of appropriate policies, procedures, and processes for data retention and deletion.

Event 4663 allows for auditing attempts to access objects in the system, providing visibility into the processes for manipulating stored data. This event can detect unauthorized or inappropriate access to sensitive account data, which could indicate unnecessary storage or a failure to comply with data retention policies. Additionally, this event helps verify that secure deletion processes or the disabling of stored data are being carried out in accordance with defined policies, thereby minimizing the risk of information exposure beyond the time necessary to comply with legal, regulatory, or business requirements.', null, null, null, null, null, null, null, null, null, 802, true, 277, 'TEMPLATE', null, null, 'Windows Access to critical files or specific directories', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1212, 'This report gathers relevant information from 4663 events in Windows logs, which are essential for verifying compliance with PCI DSS Requirement 12.1, which establishes that the information security policy must be known and updated. 4663 events are generated when attempts are made to access files or directories, which is critical to ensuring that information security policies are effectively applied to the entity''s information assets.

By analyzing these events, it is possible to verify that the information security policy is established, published, maintained, and appropriately disseminated to all relevant personnel, including suppliers and business partners, as required by the PCI DSS standard. Furthermore, the logs verify that the policy is reviewed at least every 12 months and updated in response to changes in business risks and objectives. This analysis also confirms that security responsibilities are clearly defined for all staff and that ultimate responsibility rests with a CISO or security executive with the necessary expertise.', null, null, null, null, null, null, null, null, null, 811, true, 277, 'TEMPLATE', null, null, 'Windows Access to critical files or specific directories', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1208, 'This report assesses compliance with PCI DSS Requirement 11.5.2, which requires a change detection mechanism (e.g., file integrity monitoring tools) to alert staff of unauthorized modifications (including changes, additions, and deletions) to critical files. Using Windows Event 4663 logs, the report compiles information on access and actions performed on critical files, providing evidence of modification and access activity. 
This analysis ensures that the change detection mechanism is properly configured to perform comparisons of critical files at least once a week and alerts staff of any unauthorized actions, thereby contributing to the protection and integrity of key files for PCI DSS compliance.', null, null, null, null, null, null, null, null, null, 810, true, 277, 'TEMPLATE', null, null, 'Windows Access to critical files or specific directories', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1181, 'This report compiles relevant information from Windows event 4663 logs, which document access to system audit logs. Its objective is to verify that all activity related to access to audit logs is captured, in compliance with PCI DSS requirement 10.2.1.3. 
This control ensures the integrity and traceability of access to audit logs, enabling the detection of potential unauthorized access and facilitating forensic analysis of events.', null, null, null, null, null, null, null, null, null, 809, true, 277, 'TEMPLATE', null, null, 'Windows Access to critical files or specific directories', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1055, 'This report compiles relevant information from logs generated by Windows event 4663, which records access to specific files and directories. Although this event is not directly related to network diagrams, it can be useful for monitoring access to key files or resources that may contain critical information related to the network infrastructure or account data flow. 
Auditing these accesses allows you to verify that modifications to the network environment, such as changes to service or protocol configurations, are being appropriately monitored, which helps keep network and data flow diagrams up to date with changes in the environment.', null, null, null, null, null, null, null, null, null, 807, true, 277, 'TEMPLATE', null, null, 'Windows Access to critical files or specific directories', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1054, 'This report compiles relevant information from logs generated by Windows event 4657, which records configuration changes to security objects or system policies. This event is essential for auditing and verifying that changes made to network connection configurations and network security controls (NSC) have been made appropriately and in accordance with established control processes. 
This event ensures that all changes are approved and managed according to appropriate procedures, ensuring that the security infrastructure remains effective and free from unnecessary risks.', null, null, null, null, null, null, null, null, null, 807, true, 322, 'TEMPLATE', null, null, 'Windows Registry Value Modification', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (888, e'The Windows Special Privileges Assigned to New Logon Report provides a detailed record of logon events where special privileges, such as administrative or elevated rights, are assigned to users. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as the misuse of special privileges can pose significant security risks.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of privilege assignment to protect financial systems and sensitive customer data.
• Access Control Monitoring: Supports compliance with PCI DSS Requirement 7, ensuring that privileged access is restricted to authorized users and monitored for unauthorized assignments.
• Real-Time Alerting: Captures and alerts administrators of special privilege assignments in real-time, enabling immediate action to mitigate risks.
• Incident Detection: Identifies suspicious or unauthorized privilege assignments, which could indicate insider threats, privilege escalation, or account compromise.
• Audit Readiness: Provides traceability of privileged logon events, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating robust access management.', null, null, null, null, null, null, null, null, null, 701, true, 278, 'TEMPLATE', null, null, 'Windows Special privileges assigned to new logon', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1135, 'This report presents information extracted from Windows event 4672 logs, used to verify compliance with PCI DSS Requirement 6.1. Event 4672 is generated when a user gains administrative privileges, which is crucial to ensure that the security policies and procedures defined in Requirement 6 are documented, up-to-date, in use, and known to all affected parties. It also helps verify that roles and responsibilities related to the management and secure development of systems and software are clearly assigned and understood. 
Reviewing this event ensures that security configurations and practices are aligned with organizational policies and defined responsibilities for system security.', null, null, null, null, null, null, null, null, null, 806, true, 278, 'TEMPLATE', null, null, 'Windows Special privileges assigned to new logon', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (659, 'This report collects and analyzes security events identified by ID 4672 on Windows systems. Event 4672 records the assignment of special privileges to users, such as administrator privileges or access to critical system functions. These events provide key information about who has been granted elevated permissions and when, which is critical for verifying compliance with the HITRUST CSF 01.v requirement, which mandates the logging of key system activities. 
This report facilitates the identification and auditing of changes in access privileges, ensuring that access to critical system functions is monitored and controlled, and that all key activities are properly logged to maintain security and regulatory compliance.', null, null, null, null, null, null, null, null, null, 601, true, 278, 'TEMPLATE', null, null, 'Windows Special privileges assigned to new logon', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (919, e'The Windows Special Privileges Assigned to New Logon report provides detailed logs of events where special privileges are granted to a user during the logon process. This report is critical for tracking privilege escalations, detecting unauthorized access, and ensuring compliance with access control policies.
• Regulatory Compliance: Supports frameworks like PCI DSS, ISO 27001, and SOC2, by documenting privilege assignments at logon to ensure adherence to least privilege principles and audit requirements.
• Privilege Management Monitoring: Tracks the assignment of privileges such as SeDebugPrivilege, SeTakeOwnershipPrivilege, or SeBackupPrivilege, which could be misused if assigned improperly.
• Event Correlation: Links privilege assignment events with user accounts, originating systems, and subsequent activities, providing a comprehensive audit trail for security analysis.
• Real-Time Alerts: Notifies administrators of special privilege assignments to users, especially for privileged accounts, enabling immediate investigation of potential threats.
• Incident Detection: Identifies suspicious privilege assignments, such as repeated assignments to the same user or assignments outside of expected workflows, which may indicate insider threats or configuration errors.
• Audit Readiness: Logs comprehensive details, including the user or account, the privileges assigned, the logon session ID, and the timestamp, ensuring robust records for compliance and investigations.', null, null, null, null, null, null, null, null, null, 702, true, 278, 'TEMPLATE', null, null, 'Windows Special privileges assigned to new logon', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1075, 'This report collects 4672 events generated by the Windows system, which records logons of accounts with elevated privileges. Analysis of these events is essential to verify compliance with PCI DSS requirements, ensuring that the roles and responsibilities of users with special privileges are clearly documented, assigned, and understood. 
Additionally, it provides visibility into the activities performed by users with administrative privileges, ensuring that access and permissions are assigned appropriately, in accordance with defined security policies and operating procedures, and that activities are managed by the responsible individuals.', null, null, null, null, null, null, null, null, null, 807, true, 278, 'TEMPLATE', null, null, 'Windows Special privileges assigned to new logon', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1178, 'This report gathers relevant information from Windows Event 4672 logs, which indicates the assignment of special privileges to an account. Its purpose is to verify the enablement and activation of audit logs on all system components and environments that handle cardholder data, in compliance with PCI DSS requirements 10.2 and 10.2.1. 
It also facilitates the detection of unusual or suspicious activity and enables forensic analysis of events related to the use of elevated privileges.', null, null, null, null, null, null, null, null, null, 809, true, 278, 'TEMPLATE', null, null, 'Windows Special privileges assigned to new logon', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1167, 'This report collects and analyzes 4672 events (Special Privileges Assigned to a New Session) recorded in Windows logs to assess compliance with PCI DSS Requirement 8.2. It verifies the use of elevated privileges assigned to users and administrators, ensuring that each account has a unique ID and that privileged access is properly managed and controlled. 
It also monitors the use of shared accounts, the administration of account additions, deletions, and modifications, and the attribution of actions to individual users, ensuring strict account lifecycle management and compliance with authentication controls.', null, null, null, null, null, null, null, null, null, 808, true, 278, 'TEMPLATE', null, null, 'Windows Special privileges assigned to new logon', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (685, 'This report collects and analyzes security events identified by ID 4690 on Windows systems. Event 4690 records attempts to modify the permissions of protected objects, such as files, folders, or critical resources that may contain ePHI (Electronic Protected Health Information). This event is essential for verifying compliance with HIPAA requirement 164.312(a)(1), which establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that maintain ePHI. 
This report facilitates the identification and monitoring of changes in access permissions, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 279, 'TEMPLATE', null, null, 'Windows Failed logon attempt', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (703, 'This report supports compliance with the NIST CSF DE.CM-1 requirement, which establishes the need to continuously monitor network activities to detect malicious behavior. By analyzing event ID 4672 on Windows systems, this report allows monitoring of highly privileged account logins, which can be a critical point in network security. Monitoring these events helps identify potentially suspicious or unauthorized access, enabling a rapid response to malicious activity. 
This approach helps ensure the continuous protection and security of network assets.', null, null, null, null, null, null, null, null, null, 604, true, 278, 'TEMPLATE', null, null, 'Windows Special privileges assigned to new logon', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (859, e'The Windows Failed Logon Attempt Report provides detailed logs of unsuccessful login attempts, capturing essential information such as the user account, timestamp, source IP address, and reason for failure. This report is crucial within the Banking Audit framework, ensuring visibility into unauthorized access attempts and supporting compliance with stringent security regulations.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, ensuring oversight of failed logon attempts to protect financial systems and sensitive customer data.
• Access Control Compliance: Supports compliance with PCI DSS Requirement 10, which mandates logging and monitoring of access attempts, successful or failed, to detect unauthorized activities.
• Audit Readiness: Tracks failed logon attempts, providing traceability for frameworks like SOC2 Type 2 and ISO 27001, ensuring accountability in access management.
• Incident Detection: Identifies patterns of unauthorized access attempts, such as brute force attacks, password spraying, or account enumeration efforts.
• Data Protection: Ensures compliance with GDPR Article 32, showcasing controls to monitor and restrict unauthorized access attempts to systems handling sensitive financial data.', null, null, null, null, null, null, null, null, null, 703, true, 279, 'TEMPLATE', null, null, 'Windows Failed logon attempt', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (843, 'The Windows Policy Changes Report provides a comprehensive record of system policy modifications, including changes to group policies, security configurations, and access controls. This report is critical within the Banking Audit framework, ensuring traceability and compliance with regulatory requirements by monitoring configuration changes that could impact the security of financial systems.', null, null, null, null, null, null, null, null, null, 703, true, 280, 'TEMPLATE', null, null, 'Windows Policy changes', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (683, 'This report collects and analyzes security events identified by ID 4719 on Windows systems. 
Event 4719 records changes to the system''s audit policy configuration, providing relevant information for verifying compliance with HIPAA requirement 164.312(a)(1). This requirement establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that store or process ePHI (Electronic Protected Health Information). This report facilitates the identification and monitoring of audit policy changes, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 280, 'TEMPLATE', null, null, 'Windows Policy changes', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1110, 'This report compiles relevant information from events 4719 (System audit policy was changed) generated in Windows, with the goal of verifying compliance with PCI DSS requirements 3.1 and 3.1.1. This requirement establishes that processes and mechanisms for protecting stored account data must be defined and understood, and that related security policies and procedures must be documented, up-to-date, in use, and known to all affected parties.

Event 4719 allows auditing of changes made to system audit policy settings, which is crucial to ensuring that audit policies remain appropriate, up-to-date, and aligned with security requirements. This event allows verification that system audit settings are being reviewed and managed correctly, which contributes to maintaining traceability and control over activities related to stored account data.', null, null, null, null, null, null, null, null, null, 802, true, 280, 'TEMPLATE', null, null, 'Windows Policy changes', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1106, 'This report compiles relevant information from 4719 events (System audit policy was changed) generated in Windows, with the goal of verifying compliance with PCI DSS requirement 2.2.6, which requires that system security parameters be configured to prevent misuse.

Event 4719 allows you to audit changes to the system audit policy, providing visibility into modifications that could weaken security or allow unauthorized access. This event can detect unauthorized changes in audit logs, ensuring that security configurations remain aligned with best practices and compliance standards.', null, null, null, null, null, null, null, null, null, 801, true, 280, 'TEMPLATE', null, null, 'Windows Policy changes', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1195, 'This report gathers and analyzes security events associated with Windows Event 4719, which indicates changes to the system''s audit configuration. The information provided allows verification of the application and updating of security policies in accordance with PCI DSS Requirement 11.1.1, ensuring that operational and security procedures are documented, up-to-date, in use, and known to affected parties.

Analyzing these events helps detect unauthorized or unexpected modifications to audit controls, ensuring the integrity of monitoring mechanisms and validating that security processes are regularly evaluated.', null, null, null, null, null, null, null, null, null, 810, true, 280, 'TEMPLATE', null, null, 'Windows Policy changes', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1176, 'This report compiles relevant information from Windows Event 4719 logs, which indicate changes to system audit policy settings. Its purpose is to verify the activation and maintenance of audit logs on all system components and environments that process cardholder data, in compliance with PCI DSS requirements 10.2 and 10.2.1. 
It also facilitates the detection of unauthorized modifications to audit policies, contributing to the identification of suspicious activity and forensic analysis of events.', null, null, null, null, null, null, null, null, null, 809, true, 280, 'TEMPLATE', null, null, 'Windows Policy changes', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1147, 'This report collects and analyzes Windows 4719 events, which record changes to the system''s audit policy. Its purpose is to assess compliance with PCI DSS Requirement 7.1, ensuring that processes and mechanisms for restricting access to system components and cardholder data are defined, understood, and in use. Monitoring these events can detect unauthorized changes to audit policies, ensuring they are documented, updated, and effectively enforced.', null, null, null, null, null, null, null, null, null, 805, true, 280, 'TEMPLATE', null, null, 'Windows Policy changes', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1068, 'This report consolidates the 4719 events generated by the Windows system, which record changes to the system audit policy configuration. 
Analysis of these events is key to verifying compliance with PCI DSS requirements, ensuring that audit policies related to the installation and maintenance of security controls are documented, up-to-date, and in use according to defined operating procedures. Additionally, it provides visibility into the adequacy and consistency of audit configurations, ensuring that security practices stipulated by organizational policies are followed.', null, null, null, null, null, null, null, null, null, 807, true, 280, 'TEMPLATE', null, null, 'Windows Policy changes', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1132, 'This report collects and analyzes information from Windows event 4719, which indicates changes to system audit settings. Since event monitoring and logging are critical for detecting malicious activity, this report assesses compliance with PCI DSS Requirement 5.1, ensuring that processes and mechanisms for protecting systems and networks against malicious software are properly defined and operational.

Analyzing these events can identify unauthorized modifications to audit policies, which could compromise the ability to detect and respond to security threats.', null, null, null, null, null, null, null, null, null, 804, true, 280, 'TEMPLATE', null, null, 'Windows Policy changes', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (679, 'This report collects and analyzes security events identified by ID 4648 on Windows systems. Event 4648 records explicit authentication attempts using programmatically provided credentials, providing relevant information for verifying compliance with HIPAA requirement 164.312(a)(1). This requirement establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that store or process ePHI (Electronic Protected Health Information). 
This report facilitates the identification of authenticated access and contributes to the implementation and monitoring of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 281, 'TEMPLATE', null, null, 'Windows Logins with explicit credentials', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (711, 'This report supports compliance with the NIST CSF DE.CM-1 requirement, which establishes the need to continuously monitor network activity to detect malicious activity. By analyzing event ID 4719 on Windows systems, this report facilitates the monitoring of changes to security audit policies, which may indicate unauthorized adjustments that could compromise log integrity or conceal malicious activity. 
Monitoring these types of events can detect suspicious changes to security settings, strengthening incident response capabilities and ensuring constant surveillance of the network infrastructure.', null, null, null, null, null, null, null, null, null, 604, true, 280, 'TEMPLATE', null, null, 'Windows Policy changes', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (841, 'The Windows Logins with Explicit Credentials Report provides a detailed record of login events where explicit credentials (e.g., usernames and passwords) were used. This report plays a vital role in ensuring compliance within the Banking Audit framework by monitoring authentication activities and safeguarding sensitive financial systems.', null, null, null, null, null, null, null, null, null, 703, true, 281, 'TEMPLATE', null, null, 'Windows Logins with explicit credentials', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (892, e'The Windows Logins with Explicit Credentials Report provides a detailed record of logon events where users explicitly supply credentials, including remote or delegated authentication attempts. 
This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as explicit credential use can be targeted in attacks like pass-the-hash or credential theft.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of logins with explicit credentials to protect sensitive financial systems and customer data.
• Access Control Monitoring: Supports compliance with PCI DSS Requirement 8, ensuring secure authentication practices and monitoring of logon events involving credential entry.
• Real-Time Alerting: Captures and alerts administrators of explicit credential logins, particularly from untrusted or unusual sources, in real-time for rapid response.
• Incident Detection: Identifies suspicious or unauthorized use of explicit credentials, which could indicate credential theft, phishing, or misuse of privileged accounts.
• Audit Readiness: Tracks all logins with explicit credentials, providing traceability for frameworks like SOC2 Type 2 and ISO 27001, ensuring secure and accountable access management.', null, null, null, null, null, null, null, null, null, 701, true, 281, 'TEMPLATE', null, null, 'Windows Logins with explicit credentials', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (924, e'The Windows Logins with Explicit Credentials report provides detailed logs of events where users or applications perform logins using explicit credentials. This report is essential for monitoring account usage, detecting unauthorized access, and ensuring compliance with security frameworks.
• Regulatory Compliance: Supports frameworks such as PCI DSS, ISO 27001, and SOC2, by documenting logins with explicit credentials to ensure adherence to access control policies and audit requirements.
• Credential Management Monitoring: Tracks logins where explicit credentials are supplied, ensuring such access aligns with internal security policies and identifying unauthorized credential usage.
• Event Correlation: Links login events with explicit credentials to the originating user, process, and system, providing a comprehensive audit trail for security analysis and compliance.
• Real-Time Alerts: Sends notifications for logins with explicit credentials, especially for sensitive accounts or from untrusted sources, enabling rapid response to potential threats.
• Incident Detection: Identifies anomalies, such as repeated login attempts with explicit credentials, use of outdated or compromised credentials, or logins originating from unusual locations or systems.
• Audit Readiness: Logs detailed information, including the account used, the user or process initiating the login, the target system, and the timestamp, ensuring robust records for investigations and audits.', null, null, null, null, null, null, null, null, null, 702, true, 281, 'TEMPLATE', null, null, 'Windows Logins with explicit credentials', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1076, 'This report collects 4648 events generated by the Windows system, which record authentication attempts using specific user account credentials. Analysis of these events is crucial to verify compliance with PCI DSS requirements, ensuring that roles and responsibilities for authentication and access to critical systems are clearly documented, assigned, and understood by all responsible parties. 
Additionally, the report provides visibility into authentication attempts involving specific credentials, ensuring that access is managed appropriately and in line with defined security policies and operational procedures.', null, null, null, null, null, null, null, null, null, 807, true, 281, 'TEMPLATE', null, null, 'Windows Logins with explicit credentials', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1145, 'This report collects and analyzes relevant information from Windows event 4648 logs, which record the use of explicit credentials for authentication on the system. Its objective is to assess compliance with PCI DSS Requirement 6.4, ensuring that public web applications are protected against attacks. Analysis of these events allows for the detection of suspicious authentication attempts, misuse of privileged credentials, or potential phishing attacks. It also reviews whether access controls, authentication management, and credential protection mechanisms comply with security best practices to minimize exploitation risks. 
This approach contributes to the early detection of threats, ensuring the protection of web applications against vulnerabilities and aligning them with the security controls required by PCI DSS.', null, null, null, null, null, null, null, null, null, 806, true, 281, 'TEMPLATE', null, null, 'Windows Logins with explicit credentials', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1221, 'This report compiles relevant information from Windows 4648 events, which record login attempts with explicit credentials, which is crucial for the early detection of potential security incidents. The report validates compliance with PCI DSS 12.10, which states that suspected or confirmed security incidents that may affect the Card Data Environment (CDE) must be responded to immediately.

4648 events provide evidence of access and actions that could be related to security incidents, facilitating rapid detection and response. The report also verifies that the incident response plan is up-to-date, tested, and ready to be activated when necessary. It also confirms that specific people have been designated to respond to security incidents 24/7 and that the personnel responsible for these incidents have been regularly trained. The report includes monitoring and response strategies for security systems, such as intrusion detection systems, network security controls, and mechanisms for detecting changes to critical files.', null, null, null, null, null, null, null, null, null, 811, true, 281, 'TEMPLATE', null, null, 'Windows Logins with explicit credentials', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1230, 'This report collects and analyzes explicit credentials login events (Event ID 4648) on Windows systems to assess compliance with PCI DSS Requirement A1.2.2, which establishes the implementation of processes and mechanisms to facilitate rapid forensic investigations in the event of a suspected or confirmed security incident. Event 4648 is generated when a login process uses explicit credentials to authenticate a session, which may indicate unusual or suspicious access requiring further investigation. This analysis verifies that mechanisms are in place to support the collection and analysis of relevant logs, enabling timely forensic investigations in the event of security incidents. 
The findings in this report ensure that the system is configured to provide the necessary information for incident resolution and support security investigations, aligning with PCI DSS controls for incident response and evidence preservation.', null, null, null, null, null, null, null, null, null, 812, true, 281, 'TEMPLATE', null, null, 'Windows Logins with explicit credentials', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (704, 'This report supports compliance with the NIST CSF DE.CM-1 requirement, which establishes the need for continuous monitoring of network activity to detect malicious activity. By analyzing event ID 4648 on Windows systems, this report facilitates the monitoring of login attempts using credentials from a different account, which may indicate anomalous or malicious behavior. 
This continuous monitoring allows suspicious activity to be identified and preventive or corrective actions to be taken in a timely manner, contributing to network protection and system security.', null, null, null, null, null, null, null, null, null, 604, true, 281, 'TEMPLATE', null, null, 'Windows Logins with explicit credentials', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (709, 'This report supports compliance with the NIST CSF DE.CM-1 requirement, which establishes the need to continuously monitor network activity for malicious activity. By analyzing events identified by IDs 4768, 4769, and 4771 on Windows systems, this report facilitates the monitoring of authentication attempts in the network environment, including failures and errors related to account authentication. 
Monitoring these events allows for the identification of unusual or suspicious patterns that could indicate malicious activity, facilitating a rapid and proactive response to potential security incidents.', null, null, null, null, null, null, null, null, null, 604, true, 283, 'TEMPLATE', null, null, 'Windows Kerberos ticket requests', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (849, e'The Windows Connection Blocked by Windows Firewall Report provides a detailed overview of network connection attempts that were denied by the firewall. This report is a critical compliance tool within the Banking Audit framework, helping organizations monitor and enforce network security policies while safeguarding sensitive financial systems.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, ensuring the protection of customer information by monitoring and controlling unauthorized network activity.
• Network Security Compliance: Supports compliance with PCI DSS Requirement 1, which mandates the implementation of robust firewall configurations to secure sensitive networks.
• Audit Readiness: Documents blocked connections, providing evidence for frameworks like SOC2 Type 2 and ISO 27001, demonstrating proper enforcement of network access policies.
• Incident Detection: Identifies repeated or suspicious connection attempts, which could indicate network scanning, unauthorized access attempts, or malicious activity.
• Data Protection: Ensures compliance with GDPR Article 32, showcasing controls that protect sensitive data by preventing unauthorized network connections to critical systems.', null, null, null, null, null, null, null, null, null, 703, true, 313, 'TEMPLATE', null, null, 'Windows Connection blocked by Windows Firewall', null); INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (850, e'The Windows Changes in Account Status Report provides a detailed record of all modifications to user account status, such as activations, deactivations, or lockouts. This report is critical within the Banking Audit framework to ensure compliance with access control policies and to protect sensitive financial systems.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, ensuring proper monitoring and control over account status changes to safeguard customer information.
• Access Control Compliance: Supports compliance with PCI DSS Requirement 8, ensuring that account status changes are tracked, authorized, and appropriately managed.
• Audit Readiness: Provides traceability for account status modifications, meeting the requirements of frameworks like SOC2 Type 2 and ISO 27001, ensuring secure account management.
• Incident Detection: Identifies unauthorized or suspicious account status changes, such as unexpected activations or lockouts, which could indicate compromised accounts or insider threats.
• Data Protection: Ensures compliance with GDPR Article 32, demonstrating controls to monitor and restrict unauthorized changes to account status that could expose sensitive financial data.', null, null, null, null, null, null, null, null, null, 703, true, 282, 'TEMPLATE', null, null, 'Windows Changes in account status', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (698, 'This report supports compliance with the NIST CSF PR.DS-3 requirement, which mandates protective monitoring of data at rest and in transit. By analyzing events identified by IDs 4768, 4769, and 4771 on Windows systems, this report facilitates the oversight of processes related to authentication and access to protected resources. By monitoring authentication attempts and Kerberos ticket requests, it ensures that access to sensitive data is properly managed and logged. 
This contributes to protecting the confidentiality, integrity, and availability of data, ensuring effective monitoring of critical activities and compliance with established security policies.', null, null, null, null, null, null, null, null, null, 601, true, 283, 'TEMPLATE', null, null, 'Windows Kerberos ticket requests', ''); INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (851, e'The Windows Kerberos Ticket Requests Report provides detailed records of Kerberos ticket requests, including Ticket Granting Ticket (TGT) and service ticket activities. This report is essential for ensuring compliance within the Banking Audit framework, as it helps monitor authentication activities and detect potential security risks.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, ensuring oversight of authentication processes to protect customer information and secure financial systems.
• Authentication Compliance: Supports compliance with PCI DSS Requirement 8, demonstrating that strong authentication mechanisms like Kerberos are effectively managed and monitored.
• Audit Readiness: Provides traceability of authentication events, meeting requirements for frameworks like SOC2 Type 2 and ISO 27001, ensuring secure credential management.
• Incident Detection: Identifies suspicious or unauthorized Kerberos ticket requests, such as anomalies in TGT or service ticket usage, which could indicate compromised accounts or privilege escalation attempts.
• Data Protection: Ensures compliance with GDPR Article 32, showcasing controls that restrict unauthorized access and secure sensitive data through proper authentication tracking.', null, null, null, null, null, null, null, null, null, 703, true, 283, 'TEMPLATE', null, null, 'Windows Kerberos ticket requests', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1058, 'This report compiles relevant information from the logs generated by Windows events 4768, 4769, and 4771, which are related to the Kerberos authentication process on the system. Events 4768 and 4769 are generated when a Kerberos authentication ticket is issued and when a user attempts to authenticate using a Kerberos ticket, respectively. Event 4771 is generated when Kerberos authentication fails.

These events are important for verifying compliance with PCI DSS as they allow auditing authentication attempts and the validity of access tickets for services, protocols, and ports used. By reviewing these events, it is possible to ensure that the services and protocols in use are properly configured with defined security features, such as secure authentication using Kerberos, and that access attempts are not insecure or unauthorized. This helps mitigate the risks associated with using services and protocols that could be vulnerable if not properly protected by security controls.', null, null, null, null, null, null, null, null, null, 807, true, 283, 'TEMPLATE', null, null, 'Windows Windows Kerberos ticket requests', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1172, 'This report collects and analyzes events 4768 (Kerberos Authentication Ticket Request), 4769 (Kerberos Authentication Ticket Grant), and 4771 (Kerberos Authentication Ticket Grant Attempt Failed) in the Windows logs to verify compliance with PCI DSS Requirement 8.3. Specifically, it reviews the use of strong authentication for users and administrators, ensuring that system access is validated using factors such as passwords, token devices, or smart cards, and that authentication factors are encrypted both in transit and in storage. It also verifies that restrictions are applied to failed authentication attempts, with a maximum of 10 attempts and user lockouts as established. 
The password policy is evaluated, ensuring that they are unique, changed regularly, and of appropriate complexity, complying with PCI DSS guidelines. In addition, it ensures that authentication factors such as smart cards or tokens are individually assigned and that physical and logical controls exist for their exclusive use.', null, null, null, null, null, null, null, null, null, 808, true, 283, 'TEMPLATE', null, null, 'Windows Kerberos ticket requests', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (705, 'This report contributes to compliance with the NIST CSF DE.CM-1 requirement, which establishes the need to continuously monitor network activity to detect malicious activity. By analyzing event ID 4688 on Windows systems, this report allows monitoring the creation of new processes on the system, which may indicate the execution of malicious software or unauthorized activity. 
This continuous monitoring facilitates early threat detection and enables a rapid response to potential security incidents, helping to maintain the integrity and security of the network and systems.', null, null, null, null, null, null, null, null, null, 604, true, 284, 'TEMPLATE', null, null, 'Windows Process Creation', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1161, 'This report compiles relevant information from Windows events 4768, 4769, and 4771, which are related to the user authentication process via the Kerberos protocol, used for access management on Windows systems. These events provide key information for verifying compliance with PCI DSS Requirement 7.3, which establishes that access to system components and data must be managed through an access control system.

Event 4768: Indicates the issuance of a Kerberos Authentication Ticket (TGT), confirming that a user has been authenticated to the system.
Event 4769: Records the issuance of a Kerberos Service Ticket, detailing authorized access to specific applications or services.
Event 4771: Reports failures in the Kerberos authentication attempt, providing information on unauthorized access. These events allow for auditing the authentication and access control process in systems, ensuring that only authenticated and authorized users can access resources, in accordance with PCI DSS access control principles. This report is essential for validating that access to systems and data is being properly managed and audited.', null, null, null, null, null, null, null, null, null, 805, true, 283, 'TEMPLATE', null, null, 'Windows Kerberos ticket requests', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (680, 'This report collects and analyzes security events identified by ID 4688 on Windows systems. Event 4688 records the creation of new processes, providing relevant information for verifying compliance with HIPAA requirement 164.312(a)(1). This requirement establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that store or process ePHI (Electronic Protected Health Information). 
This report facilitates the identification of executed processes, their origin, and associated permissions, contributing to the implementation and monitoring of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 284, 'TEMPLATE', null, null, 'Windows Process Creation', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (895, e'The Windows Process Creation Report provides detailed logs of events where processes are initiated on a system, including the name, execution path, user, and timestamp. This report is essential for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as monitoring process creation helps detect unauthorized or malicious activities.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of process creation to protect financial systems and sensitive customer data.
• Threat Detection: Identifies suspicious or unauthorized processes, such as malware execution, privilege escalation attempts, or unauthorized script launches.
• Real-Time Alerting: Captures and notifies administrators in real-time of process creation events that deviate from normal behavior, enabling immediate investigation.
• Audit Readiness: Tracks all process creation activities, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating robust monitoring of system activities.
• System Integrity: Supports compliance with PCI DSS Requirement 10, ensuring visibility into system-level activities for secure operations.', null, null, null, null, null, null, null, null, null, 701, true, 284, 'TEMPLATE', null, null, 'Windows Process Creation', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (920, e'The Windows Process Creation report provides detailed logs of events where new processes are created on a Windows system. This report is essential for monitoring system activities, detecting malicious behavior, and ensuring compliance with security frameworks.
• Regulatory Compliance: Supports frameworks such as PCI DSS, ISO 27001, and SOC2, by logging process creation events to provide an auditable trail of system activities.
• System Activity Monitoring: Tracks the creation of processes, ensuring that only legitimate applications and scripts are executed within the environment.
• Event Correlation: Links process creation events with user accounts, parent processes, command-line arguments, and originating systems to build a comprehensive security audit trail.
• Real-Time Alerts: Generates notifications for the creation of suspicious or unauthorized processes, allowing for rapid investigation and mitigation of potential threats.
• Incident Detection: Identifies anomalies, such as the execution of processes from unusual locations, processes spawned by suspicious parents, or unexpected command-line arguments, which may indicate malware or privilege abuse.
• Audit Readiness: Logs detailed information for each process creation, including the process name, parent process, user or account responsible, command-line arguments, and timestamp, ensuring robust records for compliance and investigations.', null, null, null, null, null, null, null, null, null, 702, true, 284, 'TEMPLATE', null, null, 'Windows Process Creation', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (663, 'This report collects and analyzes security events identified with ID 4688 on Windows systems. Event 4688 records the creation of new processes. These events are essential for verifying compliance with the HITRUST CSF 01.v requirement, which requires the logging of key system activities. 
This report facilitates the identification of critical process execution and allows you to audit system activity to ensure all key actions are monitored and logged, contributing to the implementation of appropriate security policies and system protection.', null, null, null, null, null, null, null, null, null, 601, true, 284, 'TEMPLATE', null, null, 'Windows Process Creation', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1134, 'This report collects and analyzes Windows 4688 events, which record the creation of new processes on the system. Since PCI DSS Requirement 5.4 establishes the need for protection mechanisms against phishing attacks, this report identifies the execution of suspicious or malicious processes related to phishing attempts, such as the opening of malicious scripts, dangerous attachments, or exploit tools.

Analyzing these events helps evaluate the effectiveness of implemented anti-phishing solutions, ensuring that threat detection and response controls are adequate and operational.', null, null, null, null, null, null, null, null, null, 804, true, 284, 'TEMPLATE', null, null, 'Windows Process Creation', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1115, 'This report compiles relevant information from 4688 events (A new process has been created) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 3.2. This requirement establishes that account data storage must be kept to a minimum through the implementation of appropriate policies, procedures, and processes for data retention and deletion.

Event 4688 allows the creation of new processes in the system to be audited, helping to identify activities that could generate, process, or store account data. This event allows you to verify that applications and processes that handle sensitive data are aligned with defined retention policies, ensuring that account data is retained only in the necessary locations and for the duration stipulated in the policies. Additionally, this event helps verify that, if the data is no longer needed, secure deletion or data deprecation processes are carried out in accordance with established procedures. This ensures that data storage is limited and complies with legal, regulatory, and business requirements, and that data is not retained beyond the required period.', null, null, null, null, null, null, null, null, null, 802, true, 284, 'TEMPLATE', null, null, 'Windows Process Creation', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1104, 'This report compiles relevant information from 4688 events (A new process has been created) generated in Windows, with the aim of verifying compliance with PCI DSS requirement 2.2.3. This requirement establishes that core functions requiring different levels of security must be managed appropriately, either by ensuring that each system contains only one core function, isolating functions with different security levels, or applying the highest security level if they share a single system.

Event 4688 allows the auditing of process creation in the system, providing visibility into which applications and services are running. Through this event, it is possible to identify processes associated with critical functions, verify the correct segmentation of tasks within systems, and detect potential misconfigurations that allow functions with different security levels to coexist in the same component.', null, null, null, null, null, null, null, null, null, 801, true, 284, 'TEMPLATE', null, null, 'Windows Process Creation', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1136, 'This report collects relevant information extracted from Windows event logs (Event 4688) used to verify compliance with PCI DSS Requirement 6.1. Requirement 6.1 establishes that processes and mechanisms for developing and maintaining secure systems and software must be defined and understood by all involved parties.

Event 4688 is generated each time a new process is started in the system, allowing tracking of program execution and role assignment. This information is critical for verifying that the security policies and operational procedures identified in Requirement 6.1.1 are being properly implemented. Specifically, this event verifies that policies related to software and process execution are documented, up-to-date, and in use.

Additionally, the event helps identify the assignment of roles and responsibilities within software processes, ensuring that the tasks described in Requirement 6.1.2, such as secure system development and maintenance activities, are documented, assigned, and understood by the responsible personnel.

The report generated with this information allows for auditing and validating that the actions of users and processes interacting with the system are consistent with the organization''s security policies and procedures, thus meeting PCI DSS requirements.', null, null, null, null, null, null, null, null, null, 806, true, 284, 'TEMPLATE', null, null, 'Windows Process Creation', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (700, 'This report contributes to compliance with the NIST CSF DE.CM-1 requirement, which establishes the need for continuous monitoring of network activity to detect malicious activity. By analyzing events identified by IDs 5140 and 5145 on Windows systems, this report facilitates the monitoring of connections and access to shared network resources. It allows for the identification of suspicious or potentially malicious behavior patterns, which helps mitigate risks and strengthen system security. 
This continuous monitoring ensures that security policies are in place, contributing to the protection of data and technological infrastructure.', null, null, null, null, null, null, null, null, null, 604, true, 285, 'TEMPLATE', null, null, 'Windows Network Access to shared resource', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1065, 'This report collects and analyzes the 4688 events generated by the Windows system, which record the creation and execution of critical processes. The analysis of these events is essential to ensure compliance with PCI DSS requirement, as it allows verifying that the processes related to the installation, configuration and maintenance of security controls are documented, updated and in proper use. 
In addition, it allows identifying the execution of relevant security tools and scripts, ensuring that operational practices are aligned with defined security policies and procedures.', null, null, null, null, null, null, null, null, null, 807, true, 284, 'TEMPLATE', null, null, 'Windows Process Creation', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1214, 'This report compiles relevant information from 4688 events in the Windows logs, which are generated each time a new process is created in the system. These events are essential for verifying compliance with PCI DSS Requirement 12.2.1, which establishes that acceptable use policies for end-user technologies must be documented and implemented.

Analyzing these events determines that explicit approvals from authorized authorities are being properly implemented, ensuring that users only use the technologies they have been authorized to use. Furthermore, the logs verify that acceptable use of technologies is being followed, verifying that users are only using approved tools for purposes permitted by the company. This includes both approved hardware and software usage, ensuring that the company maintains an up-to-date inventory of products permitted for employee use.

This report is critical to demonstrating that the company is compliant with PCI DSS regulations by ensuring that acceptable use policies for technology are effectively implemented and monitored through event logging in systems.', null, null, null, null, null, null, null, null, null, 811, true, 284, 'TEMPLATE', null, null, 'Windows Process Creation', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1206, 'This report aims to assess compliance with PCI DSS Requirement 11.3.1.3, which establishes that internal vulnerability scans must be performed after any significant change to system infrastructure. Using Windows event 4688 logs, which record the creation of new processes, the report gathers information on command execution and the installation of new applications or configurations that may indicate significant changes to the systems. This analysis verifies that, following these changes, internal vulnerability scans were performed to identify and resolve high-risk or critical vulnerabilities, in accordance with the risk classifications defined in PCI DSS Requirement 6.3.1. 
Furthermore, the report ensures that rescans are performed when necessary and that scans are conducted by qualified personnel, ensuring proper management and mitigation of vulnerabilities in the system environment following significant changes.', null, null, null, null, null, null, null, null, null, 810, true, 284, 'TEMPLATE', null, null, 'Windows Process Creation', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (898, e'The Windows Access to Shared Resources Report provides detailed logs of events where users or systems access shared resources, such as files, folders, printers, or shared drives. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as shared resource access can expose sensitive data if not properly monitored.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of shared resource access to protect sensitive financial systems and customer data.
• Access Control Monitoring: Supports compliance with PCI DSS Requirement 7, ensuring that access to shared resources is restricted to authorized users and activities are logged.
• Real-Time Alerting: Captures and notifies administrators immediately of unauthorized or suspicious access to shared resources, enabling rapid response to potential threats.
• Incident Detection: Identifies patterns of unauthorized access, excessive data downloads, or unusual access times, which may indicate insider threats or compromised accounts.
• Audit Readiness: Tracks all access events to shared resources, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating secure resource-sharing practices.', null, null, null, null, null, null, null, null, null, 701, true, 285, 'TEMPLATE', null, null, 'Windows Access to Shared Resources', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (922, e'The Windows Access to Shared Resources report provides detailed logs of events where users or systems access shared resources, such as files, folders, printers, or other network-shared assets on a Windows system. This report is essential for monitoring resource usage, detecting unauthorized access, and ensuring compliance with access control policies.
• Regulatory Compliance: Supports frameworks such as PCI DSS, HIPAA, and ISO 27001, by documenting access to shared resources, ensuring adherence to data protection and resource management standards.
• Resource Usage Monitoring: Tracks who accessed shared resources, when the access occurred, and the type of operations performed (read, write, delete, etc.), ensuring accountability and transparency.
• Event Correlation: Links shared resource access events with user accounts, originating systems, and subsequent activities, providing a comprehensive audit trail for analysis.
• Real-Time Alerts: Generates notifications for access attempts to critical shared resources, especially by unauthorized users or from untrusted systems, enabling immediate investigation.
• Incident Detection: Identifies suspicious activities, such as repeated unauthorized access attempts, access from unusual locations, or unexpected operations on shared resources, which may indicate insider threats or compromised accounts.
• Audit Readiness: Logs detailed information for each access event, including the resource accessed, the user or system performing the operation, the access type, and the timestamp, ensuring robust documentation for compliance and investigations.', null, null, null, null, null, null, null, null, null, 702, true, 285, 'TEMPLATE', null, null, 'Windows Access to Shared Resources', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1227, 'This report analyzes shared resource access and permission modification events (Event IDs 5140 and 5145) on Windows systems to assess compliance with PCI DSS Requirement A1.2, which relates to enabling auditing capabilities and incident response in multi-tenant environments. 
These events provide key information to ensure that auditing and incident response controls are effective, protecting the integrity of multi-tenant environments and complying with established security regulations.', null, null, null, null, null, null, null, null, null, 812, true, 285, 'TEMPLATE', null, null, 'Windows Network Access to shared resource', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (652, 'This report collects and analyzes security events identified by IDs 5140 and 5145 on Windows systems. Event 5140 records access to network shares, while event 5145 provides specific details about access to files and folders within those shares. Both events provide relevant information for verifying compliance with HIPAA requirement 164.312(a)(1), which establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that maintain ePHI (Electronic Protected Health Information). 
This report facilitates the identification and monitoring of access to shared resources, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 285, 'TEMPLATE', null, null, 'Windows Network Access to shared resource', '');
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (852, e'The Windows Use of Elevated Privileges Report provides a comprehensive log of actions performed using elevated or administrative privileges. This report is critical for ensuring compliance within the Banking Audit framework, helping organizations monitor privileged user activities and safeguard sensitive financial systems.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, demonstrating oversight and control over the use of administrative privileges to protect customer data.
• Access Control Compliance: Supports compliance with PCI DSS Requirement 7, ensuring that elevated privileges are restricted and monitored to prevent unauthorized access to critical resources.
• Audit Readiness: Documents all privileged operations, meeting the requirements of frameworks like SOC2 Type 2 and ISO 27001, ensuring traceability and accountability for administrative actions.
• Incident Detection: Identifies suspicious or unauthorized use of elevated privileges, such as privilege escalation or misuse of administrative accounts.
• Data Protection: Ensures compliance with GDPR Article 32, showcasing controls to restrict and monitor access to sensitive data through elevated privileges.', null, null, null, null, null, null, null, null, null, 703, true, 286, 'TEMPLATE', null, null, 'Windows Use of Elevated Privileges', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (853, e'The Windows Registry Value Modification Report provides detailed logs of changes made to critical Windows registry values. This report is essential for ensuring compliance within the Banking Audit framework, as the registry is a central component for system configuration and security settings.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, ensuring oversight and monitoring of configuration changes to protect sensitive financial systems.
• System Integrity Compliance: Supports compliance with PCI DSS Requirement 10, which mandates monitoring system component changes to detect unauthorized modifications.
• Audit Readiness: Tracks registry value changes, ensuring traceability and accountability as required by frameworks like SOC2 Type 2 and ISO 27001.
• Incident Detection: Identifies unauthorized or suspicious registry changes, which could indicate malware activity, privilege escalation, or insider threats.
• Data Protection: Ensures compliance with GDPR Article 32, showcasing controls to monitor and restrict unauthorized changes that might expose sensitive data.', null, null, null, null, null, null, null, null, null, 703, true, 322, 'TEMPLATE', null, null, 'Windows Registry Value Modification', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (854, e'The Windows Changes to Defender Settings Report provides a detailed overview of modifications made to Microsoft Defender settings, including changes to real-time protection, firewall rules, and other security configurations. This report is critical for compliance within the Banking Audit framework, ensuring that endpoint protection settings are managed securely and consistently.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, demonstrating oversight and control of endpoint security configurations to safeguard financial systems and customer information.
• System Security Compliance: Supports compliance with PCI DSS Requirement 5, ensuring that antivirus and other endpoint protections are configured and maintained securely.
• Audit Readiness: Logs all changes to Defender settings, providing traceability for audits under frameworks like SOC2 Type 2 and ISO 27001, ensuring secure management of endpoint defenses.
• Incident Detection: Identifies unauthorized or suspicious changes to Defender settings, which could indicate attempts to disable security protections or introduce vulnerabilities.
• Data Protection: Ensures compliance with GDPR Article 32, showcasing controls that secure endpoint configurations and prevent unauthorized access to sensitive data.', null, null, null, null, null, null, null, null, null, 703, true, 287, 'TEMPLATE', null, null, 'Windows Changes to Defender settings', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1129, 'This report compiles relevant information from events 4673 (Attempt to access an audit object) and 4674 (Action performed on an audit object) generated in Windows, with the goal of verifying compliance with PCI DSS requirement 4.2.2. This requirement establishes that the PAN (cardholder account number) must be protected using strong cryptography whenever it is sent via messaging technologies used by end users.

Events 4673 and 4674 are essential for auditing actions performed on audit objects that involve the transmission of PAN. These events allow for the identification and monitoring of attempts to access sensitive information and actions performed on card account data, ensuring that only authorized users can interact with said information.

By analyzing these events, it is verified that the PAN transmission is adequately protected with strong cryptography technologies, ensuring that the information remains confidential during its transfer via messaging channels used by users. This control is essential to meet the security requirements established by PCI DSS, ensuring that cardholder data is not exposed to unnecessary risks during transmission.', null, null, null, null, null, null, null, null, null, 803, true, 286, 'TEMPLATE', null, null, 'Windows Use of Elevated Privileges', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (690, 'This report collects and analyzes security events identified by ID 4103 on Windows systems. Event 4103 records the execution of PowerShell scripts with detailed information about the executed commands and their parameters, providing relevant data for verifying compliance with the HITRUST CSF 01.p requirement, which establishes that access to log data and monitoring systems must be controlled. 
This report facilitates the identification and monitoring of PowerShell activities that could affect the integrity of monitoring and logging systems, contributing to the implementation of secure access policies and appropriate oversight.', null, null, null, null, null, null, null, null, null, 602, true, 288, 'TEMPLATE', null, null, 'Windows PowerShell Script Block Registration', '');
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (855, e'The Windows PowerShell Script Block Registration Report provides a detailed record of PowerShell script block execution and registration events. This report is essential for compliance within the Banking Audit framework, enabling organizations to monitor and control the use of scripting, which can be a common vector for cyber threats.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, ensuring oversight of scripting activities to protect financial systems and sensitive customer data.
• Script Execution Monitoring: Supports compliance with PCI DSS Requirement 10, ensuring logging and monitoring of script activities to detect unauthorized or suspicious behavior.
• Audit Readiness: Provides traceability for all script block registrations, meeting the requirements of frameworks like SOC2 Type 2 and ISO 27001, ensuring visibility into scripting activities.
• Threat Detection: Identifies unauthorized or suspicious script execution, such as attempts to execute malicious scripts or escalate privileges via PowerShell.
• Data Protection: Ensures compliance with GDPR Article 32, showcasing controls that restrict and monitor the execution of scripts to prevent unauthorized data access or manipulation.', null, null, null, null, null, null, null, null, null, 703, true, 288, 'TEMPLATE', null, null, 'Windows PowerShell Script Block Registration', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1133, 'This report collects and analyzes Windows 5007 events, which indicate changes to Windows Defender security policy settings. Since PCI DSS Requirement 5.3 establishes the need for anti-malware mechanisms and processes to be active, maintained, and monitored, this report helps identify unauthorized or unexpected changes to the security solution''s configuration.

Monitoring these events helps ensure the integrity and effectiveness of anti-malware measures, ensuring that critical settings are not altered inappropriately and that malware protection remains operational at all times.', null, null, null, null, null, null, null, null, null, 804, true, 287, 'TEMPLATE', null, null, 'Windows Changes to Defender settings', '');
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (856, e'The Windows PowerShell Remote Session Creation Report provides a detailed log of remote PowerShell session creation events, including details about the initiating user, target system, and session activity. This report is critical within the Banking Audit framework, as PowerShell remote sessions can be used to manage systems but also pose significant security risks if misused.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, ensuring the monitoring of remote session activities to protect sensitive financial systems and customer data.
• Access Control Compliance: Supports compliance with PCI DSS Requirement 8, ensuring secure authentication and access control for remote sessions.
• Audit Readiness: Tracks remote PowerShell session creation events, providing traceability for frameworks like SOC2 Type 2 and ISO 27001, ensuring accountability in remote system management.
• Threat Detection: Identifies unauthorized or suspicious remote session activity, which could indicate compromised accounts, insider threats, or lateral movement by attackers.
• Data Protection: Ensures compliance with GDPR Article 32, demonstrating controls to monitor and restrict unauthorized remote access to systems handling sensitive financial data.', null, null, null, null, null, null, null, null, null, 703, true, 289, 'TEMPLATE', null, null, 'Windows PowerShell Remote Session Creation', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (857, e'The Windows Installation of Services Report provides detailed logs of service installation events within the system. This report is essential for compliance within the Banking Audit framework, as unauthorized or malicious services can compromise system integrity and sensitive financial data.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, demonstrating control and oversight over installed services to ensure the security of financial systems and customer information.
• System Configuration Compliance: Supports compliance with PCI DSS Requirement 2, ensuring only authorized services are installed and that configurations are securely managed.
• Audit Readiness: Tracks service installation activities, providing traceability for frameworks like SOC2 Type 2 and ISO 27001, ensuring accountability for system changes.
• Incident Detection: Identifies unauthorized or suspicious service installations, which could indicate malware, privilege escalation, or insider threats.
• Data Protection: Ensures compliance with GDPR Article 32, showcasing controls that restrict and monitor the installation of services to protect sensitive financial data from unauthorized processing or breaches.', null, null, null, null, null, null, null, null, null, 703, true, 290, 'TEMPLATE', null, null, 'Windows Installation of Services', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1105, 'This report compiles relevant information from 7045 events (A service was installed in the system) generated in Windows, with the goal of verifying compliance with PCI DSS requirement 2.2.4. This requirement establishes that only services, protocols, daemons, and functions necessary for system operation should be enabled, and that all unnecessary functionality should be removed or disabled.

Event 7045 allows you to audit the installation of new services on the system, providing visibility into the activation of software that could introduce security risks. This event allows you to identify unauthorized services, verify that only essential processes are running, and detect improper configurations that could expose the infrastructure to unnecessary threats.', null, null, null, null, null, null, null, null, null, 801, true, 290, 'TEMPLATE', null, null, 'Windows Installation of Services', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (897, e'The Windows Installation of Services Report provides detailed logs of events where new services are installed on the system, capturing information such as the service name, installation path, initiating user, and timestamp. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as unauthorized or suspicious service installations can indicate potential security threats.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring visibility and oversight of service installations to protect sensitive financial systems and customer data.
• Threat Detection: Identifies unauthorized or malicious service installations, which could be used to execute malware or maintain unauthorized access.
• Real-Time Alerting: Captures and alerts administrators immediately when new services are installed, enabling prompt investigation and action.
• Audit Readiness: Tracks all service installation activities, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating robust monitoring of system changes.
• System Integrity: Supports compliance with PCI DSS Requirement 10, ensuring secure system configurations by monitoring all service-related activities.', null, null, null, null, null, null, null, null, null, 701, true, 290, 'TEMPLATE', null, null, 'Windows Installation of Services', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1205, 'This report assesses compliance with PCI DSS Requirement 11.3.1.3, which establishes that internal vulnerability scans must be performed after any significant system changes. Using Windows Event 7045 logs, the report collects information on the installation of new services and drivers, which may be indicative of significant changes to the system infrastructure. This analysis verifies that, after these changes were made, internal vulnerability scans were performed to detect and resolve high-risk or critical vulnerabilities, in accordance with the risk classifications defined in PCI DSS Requirement 6.3.1. 
It also ensures that rescans are performed when necessary and that scans are conducted by qualified personnel, ensuring effectiveness and an appropriate response to system vulnerabilities following significant changes.', null, null, null, null, null, null, null, null, null, 810, true, 290, 'TEMPLATE', null, null, 'Windows Installation of Services', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1228, 'This report collects and analyzes user account modification events (event ID 4738) on Windows systems to assess compliance with PCI DSS Requirement A1.2.3. This event is generated when a modification is made to a user account, which may indicate changes affecting system security or related security incidents. This analysis verifies that processes and mechanisms are in place to report and address security incidents and vulnerabilities, allowing customers to securely report any incidents or vulnerabilities to the vendor. Additionally, it assesses whether the vendor takes appropriate actions to address and remediate security incidents in accordance with PCI DSS Requirement 6.3.1. Records of this event provide evidence of how account modifications are handled, allowing potential security incidents to be detected and ensuring that vulnerabilities are appropriately managed. 
The findings in this report ensure that incident response processes are effective and aligned with the controls established by PCI DSS.', null, null, null, null, null, null, null, null, null, 812, true, 308, 'TEMPLATE', null, null, 'Windows User Account Attributes Changes', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (684, 'This report collects and analyzes security events identified by ID 4907 on Windows systems. Event 4907 records changes in audit policy settings related to access to system resources, providing relevant information for verifying compliance with HIPAA requirement 164.312(a)(1). This requirement establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that store or process ePHI (Electronic Protected Health Information). 
This report facilitates the identification and monitoring of audit policy adjustments, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 291, 'TEMPLATE', null, null, 'Windows Restoration of default security policies', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (894, e'The Windows Restoration of Default Security Policies Report provides detailed logs of events where system security policies are reset to their default configurations. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as such actions can impact the security posture and may indicate unauthorized changes or recovery efforts.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of policy restoration activities to safeguard sensitive financial systems and customer data.
• System Integrity Monitoring: Supports compliance with PCI DSS Requirement 10, ensuring that changes to security policies, including restorations, are logged and monitored.
• Real-Time Alerting: Captures and notifies administrators immediately when default security policies are restored, enabling rapid investigation and response.
• Incident Detection: Identifies unauthorized or suspicious policy restorations, which could indicate an attempt to bypass hardened security configurations or revert critical controls.
• Audit Readiness: Tracks all events of policy restoration, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating secure configuration management practices.', null, null, null, null, null, null, null, null, null, 701, true, 291, 'TEMPLATE', null, null, 'Windows Restoration of default security policies', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (686, 'This report collects and analyzes security events identified by ID 4902 on Windows systems. Event 4902 records changes to local audit policy settings, providing relevant information about modifications to the rules that govern access and activity monitoring on systems that may contain ePHI (Electronic Protected Health Information). This event is essential for verifying compliance with HIPAA requirement 164.312(a)(1), which establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that maintain ePHI. 
This report facilitates the identification and monitoring of audit policy modifications, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 292, 'TEMPLATE', null, null, 'Windows Audit Policy Change', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (695, 'This report collects and analyzes security events identified by ID 4907 on Windows systems. Event 4907 records changes to the configuration of centralized access control lists (Audit Policy Changes), providing relevant information about modifications to system audit policies. These events are essential for verifying compliance with the HITRUST CSF 01.v requirement, which mandates the logging of key system activities. 
This report facilitates the identification and auditing of audit policy adjustments, ensuring that any modifications are appropriately logged, reviewed, and approved to maintain effective and continuous monitoring of critical system activities.', null, null, null, null, null, null, null, null, null, 601, true, 291, 'TEMPLATE', null, null, 'Windows Restoration of default security policies', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (669, 'This report contributes to compliance with the NIST CSF PR.DS-3 requirement, which requires protective monitoring of data at rest and in transit. By analyzing event ID 4724 on Windows systems, this report facilitates the monitoring of activities related to user account password resets. By logging and auditing password change attempts, it ensures that access to sensitive data is properly managed, protecting the integrity and confidentiality of the information. 
This monitoring contributes to data protection by detecting and preventing unauthorized access, ensuring compliance with established security policies.', null, null, null, null, null, null, null, null, null, 601, true, 312, 'TEMPLATE', null, null, 'Windows Password Reset Attempts', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1053, 'This report compiles relevant information from logs generated by Windows event 4907, which indicates changes to the system''s network filter configurations. This event is key to ensuring that any changes made to network connection configurations and network security controls (NSC) have been managed in a controlled manner and properly approved. 
Analyzing these events allows for verification that changes to network configurations have been made according to established procedures, ensuring that the security infrastructure remains consistent, secure, and aligned with organizational policies.', null, null, null, null, null, null, null, null, null, 807, true, 291, 'TEMPLATE', null, null, 'Windows Restoration of default security policies', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (858, e'The Windows Service Control Manager Log Information Report provides a detailed record of activities related to the Service Control Manager (SCM), including service starts, stops, failures, and configuration changes. This report is critical for compliance within the Banking Audit framework, ensuring visibility into the management of services that impact system security and performance.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, demonstrating oversight and control of service activities to protect financial systems and sensitive customer data.
• System Monitoring Compliance: Supports compliance with PCI DSS Requirement 10, ensuring logging and monitoring of critical service activities to detect unauthorized or suspicious changes.
• Audit Readiness: Tracks all SCM events, providing traceability for frameworks like SOC2 Type 2 and ISO 27001, ensuring accountability and secure management of service operations.
• Incident Detection: Identifies unauthorized service manipulations, abnormal service failures, or configuration changes, which could indicate malware activity or insider threats.
• Data Protection: Ensures compliance with GDPR Article 32, showcasing controls to monitor and secure services that may process or protect sensitive financial data.', null, null, null, null, null, null, null, null, null, 703, true, 323, 'TEMPLATE', null, null, 'Windows Service Control Manager Log Information', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (859, e'The Windows Failed Logon Attempt Report provides detailed logs of unsuccessful login attempts, capturing essential information such as the user account, timestamp, source IP address, and reason for failure. This report is crucial within the Banking Audit framework, ensuring visibility into unauthorized access attempts and supporting compliance with stringent security regulations.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, ensuring oversight of failed logon attempts to protect financial systems and sensitive customer data.
• Access Control Compliance: Supports compliance with PCI DSS Requirement 10, which mandates logging and monitoring of access attempts, successful or failed, to detect unauthorized activities.
• Audit Readiness: Tracks failed logon attempts, providing traceability for frameworks like SOC2 Type 2 and ISO 27001, ensuring accountability in access management.
• Incident Detection: Identifies patterns of unauthorized access attempts, such as brute force attacks, password spraying, or account enumeration efforts.
• Data Protection: Ensures compliance with GDPR Article 32, showcasing controls to monitor and restrict unauthorized access attempts to systems handling sensitive financial data.', null, null, null, null, null, null, null, null, null, 703, true, 279, 'TEMPLATE', null, null, 'Windows Failed logon attempt', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (860, e'The Windows Credential Access Report provides detailed logs of events related to credential access, including successful and failed attempts to retrieve or use user credentials, such as password hashes, security tokens, or Kerberos tickets. This report is critical within the Banking Audit framework to monitor unauthorized credential access and ensure the protection of sensitive financial systems.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, demonstrating oversight and control over credential access to safeguard sensitive customer data and financial systems.
• Access Control Compliance: Supports compliance with PCI DSS Requirement 8, which mandates secure authentication and management of user credentials to prevent unauthorized access.
• Audit Readiness: Tracks credential access events, providing traceability for frameworks like SOC2 Type 2 and ISO 27001, ensuring accountability in credential management.
• Incident Detection: Identifies unauthorized or suspicious attempts to access credentials, such as pass-the-hash attacks, keylogging, or unauthorized Kerberos ticket usage.
• Data Protection: Ensures compliance with GDPR Article 32, showcasing controls to monitor, restrict, and secure credential access to prevent unauthorized data breaches.', null, null, null, null, null, null, null, null, null, 703, true, 315, 'TEMPLATE', null, null, 'Windows Credential Access', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (861, e'The Windows Member Addition to a Security Local Group Report provides a comprehensive log of events where users or accounts are added to local security groups. This report is vital within the Banking Audit framework to monitor and control group membership changes, ensuring compliance with access management policies and protecting sensitive financial systems.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, ensuring oversight of group membership changes to safeguard financial data and prevent unauthorized access.
• Access Control Compliance: Supports compliance with PCI DSS Requirement 7, which mandates restricting access to critical systems to authorized personnel through proper group membership management.
• Audit Readiness: Tracks all member additions to local security groups, providing traceability for frameworks like SOC2 Type 2 and ISO 27001, ensuring secure and accountable access management.
• Incident Detection: Identifies unauthorized or suspicious additions to privileged groups, such as the Administrators group, which could indicate potential insider threats or compromised accounts.
• Data Protection: Ensures compliance with GDPR Article 32, showcasing controls to monitor and restrict group membership changes that could expose sensitive financial data to unauthorized users.', null, null, null, null, null, null, null, null, null, 703, true, 320, 'TEMPLATE', null, null, 'Windows Member Addition to a Security Local Group', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (862, e'The Windows Account Logon Success Report provides a detailed record of successful logon events, capturing essential data such as the user account, timestamp, source IP address, and authentication method. This report is a critical compliance tool within the Banking Audit framework, ensuring traceability of access to sensitive financial systems and supporting regulatory requirements.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, ensuring visibility into authorized system access to protect customer information and financial data.
• Access Control Compliance: Supports compliance with PCI DSS Requirement 8, validating that only authorized users gain access to critical systems through secure authentication processes.
• Audit Readiness: Tracks successful logons, providing evidence for frameworks like SOC2 Type 2 and ISO 27001, ensuring accountability and secure access management.
• Threat Detection: Identifies unusual access patterns, such as logons from unexpected geographic locations, which could indicate compromised credentials.
• Data Protection: Ensures compliance with GDPR Article 32, demonstrating controls that prevent unauthorized access to systems containing sensitive financial data.', null, null, null, null, null, null, null, null, null, 701, true, 265, 'TEMPLATE', null, null, 'Windows Account Logon Success', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (863, e'The Windows Account Logon Failure Report provides detailed logs of unsuccessful login attempts, capturing key information such as the user account, timestamp, source IP address, and failure reason. This report is critical for compliance within the Banking Audit framework, ensuring visibility into unauthorized access attempts and supporting security and regulatory requirements.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, ensuring oversight of failed logon attempts to detect and mitigate potential threats to financial systems and sensitive customer data.
• Access Control Compliance: Supports compliance with PCI DSS Requirement 10, which mandates logging and monitoring of access attempts to detect unauthorized activities.
• Audit Readiness: Tracks failed logon events, providing traceability for frameworks like SOC2 Type 2 and ISO 27001, ensuring accountability in access control management.
• Threat Detection: Identifies patterns of suspicious behavior, such as brute force attacks, password spraying, or repeated failed logins from specific locations.
• Data Protection: Ensures compliance with GDPR Article 32, demonstrating controls that restrict and monitor unauthorized attempts to access systems containing sensitive financial data.', null, null, null, null, null, null, null, null, null, 701, true, 266, 'TEMPLATE', null, null, 'Windows Account Logon Failure', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (864, e'The Windows Policy Changes Report provides detailed logs of modifications to system policies, such as group policies, security settings, and access controls. This report is critical within the Banking Audit framework, as it ensures accountability and compliance with regulatory standards for system configuration and access management.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, demonstrating oversight of policy changes to protect sensitive financial systems and customer data.
• Configuration Management Compliance: Supports compliance with PCI DSS Requirement 10, which mandates monitoring of system component changes to detect unauthorized modifications.
• Audit Readiness: Tracks policy changes, providing traceability for frameworks like SOC2 Type 2 and ISO 27001, ensuring accountability in maintaining secure configurations.
• Incident Detection: Identifies unauthorized or suspicious changes to critical policies, which could indicate potential insider threats or attempts to weaken system security.
• Data Protection: Ensures compliance with GDPR Article 32, demonstrating controls that restrict and monitor changes to system policies to prevent unauthorized access or breaches.', null, null, null, null, null, null, null, null, null, 701, true, 280, 'TEMPLATE', null, null, 'Windows Policy changes', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (865, e'The Windows Access to Critical Files or Specific Directories Report provides a detailed record of attempts—both successful and unsuccessful—to access sensitive files and directories. This report is essential for compliance within the Banking Audit framework, as it ensures visibility into access attempts and protects critical financial data from unauthorized access.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, ensuring oversight of file and directory access to protect sensitive financial information.
• Access Control Compliance: Supports compliance with PCI DSS Requirement 10, which mandates monitoring and logging of all access to critical resources to detect unauthorized activities.
• Audit Readiness: Tracks access to files and directories, providing traceability for frameworks like SOC2 Type 2 and ISO 27001, ensuring secure access management.
• Incident Detection: Identifies unauthorized or suspicious access attempts, such as attempts to copy, delete, or modify critical data, which could indicate insider threats or compromised accounts.
• Data Protection: Ensures compliance with GDPR Article 32, demonstrating controls to monitor and restrict access to sensitive financial data, protecting it from unauthorized processing.', null, null, null, null, null, null, null, null, null, 701, true, 277, 'TEMPLATE', null, null, 'Windows Access to critical files or specific directories', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (866, e'The Windows Audit Policy Change Report provides a detailed log of modifications to audit policies, such as changes to audit settings, logging configurations, and retention policies. This report is a critical component of the Banking Audit framework, ensuring transparency and control over how audit data is captured and managed.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, demonstrating oversight of audit policy changes to protect the integrity of financial systems and sensitive customer data.
• Compliance with Monitoring Standards: Supports compliance with PCI DSS Requirement 10, which mandates monitoring and logging of audit policy modifications to detect unauthorized changes.
• Audit Readiness: Tracks audit policy changes to provide traceability and accountability, meeting the requirements of frameworks like SOC2 Type 2 and ISO 27001.
• Incident Detection: Identifies unauthorized or suspicious audit policy changes, which could indicate attempts to disable monitoring or obscure malicious activity.
• Data Protection: Ensures compliance with GDPR Article 32, showcasing controls to monitor and restrict changes to audit settings to prevent data breaches or unauthorized access.', null, null, null, null, null, null, null, null, null, 701, true, 292, 'TEMPLATE', null, null, 'Windows Audit Policy Change', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (867, e'The Windows User Accounts Created Report provides a comprehensive log of all user account creation events within the system. This report is crucial within the Banking Audit framework to monitor, control, and document account creation, ensuring compliance with regulatory requirements and secure access management.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, ensuring oversight of account creation to safeguard sensitive financial systems and customer data.
• Access Control Compliance: Supports compliance with PCI DSS Requirement 7, mandating that only authorized personnel can create accounts and ensuring accounts are assigned appropriate access levels.
• Audit Readiness: Tracks account creation events to provide traceability and accountability, meeting requirements for frameworks like SOC2 Type 2 and ISO 27001.
• Incident Detection: Identifies unauthorized or suspicious account creation, which could indicate insider threats or compromised administrative credentials.
• Data Protection: Ensures compliance with GDPR Article 32, demonstrating controls to monitor and restrict the creation of user accounts that could expose sensitive financial data.', null, null, null, null, null, null, null, null, null, 701, true, 267, 'TEMPLATE', null, null, 'Windows User Accounts Created', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (868, e'The Windows User Accounts Enabled Report provides detailed logs of events where disabled user accounts are re-enabled within the system. This report is essential for compliance within the Banking Audit framework, ensuring visibility and control over account status changes to protect sensitive financial systems and data.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, ensuring oversight of account re-enablement to safeguard financial systems and customer data.
• Access Control Compliance: Supports compliance with PCI DSS Requirement 8, ensuring that account re-enablement is authorized and properly monitored to prevent unauthorized access.
• Audit Readiness: Tracks all account re-enablement events, providing traceability and accountability for frameworks like SOC2 Type 2 and ISO 27001.
• Incident Detection: Identifies unauthorized or suspicious account re-enablement, which could indicate insider threats or compromised administrative actions.
• Data Protection: Ensures compliance with GDPR Article 32, showcasing controls that monitor and restrict the enabling of accounts to prevent unauthorized data access.', null, null, null, null, null, null, null, null, null, 701, true, 293, 'TEMPLATE', null, null, 'Windows User Accounts Enabled', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (913, e'The Windows User Accounts Enabled report provides detailed logs of events where previously disabled user accounts are re-enabled on a Windows system. This report is critical for monitoring account management activities, detecting unauthorized actions, and ensuring compliance with security and audit frameworks.
• Regulatory Compliance: Aligns with frameworks such as PCI DSS, ISO 27001, and SOC2, by maintaining records of account enablement activities to support access control and audit requirements.
• Account Management Monitoring: Tracks the re-enabling of user accounts, allowing administrators to ensure that such actions are performed only through authorized workflows and for legitimate reasons.
• Event Correlation: Links account enablement events with other related activities, such as privilege escalations, group modifications, or logon attempts, to provide a comprehensive audit trail.
• Real-Time Alerts: Sends immediate notifications when accounts are re-enabled, particularly for high-privilege accounts or accounts that could pose a security risk if reactivated.
• Incident Detection: Helps identify unauthorized actions, such as the reactivation of dormant accounts, which could indicate insider threats, privilege abuse, or malicious activities.
• Audit Readiness: Logs detailed information, including the account name, enabling user or process, originating machine, and timestamp, ensuring comprehensive records for compliance and investigations.', null, null, null, null, null, null, null, null, null, 702, true, 293, 'TEMPLATE', null, null, 'Windows User Accounts Enabled', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1141, 'This report compiles and analyzes relevant information from Windows event 4722 logs, which indicate the activation of previously disabled user accounts. Its objective is to assess compliance with PCI DSS Requirement 6.2, ensuring that custom software development is carried out securely and in accordance with established standards. Analysis of these events allows for the detection of potential irregularities in access management and the evaluation of whether the activated accounts comply with secure authentication and privilege management controls. 
It also verifies that account management and access auditing practices contribute to mitigating security risks, preventing unauthorized access to development, testing, and production environments, in alignment with the security principles required by PCI DSS.', null, null, null, null, null, null, null, null, null, 806, true, 293, 'TEMPLATE', null, null, 'Windows User Accounts Enabled', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1217, 'This report gathers relevant information from Windows 4722 events, which record changes to user accounts, such as account activation or deactivation. These events are crucial for verifying compliance with security policies and the PCI DSS compliance program.

The report ensures that quarterly reviews of security-related activities, such as log review, security configuration assessment, and alert response, have been conducted. It also documents the corrective actions taken for any deviations found during the reviews, ensuring that the PCI DSS compliance program is being properly implemented.', null, null, null, null, null, null, null, null, null, 811, true, 293, 'TEMPLATE', null, null, 'Windows User Accounts Enabled', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1150, 'This report collects and analyzes Windows 4722 events, which record the activation of user accounts. Its purpose is to assess compliance with PCI DSS Requirement 7.2, ensuring that access to system components and data is appropriately defined and assigned. 
Monitoring these events allows for the detection of reactivation of inactive or disabled accounts, verification of access management in accordance with job functions, and enforcement of the principle of least privilege.', null, null, null, null, null, null, null, null, null, 805, true, 293, 'TEMPLATE', null, null, 'Windows User Accounts Enabled', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1186, 'This report compiles relevant information from Windows event 4722 logs, which are generated when a user account is enabled or activated on the system. This event is essential for compliance with PCI DSS requirement 10.2.1.5, which requires the capture of all changes related to identification and authentication credentials, including the creation of new accounts, elevation of privileges, and any modification, addition, or deletion of accounts. 
Monitoring these events allows for the detection of critical credential changes, which is critical for forensic analysis and identifying suspicious activity in environments that handle cardholder data.', null, null, null, null, null, null, null, null, null, 809, true, 293, 'TEMPLATE', null, null, 'Windows User Accounts Enabled', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1163, 'This report collects and analyzes 4722 events (User Account Enablement) recorded in Windows logs to assess compliance with PCI DSS Requirement 8.2. It verifies that account activation is properly authorized and documented, ensuring that each user has a unique ID before accessing the systems. It also examines that accounts disabled due to inactivity or disassociation are not reactivated without proper justification and approval, and that third-party accounts are managed in a controlled manner. 
This analysis helps ensure proper account lifecycle management, reinforcing security and access traceability.', null, null, null, null, null, null, null, null, null, 808, true, 293, 'TEMPLATE', null, null, 'Windows User Accounts Enabled', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1070, 'This report collects the 4722 events generated by the Windows system, which indicate the enabling of user accounts. The analysis of these events is key to verify compliance with PCI DSS requirements, ensuring that the roles and responsibilities associated with the management of user accounts and their access to critical systems are properly documented, assigned, and understood. In addition, it provides visibility into the enabling of accounts and ensures that the activated accounts are aligned with established security policies and operating procedures.', null, null, null, null, null, null, null, null, null, 807, true, 293, 'TEMPLATE', null, null, 'Windows User Accounts Enabled', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (691, 'This report collects and analyzes security events identified by ID 4723 on Windows systems. 
Event 4723 records attempts to change a user''s password, providing relevant information for verifying compliance with the NIST CSF PR.AC-1 requirement, which establishes that access to systems and assets should be limited based on defined roles. This report facilitates the identification and monitoring of successful or failed password change attempts, contributing to adequate access control and the implementation of identity and role management policies.', null, null, null, null, null, null, null, null, null, 602, true, 294, 'TEMPLATE', null, null, 'Windows User Password Reset Attempt', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (710, 'This report contributes to compliance with the NIST CSF DE.CM-1 requirement, which establishes the need for continuous monitoring of network activity to detect malicious activity. By analyzing event ID 1102 on Windows systems, this report facilitates monitoring the cleanup of security logs, which may indicate an attempt to conceal unauthorized or malicious activity. 
Monitoring these types of events allows for the detection of log alterations that could compromise system security, enabling an immediate response to security incidents and ensuring the integrity of the network and data.', null, null, null, null, null, null, null, null, null, 604, true, 295, 'TEMPLATE', null, null, 'Windows Cleaned Event Log', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (842, 'The Windows Cleaned Event Log Report provides a detailed record of actions where system event logs have been cleared. This report is critical within the Banking Audit framework, as it helps detect potential tampering with log integrity and supports regulatory compliance by monitoring log management activities.', null, null, null, null, null, null, null, null, null, 703, true, 295, 'TEMPLATE', null, null, 'Windows Cleaned Event Log', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (914, e'The Windows User Password Reset Attempt report provides detailed logs of events where a user password reset attempt is made within a Windows system. 
This report is critical for monitoring account security, detecting unauthorized password changes, and ensuring compliance with security frameworks.
• Regulatory Compliance: Ensures alignment with standards such as PCI DSS, ISO 27001, and SOC2, by documenting all password reset attempts to maintain an auditable trail of account security events.
• Account Security Monitoring: Tracks password reset attempts to ensure they are initiated through authorized processes and to identify potential misuse or unauthorized actions.
• Event Correlation: Links password reset attempts with associated user accounts, originating machines, and administrative actions to create a comprehensive audit trail for security analysis.
• Real-Time Alerts: Generates alerts for password reset attempts, especially for privileged or sensitive accounts, allowing administrators to respond to potential threats immediately.
• Incident Detection: Identifies suspicious activities, such as repeated or unexpected password reset attempts, which may indicate brute force attacks, compromised accounts, or insider threats.
• Audit Readiness: Logs detailed information about each password reset attempt, including the username, time of the attempt, originating IP address, and the user or process initiating the reset, ensuring comprehensive records for compliance and investigations.', null, null, null, null, null, null, null, null, null, 702, true, 294, 'TEMPLATE', null, null, 'Windows User Password Reset Attempt', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (692, 'This report collects and analyzes security events identified by ID 4723 on Windows systems. Event 4723 records attempts to change a user''s password, providing relevant information for verifying compliance with the NIST CSF PR.AC-1 requirement, which establishes that access to systems and assets should be limited based on defined roles. 
This report facilitates the identification and monitoring of successful or failed password change attempts, contributing to adequate access control and the implementation of identity and role management policies.', null, null, null, null, null, null, null, null, null, 602, true, 300, 'TEMPLATE', null, null, 'Windows Monitoring of Critical System Services Status', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (885, e'The Windows Cleaned Event Log Report provides detailed logs of events where system event logs have been cleared. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as log clearing can indicate attempts to hide malicious activity or compromise system integrity.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of log management activities to protect financial systems and sensitive data.
• Real-Time Alerting: Captures and notifies administrators in real-time when event logs are cleared, enabling immediate investigation and response to potential incidents.
• Incident Detection: Identifies unauthorized or suspicious log clearing activities, which could indicate insider threats or attempts to conceal malicious actions.
• Audit Readiness: Provides traceability for log clearing events, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating secure log management practices.
• Data Integrity Protection: Supports compliance with PCI DSS Requirement 10, ensuring that all log management activities, including clearing logs, are monitored and documented.', null, null, null, null, null, null, null, null, null, 701, true, 295, 'TEMPLATE', null, null, 'Windows Cleaned Event Log', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1067, 'This report captures Windows system event 1102, which indicates the cleanup of system audit logs. Analysis of these events is essential to verify compliance with PCI DSS requirements, ensuring that audit policies and procedures are documented, up-to-date, and in use. 
It also monitors the integrity of audit logs, ensuring that they are not inappropriately altered or deleted, and that defined operational best practices for security are followed.', null, null, null, null, null, null, null, null, null, 807, true, 295, 'TEMPLATE', null, null, 'Windows Cleaned Event Log', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1116, 'This report compiles relevant information from 1102 events (The audit log was cleared) generated in Windows, with the aim of verifying compliance with PCI DSS Requirement 3.2.1. This requirement establishes that account data storage must be kept to a minimum, ensuring that data is stored only in the necessary locations and for the time period determined by data retention and deletion policies.

Event 1102 allows auditing the deletion or clearing of audit logs in the system, providing visibility into when and why records were deleted. This event is relevant to verify that account data retention policies are being applied correctly and that audit logs, which may contain sensitive information, have not been deleted before the minimum retention period defined in the policy is reached. It also helps verify that, once the defined retention period has elapsed, account data is deleted or rendered unrecoverable in accordance with established procedures. This ensures that sensitive information is not stored beyond the necessary time, complying with legal, regulatory, and business requirements.', null, null, null, null, null, null, null, null, null, 802, true, 295, 'TEMPLATE', null, null, 'Windows Cleaned Event Log', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1107, 'This report compiles relevant information from 1102 events (Audit log was cleared) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 2.3, which establishes that wireless environments must be configured and managed securely.

Event 1102 indicates that audit logs have been cleared, which may be a sign of an attempt to hide unauthorized changes to critical configurations, including management of security parameters on wireless networks, such as default encryption keys, access point passwords, and SNMP settings. Monitoring this event helps detect potential attempts to circumvent security controls and ensure that wireless network configurations remain aligned with required security standards.', null, null, null, null, null, null, null, null, null, 801, true, 295, 'TEMPLATE', null, null, 'Windows Cleaned Event Log', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1139, 'This report compiles and analyzes relevant information extracted from Windows Event 1102 logs, used to assess compliance with PCI DSS Requirement 6.2, which addresses security in custom software development. The analysis focuses on how security best practices and standards are implemented throughout the software development lifecycle, including secure authentication, event logging, and code review, with the goal of identifying vulnerabilities and mitigating risks related to common software attacks. 
It also examines compliance with development staff training criteria, the use of software engineering techniques to prevent vulnerabilities, and the methodologies applied to ensure software complies with the security regulations required by PCI DSS.', null, null, null, null, null, null, null, null, null, 806, true, 295, 'TEMPLATE', null, null, 'Windows Cleaned Event Log', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1211, 'This report compiles key information from 1102 events in Windows logs, used to assess compliance with PCI DSS Requirement 12.1, which requires an information security policy that is known, established, published, maintained, and appropriately distributed to all relevant personnel, as well as to suppliers and business partners. Event 1102 is linked to the audit event log, and its analysis helps ensure that information security policies are reviewed and updated at least once every 12 months, reflecting changes in business risks and objectives.

The report verifies that the information security policy is in place and that all relevant individuals within the organization have access to it. It also helps validate that information security responsibilities are clearly defined and assigned, and that security responsibility is formally delegated to a senior executive with the necessary knowledge, as required by the PCI DSS standard.', null, null, null, null, null, null, null, null, null, 811, true, 295, 'TEMPLATE', null, null, 'Windows Cleaned Event Log', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1196, 'This report consolidates relevant information from Windows Event Viewer 1102 events, which indicate audit log deletion. Tracking these events is essential for compliance with PCI DSS Requirement 11.1.1, as it ensures that security policies and operating procedures are documented, updated, utilized, and understood by affected parties. The deletion of audit logs may represent an attempt to conceal malicious activity or operational mismanagement. Therefore, this report helps detect, investigate, and mitigate potential security breaches by providing audit evidence of attempts to manipulate critical records on monitored systems. 
This analysis contributes to maintaining the integrity of security logs, enabling the implementation of corrective and preventive controls that reinforce compliance with PCI DSS standards.', null, null, null, null, null, null, null, null, null, 810, true, 295, 'TEMPLATE', null, null, 'Windows Cleaned Event Log', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1131, 'This report collects and analyzes information generated by Windows 1102 events, which indicate the deletion of records in the system''s Event Viewer. Since log integrity is critical for monitoring and detecting malicious activity, this report assesses compliance with PCI DSS Requirement 5.1, ensuring that malware protection mechanisms are documented, updated, and in use.

Analyzing these events helps identify potential attempts to hide suspicious activity, ensuring that the security infrastructure maintains adequate records for threat detection and prevention.', null, null, null, null, null, null, null, null, null, 804, true, 295, 'TEMPLATE', null, null, 'Windows Cleaned Event Log', ''); + INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (869, e'The Windows User Password Reset Attempt Report provides a detailed record of password reset activities, capturing both successful and failed attempts. This report is critical within the Banking Audit framework to monitor credential management processes and ensure compliance with access control policies.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, ensuring oversight of password reset attempts to protect financial systems and sensitive customer data.
• Access Control Compliance: Supports compliance with PCI DSS Requirement 8, which mandates secure authentication and password management practices.
• Audit Readiness: Tracks all password reset attempts, providing traceability and accountability for frameworks like SOC2 Type 2 and ISO 27001.
• Incident Detection: Identifies unauthorized or suspicious password reset attempts, which could indicate account compromise, phishing attacks, or insider threats.
• Data Protection: Ensures compliance with GDPR Article 32, demonstrating controls to monitor and restrict unauthorized password reset activities to prevent unauthorized access to sensitive data.', null, null, null, null, null, null, null, null, null, 701, true, 294, 'TEMPLATE', null, null, 'Windows User Password Reset Attempt', null); + INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (870, 'This report presents detailed logs of access attempts to the AWS console, focused on verifying that only authorized users have access to the system. Login activity is analyzed using the ConsoleLogin event to ensure that access is limited to authenticated and authorized users, in accordance with CMMC practice AC.1.001, which establishes the need to restrict access to systems to only authorized users. 
The report includes key information such as authentication status (with/without MFA), source IP address, and login username, to monitor and prevent unauthorized access.', null, null, null, null, null, null, null, null, null, 510, true, 353, 'TEMPLATE', null, null, 'AWS Level 1 (AC.1.001): Console Login', null); + INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (871, 'This report presents a detailed analysis of AssumeRole events in AWS, with the objective of verifying that access to the systems is restricted to authorized users only. Through role assumption records, compliance with CMMC practice AC.1.001 is reviewed, which establishes the limitation of access to systems and data to duly authorized users and roles. 
The report includes key details such as the role assumed, among others, ensuring that only legitimate actors can obtain additional privileges on the systems.', null, null, null, null, null, null, null, null, null, 510, true, 354, 'TEMPLATE', null, null, 'AWS Level 1 (AC.1.001): Access Roles Assumption', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (872, 'This report presents a detailed analysis of CreateRole events in AWS, focused on verifying the implementation of role-based access controls (RBAC) to ensure compliance with CMMC practice AC.2.007. The goal is to ensure that the creation and assignment of roles in the AWS infrastructure is done in a controlled manner and aligned with the principles of minimum access and segregation of duties. 
The report includes critical information such as the name of the role created, the associated policy, the AWS account involved, and details about the source of the request, allowing you to verify that only the appropriate roles are defined for access to sensitive resources and that They are maintained in accordance with established safety requirements.', null, null, null, null, null, null, null, null, null, 510, true, 354, 'TEMPLATE', null, null, 'AWS Level 2 (AC.2.007): Access Roles Assumption', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (873, 'This report compiles and presents relevant information about AttachRolePolicy events in AWS, with the objective of verifying compliance with CMMC practice AC.2.007. It focuses on ensuring that access policies are properly associated with roles, ensuring that role-based access controls (RBAC) are implemented correctly. The report includes key details about the policies assigned to the roles, the specific role affected, the accounts involved, and the source of the request. 
This information is crucial to verify that access to sensitive resources is strictly controlled by assigning appropriate permissions based on user roles, ensuring that the principle of least privilege is maintained and risks of unauthorized access are minimized.', null, null, null, null, null, null, null, null, null, 510, true, 356, 'TEMPLATE', null, null, 'AWS Level 2 (AC.2.007): Attach Role Policy', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (874, 'This report compiles and presents relevant information about ConsoleLogin events in AWS, with the objective of verifying compliance with CMMC practice AU.1.001. It focuses on ensuring that AWS console logins are properly audited, ensuring that access to the system is effectively monitored. The report includes key details about login attempts, such as the user involved, the source IP address, and whether multi-factor authentication (MFA) was used. 
This information is crucial to verify that console accesses are recorded in a way that detects unauthorized activities, ensuring the integrity of the systems and compliance with audit requirements to protect sensitive data.', null, null, null, null, null, null, null, null, null, 510, true, 353, 'TEMPLATE', null, null, 'AWS Level 1 (AU.1.001): Console Login', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (875, 'This report compiles and presents relevant information about CreateRole events in AWS, with the objective of verifying compliance with CMMC practice AU.1.001. It focuses on ensuring that role creation in AWS is properly audited, ensuring that changes to role configurations are effectively logged. The report includes key details about the roles created, such as the role name, the account involved, and the source of the request. This information is crucial to verify that actions related to role management in the system are correctly monitored, ensuring that access to sensitive resources is managed and documented in accordance with security policies. 
This allows any unauthorized activity or unapproved changes to be detected, helping to maintain the security and integrity of the system.', null, null, null, null, null, null, null, null, null, 511, true, 355, 'TEMPLATE', null, null, 'AWS Level 1 (AU.1.001): Access Roles Assumption', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (876, 'This report compiles and presents relevant information about AssumeRole events in AWS, with the objective of verifying compliance with CMMC level 2 practice AU.2.042. The main focus is to ensure that audit logs related to role assumption are collected comprehensively, allowing security events to be detected and analyzed. The report includes details such as the identity of the user assuming the role, the ARN of the assumed role, the account involved, and the source of the request. 
This information is essential to monitor critical activities, identify unusual patterns, and ensure that necessary logs are available to support event analysis and respond effectively to potential security incidents.', null, null, null, null, null, null, null, null, null, 511, true, 357, 'TEMPLATE', null, null, 'AWS Level 2 (AU.2.042): Roles Assumption', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (877, 'This report compiles and presents relevant information about AttachRolePolicy events in AWS, with the objective of verifying compliance with CMMC level 2 practice AU.2.042. It focuses on ensuring that audit logs related to the association of policies to roles are collected effectively, allowing the detection and analysis of security events. The report includes key details such as the identity of the user performing the action, the ARN of the attached policy, the affected role, the account involved, and the source of the request. 
This information is critical to monitoring permission changes, detecting unauthorized activity, and ensuring that necessary logs are available to support event analysis and improve response to potential security incidents.', null, null, null, null, null, null, null, null, null, 511, true, 356, 'TEMPLATE', null, null, 'AWS Level 2 (AU.2.042): Attach Role Policy', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (878, 'This report compiles and presents relevant information about PutBucketPolicy events in AWS, with the objective of verifying compliance with CMMC practice AU.2.042. It focuses on ensuring that S3 bucket policies are properly monitored and logged to detect and analyze security events.

The report includes key details such as the affected account, the bucket in question, the policy applied, the identity of the user who performed the action, and the source of the request. This information is critical to ensuring that changes to bucket access policies are tracked, allowing for effective response to potential misconfigurations or unauthorized access.', null, null, null, null, null, null, null, null, null, 511, true, 358, 'TEMPLATE', null, null, 'AWS Level 2 (AU.2.042): Bucket Access Policies', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (879, 'This report collects relevant information about event 4634 (Logoff) in Windows logs, with the objective of verifying compliance with CMMC Level 1 practice AU.1.001, which requires the implementation of audit logs to track activities in the system .

Event 4634 indicates when a user session has ended successfully, which is critical for access monitoring and detecting anomalous activity. The report includes details such as the user ID, logout time, event source, and workstation used.

This analysis is key to ensuring that all user sessions are effectively logged, allowing for security audits and detection of potential incidents, such as unauthorized access or attempts to evade session controls.', null, null, null, null, null, null, null, null, null, 511, true, 350, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Account Logoff', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (880, 'This report compiles relevant information from the Windows logs generated by events 4728 and 4732, which are triggered when changes are made to user security groups within the system. These events are critical to complying with CMMC control SI.5.223, which requires improving detection capabilities on endpoints using advanced tools.

Event 4728 is triggered when a user is added to a security group, while event 4732 is triggered when a user is added to a privileged type security group. These events are key to monitoring and detecting changes in access configurations to critical resources and privileged groups, which could be indicative of an attempt to escalate privileges or unauthorized modification of user permissions.

By collecting these events, you can quickly detect inappropriate assignment of users to privileged groups, behavior that could be an indication of malicious activity. In addition, this type of monitoring, supported by advanced tools, strengthens threat detection capabilities on endpoints, allowing a more agile response to incidents related to the manipulation of access permissions and the potential abuse of privileges.

This report is key to improving visibility of activities within the system, helping security teams detect unauthorized changes and respond effectively to any threats. Additionally, it contributes to CMMC compliance by ensuring that advanced tools are applied to protect endpoints and detect suspicious or malicious behavior.', null, null, null, null, null, null, null, null, null, 502, true, 316, 'TEMPLATE', null, null, 'Windows Level 5 (SI.5.223): Additions to Security Groups', null); INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (881, e'The Windows Filtering Platform Report provides detailed insights into network traffic filtering events, including allowed and blocked connections, policy updates, and rule modifications. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework by detecting unauthorized network activity and ensuring security policies are enforced.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring visibility and oversight of network activity to protect sensitive financial systems and customer data.
• Network Security Monitoring: Supports compliance with PCI DSS Requirement 1, which mandates robust firewall and traffic filtering mechanisms to safeguard network environments.
• Real-Time Detection: Captures and reports policy violations or suspicious traffic patterns in real-time, enabling immediate response to potential threats.
• Incident Response: Identifies unauthorized changes to filtering policies or attempts to bypass security rules, ensuring a proactive approach to threat mitigation.
• Audit Readiness: Provides traceability of filtering events, meeting requirements for frameworks like SOC2 Type 2 and ISO 27001, demonstrating robust monitoring of network security.', null, null, null, null, null, null, null, null, null, 701, true, 296, 'TEMPLATE', null, null, 'Windows Filtering Platform', null); INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (882, e'The Windows Protected Object Access Operation Report provides a detailed log of access attempts—both successful and unsuccessful—on protected objects such as files, folders, registry keys, and other critical resources. This report is vital for ensuring compliance with Real-Time Alerting and Monitoring in the Banking Audit framework, enabling visibility into access to sensitive resources and the enforcement of security controls.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of access attempts to protect critical financial systems and sensitive customer data.
• Access Control Monitoring: Supports compliance with PCI DSS Requirement 10, which mandates logging and monitoring of access to critical resources to detect unauthorized activities.
• Real-Time Detection: Captures and reports unauthorized or suspicious access attempts in real-time, enabling immediate incident response.
• Incident Detection and Mitigation: Identifies patterns of unauthorized access, such as privilege escalation or brute force attempts, which could indicate potential threats.
• Audit Readiness: Provides traceability of protected object access events, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001.', null, null, null, null, null, null, null, null, null, 701, true, 297, 'TEMPLATE', null, null, 'Windows Protected Object Access Operation', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1057, 'This report compiles relevant information from logs generated by Windows event 5158, which is related to Windows Filtering Platform (WFP) configuration and network filtering rule changes. Event 5158 indicates when a service has started listening on a specific port, allowing you to audit and verify which services, protocols, and ports are enabled on the system. This event is essential for verifying that all allowed services, protocols, and ports have been identified, approved, and have a defined business need, as required by the PCI DSS standard. 
The information in this event helps ensure that only legitimate traffic necessary for the services to function is allowed, preventing potential vulnerabilities resulting from incorrect or unnecessary network configurations.', null, null, null, null, null, null, null, null, null, 807, true, 296, 'TEMPLATE', null, null, 'Windows Filtering Platform', ''); INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (883, e'The Windows Object Deletion Report provides a detailed record of deletion events for critical objects, such as files, folders, registry keys, and system components. This report is vital for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, enabling visibility and control over sensitive operations that may impact system integrity and data security.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of deletion activities to safeguard financial systems and sensitive customer data.
• Incident Detection: Identifies unauthorized or suspicious deletion events, which could indicate malicious activity, insider threats, or system misuse.
• Real-Time Monitoring: Captures deletion activities as they occur, enabling immediate response to unauthorized or risky operations.
• Audit Readiness: Provides traceability for deletion events, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating secure management of critical objects.
• Data Protection: Ensures compliance with GDPR Article 32, showcasing controls to monitor and restrict unauthorized deletion of data or configuration files.', null, null, null, null, null, null, null, null, null, 701, true, 298, 'TEMPLATE', null, null, 'Windows Object Deletion', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1156, 'This report compiles information from Windows 4662 events, which record audit actions on security objects, such as the creation, modification, or deletion of permissions on specific files or directories. The purpose is to assess compliance with PCI DSS Requirement 7.2, which establishes that access to system components and data must be appropriately defined and assigned. 
These logs verify that access to systems and resources is properly controlled and assigned according to user roles, following the principle of least privilege and ensuring that only the permissions strictly necessary to perform job duties are granted.', null, null, null, null, null, null, null, null, null, 805, true, 297, 'TEMPLATE', null, null, 'Windows Protected Object Access Operation', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1138, 'This report compiles relevant information from Windows Event 4662 logs to verify compliance with PCI DSS Requirement 6.1. Event 4662 provides details on attempts to modify or access objects, enabling verification that security policies and operational procedures are properly documented, up-to-date, and in use (6.1.1), and that roles and responsibilities related to developing and maintaining secure systems are documented, assigned, and understood (6.1.2), as required by PCI DSS.', null, null, null, null, null, null, null, null, null, 806, true, 297, 'TEMPLATE', null, null, 'Windows Protected Object Access Operation', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1160, 'This report compiles relevant 
information from Windows 4776 events, which record authenticated login attempts using user credentials. 4776 events are key to assessing compliance with PCI DSS Requirement 7.3, which requires access to system components and data to be managed by an access control system. Data from these events allows verification that authenticated access attempts are adequately controlled, confirming that the access control system is functioning correctly to allow only authorized access. This report facilitates auditing of implemented access controls, ensuring that user credentials are properly managed and validated for access to critical systems and data.', null, null, null, null, null, null, null, null, null, 805, true, 301, 'TEMPLATE', null, null, 'Windows Account Authentication Using NTLM', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (929, e'The Windows Object Deletion report provides detailed logs of events where objects such as files, directories, registry keys, or other system resources are deleted. This report is crucial for tracking changes, detecting unauthorized actions, and ensuring compliance with security policies and audit frameworks.
• Regulatory Compliance: Supports frameworks like PCI DSS, ISO 27001, and SOC2, by documenting deletion events to demonstrate proper governance and adherence to change management processes.
• Object Management Monitoring: Tracks the deletion of critical objects, ensuring such actions are authorized and aligned with internal policies to protect data integrity and system reliability.
• Event Correlation: Links deletion events to user accounts, originating systems, and preceding activities, providing a comprehensive audit trail for root cause analysis and compliance reporting.
• Real-Time Alerts: Sends notifications for deletions of critical objects, enabling immediate investigation of unauthorized or suspicious activities.
• Incident Detection: Identifies anomalies such as bulk deletions, deletions during off-hours, or removal of protected system objects, which may indicate malicious intent, insider threats, or operational errors.
• Audit Readiness: Logs detailed information for each deletion event, including the object name, location, user or process initiating the deletion, and the timestamp, ensuring robust documentation for compliance and forensic investigations.', null, null, null, null, null, null, null, null, null, 702, true, 298, 'TEMPLATE', null, null, 'Windows Object Deletion', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1117, 'This report compiles relevant information from 4660 events (An object was deleted) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 3.3, which states that sensitive authentication data (SAD) should not be stored after authorization.

Event 4660 allows you to audit the deletion of objects from the system, providing visibility into when and what data is deleted. This event is essential for verifying that sensitive authentication data, such as card details, verification code, and PIN, are either deleted or rendered unrecoverable after authorization. Auditing this event ensures that any sensitive content, including the full content of the tracks, the card verification code, or the PIN, is not unnecessarily retained in the system after the authorization transaction is completed.

By analyzing the logs for this event, it is possible to verify that the mechanisms and processes for deleting sensitive data are correctly implemented, aligning with PCI DSS requirements for the protection of confidential information. This ensures that the principles of minimal storage and secure handling of sensitive authentication data are not violated.', null, null, null, null, null, null, null, null, null, 802, true, 298, 'TEMPLATE', null, null, 'Windows Object Deletion', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1171, 'This report collects system events related to NTLM authentication attempts (Windows event 4776), both successful and failed, to assess compliance with authentication controls and access management in accordance with PCI DSS Requirement 8.3. Relevant information from these logs is used to verify that user and administrator authentication is properly implemented and managed in accordance with strong authentication requirements. 
This includes verifying that all access attempts are properly authenticated using one or more authentication factors, and that failed attempts are handled according to lockout and access control policies.', null, null, null, null, null, null, null, null, null, 808, true, 301, 'TEMPLATE', null, null, 'Windows Account Authentication Using NTLM', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1185, 'This report compiles relevant information from Windows event 4776 logs, which are generated when an account authentication attempt is made using the NTLM protocol. Event 4776 captures both successful and failed access attempts, allowing for the identification of invalid access attempts. This information is crucial for complying with PCI DSS requirement 10.2.1.4, which requires the capture of all invalid logical access attempts. 
Analyzing these events facilitates the detection of suspicious activity and forensic analysis of potential security incidents in environments that handle cardholder data.', null, null, null, null, null, null, null, null, null, 809, true, 301, 'TEMPLATE', null, null, 'Windows Account Authentication Using NTLM', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (693, 'This report collects and analyzes security events identified by ID 7036 on Windows systems. Event 7036 records changes in the status of system services, such as the start or stop of key services. These events provide relevant information for verifying compliance with the HITRUST CSF 01.v requirement, which establishes the obligation to log key system activities. 
This report facilitates the identification and monitoring of essential services, ensuring that critical system activities are properly logged and audited, and contributing to the implementation of monitoring policies and adequate control of system activities.', null, null, null, null, null, null, null, null, null, 601, true, 300, 'TEMPLATE', null, null, 'Windows Monitoring of Critical System Services Status', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (884, e'The Windows Attempt to Access a Protected Object Report provides a detailed log of both successful and failed attempts to access protected objects, such as files, directories, or system components. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework by tracking access to sensitive resources and enforcing security policies.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of access attempts to safeguard financial systems and customer data.
• Access Control Monitoring: Supports compliance with PCI DSS Requirement 10, which mandates logging and monitoring of access to critical resources to detect unauthorized activities.
• Real-Time Alerting: Captures and notifies of unauthorized or suspicious access attempts in real-time, enabling immediate response to potential threats.
• Incident Detection: Identifies patterns of unauthorized access, such as brute force attacks or privilege escalation attempts, which could indicate security breaches.
• Audit Readiness: Provides traceability of access attempts to ensure accountability and compliance with frameworks like SOC2 Type 2 and ISO 27001.', null, null, null, null, null, null, null, null, null, 701, true, 273, 'TEMPLATE', null, null, 'Windows Attempt to Access a Protected Object', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (885, e'The Windows Cleaned Event Log Report provides detailed logs of events where system event logs have been cleared. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as log clearing can indicate attempts to hide malicious activity or compromise system integrity.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of log management activities to protect financial systems and sensitive data.
• Real-Time Alerting: Captures and notifies administrators in real-time when event logs are cleared, enabling immediate investigation and response to potential incidents.
• Incident Detection: Identifies unauthorized or suspicious log clearing activities, which could indicate insider threats or attempts to conceal malicious actions.
• Audit Readiness: Provides traceability for log clearing events, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating secure log management practices.
• Data Integrity Protection: Supports compliance with PCI DSS Requirement 10, ensuring that all log management activities, including clearing logs, are monitored and documented.', null, null, null, null, null, null, null, null, null, 701, true, 295, 'TEMPLATE', null, null, 'Windows Cleaned Event Log', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (886, e'The Windows Critical Hardware Failure Report provides detailed logs of hardware-related issues, such as disk failures, memory errors, or overheating events. This report is vital for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as hardware failures can lead to data loss, downtime, or system vulnerabilities.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring that critical hardware failures are monitored and mitigated to protect financial systems and sensitive data.
• Real-Time Alerting: Captures and notifies administrators in real-time of hardware issues, enabling immediate action to minimize risks and prevent system downtime.
• Incident Response: Identifies patterns of recurring hardware issues, supporting root cause analysis and proactive maintenance planning.
• Audit Readiness: Provides traceability of hardware failure events, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating secure and reliable system operations.
• Data Protection: Supports compliance with PCI DSS Requirement 5, ensuring the availability and integrity of hardware components critical to financial systems.', null, null, null, null, null, null, null, null, null, 701, true, 299, 'TEMPLATE', null, null, 'Windows Critical Hardware Failure', null); INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (887, e'The Windows Monitoring of Critical System Services Status Report provides detailed insights into the operational state of critical system services, tracking events such as service starts, stops, crashes, or failures. This report is essential for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as service disruptions can compromise system reliability and security.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of critical system services to safeguard financial systems and sensitive customer data.
• Real-Time Alerting: Captures and notifies administrators of service disruptions or failures in real-time, enabling immediate response to restore functionality and prevent downtime.
• Incident Detection: Identifies recurring service failures or unauthorized modifications, which could indicate security threats or system misconfigurations.
• Audit Readiness: Provides traceability of service status events, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating robust monitoring and management practices.
• System Reliability: Supports compliance with PCI DSS Requirement 10, ensuring critical services remain operational to maintain secure and reliable financial operations.', null, null, null, null, null, null, null, null, null, 701, true, 300, 'TEMPLATE', null, null, 'Windows Monitoring of Critical System Services Status', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1121, 'This report compiles relevant information from Windows 4776 events to verify compliance with PCI DSS Requirement 3.4.2. This requirement establishes that, when using remote access technologies, technical controls must be implemented to prevent the copying and/or relocation of the PAN (Primary Account Number) by anyone except those with explicit, documented authorization and a defined, legitimate business need.

Event 4776 provides information on user authentication attempts, specifically related to the use of credentials to log in remotely. This event is useful for tracking remote access and ensuring that technical controls are operating properly to prevent unauthorized access and manipulation of the PAN.

This event can be used to verify that remote access is being performed only by authorized personnel with valid credentials and the necessary permissions to manipulate sensitive data such as the PAN, in compliance with the remote access policies defined by PCI DSS. The report allows you to review compliance with security measures and appropriate access controls, ensuring that account data is protected throughout the remote access process.', null, null, null, null, null, null, null, null, null, 802, true, 301, 'TEMPLATE', null, null, 'Windows Account Authentication Using NTLM', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (717, 'This report contributes to compliance with the NIST CSF DE.CM-1 requirement, which requires continuous monitoring of network activities to detect potential malicious activity. By analyzing event ID 4776 on Windows systems, the report enables monitoring of authentication attempts, specifically those involving credential validation on networks and systems. Monitoring these events helps identify unusual access patterns or unauthorized authentication attempts that could be indicative of an attack, such as an unauthorized access attempt or a brute-force attack. 
This continuous monitoring is essential for detecting potential threats and maintaining the security of the IT infrastructure.', null, null, null, null, null, null, null, null, null, 604, true, 301, 'TEMPLATE', null, null, 'Windows Account Authentication Using NTLM', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (888, e'The Windows Special Privileges Assigned to New Logon Report provides a detailed record of logon events where special privileges, such as administrative or elevated rights, are assigned to users. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as the misuse of special privileges can pose significant security risks.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of privilege assignment to protect financial systems and sensitive customer data.
• Access Control Monitoring: Supports compliance with PCI DSS Requirement 7, ensuring that privileged access is restricted to authorized users and monitored for unauthorized assignments.
• Real-Time Alerting: Captures and alerts administrators of special privilege assignments in real-time, enabling immediate action to mitigate risks.
• Incident Detection: Identifies suspicious or unauthorized privilege assignments, which could indicate insider threats, privilege escalation, or account compromise.
• Audit Readiness: Provides traceability of privileged logon events, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating robust access management.', null, null, null, null, null, null, null, null, null, 701, true, 278, 'TEMPLATE', null, null, 'Windows Special privileges assigned to new logon', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (889, e'he Windows Member Addition to a Security Local Group Report provides detailed logs of events where users or accounts are added to local security groups. This report is critical within the Banking Audit framework to ensure compliance with Real-Time Alerting and Monitoring, as group membership changes can directly impact access control and system security.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring visibility and control over group membership changes to protect financial systems and sensitive data.
• Access Control Compliance: Supports compliance with PCI DSS Requirement 7, ensuring restricted access to critical resources and tracking all group membership changes.
• Real-Time Alerting: Captures and notifies administrators of member additions in real-time, enabling immediate review and action to address unauthorized changes.
• Incident Detection: Identifies unauthorized or suspicious additions to privileged groups, such as the Administrators group, which could indicate insider threats or compromised accounts.
• Audit Readiness: Provides traceability of group membership changes, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating secure access management practices.', null, null, null, null, null, null, null, null, null, 701, true, 320, 'TEMPLATE', null, null, 'Windows Member Addition to a Security Local Group', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (890, e'The Windows Registry Value Modification Report provides detailed logs of changes to critical registry values, capturing modifications, deletions, or additions. This report is vital for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as unauthorized registry modifications can compromise system security and stability.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of registry modifications to safeguard financial systems and sensitive customer data.
• System Integrity Monitoring: Supports compliance with PCI DSS Requirement 10, which mandates logging and monitoring of system configuration changes.
• Real-Time Alerting: Captures and notifies administrators in real-time of unauthorized or suspicious registry changes, enabling immediate investigation and mitigation.
• Incident Detection: Identifies potential threats such as malware activity, privilege escalation, or insider misuse that may involve registry tampering.
• Audit Readiness: Provides traceability of registry changes, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating secure system configuration practices.', null, null, null, null, null, null, null, null, null, 701, true, 322, 'TEMPLATE', null, null, 'Windows Registry Value Modification', null); INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (891, e'The Windows Account Authentication Using NTLM Report provides detailed logs of authentication events involving NTLM (NT LAN Manager), including successful and failed attempts. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as NTLM-based authentication can be a target for credential theft and relay attacks.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring visibility and oversight of NTLM authentication attempts to protect sensitive financial systems and customer data.
• Authentication Monitoring: Supports compliance with PCI DSS Requirement 8, which mandates secure authentication practices and tracking of all login attempts.
• Real-Time Alerting: Captures and alerts administrators of NTLM authentication failures or unusual patterns in real-time, enabling rapid response to potential security threats.
• Incident Detection: Identifies suspicious activities such as NTLM relay attacks, brute force attempts, or compromised account usage.
• Audit Readiness: Provides traceability for NTLM authentication events, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating secure access management practices.', null, null, null, null, null, null, null, null, null, 701, true, 301, 'TEMPLATE', null, null, ' Windows Account Authentication Using NTLM', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (694, 'This report collects and analyzes security events identified by ID 4689 on Windows systems. Event 4689 records the termination of a process on the system, providing relevant information about which processes have been stopped, who executed them, and when. These events are essential for verifying compliance with the HITRUST CSF 01.v requirement, which requires the logging of key system activities. 
This report facilitates the identification and auditing of terminated processes, contributing to the comprehensive monitoring of system activities, ensuring that all key activities are logged and audited to comply with security and control standards.', null, null, null, null, null, null, null, null, null, 601, true, 302, 'TEMPLATE', null, null, 'Windows Process Termination', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1137, 'This report collects relevant information from Windows Event 4689 logs to assess compliance with PCI DSS Requirement 6.1. Event 4689 provides details on process terminations within the system, allowing validation that security policies and operational procedures are documented, up-to-date, and in use, in accordance with 6.1.1. 
It also ensures that the roles and responsibilities associated with developing and maintaining secure systems are clearly defined and understood, as required by 6.1.2.', null, null, null, null, null, null, null, null, null, 806, true, 302, 'TEMPLATE', null, null, 'Windows Process Termination', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (892, e'The Windows Logins with Explicit Credentials Report provides a detailed record of logon events where users explicitly supply credentials, including remote or delegated authentication attempts. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as explicit credential use can be targeted in attacks like pass-the-hash or credential theft.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of logins with explicit credentials to protect sensitive financial systems and customer data.
• Access Control Monitoring: Supports compliance with PCI DSS Requirement 8, ensuring secure authentication practices and monitoring of logon events involving credential entry.
• Real-Time Alerting: Captures and alerts administrators of explicit credential logins, particularly from untrusted or unusual sources, in real-time for rapid response.
• Incident Detection: Identifies suspicious or unauthorized use of explicit credentials, which could indicate credential theft, phishing, or misuse of privileged accounts.
• Audit Readiness: Tracks all logins with explicit credentials, providing traceability for frameworks like SOC2 Type 2 and ISO 27001, ensuring secure and accountable access management.', null, null, null, null, null, null, null, null, null, 701, true, 281, 'TEMPLATE', null, null, 'Windows Logins with explicit credentials', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (893, e'The Windows User Accounts Deleted Report provides detailed logs of events where user accounts are removed from the system. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as account deletions can indicate unauthorized actions, insider threats, or security policy violations.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring visibility and oversight of account deletions to safeguard sensitive financial systems and customer data.
• Access Control Monitoring: Supports compliance with PCI DSS Requirement 7, ensuring that user account deletions are logged and reviewed to prevent unauthorized actions.
• Real-Time Alerting: Captures and notifies administrators immediately when accounts are deleted, enabling prompt investigation and response to potential threats.
• Incident Detection: Identifies unauthorized or suspicious account deletions, which could indicate malicious intent, such as erasing traces of compromised accounts.
• Audit Readiness: Tracks account deletions to ensure compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating secure and accountable user management practices.', null, null, null, null, null, null, null, null, null, 701, true, 272, 'TEMPLATE', null, null, 'Windows User Accounts Deleted', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (894, e'The Windows Restoration of Default Security Policies Report provides detailed logs of events where system security policies are reset to their default configurations. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as such actions can impact the security posture and may indicate unauthorized changes or recovery efforts.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of policy restoration activities to safeguard sensitive financial systems and customer data.
• System Integrity Monitoring: Supports compliance with PCI DSS Requirement 10, ensuring that changes to security policies, including restorations, are logged and monitored.
• Real-Time Alerting: Captures and notifies administrators immediately when default security policies are restored, enabling rapid investigation and response.
• Incident Detection: Identifies unauthorized or suspicious policy restorations, which could indicate an attempt to bypass hardened security configurations or revert critical controls.
• Audit Readiness: Tracks all events of policy restoration, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating secure configuration management practices.', null, null, null, null, null, null, null, null, null, 701, true, 291, 'TEMPLATE', null, null, 'Windows Restoration of default security policies', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (895, e'The Windows Process Creation Report provides detailed logs of events where processes are initiated on a system, including the name, execution path, user, and timestamp. This report is essential for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as monitoring process creation helps detect unauthorized or malicious activities.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of process creation to protect financial systems and sensitive customer data.
• Threat Detection: Identifies suspicious or unauthorized processes, such as malware execution, privilege escalation attempts, or unauthorized script launches.
• Real-Time Alerting: Captures and notifies administrators in real-time of process creation events that deviate from normal behavior, enabling immediate investigation.
• Audit Readiness: Tracks all process creation activities, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating robust monitoring of system activities.
• System Integrity: Supports compliance with PCI DSS Requirement 10, ensuring visibility into system-level activities for secure operations.', null, null, null, null, null, null, null, null, null, 701, true, 284, 'TEMPLATE', null, null, 'Windows Process Creation', null); INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (896, e'The Windows Process Termination Report provides detailed logs of events where processes are terminated on a system, including information about the process name, termination path, initiating user, and timestamp. This report is essential for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as monitoring process termination helps detect unauthorized or malicious activities.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of process terminations to protect financial systems and sensitive customer data.
• Threat Detection: Identifies suspicious or unauthorized process terminations, such as forced terminations of security services or critical system processes, which may indicate malicious activity.
• Real-Time Alerting: Captures and alerts administrators immediately of abnormal process termination events, enabling rapid response and investigation.
• Audit Readiness: Tracks all process termination events, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating robust monitoring of system activities.
• System Integrity: Supports compliance with PCI DSS Requirement 10, ensuring visibility into system-level activities for secure and reliable operations.', null, null, null, null, null, null, null, null, null, 701, true, 302, 'TEMPLATE', null, null, 'Windows Process Termination', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1215, 'This report compiles relevant information from 4689 events in Windows logs, which are generated when a process completes its execution. These events are crucial for verifying compliance with PCI DSS Requirement 12.3, which establishes that risks to the cardholder data environment (CDE) must be formally identified, assessed, and managed.

4689 events allow tracking of process execution in systems, which facilitates the identification of protected assets and provides valuable information for assessing threats that may impact those assets. The logs verify that risk assessments are being conducted and updated continuously, which contributes to active risk management in the CDE environment.

This analysis also allows for observing the factors that contribute to the likelihood and/or impact of threats, and how the organization''s established processes minimize the identified risks. Additionally, 4689 events can be used to ensure that a risk assessment is conducted at least once every 12 months, as required by the PCI DSS, to ensure the security environment is always up-to-date and in line with emerging threats.

This report is essential to demonstrate that the organization is adequately managing the risks associated with the cardholder data environment in accordance with PCI DSS standards, and that security policies and procedures are aligned with risk analysis requirements.', null, null, null, null, null, null, null, null, null, 811, true, 302, 'TEMPLATE', null, null, 'Windows Process Termination', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (897, e'The Windows Installation of Services Report provides detailed logs of events where new services are installed on the system, capturing information such as the service name, installation path, initiating user, and timestamp. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as unauthorized or suspicious service installations can indicate potential security threats.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring visibility and oversight of service installations to protect sensitive financial systems and customer data.
• Threat Detection: Identifies unauthorized or malicious service installations, which could be used to execute malware or maintain unauthorized access.
• Real-Time Alerting: Captures and alerts administrators immediately when new services are installed, enabling prompt investigation and action.
• Audit Readiness: Tracks all service installation activities, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating robust monitoring of system changes.
• System Integrity: Supports compliance with PCI DSS Requirement 10, ensuring secure system configurations by monitoring all service-related activities.', null, null, null, null, null, null, null, null, null, 701, true, 290, 'TEMPLATE', null, null, 'Windows Installation of Services', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (898, e'The Windows Access to Shared Resources Report provides detailed logs of events where users or systems access shared resources, such as files, folders, printers, or shared drives. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as shared resource access can expose sensitive data if not properly monitored.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of shared resource access to protect sensitive financial systems and customer data.
• Access Control Monitoring: Supports compliance with PCI DSS Requirement 7, ensuring that access to shared resources is restricted to authorized users and activities are logged.
• Real-Time Alerting: Captures and notifies administrators immediately of unauthorized or suspicious access to shared resources, enabling rapid response to potential threats.
• Incident Detection: Identifies patterns of unauthorized access, excessive data downloads, or unusual access times, which may indicate insider threats or compromised accounts.
• Audit Readiness: Tracks all access events to shared resources, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating secure resource-sharing practices.', null, null, null, null, null, null, null, null, null, 701, true, 285, 'TEMPLATE', null, null, 'Windows Access to Shared Resources', null);
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (900, e'The Windows System Time Settings Changes Report provides detailed logs of events where system time, time zone, or clock settings are modified. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as changes to time settings can disrupt time-sensitive operations, affect audit log integrity, or indicate unauthorized activity.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of time settings changes to maintain the integrity of financial systems and customer data.
• System Integrity Monitoring: Supports compliance with PCI DSS Requirement 10, ensuring that time settings changes are logged and monitored to maintain reliable audit trails.
• Real-Time Alerting: Captures and notifies administrators immediately when system time settings are altered, enabling rapid investigation and response.
• Incident Detection: Identifies suspicious changes to system time, which could indicate attempts to bypass security measures, manipulate logs, or hide unauthorized activities.
• Audit Readiness: Tracks time setting changes, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating robust configuration and log management practices.', null, null, null, null, null, null, null, null, null, 701, true, 303, 'TEMPLATE', null, null, 'Windows System Time Settings Changes', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1188, 'This report collects relevant information from Windows event 4738 logs, which are generated when a change is made to a user account, such as modifications to identification and authentication credentials. Event 4738 captures actions such as new account creation, privilege escalation, and all user account changes, additions, or deletions. This information is essential for compliance with PCI DSS Requirement 10.2.1.5, which establishes the need to capture all changes related to access credentials. 
Analyzing these events allows for auditing and detecting potentially unauthorized or malicious actions related to account and privilege management in environments that process cardholder data.', null, null, null, null, null, null, null, null, null, 809, true, 303, 'TEMPLATE', null, null, 'Windows User Account Attributes Changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (901, e'The Windows Certificate Configuration Changes Report provides detailed logs of modifications to certificate stores, such as the addition, deletion, or modification of certificates or trust settings. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as certificate changes can directly impact secure communication and trust relationships.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of certificate configuration changes to safeguard sensitive financial systems and customer data.
• Security Monitoring: Supports compliance with PCI DSS Requirement 10, which mandates monitoring and logging of system configuration changes, including certificates.
• Real-Time Alerting: Captures and notifies administrators immediately when certificate changes occur, enabling rapid response to potential threats.
• Incident Detection: Identifies suspicious changes to certificates, such as unauthorized trust additions or the removal of critical certificates, which could indicate malicious activity.
• Audit Readiness: Tracks all certificate-related changes, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating robust configuration management practices.', null, null, null, null, null, null, null, null, null, 701, true, 304, 'TEMPLATE', null, null, 'Windows Certificate Configuration Changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (902, e'The Windows Account Locks Report provides detailed logs of events where user accounts are locked due to failed login attempts or security policy enforcement. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as account locks can indicate brute force attacks, phishing attempts, or compromised accounts.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of account lock events to protect sensitive financial systems and customer data.
• Access Control Monitoring: Supports compliance with PCI DSS Requirement 8, ensuring that account lockouts are tracked and monitored to detect unauthorized access attempts.
• Real-Time Alerting: Captures and notifies administrators immediately when accounts are locked, enabling rapid investigation and response to potential threats.
• Incident Detection: Identifies patterns of suspicious login attempts, such as brute force attacks or repeated lockouts, which may indicate targeted attacks or misuse.
• Audit Readiness: Tracks all account lock events, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating robust access management practices.', null, null, null, null, null, null, null, null, null, 701, true, 276, 'TEMPLATE', null, null, 'Windows Account Locks', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (903, e'The Windows Kerberos Ticket Requests Report provides detailed logs of Kerberos authentication events, including ticket-granting ticket (TGT) requests, service ticket requests, and renewal attempts. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as Kerberos ticket requests can reveal authentication misuse or security breaches.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of authentication events to safeguard sensitive financial systems and customer data.
• Authentication Monitoring: Supports compliance with PCI DSS Requirement 8, ensuring secure authentication mechanisms and tracking Kerberos ticket activities.
• Real-Time Alerting: Captures and alerts administrators immediately when unusual Kerberos ticket requests occur, enabling rapid investigation and mitigation.
• Incident Detection: Identifies suspicious Kerberos activities, such as golden ticket attacks, ticket reuse, or brute force attempts, which could indicate compromised accounts or insider threats.
• Audit Readiness: Tracks all Kerberos ticket events, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating secure and accountable authentication practices.', null, null, null, null, null, null, null, null, null, 701, true, 283, 'TEMPLATE', null, null, 'Windows Kerberos ticket requests', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (904, e'The Windows Local Security Group Member Removal Report provides detailed logs of events where users or accounts are removed from local security groups. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as group membership changes directly affect access control and system security.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of group membership changes to protect sensitive financial systems and customer data.
• Access Control Monitoring: Supports compliance with PCI DSS Requirement 7, ensuring that access to critical resources is controlled and membership changes are tracked.
• Real-Time Alerting: Captures and alerts administrators immediately when members are removed from security groups, enabling rapid response to potential unauthorized changes.
• Incident Detection: Identifies suspicious or unauthorized member removals, which may indicate insider threats, account compromise, or policy violations.
• Audit Readiness: Tracks all member removal events to ensure compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating robust access management practices.', null, null, null, null, null, null, null, null, null, 701, true, 321, 'TEMPLATE', null, null, 'Windows Local Security Group Member Removal', '');
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (905, e'The Windows Service Installed Report provides detailed logs of events where new services are installed on a system, including information about the service name, installation path, initiating user, and timestamp. This report is crucial for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as unauthorized service installations can pose significant security risks.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of service installations to protect financial systems and sensitive customer data.
• System Configuration Monitoring: Supports compliance with PCI DSS Requirement 10, ensuring that all system changes, including service installations, are logged and monitored.
• Real-Time Alerting: Captures and alerts administrators immediately when a new service is installed, enabling rapid investigation and response to unauthorized or malicious activities.
• Incident Detection: Identifies suspicious service installations that could indicate malware deployment, privilege escalation, or attempts to maintain unauthorized access.
• Audit Readiness: Tracks all service installation events to ensure compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating secure system configuration management.', null, null, null, null, null, null, null, null, null, 701, true, 305, 'TEMPLATE', null, null, 'Windows Service Installed', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1101, 'This report gathers key information from 4697 events recorded in Windows logs, which are generated when a new service or component is installed on a system. These events are important for verifying that security configuration standards are being implemented in accordance with PCI DSS Requirement 2.2.1, which requires configurations to be consistent with system hardening best practices or vendor recommendations, address all known vulnerabilities, and be updated as new threats are identified.

4697 events allow for auditing the installation of new services or components on the system, providing evidence that these components are being properly configured to meet security standards before being connected to the production network. Additionally, these events help verify that configuration updates are being applied in a timely manner, as required by PCI DSS regarding the application of secure configurations and the management of new vulnerabilities.

This report ensures that security configurations are continuously maintained and audited, and that PCI DSS requirements related to the secure configuration of system components are met.', null, null, null, null, null, null, null, null, null, 801, true, 305, 'TEMPLATE', null, null, 'Windows Service Installed', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (706, 'This report supports compliance with the NIST CSF DE.CM-1 requirement, which establishes the need to continuously monitor network activity to detect malicious activity. By analyzing event ID 4697 on Windows systems, this report facilitates monitoring the installation of new services on the system, which may indicate unauthorized changes or the execution of malicious activity. 
This continuous monitoring allows for rapid detection and response to potential threats, helping to protect the network infrastructure and ensuring that security policies remain effective.', null, null, null, null, null, null, null, null, null, 604, true, 305, 'TEMPLATE', null, null, 'Windows Service Installed', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (921, e'The Windows Service Installed report provides detailed logs of events where new services are installed on a Windows system. This report is essential for monitoring system integrity, detecting unauthorized installations, and ensuring compliance with security and audit frameworks.
• Regulatory Compliance: Supports frameworks like PCI DSS, ISO 27001, and SOC2, by documenting service installations to maintain a clear audit trail of system modifications.
• System Integrity Monitoring: Tracks the installation of services to ensure that only authorized services are added, preventing potential malware or unnecessary services from compromising system performance or security.
• Event Correlation: Links service installation events with administrative actions, user accounts, and originating systems to build a comprehensive audit trail for analysis.
• Real-Time Alerts: Notifies administrators of new service installations, particularly those installed by unauthorized users or from suspicious sources, enabling timely response to potential threats.
• Incident Detection: Identifies unusual service installations, such as those with obscure names, running from unexpected directories, or configured with excessive privileges, which may indicate malicious activity.
• Audit Readiness: Logs detailed information for each service installed, including the service name, executable path, user or account responsible for the installation, and the timestamp, ensuring robust records for audits and investigations.

By monitoring and correlating Windows Service Installed events, this report strengthens system security, supports compliance with audit requirements, and provides actionable insights for threat detection and response.', null, null, null, null, null, null, null, null, null, 702, true, 305, 'TEMPLATE', null, null, 'Windows Service Installed', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1091, 'The report consolidates relevant information from Windows event 4697 logs, providing evidence for assessing compliance with PCI DSS Requirements. This event allows monitoring the installation of new services on devices that have connectivity to both untrusted networks and the CDE, facilitating the identification of potential configurations that could introduce risks to the network. 
By analyzing these logs, it is possible to verify that security controls are active, that the installation of unauthorized services is restricted, and that any modifications to device configurations are properly documented and approved in accordance with established security policies.', null, null, null, null, null, null, null, null, null, 807, true, 305, 'TEMPLATE', null, null, 'Windows Service Installed', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1194, 'This report compiles relevant information from Windows Event 1100 logs, which indicate the unexpected closure of the audit log. Interruption of audit mechanisms can be an indicator of failures in critical security controls.

Analyzing these events is critical to ensuring compliance with PCI DSS Requirement 10.7.2, which requires detection, alerting, and response to breaches in critical security control systems, including audit mechanisms. Collecting and monitoring these logs can identify potential attempts at log manipulation, configuration errors, or security disruptions, facilitating a timely response to mitigate risks in environments that handle cardholder data.', null, null, null, null, null, null, null, null, null, 809, true, 314, 'TEMPLATE', null, null, 'Windows Event Logging Service Shut Down', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (906, e'The Windows PowerShell Remote Session Creation Report provides detailed logs of events where remote PowerShell sessions are established, capturing information such as the initiating user, source IP address, session commands, and timestamps. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as remote PowerShell sessions can be exploited for unauthorized access or malicious activities.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of remote session activities to protect sensitive financial systems and customer data.
• Access Control Monitoring: Supports compliance with PCI DSS Requirement 10, ensuring all remote access attempts and activities are logged and monitored.
• Real-Time Alerting: Captures and notifies administrators immediately of remote PowerShell session creations, enabling rapid response to potential threats.
• Incident Detection: Identifies unauthorized or suspicious remote session activities, such as from unusual IP addresses or privilege escalation attempts, which may indicate account compromise or insider threats.
• Audit Readiness: Tracks all remote PowerShell session events to ensure compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating secure and accountable access management practices.', null, null, null, null, null, null, null, null, null, 701, true, 289, 'TEMPLATE', null, null, 'Windows PowerShell Remote Session Creation', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (907, e'The Windows Protected Object Permission Change Report provides detailed logs of events where permissions on protected objects, such as files, folders, or registry keys, are modified. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as unauthorized changes to permissions can compromise data security and system integrity.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of permission changes to safeguard financial systems and sensitive customer data.
• Access Control Monitoring: Supports compliance with PCI DSS Requirement 7, ensuring that access permissions are restricted to authorized users and tracked for changes.
• Real-Time Alerting: Captures and notifies administrators immediately of permission changes on protected objects, enabling prompt investigation and mitigation of potential risks.
• Incident Detection: Identifies unauthorized or suspicious permission modifications, which could indicate insider threats, privilege escalation, or attempts to bypass security controls.
• Audit Readiness: Tracks all permission change events to ensure compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating robust access and configuration management.', null, null, null, null, null, null, null, null, null, 701, true, 274, 'TEMPLATE', null, null, 'Windows Protected Object Permission Change', '');
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (908, e'The Windows User Accounts Enumeration Report provides detailed logs of attempts to list or enumerate user accounts on a system. This report is crucial for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as unauthorized enumeration activities can indicate reconnaissance efforts by attackers or insider threats.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of user enumeration events to protect sensitive financial systems and customer data.
• Access Control Monitoring: Supports compliance with PCI DSS Requirement 8, ensuring that access to user account information is restricted and monitored.
• Real-Time Alerting: Captures and alerts administrators immediately of suspicious enumeration activities, enabling rapid investigation and mitigation.
• Incident Detection: Identifies unauthorized enumeration attempts, which could indicate reconnaissance, brute force attacks, or credential harvesting.
• Audit Readiness: Tracks all user enumeration events, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating secure access and identity management practices.', null, null, null, null, null, null, null, null, null, 701, true, 306, 'TEMPLATE', null, null, 'Windows User Accounts Enumeration', '');
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (909, e'The Windows Group Membership Enumerated Report provides detailed logs of events where group membership information is queried or enumerated. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as unauthorized enumeration can indicate reconnaissance activities by attackers or insider threats attempting to identify privileged groups.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of group membership enumeration to protect sensitive financial systems and customer data.
• Access Control Monitoring: Supports compliance with PCI DSS Requirement 7, ensuring that access to group membership details is restricted and tracked.
• Real-Time Alerting: Captures and alerts administrators immediately when group membership enumeration is detected, enabling rapid investigation and mitigation of potential threats.
• Incident Detection: Identifies unauthorized or suspicious queries of group membership, which may indicate attempts to map privileged accounts or escalate privileges.
• Audit Readiness: Tracks all group membership enumeration events, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating robust access management practices.', null, null, null, null, null, null, null, null, null, 701, true, 307, 'TEMPLATE', null, null, 'Windows Group Membership Enumerated', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1157, 'This report compiles relevant information from Windows 4798 events, which record queries and access to specific system objects, such as changes to user groups and assigned permissions. The purpose of this report is to verify compliance with PCI DSS Requirement 7.2, which establishes that access to system components and data must be appropriately defined and assigned. 
Through 4798 events, the correct assignment of privileges can be tracked and audited, ensuring that access to systems and data is consistent with business needs and the principle of least privilege, and that permissions are granted only to those users whose role warrants it.', null, null, null, null, null, null, null, null, null, 805, true, 307, 'TEMPLATE', null, null, 'Windows Group Membership Enumerated', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1087, 'This report compiles relevant information from Windows event 4799 logs, which refers to network configuration changes involving access and disclosure of internal IP address and routing information. This event is key to verifying compliance with PCI DSS Requirements, which establishes that disclosure of internal IP addresses and routing information must be limited to authorized parties only. 
By reviewing these events, unauthorized access to sensitive network configurations can be monitored, ensuring that only authorized personnel have visibility into this critical information.', null, null, null, null, null, null, null, null, null, 807, true, 306, 'TEMPLATE', null, null, 'Windows User Accounts Enumeration', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1108, 'This report compiles relevant information from 4738 events (A user account was changed) generated in Windows, with the goal of verifying compliance with PCI DSS requirement 2.3.2, which establishes that wireless encryption keys must be changed in specific situations, such as the departure of employees with knowledge of the keys or when there is a suspicion of compromise.

Event 4738 records changes to user accounts, which can help identify changes in privileges or access by personnel who may have had knowledge of the wireless network''s encryption keys. Monitoring these events ensures that keys are updated in a timely manner, reducing the risk of unauthorized access to networks that transmit sensitive data.', null, null, null, null, null, null, null, null, null, 801, true, 308, 'TEMPLATE', null, null, 'Windows User Account Attributes Changes', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1169, 'This report collects and analyzes 4738 events (User Account Modification) recorded in Windows logs to assess compliance with PCI DSS Requirement 8.2. Changes to user accounts are monitored, including changes to privileges, authentication information, and other key attributes, ensuring that all modifications are properly authorized and documented. 
Additionally, the assignment of unique IDs, restriction on the use of shared accounts, immediate revocation of access for inactive or deregistered users, and attribution of actions to individual users are verified, ensuring strict account lifecycle management in accordance with required authentication controls.', null, null, null, null, null, null, null, null, null, 808, true, 308, 'TEMPLATE', null, null, 'Windows User Account Attributes Changes', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (681, 'This report collects and analyzes security events identified by ID 4738 on Windows systems. Event 4738 records changes to user account properties, providing relevant information for verifying compliance with HIPAA requirement 164.312(a)(1). This requirement establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that store or process ePHI (Electronic Protected Health Information). 
This report facilitates the identification and monitoring of user account modifications, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 308, 'TEMPLATE', null, null, 'Windows User Account Attributes Changes', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (696, 'This report collects and analyzes security events identified with ID 4738 on Windows systems. Event 4738 records changes to user account properties, providing relevant information essential for verifying compliance with the HITRUST CSF 01.v requirement, which mandates the logging of key system activities. 
This report facilitates the identification and auditing of changes to user accounts, ensuring that all changes are appropriately monitored, logged, and reviewed to maintain security, integrity, and compliance with controlled access policies.', null, null, null, null, null, null, null, null, null, 601, true, 308, 'TEMPLATE', null, null, 'Windows User Account Attributes Changes', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (918, e'The Windows User Account Attributes Changes report provides detailed logs of events where attributes of user accounts, such as group memberships, permissions, or profile settings, are modified. This report is vital for monitoring changes to account configurations, detecting unauthorized modifications, and ensuring compliance with security and audit frameworks.
• Regulatory Compliance: Aligns with standards like PCI DSS, ISO 27001, and SOC2, by maintaining an auditable trail of account attribute changes to support access control and security policies.
• Account Management Monitoring: Tracks changes to user account attributes, ensuring they are performed through authorized administrative actions and comply with internal security policies.
• Event Correlation: Links attribute change events with associated user accounts, administrative actions, and originating systems, providing a comprehensive security audit trail.
• Real-Time Alerts: Sends notifications for critical attribute changes, such as updates to group memberships, privilege escalations, or security settings, enabling rapid incident response.
• Incident Detection: Identifies suspicious or unauthorized modifications to account attributes, which may indicate insider threats, administrative errors, or malicious activities.
• Audit Readiness: Logs detailed information, including the affected account, the specific attributes changed, the user or process initiating the change, and the timestamp, ensuring robust records for audits and investigations.', null, null, null, null, null, null, null, null, null, 702, true, 308, 'TEMPLATE', null, null, 'Windows User Account Attributes Changes', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (699, 'This report contributes to compliance with the NIST CSF PR.DS-3 requirement, which establishes the need to protectively monitor data both at rest and in transit. By analyzing event ID 4771 on Windows systems, this report facilitates the monitoring of authentication failures during the Kerberos ticket request process. This monitoring allows for the detection of unauthorized access attempts or potential security breaches, ensuring the continuous protection of sensitive data. 
Logging these events ensures the maintenance of information integrity and availability and strengthens secure access policies in the IT infrastructure.', null, null, null, null, null, null, null, null, null, 601, true, 310, 'TEMPLATE', null, null, 'Windows Kerberos pre-authentication failed', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (928, e'The Windows Application Errors report provides detailed logs of events where applications encounter errors on a Windows system. This report is essential for identifying software issues, monitoring system health, and ensuring compliance with operational and security frameworks.
• Regulatory Compliance: Supports frameworks such as ISO 27001, SOC2, and ITIL, by documenting application errors to ensure adherence to incident management and operational reliability standards.
• Application Health Monitoring: Tracks error occurrences, helping administrators identify and resolve application issues that may impact user experience or operational efficiency.
• Event Correlation: Links application error events to user actions, system configurations, or external dependencies, providing a comprehensive audit trail for root cause analysis.
• Real-Time Alerts: Generates immediate notifications for critical application errors, enabling rapid investigation and mitigation to minimize downtime or service disruptions.
• Incident Detection: Identifies patterns such as repeated crashes, errors in high-priority applications, or issues stemming from configuration changes, which may indicate underlying problems or security threats.
• Audit Readiness: Logs comprehensive details, including the application name, error code, user or process involved, and timestamp, ensuring robust records for compliance and forensic investigations.', null, null, null, null, null, null, null, null, null, 702, true, 309, 'TEMPLATE', null, null, 'Windows Application Errors', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (682, 'This report collects and analyzes security events identified by ID 4724 on Windows systems. Event 4724 records password reset attempts on user accounts, providing relevant information for verifying compliance with HIPAA requirement 164.312(a)(1). This requirement establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that store or process ePHI (Electronic Protected Health Information). 
This report facilitates the identification and monitoring of password changes, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 312, 'TEMPLATE', null, null, 'Windows Password Reset Attempts', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (660, 'This report collects and analyzes security events identified by IDs 6005 and 6006 on Windows systems. Event 6005 records the start of the event log service, while event 6006 records its stop, both providing relevant information on the status of system log collection. These events are essential for verifying compliance with the HITRUST CSF 01.v requirement, which mandates the logging of key system activities. 
This report facilitates validation that the system is configured to properly log relevant events, contributing to adequate security governance and the implementation of effective monitoring policies for critical system activities.', null, null, null, null, null, null, null, null, null, 601, true, 311, 'TEMPLATE', null, null, 'Windows Event Log Service', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1103, 'This report compiles relevant information from 4724 events (An attempt was made to reset an account''s password) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 2.2.2. This requirement requires that default vendor accounts be managed securely, ensuring that if used, their passwords are changed, and if not, they are deleted or disabled.

Event 4724 allows for auditing password reset attempts on system accounts, which is key to identifying potential changes to default vendor accounts and ensuring that adequate controls are in place to mitigate security risks associated with default credentials.', null, null, null, null, null, null, null, null, null, 801, true, 312, 'TEMPLATE', null, null, 'Windows Password Reset Attempts', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (845, 'The Windows Password Reset Attempts Report provides a comprehensive overview of password reset activities, tracking both successful and failed attempts. This report is a critical tool in the Banking Audit framework, ensuring accountability and security in the management of user credentials.The Windows Password Reset Attempts Report provides a comprehensive overview of password reset activities, tracking both successful and failed attempts. 
This report is a critical tool in the Banking Audit framework, ensuring accountability and security in the management of user credentials.', null, null, null, null, null, null, null, null, null, 703, true, 312, 'TEMPLATE', null, null, 'Windows Password Reset Attempts', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (849, e'The Windows Connection Blocked by Windows Firewall Report provides a detailed overview of network connection attempts that were denied by the firewall. This report is a critical compliance tool within the Banking Audit framework, helping organizations monitor and enforce network security policies while safeguarding sensitive financial systems.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, ensuring the protection of customer information by monitoring and controlling unauthorized network activity.
• Network Security Compliance: Supports compliance with PCI DSS Requirement 1, which mandates the implementation of robust firewall configurations to secure sensitive networks.
• Audit Readiness: Documents blocked connections, providing evidence for frameworks like SOC2 Type 2 and ISO 27001, demonstrating proper enforcement of network access policies.
• Incident Detection: Identifies repeated or suspicious connection attempts, which could indicate network scanning, unauthorized access attempts, or malicious activity.
• Data Protection: Ensures compliance with GDPR Article 32, showcasing controls that protect sensitive data by preventing unauthorized network connections to critical systems.', null, null, null, null, null, null, null, null, null, 703, true, 313, 'TEMPLATE', null, null, 'Windows Connection blocked by Windows Firewall', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1174, 'This report consolidates relevant information from Windows Event 1100 logs, which indicates the closure of the audit log. Its purpose is to verify the implementation and activation of audit logs on all system components and in environments that process cardholder data, in compliance with PCI DSS requirements 10.2 and 10.2.1. 
It also enables the detection of anomalous activity and forensic analysis of events.', null, null, null, null, null, null, null, null, null, 809, true, 314, 'TEMPLATE', null, null, 'Windows Event Logging Service Shut Down', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1118, 'This report compiles relevant information from 5379 (Credential Validation) events generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 3.3.3. This requirement establishes that the storage of sensitive authentication data (SAD) must be limited to what is necessary for legitimate business purposes and must be adequately secured.

Event 5379 allows for auditing credential validation, which is essential to ensure that access to sensitive authentication data is restricted to authorized users or systems and that appropriate security requirements are met to protect this data. By analyzing this event, it is possible to verify that access and transactions related to SAD storage are subject to strict validation and access controls, and that the information is handled in accordance with the organization''s security policies.

This report helps assess whether SAD storage meets legitimate business needs and whether security best practices are followed to ensure that such data is adequately protected, minimizing the risk of unauthorized access and ensuring compliance with PCI DSS requirements for the protection of sensitive data.', null, null, null, null, null, null, null, null, null, 802, true, 315, 'TEMPLATE', null, null, 'Windows Credential Access', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (697, 'This report contributes to compliance with the NIST CSF PR.DS-3 requirement, which establishes the need to protectively monitor data both at rest and in transit. By collecting key events on Windows systems, this report enables continuous information security monitoring, ensuring that activities related to the access and use of sensitive data are adequately monitored and logged. 
This guarantees the protection of the confidentiality, integrity, and availability of critical data, helping to prevent unauthorized access or tampering.', null, null, null, null, null, null, null, null, null, 601, true, 315, 'TEMPLATE', null, null, 'Windows Credential Access', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (860, e'The Windows Credential Access Report provides detailed logs of events related to credential access, including successful and failed attempts to retrieve or use user credentials, such as password hashes, security tokens, or Kerberos tickets. This report is critical within the Banking Audit framework to monitor unauthorized credential access and ensure the protection of sensitive financial systems.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, demonstrating oversight and control over credential access to safeguard sensitive customer data and financial systems.
• Access Control Compliance: Supports compliance with PCI DSS Requirement 8, which mandates secure authentication and management of user credentials to prevent unauthorized access.
• Audit Readiness: Tracks credential access events, providing traceability for frameworks like SOC2 Type 2 and ISO 27001, ensuring accountability in credential management.
• Incident Detection: Identifies unauthorized or suspicious attempts to access credentials, such as pass-the-hash attacks, keylogging, or unauthorized Kerberos ticket usage.
• Data Protection: Ensures compliance with GDPR Article 32, showcasing controls to monitor, restrict, and secure credential access to prevent unauthorized data breaches.', null, null, null, null, null, null, null, null, null, 703, true, 315, 'TEMPLATE', null, null, 'Windows Credential Access', null); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1151, 'This report collects and analyzes Windows 4728 events, which record the addition of users to security groups. The objective of this report is to assess compliance with PCI DSS Requirement 7.2, which establishes that access to system components and data must be properly defined and assigned. 
By monitoring these events, we ensure that users are assigned to the appropriate groups based on their job functions, ensuring the principle of least privilege is applied and that access to data and systems is restricted according to business needs.', null, null, null, null, null, null, null, null, null, 805, true, 316, 'TEMPLATE', null, null, 'Windows Additions to Security Groups', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1113, 'This report compiles relevant information from 4728 events (A member was added to a security-enabled local group) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 3.1.2. This requirement establishes that roles and responsibilities for performing activities related to the protection of stored account data must be documented, assigned, and understood.

Event 4728 allows for auditing the addition of members to local security groups, providing visibility into changes to roles and responsibilities within the system. This event allows for verifying that the correct users are assigned to the appropriate roles, ensuring that tasks related to the protection of account data are performed by authorized and properly trained personnel. This contributes to maintaining the integrity of roles and responsibilities management, as required by the security policies defined in the PCI DSS standard.', null, null, null, null, null, null, null, null, null, 802, true, 316, 'TEMPLATE', null, null, 'Windows Additions to Security Groups', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1197, 'This report presents a detailed analysis of Windows security events with ID 4728, which record the addition of users to global security groups. The information collected verifies compliance with PCI DSS Requirement 11.1.2, ensuring that roles and responsibilities for system and network security activities are documented, assigned, and understood by the appropriate parties.

This analysis validates that privilege and role assignments in the system are carried out in accordance with established policies and that any changes are audited and traceable, contributing to security and PCI DSS compliance.', null, null, null, null, null, null, null, null, null, 810, true, 316, 'TEMPLATE', null, null, 'Windows Additions to Security Groups', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1095, 'This report compiles relevant information from Windows Event 4728 logs, which is used to verify the proper implementation of security controls on devices connecting to both untrusted networks and the Cardholder Data Entity (CDE). Event 4728, related to the addition of members to a security group, is analyzed to ensure that the devices in question have specific configurations that prevent threats to the entity''s network. Additionally, it verifies that security controls are active and cannot be modified by device users, except when there are documented authorizations approved by management in limited situations. 
This report ensures compliance with security policies for both company and employee-owned devices, contributing to the protection of the CDE and risk mitigation in accordance with PCI DSS requirements.', null, null, null, null, null, null, null, null, null, 807, true, 316, 'TEMPLATE', null, null, 'Windows Additions to Security Groups', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1180, 'This report compiles relevant information from Windows Event 4728 logs, which are triggered when a user is added to a group with administrative privileges. Its purpose is to verify that all audit logs capture actions performed by individuals with administrative access, including any interactive use of application or system accounts. 
This ensures compliance with PCI DSS Requirement 110.2.1.2, which establishes the need to audit the activities of users with administrative privileges to ensure the integrity and security of the environment.', null, null, null, null, null, null, null, null, null, 809, true, 316, 'TEMPLATE', null, null, 'Windows Additions to Security Groups', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1153, 'This report collects and analyzes Windows 4729 events, which record the removal of users from security groups on the system. Its objective is to assess compliance with PCI DSS Requirement 7.2, which establishes that access to system components and data must be appropriately defined and assigned. 
By reviewing these events, it is verified that access is appropriately revoked when users no longer require access to specific resources or data, ensuring effective privilege management and ensuring that only authorized users retain access based on their role and needs.', null, null, null, null, null, null, null, null, null, 805, true, 317, 'TEMPLATE', null, null, 'Windows Security Group Member Removal', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1198, 'This report consolidates events generated by ID 4729 in Windows, which indicates the removal of a user from a global security group. The collection and analysis of these events allows for verification of compliance with PCI DSS requirement 11.1.2, ensuring that roles and responsibilities for executing security activities are documented, assigned, and understood.

The report provides information on changes to security groups, including affected users, modified groups, accounts responsible for the changes, and timestamps. This allows for the identification of potential unauthorized changes or inconsistencies in role management, ensuring proper segregation of duties and compliance with established security policies.', null, null, null, null, null, null, null, null, null, 810, true, 317, 'TEMPLATE', null, null, 'Windows Security Group Member Removal', ''); - INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (861, e'The Windows Member Addition to a Security Local Group Report provides a comprehensive log of events where users or accounts are added to local security groups. This report is vital within the Banking Audit framework to monitor and control group membership changes, ensuring compliance with access management policies and protecting sensitive financial systems.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, ensuring oversight of group membership changes to safeguard financial data and prevent unauthorized access.
• Access Control Compliance: Supports compliance with PCI DSS Requirement 7, which mandates restricting access to critical systems to authorized personnel through proper group membership management.
• Audit Readiness: Tracks all member additions to local security groups, providing traceability for frameworks like SOC2 Type 2 and ISO 27001, ensuring secure and accountable access management.
• Incident Detection: Identifies unauthorized or suspicious additions to privileged groups, such as the Administrators group, which could indicate potential insider threats or compromised accounts.
• Data Protection: Ensures compliance with GDPR Article 32, showcasing controls to monitor and restrict group membership changes that could expose sensitive financial data to unauthorized users.', null, null, null, null, null, null, null, null, null, 703, true, 320, 'TEMPLATE', null, null, 'Windows Member Addition to a Security Local Group', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (889, e'he Windows Member Addition to a Security Local Group Report provides detailed logs of events where users or accounts are added to local security groups. This report is critical within the Banking Audit framework to ensure compliance with Real-Time Alerting and Monitoring, as group membership changes can directly impact access control and system security.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring visibility and control over group membership changes to protect financial systems and sensitive data.
• Access Control Compliance: Supports compliance with PCI DSS Requirement 7, ensuring restricted access to critical resources and tracking all group membership changes.
• Real-Time Alerting: Captures and notifies administrators of member additions in real-time, enabling immediate review and action to address unauthorized changes.
• Incident Detection: Identifies unauthorized or suspicious additions to privileged groups, such as the Administrators group, which could indicate insider threats or compromised accounts.
• Audit Readiness: Provides traceability of group membership changes, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating secure access management practices.', null, null, null, null, null, null, null, null, null, 701, true, 320, 'TEMPLATE', null, null, 'Windows Member Addition to a Security Local Group', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1111, 'This report compiles relevant information from 4732 events (A member was added to a security-enabled local group) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 3.1.2. This requirement establishes that roles and responsibilities for performing activities related to the protection of stored account data must be documented, assigned, and understood.

Event 4732 allows for auditing the assignment of users to local security groups, providing visibility into the delegation of roles and responsibilities within the system. This event allows for verifying that the appropriate roles are being assigned to the right people, ensuring that tasks related to the protection of account data are clearly defined and that those responsible understand their duties. This helps ensure that access controls and role management are consistent with established security policies.', null, null, null, null, null, null, null, null, null, 802, true, 320, 'TEMPLATE', null, null, 'Windows Member Addition to a Security Local Group', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (646, 'This report collects and analyzes security events identified by ID 4732 on Windows systems. Event 4732 records the addition of a user to a local security group, providing relevant information for verifying compliance with the HITRUST CSF 01.p requirement, which establishes that access to log data and monitoring systems must be controlled. 
This report facilitates the identification and monitoring of changes in security group membership, especially those with access privileges to monitoring systems and log data, contributing to appropriate access control and the implementation of effective security policies.', null, null, null, null, null, null, null, null, null, 602, true, 320, 'TEMPLATE', null, null, 'Windows Member Addition to a Security Local Group', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (910, e'The Windows Account Logon Success report provides detailed records of events where a user account successfully authenticates on a Windows system. This report is essential for tracking login activities and correlating events across systems, enabling effective monitoring, detection of anomalies, and compliance with security frameworks.
• Regulatory Compliance: Aligns with frameworks like GLBA, PCI DSS, and ISO 27001, ensuring that successful logon activities are logged and available for audits to demonstrate robust access control mechanisms.
• User Activity Monitoring: Tracks successful logins to provide visibility into authorized access and helps identify unusual patterns, such as logins from unexpected locations or outside of normal business hours.
• Event Correlation: Links logon events with subsequent system activities, such as file access, process creation, or privilege escalation, to establish a comprehensive security audit trail.
• Real-Time Alerts: Captures successful logons in real-time and notifies administrators of activity from sensitive accounts or systems, enabling rapid incident response.
• Incident Detection: Helps identify suspicious behavior, such as frequent logins from multiple IP addresses or use of compromised credentials, which could indicate an ongoing attack.
• Audit Readiness: Provides detailed information on successful logons, including username, logon time, originating IP address, and authentication method, ensuring compliance with audit requirements.', null, null, null, null, null, null, null, null, null, 702, true, 265, 'TEMPLATE', null, null, 'Windows Account Logon Success', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (911, e'The Windows Account Logon Failure report provides detailed records of failed authentication attempts on a Windows system. This report is essential for identifying unauthorized access attempts, detecting suspicious activity, and maintaining compliance with security and audit frameworks.
• Regulatory Compliance: Ensures alignment with standards like GLBA, PCI DSS, and ISO 27001, by tracking failed login attempts as part of a comprehensive audit trail for access controls.
• Unauthorized Access Monitoring: Detects and records failed login attempts, providing visibility into potential brute-force attacks, use of invalid credentials, or attempts to access sensitive systems.
• Event Correlation: Links failed login events with related activities, such as IP addresses, user accounts, or repeated attempts, to detect potential threat patterns or misconfigurations.
• Real-Time Alerts: Captures failed logon attempts in real-time, triggering alerts for administrators when thresholds are met or when sensitive accounts are targeted, enabling rapid response.
• Incident Detection: Identifies unusual or repeated failed attempts, such as those from unexpected locations or outside normal business hours, which may indicate a security threat or compromised account.
• Audit Readiness: Documents all failed logon attempts with details such as username, logon type, originating IP, timestamp, and error codes, ensuring that comprehensive records are available for audits and investigations.', null, null, null, null, null, null, null, null, null, 702, true, 266, 'TEMPLATE', null, null, 'Windows Account Logon Failure', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (912, e'The Windows User Accounts Created report provides detailed logs of events where new user accounts are created on a Windows system. This report is crucial for tracking account creation activities, ensuring compliance with security standards, and detecting unauthorized account provisioning.
• Regulatory Compliance: Ensures adherence to frameworks such as PCI DSS, ISO 27001, and SOC2, by maintaining records of all user account creation activities to support access control and audit requirements.
• Account Management Monitoring: Tracks the creation of user accounts, allowing administrators to verify that accounts are provisioned through authorized processes and for legitimate purposes.
• Event Correlation: Links user account creation events to administrative actions, IP addresses, and associated events (e.g., privilege escalations or group assignments) for a comprehensive audit trail.
• Real-Time Alerts: Notifies administrators of new account creation in real-time, particularly for privileged accounts or accounts created outside of standard provisioning workflows.
• Incident Detection: Helps identify unauthorized account creation, which could indicate insider threats, privilege misuse, or malicious activities such as backdoor account setups.
• Audit Readiness: Logs all details of account creation events, including the account name, creation time, associated user or process, and originating machine, ensuring robust records for audits and investigations.', null, null, null, null, null, null, null, null, null, 702, true, 267, 'TEMPLATE', null, null, 'Windows User Accounts Created', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (913, e'The Windows User Accounts Enabled report provides detailed logs of events where previously disabled user accounts are re-enabled on a Windows system. This report is critical for monitoring account management activities, detecting unauthorized actions, and ensuring compliance with security and audit frameworks.
• Regulatory Compliance: Aligns with frameworks such as PCI DSS, ISO 27001, and SOC2, by maintaining records of account enablement activities to support access control and audit requirements.
• Account Management Monitoring: Tracks the re-enabling of user accounts, allowing administrators to ensure that such actions are performed only through authorized workflows and for legitimate reasons.
• Event Correlation: Links account enablement events with other related activities, such as privilege escalations, group modifications, or logon attempts, to provide a comprehensive audit trail.
• Real-Time Alerts: Sends immediate notifications when accounts are re-enabled, particularly for high-privilege accounts or accounts that could pose a security risk if reactivated.
• Incident Detection: Helps identify unauthorized actions, such as the reactivation of dormant accounts, which could indicate insider threats, privilege abuse, or malicious activities.
• Audit Readiness: Logs detailed information, including the account name, enabling user or process, originating machine, and timestamp, ensuring comprehensive records for compliance and investigations.', null, null, null, null, null, null, null, null, null, 702, true, 293, 'TEMPLATE', null, null, 'Windows User Accounts Enabled', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (914, e'The Windows User Password Reset Attempt report provides detailed logs of events where a user password reset attempt is made within a Windows system. This report is critical for monitoring account security, detecting unauthorized password changes, and ensuring compliance with security frameworks.
• Regulatory Compliance: Ensures alignment with standards such as PCI DSS, ISO 27001, and SOC2, by documenting all password reset attempts to maintain an auditable trail of account security events.
• Account Security Monitoring: Tracks password reset attempts to ensure they are initiated through authorized processes and to identify potential misuse or unauthorized actions.
• Event Correlation: Links password reset attempts with associated user accounts, originating machines, and administrative actions to create a comprehensive audit trail for security analysis.
• Real-Time Alerts: Generates alerts for password reset attempts, especially for privileged or sensitive accounts, allowing administrators to respond to potential threats immediately.
• Incident Detection: Identifies suspicious activities, such as repeated or unexpected password reset attempts, which may indicate brute force attacks, compromised accounts, or insider threats.
• Audit Readiness: Logs detailed information about each password reset attempt, including the username, time of the attempt, originating IP address, and the user or process initiating the reset, ensuring comprehensive records for compliance and investigations.', null, null, null, null, null, null, null, null, null, 702, true, 294, 'TEMPLATE', null, null, 'Windows User Password Reset Attempt', '');
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (915, e'The Windows Member Addition to a Security Local Group report provides detailed logs of events where a user or object is added to a local security group on a Windows system. This report is critical for monitoring privilege changes, detecting unauthorized modifications, and ensuring compliance with security frameworks.
• Regulatory Compliance: Supports standards such as PCI DSS, ISO 27001, and SOC2, by maintaining a record of all group membership changes to ensure access control policies are enforced.
• Privilege Management Monitoring: Tracks additions to local security groups to verify that privilege escalations are authorized and comply with internal policies.
• Event Correlation: Links group membership changes with associated user accounts, administrative actions, and originating machines to create a complete security audit trail.
• Real-Time Alerts: Generates immediate notifications when users are added to critical groups, such as Administrators or Remote Desktop Users, enabling rapid response to potential threats.
• Incident Detection: Identifies unauthorized or unexpected additions to security groups, which may indicate insider threats, privilege misuse, or malicious activities.
• Audit Readiness: Logs comprehensive details, including the name of the group, the member added, the user or process performing the action, and the timestamp, ensuring robust records for audits and investigations.', null, null, null, null, null, null, null, null, null, 702, true, 320, 'TEMPLATE', null, null, 'Windows Member Addition to a Security Local Group', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1099, 'This report gathers relevant information from 4732 events generated in Windows logs, which correspond to the addition of a member to a security group. Event 4732 is used to verify compliance with PCI DSS Requirement 2.1.2, which establishes that the roles and responsibilities for performing the activities defined in Requirement 2 must be documented, assigned, and understood by all involved parties.

This event allows you to audit which users have been assigned to specific security groups in the system. This is crucial for verifying that the individuals responsible for performing activities related to configuring and maintaining the security of system components are clearly identified and have adequate access to the required functions.

This report ensures that security policies and access responsibilities are aligned, ensuring that roles for implementing and managing secure configurations are correctly assigned and that the responsibilities of the individuals involved are clear and understood. Additionally, it helps confirm that secure configurations and operational procedures are being followed in accordance with PCI DSS.', null, null, null, null, null, null, null, null, null, 801, true, 320, 'TEMPLATE', null, null, 'Windows Member Addition to a Security Local Group', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (904, e'The Windows Local Security Group Member Removal Report provides detailed logs of events where users or accounts are removed from local security groups. This report is critical for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as group membership changes directly affect access control and system security.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of group membership changes to protect sensitive financial systems and customer data.
• Access Control Monitoring: Supports compliance with PCI DSS Requirement 7, ensuring that access to critical resources is controlled and membership changes are tracked.
• Real-Time Alerting: Captures and alerts administrators immediately when members are removed from security groups, enabling rapid response to potential unauthorized changes.
• Incident Detection: Identifies suspicious or unauthorized member removals, which may indicate insider threats, account compromise, or policy violations.
• Audit Readiness: Tracks all member removal events to ensure compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating robust access management practices.', null, null, null, null, null, null, null, null, null, 701, true, 321, 'TEMPLATE', null, null, 'Windows Local Security Group Member Removal', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1210, 'This report presents a detailed analysis of events logged under Event ID 4732 in Windows logs, used to verify compliance with PCI DSS Requirement 12.1, which establishes the need for a well-defined, published, maintained, and disseminated information security policy to relevant employees, suppliers, and business partners. Event 4732 relates to the modification of security groups, which is crucial to validate that information security roles and responsibilities are correctly assigned and communicated.

Reviewing these events provides evidence to confirm that security policies are established, periodically reviewed, and updated in response to changing business risks and objectives, and that all relevant personnel are aware of them. It also helps ensure that responsibility for information security is formally assigned to a member of senior management with appropriate knowledge, as required by the PCI DSS.', null, null, null, null, null, null, null, null, null, 811, true, 320, 'TEMPLATE', null, null, 'Windows Member Addition to a Security Local Group', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1218, 'This report compiles relevant information from Windows 4732 events, which record changes to user groups and their permissions. This is important for validating and documenting the scope of PCI DSS compliance. These events help ensure that changes to user configurations and permissions are managed in accordance with security policies and the defined scope.

The report validates that an up-to-date inventory of system components within the PCI DSS scope has been maintained, ensuring that all data flows, system components, and segmentation controls that affect the security of the infrastructure that handles card data have been identified. It also confirms that the scope of PCI DSS compliance has been reviewed and validated at least once a year, or after significant changes in the entity''s environment.', null, null, null, null, null, null, null, null, null, 811, true, 320, 'TEMPLATE', null, null, 'Windows Member Addition to a Security Local Group', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1112, 'This report compiles relevant information from 4733 events (A member was removed from a security-enabled local group) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 3.1.2. This requirement establishes that roles and responsibilities for performing activities related to the protection of stored account data must be documented, assigned, and understood.

Event 4733 allows for auditing the removal of users from local security groups, providing visibility into changes to roles and responsibilities within the system. This event allows for verification that roles assigned to the correct individuals are kept up to date, and that improper changes that could affect the security of account data are prevented. This helps ensure that responsibilities related to information protection are properly managed and understood, as established in security policies.', null, null, null, null, null, null, null, null, null, 802, true, 321, 'TEMPLATE', null, null, 'Windows Local Security Group Member Removal', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (647, 'This report collects and analyzes security events identified by ID 7036 on Windows systems. Event 7036 records changes in the status of system services (starting or stopping), providing relevant information for verifying compliance with the HITRUST CSF 01.p requirement, which establishes that access to registry data and monitoring systems must be controlled. 
This report facilitates the identification and monitoring of modifications to critical services, contributing to adequate access control and the implementation of secure monitoring policies.', null, null, null, null, null, null, null, null, null, 602, true, 321, 'TEMPLATE', null, null, 'Windows Local Security Group Member Removal', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1154, 'This report compiles information from Windows 4733 events, which record the removal of a user from a security group, indicating a change in system access privileges. Its purpose is to assess compliance with PCI DSS Requirement 7.2, which requires that access to system components and data be properly defined and assigned. 
By analyzing these logs, it is ensured that access is revoked appropriately and in a timely manner, ensuring that users have only the privileges necessary to perform their functions and thus protecting the security of sensitive data and system resources.', null, null, null, null, null, null, null, null, null, 805, true, 321, 'TEMPLATE', null, null, 'Windows Local Security Group Member Removal', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1127, 'This report compiles relevant information from 4733 events (A user was removed from a security group) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 4.1.2. This requirement establishes that the roles and responsibilities associated with the protection of cardholder data, particularly in the context of secure data transmission, must be documented, assigned, and understood by all involved parties.

Event 4733 is crucial for monitoring access management to security groups within the system infrastructure. It identifies changes in permissions or the removal of users from groups responsible for implementing security controls over the transmission of sensitive data. This event is key to ensuring that assigned roles are aligned with documented security policies and that users with critical responsibilities remain appropriate.

Analyzing this event helps ensure that access is managed correctly and that roles related to data protection are up-to-date and understood by users, minimizing the risk of unauthorized access or improper modification.', null, null, null, null, null, null, null, null, null, 803, true, 321, 'TEMPLATE', null, null, 'Windows Local Security Group Member Removal', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1073, 'This report compiles 4733 events generated by the Windows system, which record the removal of users from security groups. Analysis of these events is crucial to verify compliance with PCI DSS requirements, ensuring that roles and responsibilities for access and privilege management are clearly documented, assigned, and understood by all responsible parties. 
Additionally, this report provides visibility into changes in security group membership, ensuring that user removal is performed in accordance with established security policies and operating procedures, ensuring that activities are appropriately managed by the responsible individuals.', null, null, null, null, null, null, null, null, null, 807, true, 321, 'TEMPLATE', null, null, 'Windows Local Security Group Member Removal', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (649, 'This report collects and analyzes security events identified by ID 4657 on Windows systems. Event 4657 records changes to a system''s security objects, providing relevant information about modifications to the permission settings or attributes of objects that store or process ePHI (Electronic Protected Health Information). This event is key to verifying compliance with HIPAA requirement 164.312(a)(1), which establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that maintain ePHI. 
This report facilitates the identification and monitoring of changes in access permissions, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 322, 'TEMPLATE', null, null, 'Windows Registry Value Modification', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (853, e'The Windows Registry Value Modification Report provides detailed logs of changes made to critical Windows registry values. This report is essential for ensuring compliance within the Banking Audit framework, as the registry is a central component for system configuration and security settings.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, ensuring oversight and monitoring of configuration changes to protect sensitive financial systems.
• System Integrity Compliance: Supports compliance with PCI DSS Requirement 10, which mandates monitoring system component changes to detect unauthorized modifications.
• Audit Readiness: Tracks registry value changes, ensuring traceability and accountability as required by frameworks like SOC2 Type 2 and ISO 27001.
• Incident Detection: Identifies unauthorized or suspicious registry changes, which could indicate malware activity, privilege escalation, or insider threats.
• Data Protection: Ensures compliance with GDPR Article 32, showcasing controls to monitor and restrict unauthorized changes that might expose sensitive data.', null, null, null, null, null, null, null, null, null, 703, true, 322, 'TEMPLATE', null, null, 'Windows Registry Value Modification', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (890, e'The Windows Registry Value Modification Report provides detailed logs of changes to critical registry values, capturing modifications, deletions, or additions. This report is vital for ensuring compliance with Real-Time Alerting and Monitoring within the Banking Audit framework, as unauthorized registry modifications can compromise system security and stability.
• Regulatory Compliance: Aligns with the GLBA Safeguards Rule, ensuring oversight of registry modifications to safeguard financial systems and sensitive customer data.
• System Integrity Monitoring: Supports compliance with PCI DSS Requirement 10, which mandates logging and monitoring of system configuration changes.
• Real-Time Alerting: Captures and notifies administrators in real-time of unauthorized or suspicious registry changes, enabling immediate investigation and mitigation.
• Incident Detection: Identifies potential threats such as malware activity, privilege escalation, or insider misuse that may involve registry tampering.
• Audit Readiness: Provides traceability of registry changes, ensuring compliance with frameworks like SOC2 Type 2 and ISO 27001, demonstrating secure system configuration practices.', null, null, null, null, null, null, null, null, null, 701, true, 322, 'TEMPLATE', null, null, 'Windows Registry Value Modification', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1100, 'This report gathers relevant information from 4657 events recorded in Windows logs, which are triggered when a change is made to a system''s configuration. This type of event is crucial for compliance with PCI DSS Requirement 2.2.1, which requires the development, implementation, and maintenance of configuration standards for all system components, covering all known security areas and aligning with industry- or vendor-accepted system hardening recommendations.

Through 4657 events, all changes made to system configurations can be tracked and audited, allowing verification of whether security configuration standards are being applied appropriately, whether updates are being made in accordance with newly identified vulnerabilities, and whether they are being applied in a timely manner when a new system is configured.

This report provides evidence that security configurations are being maintained and updated in accordance with PCI DSS best practices and requirements, ensuring that all system components are securely configured before being connected to the production environment.', null, null, null, null, null, null, null, null, null, 801, true, 322, 'TEMPLATE', null, null, 'Windows Registry Value Modification', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1219, 'This report compiles relevant information from Windows 4657 events, which record changes to system objects, including files and settings, which may require updates related to the security awareness program. Data from these events is used to verify that the organization is implementing a security awareness program, properly informing all staff about security policies and procedures, as well as their role in protecting credit card data.

The report ensures that ongoing security training is conducted, with an annual review of the program and updates based on new threats or vulnerabilities. It also confirms that staff receive training on specific threats such as phishing, social engineering, and acceptable use of endpoint technologies, ensuring that the security policy is understood and acknowledged annually by all employees.', null, null, null, null, null, null, null, null, null, 811, true, 322, 'TEMPLATE', null, null, 'Windows Registry Value Modification', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (712, 'This report contributes to compliance with the NIST CSF DE.CM-1 requirement, which requires continuous monitoring of network activity to detect potential malicious activity. By analyzing event ID 4657 on Windows systems, the report facilitates the monitoring of changes to system security objects, which may indicate unauthorized actions that alter system configuration or allow unauthorized access. 
Monitoring these events is crucial for identifying suspicious alterations or modifications that may affect security, enabling a rapid and proactive response to security incidents and ensuring the integrity of the network infrastructure.', null, null, null, null, null, null, null, null, null, 604, true, 322, 'TEMPLATE', null, null, 'Windows Registry Value Modification', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (676, 'This report supports compliance with the NIST CSF PR.DS-3 requirement, which requires protective monitoring of data both at rest and in transit. By collecting and analyzing specific events on Windows systems, this report facilitates continuous monitoring of activities related to critical data management. 
This ensures that any changes to security settings or access to sensitive information are adequately detected, logged, and audited, contributing to the protection of data confidentiality, integrity, and availability within the IT infrastructure.', null, null, null, null, null, null, null, null, null, 601, true, 322, 'TEMPLATE', null, null, 'Windows Registry Value Modification', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (858, e'The Windows Service Control Manager Log Information Report provides a detailed record of activities related to the Service Control Manager (SCM), including service starts, stops, failures, and configuration changes. This report is critical for compliance within the Banking Audit framework, ensuring visibility into the management of services that impact system security and performance.
• Banking Regulations: Aligns with the GLBA Safeguards Rule, demonstrating oversight and control of service activities to protect financial systems and sensitive customer data.
• System Monitoring Compliance: Supports compliance with PCI DSS Requirement 10, ensuring logging and monitoring of critical service activities to detect unauthorized or suspicious changes.
• Audit Readiness: Tracks all SCM events, providing traceability for frameworks like SOC2 Type 2 and ISO 27001, ensuring accountability and secure management of service operations.
• Incident Detection: Identifies unauthorized service manipulations, abnormal service failures, or configuration changes, which could indicate malware activity or insider threats.
• Data Protection: Ensures compliance with GDPR Article 32, showcasing controls to monitor and secure services that may process or protect sensitive financial data.', null, null, null, null, null, null, null, null, null, 703, true, 323, 'TEMPLATE', null, null, 'Windows Service Control Manager Log Information', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (723, 'This report supports compliance with HIPAA Security Rule 164.312(b), which establishes the need to implement mechanisms to log and examine system activity. By analyzing FileAccessed events in Office 365, this report enables monitoring of activities associated with the use and manipulation of sensitive data. 
This continuous monitoring helps ensure that all interactions with information are properly logged, which contributes to protecting the confidentiality, integrity, and availability of data, ensuring compliance with system security and audit policies.', null, null, null, null, null, null, null, null, null, 601, true, 325, 'TEMPLATE', null, null, 'Office 365 File Accessed', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (725, 'This report gathers and analyzes logs generated by the AWS DescribeLogStreams operation. This operation lists log streams in a specific log group, providing relevant information about who accesses and views log data that may contain ePHI (Electronic Protected Health Information). This report is essential for verifying compliance with HIPAA 164.312(a)(1), which establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that maintain ePHI. 
This report facilitates the identification and monitoring of access to log streams, contributing to adequate access control and the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 332, 'TEMPLATE', null, null, 'AWS DescribeLogStreams Logs', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (727, 'This report gathers and analyzes relevant information generated by PutObject events in AWS, which record the upload of objects to an Amazon S3 bucket. This event provides details about data access and storage, essential for verifying compliance with the HITRUST CSF 01.p requirement, which establishes that access to log data and monitoring systems must be controlled. 
The report makes it easy to identify who uploaded objects, from which location, and with what permissions, allowing validation of the proper implementation of access and control policies for log data and monitoring systems, thus ensuring their protection and compliance.', null, null, null, null, null, null, null, null, null, 602, true, 333, 'TEMPLATE', null, null, 'AWS PutObject Logs', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (728, 'This report gathers and analyzes relevant information generated by GetBucketAcl events in AWS, which record access requests to the access control list (ACL) of an Amazon S3 bucket. This event provides details on who has viewed or modified the permissions associated with the buckets, which is crucial for verifying compliance with the HITRUST CSF 01.p requirement, which establishes that access to log data and monitoring systems must be controlled. 
The report makes it easy to identify access to bucket permissions, ensuring that only authorized individuals can view or modify access controls to critical data and monitoring systems.', null, null, null, null, null, null, null, null, null, 602, true, 334, 'TEMPLATE', null, null, 'AWS GetBucketAcl Logs', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (726, 'This report gathers and analyzes relevant information generated by the DescribeLogGroups action in AWS. This action lists the log groups configured in Amazon CloudWatch Logs, providing essential information for verifying compliance with HIPAA 164.312(a)(1), which establishes the implementation of technical policies to ensure that only authorized individuals have access to electronic systems that maintain ePHI (Electronic Protected Health Information). 
This report facilitates the identification and monitoring of available log groups, allowing you to validate the correct configuration of permissions and associated access controls, contributing to the implementation of secure access policies.', null, null, null, null, null, null, null, null, null, 602, true, 335, 'TEMPLATE', null, null, 'AWS DescribeLogGroups Logs', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (724, 'This report supports compliance with the NIST CSF PR.DS-3 requirement, which requires protective monitoring of data both at rest and in transit. By analyzing events related to the FileDownloaded operation in Office 365, this report facilitates the monitoring of file download-related activities, allowing for the detection of unauthorized access or suspicious activity. 
This continuous monitoring helps ensure the protection of sensitive data, ensuring its integrity, confidentiality, and availability throughout its entire lifecycle.', null, null, null, null, null, null, null, null, null, 601, true, 331, 'TEMPLATE', null, null, 'Office 365 OneDrive File Download', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1119, 'This report compiles relevant information from 5038 (Code Integrity Policy Change) events generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 3.3.3. This requirement establishes that the storage of sensitive authentication data (SAD) must be limited to what is necessary for legitimate business purposes and must be adequately secured.

Event 5038 provides logs of changes to code integrity policies, which is crucial for ensuring that configurations related to SAD storage have not been modified unauthorizedly. Through this event, changes to security policies that affect the protection of sensitive authentication data can be tracked, ensuring that any SAD storage is subject to strict controls and remains within the parameters necessary for business operations.

This report facilitates the assessment of whether SAD storage meets legitimate business needs by providing evidence that security policies are appropriately configured to protect such data and prevent unauthorized access, in compliance with PCI DSS requirements.', null, null, null, null, null, null, null, null, null, 802, true, 337, 'TEMPLATE', null, null, 'Windows Audit File integrity Validation Failed', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1142, 'This report collects and analyzes relevant information from the logs of Windows event 5038, which indicates that the system integrity policy configuration has been compromised. Its purpose is to assess compliance with PCI DSS Requirement 6.3, ensuring that security vulnerabilities are effectively identified and addressed. Analysis of these events allows for the detection of potential alterations to system integrity, which could indicate the presence of threats or unauthorized configurations that increase the risk of vulnerability exploitation. It also reviews whether response and mitigation measures, such as the application of security patches and vulnerability management in custom and third-party software, meet the timelines and criteria established by PCI DSS. 
This approach contributes to the protection of system components against known vulnerabilities, reducing the impact of potential attacks and ensuring environmental security.', null, null, null, null, null, null, null, null, null, 806, true, 337, 'TEMPLATE', null, null, 'Windows Audit File integrity Validation Failed', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1190, 'This report consolidates key information from Windows Event 4767 logs, which is generated when a user account is unlocked. This event is relevant for compliance with PCI DSS Requirement 10.2.1.5, which requires the capture of all changes to identification and authentication credentials.

Account unlocking is an indicator of potential unauthorized access attempts or compromised credential management. Analyzing these events allows for the detection of anomalous patterns, such as brute-force attacks or unauthorized access attempts, contributing to the security and traceability of the cardholder data environment.', null, null, null, null, null, null, null, null, null, 809, true, 336, 'TEMPLATE', null, null, 'Windows Unlocked Account', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (916, e'The Windows Local Security Group Member Removal report provides detailed logs of events where a user or object is removed from a local security group on a Windows system. This report is essential for monitoring privilege adjustments, detecting unauthorized modifications, and ensuring compliance with access control policies.
• Regulatory Compliance: Ensures alignment with frameworks such as PCI DSS, ISO 27001, and SOC2, by documenting all group membership removals to maintain an auditable trail of privilege management activities.
• Privilege Management Monitoring: Tracks removals from local security groups to confirm that privilege reductions align with organizational policies and prevent unintended loss of access.
• Event Correlation: Links group membership removal events with related administrative actions, user accounts, and originating systems to build a comprehensive security audit trail.
• Real-Time Alerts: Sends notifications when members are removed from critical groups, such as Administrators or Remote Desktop Users, enabling timely response to unauthorized actions or configuration changes.
• Incident Detection: Identifies unexpected or unauthorized removals from security groups, which may indicate insider threats, administrative errors, or malicious activities.
• Audit Readiness: Logs detailed information for each event, including the name of the group, the removed member, the user or process performing the action, and the timestamp, ensuring robust records for audits and investigations.', null, null, null, null, null, null, null, null, null, 702, true, 321, 'TEMPLATE', null, null, 'Windows Local Security Group Member Removal', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (917, e'The Windows Access to Critical Files or Specific Directories report provides detailed logs of events where users or processes access sensitive files or directories. This report is crucial for monitoring unauthorized access, ensuring compliance with security policies, and detecting potential threats to system integrity and data confidentiality.
• Regulatory Compliance: Supports standards such as PCI DSS, HIPAA, and ISO 27001, by logging access to critical files and directories, ensuring adherence to data protection and access control requirements.
• Sensitive Data Monitoring: Tracks access attempts to protected files or directories to ensure that only authorized users or processes can read, modify, or delete sensitive information.
• Event Correlation: Links file and directory access events with user accounts, processes, and originating systems to build a comprehensive security and audit trail.
• Real-Time Alerts: Sends immediate notifications for access attempts to critical files or directories, particularly for unauthorized users, allowing administrators to respond promptly to potential security incidents.
• Incident Detection: Identifies suspicious activities, such as repeated access attempts by unauthorized accounts, which may indicate insider threats, malware, or misconfigurations.
• Audit Readiness: Records detailed information about each access event, including the file or directory accessed, the user or process involved, the type of access (read, write, delete), and the timestamp, ensuring robust documentation for compliance and investigations.', null, null, null, null, null, null, null, null, null, 702, true, 277, 'TEMPLATE', null, null, 'Windows Access to critical files or specific directories', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (918, e'The Windows User Account Attributes Changes report provides detailed logs of events where attributes of user accounts, such as group memberships, permissions, or profile settings, are modified. This report is vital for monitoring changes to account configurations, detecting unauthorized modifications, and ensuring compliance with security and audit frameworks.
• Regulatory Compliance: Aligns with standards like PCI DSS, ISO 27001, and SOC2, by maintaining an auditable trail of account attribute changes to support access control and security policies.
• Account Management Monitoring: Tracks changes to user account attributes, ensuring they are performed through authorized administrative actions and comply with internal security policies.
• Event Correlation: Links attribute change events with associated user accounts, administrative actions, and originating systems, providing a comprehensive security audit trail.
• Real-Time Alerts: Sends notifications for critical attribute changes, such as updates to group memberships, privilege escalations, or security settings, enabling rapid incident response.
• Incident Detection: Identifies suspicious or unauthorized modifications to account attributes, which may indicate insider threats, administrative errors, or malicious activities.
• Audit Readiness: Logs detailed information, including the affected account, the specific attributes changed, the user or process initiating the change, and the timestamp, ensuring robust records for audits and investigations.', null, null, null, null, null, null, null, null, null, 702, true, 308, 'TEMPLATE', null, null, 'Windows User Account Attributes Changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (919, e'The Windows Special Privileges Assigned to New Logon report provides detailed logs of events where special privileges are granted to a user during the logon process. This report is critical for tracking privilege escalations, detecting unauthorized access, and ensuring compliance with access control policies.
• Regulatory Compliance: Supports frameworks like PCI DSS, ISO 27001, and SOC2, by documenting privilege assignments at logon to ensure adherence to least privilege principles and audit requirements.
• Privilege Management Monitoring: Tracks the assignment of privileges such as SeDebugPrivilege, SeTakeOwnershipPrivilege, or SeBackupPrivilege, which could be misused if assigned improperly.
• Event Correlation: Links privilege assignment events with user accounts, originating systems, and subsequent activities, providing a comprehensive audit trail for security analysis.
• Real-Time Alerts: Notifies administrators of special privilege assignments to users, especially for privileged accounts, enabling immediate investigation of potential threats.
• Incident Detection: Identifies suspicious privilege assignments, such as repeated assignments to the same user or assignments outside of expected workflows, which may indicate insider threats or configuration errors.
• Audit Readiness: Logs comprehensive details, including the user or account, the privileges assigned, the logon session ID, and the timestamp, ensuring robust records for compliance and investigations.', null, null, null, null, null, null, null, null, null, 702, true, 278, 'TEMPLATE', null, null, 'Windows Special privileges assigned to new logon', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (920, e'The Windows Process Creation report provides detailed logs of events where new processes are created on a Windows system. This report is essential for monitoring system activities, detecting malicious behavior, and ensuring compliance with security frameworks.
• Regulatory Compliance: Supports frameworks such as PCI DSS, ISO 27001, and SOC2, by logging process creation events to provide an auditable trail of system activities.
• System Activity Monitoring: Tracks the creation of processes, ensuring that only legitimate applications and scripts are executed within the environment.
• Event Correlation: Links process creation events with user accounts, parent processes, command-line arguments, and originating systems to build a comprehensive security audit trail.
• Real-Time Alerts: Generates notifications for the creation of suspicious or unauthorized processes, allowing for rapid investigation and mitigation of potential threats.
• Incident Detection: Identifies anomalies, such as the execution of processes from unusual locations, processes spawned by suspicious parents, or unexpected command-line arguments, which may indicate malware or privilege abuse.
• Audit Readiness: Logs detailed information for each process creation, including the process name, parent process, user or account responsible, command-line arguments, and timestamp, ensuring robust records for compliance and investigations.', null, null, null, null, null, null, null, null, null, 702, true, 284, 'TEMPLATE', null, null, 'Windows Process Creation', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (921, e'The Windows Service Installed report provides detailed logs of events where new services are installed on a Windows system. This report is essential for monitoring system integrity, detecting unauthorized installations, and ensuring compliance with security and audit frameworks.
• Regulatory Compliance: Supports frameworks like PCI DSS, ISO 27001, and SOC2, by documenting service installations to maintain a clear audit trail of system modifications.
• System Integrity Monitoring: Tracks the installation of services to ensure that only authorized services are added, preventing potential malware or unnecessary services from compromising system performance or security.
• Event Correlation: Links service installation events with administrative actions, user accounts, and originating systems to build a comprehensive audit trail for analysis.
• Real-Time Alerts: Notifies administrators of new service installations, particularly those installed by unauthorized users or from suspicious sources, enabling timely response to potential threats.
• Incident Detection: Identifies unusual service installations, such as those with obscure names, running from unexpected directories, or configured with excessive privileges, which may indicate malicious activity.
• Audit Readiness: Logs detailed information for each service installed, including the service name, executable path, user or account responsible for the installation, and the timestamp, ensuring robust records for audits and investigations.

By monitoring and correlating Windows Service Installed events, this report strengthens system security, supports compliance with audit requirements, and provides actionable insights for threat detection and response.', null, null, null, null, null, null, null, null, null, 702, true, 305, 'TEMPLATE', null, null, 'Windows Service Installed', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (922, e'The Windows Access to Shared Resources report provides detailed logs of events where users or systems access shared resources, such as files, folders, printers, or other network-shared assets on a Windows system. This report is essential for monitoring resource usage, detecting unauthorized access, and ensuring compliance with access control policies.
• Regulatory Compliance: Supports frameworks such as PCI DSS, HIPAA, and ISO 27001, by documenting access to shared resources, ensuring adherence to data protection and resource management standards.
• Resource Usage Monitoring: Tracks who accessed shared resources, when the access occurred, and the type of operations performed (read, write, delete, etc.), ensuring accountability and transparency.
• Event Correlation: Links shared resource access events with user accounts, originating systems, and subsequent activities, providing a comprehensive audit trail for analysis.
• Real-Time Alerts: Generates notifications for access attempts to critical shared resources, especially by unauthorized users or from untrusted systems, enabling immediate investigation.
• Incident Detection: Identifies suspicious activities, such as repeated unauthorized access attempts, access from unusual locations, or unexpected operations on shared resources, which may indicate insider threats or compromised accounts.
• Audit Readiness: Logs detailed information for each access event, including the resource accessed, the user or system performing the operation, the access type, and the timestamp, ensuring robust documentation for compliance and investigations.', null, null, null, null, null, null, null, null, null, 702, true, 285, 'TEMPLATE', null, null, 'Windows Access to Shared Resources', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (923, e'The Windows User Accounts Deleted report provides detailed logs of events where user accounts are removed from a Windows system. This report is critical for tracking account management activities, detecting unauthorized deletions, and ensuring compliance with security frameworks and audit requirements.
• Regulatory Compliance: Supports frameworks like PCI DSS, ISO 27001, and SOC2, by maintaining a record of user account deletions to demonstrate proper management of identity and access controls.
• Account Management Monitoring: Tracks the deletion of user accounts, ensuring that such actions are authorized, justified, and performed in alignment with internal policies.
• Event Correlation: Links account deletion events with administrative actions, user accounts, and originating systems, creating a comprehensive audit trail for analysis.
• Real-Time Alerts: Sends immediate notifications when user accounts are deleted, particularly for privileged or critical accounts, enabling quick investigation of potential threats.
• Incident Detection: Identifies suspicious account deletions, such as removal of high-privilege accounts or bulk deletions, which may indicate insider threats, malicious activity, or administrative errors.
• Audit Readiness: Logs detailed information for each deletion, including the account deleted, the user or process responsible, the originating machine, and the timestamp, ensuring robust records for compliance and investigations.', null, null, null, null, null, null, null, null, null, 702, true, 272, 'TEMPLATE', null, null, 'Windows User Accounts Deleted', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (924, e'The Windows Logins with Explicit Credentials report provides detailed logs of events where users or applications perform logins using explicit credentials. This report is essential for monitoring account usage, detecting unauthorized access, and ensuring compliance with security frameworks.
• Regulatory Compliance: Supports frameworks such as PCI DSS, ISO 27001, and SOC2, by documenting logins with explicit credentials to ensure adherence to access control policies and audit requirements.
• Credential Management Monitoring: Tracks logins where explicit credentials are supplied, ensuring such access aligns with internal security policies and identifying unauthorized credential usage.
• Event Correlation: Links login events with explicit credentials to the originating user, process, and system, providing a comprehensive audit trail for security analysis and compliance.
• Real-Time Alerts: Sends notifications for logins with explicit credentials, especially for sensitive accounts or from untrusted sources, enabling rapid response to potential threats.
• Incident Detection: Identifies anomalies, such as repeated login attempts with explicit credentials, use of outdated or compromised credentials, or logins originating from unusual locations or systems.
• Audit Readiness: Logs detailed information, including the account used, the user or process initiating the login, the target system, and the timestamp, ensuring robust records for investigations and audits.', null, null, null, null, null, null, null, null, null, 702, true, 281, 'TEMPLATE', null, null, 'Windows Logins with explicit credentials', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (925, e'The Windows PowerShell Script Block Registration report provides detailed logs of events where PowerShell script blocks are registered for execution. This report is critical for monitoring the use of PowerShell, detecting potential security threats, and ensuring compliance with security policies and audit frameworks.
• Regulatory Compliance: Supports frameworks such as PCI DSS, ISO 27001, and SOC2, by logging PowerShell script block executions to ensure adherence to access control and script execution policies.
• PowerShell Activity Monitoring: Tracks all script blocks executed via PowerShell, ensuring visibility into administrative tasks, automation scripts, and potentially malicious activity.
• Event Correlation: Links PowerShell script block registration events with user accounts, originating systems, and subsequent activities, providing a comprehensive audit trail.
• Real-Time Alerts: Sends notifications for suspicious or unauthorized script block registrations, enabling rapid response to potential threats or misconfigurations.
• Incident Detection: Identifies anomalies, such as obfuscated scripts, scripts executed with elevated privileges, or script blocks executed from unusual sources, which may indicate malware or insider threats.
• Audit Readiness: Logs detailed information for each registered script block, including the script content (if available), the user or account responsible, the execution host, and the timestamp, ensuring robust documentation for compliance and investigations.', null, null, null, null, null, null, null, null, null, 702, true, 288, 'TEMPLATE', null, null, 'Windows PowerShell Script Block Registration', '');
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (926, e'The Windows Logging Unexpected System Shutdowns report provides detailed records of events where a Windows system experiences an unexpected shutdown. This report is critical for identifying root causes, monitoring system health, and ensuring compliance with operational and audit requirements.
• Regulatory Compliance: Supports frameworks like ISO 27001, SOC2, and ITIL, by documenting unexpected shutdowns to ensure system reliability and demonstrate adherence to incident management practices.
• System Health Monitoring: Tracks unexpected shutdowns to detect patterns, identify hardware or software failures, and assess the impact on operational continuity.
• Event Correlation: Links shutdown events with preceding activities, such as application crashes, power failures, or hardware errors, providing a comprehensive audit trail for root cause analysis.
• Real-Time Alerts: Sends notifications for unexpected shutdowns, enabling administrators to respond promptly and mitigate potential disruptions or data loss.
• Incident Detection: Identifies anomalies such as repeated shutdowns, shutdowns during critical operations, or those affecting key systems, which may indicate security incidents, hardware issues, or environmental factors.
• Audit Readiness: Logs comprehensive details for each shutdown, including the time of the event, potential triggers, and user or system actions preceding the event, ensuring robust records for compliance and investigations.', null, null, null, null, null, null, null, null, null, 702, true, 340, 'TEMPLATE', null, null, 'Windows Logging Unexpected System Shutdowns', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1202, 'This report compiles and presents relevant information extracted from the logs generated by Windows Event 1001 to assess compliance with PCI DSS Requirement 11.3. This requirement mandates internal vulnerability scans at least every three months, prioritizing high-risk or critical vulnerabilities. 
This report verifies that scans are performed in accordance with the organization''s standards, that critical vulnerabilities are resolved, and that rescans are executed to confirm the correction.', null, null, null, null, null, null, null, null, null, 810, true, 339, 'TEMPLATE', null, null, 'Windows Error Reporting', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1122, 'This report compiles relevant information from Windows 4769 events, with the goal of verifying compliance with PCI DSS Requirement 3.4.2. This requirement establishes that, when using remote access technologies, technical controls must be implemented to prevent the copying and/or relocation of the PAN (Primary Account Number) by anyone except those with explicit, documented authorization and a legitimate, defined business need.

Event 4769 refers to the issuance of a service grant ticket (TGT) to a user in the context of a Kerberos-based authentication system. This event is key for tracking and verifying remote authentication requests through a domain controller, providing details on authorized or denied access and allowing auditing of whether the remote access requests were made by personnel with valid permissions.

This report allows you to monitor and ensure that the technical controls implemented to prevent the copying and/or relocation of PAN are functioning properly, allowing only users with documented authorization and a legitimate business need to access sensitive data. It also allows you to verify whether remote access is being properly managed, following the remote access policies defined by PCI DSS.', null, null, null, null, null, null, null, null, null, 802, true, 343, 'TEMPLATE', null, null, 'Windows Kerberos Service Ticket', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1064, 'This report consolidates 4946 Windows system events, which record the creation of new firewall rules on the system. Its analysis allows you to verify compliance with PCI DSS Requirements, ensuring that network security policies and procedures are documented, up-to-date, and in use. 
It also provides visibility into firewall configuration changes, helping to identify unauthorized modifications or inconsistencies in the implementation of security controls.', null, null, null, null, null, null, null, null, null, 807, true, 346, 'TEMPLATE', null, null, 'Windows Firewall Exception List Changed', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (840, 'The Windows Account Logoff Report provides a comprehensive view of user logoff events, serving as a critical compliance tool within the Banking Audit framework. This report ensures transparency and accountability in user sessions, enabling organizations to track session terminations and ensure adherence to access control policies.', null, null, null, null, null, null, null, null, null, 703, true, 350, 'TEMPLATE', null, null, 'Windows Account Logoff', null);
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1223, 'This report analyzes logoff events (Event ID 4634) on Windows systems to evaluate the effectiveness of logical separation in multi-tenant environments in accordance with PCI DSS Requirement A1.1. 
Activity logs are reviewed to verify that sessions initiated in the customer and vendor environments are properly closed and that there is no unauthorized access or persistence of unauthorized sessions between environments. The analysis considers key information that facilitates the validation of access controls, ensuring regulatory compliance and minimizing the risk of prolonged or unauthorized access in shared infrastructures.', null, null, null, null, null, null, null, null, null, 812, true, 350, 'TEMPLATE', null, null, 'Windows Account Logoff', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1165, 'This report collects and analyzes 4634 (Logoff) events recorded in Windows logs to assess compliance with PCI DSS Requirement 8.2. It verifies that each user session is properly terminated, ensuring that unauthorized access is prevented and accounts are properly managed. 
It also reviews the use of unique IDs, the management of inactive accounts, and proper monitoring of third-party access, ensuring that all actions are attributable to individual users and strengthening the security of the environment.', null, null, null, null, null, null, null, null, null, 808, true, 350, 'TEMPLATE', null, null, 'Windows Account Logoff', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1083, 'This report compiles relevant information obtained from the Windows event logs 5156, 5158, and 5159, which are related to the Windows Filtering Platform (WFP). These events are analyzed to verify that Network Security Controls (NSC) are correctly implemented between trusted and untrusted networks, as required by PCI DSS requirements. The information extracted from these logs allows monitoring of inter-network traffic and ensures that only authorized traffic, corresponding to communications necessary for permitted services, is being properly managed. 
It also ensures that network security policies are being correctly applied to protect the integrity of the systems within the CDE.', null, null, null, null, null, null, null, null, null, 807, true, 349, 'TEMPLATE', null, null, 'Windows Connections and Port Assignments', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1060, 'This report compiles relevant information from logs generated by Windows event 4985, which is related to auditing activity related to changes in system object configurations. Event 4985 is triggered when an action is taken that affects security policies or access configurations, which may include relevant changes to network security controls (NSCs). This event is useful for confirming that NSC configurations are being regularly reviewed and that any modifications to the security infrastructure are properly documented. 
Analyzing these events allows verification that network controls are aligned with PCI DSS requirements, ensuring that NSC configurations are reviewed and adjusted, where necessary, to maintain their effectiveness and relevance.', null, null, null, null, null, null, null, null, null, 807, true, 369, 'TEMPLATE', null, null, 'Windows File System Transaction Status Changes', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1220, 'This report compiles relevant information from Windows 4698 events, which record configuration and modifications to security policies and user accounts. These events are critical to ensuring that staff receive ongoing security education, in accordance with PCI DSS Requirement 12.6.

The report validates that the organization has implemented a formal security awareness program, reviewed and updated annually to reflect new threats and vulnerabilities. It also ensures that staff receive security training at least once a year, utilizing various communication methodologies, and that employees'' understanding of security policies is confirmed.

It also confirms that the training covers threats such as phishing, social engineering, and acceptable use of end-user technologies, in accordance with the guidelines established in the PCI DSS standard.', null, null, null, null, null, null, null, null, null, 811, true, 372, 'TEMPLATE', null, null, 'Windows Scheduled Task Creation', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1130, 'This report gathers relevant information from event 4698 generated in Windows logs, with the aim of assessing compliance with PCI DSS requirement 4.2.2. This requirement establishes that the PAN (cardholder account number) must be protected using strong cryptography whenever it is transmitted through messaging technologies used by end users.

Event 4698 allows for auditing configurations related to the use of messaging technologies, ensuring that the necessary security controls are in place to protect the transmission of the PAN. This includes verifying that the cryptographic methods used are appropriate and that sensitive information is properly encrypted in transit.

This analysis ensures compliance with the PAN protection policy during transmission through messaging channels, validating that security and cryptographic technologies are configured correctly and that the information is adequately protected against unauthorized access, in accordance with the requirements established by PCI DSS.', null, null, null, null, null, null, null, null, null, 803, true, 372, 'TEMPLATE', null, null, 'Windows Scheduled Task Creation', '');
- INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1128, 'This report compiles relevant information from event 36874 (Use of Certificate or Private Key) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 4.2.1. This requirement establishes the implementation of robust cryptography and security protocols to protect the PAN (Cardholder Account Number) during transmission over public and open networks.

Event 36874 is essential for auditing the use of certificates and private keys during the transmission of sensitive data, confirming that only trusted keys and certificates are accepted, that they are valid, and that they have not expired or been revoked. Additionally, this event verifies that the protocols used in PAN transmission comply with security standards, avoiding insecure versions, outdated algorithms, inadequate key sizes, or vulnerable implementations.

This analysis helps ensure that the encryption methods implemented are adequate and maintain the integrity and confidentiality of cardholder data, thereby protecting information during transmission over open public networks.', null, null, null, null, null, null, null, null, null, 803, true, 374, 'TEMPLATE', null, null, 'Windows TLS protocol Errors', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (927, e'The Windows Access to Shared Resources report provides detailed logs of events where users or systems access shared resources, such as files, folders, printers, or other network-shared assets. This report is critical for tracking resource usage, detecting unauthorized access, and ensuring compliance with access control policies.
• Regulatory Compliance: Supports frameworks such as PCI DSS, HIPAA, and ISO 27001, by documenting access to shared resources to demonstrate adherence to data protection and resource usage policies.
• Resource Usage Monitoring: Tracks who accessed shared resources, what operations were performed (read, write, delete), and when the access occurred, ensuring transparency and accountability.
• Event Correlation: Links shared resource access events with user accounts, originating systems, and subsequent activities to provide a comprehensive audit trail.
• Real-Time Alerts: Generates notifications for access to critical shared resources, especially by unauthorized users or from suspicious locations, enabling immediate investigation.
• Incident Detection: Identifies suspicious behaviors, such as repeated unauthorized access attempts, unusual resource usage patterns, or access from untrusted systems, which may indicate insider threats or account compromise.
• Audit Readiness: Logs detailed information, including the resource accessed, the user or system performing the action, the type of access (read, write, delete), and the timestamp, ensuring robust documentation for compliance and forensic analysis.', null, null, null, null, null, null, null, null, null, 702, true, 285, 'TEMPLATE', null, null, 'Windows Access to Shared Resources', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (928, e'The Windows Application Errors report provides detailed logs of events where applications encounter errors on a Windows system. This report is essential for identifying software issues, monitoring system health, and ensuring compliance with operational and security frameworks.
• Regulatory Compliance: Supports frameworks such as ISO 27001, SOC2, and ITIL, by documenting application errors to ensure adherence to incident management and operational reliability standards.
• Application Health Monitoring: Tracks error occurrences, helping administrators identify and resolve application issues that may impact user experience or operational efficiency.
• Event Correlation: Links application error events to user actions, system configurations, or external dependencies, providing a comprehensive audit trail for root cause analysis.
• Real-Time Alerts: Generates immediate notifications for critical application errors, enabling rapid investigation and mitigation to minimize downtime or service disruptions.
• Incident Detection: Identifies patterns such as repeated crashes, errors in high-priority applications, or issues stemming from configuration changes, which may indicate underlying problems or security threats.
• Audit Readiness: Logs comprehensive details, including the application name, error code, user or process involved, and timestamp, ensuring robust records for compliance and forensic investigations.', null, null, null, null, null, null, null, null, null, 702, true, 309, 'TEMPLATE', null, null, 'Windows Application Errors', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (929, e'The Windows Object Deletion report provides detailed logs of events where objects such as files, directories, registry keys, or other system resources are deleted. This report is crucial for tracking changes, detecting unauthorized actions, and ensuring compliance with security policies and audit frameworks.
• Regulatory Compliance: Supports frameworks like PCI DSS, ISO 27001, and SOC2, by documenting deletion events to demonstrate proper governance and adherence to change management processes.
• Object Management Monitoring: Tracks the deletion of critical objects, ensuring such actions are authorized and aligned with internal policies to protect data integrity and system reliability.
• Event Correlation: Links deletion events to user accounts, originating systems, and preceding activities, providing a comprehensive audit trail for root cause analysis and compliance reporting.
• Real-Time Alerts: Sends notifications for deletions of critical objects, enabling immediate investigation of unauthorized or suspicious activities.
• Incident Detection: Identifies anomalies such as bulk deletions, deletions during off-hours, or removal of protected system objects, which may indicate malicious intent, insider threats, or operational errors.
• Audit Readiness: Logs detailed information for each deletion event, including the object name, location, user or process initiating the deletion, and the timestamp, ensuring robust documentation for compliance and forensic investigations.', null, null, null, null, null, null, null, null, null, 702, true, 298, 'TEMPLATE', null, null, 'Windows Object Deletion', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (930, 'This report collects and analyzes relevant information from AWS logs about the DeleteUser event, used to verify compliance with CMMC Level 1 (SI.1.210): Identify and correct security flaws in a timely manner.

The DeleteUser event in AWS IAM records the deletion of user accounts, which can pose a security risk if not handled properly. This report allows you to identify and correct possible vulnerabilities by monitoring user deletions, detecting unauthorized access, suspicious changes and ensuring the integrity of access controls in the organization.

Analysis of these events helps to:
-Identify unauthorized or accidental user deletions.
-Verify which accounts have been deleted and who performed the action.
-Review the origin of the request and the devices or IP addresses involved.
-Evaluate compliance with security controls related to user management.

This report helps ensure that user removal actions are legitimate and that any suspicious activity is investigated and corrected in a timely manner, aligning with the security requirements established by CMMC.', null, null, null, null, null, null, null, null, null, 503, true, 359, 'TEMPLATE', null, null, 'AWS Level 1 (AU.1.001): IAM User Deletion', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (931, 'This report gathers relevant information from AWS logs related to the ListAccessKeys event, which is generated when a user''s access keys are listed in AWS IAM. The analysis of these events is essential to comply with CMMC Level 3 control SI.3.217, which requires the use of monitoring tools to detect possible attacks.

Unauthorized or suspicious access to the access key enumeration may indicate reconnaissance attempts by malicious actors within the cloud infrastructure. This report provides key details such as the user''s identity, source IP address, the source of the event, and the time it occurred, allowing for proactive security assessment and identification of potential threats.', null, null, null, null, null, null, null, null, null, 503, true, 360, 'TEMPLATE', null, null, 'AWS Level 3 (SI.3.217): ListAccessKeys Logs', null);
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (932, 'This report collects and analyzes relevant information from AWS logs related to the ConsoleLogin event, with the objective of verifying compliance with the Level 2 requirement (AU.2.044) of the CMMC framework. Reviewing these logs can detect inappropriate behavior, such as unauthorized access attempts, access from unusual locations, or multiple failed login attempts. 
By monitoring these events, you strengthen the security of your environment and facilitate early identification of potential insider threats or compromised credentials.', null, null, null, null, null, null, null, null, null, 501, true, 353, 'TEMPLATE', null, null, 'AWS Level 2 (AU.2.044): Console Login', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (933, 'This report collects and analyzes relevant information from AWS logs related to the DeleteUser event, with the objective of verifying compliance with the Level 2 requirement (AU.2.044) of the CMMC framework. Reviewing these logs can detect potentially inappropriate activities, such as unauthorized deletion of user accounts, actions taken outside of business hours, or from unusual locations. 
By monitoring these events, you improve your ability to identify potential insider threats, administrative errors, or malicious attempts to remove evidence of unauthorized activity.', null, null, null, null, null, null, null, null, null, 501, true, 359, 'TEMPLATE', null, null, 'AWS Level 2 (AU.2.044): IAM User Deletion', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (934, 'This report collects and analyzes relevant information from AWS logs about the DetachUserPolicy event, with the objective of verifying compliance with the Cybersecurity Maturity Model Certification (CMMC) Level 2 control (AU.2.044).

The DetachUserPolicy event is raised when a policy attached to a user is deleted in AWS IAM, which may indicate changes to access permissions. The periodic review of these events allows us to detect possible inappropriate activities, unauthorized access or incorrect security configurations that could compromise the integrity and security of the infrastructure.

The review of these records contributes to the strengthening of auditing and monitoring practices for the protection of sensitive information.', null, null, null, null, null, null, null, null, null, 501, true, 361, 'TEMPLATE', null, null, 'AWS Level 2 (AU.2.044): User Policies Removal', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (935, 'This report collects and analyzes AWS log events related to the ListUsers action in Amazon Cognito. Its purpose is to provide visibility into user listing requests within the environment, allowing unusual or potentially inappropriate behavior to be detected.

The report contributes to compliance with CMMC Level 2 (AU.2.044), which requires periodic review of audit logs to identify suspicious or unauthorized activities. By monitoring ListUsers events, you can detect unusual accesses, user enumeration attempts, or anomalous activity from unknown IP addresses.

The data includes key information that makes it easy to identify access patterns and implement corrective measures in case of suspicious activity.', null, null, null, null, null, null, null, null, null, 501, true, 362, 'TEMPLATE', null, null, 'AWS Level 2 (AU.2.044): User Listing Activity', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (936, 'This report collects and analyzes AWS log events related to the AssumeRole action, used for role assumption in AWS IAM. Its objective is to provide visibility over remote access to sensitive systems, allowing possible misuse or unauthorized access to be identified.

The report contributes to compliance with Level 3 (AC.3.032) of CMMC, which requires monitoring and controlling remote access to systems that contain sensitive information. Reviewing AssumeRole events can detect unexpected privilege changes, accesses from unusual locations, or the use of compromised credentials.', null, null, null, null, null, null, null, null, null, 501, true, 354, 'TEMPLATE', null, null, 'AWS Level 3 (AC.3.032): Access Roles Assumption', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (937, 'This report collects and analyzes AWS log events related to DescribeInstances, with the objective of evaluating compliance with CMMC Level 3 control (AC.3.032), which requires monitoring and controlling remote access to sensitive systems.

The DescribeInstances event allows you to obtain information about EC2 instances in AWS, which could indicate attempts to enumerate resources within the infrastructure. Analyzing these events helps detect unusual access, identify suspicious usage patterns, and strengthen the security of your cloud environment.

The data presented includes key details. This information is essential to identify possible internal threats or unauthorized access attempts, allowing a proactive response to security risks.', null, null, null, null, null, null, null, null, null, 501, true, 363, 'TEMPLATE', null, null, 'AWS Level 3 (AC.3.032): Querying EC2 Instances', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (938, 'This report collects and analyzes AWS log events related to ListAccessKeys, with the objective of evaluating compliance with CMMC Level 4 control (AU.4.053), which requires the detection of anomalous user behavior using automated tools.

The ListAccessKeys event is used to list the access keys associated with an AWS account, which can be an indicator of suspicious activity or credential scanning attempts. Continuous monitoring of this event allows us to detect unusual access, identify possible account compromises and mitigate risks associated with exposed or misused credentials.

Analysis of these logs includes key information such as the user or role that executed the action, the source IP address, the service from which the request was made, and the frequency of these events. Correlation with automated behavioral analysis tools allows irregular patterns to be identified and alerts generated for potential threats, contributing to a proactive approach to cloud infrastructure security.', null, null, null, null, null, null, null, null, null, 501, true, 360, 'TEMPLATE', null, null, 'AWS Level 4 (AU.4.053): ListAccessKeys Logs', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (939, 'This report consolidates relevant information from the alert logs that have generated security incidents, providing visibility on critical events and their management. Its objective is to demonstrate compliance with CMMC''s Level 1 requirement (IR.1.002), ensuring that a basic incident response capability is in place. 
It includes key details about the alerts and incidents created, allowing you to evaluate the effectiveness of the process and ensure adequate detection and management of threats.', null, null, null, null, null, null, null, null, null, 512, true, 364, 'TEMPLATE', null, null, 'Level 1 (IR.1.002): Incidents Generated from Alerts', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (940, 'This report compiles relevant information from Threat Intelligence activity logs used to improve incident response, aligning with compliance with CMMC''s Level 3 requirement (IR.3.098). It contains details on the indicators of attack (IOCs) identified, the analysis methods applied and how this data was used to optimize incident responses. 
The report allows us to evaluate how threat indicators are integrated into incident response operations, strengthening the ability to detect and mitigate cybersecurity risks.', null, null, null, null, null, null, null, null, null, 512, true, 252, 'TEMPLATE', null, null, 'Level 3 (IR.3.098): Threat Intelligence Activity', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (941, 'This report compiles and analyzes relevant information from Threat Intelligence Activity logs to evaluate compliance with CMMC level 5 (IR.5.102), which emphasizes improving incident response through the use of machine learning and advanced analytics. Through data correlation, detection of anomalous patterns, and prediction of emerging threats, this report enables proactive response to security incidents. 
Additionally, it provides insights into how automated systems identify, classify and mitigate sophisticated threats, ensuring more effective protection against advanced attacks targeting critical infrastructure and sensitive data.', null, null, null, null, null, null, null, null, null, 512, true, 365, 'TEMPLATE', null, null, 'Level 5 (IR.5.102): Threat Detection and Response using SOC AI', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (942, 'This report consolidates relevant information from the Windows event 4624 logs to evaluate compliance with the CMMC Level 1 requirement (AU.1.001), which requires the capture of basic security events. By recording successful logins, these logs provide evidence of activity in the system, allowing the organization to maintain access traceability and strengthen its monitoring and incident response capabilities. 
The collection and analysis of these logs contributes to the early detection of threats, facilitating audits and ensuring compliance with established security controls.', null, null, null, null, null, null, null, null, null, 513, true, 265, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Account Logon Success', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (943, 'This report compiles relevant information from the logs of Windows event 4625, which is activated in cases of failed login attempts, to verify compliance with the Level 1 requirement (AU.1.001) of CMMC. This event is critical to detecting and documenting unauthorized or failed access attempts to systems, providing an additional layer of monitoring on the organization''s systems. 
Through the capture of these logs, traceability and visibility of possible threats is ensured, which allows preventive or corrective measures to be taken against possible intrusion attempts, and supports compliance with the basic security controls required by CMMC.', null, null, null, null, null, null, null, null, null, 513, true, 266, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Account Logon Failure', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (944, 'This report collects relevant information from the logs of Windows event 4634, which is generated when a user logs out of a system. This event is essential for verifying compliance with CMMC''s Level 1 requirement (AU.1.001), which establishes the need to capture logs of basic security events. Event 4634 provides important data about user sessions, allowing organizations to monitor and audit login and logout activities. 
Capturing these logs ensures traceability of user actions and helps identify potential suspicious or unusual behavior, contributing to overall system security and compliance with CMMC audit controls.', null, null, null, null, null, null, null, null, null, 513, true, 350, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Account Logoff', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (945, 'This report gathers relevant information from the logs of Windows event 4672, which is generated when a user logs on with administrative or high-level privileges. This event is crucial to verify compliance with CMMC''s Level 1 requirement (AU.1.001), which establishes the obligation to capture logs of basic security events. Event 4672 provides a detailed log of activities performed by elevated users, allowing access and usage of administrative accounts to be audited. 
Capturing and analyzing these logs makes it easier to detect unauthorized access or unusual activities, improving monitoring capabilities and responding effectively to potential security incidents, thereby ensuring that auditing and monitoring practices are aligned with CMMC requirements.', null, null, null, null, null, null, null, null, null, 513, true, 278, 'TEMPLATE', null, null, 'Windows Level 1 (AU.1.001): Special privileges assigned to new logon', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (946, 'This report collects relevant information from the logs of Windows event 1102, which is generated when the system audit log is deleted. This event is essential to verify compliance with the CMMC Level 2 requirement (AU.2.041), which requires the retention of audit logs for security events. Detecting and documenting audit log deletion is key to ensuring data integrity and preventing attempts to hide malicious activity. 
The analysis of these events allows us to identify possible evidence manipulation attempts, strengthening the system''s ability to maintain reliable traceability and comply with the security standards required by CMMC.', null, null, null, null, null, null, null, null, null, 513, true, 295, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.041): Cleaned Event Log', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (947, 'This report gathers relevant information from the logs of Windows event 4719, which is generated when the system audit policy configuration is modified. This event is crucial to verify compliance with CMMC''s Level 2 requirement (AU.2.041), which requires retention of audit logs for security events. Altering audit policies may indicate attempts to evade detection of malicious activity or unauthorized administrative changes. 
Analysis of these events allows you to monitor the integrity of security logs, ensure traceability of changes, and strengthen the monitoring capabilities necessary to comply with CMMC standards.', null, null, null, null, null, null, null, null, null, 513, true, 280, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.041): Policy changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (948, 'This report collects relevant information from the logs of Windows event 4907, which is generated when the audit policy retention configuration is modified. This event is essential to verify compliance with CMMC''s Level 2 requirement (AU.2.041), which requires the retention of audit logs for security events. Monitoring this event can detect changes in the way records are stored and retained, which can impact an organization''s ability to track security incidents and meet regulatory requirements. 
Analyzing these logs helps ensure audit integrity and the availability of critical data for security investigations and reviews.', null, null, null, null, null, null, null, null, null, 513, true, 291, 'TEMPLATE', null, null, 'Windows Level 2 (AU.2.041): Restoration of default security policies', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (949, 'This report compiles relevant information from the logs of Windows event 4688, which is generated when a new process is created in the system. This event is essential to verify compliance with CMMC''s Level 3 requirement (AU.3.045), which requires auditing of key events for compliance and incident response. Monitoring these logs allows you to track process execution, identify suspicious activity, and provide visibility into potential threats or malicious actions within the environment. 
By analyzing this data, organizations can strengthen their detection, response and compliance capabilities, ensuring effective security incident management.', null, null, null, null, null, null, null, null, null, 513, true, 284, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Process Creation', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (950, 'This report gathers relevant information from the logs of Windows event 4697, which is generated when a service is installed on the system. This event is key to verifying compliance with CMMC''s Level 3 requirement (AU.3.045), which requires auditing of critical events for compliance and incident response. Installing new services can indicate legitimate configurations, but can also be a sign of malicious activity, such as malware persistence or lateral movements within the network. 
By analyzing these logs, organizations can identify unauthorized changes, improve threat detection, and strengthen their ability to respond to potential security incidents.', null, null, null, null, null, null, null, null, null, 513, true, 305, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Service Installed', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (951, 'This report compiles relevant information from the logs of Windows event 5145, which is generated when a file or folder on a network share is accessed. This event is crucial to verify compliance with CMMC''s Level 3 requirement (AU.3.045), which requires auditing of key events for compliance and incident response. By monitoring these logs, organizations can identify unauthorized access, data exfiltration attempts, or suspicious activity on shared resources. 
The analysis of these events allows us to strengthen security, detect possible internal or external threats and ensure the protection of sensitive information.', null, null, null, null, null, null, null, null, null, 513, true, 275, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): Access to shared resource', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (952, 'This report compiles relevant information from the logs of Windows event 4720, which is generated when a new user account is created on the system. This event is critical to verify compliance with CMMC''s Level 3 requirement (AU.3.045), which requires auditing of critical events for compliance and incident response. Monitoring the creation of user accounts allows us to detect possible malicious activities, unauthorized access or improper configurations that may compromise the security of the environment. 
By analyzing these logs, organizations can strengthen their access controls, improve visibility into infrastructure changes, and ensure the protection of sensitive information.', null, null, null, null, null, null, null, null, null, 513, true, 267, 'TEMPLATE', null, null, 'Windows Level 3 (AU.3.045): User Accounts Created', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (953, 'This report compiles relevant information from the logs of Windows event 4689, which is generated when a process ends in the system. This event is key to verify compliance with CMMC''s Level 4 requirement (AU.4.052), which emphasizes improving audit logs to support advanced threat detection. By monitoring process termination, you can identify anomalous behavior, possible security evasion attempts, or the unexpected termination of critical processes. 
The analysis of these logs, combined with advanced correlation and threat detection techniques, allows you to strengthen the security of your environment, respond more quickly to potential incidents, and improve your ability to defend against sophisticated attacks.', null, null, null, null, null, null, null, null, null, 513, true, 302, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.052): Process Termination', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (954, 'This report collects relevant information from the logs of Windows event 4776, which is generated when an authentication attempt on the domain controller is processed by NTLM. This event is essential to verify compliance with CMMC''s Level 4 requirement (AU.4.052), which emphasizes improving audit logs for advanced threat detection. By analyzing these events, it is possible to identify suspicious authentication patterns, such as repeated failed login attempts or authentications from unusual locations, which may indicate attack attempts such as brute force or lateral movement within the network. 
The correlation of this data with other sources of events allows us to improve threat detection and strengthen the security of the infrastructure, facilitating rapid and automated responses to possible compromises.', null, null, null, null, null, null, null, null, null, 513, true, 301, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.052): Account Authentication Using NTLM', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (955, 'This report compiles and presents key information from the Windows event 4826 logs, focused on the modification of system security settings. Event 4826 is related to the loading of the "Boot Configuration Data" (BCD) and is crucial to detect any attempted changes to security settings that may compromise the integrity of the operating system, such as enabling or disabling advanced protection options.

This type of information is essential to comply with CMMC Level 4 (AU.4.052), which requires strengthening audit logs to support advanced threat detection. The report provides details on changes to configurations such as advanced options, access policies, and kernel and virtualization debugging settings, among others, helping to identify anomalous behavior and potential threats.

The analyzed logs and their corresponding alerts allow a better correlation of events and improve the response capacity to incidents related to unauthorized modifications to the system''s security, which is essential to improve the security posture in highly sensitive environments, such as those that handle CUI (Controlled Unclassified Information).', null, null, null, null, null, null, null, null, null, 513, true, 366, 'TEMPLATE', null, null, 'Windows Level 4 (AU.4.052): BitLocker Settings Modification Attempts', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (956, 'This report gathers and analyzes relevant information from Windows events 5140 and 5145, which record file access and sharing on the network. These events are key to monitoring access to Controlled Unclassified Information (CUI) and detecting possible attempts at unauthorized transfer or leakage of sensitive data.

The collection of these logs allows you to verify compliance with CMMC Level 3 (MP.3.123): Protect CUI during transport and prevent data loss, ensuring that protected information is adequately controlled during its transmission over the network. Through this analysis, suspicious access, changes in sharing permissions and unusual activities that could compromise data security can be identified, thus strengthening information loss prevention measures.', null, null, null, null, null, null, null, null, null, 514, true, 285, 'TEMPLATE', null, null, 'Windows Level 3 (MP.3.123): Network Access to shared resource', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (957, 'This report collects and analyzes the logs for Windows event 4660, which indicates the deletion of an object within the system, such as files, folders, or registry keys. This event is crucial to monitor the manipulation of Controlled Unclassified Information (CUI) and detect possible attempts at unauthorized deletion of sensitive data.

Reviewing these logs allows you to verify compliance with CMMC Level 3 (MP.3.123): Protect CUI during transport and prevent data loss, ensuring that protected information is protected against improper modifications or deletions. Through this analysis, suspicious activities, unauthorized access and possible attempts to exfiltrate or destroy critical information can be identified, thus strengthening data security and information loss prevention strategies.', null, null, null, null, null, null, null, null, null, 514, true, 298, 'TEMPLATE', null, null, 'Windows Level 3 (MP.3.123): Object Deletion', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (958, 'This report collects and analyzes the logs of Windows event 4663, which captures information about accesses and modifications to objects within the system, such as files or directories. Event 4663 is essential for tracking activities related to data access and manipulation, especially when it involves Controlled Unclassified Information (CUI).

The analysis of these logs is essential to verify compliance with CMMC Level 3 (MP.3.123): Protect CUI during transport and prevent data loss, since it allows identifying unauthorized access or attempts to transfer sensitive data, ensuring that the CUI is not compromised during its handling or transport. This report allows you to monitor and mitigate risks of data leakage or loss, strengthening the protection of critical information against unauthorized access and manipulation.', null, null, null, null, null, null, null, null, null, 514, true, 277, 'TEMPLATE', null, null, 'Windows Level 3 (MP.3.123): Access to critical files or specific directories', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (959, 'This report gathers relevant information extracted from the logs of Windows event 4670, which is designed to record changes in the permissions of system objects, such as files or folders. Event 4670 is triggered whenever an object''s access control lists (ACLs) are modified, allowing you to track and audit who has access to what data and what permissions have been granted or removed.

The analysis of these records is crucial to ensure compliance with CMMC Level 3 (MP.3.123): Protect CUI during transport and prevent data loss, since it allows monitoring and controlling access to Controlled Unclassified Information (CUI), guaranteeing that there are no unauthorized modifications to access permissions that could put the integrity or confidentiality of sensitive data at risk. This report contributes to identifying and mitigating any attempted tampering with the security of the CUI, which reinforces protection measures against data loss or leak during handling and transportation.', null, null, null, null, null, null, null, null, null, 514, true, 274, 'TEMPLATE', null, null, 'Windows Level 3 (MP.3.123): Protected Object Permission Change', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (960, 'This report compiles relevant information from the Windows event 4663 and 4656 logs, which are used to track access and actions performed on protected objects on the system, such as files and folders. Event 4663 records actions performed on specific objects, such as reading, writing or deleting files, while event 4656 captures when an access attempt is made to a protected object, detailing the type of access requested and the success or failure of that attempt.

These events are essential to verify compliance with CMMC Level 3 (MP.3.123): Protect CUI during transport and prevent data loss, as they provide visibility into how users interact with sensitive data (CUI) and if there are attempts to access or manipulate it without proper authorization. By analyzing these logs, you can ensure that data in transit is protected, preventing loss, unauthorized access or alteration during handling and transportation. In addition, they allow us to identify possible security breaches that could put the confidentiality and integrity of the CUI at risk.', null, null, null, null, null, null, null, null, null, 514, true, 273, 'TEMPLATE', null, null, 'Windows Level 3 (MP.3.123): Attempt to Access a Protected Object', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (961, 'This report gathers relevant information extracted from the event logs generated by Windows event 5142, which is related to the creation and configuration of network shares. This type of event is crucial for compliance with CMMC Level 3 control (MP.3.123), which establishes the need to protect the CUI during its transport and prevent any loss or exposure of it.

Windows event 5142 is triggered when a share is created on the system, which could involve exposing sensitive data if not configured properly. Through this report, the activity related to the creation of shared resources is monitored and audited, ensuring that these resources are configured correctly to prevent unauthorized access to CUI and guaranteeing that security controls are applied in accordance with the best practices established in the CMMC.

This report helps identify any shared resource creation events that may represent a risk in terms of CUI protection. In addition, it allows verifying the correct configuration of access and use policies for shared resources on the network, thus supporting the implementation of protection measures in the transport of CUI. In combination with other data monitoring and security measures, these logs provide key evidence to meet information protection requirements during its transfer in the corporate environment.', null, null, null, null, null, null, null, null, null, 514, true, 367, 'TEMPLATE', null, null, 'Windows Level 3 (MP.3.123): Shared Network Object Creation', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (962, 'This report collects relevant information about security events identified with ID 5143 on Windows, which are generated when access rules are added or modified on shared resources.

The analysis of these events is essential to audit changes in the configuration of shared resource permissions on the network, ensuring that access is controlled and aligned with the organization''s security policies.

This monitoring is especially critical in the context of compliance with CMMC Level 3 (MP.3.123), since it allows verifying the adequate protection of the CUI (Controlled Unclassified Information) during its transport and preventing data loss by detecting changes in the access configuration to shared resources.', null, null, null, null, null, null, null, null, null, 514, true, 368, 'TEMPLATE', null, null, 'Windows Level 3 (MP.3.123): Shared Resource Modification', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (963, 'This report gathers relevant information from security events recorded with ID 4985 in Windows, which indicate that the state of a transaction has changed within the system. These events allow monitoring modifications in transactional processes that may be related to the management and protection of sensitive information.

In the context of CMMC Level 3 (MP.3.123) compliance, tracking these events is essential to ensure the protection of the CUI (Controlled Unclassified Information) during its transport and prevent data loss. Auditing changes to system transactions helps detect suspicious activity, improper access, or potential vulnerabilities in the manipulation of protected data.

Analysis of these events allows organizations to improve their security controls, detect unauthorized modifications and strengthen data protection in environments where classified or critical information is handled.', null, null, null, null, null, null, null, null, null, 514, true, 369, 'TEMPLATE', null, null, 'Windows Level 3 (MP.3.123): File System Transaction Status Changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (964, 'This report gathers relevant information from security events logged with ID 4658 in Windows, which indicate that an object handler has been closed on the system. These events are essential for tracking access and manipulation of sensitive resources, such as files, registry keys, and other system objects.

In the context of CMMC Level 3 compliance (MP.3.123), monitoring these events is key to protecting controlled unclassified information (CUI) during its transport and preventing data loss. Auditing these closures allows us to verify whether the data has been handled securely, detect possible unauthorized access and ensure that critical information has not been compromised.

The analysis of these events allows organizations to strengthen their security controls, guarantee the integrity of protected data and detect possible vulnerabilities in the access and manipulation of critical information.', null, null, null, null, null, null, null, null, null, 514, true, 370, 'TEMPLATE', null, null, 'Windows Level 3 (MP.3.123): Handle Closure in Security System', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (965, 'This report consolidates information from Windows events 6416, which record the recognition of new external devices in the system. Its monitoring is essential to ensure compliance with CMMC Level 3 (MP.3.123): Protect CUI during transport and prevent data loss, since the connection of unauthorized devices can represent a risk to information security.

The analysis of these events allows us to identify possible vulnerabilities and strengthen control measures to prevent the loss or exposure of Controlled Unclassified Information (CUI).', null, null, null, null, null, null, null, null, null, 514, true, 371, 'TEMPLATE', null, null, 'Windows Level 3 (MP.3.123): External Device Connection', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (966, 'This report collects information from Windows events 4719, which record changes to system audit settings. Its monitoring is essential for compliance with CMMC Level 4 (MP.4.125): Automate DLP processes to secure sensitive information, since modifications to these policies may affect the ability to detect and prevent data loss (DLP).

The analysis of these events allows us to identify unauthorized or suspicious adjustments to security records, ensuring that processes for protecting sensitive information are consistent and automated to minimize risks of exposure.', null, null, null, null, null, null, null, null, null, 514, true, 280, 'TEMPLATE', null, null, 'Windows Level 4 (MP.4.125): Policy changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (967, 'This report gathers relevant information from event 4698 (A scheduled task was created) logs on Windows, used to evaluate compliance with CMMC Level 4 control MP.4.125. This control requires the automation of Data Loss Prevention (DLP) processes to protect sensitive information, including Controlled Unclassified Information (CUI) during processing and storage.

The analysis of these events allows us to identify the creation of scheduled tasks in the system, ensuring that unauthorized processes are not implemented that could compromise the security of the information. In addition, it facilitates the detection of changes in the configuration of critical tasks and possible persistence attempts through automated execution of scripts or applications.', null, null, null, null, null, null, null, null, null, 514, true, 372, 'TEMPLATE', null, null, 'Windows Level 4 (MP.4.125): Scheduled Task Creation', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (968, 'This report gathers relevant information from the security events recorded in the Windows event 4659 logs. Such an event indicates that an identifier has been requested for an object with the intention of deleting it, which may represent a risk to the protection of Controlled Unclassified Information (CUI).

The objective of this analysis is to evaluate compliance with CMMC Level 3 control MP.3.123, which requires the protection of the CUI during its transport and the prevention of data loss. By reviewing these records, we seek to detect suspicious or unauthorized activities related to the deletion of files that contain sensitive information, guaranteeing the implementation of appropriate security measures to avoid improper access or loss of data.', null, null, null, null, null, null, null, null, null, 514, true, 373, 'TEMPLATE', null, null, 'Windows Level 3 (MP.3.123): Delete Object Attempt', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (969, 'This report collects and analyzes Windows Security Auditing ID 4672 (Special Privileges Assigned to New Logon) events, used to verify compliance with CMMC Level 3 (SC.3.177), which requires the implementation of cryptographic protections for Controlled Unclassified Information (CUI). Event 4672 is crucial because it indicates when an account is granted special administrative privileges upon login, which could include access to security settings, cryptographic keys, and encryption mechanisms for data in transit and at rest. Its analysis allows you to identify accounts with access to critical encryption operations, detect possible improper access or changes in encryption policies and correlate this event with other security logs, such as 5061 – Cryptographic Operation and 1102 – Audit Log Cleared, to identify attempts to manipulate encryption or audit evasion. 
This ensures the correct assignment and monitoring of administrative privileges in environments that manage CUI, helps prevent unauthorized access to cryptographic configurations, and allows effective auditing of critical events related to data security. In this way, this report contributes to strengthening the security posture and compliance with the requirements of CMMC Level 3 (SC.3.177), ensuring the confidentiality and integrity of the CUI.', null, null, null, null, null, null, null, null, null, 515, true, 278, 'TEMPLATE', null, null, 'Windows Level 3 (SC.3.177): Special privileges assigned to new logon', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (970, 'This report gathers relevant information from the logs of Windows Security Auditing event 5145 (A network share object was accessed), used to verify compliance with CMMC Level 4 (SC.4.229), which requires the improvement of cryptographic protections through advanced tools. Event 5145 is triggered when a shared object is accessed on the network, and its analysis allows monitoring how sensitive data is protected and accessed, especially those protected by cryptographic mechanisms. This type of access is crucial to verify if information, including CUI, is properly handled with encryption both at rest and in transit, using advanced tools that ensure the confidentiality and integrity of the data.

This report helps identify unauthorized access, potential vulnerabilities in encryption tools, and ensures that cryptographic policies are properly enforced and verified in environments that handle critical information.', null, null, null, null, null, null, null, null, null, 515, true, 275, 'TEMPLATE', null, null, 'Windows Level 4 (SC.4.229): Access to shared resource', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (971, 'This report compiles relevant information from the logs of Windows Security Auditing event 4826 (Cryptographic operation performed), used to verify compliance with CMMC Level 4 (SC.4.229), which requires improving cryptographic protections using advanced tools. Event 4826 is triggered when a cryptographic operation is performed on the system, such as encryption, decryption, or validation of cryptographic signatures. This logging is essential to monitor the use and integrity of cryptography tools deployed in the environment, especially those that protect sensitive information, such as CUI (Controlled Unclassified Information). By analyzing these events, it can be verified that cryptographic operations are being carried out in accordance with established policies, ensuring that the cryptographic technologies and algorithms used are appropriate and that advanced tools are working correctly to protect data both at rest and in transit. 
In addition, it can be identified whether cryptographic operations are carried out properly, without vulnerabilities or poor configurations that could compromise the protection of confidential information.', null, null, null, null, null, null, null, null, null, 515, true, 366, 'TEMPLATE', null, null, 'Windows Level 4 (SC.4.229): BitLocker Settings Modification Attempts', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (972, 'This report compiles relevant information from the logs of Windows Security Auditing event 1058 (Group Policy Management: The system failed to apply Group Policy settings), used to verify compliance with CMMC Level 4 (SC.4.229), which requires improving cryptographic protections using advanced tools. This event is raised when the system is unable to enforce a group policy, which could include policies related to cryptography settings and key management. The information contained in this log is key to monitoring possible failures in the implementation of cryptographic policies, ensuring that information protection policies, especially those related to CUI (Controlled Unclassified Information), are applied correctly. 
The report can be used to identify problems in the application of configurations that could affect the integrity of advanced cryptographic tools, facilitating early intervention to correct erroneous configurations and maintain the appropriate level of cryptographic protection for sensitive information.', null, null, null, null, null, null, null, null, null, 515, true, 344, 'TEMPLATE', null, null, 'Windows Level 4 (SC.4.229): Application of Group Policies Errors', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (973, 'This report compiles relevant information from the logs of Windows Security Auditing event 1102 (Audit log cleared), used to verify compliance with CMMC Level 4 (SC.4.229), which seeks to improve cryptographic protections with advanced tools. Event 1102 is generated when the security audit log is deleted, which could affect the integrity of cryptographic tools and processes that protect sensitive information, including Controlled Unclassified Information (CUI). Monitoring these types of events is essential to detect attempts to tamper with or delete audit logs, which could include activities related to the use of cryptography or key management. 
This report provides visibility into actions that may compromise the traceability of crypto-related events, allowing administrators to take immediate action if an anomaly is identified that puts the security and integrity of the organization''s cryptographic infrastructure at risk.', null, null, null, null, null, null, null, null, null, 515, true, 295, 'TEMPLATE', null, null, 'Windows Level 4 (SC.4.229): Cleaned Event Log', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (974, 'This report compiles relevant information from the logs of Windows Security Auditing event 4616 (The system time was changed), used to verify compliance with CMMC Level 4 (SC.4.229), which seeks to improve cryptographic protections with advanced tools. Event 4616 is generated when a change is made to the system time, which can affect the validation and synchronization of cryptographic certificates, encryption keys, and other components essential to cryptographic security. An unauthorized change to the system time could compromise the integrity of cryptographic tools and affect the protection of sensitive information, including CUI (Controlled Unclassified Information). Monitoring this event is crucial to detect alterations in time synchronization, which is essential for the correct implementation and verification of cryptographic policies, ensuring that encrypted communications and data are not compromised. 
This report allows you to identify any deviations that may interfere with security controls related to cryptography.', null, null, null, null, null, null, null, null, null, 515, true, 303, 'TEMPLATE', null, null, 'Windows Level 4 (SC.4.229): System Time Settings Changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (975, 'This report consolidates and analyzes Windows log event ID 36874, generated by Schannel when a TLS connection attempt fails due to a lack of compatibility between the ciphers supported by the client and the server. The information collected is key to verify compliance with CMMC Level 3 control SC.3.177, which requires the implementation of cryptographic protections for controlled unclassified information (CUI). The analysis of these events makes it possible to identify failed TLS connection attempts, evaluating whether the encryption algorithms in use meet the required security standards, detect insecure configurations, such as the absence of modern protocols or the use of obsolete cipher suites, and verify the integrity of the communication channel, ensuring that information in transit is protected against unauthorized access and man-in-the-middle (MITM) attacks. 
This report is essential for the audit and optimization of cryptographic mechanisms in the organization, ensuring that the transmission of CUI is carried out under adequate security standards.', null, null, null, null, null, null, null, null, null, 515, true, 374, 'TEMPLATE', null, null, 'Windows Level 3 (SC.3.177): TLS protocol Errors', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (976, 'This report consolidates and analyzes Windows registry ID 5061 events generated when cryptographic operations are performed on the system, such as accessing, using, or modifying keys stored in security providers. The information collected is key to verify compliance with CMMC Level 4 control SC.4.229, which requires the improvement of cryptographic protections through advanced tools. This analysis allows monitoring the use of cryptographic keys, identifying unauthorized or unusual access that may compromise the security of the information, verifying the integrity and correct implementation of encryption algorithms in the system, ensuring that the keys used comply with the required security standards, and detecting possible attempts at exploitation or misuse of protected keys within the security environment. 
This report provides visibility into critical cryptographic operations, allowing you to defense strengthens against advanced threats and ensuring effective protection of controlled unclassified information (CUI).', null, null, null, null, null, null, null, null, null, 515, true, 375, 'TEMPLATE', null, null, 'Windows Level 4 (SC.4.229): Protected Files Decryption', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (977, 'This report presents an analysis of Windows activity logs to demonstrate that the SIEM monitors third-party risks, in compliance with CMMC requirements. Through the collection and analysis of logs, access, changes in privileges, process execution and data manipulation are monitored in systems that manage CUI.

Monitoring allows you to identify unauthorized access, detect suspicious activities and verify that third parties comply with established security policies. In addition, event triggering mechanisms and automatic alerts are implemented to respond to possible threats in real time.

This approach reinforces CMMC compliance, ensuring effective oversight of third parties and reducing the risks associated with their access to critical systems. The information presented demonstrates that the SIEM contributes to the protection of sensitive data and the strengthening of security in Windows environments.', null, null, null, null, null, null, null, null, null, 516, true, 376, 'TEMPLATE', null, null, 'Windows Activity Monitoring', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (978, 'This report presents a detailed analysis of the security events recorded by Bitdefender GravityZone in Windows environments, with the objective of demonstrating effective monitoring of third-party risks, in accordance with the requirements of the Cybersecurity Maturity Model Certification (CMMC).

Analysis includes detecting and monitoring unauthorized access, port scans, exploitation attempts, changes to security configurations, and other suspicious activity generated by users, devices, or third-party services interacting with critical systems. Key events related to real-time protection, firewalls, and intrusion prevention mechanisms are examined, providing visibility into external threats that could compromise information integrity.

Through the correlation of logs in the SIEM, a rapid response to anomalies is ensured and an audit history is generated that allows evaluating the effectiveness of the implemented controls. This report supports CMMC compliance by ensuring that third-party activities are continually monitored and alerts are triggered for any deviation from established security policies.', null, null, null, null, null, null, null, null, null, 516, true, 377, 'TEMPLATE', null, null, 'Bitdefender Activity Monitoring', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (979, 'This report demonstrates how the SIEM monitors and analyzes activity logs on Linux servers with the objective of monitoring risks associated with third parties, in compliance with CMMC guidelines. The events captured in the systems are presented, allowing the identification of accesses, changes in critical configurations, unusual activities and possible security threats.

Analyzing these logs can detect anomalous behavior, such as unauthorized access attempts, modifications to key files, and suspicious system activity. Likewise, relevant details are included such as the affected host, IP addresses involved, type of logged events, log messages and occurrence times, providing visibility into third-party activity in the Linux environment.

This monitoring is essential to ensure information security and compliance with CMMC controls, ensuring that third parties interacting with the systems are effectively monitored and that any suspicious activity is identified and managed in a timely manner.', null, null, null, null, null, null, null, null, null, 516, true, 378, 'TEMPLATE', null, null, 'Linux Activity Monitoring', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (980, 'This report presents a detailed analysis of firewall logs with the goal of demonstrating that the SIEM monitors third-party risks in Windows environments, meeting CMMC requirements. Key events such as incoming and outgoing network traffic, unauthorized access, suspicious DNS queries, and other security activities that may indicate potential threats are examined.

Through the collection and correlation of these logs, continuous surveillance of third-party connections is ensured, allowing early detection of anomalous behavior and the application of mitigation measures. Monitoring includes information about source and destination IP addresses, ports, protocols used, policies applied, and security events detected.

This monitoring contributes to the identification and reduction of risks associated with external suppliers and access to critical systems, aligning with the best cybersecurity practices established by the CMMC.', null, null, null, null, null, null, null, null, null, 516, true, 380, 'TEMPLATE', null, null, 'Firewall Activity Monitoring', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (981, 'This report aims to demonstrate that the security information and event management (SIEM) system effectively monitors user activities in Office 365, with an emphasis on identifying and mitigating risks associated with third parties. Through the analysis of the logs generated by Office 365, detailed information is recorded about the operations carried out, such as access to mailboxes, user activity and communications with external sources. Critical data, such as access IP addresses, actions taken (such as access to mail items), and validation of the operation (whether it was successful or not), allow comprehensive monitoring of third-party risks and verification that these accesses comply with established security policies.

Event monitoring in Office 365 aligns with CMMC (Cybersecurity Maturity Model Certification) practices, especially regarding external user access monitoring, authentication, and protection of sensitive data. This ensures that third party activities are recorded, analyzed and evaluated to meet critical data protection requirements, especially those related to access to CUI (Controlled Unclassified Information).', null, null, null, null, null, null, null, null, null, 516, true, 381, 'TEMPLATE', null, null, 'Office 365 Activity Monitoring', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (982, 'This report is intended to demonstrate that the SIEM system monitors third-party risks in AWS environments, in compliance with the security requirements established by CMMC for Windows systems. The SIEM is configured to analyze and correlate activity logs from AWS, specifically CloudTrail events, to detect potential threats, unauthorized access, and anomalous behavior on the monitored infrastructure. Continuous monitoring of AWS logs through the SIEM allows us to detect third-party risks in the infrastructure, aligning with the CMMC security guidelines for the protection of Windows systems. 
Proactive access and configuration monitoring helps mitigate vulnerabilities and ensure the integrity of cloud environments.', null, null, null, null, null, null, null, null, null, 516, true, 382, 'TEMPLATE', null, null, 'AWS Activity Monitoring', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (983, 'This report aims to demonstrate third-party risk monitoring in Windows environments within the Azure infrastructure, in compliance with CMMC (Cybersecurity Maturity Model Certification) requirements. The security monitoring system analyzes events generated in Azure, recording administrative activities, accesses and modifications to critical resources. Logs of operations on virtual machines, computing resources, storage and networks are collected and analyzed to detect possible threats and unauthorized access. The main data sources analyzed include Azure Activity Logs, which record administrative activities; Azure Security Center Logs, which contain security events related to access and configurations; and Azure AD Logs, which monitor suspicious authentications and logins.

Key data analyzed include the type of action performed, the user ID and source IP, the affected resource, the status of the operation, and the correlation ID for tracking and auditing. Thanks to the analysis of these logs, risks such as access from suspicious IP addresses, administrative operations outside established hours and changes in virtual machine configurations without authorization have been identified and mitigated.

Active monitoring of activity logs in Azure helps ensure the security of Windows systems, reducing risks associated with third parties and complying with CMMC guidelines for the protection of data and resources in the cloud.', null, null, null, null, null, null, null, null, null, 516, true, 383, 'TEMPLATE', null, null, 'Azure Activity Monitoring', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (984, 'This report collects and analyzes relevant information from Windows Event Viewer events ID 6008, which indicate unexpected system shutdowns. Monitoring these events is essential to evaluate the availability and stability of the systems within the framework of compliance with Disaster Recovery and Business Continuity Monitoring according to the requirements of CMMC (Cybersecurity Maturity Model Certification).

The analysis of these logs allows us to identify unplanned interruptions, possible hardware or software failures, and evaluate the effectiveness of disaster recovery plans, ensuring operational resilience and business continuity.', null, null, null, null, null, null, null, null, null, 517, true, 340, 'TEMPLATE', null, null, 'Windows Logging Unexpected System Shutdowns', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (985, 'This report presents a detailed analysis of Windows Event Viewer events ID 6005 and ID 6006, which record events related to system startup and shutdown. Event 6005 indicates the start of a Windows event log event, while event 6006 signals a controlled system shutdown.

The collection and evaluation of these events is essential for the validation of Disaster Recovery and Business Continuity, according to CMMC (Cybersecurity Maturity Model Certification) standards and requirements. By analyzing these logs, it is ensured that the system is being booted and shut down correctly, which helps confirm the correct implementation of recovery strategies, effective monitoring, and continued availability of services.', null, null, null, null, null, null, null, null, null, 517, true, 311, 'TEMPLATE', null, null, 'Windows Event Log Service', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (986, 'This report presents an analysis of Windows Event Viewer events ID 1001, which are related to system shutdown errors or unexpected failures in the operating system. Event 1001 is generated when the system detects an unexpected shutdown or system crash, which may be an indication of problems related to system availability.

Tracking these events is crucial to meeting Disaster Recovery and Business Continuity requirements, as stipulated in the CMMC (Cybersecurity Maturity Model Certification) model. The collection and analysis of event ID 1001 logs allows the identification of critical failures that could affect the continued operation of the system, helping to ensure that recovery and contingency mechanisms are implemented and functioning correctly to maintain system stability and availability in the event of unexpected incidents.c', null, null, null, null, null, null, null, null, null, 517, true, 339, 'TEMPLATE', null, null, 'Windows Error Reporting', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (987, 'This report presents the relevant data from the logs of Windows event ID 41, which indicates that the system has rebooted without shutting down cleanly. This type of event is crucial for monitoring system availability, as it can be indicative of unexpected interruptions that affect the operational continuity of the technological infrastructure. 
The analysis of these events allows us to verify the system''s ability to recover from unexpected failures and maintain its proper functioning, fundamental aspects within the principles of Disaster Recovery and Business Continuity Monitoring established by the Cybersecurity Maturity Model Certification (CMMC).', null, null, null, null, null, null, null, null, null, 517, true, 384, 'TEMPLATE', null, null, 'Windows Unexpected System Reboot', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (988, 'This report presents key information extracted from the Windows event logs (event 1074) related to planned system shutdowns and restarts. The goal is to ensure that shutdown and restart activities are performed in a controlled and documented manner, which is critical to compliance with Disaster Recovery and Business Continuity Monitoring policies as required by CMMC. 
The collection of this data guarantees the traceability of actions related to the maintenance and operational availability of the systems.', null, null, null, null, null, null, null, null, null, 517, true, 385, 'TEMPLATE', null, null, 'Windows Scheduled System Shutdowns and Restarts', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (989, 'This report collects and analyzes critical Windows system events, specifically events 7023 and 7026, recorded in the system log. These events are related to the unexpected termination of essential services and the failure to load drivers during system startup.

The purpose of this report is to provide visibility into possible failures in the technological infrastructure, identifying incidents that may affect the availability, resilience and operational continuity of the Windows environment. The information presented is key to evaluating compliance with the Disaster Recovery and Business Continuity Monitoring requirements established within the CMMC (Cybersecurity Maturity Model Certification) framework.', null, null, null, null, null, null, null, null, null, 517, true, 386, 'TEMPLATE', null, null, 'Windows Failure to load system services', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (990, 'This report collects and analyzes 1000 events in the Windows event log, which are errors from applications that have failed unexpectedly.

The purpose of this report is to identify applications that experience recurring failures, evaluate their impact on system stability, and determine potential risks to operational continuity. The information presented is essential to monitor and improve the resilience of the technological environment, guaranteeing compliance with the requirements of Disaster Recovery and Business Continuity Monitoring within the framework of CMMC (Cybersecurity Maturity Model Certification).', null, null, null, null, null, null, null, null, null, 517, true, 387, 'TEMPLATE', null, null, 'Windows Application failure', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (991, 'This report consolidates and analyzes Windows event log 1026 events, which indicate unhandled exceptions in applications that use the .NET Framework environment.

The objective of the report is to identify applications that experience failures due to execution errors in .NET, evaluate their impact on system stability, and determine potential risks to operational continuity. This information is crucial to monitor the resilience of the technological environment and ensure compliance with the Disaster Recovery and Business Continuity Monitoring requirements within the CMMC (Cybersecurity Maturity Model Certification) framework.

The report includes key details that facilitate the analysis of trends and the implementation of corrective measures to mitigate interruptions in critical services.', null, null, null, null, null, null, null, null, null, 517, true, 388, 'TEMPLATE', null, null, 'Windows .NET Runtime Error', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (992, 'This report consolidates and analyzes Windows event log events 11707, which record successful installation of applications through the MsiInstaller service.

The purpose of the report is to provide visibility into the installation of software on the monitored systems, ensuring that changes to the infrastructure are controlled and comply with Disaster Recovery and Business Continuity Monitoring policies within the CMMC (Cybersecurity Maturity Model Certification) framework.

The report includes key details that allow you to verify the correct implementation of critical applications, guaranteeing the stability and availability of essential services.', null, null, null, null, null, null, null, null, null, 517, true, 388, 'TEMPLATE', null, null, 'Windows Software installation completed successfully', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (993, 'This report collects and analyzes Windows event log events 11708, which indicate failures in installing software through the MsiInstaller service.

The purpose of the report is to identify and evaluate failed application installation attempts on monitored systems, allowing for proactive review of potential configuration, permissions, or software integrity issues.

Within the framework of CMMC''s Disaster Recovery and Business Continuity Monitoring (Cybersecurity Maturity Model Certification), this report contributes to change management and operational continuity, ensuring that critical systems are not affected by errors in software implementation. Key details relevant to incident resolution are included.', null, null, null, null, null, null, null, null, null, 517, true, 390, 'TEMPLATE', null, null, 'Windows Software installation failure', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (994, 'This report collects and analyzes Windows registry events 10016, which indicate permissions problems in activating COM (Component Object Model) components. These events can signal misconfigurations in the security of critical services and applications, impacting business continuity and disaster recovery.

Analysis of these events is essential to ensure compliance with Disaster Recovery and Business Continuity Monitoring requirements within the CMMC (Cybersecurity Maturity Model Certification) framework, ensuring that COM component permissions are correctly configured to avoid disruptions to key systems. This report helps identify and correct permission configurations that could compromise the operational resilience and security of the infrastructure.', null, null, null, null, null, null, null, null, null, 517, true, 391, 'TEMPLATE', null, null, 'Windows Permissions issues in DCOM', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (995, 'This report compiles and presents key information from the Windows Event 15 logs, which reflects the reorganization of system registry hives, a process related to disk space management. Data from these events is crucial for identifying potential performance issues or hard drive failures that could impact system stability. This information is essential to monitor and ensure disaster recovery and business continuity, meeting CMMC requirements. 
Analysis of these events allows you to detect storage-related anomalies and prevent interruptions in critical system services.', null, null, null, null, null, null, null, null, null, 517, true, 392, 'TEMPLATE', null, null, 'Windows Possible Disk Errors', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (996, 'his report compiles the records of Windows log events 18, 19, and 20, which correspond to system startup and shutdown activities. The information extracted from these events is used to verify compliance with the Disaster Recovery and Business Continuity Monitoring requirements of the CMMC framework. These events are critical in ensuring that the system initiates and shuts down in a controlled and reliable manner, in accordance with organizational policies for system availability and recovery.

The report includes details of system startup and shutdown times, as well as any anomalies or failures that may indicate potential issues with system availability. By analyzing these events, the report helps validate the effectiveness of disaster recovery procedures and business continuity plans, ensuring that the system can be restored promptly in case of a failure or disruption.', null, null, null, null, null, null, null, null, null, 517, true, 393, 'TEMPLATE', null, null, 'Windows System Boots and Shutdowns', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (997, 'This report provides a detailed analysis of file deletion events (FileDeleted) in the O365 (SharePoint) environment, with the objective of verifying compliance with the controls established in CMMC Level 3 (AC.3.014). The report collects information on file deletion activities to ensure that sensitive data, including CUI, is managed according to access and protection policies. The purpose of the report is to monitor the flow of CUI, ensuring that files containing this information are deleted according to expiration and retention policies, without unauthorized deletions. In addition, it verifies that only users with appropriate permissions are carrying out the deletion of sensitive files, ensuring that deletion operations are tracked and audited to detect any suspicious or unauthorized activity. 
It also allows you to identify patterns and unusual events related to the deletion of sensitive files, providing a key tool to ensure the protection of information and compliance with CMMC Level 3 regulations.', null, null, null, null, null, null, null, null, null, 510, true, 394, 'TEMPLATE', null, null, 'Office 365 Level 3 (AC.3.014): File Deleted', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (998, 'This report provides a detailed analysis of file sharing events (SharingSet) in the O365 environment (OneDrive/SharePoint), with the aim of verifying compliance with the controls established in CMMC Level 2 (AC.2.007).

The purpose of this monitoring is to ensure that only users and groups with the appropriate privileges can access sensitive files, avoiding unnecessary exposure or improper access. In addition, it allows identifying possible risks, such as the use of public links or the assignment of excessive permissions, and detecting unusual activity patterns in permission management.

This report is a key tool to ensure that the principles of least privilege and segregation of duties are correctly applied in the O365 environment, contributing to the protection of information and compliance with CMMC Level 2 requirements.', null, null, null, null, null, null, null, null, null, 510, true, 395, 'TEMPLATE', null, null, 'Office 365 Level 2 (AC.2.007): Sharing Set', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (999, 'This report provides a detailed analysis of login events (UserLoggedIn) in the O365 environment with the goal of verifying compliance with CMMC Level 1 control AU.1.001, which requires the implementation of audit logs

The report collects key information about user accesses, which allows validating that login events are being properly logged, providing visibility into access activity in the organization

The purpose of this monitoring is to ensure that all logins are properly audited, detect failed or unusual access attempts that may indicate potential threats, and provide evidence for security review and access auditing in the organization

This report serves as an essential tool for CMMC Level 1 compliance by ensuring that the organization maintains a reliable and verifiable record of access to its O365 environment, contributing to the protection of information and the detection of suspicious activities.', null, null, null, null, null, null, null, null, null, 511, true, 265, 'TEMPLATE', null, null, 'Office 365 Level 1 (AU.1.001): Account Logon Success', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1000, 'This report provides a detailed analysis of file access events (FileAccessed) in the O365 environment with the objective of verifying compliance with CMMC Level 1 control AU.1.001, which requires the implementation of audit logs

The report collects key information about file accesses which allows validating that file access events are being correctly recorded providing visibility into user interaction with information stored in the organization

The purpose of this monitoring is to ensure that all file accesses are properly audited, detect unusual accesses that may represent a security risk, and provide evidence for the review and audit of activities in the organization''s information repositories

This report serves as an essential tool for CMMC Level 1 compliance by ensuring that the organization maintains a reliable and verifiable record of file accesses in its O365 environment contributing to the protection of information and the detection of suspicious activities.', null, null, null, null, null, null, null, null, null, 511, true, 325, 'TEMPLATE', null, null, 'Office 365 Level 1 (AU.1.001): File Accessed', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1001, 'This report provides a detailed analysis of FileDeleted events in the O365 environment with the goal of verifying compliance with CMMC Level 1 control AU.1.001, which requires the implementation of audit logs

The report collects key information which allows validating that file deletions are being properly logged providing visibility into data deletion activities in the organization

The purpose of this monitoring is to ensure that all file deletions are properly audited, detect unauthorized or suspicious deletions, and provide evidence for the review and audit of sensitive information deletion actions

This report serves as an essential tool for CMMC Level 1 compliance by ensuring that the organization maintains a reliable and verifiable record of file deletions in its O365 environment contributing to the protection of information and the detection of unauthorized activities.', null, null, null, null, null, null, null, null, null, 511, true, 394, 'TEMPLATE', null, null, 'Office 365 Level 1 (AU.1.001): File Deleted', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1002, 'This report provides a detailed analysis of file sharing events (SharingSet) in the O365 environment with the objective of verifying compliance with CMMC Level 2 control AU.2.042, which requires ensuring that logs are collected to detect and analyze security events

The report collects key information about file sharing actions, which allows detecting unusual or risky activities related to file sharing, such as assigning excessive permissions or sharing sensitive information with unauthorized users

The purpose of this monitoring is to ensure that file sharing actions are correctly recorded and audited, identifying behavioral patterns that could represent a security threat and providing data for incident analysis

This report is an essential tool for CMMC Level 2 compliance, ensuring that file sharing events are correctly collected and analyzed to detect possible security incidents in the O365 environment, contributing to the protection of information and the prevention of unauthorized access authorized.', null, null, null, null, null, null, null, null, null, 511, true, 395, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.042): Sharing Set', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1003, 'This report provides a detailed analysis of FileSyncDownloadedFull events in the O365 environment to verify compliance with CMMC Level 2 control AU.2.042, which requires ensuring that logs are collected to detect and analyze security events.

The report collects key information about file synchronizations, allowing you to identify unusual or suspicious activities related to file synchronization, such as unauthorized access or sensitive file transfers that could pose a security risk.

The purpose of this monitoring is to ensure that file synchronization actions are properly audited, detecting behavioral patterns that could indicate threats and providing relevant data for incident analysis.

This report is a key tool for CMMC Level 2 compliance, ensuring that all file synchronization events are collected and analyzed, contributing to the protection of information and the improvement of security in the O365 environment.', null, null, null, null, null, null, null, null, null, 511, true, 396, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.042): File Synchronization', '');
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1004, 'This report provides a detailed analysis of mailbox permission assignment (Add-MailboxPermission) events in the Office 365 (Exchange) environment, with the objective of verifying compliance with the control established in CMMC Level 3 (AU.3.045). 
The report collects relevant information from audit logs to correlate permission assignment actions with security events, allowing for a more effective analysis of activities related to mailbox access and management.', null, null, null, null, null, null, null, null, null, 511, true, 397, 'TEMPLATE', null, null, 'Office 365 Level 3 (AU.3.045): Mailbox Permission Assigning', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1005, 'This report presents a detailed analysis of FileRenamed events in the Office 365 (SharePoint) environment to verify compliance with CMMC Level 3 control AU.3.045. Key information is collected to correlate audit records and facilitate analysis of security events.

The purpose of this report is to improve visibility into changes to sensitive files, detect unusual activity, and support the identification of potential security incidents by escalating events within the system for audit purposes.', null, null, null, null, null, null, null, null, null, 511, true, 398, 'TEMPLATE', null, null, 'Office 365 Level 3 (AU.3.045): File Renamed', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1006, 'This report collects and analyzes UserLoggedIn event logs in Office 365 to verify compliance with CMMC Level 1 (SI.1.210), which requires the identification and correction of security breaches in a timely manner.

Monitoring logins allows you to detect potential unauthorized access, connection attempts from unusual locations or devices, and anomalous activities that may indicate security risks. By centralizing these events, the report facilitates the evaluation of user behavior, helping to identify suspicious patterns or potential vulnerabilities in the authentication infrastructure.

In addition, this analysis contributes to the implementation of timely corrective measures, ensuring a rapid response to security incidents and strengthening platform access controls.', null, null, null, null, null, null, null, null, null, 503, true, 261, 'TEMPLATE', null, null, 'Office 365 Level 1 (SI.1.210): Account Logon Success', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1007, 'This report collects and analyzes FileAccessed event logs in Office 365 to verify compliance with CMMC Level 1 (SI.1.210), which requires the identification and correction of security breaches in a timely manner.

Access to sensitive files is a critical point in information security, and monitoring these events allows you to detect possible unauthorized access, unusual activities, and usage patterns that may indicate vulnerabilities in access controls. This report identifies the users, files, and locations involved in each access event, facilitating audit review and analysis of suspicious behavior.

By consolidating this information, the report helps you take preventive and corrective measures in a timely manner, ensuring that data is protected in accordance with established security policies and reducing the risk of sensitive information being exposed.', null, null, null, null, null, null, null, null, null, 503, true, 325, 'TEMPLATE', null, null, 'Office 365 Level 1 (SI.1.210): File Accessed', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1008, 'This report gathers relevant information from the SharingSet event logs in Office 365, with the purpose of verifying compliance with CMMC Level 2 (SI.2.212), which requires the implementation of mechanisms for real-time monitoring of security events.

The SharingSet event is generated when a file or folder is shared with other users inside or outside the organization. Monitoring these actions is essential to detect misuse configurations, accidental sharing of sensitive information, or malicious attempts at data exfiltration.

This report provides key details that allow identifying behavior patterns and detecting any anomalies in the management of permissions and access to critical information.

The collection and analysis of these events in real time contribute to strengthening security controls, facilitating rapid response to possible incidents and minimizing the risk of sensitive data exposure.', null, null, null, null, null, null, null, null, null, 503, true, 395, 'TEMPLATE', null, null, 'Office 365 Level 2 (SI.2.212): Sharing Set', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1009, 'This report collects key information from the Add-MailboxPermission event logs in Office 365, with the purpose of verifying compliance with CMMC Level 2 (SI.2.212), which requires the implementation of mechanisms for real-time monitoring of security events.

The Add-MailboxPermission event is generated when permissions are granted on a mailbox to another user or entity. Monitoring these events is essential to detect unauthorized access, improper changes in email permissions, and possible attempts at data exfiltration.

The report includes relevant information that allows for the detection of anomalies in privilege management, ensuring the protection of sensitive information contained in emails.

The collection and real-time analysis of these events strengthens organizational security, allowing a rapid response to possible security incidents and helping to prevent improper access to critical information.', null, null, null, null, null, null, null, null, null, 503, true, 397, 'TEMPLATE', null, null, 'Office 365 Level 2 (SI.2.212): Mailbox Permission Assigning', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1010, 'This report collects relevant information from the FileDeleted event logs in Office 365, used to verify compliance with CMMC Level 3 (SI.3.217), which establishes the need to use monitoring tools to detect potential attacks.

The FileDeleted event is generated when a file is deleted within the Office 365 environment, which may indicate a legitimate or potentially malicious action. Deleting critical files, especially those containing sensitive or controlled information, requires close monitoring to detect suspicious activities that may be associated with ransomware attacks, unauthorized deletion of data, or attempts to hide evidence of an attack.

The report includes essential details such as the ID of the deleted file, the user who performed the action, the source and destination of the file, as well as the date and time the deletion occurred. In addition, the location from which the deletion was performed and the device involved are recorded.

Monitoring file deletion events is a key tool for identifying anomalous activity patterns, such as mass file deletion or deletion to unauthorized locations. This report facilitates the detection of security incidents, enabling a rapid response to mitigate any potential attack or malicious behavior that compromises data integrity.', null, null, null, null, null, null, null, null, null, 503, true, 394, 'TEMPLATE', null, null, 'Office 365 Level 3 (SI.3.217): File Deleted', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1011, 'This report gathers relevant information from the FileRenamed event logs in Office 365, used to verify compliance with CMMC Level 3 (SI.3.217), which establishes the need to use monitoring tools to detect potential attacks.

The FileRenamed event is generated when a file within Office 365 is renamed, which could be an indication of an attempt to hide the content or origin of the file, especially in cases of cyberattacks, such as ransomware or unauthorized access to critical information. File renaming can be an indicator of suspicious behavior that could compromise data integrity or regulatory compliance.

Monitoring file renaming events allows you to identify unauthorized changes to data or infrastructure, detecting possible attempts to hide information or illegitimate activities. This report facilitates early detection of security incidents, allowing a rapid response to mitigate any potential threats and protect critical information in the Office 365 environment.', null, null, null, null, null, null, null, null, null, 503, true, 398, 'TEMPLATE', null, null, 'Office 365 Level 3 (SI.3.217): File Renamed', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1012, 'This report presents relevant information extracted from Office 365 UserLoggedIn event logs, designed to assist in compliance with CMMC Level 2 (AU.2.043) control. The control establishes the need to review logs and correlate events to detect inappropriate activities that may compromise the security of the organization.

UserLoggedIn event logs contain essential data about user login attempts to Office 365 systems, allowing you to detect unauthorized access, unusual patterns of behavior, and potential malicious access attempts. This report facilitates the identification of security incidents by analyzing access data in real time and correlating it with other relevant security events.

This report provides a solid foundation for security audits and incident response, ensuring that access events are reviewed and correlated to quickly detect and respond to potential threats that may affect the integrity of systems and data in Office 365.', null, null, null, null, null, null, null, null, null, 504, true, 261, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.043): Account Logon Success', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1013, 'This report collects relevant information from the FileAccessed event logs in Office 365, with the purpose of verifying compliance with CMMC Level 2 (AU.2.043) control. The control establishes the need to review logs and correlate events to identify inappropriate activities that may indicate potential risks to information security, particularly those affecting the integrity of sensitive files and data.

FileAccessed event logs provide details on file access and modification in Office 365, allowing you to detect unusual or unauthorized behavior, such as access to sensitive documents outside established patterns or by unauthorized users. This report allows you to perform a comprehensive review of files accessed by users, including information about the documents, the applications used, the dates and times of access, as well as the IP address of the devices.

By correlating these events with other security activities on the platform, the report makes it easier to detect inappropriate access or suspicious patterns of behavior, which is crucial to preventing information leaks, unauthorized manipulation, or misuse of files.

Analysis of these logs provides a solid foundation for conducting effective security audits, responding quickly to incidents, and improving critical data access management practices. By reviewing and correlating these events, the organization can ensure that only the appropriate users have access to relevant documents and that any activity that does not comply with security policies is identified in a timely manner.', null, null, null, null, null, null, null, null, null, 504, true, 325, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.043): File Accessed', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1014, 'This report collects relevant information from the FileDeleted event logs in Office 365, with the aim of verifying compliance with CMMC Level 2 control (AU.2.043). This control establishes the need to review and correlate logs to detect inappropriate activities that may put data integrity and information security at risk, especially when it comes to sensitive or confidential files.

FileDeleted event logs provide details about file deletion within Office 365, which is essential for identifying unauthorized or suspicious deletions, such as access to high-risk files by unauthorized users or deletions outside of normal operating patterns.

By correlating these events with other activity logs on the platform, the report makes it easier to detect potential security incidents, such as malicious data manipulation or attempts to delete critical information without justification. It also allows for accurate tracking and auditing of actions performed on files, ensuring that any unauthorized or policy-infringed deletion is identified early.

This analysis is essential to ensure data protection and facilitate rapid responses to any incidents related to inappropriate file deletion, which contributes to compliance with security regulations and preserving the integrity of information stored in Office 365.', null, null, null, null, null, null, null, null, null, 504, true, 394, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.043): File Deleted', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1015, 'This report collects relevant information from the SharingSet event logs in Office 365, with the objective of verifying compliance with the CMMC Level 2 control (AU.2.043). This control establishes the need to review and correlate the logs to detect inappropriate activities that may compromise data security, especially when it comes to sensitive or controlled information within the organization.

The SharingSet event logs provide details about the permission settings and the assignment of access to share files and documents within Office 365, including SharePoint and OneDrive, which allows identifying incorrect or inappropriate configurations that may expose sensitive data in an unauthorized manner.

The analysis of these logs is crucial to detect suspicious activities, such as the assignment of access permissions to unauthorized users or changes in permissions that are not aligned with the organization''s security policies. In addition, it allows the identification of anomalous patterns of behavior related to information sharing, such as unexpected or external access to documents that should be restricted.

By correlating these events with other user activity and system access logs, the report helps detect possible security incidents, such as information leaks or malicious access, which could put data confidentiality at risk. In this way, the report facilitates the early identification of risks, ensures compliance with regulations and improves the response to inappropriate activities, guaranteeing the protection of information assets in Office 365.', null, null, null, null, null, null, null, null, null, 504, true, 395, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.043): Sharing Set', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1016, 'This report collects relevant information from the FileRenamed event logs in Office 365, with the aim of verifying compliance with CMMC Level 2 control (AU.2.043). This control establishes the need to review and correlate logs to detect inappropriate activities that may compromise data security and the integrity of files stored in the organization.

The FileRenamed event provides details about the name changes made to files within SharePoint and OneDrive. This information is crucial to identify suspicious actions, such as unauthorized changes to sensitive documents, which could be an indication of tampering or unauthorized access.

By reviewing these logs and correlating them with other events related to file access and permissions, the report can detect inappropriate behavior, such as the modification of critical file names without proper justification or the renaming of documents related to confidential or controlled information. This analysis helps identify anomalous behavior patterns, such as unauthorized users renaming files in order to evade monitoring or manipulate information.

This report helps improve visibility of file changes and facilitates early detection of security incidents, helping to mitigate risks related to improper access and manipulation of information. By correlating this event with other relevant logs, compliance with the organization''s security policies is ensured, guaranteeing that files are not altered or renamed inappropriately.', null, null, null, null, null, null, null, null, null, 504, true, 398, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.043): File Renamed', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1017, 'This report collects relevant information from the Add-MailboxPermission event logs in Office 365, in order to verify compliance with CMMC Level 3 (AU.3.045) control, which requires correlating security events to identify suspicious behavior. The Add-MailboxPermission event records actions related to the assignment of permissions to mailboxes in Exchange, including details about which permissions were granted to which users and on which mailboxes.

The information contained in this event is critical for monitoring permission assignment, as unauthorized changes to mailbox permissions can indicate unusual behavior, such as privilege escalation or improper access to sensitive data. This report helps identify which users have been granted additional access to mailboxes, whether the access was appropriate and authorized, or whether it is a suspicious change that could be indicative of an insider threat or compromise attempt.

Correlating these logs with other related events, such as access to sensitive files or changes to mailbox security settings, makes it easier to detect unusual patterns that could indicate malicious or unauthorized activity. This correlation of events also helps to identify potential fraudulent behavior, such as assigning permissions to unauthorized users to gain access to sensitive or controlled information.

This report contributes to the early identification of potential threats and the implementation of preventive measures, which reinforces the overall security of the system and ensures that mailbox permissions are properly managed, avoiding risks of improper access or loss of critical data.', null, null, null, null, null, null, null, null, null, 504, true, 397, 'TEMPLATE', null, null, 'Office 365 Level 3 (AU.3.045): Mailbox Permission Assigning', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1018, 'This report collects relevant information from the FileSyncDownloadedFull event logs in Office 365, in order to verify compliance with CMMC Level 4 (AU.4.054) control, which requires the implementation of advanced event correlation to detect evolving threats. The FileSyncDownloadedFull event is generated when a file is fully synchronized through OneDrive or SharePoint, implying a highly relevant file transfer or access to information that could be associated with CUI (Controlled Unclassified Information).

The analysis of this event is crucial to detect unusual patterns in the download of sensitive files, such as those related to mass synchronization of important documents or unauthorized access to files that should be restricted. Through advanced event correlation, this report allows you to identify whether file download activity is linked to other suspicious behavior, such as logins from unusual locations, simultaneous access attempts, or changes in security settings.

Implementing advanced event correlation techniques enables the detection of evolving threats, such as data exfiltration attacks or lateral movement within the network. An example of this type of threat could be an attacker who first accesses a file and then synchronizes it to transfer it to an unauthorized location, all while hiding their actions by executing multiple events at different points in the system.

This report provides a detailed and correlated view of file synchronization activities within the Office 365 infrastructure, making it easier to identify advanced persistent threats (APTs) that may have evaded traditional detection methods. Through this advanced correlation, security teams can quickly respond to incidents, mitigating risks and ensuring that critical files are not compromised or transferred inappropriately.

In short, the report contributes to continuous monitoring and proactive detection of complex threats that affect information integrity, which is essential to prevent data l', null, null, null, null, null, null, null, null, null, 504, true, 396, 'TEMPLATE', null, null, 'Office 365 Level 4 (AU.4.054): File Synchronization', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1021, 'This report collects and analyzes UserLoggedIn events in Office 365 to assess compliance with CMMC Level 2 requirement AU.2.044, which requires audit logs to be reviewed for inappropriate behavior.

Monitoring these events helps identify unusual access patterns, such as logins from unexpected geographic locations, unauthorized devices, or attempts to access sensitive resources outside of normal business hours. By analyzing these activities, it is possible to detect potential improper access, compromised credentials, or suspicious behavior that may indicate internal or external threats.

The information obtained in this report is key to strengthening user behavior monitoring within Office 365, facilitating early detection of security incidents and ensuring compliance with the audit practices established in CMMC Level 2.', null, null, null, null, null, null, null, null, null, 501, true, 261, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.044): Account Logon Success', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1022, 'This report collects and analyzes UserLoginFailed events in Office 365 to assess compliance with CMMC Level 2 requirement AU.2.044, which requires audit logs to be reviewed for inappropriate behavior.

Monitoring these events helps identify patterns of failed authentication attempts that could indicate suspicious activity, such as brute force attacks, compromised credentials, or attempts to log in from unauthorized locations or devices. Detecting anomalous behavior in login attempts helps prevent unauthorized access and facilitates corrective action to mitigate security risks.

The information obtained in this report is key to strengthening user behavior monitoring within Office 365, ensuring an effective response to potential threats and ensuring compliance with the audit practices established in CMMC Level 2.', null, null, null, null, null, null, null, null, null, 501, true, 262, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.044): Account Logon Failure', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1023, 'This report collects and analyzes FileAccessed events in Office 365 to assess compliance with CMMC Level 2 requirement AU.2.044, which requires audit logs to be reviewed to detect inappropriate behavior.

Monitoring these events helps identify file accesses that may indicate suspicious activity, such as mass viewing of sensitive documents, access to restricted information by unauthorized users, or unusual behavior patterns when interacting with files. By analyzing logs, it is possible to detect attempts at data exfiltration, improper access, or misuse of information within the Office 365 environment.

The information obtained in this report helps strengthen monitoring of user behavior, ensuring early detection of potential security incidents and guaranteeing compliance with the audit practices established in CMMC Level 2.', null, null, null, null, null, null, null, null, null, 501, true, 325, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.044): File Accessed', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1024, 'This report collects relevant information from the FileSyncDownloadedFull event logs in Office 365, providing a detailed view of completed file downloads performed through OneDrive and SharePoint synchronization. Its purpose is to support CMMC Level 1 (AU.1.001) compliance, which requires capturing audit logs for basic security events.

The report allows you to identify which users have downloaded files, from which location, and at what time, making it easier to monitor data access and movement within the corporate environment. Capturing these events enables the ability to track the flow of information and detect potential unauthorized activities or file management anomalies.

Additionally, this report can serve as a reference tool to assess usage patterns, strengthen data security, and comply with regulatory requirements related to auditing and retention of security event logs.', null, null, null, null, null, null, null, null, null, 513, true, 261, 'TEMPLATE', null, null, 'Office 365 Level 1 (AU.1.001): Account Logon Success', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1025, 'This report consolidates key information from logs generated by the FileAccessed event in Office 365, providing detailed insight into file accesses in environments such as OneDrive and SharePoint. It is intended to support CMMC Level 1 (AU.1.001) compliance, which requires capturing audit logs for basic security events.

Logging these events is critical to establishing information traceability, assisting in the investigation of security incidents, and ensuring compliance with auditing and data protection policies. Additionally, this report provides a foundation for future improvements in the security and monitoring of the organization''s digital environment.', null, null, null, null, null, null, null, null, null, 513, true, 325, 'TEMPLATE', null, null, 'Office 365 Level 1 (AU.1.001): File Accessed', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1026, 'This report compiles key information from logs generated by the FileDeleted event in Office 365, providing visibility into file deletion on platforms such as OneDrive and SharePoint. Its purpose is to support CMMC Level 1 (AU.1.001) compliance, which requires the capture of audit logs for basic security events.

The report documents essential details that enable security administrators to track file deletion activities, identify accidental or malicious actions, and prevent the loss of critical information.

Maintaining an accurate record of these events is critical for information traceability, incident investigation, and enforcement of security controls. Additionally, this report can contribute to the improvement of data access and retention policies within the organization, ensuring better information management and regulatory compliance.', null, null, null, null, null, null, null, null, null, 513, true, 394, 'TEMPLATE', null, null, 'Office 365 Level 1 (AU.1.001): File Deleted', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1027, 'This report compiles relevant information from the logs generated by the FileRenamed event in Office 365, providing visibility into file renaming on platforms such as OneDrive and SharePoint. It is intended to support CMMC Level 1 (AU.1.001) compliance, which requires the capture of audit logs for basic security events.

The report documents key data that allows security administrators to monitor file modifications, detect possible attempts to conceal suspicious activities, and ensure the integrity of stored information.

Logging and analyzing these events is crucial for data traceability, identifying potential security incidents, and maintaining a secure and compliant work environment. Additionally, this report can be used to enforce change control policies and improve document management within the organization.', null, null, null, null, null, null, null, null, null, 513, true, 398, 'TEMPLATE', null, null, 'Office 365 Level 1 (AU.1.001): File Renamed', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1028, 'This report compiles relevant information from the logs generated by the Add-MailboxPermission event in Office 365, providing visibility into the assignment of permissions on mailboxes within the Exchange Online environment. Its objective is to support compliance with CMMC Level 2 (AU.2.041), which requires the retention of audit logs for security events, ensuring the traceability of access and modifications in systems.

The report documents key data that allows you to detect suspicious activities, identify unauthorized changes to mailbox permissions, and strengthen your ability to respond to potential security incidents.

Retaining these events in audit logs is essential to ensure regulatory compliance, provide evidence in security investigations, and improve internal access controls to confidential information. In addition, it allows administrators to effectively monitor and manage access to corporate mailboxes, minimizing risks associated with the exposure of sensitive data.', null, null, null, null, null, null, null, null, null, 513, true, 397, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.041): Mailbox Permission Assigning', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1029, 'This report compiles relevant information from the logs generated by the SharingSet event in Office 365, providing visibility into file and folder sharing actions within the SharePoint and OneDrive environment. Its goal is to support CMMC Level 2 (AU.2.041) compliance, which requires audit log retention for security events, ensuring traceability of information access and sharing within the organization.

The report documents key data whose log retention is critical for security and compliance, allowing organizations to identify potential exposures of sensitive data, detect unauthorized sharing, and improve monitoring of access to critical information. This data also facilitates incident response, risk assessment, and the implementation of more effective access controls to protect the confidentiality of information.', null, null, null, null, null, null, null, null, null, 513, true, 395, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.041): Sharing Set', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1030, 'This report gathers relevant information from the logs generated by the FileSyncDownloadedFull event in Office 365, which records when a user downloads a full file from SharePoint or OneDrive using file synchronization. Its purpose is to support compliance with CMMC Level 2 (AU.2.041), which requires the retention of audit logs for security events, ensuring traceability of interactions with the organization''s critical data.

The report provides key details that allow identifying access patterns, detecting suspicious downloads of confidential information, and setting alerts for possible data exfiltrations.

Retaining these logs is essential for security and regulatory compliance, as it facilitates incident investigation, information access control, and the implementation of data protection strategies. By maintaining a detailed audit of these events, organizations can reinforce their security policies and mitigate risks associated with the loss or leakage of sensitive information.', null, null, null, null, null, null, null, null, null, 513, true, 396, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.041): File Synchronization', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1031, 'This report collects relevant audit events associated with the use of the SendOnBehalf permission in Office 365. The SendOnBehalf event indicates when a user has sent an email message on behalf of another user, which may involve sensitive activities within the organization.

Analyzing these logs helps verify that logs related to SendOnBehalf activity are maintained appropriately and available for review. This is critical to meeting the security log retention requirements set out in CMMC Level 2, which requires audit logs to be maintained to facilitate the detection of inappropriate activities and ensure the integrity of operations.', null, null, null, null, null, null, null, null, null, 513, true, 399, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.041): Email access', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1032, 'This report compiles relevant information from FileAccessed events in Office 365, recording file accesses within the organization''s environment. The information contained in this report demonstrates compliance with CMMC Level 1 requirement AU.1.001, ensuring the capture and retention of basic audit records for review.

Analysis of these events provides visibility into who, when, and from where files are accessed, allowing for the detection of usage patterns, unusual accesses, and ensuring traceability of activity on data stored in the cloud.', null, null, null, null, null, null, null, null, null, 505, true, 325, 'TEMPLATE', null, null, 'Office 365 Level 1 (AU.1.001): File Accessed', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1033, 'This report compiles relevant information from FileDeleted events in Office 365, recording the deletion of files within the organization''s environment. The information contained in this report demonstrates compliance with CMMC Level 1 requirement AU.1.001, ensuring the capture and retention of basic audit records for review.

Analysis of these events provides visibility into which files have been deleted, by whom, when, and from what location or device. This facilitates the detection of unauthorized activities, the recovery of information in the event of accidental deletion, and the assurance of data traceability within the cloud environment.', null, null, null, null, null, null, null, null, null, 505, true, 394, 'TEMPLATE', null, null, 'Office 365 Level 1 (AU.1.001): File Deleted', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1034, 'This report gathers key information from UserLoggedIn events in Office 365, recording login attempts within the organization''s environment. The information contained in this report supports compliance with CMMC Level 1 requirement AU.1.001, ensuring that essential audit logs are captured and retained for review and analysis.

Monitoring these events helps identify successful and failed accesses, logged in users, source IP addresses, devices used, and geographic locations. This is critical for detecting unauthorized access, auditing user activity, and reinforcing the organization''s security through regular reviews of authentication logs.', null, null, null, null, null, null, null, null, null, 505, true, 261, 'TEMPLATE', null, null, 'Office 365 Level 1 (AU.1.001): Account Logon Success', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1035, 'This report compiles key information about FileRenamed events in Office 365, ensuring the protection and retention of audit records against unauthorized modifications, in compliance with CMMC Level 2 requirement AU.2.043.

Analysis of these events allows you to track when and by whom files have been renamed within your organization''s environment, verify changes to sensitive documents, and ensure record integrity. The information included in this report is essential for detecting suspicious activity, auditing file modifications, and implementing controls that prevent unauthorized alteration of audit logs.', null, null, null, null, null, null, null, null, null, 505, true, 398, 'TEMPLATE', null, null, 'Office 365 Level 2 (AU.2.043): File Renamed', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1036, 'This report compiles relevant information about Add-MailboxPermission events in Office 365, ensuring audit log retention for advanced review and incident response, in compliance with CMMC Level 3 requirement AU.3.044.

Analysis of these events allows monitoring and auditing changes to mailbox access permissions, identifying privilege assignments that could compromise information security. This report is essential for detecting unauthorized access, investigating security incidents, and ensuring that logs remain intact and accessible for forensic analysis in the event of suspicious activity or potential security breaches.', null, null, null, null, null, null, null, null, null, 505, true, 397, 'TEMPLATE', null, null, 'Office 365 Level 3 (AU.3.044): Mailbox Permission Assigning', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1053, 'This report compiles relevant information from logs generated by Windows event 4907, which indicates changes to the system''s network filter configurations. This event is key to ensuring that any changes made to network connection configurations and network security controls (NSC) have been managed in a controlled manner and properly approved. 
Analyzing these events allows for verification that changes to network configurations have been made according to established procedures, ensuring that the security infrastructure remains consistent, secure, and aligned with organizational policies.', null, null, null, null, null, null, null, null, null, 807, true, 291, 'TEMPLATE', null, null, 'Windows 1.2 Restoration of default security policies', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1054, 'This report compiles relevant information from logs generated by Windows event 4657, which records configuration changes to security objects or system policies. This event is essential for auditing and verifying that changes made to network connection configurations and network security controls (NSC) have been made appropriately and in accordance with established control processes. 
This event ensures that all changes are approved and managed according to appropriate procedures, ensuring that the security infrastructure remains effective and free from unnecessary risks.', null, null, null, null, null, null, null, null, null, 807, true, 322, 'TEMPLATE', null, null, 'Windows 1.2 Registry Value Modification', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1055, 'This report compiles relevant information from logs generated by Windows event 4663, which records access to specific files and directories. Although this event is not directly related to network diagrams, it can be useful for monitoring access to key files or resources that may contain critical information related to the network infrastructure or account data flow. 
Auditing these accesses allows you to verify that modifications to the network environment, such as changes to service or protocol configurations, are being appropriately monitored, which helps keep network and data flow diagrams up to date with changes in the environment.', null, null, null, null, null, null, null, null, null, 807, true, 277, 'TEMPLATE', null, null, 'Windows 1.2 Access to critical files or specific directories', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1056, 'This report compiles relevant information from logs generated by Windows event 4670, which records changes in access permissions to system objects, such as files or directories. Although this event is related to auditing access and security permission changes, it can be useful for verifying whether modifications to the network security infrastructure affect connections between the Cardholder Data Environment (CDE) and other networks, including wireless networks. Additionally, the logged information helps ensure that network and data flow diagrams are kept up-to-date and accurately reflect any changes to the environment, such as the assignment of permissions or access to systems that handle sensitive data. 
Proper auditing of these changes helps ensure that network diagrams and data flows remain consistent with changes made to the infrastructure.', null, null, null, null, null, null, null, null, null, 807, true, 274, 'TEMPLATE', null, null, 'Windows 1.1 Protected Object Permission Change', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1057, 'This report compiles relevant information from logs generated by Windows event 5158, which is related to Windows Filtering Platform (WFP) configuration and network filtering rule changes. Event 5158 indicates when a service has started listening on a specific port, allowing you to audit and verify which services, protocols, and ports are enabled on the system. This event is essential for verifying that all allowed services, protocols, and ports have been identified, approved, and have a defined business need, as required by the PCI DSS standard. 
The information in this event helps ensure that only legitimate traffic necessary for the services to function is allowed, preventing potential vulnerabilities resulting from incorrect or unnecessary network configurations.', null, null, null, null, null, null, null, null, null, 807, true, 296, 'TEMPLATE', null, null, 'Windows 1.2 Filtering Platform', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1058, 'This report compiles relevant information from the logs generated by Windows events 4768, 4769, and 4771, which are related to the Kerberos authentication process on the system. Events 4768 and 4769 are generated when a Kerberos authentication ticket is issued and when a user attempts to authenticate using a Kerberos ticket, respectively. Event 4771 is generated when Kerberos authentication fails.

These events are important for verifying compliance with PCI DSS as they allow auditing authentication attempts and the validity of access tickets for services, protocols, and ports used. By reviewing these events, it is possible to ensure that the services and protocols in use are properly configured with defined security features, such as secure authentication using Kerberos, and that access attempts are not insecure or unauthorized. This helps mitigate the risks associated with using services and protocols that could be vulnerable if not properly protected by security controls.', null, null, null, null, null, null, null, null, null, 807, true, 283, 'TEMPLATE', null, null, 'Windows 1.2 Kerberos ticket requests', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1060, 'This report compiles relevant information from logs generated by Windows event 4985, which is related to auditing activity related to changes in system object configurations. Event 4985 is triggered when an action is taken that affects security policies or access configurations, which may include relevant changes to network security controls (NSCs). This event is useful for confirming that NSC configurations are being regularly reviewed and that any modifications to the security infrastructure are properly documented. 
Analyzing these events allows verification that network controls are aligned with PCI DSS requirements, ensuring that NSC configurations are reviewed and adjusted, where necessary, to maintain their effectiveness and relevance.', null, null, null, null, null, null, null, null, null, 807, true, 369, 'TEMPLATE', null, null, 'Windows 1.2 File System Transaction Status Changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1061, 'This report compiles relevant information from logs generated by Windows events 4663 and 4656, which are related to access and modification of system files and objects, including Network Security Controls (NSC) configuration files.

Event 4663 is generated when a user attempts to access a file or directory, providing details about the type of access requested. Event 4656 is triggered when a request is made to access an object, indicating whether the request was approved or denied. These events are essential for auditing access to NSC configuration files, ensuring that unauthorized access to these critical files is not occurring.

Analyzing these events is key to complying with PCI DSS Requirements, which states that NSC configuration files must be protected from unauthorized access and maintained consistent with the active network. These logs allow verification that appropriate access controls are in place, ensuring that only authorized users can modify configuration files and that any changes are properly logged to maintain the integrity of the network''s security configuration.', null, null, null, null, null, null, null, null, null, 807, true, 273, 'TEMPLATE', null, null, 'Windows 1.2 Attempt to Access a Protected Object', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1064, 'This report consolidates 4946 Windows system events, which record the creation of new firewall rules on the system. Its analysis allows you to verify compliance with PCI DSS Requirements, ensuring that network security policies and procedures are documented, up-to-date, and in use. 
It also provides visibility into firewall configuration changes, helping to identify unauthorized modifications or inconsistencies in the implementation of security controls.', null, null, null, null, null, null, null, null, null, 807, true, 346, 'TEMPLATE', null, null, 'Windows 1.1 Firewall Exception List Changed', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1065, 'This report collects and analyzes the 4688 events generated by the Windows system, which record the creation and execution of critical processes. The analysis of these events is essential to ensure compliance with PCI DSS requirement, as it allows verifying that the processes related to the installation, configuration and maintenance of security controls are documented, updated and in proper use. 
In addition, it allows identifying the execution of relevant security tools and scripts, ensuring that operational practices are aligned with defined security policies and procedures.', null, null, null, null, null, null, null, null, null, 807, true, 284, 'TEMPLATE', null, null, 'Windows 1.1 Process Creation', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1067, 'This report captures Windows system event 1102, which indicates the cleanup of system audit logs. Analysis of these events is essential to verify compliance with PCI DSS requirements, ensuring that audit policies and procedures are documented, up-to-date, and in use. It also monitors the integrity of audit logs, ensuring that they are not inappropriately altered or deleted, and that defined operational best practices for security are followed.', null, null, null, null, null, null, null, null, null, 807, true, 295, 'TEMPLATE', null, null, 'Windows 1.1 Cleaned Event Log', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1068, 'This report consolidates the 4719 events generated by the Windows system, which record changes to the system audit policy configuration. 
Analysis of these events is key to verifying compliance with PCI DSS requirements, ensuring that audit policies related to the installation and maintenance of security controls are documented, up-to-date, and in use according to defined operating procedures. Additionally, it provides visibility into the adequacy and consistency of audit configurations, ensuring that security practices stipulated by organizational policies are followed.', null, null, null, null, null, null, null, null, null, 807, true, 280, 'TEMPLATE', null, null, 'Windows 1.1 Policy changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1069, 'This report collects 4720 events generated by the Windows system, which record the creation of new user accounts. Analysis of these events helps verify compliance with PCI DSS requirements, ensuring that the roles and responsibilities associated with user account management are properly documented, assigned, and understood. 
Additionally, it provides visibility into the assignment of new accounts and their relationship to security activities, helping to ensure that the right people are assigned to perform critical security activities appropriately.', null, null, null, null, null, null, null, null, null, 807, true, 267, 'TEMPLATE', null, null, 'Windows 1.1 User Accounts Created', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1070, 'This report collects the 4722 events generated by the Windows system, which indicate the enabling of user accounts. The analysis of these events is key to verify compliance with PCI DSS requirements, ensuring that the roles and responsibilities associated with the management of user accounts and their access to critical systems are properly documented, assigned, and understood. 
In addition, it provides visibility into the enabling of accounts and ensures that the activated accounts are aligned with established security policies and operating procedures.', null, null, null, null, null, null, null, null, null, 807, true, 293, 'TEMPLATE', null, null, 'Windows 1.1 User Accounts Enabled', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1071, 'This report collects 4726 events generated by the Windows system, which record user account deletions. Analyzing these events is critical to verifying compliance with PCI DSS Requirements, ensuring that roles and responsibilities for managing the creation, enabling, and deletion of user accounts are properly documented, assigned, and understood. 
It also provides visibility into account deletion, ensuring that operational procedures and security policies are followed when managing access within the infrastructure.', null, null, null, null, null, null, null, null, null, 807, true, 272, 'TEMPLATE', null, null, 'Windows 1.1 User Accounts Deleted', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1072, 'This report collects 4732 events generated by the Windows system, which record the addition of users to security groups. Analyzing these events is essential for verifying compliance with PCI DSS Requirements, ensuring that roles and responsibilities for managing access to resources and privileges within the infrastructure are clearly documented, assigned, and understood. 
Additionally, this report provides visibility into the assignment of users to security groups, ensuring that access and permissions are granted according to defined security policies and procedures, and that activities are performed by the appropriate people.', null, null, null, null, null, null, null, null, null, 807, true, 320, 'TEMPLATE', null, null, 'Windows 1.1 Member Addition to a Security Local Group', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1073, 'This report compiles 4733 events generated by the Windows system, which record the removal of users from security groups. Analysis of these events is crucial to verify compliance with PCI DSS requirements, ensuring that roles and responsibilities for access and privilege management are clearly documented, assigned, and understood by all responsible parties. 
Additionally, this report provides visibility into changes in security group membership, ensuring that user removal is performed in accordance with established security policies and operating procedures, ensuring that activities are appropriately managed by the responsible individuals.', null, null, null, null, null, null, null, null, null, 807, true, 321, 'TEMPLATE', null, null, 'Windows 1.1 Local Security Group Member Removal', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1075, 'This report collects 4672 events generated by the Windows system, which records logons of accounts with elevated privileges. Analysis of these events is essential to verify compliance with PCI DSS requirements, ensuring that the roles and responsibilities of users with special privileges are clearly documented, assigned, and understood. 
Additionally, it provides visibility into the activities performed by users with administrative privileges, ensuring that access and permissions are assigned appropriately, in accordance with defined security policies and operating procedures, and that activities are managed by the responsible individuals.', null, null, null, null, null, null, null, null, null, 807, true, 278, 'TEMPLATE', null, null, 'Windows 1.1 Special privileges assigned to new logon', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1076, 'This report collects 4648 events generated by the Windows system, which record authentication attempts using specific user account credentials. Analysis of these events is crucial to verify compliance with PCI DSS requirements, ensuring that roles and responsibilities for authentication and access to critical systems are clearly documented, assigned, and understood by all responsible parties. 
Additionally, the report provides visibility into authentication attempts involving specific credentials, ensuring that access is managed appropriately and in line with defined security policies and operational procedures.', null, null, null, null, null, null, null, null, null, 807, true, 281, 'TEMPLATE', null, null, 'Windows 1.1 Logins with explicit credentials', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1079, 'This report collects 4624 events generated by the Windows system, which record successful logons to the system. Analysis of these events is key to verifying compliance with PCI DSS requirements, ensuring that the roles and responsibilities associated with accessing the system and performing critical activities are properly documented, assigned, and understood. 
Additionally, it provides visibility into which users and accounts are accessing systems, allowing validation that the right people have the necessary permissions to perform security activities related to installing and maintaining network controls, in accordance with established operational policies and procedures.', null, null, null, null, null, null, null, null, null, 807, true, 265, 'TEMPLATE', null, null, 'Windows 1.1 Account Logon Success', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1080, 'This report captures 4625 events generated by the Windows system, which record failed logon attempts. Analysis of these events is crucial to verify compliance with PCI DSS requirements, ensuring that roles and responsibilities related to system access and security management are properly documented, assigned, and understood. 
It also helps detect potential unauthorized access attempts, helping to ensure that authentication and authorization activities are performed only by individuals designated to perform tasks related to security controls, in accordance with established policies and operating procedures.', null, null, null, null, null, null, null, null, null, 807, true, 266, 'TEMPLATE', null, null, 'Windows 1.1 Account Logon Failure', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1083, 'This report compiles relevant information obtained from the Windows event logs 5156, 5158, and 5159, which are related to the Windows Filtering Platform (WFP). These events are analyzed to verify that Network Security Controls (NSC) are correctly implemented between trusted and untrusted networks, as required by PCI DSS requirements. The information extracted from these logs allows monitoring of inter-network traffic and ensures that only authorized traffic, corresponding to communications necessary for permitted services, is being properly managed. 
It also ensures that network security policies are being correctly applied to protect the integrity of the systems within the CDE.', null, null, null, null, null, null, null, null, null, 807, true, 349, 'TEMPLATE', null, null, 'Windows 1.4 Connections and Port Assignments', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1085, 'This report compiles relevant information from Windows event 4740 logs, which relates to user account lockouts due to failed login attempts. It is used to verify compliance with PCI DSS Requirements, which mandates that anti-spoofing measures must be implemented to detect and block spoofed source IP addresses attempting to access the trusted network. 
This event helps identify unauthorized attempts that could be related to phishing activities, helping to ensure that access to the trusted network is protected from attacks using spoofed or deceptive IP addresses.', null, null, null, null, null, null, null, null, null, 807, true, 276, 'TEMPLATE', null, null, 'Windows 1.4 Account Locks', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1087, 'This report compiles relevant information from Windows event 4799 logs, which refers to network configuration changes involving access and disclosure of internal IP address and routing information. This event is key to verifying compliance with PCI DSS Requirements, which establishes that disclosure of internal IP addresses and routing information must be limited to authorized parties only. 
By reviewing these events, unauthorized access to sensitive network configurations can be monitored, ensuring that only authorized personnel have visibility into this critical information.', null, null, null, null, null, null, null, null, null, 807, true, 306, 'TEMPLATE', null, null, 'Windows 1.4 User Accounts Enumeration', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1091, 'The report consolidates relevant information from Windows event 4697 logs, providing evidence for assessing compliance with PCI DSS Requirements. This event allows monitoring the installation of new services on devices that have connectivity to both untrusted networks and the CDE, facilitating the identification of potential configurations that could introduce risks to the network. 
By analyzing these logs, it is possible to verify that security controls are active, that the installation of unauthorized services is restricted, and that any modifications to device configurations are properly documented and approved in accordance with established security policies.', null, null, null, null, null, null, null, null, null, 807, true, 305, 'TEMPLATE', null, null, 'Windows 1.5 Service Installed', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1095, 'This report compiles relevant information from Windows Event 4728 logs, which is used to verify the proper implementation of security controls on devices connecting to both untrusted networks and the Cardholder Data Entity (CDE). Event 4728, related to the addition of members to a security group, is analyzed to ensure that the devices in question have specific configurations that prevent threats to the entity''s network. Additionally, it verifies that security controls are active and cannot be modified by device users, except when there are documented authorizations approved by management in limited situations. 
This report ensures compliance with security policies for both company and employee-owned devices, contributing to the protection of the CDE and risk mitigation in accordance with PCI DSS requirements.', null, null, null, null, null, null, null, null, null, 807, true, 316, 'TEMPLATE', null, null, 'Windows 1.5 Additions to Security Groups', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1096, 'This report gathers relevant information from the 4663 events generated in Windows logs, which are used to verify compliance with PCI DSS Requirement 2.1.1. This requirement establishes that all security policies and operational procedures must be documented, kept up-to-date, in use, and known to all affected parties.

4663 events correspond to access to files and objects within the system, allowing the tracking of the access, modification, or deletion of key documents, such as security policies and operational procedures. These events confirm that relevant documents are being managed according to defined standards, ensuring that policies and procedures are available, up-to-date, and accessible to the appropriate parties for implementation.

This report facilitates validation that security policies and operational procedures, essential for data protection, are being correctly managed within the IT environment and that the requirements established by PCI DSS regarding the documentation and continuous updating of these policies are met.', null, null, null, null, null, null, null, null, null, 801, true, 277, 'TEMPLATE', null, null, 'Windows 2.1 Access to critical files or specific directories', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1097, 'This report gathers relevant information from 4720 events generated in Windows logs, which correspond to the creation of new user accounts in the system. Event 4720 is useful for verifying compliance with PCI DSS requirement 2.1.1, which establishes that all security-related operational policies and procedures must be documented, up-to-date, in use, and known to all affected parties.

Event 4720 allows for auditing the creation of new accounts, which is important to ensure that user management procedures, which are part of security policies, are being implemented in accordance with established standards. Furthermore, the correct assignment and awareness of these policies by affected parties can be verified by registering new accounts, especially if they are linked to activities related to the implementation and maintenance of these security policies.

This report ensures that access control and identity management are implemented in accordance with documented, updated, and approved security procedures, helping to ensure the protection of sensitive data and compliance with PCI DSS requirements.', null, null, null, null, null, null, null, null, null, 801, true, 267, 'TEMPLATE', null, null, 'Windows 2.1 User Accounts Created', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1098, 'This report gathers relevant information from 4728 events generated in Windows logs, which correspond to the addition of users to a security group. Event 4728 is useful for verifying compliance with PCI DSS Requirement 2.1.2, which establishes that the roles and responsibilities for performing the activities defined in Requirement 2 must be documented, assigned, and understood by all involved parties.

This event allows you to audit which users have been added to specific security groups, allowing you to verify that the responsibilities associated with configuring and maintaining system components are clearly assigned to the appropriate individuals or groups. These records are essential for ensuring that security policies and operational procedures are being correctly implemented and that access roles are aligned with defined security responsibilities.

This report helps ensure that activities related to the secure configuration of systems and compliance with security standards are being carried out by authorized and competent persons, supporting the correct management of system components in accordance with documented and assigned procedures.', null, null, null, null, null, null, null, null, null, 801, true, 316, 'TEMPLATE', null, null, 'Windows 2.1 Additions to Security Groups', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1099, 'This report gathers relevant information from 4732 events generated in Windows logs, which correspond to the addition of a member to a security group. Event 4732 is used to verify compliance with PCI DSS Requirement 2.1.2, which establishes that the roles and responsibilities for performing the activities defined in Requirement 2 must be documented, assigned, and understood by all involved parties.

This event allows you to audit which users have been assigned to specific security groups in the system. This is crucial for verifying that the individuals responsible for performing activities related to configuring and maintaining the security of system components are clearly identified and have adequate access to the required functions.

This report ensures that security policies and access responsibilities are aligned, ensuring that roles for implementing and managing secure configurations are correctly assigned and that the responsibilities of the individuals involved are clear and understood. Additionally, it helps confirm that secure configurations and operational procedures are being followed in accordance with PCI DSS.', null, null, null, null, null, null, null, null, null, 801, true, 320, 'TEMPLATE', null, null, 'Windows 2.1 Member Addition to a Security Local Group', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1100, 'This report gathers relevant information from 4657 events recorded in Windows logs, which are triggered when a change is made to a system''s configuration. This type of event is crucial for compliance with PCI DSS Requirement 2.2.1, which requires the development, implementation, and maintenance of configuration standards for all system components, covering all known security areas and aligning with industry- or vendor-accepted system hardening recommendations.

Through 4657 events, all changes made to system configurations can be tracked and audited, allowing verification of whether security configuration standards are being applied appropriately, whether updates are being made in accordance with newly identified vulnerabilities, and whether they are being applied in a timely manner when a new system is configured.

This report provides evidence that security configurations are being maintained and updated in accordance with PCI DSS best practices and requirements, ensuring that all system components are securely configured before being connected to the production environment.', null, null, null, null, null, null, null, null, null, 801, true, 322, 'TEMPLATE', null, null, 'Windows 2.2 Registry Value Modification', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1101, 'This report gathers key information from 4697 events recorded in Windows logs, which are generated when a new service or component is installed on a system. These events are important for verifying that security configuration standards are being implemented in accordance with PCI DSS Requirement 2.2.1, which requires configurations to be consistent with system hardening best practices or vendor recommendations, address all known vulnerabilities, and be updated as new threats are identified.

4697 events allow for auditing the installation of new services or components on the system, providing evidence that these components are being properly configured to meet security standards before being connected to the production network. Additionally, these events help verify that configuration updates are being applied in a timely manner, as required by PCI DSS regarding the application of secure configurations and the management of new vulnerabilities.

This report ensures that security configurations are continuously maintained and audited, and that PCI DSS requirements related to the secure configuration of system components are met.', null, null, null, null, null, null, null, null, null, 801, true, 305, 'TEMPLATE', null, null, 'Windows 2.2 Service Installed', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1102, 'This report gathers relevant information from 4670 events (Permissions on an object were changed) generated in Windows, with the purpose of verifying compliance with PCI DSS Requirement 2.1.1. This requirement mandates that all security policies and operating procedures be documented, up-to-date, in use, and known to all affected parties.

Event 4670 allows you to audit changes to permissions on critical system objects, including configuration files and security policies, ensuring that only authorized users can modify these elements and that the integrity of security configurations is maintained in accordance with established policies.', null, null, null, null, null, null, null, null, null, 801, true, 274, 'TEMPLATE', null, null, 'Windows 2.1 Protected Object Permission Change', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1103, 'This report compiles relevant information from 4724 events (An attempt was made to reset an account''s password) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 2.2.2. This requirement requires that default vendor accounts be managed securely, ensuring that if used, their passwords are changed, and if not, they are deleted or disabled.

Event 4724 allows for auditing password reset attempts on system accounts, which is key to identifying potential changes to default vendor accounts and ensuring that adequate controls are in place to mitigate security risks associated with default credentials.', null, null, null, null, null, null, null, null, null, 801, true, 312, 'TEMPLATE', null, null, 'Windows 2.2 Password Reset Attempts', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1104, 'This report compiles relevant information from 4688 events (A new process has been created) generated in Windows, with the aim of verifying compliance with PCI DSS requirement 2.2.3. This requirement establishes that core functions requiring different levels of security must be managed appropriately, either by ensuring that each system contains only one core function, isolating functions with different security levels, or applying the highest security level if they share a single system.

Event 4688 allows the auditing of process creation in the system, providing visibility into which applications and services are running. Through this event, it is possible to identify processes associated with critical functions, verify the correct segmentation of tasks within systems, and detect potential misconfigurations that allow functions with different security levels to coexist in the same component.', null, null, null, null, null, null, null, null, null, 801, true, 284, 'TEMPLATE', null, null, 'Windows 2.2 Process Creation', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1105, 'This report compiles relevant information from 7045 events (A service was installed in the system) generated in Windows, with the goal of verifying compliance with PCI DSS requirement 2.2.4. This requirement establishes that only services, protocols, daemons, and functions necessary for system operation should be enabled, and that all unnecessary functionality should be removed or disabled.

Event 7045 allows you to audit the installation of new services on the system, providing visibility into the activation of software that could introduce security risks. This event allows you to identify unauthorized services, verify that only essential processes are running, and detect improper configurations that could expose the infrastructure to unnecessary threats.', null, null, null, null, null, null, null, null, null, 801, true, 290, 'TEMPLATE', null, null, 'Windows 2.2 Installation of Services', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1106, 'This report compiles relevant information from 4719 events (System audit policy was changed) generated in Windows, with the goal of verifying compliance with PCI DSS requirement 2.2.6, which requires that system security parameters be configured to prevent misuse.

Event 4719 allows you to audit changes to the system audit policy, providing visibility into modifications that could weaken security or allow unauthorized access. This event can detect unauthorized changes in audit logs, ensuring that security configurations remain aligned with best practices and compliance standards.', null, null, null, null, null, null, null, null, null, 801, true, 280, 'TEMPLATE', null, null, 'Windows 2.2 Policy changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1107, 'This report compiles relevant information from 1102 events (Audit log was cleared) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 2.3, which establishes that wireless environments must be configured and managed securely.

Event 1102 indicates that audit logs have been cleared, which may be a sign of an attempt to hide unauthorized changes to critical configurations, including management of security parameters on wireless networks, such as default encryption keys, access point passwords, and SNMP settings. Monitoring this event helps detect potential attempts to circumvent security controls and ensure that wireless network configurations remain aligned with required security standards.', null, null, null, null, null, null, null, null, null, 801, true, 295, 'TEMPLATE', null, null, 'Windows 2.3 Cleaned Event Log', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1108, 'This report compiles relevant information from 4738 events (A user account was changed) generated in Windows, with the goal of verifying compliance with PCI DSS requirement 2.3.2, which establishes that wireless encryption keys must be changed in specific situations, such as the departure of employees with knowledge of the keys or when there is a suspicion of compromise.

Event 4738 records changes to user accounts, which can help identify changes in privileges or access by personnel who may have had knowledge of the wireless network''s encryption keys. Monitoring these events ensures that keys are updated in a timely manner, reducing the risk of unauthorized access to networks that transmit sensitive data.', null, null, null, null, null, null, null, null, null, 801, true, 308, 'TEMPLATE', null, null, 'Windows 2.3 User Account Attributes Changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1109, 'This report compiles relevant information from 4670 events (Permissions on an object were changed) generated in Windows, with the goal of verifying compliance with PCI DSS requirements 3.1 and 3.1.1. This requirement establishes that processes and mechanisms for protecting stored account data must be defined and understood, and that related security policies and procedures must be documented, up-to-date, in use, and known to all affected parties.

Event 4670 allows you to audit changes made to the permissions of audit objects, providing visibility into changes in access and rights related to sensitive data. This event allows you to identify whether any changes have been made to access permissions on stored account data, ensuring that these changes align with established security policies and that access is appropriate and controlled.', null, null, null, null, null, null, null, null, null, 802, true, 274, 'TEMPLATE', null, null, 'Windows 3.1 Protected Object Permission Change', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1110, 'This report compiles relevant information from events 4719 (System audit policy was changed) generated in Windows, with the goal of verifying compliance with PCI DSS requirements 3.1 and 3.1.1. This requirement establishes that processes and mechanisms for protecting stored account data must be defined and understood, and that related security policies and procedures must be documented, up-to-date, in use, and known to all affected parties.

Event 4719 allows auditing of changes made to system audit policy settings, which is crucial to ensuring that audit policies remain appropriate, up-to-date, and aligned with security requirements. This event allows verification that system audit settings are being reviewed and managed correctly, which contributes to maintaining traceability and control over activities related to stored account data.', null, null, null, null, null, null, null, null, null, 802, true, 280, 'TEMPLATE', null, null, 'Windows 3.1 Policy changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1111, 'This report compiles relevant information from 4732 events (A member was added to a security-enabled local group) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 3.1.2. This requirement establishes that roles and responsibilities for performing activities related to the protection of stored account data must be documented, assigned, and understood.

Event 4732 allows for auditing the assignment of users to local security groups, providing visibility into the delegation of roles and responsibilities within the system. This event allows for verifying that the appropriate roles are being assigned to the right people, ensuring that tasks related to the protection of account data are clearly defined and that those responsible understand their duties. This helps ensure that access controls and role management are consistent with established security policies.', null, null, null, null, null, null, null, null, null, 802, true, 320, 'TEMPLATE', null, null, 'Windows 3.1 Member Addition to a Security Local Group', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1112, 'This report compiles relevant information from 4733 events (A member was removed from a security-enabled local group) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 3.1.2. This requirement establishes that roles and responsibilities for performing activities related to the protection of stored account data must be documented, assigned, and understood.

Event 4733 allows for auditing the removal of users from local security groups, providing visibility into changes to roles and responsibilities within the system. This event allows for verification that roles assigned to the correct individuals are kept up to date, and that improper changes that could affect the security of account data are prevented. This helps ensure that responsibilities related to information protection are properly managed and understood, as established in security policies.', null, null, null, null, null, null, null, null, null, 802, true, 321, 'TEMPLATE', null, null, 'Windows 3.1 Local Security Group Member Removal', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1113, 'This report compiles relevant information from 4728 events (A member was added to a security-enabled local group) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 3.1.2. This requirement establishes that roles and responsibilities for performing activities related to the protection of stored account data must be documented, assigned, and understood.

Event 4728 allows for auditing the addition of members to local security groups, providing visibility into changes to roles and responsibilities within the system. This event allows for verifying that the correct users are assigned to the appropriate roles, ensuring that tasks related to the protection of account data are performed by authorized and properly trained personnel. This contributes to maintaining the integrity of roles and responsibilities management, as required by the security policies defined in the PCI DSS standard.', null, null, null, null, null, null, null, null, null, 802, true, 316, 'TEMPLATE', null, null, 'Windows 3.1 Additions to Security Groups', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1114, 'This report compiles relevant information from 4663 events (An attempt was made to access an object) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 3.2. This requirement establishes that account data storage must be kept to a minimum, through the implementation of appropriate policies, procedures, and processes for data retention and deletion.

Event 4663 allows for auditing attempts to access objects in the system, providing visibility into the processes for manipulating stored data. This event can detect unauthorized or inappropriate access to sensitive account data, which could indicate unnecessary storage or a failure to comply with data retention policies. Additionally, this event helps verify that secure deletion processes or the disabling of stored data are being carried out in accordance with defined policies, thereby minimizing the risk of information exposure beyond the time necessary to comply with legal, regulatory, or business requirements.', null, null, null, null, null, null, null, null, null, 802, true, 277, 'TEMPLATE', null, null, 'Windows 3.2 Access to critical files or specific directories', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1115, 'This report compiles relevant information from 4688 events (A new process has been created) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 3.2. This requirement establishes that account data storage must be kept to a minimum through the implementation of appropriate policies, procedures, and processes for data retention and deletion.

Event 4688 allows the creation of new processes in the system to be audited, helping to identify activities that could generate, process, or store account data. This event allows you to verify that applications and processes that handle sensitive data are aligned with defined retention policies, ensuring that account data is retained only in the necessary locations and for the duration stipulated in the policies. Additionally, this event helps verify that, if the data is no longer needed, secure deletion or data deprecation processes are carried out in accordance with established procedures. This ensures that data storage is limited and complies with legal, regulatory, and business requirements, and that data is not retained beyond the required period.', null, null, null, null, null, null, null, null, null, 802, true, 284, 'TEMPLATE', null, null, 'Windows 3.2 Process Creation', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1116, 'This report compiles relevant information from 1102 events (The audit log was cleared) generated in Windows, with the aim of verifying compliance with PCI DSS Requirement 3.2.1. This requirement establishes that account data storage must be kept to a minimum, ensuring that data is stored only in the necessary locations and for the time period determined by data retention and deletion policies.

Event 1102 allows auditing the deletion or clearing of audit logs in the system, providing visibility into when and why records were deleted. This event is relevant to verify that account data retention policies are being applied correctly and that audit logs, which may contain sensitive information, have not been deleted before the minimum retention period defined in the policy is reached. It also helps verify that, once the defined retention period has elapsed, account data is deleted or rendered unrecoverable in accordance with established procedures. This ensures that sensitive information is not stored beyond the necessary time, complying with legal, regulatory, and business requirements.', null, null, null, null, null, null, null, null, null, 802, true, 295, 'TEMPLATE', null, null, 'Windows 3.2 Cleaned Event Log', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1117, 'This report compiles relevant information from 4660 events (An object was deleted) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 3.3, which states that sensitive authentication data (SAD) should not be stored after authorization.

Event 4660 allows you to audit the deletion of objects from the system, providing visibility into when and what data is deleted. This event is essential for verifying that sensitive authentication data, such as card details, verification code, and PIN, are either deleted or rendered unrecoverable after authorization. Auditing this event ensures that any sensitive content, including the full content of the tracks, the card verification code, or the PIN, is not unnecessarily retained in the system after the authorization transaction is completed.

By analyzing the logs for this event, it is possible to verify that the mechanisms and processes for deleting sensitive data are correctly implemented, aligning with PCI DSS requirements for the protection of confidential information. This ensures that the principles of minimal storage and secure handling of sensitive authentication data are not violated.', null, null, null, null, null, null, null, null, null, 802, true, 298, 'TEMPLATE', null, null, 'Windows 3.3 Object Deletion', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1118, 'This report compiles relevant information from 5379 (Credential Validation) events generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 3.3.3. This requirement establishes that the storage of sensitive authentication data (SAD) must be limited to what is necessary for legitimate business purposes and must be adequately secured.

Event 5379 allows for auditing credential validation, which is essential to ensure that access to sensitive authentication data is restricted to authorized users or systems and that appropriate security requirements are met to protect this data. By analyzing this event, it is possible to verify that access and transactions related to SAD storage are subject to strict validation and access controls, and that the information is handled in accordance with the organization''s security policies.

This report helps assess whether SAD storage meets legitimate business needs and whether security best practices are followed to ensure that such data is adequately protected, minimizing the risk of unauthorized access and ensuring compliance with PCI DSS requirements for the protection of sensitive data.', null, null, null, null, null, null, null, null, null, 802, true, 315, 'TEMPLATE', null, null, 'Windows 3.3 Credential Access', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1119, 'This report compiles relevant information from 5038 (Code Integrity Policy Change) events generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 3.3.3. This requirement establishes that the storage of sensitive authentication data (SAD) must be limited to what is necessary for legitimate business purposes and must be adequately secured.

Event 5038 provides logs of changes to code integrity policies, which is crucial for ensuring that configurations related to SAD storage have not been modified unauthorizedly. Through this event, changes to security policies that affect the protection of sensitive authentication data can be tracked, ensuring that any SAD storage is subject to strict controls and remains within the parameters necessary for business operations.

This report facilitates the assessment of whether SAD storage meets legitimate business needs by providing evidence that security policies are appropriately configured to protect such data and prevent unauthorized access, in compliance with PCI DSS requirements.', null, null, null, null, null, null, null, null, null, 802, true, 337, 'TEMPLATE', null, null, 'Windows 3.3 Audit File integrity Validation Failed', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1120, 'This report compiles relevant information from Windows 4624 events to verify compliance with PCI DSS Requirement 3.4.2. This requirement establishes that, when remote access technologies are used, technical controls must prevent the copying and/or relocation of PANs (Primary Account Numbers) by all personnel, except those with express, documented authorization and a defined, legitimate business need.

Event 4624 provides details on successful login attempts to the system, allowing for effective auditing of system access. This event allows you to verify whether remote access is being performed by authorized personnel and whether technical measures are in place to prevent unauthorized manipulation of the PAN, thereby meeting the security requirements of PCI DSS.

Remote access to systems is analyzed, authenticated user identification is identified, and access controls and security policies are validated to prevent unauthorized access that could compromise the security of the PAN and other sensitive information stored or transmitted.', null, null, null, null, null, null, null, null, null, 802, true, 265, 'TEMPLATE', null, null, 'Windows 3.4 Account Logon Success', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1121, 'This report compiles relevant information from Windows 4776 events to verify compliance with PCI DSS Requirement 3.4.2. This requirement establishes that, when using remote access technologies, technical controls must be implemented to prevent the copying and/or relocation of the PAN (Primary Account Number) by anyone except those with explicit, documented authorization and a defined, legitimate business need.

Event 4776 provides information on user authentication attempts, specifically related to the use of credentials to log in remotely. This event is useful for tracking remote access and ensuring that technical controls are operating properly to prevent unauthorized access and manipulation of the PAN.

This event can be used to verify that remote access is being performed only by authorized personnel with valid credentials and the necessary permissions to manipulate sensitive data such as the PAN, in compliance with the remote access policies defined by PCI DSS. The report allows you to review compliance with security measures and appropriate access controls, ensuring that account data is protected throughout the remote access process.', null, null, null, null, null, null, null, null, null, 802, true, 301, 'TEMPLATE', null, null, 'Windows 3.4 Account Authentication Using NTLM', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1122, 'This report compiles relevant information from Windows 4769 events, with the goal of verifying compliance with PCI DSS Requirement 3.4.2. This requirement establishes that, when using remote access technologies, technical controls must be implemented to prevent the copying and/or relocation of the PAN (Primary Account Number) by anyone except those with explicit, documented authorization and a legitimate, defined business need.

Event 4769 refers to the issuance of a service grant ticket (TGT) to a user in the context of a Kerberos-based authentication system. This event is key for tracking and verifying remote authentication requests through a domain controller, providing details on authorized or denied access and allowing auditing of whether the remote access requests were made by personnel with valid permissions.

This report allows you to monitor and ensure that the technical controls implemented to prevent the copying and/or relocation of PAN are functioning properly, allowing only users with documented authorization and a legitimate business need to access sensitive data. It also allows you to verify whether remote access is being properly managed, following the remote access policies defined by PCI DSS.', null, null, null, null, null, null, null, null, null, 802, true, 343, 'TEMPLATE', null, null, 'Windows 3.4 Kerberos Service Ticket', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1123, 'This report compiles relevant information from 4670 events (Permissions on Audit Objects Changed) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 4.1. This requirement establishes that processes and mechanisms for protecting cardholder data using strong cryptography during transmission over open, public networks must be clearly defined and understood.

Event 4670 allows for auditing changes to security object permissions, providing visibility into modifications to critical settings that could affect the protection of transmitted data. This event can identify attempts to alter encryption policy settings, changes to security certificates, or adjustments to communication protocols that could compromise the security of the PAN (Primary Account Number) during transmission.

This analysis assesses the proper implementation and maintenance of cryptographic measures, ensuring that only authorized personnel can modify key settings and that PCI DSS controls for the secure transmission of cardholder data are followed.', null, null, null, null, null, null, null, null, null, 803, true, 274, 'TEMPLATE', null, null, 'Windows 4.1 Protected Object Permission Change', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1124, 'This report compiles relevant information from 4719 events (System Audit Configuration Changed) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 4.1. This requirement establishes that processes and mechanisms for protecting cardholder data using strong cryptography during transmission over open, public networks must be defined and understood.

Event 4719 allows for auditing changes to system audit configurations, which is critical to ensuring oversight of data protection-related activities during transmission. Changing these parameters could impact the ability to detect unauthorized access, changes to security certificates, cryptographic protocol failures, or attempts to disable critical event monitoring.

Analysis of these events provides visibility into potential system audit changes, allowing verification that security policies and procedures are documented, up-to-date, and operational, in accordance with the controls established in PCI DSS for the secure transmission of cardholder data.', null, null, null, null, null, null, null, null, null, 803, true, 280, 'TEMPLATE', null, null, 'Windows 4.1 Policy changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1125, 'This report compiles relevant information from the 1102 event (Audit log was deleted) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 4.1.1. This requirement establishes that all security policies and operating procedures related to the protection of cardholder data during transmission over open and public networks must be documented, up-to-date, in use, and known to all affected parties.

Event 1102 is critical because it indicates the deletion of the audit log, which could compromise the ability to monitor and detect unauthorized access, changes to security settings, or attempts to circumvent data protection controls. Reviewing this event allows for assessing whether security procedures are being followed and whether the integrity of the audit logs is being maintained, ensuring that data protection policies are implemented and operational in compliance with PCI DSS.

Analyzing these events helps identify potential security breaches and verify that the organization has adequate mechanisms for managing, updating, and enforcing cardholder data protection policies.', null, null, null, null, null, null, null, null, null, 803, true, 295, 'TEMPLATE', null, null, 'Windows 4.1 Cleaned Event Log', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1126, 'This report compiles relevant information from the 4732 events (A user was added to a security group) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 4.1.2. This requirement establishes that roles and responsibilities for implementing security controls in the transmission of cardholder data must be documented, assigned, and understood by the involved parties.

Event 4732 is crucial for auditing access management to security groups, as it verifies the correct assignment of privileges to users responsible for applying cryptographic measures and other security controls in the transmission of sensitive data. Proper monitoring of this event facilitates the detection of improper assignments or unauthorized changes to the structure of roles and responsibilities.

This analysis assesses whether the assignment of roles in the security infrastructure is aligned with documented policies and whether access is controlled in accordance with operational and PCI DSS compliance requirements.', null, null, null, null, null, null, null, null, null, 803, true, 320, 'TEMPLATE', null, null, 'Windows 4.1 Member Addition to a Security Local Group', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1127, 'This report compiles relevant information from 4733 events (A user was removed from a security group) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 4.1.2. This requirement establishes that the roles and responsibilities associated with the protection of cardholder data, particularly in the context of secure data transmission, must be documented, assigned, and understood by all involved parties.

Event 4733 is crucial for monitoring access management to security groups within the system infrastructure. It identifies changes in permissions or the removal of users from groups responsible for implementing security controls over the transmission of sensitive data. This event is key to ensuring that assigned roles are aligned with documented security policies and that users with critical responsibilities remain appropriate.

Analyzing this event helps ensure that access is managed correctly and that roles related to data protection are up-to-date and understood by users, minimizing the risk of unauthorized access or improper modification.', null, null, null, null, null, null, null, null, null, 803, true, 321, 'TEMPLATE', null, null, 'Windows 4.1 Local Security Group Member Removal', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1128, 'This report compiles relevant information from event 36874 (Use of Certificate or Private Key) generated in Windows, with the goal of verifying compliance with PCI DSS Requirement 4.2.1. This requirement establishes the implementation of robust cryptography and security protocols to protect the PAN (Cardholder Account Number) during transmission over public and open networks.

Event 36874 is essential for auditing the use of certificates and private keys during the transmission of sensitive data, confirming that only trusted keys and certificates are accepted, that they are valid, and that they have not expired or been revoked. Additionally, this event verifies that the protocols used in PAN transmission comply with security standards, avoiding insecure versions, outdated algorithms, inadequate key sizes, or vulnerable implementations.

This analysis helps ensure that the encryption methods implemented are adequate and maintain the integrity and confidentiality of cardholder data, thereby protecting information during transmission over open public networks.', null, null, null, null, null, null, null, null, null, 803, true, 374, 'TEMPLATE', null, null, 'Windows 4.2 TLS protocol Errors', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1129, 'This report compiles relevant information from events 4673 (Attempt to access an audit object) and 4674 (Action performed on an audit object) generated in Windows, with the goal of verifying compliance with PCI DSS requirement 4.2.2. This requirement establishes that the PAN (cardholder account number) must be protected using strong cryptography whenever it is sent via messaging technologies used by end users.

Events 4673 and 4674 are essential for auditing actions performed on audit objects that involve the transmission of PAN. These events allow for the identification and monitoring of attempts to access sensitive information and actions performed on card account data, ensuring that only authorized users can interact with said information.

By analyzing these events, it is verified that the PAN transmission is adequately protected with strong cryptography technologies, ensuring that the information remains confidential during its transfer via messaging channels used by users. This control is essential to meet the security requirements established by PCI DSS, ensuring that cardholder data is not exposed to unnecessary risks during transmission.', null, null, null, null, null, null, null, null, null, 803, true, 286, 'TEMPLATE', null, null, 'Windows 4.2 Use of Elevated Privileges', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1130, 'This report gathers relevant information from event 4698 generated in Windows logs, with the aim of assessing compliance with PCI DSS requirement 4.2.2. This requirement establishes that the PAN (cardholder account number) must be protected using strong cryptography whenever it is transmitted through messaging technologies used by end users.

Event 4698 allows for auditing configurations related to the use of messaging technologies, ensuring that the necessary security controls are in place to protect the transmission of the PAN. This includes verifying that the cryptographic methods used are appropriate and that sensitive information is properly encrypted in transit.

This analysis ensures compliance with the PAN protection policy during transmission through messaging channels, validating that security and cryptographic technologies are configured correctly and that the information is adequately protected against unauthorized access, in accordance with the requirements established by PCI DSS.', null, null, null, null, null, null, null, null, null, 803, true, 372, 'TEMPLATE', null, null, 'Windows 4.2 Scheduled Task Creation', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1131, 'This report collects and analyzes information generated by Windows 1102 events, which indicate the deletion of records in the system''s Event Viewer. Since log integrity is critical for monitoring and detecting malicious activity, this report assesses compliance with PCI DSS Requirement 5.1, ensuring that malware protection mechanisms are documented, updated, and in use.

Analyzing these events helps identify potential attempts to hide suspicious activity, ensuring that the security infrastructure maintains adequate records for threat detection and prevention.', null, null, null, null, null, null, null, null, null, 804, true, 295, 'TEMPLATE', null, null, 'Windows 5.1 Cleaned Event Log', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1132, 'This report collects and analyzes information from Windows event 4719, which indicates changes to system audit settings. Since event monitoring and logging are critical for detecting malicious activity, this report assesses compliance with PCI DSS Requirement 5.1, ensuring that processes and mechanisms for protecting systems and networks against malicious software are properly defined and operational.

Analyzing these events can identify unauthorized modifications to audit policies, which could compromise the ability to detect and respond to security threats.', null, null, null, null, null, null, null, null, null, 804, true, 280, 'TEMPLATE', null, null, 'Windows 5.1 Policy changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1133, 'This report collects and analyzes Windows 5007 events, which indicate changes to Windows Defender security policy settings. Since PCI DSS Requirement 5.3 establishes the need for anti-malware mechanisms and processes to be active, maintained, and monitored, this report helps identify unauthorized or unexpected changes to the security solution''s configuration.

Monitoring these events helps ensure the integrity and effectiveness of anti-malware measures, ensuring that critical settings are not altered inappropriately and that malware protection remains operational at all times.', null, null, null, null, null, null, null, null, null, 804, true, 287, 'TEMPLATE', null, null, 'Windows 5.3 Changes to Defender settings', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1134, 'This report collects and analyzes Windows 4688 events, which record the creation of new processes on the system. Since PCI DSS Requirement 5.4 establishes the need for protection mechanisms against phishing attacks, this report identifies the execution of suspicious or malicious processes related to phishing attempts, such as the opening of malicious scripts, dangerous attachments, or exploit tools.

Analyzing these events helps evaluate the effectiveness of implemented anti-phishing solutions, ensuring that threat detection and response controls are adequate and operational.', null, null, null, null, null, null, null, null, null, 804, true, 284, 'TEMPLATE', null, null, 'Windows 5.4 Process Creation', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1135, 'This report presents information extracted from Windows event 4672 logs, used to verify compliance with PCI DSS Requirement 6.1. Event 4672 is generated when a user gains administrative privileges, which is crucial to ensure that the security policies and procedures defined in Requirement 6 are documented, up-to-date, in use, and known to all affected parties. It also helps verify that roles and responsibilities related to the management and secure development of systems and software are clearly assigned and understood. 
Reviewing this event ensures that security configurations and practices are aligned with organizational policies and defined responsibilities for system security.', null, null, null, null, null, null, null, null, null, 806, true, 278, 'TEMPLATE', null, null, 'Windows 6.1 Special privileges assigned to new logon', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1136, 'This report collects relevant information extracted from Windows event logs (Event 4688) used to verify compliance with PCI DSS Requirement 6.1. Requirement 6.1 establishes that processes and mechanisms for developing and maintaining secure systems and software must be defined and understood by all involved parties.

Event 4688 is generated each time a new process is started in the system, allowing tracking of program execution and role assignment. This information is critical for verifying that the security policies and operational procedures identified in Requirement 6.1.1 are being properly implemented. Specifically, this event verifies that policies related to software and process execution are documented, up-to-date, and in use.

Additionally, the event helps identify the assignment of roles and responsibilities within software processes, ensuring that the tasks described in Requirement 6.1.2, such as secure system development and maintenance activities, are documented, assigned, and understood by the responsible personnel.

The report generated with this information allows for auditing and validating that the actions of users and processes interacting with the system are consistent with the organization''s security policies and procedures, thus meeting PCI DSS requirements.', null, null, null, null, null, null, null, null, null, 806, true, 284, 'TEMPLATE', null, null, 'Windows 6.1 Process Creation', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1137, 'This report collects relevant information from Windows Event 4689 logs to assess compliance with PCI DSS Requirement 6.1. Event 4689 provides details on process terminations within the system, allowing validation that security policies and operational procedures are documented, up-to-date, and in use, in accordance with 6.1.1. 
It also ensures that the roles and responsibilities associated with developing and maintaining secure systems are clearly defined and understood, as required by 6.1.2.', null, null, null, null, null, null, null, null, null, 806, true, 302, 'TEMPLATE', null, null, 'Windows 6.1 Process Termination', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1138, 'This report compiles relevant information from Windows Event 4662 logs to verify compliance with PCI DSS Requirement 6.1. Event 4662 provides details on attempts to modify or access objects, enabling verification that security policies and operational procedures are properly documented, up-to-date, and in use (6.1.1), and that roles and responsibilities related to developing and maintaining secure systems are documented, assigned, and understood (6.1.2), as required by PCI DSS.', null, null, null, null, null, null, null, null, null, 806, true, 297, 'TEMPLATE', null, null, 'Windows 6.1 Protected Object Access Operation', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1139, 'This report compiles and analyzes relevant information extracted from Windows Event 1102 logs, used to assess compliance 
with PCI DSS Requirement 6.2, which addresses security in custom software development. The analysis focuses on how security best practices and standards are implemented throughout the software development lifecycle, including secure authentication, event logging, and code review, with the goal of identifying vulnerabilities and mitigating risks related to common software attacks. It also examines compliance with development staff training criteria, the use of software engineering techniques to prevent vulnerabilities, and the methodologies applied to ensure software complies with the security regulations required by PCI DSS.', null, null, null, null, null, null, null, null, null, 806, true, 295, 'TEMPLATE', null, null, 'Windows 6.2 Cleaned Event Log', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1140, 'This report collects and analyzes relevant information from Windows event 4720 logs, which record the creation of new accounts in the system. Its purpose is to assess compliance with PCI DSS Requirement 6.2, ensuring that custom software development is carried out securely. Analysis of these events identifies potential security gaps in access management, ensuring that only authorized users can interact with development, testing, and production environments. 
It also reviews whether authentication and account control processes follow established security best practices and standards, contributing to the prevention of unauthorized access, mitigating security risks, and implementing audit measures in compliance with PCI DSS.', null, null, null, null, null, null, null, null, null, 806, true, 267, 'TEMPLATE', null, null, 'Windows 6.2 User Accounts Created', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1141, 'This report compiles and analyzes relevant information from Windows event 4722 logs, which indicate the activation of previously disabled user accounts. Its objective is to assess compliance with PCI DSS Requirement 6.2, ensuring that custom software development is carried out securely and in accordance with established standards. Analysis of these events allows for the detection of potential irregularities in access management and the evaluation of whether the activated accounts comply with secure authentication and privilege management controls. 
It also verifies that account management and access auditing practices contribute to mitigating security risks, preventing unauthorized access to development, testing, and production environments, in alignment with the security principles required by PCI DSS.', null, null, null, null, null, null, null, null, null, 806, true, 293, 'TEMPLATE', null, null, 'Windows 6.2 User Accounts Enabled', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1142, 'This report collects and analyzes relevant information from the logs of Windows event 5038, which indicates that the system integrity policy configuration has been compromised. Its purpose is to assess compliance with PCI DSS Requirement 6.3, ensuring that security vulnerabilities are effectively identified and addressed. Analysis of these events allows for the detection of potential alterations to system integrity, which could indicate the presence of threats or unauthorized configurations that increase the risk of vulnerability exploitation. It also reviews whether response and mitigation measures, such as the application of security patches and vulnerability management in custom and third-party software, meet the timelines and criteria established by PCI DSS. 
This approach contributes to the protection of system components against known vulnerabilities, reducing the impact of potential attacks and ensuring environmental security.', null, null, null, null, null, null, null, null, null, 806, true, 337, 'TEMPLATE', null, null, 'Windows 6.3 Audit File integrity Validation Failed', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1144, 'This report collects and analyzes relevant information from Windows event 4728 logs, which record the addition of a user to a security group. Its objective is to assess compliance with PCI DSS Requirement 6.4, ensuring that public-facing web applications are protected against attacks. Analysis of these events identifies changes in privilege assignment that could grant unauthorized access to critical resources related to web application security. It also reviews whether access controls and security group management comply with best practices to minimize exploitation risks, prevent privilege escalation attacks, and ensure that only authorized users can perform sensitive configurations. 
This approach contributes to the detection and mitigation of potential threats, aligning with the security controls established by PCI DSS for the protection of publicly exposed web applications.', null, null, null, null, null, null, null, null, null, 806, true, 316, 'TEMPLATE', null, null, 'Windows 6.4 Additions to Security Groups', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1145, 'This report collects and analyzes relevant information from Windows event 4648 logs, which record the use of explicit credentials for authentication on the system. Its objective is to assess compliance with PCI DSS Requirement 6.4, ensuring that public web applications are protected against attacks. Analysis of these events allows for the detection of suspicious authentication attempts, misuse of privileged credentials, or potential phishing attacks. It also reviews whether access controls, authentication management, and credential protection mechanisms comply with security best practices to minimize exploitation risks. 
This approach contributes to the early detection of threats, ensuring the protection of web applications against vulnerabilities and aligning them with the security controls required by PCI DSS.', null, null, null, null, null, null, null, null, null, 806, true, 281, 'TEMPLATE', null, null, 'Windows 6.4 Logins with explicit credentials', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1146, 'This report collects and analyzes relevant information from Windows event 4719 logs, which indicate changes to the system''s audit policy configuration. Its purpose is to assess compliance with PCI DSS Requirement 6.5, ensuring that changes to system components are managed securely and in accordance with established procedures. Monitoring these events allows for the identification of unauthorized changes to audit policies, ensuring traceability of modifications in the production environment. Additionally, it verifies that all modifications comply with documentation, approval, and security impact testing controls before being implemented. 
This approach contributes to the detection and mitigation of risks associated with uncontrolled changes, ensuring the security and stability of the environment in compliance with PCI DSS requirements.', null, null, null, null, null, null, null, null, null, 806, true, 280, 'TEMPLATE', null, null, 'Windows 6.5 Policy changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1147, 'This report collects and analyzes Windows 4719 events, which record changes to the system''s audit policy. Its purpose is to assess compliance with PCI DSS Requirement 7.1, ensuring that processes and mechanisms for restricting access to system components and cardholder data are defined, understood, and in use. Monitoring these events can detect unauthorized changes to audit policies, ensuring they are documented, updated, and effectively enforced.', null, null, null, null, null, null, null, null, null, 805, true, 280, 'TEMPLATE', null, null, 'Windows 7.1 Policy changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1148, 'This report collects and analyzes Windows 1102 events, which indicate the deletion of the security audit log. 
Its purpose is to assess compliance with PCI DSS Requirement 7.1, ensuring that processes and mechanisms for restricting access to system components and cardholder data are defined, understood, and in use. Monitoring these events can detect potential attempts to conceal unauthorized activity, ensuring the integrity and availability of audit logs.', null, null, null, null, null, null, null, null, null, 805, true, 295, 'TEMPLATE', null, null, 'Windows 7.1 Cleaned Event Log', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1149, 'This report collects and analyzes Windows 4720 events, which record the creation of new user accounts. Its purpose is to assess compliance with PCI DSS Requirement 7.2, ensuring that access to system components and data is appropriately defined and assigned. 
Monitoring these events helps identify the creation of unauthorized accounts, verify the assignment of privileges based on job functions, and ensure the principle of least privilege in access management.', null, null, null, null, null, null, null, null, null, 805, true, 267, 'TEMPLATE', null, null, 'Windows 7.2 User Accounts Created', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1150, 'This report collects and analyzes Windows 4722 events, which record the activation of user accounts. Its purpose is to assess compliance with PCI DSS Requirement 7.2, ensuring that access to system components and data is appropriately defined and assigned. 
Monitoring these events allows for the detection of reactivation of inactive or disabled accounts, verification of access management in accordance with job functions, and enforcement of the principle of least privilege.', null, null, null, null, null, null, null, null, null, 805, true, 293, 'TEMPLATE', null, null, 'Windows 7.2 User Accounts Enabled', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1151, 'This report collects and analyzes Windows 4728 events, which record the addition of users to security groups. The objective of this report is to assess compliance with PCI DSS Requirement 7.2, which establishes that access to system components and data must be properly defined and assigned. 
By monitoring these events, we ensure that users are assigned to the appropriate groups based on their job functions, ensuring the principle of least privilege is applied and that access to data and systems is restricted according to business needs.', null, null, null, null, null, null, null, null, null, 805, true, 316, 'TEMPLATE', null, null, 'Windows 7.2 Additions to Security Groups', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1152, 'This report collects and analyzes Windows 4732 events, which record the addition of users to security groups on the system. Its purpose is to assess compliance with PCI DSS Requirement 7.2, which establishes that access to system components and data must be appropriately defined and assigned. 
By reviewing these events, we validate that access to resources and systems is granted according to users'' specific roles and needs, ensuring the implementation of the principle of least privilege and guaranteeing that only authorized users have access to critical information based on their role.', null, null, null, null, null, null, null, null, null, 805, true, 320, 'TEMPLATE', null, null, 'Windows 7.2 Member Addition to a Security Local Group', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1153, 'This report collects and analyzes Windows 4729 events, which record the removal of users from security groups on the system. Its objective is to assess compliance with PCI DSS Requirement 7.2, which establishes that access to system components and data must be appropriately defined and assigned. 
By reviewing these events, it is verified that access is appropriately revoked when users no longer require access to specific resources or data, ensuring effective privilege management and ensuring that only authorized users retain access based on their role and needs.', null, null, null, null, null, null, null, null, null, 805, true, 317, 'TEMPLATE', null, null, 'Windows 7.2 Member Addition to a Security Local Group', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1154, 'This report compiles information from Windows 4733 events, which record the removal of a user from a security group, indicating a change in system access privileges. Its purpose is to assess compliance with PCI DSS Requirement 7.2, which requires that access to system components and data be properly defined and assigned. 
By analyzing these logs, it is ensured that access is revoked appropriately and in a timely manner, ensuring that users have only the privileges necessary to perform their functions and thus protecting the security of sensitive data and system resources.', null, null, null, null, null, null, null, null, null, 805, true, 321, 'TEMPLATE', null, null, 'Windows 7.2 Local Security Group Member Removal', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1155, 'This report collects information from Windows 4670 events, which record access and modification events on security objects. Its purpose is to assess compliance with PCI DSS Requirement 7.2, which ensures that access to system components and data is defined and assigned according to the principle of least privilege. 
These logs verify that access to specific resources is properly managed and assigned to users according to their roles and responsibilities, ensuring that excessive or inappropriate permissions are not granted, and protecting the integrity of sensitive data and critical applications.', null, null, null, null, null, null, null, null, null, 805, true, 274, 'TEMPLATE', null, null, 'Windows 7.2 Protected Object Permission Change', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1156, 'This report compiles information from Windows 4662 events, which record audit actions on security objects, such as the creation, modification, or deletion of permissions on specific files or directories. The purpose is to assess compliance with PCI DSS Requirement 7.2, which establishes that access to system components and data must be appropriately defined and assigned. 
These logs verify that access to systems and resources is properly controlled and assigned according to user roles, following the principle of least privilege and ensuring that only the permissions strictly necessary to perform job duties are granted.', null, null, null, null, null, null, null, null, null, 805, true, 297, 'TEMPLATE', null, null, 'Windows 7.2 Protected Object Access Operation', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1157, 'This report compiles relevant information from Windows 4798 events, which record queries and access to specific system objects, such as changes to user groups and assigned permissions. The purpose of this report is to verify compliance with PCI DSS Requirement 7.2, which establishes that access to system components and data must be appropriately defined and assigned. 
Through 4798 events, the correct assignment of privileges can be tracked and audited, ensuring that access to systems and data is consistent with business needs and the principle of least privilege, and that permissions are granted only to those users whose role warrants it.', null, null, null, null, null, null, null, null, null, 805, true, 307, 'TEMPLATE', null, null, 'Windows 7.2 Group Membership Enumerated', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1158, 'This report compiles relevant information from Windows 4624 events, which record successful system logins. The information contained in these events is crucial for assessing compliance with PCI DSS Requirement 7.3, which establishes that access to system components and data must be managed through an access control system. 4624 events verify that system access is carried out in accordance with defined access control policies, ensuring that only authorized users with the necessary privileges have access to sensitive systems and data. 
This allows for auditing and managing access based on business needs and assigned user roles.', null, null, null, null, null, null, null, null, null, 805, true, 265, 'TEMPLATE', null, null, 'Windows 7.3 Account Logon Success', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1159, 'This report compiles relevant information from Windows 4625 events, which record failed login attempts. These event data are essential for assessing compliance with PCI DSS Requirement 7.3, which mandates that access to system components and data must be managed through an access control system. 4625 events provide details on unauthorized access attempts, allowing you to verify that the system is configured to reject unauthorized access and to alert you to potential security risks. 
This report helps audit the effectiveness of access control, ensuring that only legitimate users with the necessary privileges have access to sensitive systems and data.', null, null, null, null, null, null, null, null, null, 805, true, 266, 'TEMPLATE', null, null, 'Windows 7.3 Account Logon Failure', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1160, 'This report compiles relevant information from Windows 4776 events, which record authenticated login attempts using user credentials. 4776 events are key to assessing compliance with PCI DSS Requirement 7.3, which requires access to system components and data to be managed by an access control system. Data from these events allows verification that authenticated access attempts are adequately controlled, confirming that the access control system is functioning correctly to allow only authorized access. 
This report facilitates auditing of implemented access controls, ensuring that user credentials are properly managed and validated for access to critical systems and data.', null, null, null, null, null, null, null, null, null, 805, true, 301, 'TEMPLATE', null, null, 'Windows 7.3 Account Authentication Using NTLM', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1161, 'This report compiles relevant information from Windows events 4768, 4769, and 4771, which are related to the user authentication process via the Kerberos protocol, used for access management on Windows systems. These events provide key information for verifying compliance with PCI DSS Requirement 7.3, which establishes that access to system components and data must be managed through an access control system.

Event 4768: Indicates the issuance of a Kerberos Authentication Ticket (TGT), confirming that a user has been authenticated to the system.
Event 4769: Records the issuance of a Kerberos Service Ticket, detailing authorized access to specific applications or services.
Event 4771: Reports failures in the Kerberos authentication attempt, providing information on unauthorized access. These events allow for auditing the authentication and access control process in systems, ensuring that only authenticated and authorized users can access resources, in accordance with PCI DSS access control principles. This report is essential for validating that access to systems and data is being properly managed and audited.', null, null, null, null, null, null, null, null, null, 805, true, 283, 'TEMPLATE', null, null, 'Windows 7.3 Kerberos ticket requests', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1162, 'This report collects and analyzes 4720 events (Creation of a New User Account) recorded in Windows logs to assess compliance with PCI DSS Requirement 8.2. It verifies that all created accounts have a unique ID before granting access to systems, that generic or shared accounts are not used without documented justification and approval, that account creation is properly authorized with the minimum necessary privileges, that inactive or disassociated user accounts are appropriately managed, and that third-party accounts are activated and deactivated as needed, with activity monitoring. 
This analysis helps ensure secure and controlled management of the user account lifecycle, in line with PCI DSS requirements.', null, null, null, null, null, null, null, null, null, 808, true, 267, 'TEMPLATE', null, null, 'Windows 8.2 User Accounts Created', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1163, 'This report collects and analyzes 4722 events (User Account Enablement) recorded in Windows logs to assess compliance with PCI DSS Requirement 8.2. It verifies that account activation is properly authorized and documented, ensuring that each user has a unique ID before accessing the systems. It also examines that accounts disabled due to inactivity or disassociation are not reactivated without proper justification and approval, and that third-party accounts are managed in a controlled manner. 
This analysis helps ensure proper account lifecycle management, reinforcing security and access traceability.', null, null, null, null, null, null, null, null, null, 808, true, 293, 'TEMPLATE', null, null, 'Windows 8.2 User Accounts Enabled', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1164, 'This report collects and analyzes 4624 (Successful Logon) events recorded in Windows logs to assess compliance with PCI DSS Requirement 8.2. It verifies that each user has a unique ID before accessing systems, preventing the misuse of generic or shared accounts. It also verifies that logged-in sessions correspond to authorized users, that inactive accounts are not used uncontrollably, and that third-party access is monitored and managed appropriately. 
This analysis ensures proper account management and access traceability, strengthening system security.', null, null, null, null, null, null, null, null, null, 808, true, 265, 'TEMPLATE', null, null, 'Windows 8.2 Account Logon Success', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1165, 'This report collects and analyzes 4634 (Logoff) events recorded in Windows logs to assess compliance with PCI DSS Requirement 8.2. It verifies that each user session is properly terminated, ensuring that unauthorized access is prevented and accounts are properly managed. It also reviews the use of unique IDs, the management of inactive accounts, and proper monitoring of third-party access, ensuring that all actions are attributable to individual users and strengthening the security of the environment.', null, null, null, null, null, null, null, null, null, 808, true, 350, 'TEMPLATE', null, null, 'Windows 8.2 Account Logoff', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1166, 'This report collects and analyzes 4648 events (Use of Explicit Credentials) recorded in Windows logs to assess compliance with PCI DSS Requirement 8.2. 
Credential usage is verified to ensure each user has a unique ID before accessing system components or cardholder data. The use of shared accounts, proper management of account additions, deletions, and modifications, and the attribution of actions to individual users are also monitored, ensuring strict account lifecycle management and compliance with authentication controls.', null, null, null, null, null, null, null, null, null, 808, true, 281, 'TEMPLATE', null, null, 'Windows 8.2 Logins with explicit credentials', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1167, 'This report collects and analyzes 4672 events (Special Privileges Assigned to a New Session) recorded in Windows logs to assess compliance with PCI DSS Requirement 8.2. It verifies the use of elevated privileges assigned to users and administrators, ensuring that each account has a unique ID and that privileged access is properly managed and controlled. 
It also monitors the use of shared accounts, the administration of account additions, deletions, and modifications, and the attribution of actions to individual users, ensuring strict account lifecycle management and compliance with authentication controls.', null, null, null, null, null, null, null, null, null, 808, true, 278, 'TEMPLATE', null, null, 'Windows 8.2 Special privileges assigned to new logon', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1168, 'This report collects and analyzes 4726 events (User Account Deletion) recorded in Windows logs to assess compliance with PCI DSS Requirement 8.2. User account deletions are monitored to ensure that access for terminated users is revoked immediately, in accordance with Section 8.2.5. Inactive accounts are also validated as being deleted or disabled within the stipulated 90-day period, in line with Section 8.2.6. 
This analysis helps ensure that account lifecycle management is strict and complies with the security and authentication controls defined in PCI DSS.', null, null, null, null, null, null, null, null, null, 808, true, 272, 'TEMPLATE', null, null, 'Windows 8.2 User Accounts Deleted', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1169, 'This report collects and analyzes 4738 events (User Account Modification) recorded in Windows logs to assess compliance with PCI DSS Requirement 8.2. Changes to user accounts are monitored, including changes to privileges, authentication information, and other key attributes, ensuring that all modifications are properly authorized and documented. 
Additionally, the assignment of unique IDs, restriction on the use of shared accounts, immediate revocation of access for inactive or deregistered users, and attribution of actions to individual users are verified, ensuring strict account lifecycle management in accordance with required authentication controls.', null, null, null, null, null, null, null, null, null, 808, true, 308, 'TEMPLATE', null, null, 'Windows 8.2 User Account Attributes Changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1171, 'This report collects system events related to NTLM authentication attempts (Windows event 4776), both successful and failed, to assess compliance with authentication controls and access management in accordance with PCI DSS Requirement 8.3. Relevant information from these logs is used to verify that user and administrator authentication is properly implemented and managed in accordance with strong authentication requirements. 
This includes verifying that all access attempts are properly authenticated using one or more authentication factors, and that failed attempts are handled according to lockout and access control policies.', null, null, null, null, null, null, null, null, null, 808, true, 301, 'TEMPLATE', null, null, 'Windows 8.3 Account Authentication Using NTLM', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1172, 'This report collects and analyzes events 4768 (Kerberos Authentication Ticket Request), 4769 (Kerberos Authentication Ticket Grant), and 4771 (Kerberos Authentication Ticket Grant Attempt Failed) in the Windows logs to verify compliance with PCI DSS Requirement 8.3. Specifically, it reviews the use of strong authentication for users and administrators, ensuring that system access is validated using factors such as passwords, token devices, or smart cards, and that authentication factors are encrypted both in transit and in storage. It also verifies that restrictions are applied to failed authentication attempts, with a maximum of 10 attempts and user lockouts as established. The password policy is evaluated, ensuring that they are unique, changed regularly, and of appropriate complexity, complying with PCI DSS guidelines. 
In addition, it ensures that authentication factors such as smart cards or tokens are individually assigned and that physical and logical controls exist for their exclusive use.', null, null, null, null, null, null, null, null, null, 808, true, 283, 'TEMPLATE', null, null, 'Windows 8.3 Kerberos ticket requests', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1173, 'Report that compiles relevant information from Windows Event 4740 logs to verify compliance with PCI DSS Requirement 8.3 on strong authentication. It addresses aspects such as multi-factor authentication, the use of strong cryptography, control of failed attempts and account lockouts, and password change and complexity policies, ensuring that best practices are followed to protect user credentials.', null, null, null, null, null, null, null, null, null, 808, true, 276, 'TEMPLATE', null, null, 'Windows 8.3 Account Locks', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1174, 'This report consolidates relevant information from Windows Event 1100 logs, which indicates the closure of the audit log. 
Its purpose is to verify the implementation and activation of audit logs on all system components and in environments that process cardholder data, in compliance with PCI DSS requirements 10.2 and 10.2.1. It also enables the detection of anomalous activity and forensic analysis of events.', null, null, null, null, null, null, null, null, null, 809, true, 314, 'TEMPLATE', null, null, 'Windows 10.2 Event Logging Service Shut Down', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1175, 'This report compiles relevant information from Windows Event 1102 logs, which indicate that the audit log has been deleted. Its analysis is critical to ensuring compliance with PCI DSS requirements 10.2 and 10.2.1, ensuring that audit logs are enabled, active, and protected against unauthorized modification or deletion. 
It also allows for the detection of anomalous activity and forensic security analysis.', null, null, null, null, null, null, null, null, null, 809, true, 295, 'TEMPLATE', null, null, 'Windows 10.2 Cleaned Event Log', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1176, 'This report compiles relevant information from Windows Event 4719 logs, which indicate changes to system audit policy settings. Its purpose is to verify the activation and maintenance of audit logs on all system components and environments that process cardholder data, in compliance with PCI DSS requirements 10.2 and 10.2.1. It also facilitates the detection of unauthorized modifications to audit policies, contributing to the identification of suspicious activity and forensic analysis of events.', null, null, null, null, null, null, null, null, null, 809, true, 280, 'TEMPLATE', null, null, 'Windows 10.2 Policy changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1177, 'This report compiles relevant information from Windows Event 4625 logs, which indicate failed login attempts. 
Its purpose is to support the detection of suspicious activity and authentication anomalies, as well as facilitate forensic analysis of security events. It also verifies that audit logging is enabled and active on all system components and in environments that handle cardholder data, in compliance with PCI DSS requirements 10.2 and 10.2.1.', null, null, null, null, null, null, null, null, null, 809, true, 266, 'TEMPLATE', null, null, 'Windows 10.2 Account Logon Failure', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1178, 'This report gathers relevant information from Windows Event 4672 logs, which indicates the assignment of special privileges to an account. Its purpose is to verify the enablement and activation of audit logs on all system components and environments that handle cardholder data, in compliance with PCI DSS requirements 10.2 and 10.2.1. 
It also facilitates the detection of unusual or suspicious activity and enables forensic analysis of events related to the use of elevated privileges.', null, null, null, null, null, null, null, null, null, 809, true, 278, 'TEMPLATE', null, null, 'Windows 10.2 Special privileges assigned to new logon', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1179, 'This report compiles relevant information from Windows Event 4720 logs, which indicate the creation of new user accounts. Its purpose is to verify that all actions performed by individuals with administrative access, including interactive use of system or application accounts, are logged in accordance with PCI DSS requirement 10.2.1.2. 
This monitoring contributes to the detection of suspicious activity and forensic analysis of events in the IT environment.', null, null, null, null, null, null, null, null, null, 809, true, 267, 'TEMPLATE', null, null, 'Windows 10.2 User Accounts Created', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1180, 'This report compiles relevant information from Windows Event 4728 logs, which are triggered when a user is added to a group with administrative privileges. Its purpose is to verify that all audit logs capture actions performed by individuals with administrative access, including any interactive use of application or system accounts. 
This ensures compliance with PCI DSS Requirement 110.2.1.2, which establishes the need to audit the activities of users with administrative privileges to ensure the integrity and security of the environment.', null, null, null, null, null, null, null, null, null, 809, true, 316, 'TEMPLATE', null, null, 'Windows 10.2 Additions to Security Groups', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1181, 'This report compiles relevant information from Windows event 4663 logs, which document access to system audit logs. Its objective is to verify that all activity related to access to audit logs is captured, in compliance with PCI DSS requirement 10.2.1.3. 
This control ensures the integrity and traceability of access to audit logs, enabling the detection of potential unauthorized access and facilitating forensic analysis of events.', null, null, null, null, null, null, null, null, null, 809, true, 277, 'TEMPLATE', null, null, 'Windows 10.2 Access to critical files or specific directories', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1182, 'This report aggregates relevant information from Windows Event 4670 logs, which are generated when permissions are changed on a protected object on the system, such as files, folders, or other resources with specific security settings. The purpose of this report is to track and document changes to access permissions on sensitive objects, contributing to access control policy compliance and the protection of critical data in the environment. 
This information is essential for detecting and preventing unauthorized access to important resources, aligning with security best practices on Windows systems.', null, null, null, null, null, null, null, null, null, 809, true, 274, 'TEMPLATE', null, null, 'Windows 10.2 Protected Object Permission Change', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1185, 'This report compiles relevant information from Windows event 4776 logs, which are generated when an account authentication attempt is made using the NTLM protocol. Event 4776 captures both successful and failed access attempts, allowing for the identification of invalid access attempts. This information is crucial for complying with PCI DSS requirement 10.2.1.4, which requires the capture of all invalid logical access attempts. 
Analyzing these events facilitates the detection of suspicious activity and forensic analysis of potential security incidents in environments that handle cardholder data.', null, null, null, null, null, null, null, null, null, 809, true, 301, 'TEMPLATE', null, null, 'Windows 10.2 Account Authentication Using NTLM', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1186, 'This report compiles relevant information from Windows event 4722 logs, which are generated when a user account is enabled or activated on the system. This event is essential for compliance with PCI DSS requirement 10.2.1.5, which requires the capture of all changes related to identification and authentication credentials, including the creation of new accounts, elevation of privileges, and any modification, addition, or deletion of accounts. 
Monitoring these events allows for the detection of critical credential changes, which is critical for forensic analysis and identifying suspicious activity in environments that handle cardholder data.', null, null, null, null, null, null, null, null, null, 809, true, 293, 'TEMPLATE', null, null, 'Windows 10.2 User Accounts Enabled', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1187, 'This report captures key information from Windows Event 4726 logs, which are generated when a user account is deleted. Event 4726 is critical for monitoring changes to identification and authentication credentials, in compliance with PCI DSS Requirement 10.2.1.5, which requires the capture of all account changes, additions, or deletions, as well as the creation of new accounts or elevation of privileges. 
This audit log is essential for ensuring control and tracking of credential changes, facilitating the detection of unauthorized or anomalous actions and providing key support for forensic analysis of security-related events.', null, null, null, null, null, null, null, null, null, 809, true, 272, 'TEMPLATE', null, null, 'Windows 10.2 User Accounts Deleted', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1188, 'This report collects relevant information from Windows event 4738 logs, which are generated when a change is made to a user account, such as modifications to identification and authentication credentials. Event 4738 captures actions such as new account creation, privilege escalation, and all user account changes, additions, or deletions. This information is essential for compliance with PCI DSS Requirement 10.2.1.5, which establishes the need to capture all changes related to access credentials. 
Analyzing these events allows for auditing and detecting potentially unauthorized or malicious actions related to account and privilege management in environments that process cardholder data.', null, null, null, null, null, null, null, null, null, 809, true, 303, 'TEMPLATE', null, null, 'Windows 10.2 User Account Attributes Changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1189, 'This report compiles relevant information from Windows Event 4740 logs, which is generated when a user account is locked out due to failed authentication attempts. This event is key for monitoring changes to identification and authentication credentials, as it may indicate unauthorized access attempts or suspicious activity related to account management.

The report contributes to compliance with PCI DSS Requirement 10.2.1.5, which requires the capture of events related to account and credential changes, including account lockouts that may lead to privilege escalation attempts or improper access. Its analysis strengthens security in environments that process cardholder data and facilitates the detection and response to security incidents.', null, null, null, null, null, null, null, null, null, 809, true, 276, 'TEMPLATE', null, null, 'Windows 10.2 Account Locks', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1190, 'This report consolidates key information from Windows Event 4767 logs, which is generated when a user account is unlocked. This event is relevant for compliance with PCI DSS Requirement 10.2.1.5, which requires the capture of all changes to identification and authentication credentials.

Account unlocking is an indicator of potential unauthorized access attempts or compromised credential management. Analyzing these events allows for the detection of anomalous patterns, such as brute-force attacks or unauthorized access attempts, contributing to the security and traceability of the cardholder data environment.', null, null, null, null, null, null, null, null, null, 809, true, 336, 'TEMPLATE', null, null, 'Windows 10.2 Unlocked Account', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1193, 'This report compiles relevant information from Windows Event 4616 logs, which are generated when a change occurs in the system time settings. Event 4616 is key for monitoring changes in system clock synchronization, helping to ensure the consistency of audit logs and the traceability of security events.

The report is aligned with PCI DSS Requirement 10.6.1, which requires system clocks to be synchronized to ensure accurate audit logs. Analyzing these events can detect unauthorized changes in time settings, helping to prevent alterations that could compromise the integrity of security logs.', null, null, null, null, null, null, null, null, null, 809, true, 303, 'TEMPLATE', null, null, 'Windows 10.6 System Time Settings Changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1195, 'This report gathers and analyzes security events associated with Windows Event 4719, which indicates changes to the system''s audit configuration. The information provided allows verification of the application and updating of security policies in accordance with PCI DSS Requirement 11.1.1, ensuring that operational and security procedures are documented, up-to-date, in use, and known to affected parties.

Analyzing these events helps detect unauthorized or unexpected modifications to audit controls, ensuring the integrity of monitoring mechanisms and validating that security processes are regularly evaluated.', null, null, null, null, null, null, null, null, null, 810, true, 280, 'TEMPLATE', null, null, 'Windows 11.1 Policy changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1196, 'This report consolidates relevant information from Windows Event Viewer 1102 events, which indicate audit log deletion. Tracking these events is essential for compliance with PCI DSS Requirement 11.1.1, as it ensures that security policies and operating procedures are documented, updated, utilized, and understood by affected parties. The deletion of audit logs may represent an attempt to conceal malicious activity or operational mismanagement. Therefore, this report helps detect, investigate, and mitigate potential security breaches by providing audit evidence of attempts to manipulate critical records on monitored systems. 
This analysis contributes to maintaining the integrity of security logs, enabling the implementation of corrective and preventive controls that reinforce compliance with PCI DSS standards.', null, null, null, null, null, null, null, null, null, 810, true, 295, 'TEMPLATE', null, null, 'Windows 11.1 Cleaned Event Log', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1197, 'This report presents a detailed analysis of Windows security events with ID 4728, which record the addition of users to global security groups. The information collected verifies compliance with PCI DSS Requirement 11.1.2, ensuring that roles and responsibilities for system and network security activities are documented, assigned, and understood by the appropriate parties.

This analysis validates that privilege and role assignments in the system are carried out in accordance with established policies and that any changes are audited and traceable, contributing to security and PCI DSS compliance.', null, null, null, null, null, null, null, null, null, 810, true, 316, 'TEMPLATE', null, null, 'Windows 11.1 Additions to Security Groups', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1198, 'This report consolidates events generated by ID 4729 in Windows, which indicates the removal of a user from a global security group. The collection and analysis of these events allows for verification of compliance with PCI DSS requirement 11.1.2, ensuring that roles and responsibilities for executing security activities are documented, assigned, and understood.

The report provides information on changes to security groups, including affected users, modified groups, accounts responsible for the changes, and timestamps. This allows for the identification of potential unauthorized changes or inconsistencies in role management, ensuring proper segregation of duties and compliance with established security policies.', null, null, null, null, null, null, null, null, null, 810, true, 317, 'TEMPLATE', null, null, 'Windows 11.1 Security Group Member Removal', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1199, 'This report assesses compliance with PCI DSS requirement 11.1.2, verifying that roles and responsibilities for security activities are documented, assigned, and understood.

By analyzing Windows 4732 events, changes to security groups are reviewed to ensure that privilege management is carried out in accordance with established policies. This allows for the detection of potential deviations and ensures the correct assignment of permissions within the monitored environment.', null, null, null, null, null, null, null, null, null, 810, true, 320, 'TEMPLATE', null, null, 'Windows 11.1 Member Addition to a Security Local Group', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1200, 'This report focuses on assessing compliance with PCI DSS requirement 11.1.2, which relates to the documentation, assignment, and understanding of roles and responsibilities for security testing activities. By analyzing logs generated by Windows event 4733, any changes to user roles can be verified, specifically the removal of a member from a security group, which is relevant to ensuring that security responsibilities are correctly assigned. 
This report ensures that the management of roles and privileges within the system remains aligned with the security processes defined and understood by all involved parties.', null, null, null, null, null, null, null, null, null, 810, true, 321, 'TEMPLATE', null, null, 'Windows 11.1 Local Security Group Member Removal', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1201, 'This report is designed to assess compliance with PCI DSS Requirement 11.2, which establishes that wireless access points must be identified, monitored, and unauthorized access points must be appropriately managed. By analyzing logs generated by Windows Event 1100, the report gathers key information to verify that both authorized and unauthorized wireless access points are correctly detected and identified. 
It also ensures that the testing, detection, and identification process is performed at least every three months, as required.', null, null, null, null, null, null, null, null, null, 810, true, 314, 'TEMPLATE', null, null, 'Windows 11.2 Event Logging Service Shut Down', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1202, 'This report compiles and presents relevant information extracted from the logs generated by Windows Event 1001 to assess compliance with PCI DSS Requirement 11.3. This requirement mandates internal vulnerability scans at least every three months, prioritizing high-risk or critical vulnerabilities. This report verifies that scans are performed in accordance with the organization''s standards, that critical vulnerabilities are resolved, and that rescans are executed to confirm the correction.', null, null, null, null, null, null, null, null, null, 810, true, 339, 'TEMPLATE', null, null, 'Windows 11.3 Error Reporting', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1203, 'This report focuses on gathering relevant information from logs generated by Windows event 4624 to assess compliance with PCI DSS Requirement 11.3.1.2. 
The purpose of this requirement is to ensure that internal vulnerability scans are performed using authenticated scans. By analyzing successful logon events, the report verifies that systems requiring credentials for authenticated scans are properly documented and managed. It also ensures that systems accepting credentials for scans use sufficient privileges and that, if accounts used for authenticated scanning can be used for interactive logins, these accounts are managed in accordance with the requirements established in PCI DSS Requirement 8.2.2. This report is essential to confirm that practices related to authenticated scans are aligned with the security policies and appropriate access controls defined by PCI DSS.', null, null, null, null, null, null, null, null, null, 810, true, 265, 'TEMPLATE', null, null, 'Windows 11.3 Account Logon Success', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1204, 'This report is designed to assess compliance with PCI DSS Requirement 11.3.1.2, which requires internal vulnerability scans to be conducted using authenticated scans. Using logs generated by Windows event 4625, this report collects relevant information about failed login attempts, which may indicate issues with the credentials used in authenticated scans. The report helps verify that systems unable to accept credentials for authenticated scans are properly documented and that systems that allow such scans use sufficient privileges to ensure a proper security assessment. 
It also ensures that accounts used for authenticated scans that allow interactive logins are managed in accordance with the requirements established in PCI DSS Requirement 8.2.2, ensuring proper handling of credentials and their alignment with security best practices.', null, null, null, null, null, null, null, null, null, 810, true, 266, 'TEMPLATE', null, null, 'Windows 11.3 Account Logon Failure', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1205, 'This report assesses compliance with PCI DSS Requirement 11.3.1.3, which establishes that internal vulnerability scans must be performed after any significant system changes. Using Windows Event 7045 logs, the report collects information on the installation of new services and drivers, which may be indicative of significant changes to the system infrastructure. This analysis verifies that, after these changes were made, internal vulnerability scans were performed to detect and resolve high-risk or critical vulnerabilities, in accordance with the risk classifications defined in PCI DSS Requirement 6.3.1. 
It also ensures that rescans are performed when necessary and that scans are conducted by qualified personnel, ensuring effectiveness and an appropriate response to system vulnerabilities following significant changes.', null, null, null, null, null, null, null, null, null, 810, true, 290, 'TEMPLATE', null, null, 'Windows 11.3 Installation of Services', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1206, 'This report aims to assess compliance with PCI DSS Requirement 11.3.1.3, which establishes that internal vulnerability scans must be performed after any significant change to system infrastructure. Using Windows event 4688 logs, which record the creation of new processes, the report gathers information on command execution and the installation of new applications or configurations that may indicate significant changes to the systems. This analysis verifies that, following these changes, internal vulnerability scans were performed to identify and resolve high-risk or critical vulnerabilities, in accordance with the risk classifications defined in PCI DSS Requirement 6.3.1. 
Furthermore, the report ensures that rescans are performed when necessary and that scans are conducted by qualified personnel, ensuring proper management and mitigation of vulnerabilities in the system environment following significant changes.', null, null, null, null, null, null, null, null, null, 810, true, 284, 'TEMPLATE', null, null, 'Windows 11.3 Process Creation', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1207, 'This report aims to assess compliance with PCI DSS requirement 11.4.3, which establishes that external penetration tests must be performed according to the organization''s defined methodology, at least once every 12 months, and after any significant change to the infrastructure or applications. Using Windows event 4740 logs, the report collects information on user account lockouts due to multiple failed login attempts, which may indicate penetration testing activities or unauthorized access attempts. This analysis verifies that external penetration tests are executed according to the organization''s defined methodology, ensuring compliance with the established frequency and with qualified personnel, whether internal or external, as required by PCI DSS. 
It also ensures that these tests are performed after any significant changes to the infrastructure or applications.', null, null, null, null, null, null, null, null, null, 810, true, 276, 'TEMPLATE', null, null, 'Windows 11.4 Account Locks', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1208, 'This report assesses compliance with PCI DSS Requirement 11.5.2, which requires a change detection mechanism (e.g., file integrity monitoring tools) to alert staff of unauthorized modifications (including changes, additions, and deletions) to critical files. Using Windows Event 4663 logs, the report compiles information on access and actions performed on critical files, providing evidence of modification and access activity. 
This analysis ensures that the change detection mechanism is properly configured to perform comparisons of critical files at least once a week and alerts staff of any unauthorized actions, thereby contributing to the protection and integrity of key files for PCI DSS compliance.', null, null, null, null, null, null, null, null, null, 810, true, 277, 'TEMPLATE', null, null, 'Windows 11.5 Access to critical files or specific directories', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1209, 'This report aims to assess compliance with PCI DSS Requirement 11.5.2, which establishes the need to implement a change detection mechanism (e.g., file integrity monitoring tools) to alert staff about unauthorized modifications (including changes, additions, and deletions) to critical files. Using Windows event 4656 logs, the report gathers relevant information on access attempts to protected and critical system files, allowing identification of unauthorized modifications. 
Additionally, it ensures that critical file comparisons are performed at least once a week, as required by the PCI DSS standard, ensuring that any file alterations are detected and reported in a timely manner to prevent potential security risks.', null, null, null, null, null, null, null, null, null, 810, true, 273, 'TEMPLATE', null, null, 'Windows 11.5 Attempt to Access a Protected Object', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1210, 'This report presents a detailed analysis of events logged under Event ID 4732 in Windows logs, used to verify compliance with PCI DSS Requirement 12.1, which establishes the need for a well-defined, published, maintained, and disseminated information security policy to relevant employees, suppliers, and business partners. Event 4732 relates to the modification of security groups, which is crucial to validate that information security roles and responsibilities are correctly assigned and communicated.

Reviewing these events provides evidence to confirm that security policies are established, periodically reviewed, and updated in response to changing business risks and objectives, and that all relevant personnel are aware of them. It also helps ensure that responsibility for information security is formally assigned to a member of senior management with appropriate knowledge, as required by the PCI DSS.', null, null, null, null, null, null, null, null, null, 811, true, 320, 'TEMPLATE', null, null, 'Windows 12.1 Member Addition to a Security Local Group', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1211, 'This report compiles key information from 1102 events in Windows logs, used to assess compliance with PCI DSS Requirement 12.1, which requires an information security policy that is known, established, published, maintained, and appropriately distributed to all relevant personnel, as well as to suppliers and business partners. Event 1102 is linked to the audit event log, and its analysis helps ensure that information security policies are reviewed and updated at least once every 12 months, reflecting changes in business risks and objectives.

The report verifies that the information security policy is in place and that all relevant individuals within the organization have access to it. It also helps validate that information security responsibilities are clearly defined and assigned, and that security responsibility is formally delegated to a senior executive with the necessary knowledge, as required by the PCI DSS standard.', null, null, null, null, null, null, null, null, null, 811, true, 295, 'TEMPLATE', null, null, 'Windows 12.1 Cleaned Event Log', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1212, 'This report gathers relevant information from 4663 events in Windows logs, which are essential for verifying compliance with PCI DSS Requirement 12.1, which establishes that the information security policy must be known and updated. 4663 events are generated when attempts are made to access files or directories, which is critical to ensuring that information security policies are effectively applied to the entity''s information assets.

By analyzing these events, it is possible to verify that the information security policy is established, published, maintained, and appropriately disseminated to all relevant personnel, including suppliers and business partners, as required by the PCI DSS standard. Furthermore, the logs verify that the policy is reviewed at least every 12 months and updated in response to changes in business risks and objectives. This analysis also confirms that security responsibilities are clearly defined for all staff and that ultimate responsibility rests with a CISO or security executive with the necessary expertise.', null, null, null, null, null, null, null, null, null, 811, true, 277, 'TEMPLATE', null, null, 'Windows 12.1 Access to critical files or specific directories', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1213, 'This report compiles relevant information from 4656 events in Windows logs, which are critical for verifying compliance with PCI DSS Requirement 12.1, which requires that an information security policy be established, published, maintained, and disseminated to all relevant employees, vendors, and business partners.

4656 events are logged when access requests are made to an object or resource in the system, providing key insights into user interactions with information assets. By analyzing these events, we can confirm that access controls and related policies are being effectively enforced, supporting that the information security policy is adequately disseminated to relevant parties, as required by PCI DSS.

In addition, these logs help verify that the information security policy is reviewed at least once every 12 months and updated as needed to reflect changes in business objectives or environmental risks. They also help validate that security responsibilities are clearly defined for all staff and that ultimate responsibility for security is assigned to a trained CISO or executive.', null, null, null, null, null, null, null, null, null, 811, true, 273, 'TEMPLATE', null, null, 'Windows 12.1 Attempt to Access a Protected Object', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1214, 'This report compiles relevant information from 4688 events in the Windows logs, which are generated each time a new process is created in the system. These events are essential for verifying compliance with PCI DSS Requirement 12.2.1, which establishes that acceptable use policies for end-user technologies must be documented and implemented.

Analyzing these events determines that explicit approvals from authorized authorities are being properly implemented, ensuring that users only use the technologies they have been authorized to use. Furthermore, the logs verify that acceptable use of technologies is being followed, verifying that users are only using approved tools for purposes permitted by the company. This includes both approved hardware and software usage, ensuring that the company maintains an up-to-date inventory of products permitted for employee use.

This report is critical to demonstrating that the company is compliant with PCI DSS regulations by ensuring that acceptable use policies for technology are effectively implemented and monitored through event logging in systems.', null, null, null, null, null, null, null, null, null, 811, true, 284, 'TEMPLATE', null, null, 'Windows 12.2 Process Creation', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1215, 'This report compiles relevant information from 4689 events in Windows logs, which are generated when a process completes its execution. These events are crucial for verifying compliance with PCI DSS Requirement 12.3, which establishes that risks to the cardholder data environment (CDE) must be formally identified, assessed, and managed.

4689 events allow tracking of process execution in systems, which facilitates the identification of protected assets and provides valuable information for assessing threats that may impact those assets. The logs verify that risk assessments are being conducted and updated continuously, which contributes to active risk management in the CDE environment.

This analysis also allows for observing the factors that contribute to the likelihood and/or impact of threats, and how the organization''s established processes minimize the identified risks. Additionally, 4689 events can be used to ensure that a risk assessment is conducted at least once every 12 months, as required by the PCI DSS, to ensure the security environment is always up-to-date and in line with emerging threats.

This report is essential to demonstrate that the organization is adequately managing the risks associated with the cardholder data environment in accordance with PCI DSS standards, and that security policies and procedures are aligned with risk analysis requirements.', null, null, null, null, null, null, null, null, null, 811, true, 302, 'TEMPLATE', null, null, 'Windows 12.3 Process Termination', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1216, 'This report compiles Windows 4720 events, which record when a user is added to a security group. These events are key to verifying the assignment of responsibilities for PCI DSS compliance. They help ensure that security tasks and operational policies are being properly implemented.

The report confirms that quarterly PCI DSS compliance reviews are conducted, including reviewing logs, security configurations, and responding to alerts, ensuring that the organization and its vendors maintain compliance.', null, null, null, null, null, null, null, null, null, 811, true, 267, 'TEMPLATE', null, null, 'Windows 12.4 User Accounts Created', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1217, 'This report gathers relevant information from Windows 4722 events, which record changes to user accounts, such as account activation or deactivation. These events are crucial for verifying compliance with security policies and the PCI DSS compliance program.

The report ensures that quarterly reviews of security-related activities, such as log review, security configuration assessment, and alert response, have been conducted. It also documents the corrective actions taken for any deviations found during the reviews, ensuring that the PCI DSS compliance program is being properly implemented.', null, null, null, null, null, null, null, null, null, 811, true, 293, 'TEMPLATE', null, null, 'Windows 12.4 User Accounts Enabled', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1219, 'This report compiles relevant information from Windows 4657 events, which record changes to system objects, including files and settings, which may require updates related to the security awareness program. Data from these events is used to verify that the organization is implementing a security awareness program, properly informing all staff about security policies and procedures, as well as their role in protecting credit card data.

The report ensures that ongoing security training is conducted, with an annual review of the program and updates based on new threats or vulnerabilities. It also confirms that staff receive training on specific threats such as phishing, social engineering, and acceptable use of endpoint technologies, ensuring that the security policy is understood and acknowledged annually by all employees.', null, null, null, null, null, null, null, null, null, 811, true, 322, 'TEMPLATE', null, null, 'Windows 12.6 Registry Value Modification', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1220, 'This report compiles relevant information from Windows 4698 events, which record configuration and modifications to security policies and user accounts. These events are critical to ensuring that staff receive ongoing security education, in accordance with PCI DSS Requirement 12.6.

The report validates that the organization has implemented a formal security awareness program, reviewed and updated annually to reflect new threats and vulnerabilities. It also ensures that staff receive security training at least once a year, utilizing various communication methodologies, and that employees'' understanding of security policies is confirmed.

It also confirms that the training covers threats such as phishing, social engineering, and acceptable use of end-user technologies, in accordance with the guidelines established in the PCI DSS standard.', null, null, null, null, null, null, null, null, null, 811, true, 372, 'TEMPLATE', null, null, 'Windows 12.6 Scheduled Task Creation', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1221, 'This report compiles relevant information from Windows 4648 events, which record login attempts with explicit credentials, which is crucial for the early detection of potential security incidents. The report validates compliance with PCI DSS 12.10, which states that suspected or confirmed security incidents that may affect the Card Data Environment (CDE) must be responded to immediately.

4648 events provide evidence of access and actions that could be related to security incidents, facilitating rapid detection and response. The report also verifies that the incident response plan is up-to-date, tested, and ready to be activated when necessary. It also confirms that specific people have been designated to respond to security incidents 24/7 and that the personnel responsible for these incidents have been regularly trained. The report includes monitoring and response strategies for security systems, such as intrusion detection systems, network security controls, and mechanisms for detecting changes to critical files.', null, null, null, null, null, null, null, null, null, 811, true, 281, 'TEMPLATE', null, null, 'Windows 12.10 Logins with explicit credentials', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1222, 'This report analyzes successful logon events (Event ID 4624) on Windows systems to evaluate the effectiveness of logical separation in multi-tenant environments according to PCI DSS Requirement A1.1. Authentication logs are reviewed to verify that access to customer and vendor environments is performed only by authorized users and that there is no unauthorized access between customer environments or from the vendor to the customer environments. 
The results of this report contribute to the validation of security controls, ensuring regulatory compliance and reducing the risk of unauthorized access to shared infrastructures.', null, null, null, null, null, null, null, null, null, 812, true, 312, 'TEMPLATE', null, null, 'Windows A1 Password Reset Attempts', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1223, 'This report analyzes logoff events (Event ID 4634) on Windows systems to evaluate the effectiveness of logical separation in multi-tenant environments in accordance with PCI DSS Requirement A1.1. Activity logs are reviewed to verify that sessions initiated in the customer and vendor environments are properly closed and that there is no unauthorized access or persistence of unauthorized sessions between environments. 
The analysis considers key information that facilitates the validation of access controls, ensuring regulatory compliance and minimizing the risk of prolonged or unauthorized access in shared infrastructures.', null, null, null, null, null, null, null, null, null, 812, true, 350, 'TEMPLATE', null, null, 'Windows A1 Account Logoff', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1224, 'This report analyzes user-initiated logoff events (Event ID 4647) on Windows systems to assess compliance with PCI DSS Requirement A1.1 in multi-tenant environments. Activity logs are reviewed to verify that users terminate their sessions in a controlled manner and that no unauthorized access exists between customer and vendor environments. 
The analysis includes key information that contributes to the validation of security controls, ensuring that sessions are properly managed and reducing the risk of unauthorized persistence on shared infrastructures.', null, null, null, null, null, null, null, null, null, 812, true, 351, 'TEMPLATE', null, null, 'Windows A1 User Account Logoff', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1225, 'This report collects and analyzes object permission modification events (event ID 4670) on Windows systems to validate that access controls are properly implemented according to PCI DSS requirements A1.1.2 and A1.1.3. Through analysis of these logs, it is verified that each client only has permissions to their own cardholder information (CDE) and cannot access unassigned resources.
Details are examined to support the assessment of data and resource segregation, ensuring that security controls are effective in multi-tenant environments and reducing the risk of unauthorized access.', null, null, null, null, null, null, null, null, null, 812, true, 274, 'TEMPLATE', null, null, 'Windows A1 Protected Object Permission Change', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1226, 'This report analyzes Object Access Request events (Event ID 4656) on Windows systems to assess compliance with PCI DSS requirements A1.1.2 and A1.1.3 in multi-tenant environments. This event is generated when a process requests access to a protected object, such as files, registry keys, or system services. Therefore, its analysis allows verification that each client only attempts to access its own cardholder information (CDE) and the resources assigned to it, preventing unauthorized access to other clients'' data or systems.
Details are examined that contribute to the validation of access controls, ensuring proper segregation of data and resources, and reducing the risk of exposure in shared infrastructures.', null, null, null, null, null, null, null, null, null, 812, true, 273, 'TEMPLATE', null, null, 'Windows A1 Attempt to Access a Protected Object', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1227, 'This report analyzes shared resource access and permission modification events (Event IDs 5140 and 5145) on Windows systems to assess compliance with PCI DSS Requirement A1.2, which relates to enabling auditing capabilities and incident response in multi-tenant environments.
These events provide key information to ensure that auditing and incident response controls are effective, protecting the integrity of multi-tenant environments and complying with established security regulations.', null, null, null, null, null, null, null, null, null, 812, true, 285, 'TEMPLATE', null, null, 'Windows A1 Network Access to shared resource', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1228, 'This report collects and analyzes user account modification events (event ID 4738) on Windows systems to assess compliance with PCI DSS Requirement A1.2.3. This event is generated when a modification is made to a user account, which may indicate changes affecting system security or related security incidents. This analysis verifies that processes and mechanisms are in place to report and address security incidents and vulnerabilities, allowing customers to securely report any incidents or vulnerabilities to the vendor. Additionally, it assesses whether the vendor takes appropriate actions to address and remediate security incidents in accordance with PCI DSS Requirement 6.3.1. Records of this event provide evidence of how account modifications are handled, allowing potential security incidents to be detected and ensuring that vulnerabilities are appropriately managed.
The findings in this report ensure that incident response processes are effective and aligned with the controls established by PCI DSS.', null, null, null, null, null, null, null, null, null, 812, true, 308, 'TEMPLATE', null, null, 'Windows A1 User Account Attributes Changes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1229, 'This report analyzes Security Log Closure events (Event ID 1102) on Windows systems to assess compliance with PCI DSS Requirement A1.2.3, which establishes the implementation of processes or mechanisms for reporting and addressing security incidents and vulnerabilities. Event 1102 is generated when the system''s Security Log is cleared or closed, which may indicate an action related to security event management or incident response. This analysis verifies that logs are managed appropriately and that security incidents and vulnerabilities are communicated and addressed securely. It also ensures that the vendor has established mechanisms to remediate incidents in accordance with PCI DSS Requirement 6.3.1, ensuring that customers can safely report incidents and that they are addressed in accordance with security policies.
The findings in this report support the validation of audit and incident response processes, ensuring that appropriate records are maintained for security incident investigation and PCI DSS compliance.', null, null, null, null, null, null, null, null, null, 812, true, 295, 'TEMPLATE', null, null, 'Windows A1 Cleaned Event Log', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1230, 'This report collects and analyzes explicit credentials login events (Event ID 4648) on Windows systems to assess compliance with PCI DSS Requirement A1.2.2, which establishes the implementation of processes and mechanisms to facilitate rapid forensic investigations in the event of a suspected or confirmed security incident. Event 4648 is generated when a login process uses explicit credentials to authenticate a session, which may indicate unusual or suspicious access requiring further investigation. This analysis verifies that mechanisms are in place to support the collection and analysis of relevant logs, enabling timely forensic investigations in the event of security incidents.
The findings in this report ensure that the system is configured to provide the necessary information for incident resolution and support security investigations, aligning with PCI DSS controls for incident response and evidence preservation.', null, null, null, null, null, null, null, null, null, 812, true, 281, 'TEMPLATE', null, null, 'Windows A1 Logins with explicit credentials', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1231, 'This report analyzes user account creation events (Event ID 4720) on Windows systems to assess compliance with PCI DSS Requirement A1.2.2, which establishes the implementation of processes or mechanisms to facilitate rapid forensic investigations in the event of a suspected or confirmed security incident. Event 4720 is generated when a new user account is created, which can be relevant in situations where unauthorized or unexpected account creation is indicative of a security incident. This analysis verifies that event logs provide the information necessary to conduct timely and detailed forensic investigations, enabling a rapid incident response.
The findings in this report help ensure that the system has adequate mechanisms for recording and storing critical information, facilitating the resolution of security incidents and ensuring compliance with PCI DSS controls for evidence preservation and forensic investigation.', null, null, null, null, null, null, null, null, null, 812, true, 267, 'TEMPLATE', null, null, 'Windows A1 User Accounts Created', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1232, 'This report presents relevant information collected from logs generated by the Office 365 MailItemsAccessed event, as part of the audit integrity monitoring and control activities required by the CMMC Level 4 standard (AU.4.053). This control requires the implementation of mechanisms to ensure the integrity of audit logs, ensuring their protection against unauthorized modification, deletion, or malicious alteration.

The collected logs include critical details about access to email items. Analyzing these logs allows for validating the integrity of the recorded events and detecting any anomalous activity that could compromise information security, thereby complying with CMMC requirement AU.4.053.', null, null, null, null, null, null, null, null, null, 505, true, 400, 'TEMPLATE', null, null, 'Office 365 Level 4 (AU.4.053): MailItems Accessed', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1233, 'This report collects and analyzes Office 365 FileSyncUploadedFull event logs to comply with the CMMC Level 5 standard (AU.5.055), which requires the use of advanced tools to ensure the integrity and availability of audit logs.

Data about users, applications, IP addresses, devices, platforms, geographic locations, names and sizes of synchronized files, and whether they are synchronized from managed devices is examined. This analysis helps identify legitimate access and detect suspicious activity that could compromise information security.', null, null, null, null, null, null, null, null, null, 505, true, 401, 'TEMPLATE', null, null, 'Office Level 5 (AU.5.055): File Sync Uploaded Full', '');
 INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1234, 'This report gathers relevant information from logs generated by the Set-Mailbox event in Office 365, which is used to monitor configuration changes to user mailboxes. These events can reflect administrative actions that directly affect account security, such as permission modifications, email redirects, or changes to retention policies.

Monitoring these types of events is essential for compliance with CMMC Level 1 (SI.1.210): Identify and correct system flaws, including malware, as it allows for identifying potential system configuration flaws, malicious or unauthorized activity, and for a timely response to anomalies that could compromise the integrity of email services. This monitoring helps maintain a secure environment, detect potential attack vectors, and proactively apply corrective measures.', null, null, null, null, null, null, null, null, null, 502, true, 402, 'TEMPLATE', null, null, 'Office 365 Level 1 (SI.1.210): Changes Applied to Mailboxes', '');
+ INSERT INTO utm_compliance_report_config (id, config_solution, config_report_columns, config_report_req_body, config_report_req_params, config_report_resource_url, config_report_request_type, config_report_pageable, config_report_filter_by_time, config_report_data_origin, config_report_export_csv_url, standard_section_id, config_report_editable, dashboard_id, config_type, config_url, config_report_note, config_report_name, config_report_remediation) VALUES (1235, 'This report provides a detailed analysis of the event logs generated by the Set-Mailbox cmdlet in Office 365, which is used to monitor and detect unauthorized changes to mailbox settings. The purpose of this report is to ensure compliance with Level 4 (CM.4.070) of the CMMC cybersecurity maturity model, which establishes the need to automate the detection of unauthorized changes to systems. By reviewing these logs, we aim to identify any inappropriate access or modification of mailbox settings, facilitating risk management and compliance with security regulations', null, null, null, null, null, null, null, null, null, 506, true, 402, 'TEMPLATE', null, null, 'Office 365 Level 4 (CM.4.070): Changes Applied to Mailboxes', '');
 SELECT setval('utm_compliance_report_config_id_seq', (SELECT COALESCE(MAX(id), 1) FROM utm_compliance_report_config), true);
From eba29882e79f0679fb0e2f3c2acc3e024911ee97 Mon Sep 17 00:00:00 2001
From: Manuel Abascal
Date: Mon, 14 Apr 2025 11:18:06 -0500
Subject: [PATCH 2/6] feat: update sophos and gcp filters
---
 .../20250414001_updating_sophos_filter.xml | 1163 +++++++++++++++++
 .../20250414002_updating_gcp_filter.xml | 113 ++
 .../resources/config/liquibase/master.xml | 4 +
 3 files changed, 1280 insertions(+)
 create mode 100644 backend/src/main/resources/config/liquibase/changelog/20250414001_updating_sophos_filter.xml
 create mode 100644 backend/src/main/resources/config/liquibase/changelog/20250414002_updating_gcp_filter.xml
diff --git a/backend/src/main/resources/config/liquibase/changelog/20250414001_updating_sophos_filter.xml b/backend/src/main/resources/config/liquibase/changelog/20250414001_updating_sophos_filter.xml
new file mode 100644
index 000000000..9b0753ddd
--- /dev/null
+++ b/backend/src/main/resources/config/liquibase/changelog/20250414001_updating_sophos_filter.xml
@@ -0,0 +1,1163 @@ + + + + + + + "message" + terminator => "" + } + + #Looking for datasource generated by an agent and parse original message + if [message]=~/\[utm_stack_agent_ds=(.+)\]-(.+)/ { + grok { + match => { + "message" => [ "\[utm_stack_agent_ds=%{DATA:dataSource}\]-%{GREEDYDATA:original_log_message}" ] + } + } + } + if [original_log_message] { + mutate { + update => { "message" => "%{[original_log_message]}" } + } + } + + if ![dataType] { + #First, search for common fields and parse them + grok { + match => { + "message" => [ + # Old format XG + "device=%{QUOTEDSTRING:device} date=%{DATA:syslog_timestamp} time=%{TIME:xg_time} timezone=%{DATA:xg_timezone} device_name=%{QUOTEDSTRING:device_name} device_id=%{DATA:device_id} log_id=%{DATA:log_id} log_type=%{QUOTEDSTRING:log_type} log_component=%{QUOTEDSTRING:log_component} %{GREEDYDATA:msg}", + "%{GREEDYDATA}device=%{QUOTEDSTRING:device} date=%{DATA:syslog_timestamp} time=%{TIME:xg_time} timezone=%{DATA:xg_timezone} device_name=%{QUOTEDSTRING:device_name} device_id=%{DATA:device_id} log_id=%{DATA:log_id} log_type=%{QUOTEDSTRING:log_type} log_component=%{QUOTEDSTRING:log_component} %{GREEDYDATA:msg}", + + # New format with ISO 8601 timestamp XGS + "device_name=%{QUOTEDSTRING:device} timestamp=%{QUOTEDSTRING:timestamp} device_model=%{QUOTEDSTRING:device_model} .*? log_type=%{QUOTEDSTRING:log_type} log_component=%{QUOTEDSTRING:log_component} %{GREEDYDATA:msg}", + "%{GREEDYDATA}device_name=%{QUOTEDSTRING:device} timestamp=%{QUOTEDSTRING:timestamp} device_model=%{QUOTEDSTRING:device_model} .*? 
log_type=%{QUOTEDSTRING:log_type} log_component=%{QUOTEDSTRING:log_component} %{GREEDYDATA:msg}", + + # Common fields for the log_type="WAF" format + "messageid=%{QUOTEDSTRING:messageid} log_type=%{QUOTEDSTRING:log_type} log_component=%{QUOTEDSTRING:log_component} %{GREEDYDATA:msg}", + "%{GREEDYDATA}messageid=%{QUOTEDSTRING:messageid} log_type=%{QUOTEDSTRING:log_type} log_component=%{QUOTEDSTRING:log_component} %{GREEDYDATA:msg}" + ] + } + } + # Other needed fields available in the new format + if ![syslog_timestamp] { + grok { + match => { + "message" => [ + "%{GREEDYDATA} device_serial_id=%{QUOTEDSTRING:device_serial_id} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "message" => [ + "%{GREEDYDATA} log_id=(?:%{QUOTEDSTRING:log_id}|%{DATA:log_id}) %{GREEDYDATA}" + ] + } + } + } + #Replacing string quotation for common fields + mutate { + gsub => ["device", ''"'', ""] + gsub => ["device_name", ''"'', ""] + gsub => ["log_type", ''"'', ""] + gsub => ["log_component", ''"'', ""] + gsub => ["device_model", ''"'', ""] + gsub => ["log_id", ''"'', ""] + gsub => ["device_serial_id", ''"'', ""] + gsub => ["messageid", ''"'', ""] + } + if [log_type] and ([log_type] == "Firewall" or [log_type] == "Content Filtering" or [log_type] == "Event" + or [log_type] == "WAF" or [log_type] == "System Health" or [log_type] == "IDP" + or [log_type] == "ATP" or [log_type] == "EATP" or ([log_type] == "Antivirus" or [log_type] == "Anti-Virus") + or [log_type] == "Anti-spam" or [log_type] == "Anti-Spam" + or [log_type] == "Heartbeat" or [log_type] == "Sandbox" + or [log_type] == "Wireless protection" or [log_type] == "Wireless Protection" + or [log_type] == "System health" or [log_type] == "Content filtering" + or [log_type] == "SSL" ) { + #Other fields needed for rules in Correlation Engine + if [msg] { + grok { + match => { + "msg" => [ + "status=%{QUOTEDSTRING:status} %{GREEDYDATA}", + "%{GREEDYDATA} status=%{QUOTEDSTRING:status} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" 
=> [ + "log_subtype=%{QUOTEDSTRING:log_subtype} %{GREEDYDATA}", + "%{GREEDYDATA} log_subtype=%{QUOTEDSTRING:log_subtype} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "priority=%{WORD:priority} %{GREEDYDATA}", + "%{GREEDYDATA} priority=%{WORD:priority} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (sent_bytes|bytes_sent)=%{INT:sent_bytes} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (recv_bytes|bytes_received|bytes_recv)=%{INT:recv_bytes} %{GREEDYDATA}" + ] + } + } + } + #Adding common fields to logx tree structure + mutate { + add_field => { "[dataType]" => "firewall-sophos-xg" } + rename => { "[device]" => "[logx][sophos][device]" } + rename => { "[device_name]" => "[logx][sophos][device_name]" } + rename => { "[device_id]" => "sophosDataSource" } + rename => { "[log_id]" => "[logx][sophos][log_id]" } + rename => { "[log_type]" => "[logx][sophos][log_type]" } + rename => { "[log_component]" => "[logx][sophos][log_component]" } + rename => { "[status]" => "[logx][sophos][status]" } + rename => { "[log_subtype]" => "[logx][sophos][log_subtype]" } + rename => { "[message]" => "[logx][sophos][message]" } + rename => { "[syslog_timestamp]" => "[logx][sophos][syslog_timestamp]" } + rename => { "[xg_time]" => "[logx][sophos][xg_time]" } + rename => { "[xg_timezone]" => "[logx][sophos][xg_timezone]" } + rename => { "[priority]" => "[logx][sophos][priority]" } + rename => { "[sent_bytes]" => "[logx][sophos][sent_bytes]" } + rename => { "[recv_bytes]" => "[logx][sophos][recv_bytes]" } + rename => { "[timestamp]" => "[logx][sophos][timestamp]" } + rename => { "[device_serial_id]" => "[logx][sophos][device_serial_id]" } + rename => { "[device_model]" => "[logx][sophos][device_model]" } + } + +#......................................................................# +#Generating dataSource field required by CurrelationRulesEngine +#Checks if sophosDataSource exists, if true, the dataSource 
field take its value, if not, take the agent dataSource value + if ([sophosDataSource]){ + if [dataSource] { + mutate { + update => { "dataSource" => "%{[sophosDataSource]}" } + } + } else { + mutate { + add_field => { "dataSource" => "%{sophosDataSource}" } + } + } + } +#Finally evaluates to the host variable if can not be calculated + if ![dataSource] { + mutate { + add_field => { "dataSource" => "%{host}" } + } + } + + if [logx][sophos][device] and [logx][sophos][device] == "SFW" { + if [msg] { + #Fields from Firewall log_type + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (src_ip|sourceip)=%{IP:src_ip} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} dst_ip=%{IP:dst_ip} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} protocol=%{QUOTEDSTRING:proto} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} src_port=%{NUMBER:src_port} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} dst_port=%{NUMBER:dst_port} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} application=%{QUOTEDSTRING:application} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (application_risk|app_risk)=%{NUMBER:application_risk} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (application_technology|app_technology)=%{QUOTEDSTRING:application_technology} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (application_name|app_name)=%{QUOTEDSTRING:application_name} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (application_category|app_category)=%{QUOTEDSTRING:application_category} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (user_name)=%{QUOTEDSTRING:user_name} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (src_country_code|src_country)=%{WORD:src_country_code} 
%{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (dst_country_code|dst_country)=%{WORD:dst_country_code} %{GREEDYDATA}" + ] + } + } + #1.3.7 + grok { + match => { + "msg" => [ + "%{GREEDYDATA} dst_mac=%{QUOTEDSTRING:dst_mac} %{GREEDYDATA}" + ] + } + } + #2.1.0 + #Fields from Firewall XGS log_type + grok { + match => { + "msg" => [ + "%{GREEDYDATA} fw_rule_name=%{QUOTEDSTRING:fw_rule_name} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} fw_rule_section=%{QUOTEDSTRING:fw_rule_section} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} nat_rule_id=%{QUOTEDSTRING:nat_rule_id} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} nat_rule_name=%{QUOTEDSTRING:nat_rule_name} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} fw_rule_type=%{QUOTEDSTRING:fw_rule_type} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} ether_type=%{QUOTEDSTRING:ether_type} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} in_interface=%{QUOTEDSTRING:in_interface} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} out_interface={QUOTEDSTRING:out_interface} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} src_zone_type={QUOTEDSTRING:src_zone_type} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} dst_zone_type={QUOTEDSTRING:dst_zone_type} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} dst_zone={QUOTEDSTRING:dst_zone} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} src_zone={QUOTEDSTRING:src_zone} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} con_event={QUOTEDSTRING:con_event} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} con_id={QUOTEDSTRING:con_id} %{GREEDYDATA}" + ] + } + } + grok { + 
match => { + "msg" => [ + "%{GREEDYDATA} hb_status={QUOTEDSTRING:hb_status} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} app_resolved_by={QUOTEDSTRING:app_resolved_by} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} app_is_cloud={QUOTEDSTRING:app_is_cloud} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} qualifier={QUOTEDSTRING:qualifier} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} in_display_interface={QUOTEDSTRING:in_display_interface} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} out_display_interface={QUOTEDSTRING:out_display_interface} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} log_occurrence={QUOTEDSTRING:log_occurrence} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} dst_country={QUOTEDSTRING:dst_country} %{GREEDYDATA}" + ] + } + } + + #New fields from Content Filtering + grok { + match => { + "msg" => [ + "%{GREEDYDATA} category=%{QUOTEDSTRING:category} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} category_type=%{QUOTEDSTRING:category_type} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (url|FTP_url)=%{NOTSPACE:url} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} download_file_name=%{QUOTEDSTRING:download_file_name} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} download_file_type=%{QUOTEDSTRING:download_file_type} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} upload_file_name=%{QUOTEDSTRING:upload_file_name} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} upload_file_type=%{QUOTEDSTRING:upload_file_type} %{GREEDYDATA}" + ] + } + } + + #New fields from Event log_type + grok { + match => { + "msg" => [ + "%{GREEDYDATA} 
reason=%{QUOTEDSTRING:reason} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} message=%{QUOTEDSTRING:event_message} %{GREEDYDATA}" + ] + } + } + #1.3.7 + grok { + match => { + "msg" => [ + "%{GREEDYDATA} src_mac=%{QUOTEDSTRING:src_mac} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (client_used|auth_client)=%{QUOTEDSTRING:client_used} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} gatewayname=%{QUOTEDSTRING:gateway_name} %{GREEDYDATA}" + ] + } + } + #Fields from WAF log_type + grok { + match => { + "msg" => [ + "%{GREEDYDATA} server=%{NOTSPACE:server} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} contenttype=%{QUOTEDSTRING:contenttype} %{GREEDYDATA}" + ] + } + } + #Fields from Antivirus log_type + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (status_code|httpstatus)=%{NUMBER:httpstatus} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (useragent)=%{QUOTEDSTRING:useragent} %{GREEDYDATA}" + ] + } + } + #New fields from 1.3.7 + grok { + match => { + "msg" => [ + "%{GREEDYDATA} severity=%{QUOTEDSTRING:severity} %{GREEDYDATA}", + "%{GREEDYDATA} severity=%{WORD:severity} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} malware=%{QUOTEDSTRING:malware_name} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (domain|domainname|src_domainname)=%{QUOTEDSTRING:domain} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} virus=%{QUOTEDSTRING:malware_name} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (user_group|user_gp|usergroupname)=%{QUOTEDSTRING:user_group} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (con_direction|FTP_direction)=%{QUOTEDSTRING:direction} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} 
file_path=%{QUOTEDSTRING:file_path} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (parent_app|parent_application)=%{QUOTEDSTRING:parent_application_name} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (parent_app_category|parent_application_category)=%{QUOTEDSTRING:parent_application_category} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (parent_app_risk|parent_application_risk)=%{QUOTEDSTRING:parent_application_risk} %{GREEDYDATA}" + ] + } + } + #Fields from IDP log_type + grok { + match => { + "msg" => [ + "%{GREEDYDATA} signature_msg=%{QUOTEDSTRING:event_message} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} classification=%{QUOTEDSTRING:classification} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} platform=%{QUOTEDSTRING:platform} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} target=%{QUOTEDSTRING:target} %{GREEDYDATA}" + ] + } + } + #Fields from ATP log_type + grok { + match => { + "msg" => [ + "%{GREEDYDATA} destinationip=%{IP:dst_ip} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} threatname=%{NOTSPACE:threatname} %{GREEDYDATA}" + ] + } + } + #1.3.7 + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (reported_user|login_user)=%{QUOTEDSTRING:login_user} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (process_user|proc_user)=%{QUOTEDSTRING:process_user} %{GREEDYDATA}" + ] + } + } + #Fields from Anti-Spam log_type + #1.3.7 + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (action|spamaction)=%{QUOTEDSTRING:action} %{GREEDYDATA}", + "%{GREEDYDATA} (action|spamaction)=%{WORD:action} %{GREEDYDATA}" + ] + } + } + #Fields from System Health log_type + grok { + match => { + "msg" => [ + "%{GREEDYDATA} users=%{NUMBER:users} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} 
display_interface=%{QUOTEDSTRING:display_interface} %{GREEDYDATA}" + ] + } + } + } + + mutate { + #Common Fields + gsub => ["[logx][sophos][status]", ''"'', ""] + gsub => ["[logx][sophos][log_subtype]", ''"'', ""] + gsub => ["[logx][sophos][xg_timezone]", ''"'', ""] + gsub => ["[logx][sophos][timestamp]", ''"'', ""] + + #Fields from Firewall log_type + gsub => ["src_ip", ''"'', ""] + gsub => ["src_port", ''"'', ""] + gsub => ["dst_ip", ''"'', ""] + gsub => ["dest_port", ''"'', ""] + gsub => ["proto", ''"'', ""] + gsub => ["application", ''"'', ""] + gsub => ["application_risk", ''"'', ""] + gsub => ["application_technology", ''"'', ""] + gsub => ["application_name", ''"'', ""] + gsub => ["application_category", ''"'', ""] + gsub => ["user_name", ''"'', ""] + gsub => ["src_country_code", ''"'', ""] + gsub => ["dst_country_code", ''"'', ""] + #1.3.7 + gsub => ["dst_mac", ''"'', ""] + #2.1.0 + gsub => ["fw_rule_name",''"'',""] + gsub => ["fw_rule_section",''"'',""] + gsub => ["nat_rule_id",''"'',""] + gsub => ["nat_rule_name",''"'',""] + gsub => ["fw_rule_type",''"'',""] + gsub => ["ether_type",''"'',""] + gsub => ["in_interface",''"'',""] + gsub => ["out_interface",''"'',""] + gsub => ["src_zone_type",''"'',""] + gsub => ["dst_zone_type",''"'',""] + gsub => ["dst_zone",''"'',""] + gsub => ["src_zone",''"'',""] + gsub => ["con_event",''"'',""] + gsub => ["con_id",''"'',""] + gsub => ["hb_status",''"'',""] + gsub => ["app_resolved_by",''"'',""] + gsub => ["app_is_cloud",''"'',""] + gsub => ["qualifier",''"'',""] + gsub => ["in_display_interface",''"'',""] + gsub => ["out_display_interface",''"'',""] + gsub => ["log_occurrence",''"'',""] + gsub => ["dst_country",''"'',""] + + #New fields from Content Filtering log_type + gsub => ["category", ''"'', ""] + gsub => ["category_type", ''"'', ""] + gsub => ["url", ''"'', ""] + gsub => ["download_file_name", ''"'', ""] + gsub => ["download_file_type", ''"'', ""] + gsub => ["upload_file_name", ''"'', ""] + gsub => 
["upload_file_type", ''"'', ""] + + #New fields from Event log_type + gsub => ["reason", ''"'', ""] + gsub => ["event_message", ''"'', ""] + #1.3.7 + gsub => ["src_mac", ''"'', ""] + gsub => ["client_used", ''"'', ""] + gsub => ["src_host", ''"'', ""] + gsub => ["reported_ip", ''"'', ""] + gsub => ["updated_ip", ''"'', ""] + gsub => ["gateway_name", ''"'', ""] + + #Fields from WAF log_type + gsub => ["server", ''"'', ""] + gsub => ["contenttype", ''"'', ""] + gsub => ["useragent", ''"'', ""] + + #Fields from Antivirus log_type + #1.3.7 + gsub => ["severity", ''"'', ""] + gsub => ["malware_name", ''"'', ""] + gsub => ["domain", ''"'', ""] + gsub => ["user_group", ''"'', ""] + gsub => ["direction", ''"'', ""] + gsub => ["file_path", ''"'', ""] + gsub => ["parent_application_name", ''"'', ""] + gsub => ["parent_application_category", ''"'', ""] + gsub => ["parent_application_risk", ''"'', ""] + + #Fields from IDP log_type + gsub => ["classification", ''"'', ""] + gsub => ["platform", ''"'', ""] + gsub => ["target", ''"'', ""] + + #Fields from ATP log_type + gsub => ["threatname", ''"'', ""] + #1.3.7 + gsub => ["login_user", ''"'', ""] + gsub => ["process_user", ''"'', ""] + + #Fields from Anti-Spam log_type + #1.3.7 + gsub => ["action", ''"'', ""] + + #Fields from System Health log_type + gsub => ["users", ''"'', ""] + gsub => ["display_interface", ''"'', ""] + + } + + #Do specific mutations to unify field names across log_type + if ([logx][sophos][log_type] == "Antivirus" or [logx][sophos][log_type] == "Anti-Virus") + and [logx][sophos][log_component] == "FTP" { + if ([direction]) and ([direction] == "Upload" or [direction] == "upload") { + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (filename|file_name)=%{QUOTEDSTRING:upload_file_name} %{GREEDYDATA}" + ] + } + } + mutate { + gsub => ["upload_file_name", ''"'', ""] + } + + } else { + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (filename|file_name)=%{QUOTEDSTRING:download_file_name} %{GREEDYDATA}" + ] + } 
+ } + mutate { + gsub => ["download_file_name", ''"'', ""] + } + } + } else if [logx][sophos][log_type] == "WAF" { + grok { + match => { + "msg" => [ + "%{GREEDYDATA} local_ip=%{QUOTEDSTRING:local_ip} %{GREEDYDATA}" + ] + } + } + mutate { + gsub => ["local_ip", ''"'', ""] + } + } else if [logx][sophos][log_type] == "Event" { + if ([logx][sophos][log_component] == "L2TP" or [logx][sophos][log_component] == "PPTP") { + grok { + match => { + "msg" => [ + "%{GREEDYDATA} localip=%{IP:src_ip} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} remotepeer=%{IP:dst_ip} %{GREEDYDATA}" + ] + } + } + mutate { + gsub => ["src_ip", ''"'', ""] + gsub => ["dst_ip", ''"'', ""] + } + } else if ([logx][sophos][log_component] == "DDNS" or [logx][sophos][log_component] == "DHCP Server") { + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (src_host|host|client_host_name|reported_host)=%{IPORHOST:src_host} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} client_physical_address=%{QUOTEDSTRING:src_mac} %{GREEDYDATA}" + ] + } + } + if ![src_ip] { + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (reported_ip|reportedip)=%{IPORHOST:src_ip} %{GREEDYDATA}", + "%{GREEDYDATA} (reported_ip|reportedip)=%{QUOTEDSTRING:src_ip} %{GREEDYDATA}" + ] + } + } + } + if ![src_ip] { + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (updatedip|updated_ip)=%{IPORHOST:src_ip} %{GREEDYDATA}", + "%{GREEDYDATA} (updatedip|updated_ip)=%{QUOTEDSTRING:src_ip} %{GREEDYDATA}" + ] + } + } + } + if ![src_ip] { + grok { + match => { + "msg" => [ + "%{GREEDYDATA} ipaddress=%{IPORHOST:src_ip} %{GREEDYDATA}", + "%{GREEDYDATA} ipaddress=%{QUOTEDSTRING:src_ip} %{GREEDYDATA}" + ] + } + } + } + if ![src_ip] { + grok { + match => { + "msg" => [ + "%{GREEDYDATA} leased_ip=%{IPORHOST:src_ip} %{GREEDYDATA}", + "%{GREEDYDATA} leased_ip=%{QUOTEDSTRING:src_ip} %{GREEDYDATA}" + ] + } + } + } + mutate { + gsub => ["src_ip", ''"'', ""] + gsub => ["src_mac", ''"'', ""] + gsub 
=> ["src_host", ''"'', ""] + } + } else if [logx][sophos][log_component] == "Quarantine" { + grok { + match => { + "msg" => [ + "%{GREEDYDATA} from=%{QUOTEDSTRING:email_sender} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} to=%{QUOTEDSTRING:email_recipient} %{GREEDYDATA}" + ] + } + } + mutate { + gsub => ["email_sender", ''"'', ""] + gsub => ["email_recipient", ''"'', ""] + } + } + } else if ([logx][sophos][log_type] == "Anti-spam" or [logx][sophos][log_type] == "Anti-Spam") + or ([log_type] == "Antivirus" or [log_type] == "Anti-Virus") { + if ([logx][sophos][log_component] == "SMTP" or [logx][sophos][log_component] == "SMTPS" + or [logx][sophos][log_component] == "POP3" or [logx][sophos][log_component] == "IMAP4" + or [logx][sophos][log_component] == "IMAPS" or [logx][sophos][log_component] == "POPS") { + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (sender|from_email_address)=%{QUOTEDSTRING:email_sender} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (recipient|to_email_address)=%{QUOTEDSTRING:email_recipient} %{GREEDYDATA}" + ] + } + } + mutate { + gsub => ["email_sender", ''"'', ""] + gsub => ["email_recipient", ''"'', ""] + } + } + } else if [logx][sophos][log_type] == "Sandbox" { + grok { + match => { + "msg" => [ + "%{GREEDYDATA} source=%{QUOTEDSTRING:domain} %{GREEDYDATA}" + ] + } + } + grok { + match => { + "msg" => [ + "%{GREEDYDATA} (file_hash|sha1sum)=%{QUOTEDSTRING:file_hash} %{GREEDYDATA}" + ] + } + } + mutate { + gsub => ["file_hash", ''"'', ""] + gsub => ["domain", ''"'', ""] + } + } + + + #Set logx tree structure + mutate { + #Fields from Firewall log_type, adding to logx tree structure + rename => { "[src_ip]" => "[logx][sophos][src_ip]" } + rename => { "[src_port]" => "[logx][sophos][src_port]" } + rename => { "[dst_ip]" => "[logx][sophos][dest_ip]" } + rename => { "[dst_port]" => "[logx][sophos][dest_port]" } + rename => { "[proto]" => "[logx][sophos][proto]" } + rename => { 
"[application]" => "[logx][sophos][application]" } + rename => { "[application_risk]" => "[logx][sophos][application_risk]" } + rename => { "[application_technology]" => "[logx][sophos][application_technology]" } + rename => { "[application_name]" => "[logx][sophos][application_name]" } + rename => { "[application_category]" => "[logx][sophos][application_category]" } + rename => { "[user_name]" => "[logx][sophos][user_name]" } + rename => { "[src_country_code]" => "[logx][sophos][src_country_code]" } + rename => { "[dst_country_code]" => "[logx][sophos][dst_country_code]" } + #1.3.7 + rename => { "[dst_mac]" => "[logx][sophos][dst_mac]" } + #2.1.0 + #Fields from Firewall XGS log_type, adding to logx tree structure + rename => { "[fw_rule_name]" => "[logx][sophos][fw_rule_name]" } + rename => { "[fw_rule_section]" => "[logx][sophos][fw_rule_section]" } + rename => { "[nat_rule_id]" => "[logx][sophos][nat_rule_id]" } + rename => { "[nat_rule_name]" => "[logx][sophos][nat_rule_name]" } + rename => { "[fw_rule_type]" => "[logx][sophos][fw_rule_type]" } + rename => { "[ether_type]" => "[logx][sophos][ether_type]" } + rename => { "[out_interface]" => "[logx][sophos][out_interface]" } + rename => { "[in_interface]" => "[logx][sophos][in_interface]" } + rename => { "[src_zone_type]" => "[logx][sophos][src_zone_type]" } + rename => { "[dst_zone_type]" => "[logx][sophos][dst_zone_type]" } + rename => { "[dst_zone]" => "[logx][sophos][dst_zone]" } + rename => { "[src_zone]" => "[logx][sophos][src_zone]" } + rename => { "[con_event]" => "[logx][sophos][con_event]" } + rename => { "[con_id]" => "[logx][sophos][con_id]" } + rename => { "[hb_status]" => "[logx][sophos][hb_status]" } + rename => { "[app_resolved_by]" => "[logx][sophos][app_resolved_by]" } + rename => { "[app_is_cloud]" => "[logx][sophos][app_is_cloud]" } + rename => { "[qualifier]" => "[logx][sophos][qualifier]" } + rename => { "[in_display_interface]" => "[logx][sophos][in_display_interface]" } + rename => { 
"[out_display_interface]" => "[logx][sophos][out_display_interface]" } + rename => { "[log_occurrence]" => "[logx][sophos][log_occurrence]" } + rename => { "[dst_country]" => "[logx][sophos][dst_country]" } + + + #New fields from Content Filtering log_type + rename => { "[category]" => "[logx][sophos][category]" } + rename => { "[category_type]" => "[logx][sophos][category_type]" } + rename => { "[url]" => "[logx][sophos][url]" } + rename => { "[download_file_name]" => "[logx][sophos][download_file_name]" } + rename => { "[download_file_type]" => "[logx][sophos][download_file_type]" } + rename => { "[upload_file_name]" => "[logx][sophos][upload_file_name]" } + rename => { "[upload_file_type]" => "[logx][sophos][upload_file_type]" } + + #New fields from Event log_type + rename => { "[reason]" => "[logx][sophos][reason]" } + rename => { "[event_message]" => "[logx][sophos][event_message]" } + #1.3.7 + rename => { "[src_mac]" => "[logx][sophos][src_mac]" } + rename => { "[client_used]" => "[logx][sophos][client_used]" } + rename => { "[src_host]" => "[logx][sophos][src_host]" } + rename => { "[reported_ip]" => "[logx][sophos][reported_ip]" } + rename => { "[updated_ip]" => "[logx][sophos][updated_ip]" } + rename => { "[gateway_name]" => "[logx][sophos][gateway_name]" } + + #New fields from WAF log_type + rename => { "[server]" => "[logx][sophos][server]" } + rename => { "[httpstatus]" => "[logx][sophos][httpstatus]" } + rename => { "[contenttype]" => "[logx][sophos][contenttype]" } + rename => { "[useragent]" => "[logx][sophos][useragent]" } + #1.3.7 + rename => { "[local_ip]" => "[logx][sophos][local_ip]" } + + #New fields from Antivirus log_type + #1.3.7 + rename => { "[severity]" => "[logx][sophos][severity]" } + rename => { "[malware_name]" => "[logx][sophos][malware_name]" } + rename => { "[domain]" => "[logx][sophos][domain]" } + rename => { "[user_group]" => "[logx][sophos][user_group]" } + rename => { "[direction]" => "[logx][sophos][direction]" } + rename => 
{ "[file_path]" => "[logx][sophos][file_path]" } + rename => { "[parent_application_name]" => "[logx][sophos][parent_application_name]" } + rename => { "[parent_application_category]" => "[logx][sophos][parent_application_category]" } + rename => { "[parent_application_risk]" => "[logx][sophos][parent_application_risk]" } + + #New fields from IDP log_type + rename => { "[classification]" => "[logx][sophos][classification]" } + rename => { "[platform]" => "[logx][sophos][platform]" } + rename => { "[target]" => "[logx][sophos][target]" } + + #New fields from ATP log_type + rename => { "[threatname]" => "[logx][sophos][threatname]" } + #1.3.7 + rename => { "[login_user]" => "[logx][sophos][login_user]" } + rename => { "[process_user]" => "[logx][sophos][process_user]" } + + #New fields from Anti-Spam log_type + #1.3.7 + rename => { "[email_sender]" => "[logx][sophos][email_sender]" } + rename => { "[email_recipient]" => "[logx][sophos][email_recipient]" } + rename => { "[action]" => "[logx][sophos][log_action]" } + + #New fields from System Health log_type + rename => { "[users]" => "[logx][sophos][users]" } + rename => { "[display_interface]" => "[logx][sophos][display_interface]" } + + #New fields from Sandbox log_type + #1.3.7 + rename => { "[file_hash]" => "[logx][sophos][file_hash]" } + + } + } + #Generating action field used by Correlation engine + if [logx][sophos][status] and [logx][sophos][status] =~/(Allow|Allow Session|Successful|Established|Connected|Success|Renew)/ { + mutate { + add_field => { "[logx][utm][action]" => "Success" } + } + } else if ([logx][sophos][status] and [logx][sophos][status] == "Interim") and + ([logx][sophos][sent_bytes] and [logx][sophos][sent_bytes] != "0") and ([logx][sophos][recv_bytes] and [logx][sophos][recv_bytes] != "0") { + mutate { + add_field => { "[logx][utm][action]" => "Success" } + } + } else if ([logx][sophos][log_subtype] and [logx][sophos][log_subtype] == "Allowed") and + (![logx][sophos][status] or 
[logx][sophos][status] == "") and + ([logx][sophos][sent_bytes] and [logx][sophos][sent_bytes] != "0") and + ([logx][sophos][recv_bytes] and [logx][sophos][recv_bytes] != "0") { + mutate { + add_field => { "[logx][utm][action]" => "Success" } + } + } else if [logx][sophos][log_component] and ([logx][sophos][log_component] == "FTP" or [logx][sophos][log_component] == "HTTP") and + ([logx][sophos][recv_bytes] and [logx][sophos][recv_bytes] != "0") { + mutate { + add_field => { "[logx][utm][action]" => "Success" } + } + } else if [logx][sophos][log_type] == "SSL" and ([logx][sophos][log_subtype] == "Decrypt" + or [logx][sophos][log_subtype] == "Do not decrypt" ) { + mutate { + add_field => { "[logx][utm][action]" => "Success" } + } + + } + #Finally, remove unnecessary fields + mutate { + remove_field => ["@version","path","tags","type","msg"] + } + + } + } + #Also, remove unwanted fields if the message not match with conditions + mutate { + remove_field => ["sophosDataSource","original_log_message","headers"] + } +}', + filter_version='2.1.0' + WHERE id=801; + + ]]> + + + diff --git a/backend/src/main/resources/config/liquibase/changelog/20250414002_updating_gcp_filter.xml b/backend/src/main/resources/config/liquibase/changelog/20250414002_updating_gcp_filter.xml new file mode 100644 index 000000000..d4a5f9a85 --- /dev/null +++ b/backend/src/main/resources/config/liquibase/changelog/20250414002_updating_gcp_filter.xml 
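Review bot: The XGS grok patterns from `out_interface={QUOTEDSTRING:out_interface}` through `dst_country={QUOTEDSTRING:dst_country}` are missing the `%` before the pattern reference, so they will not capture anything and the zone, interface, `con_id`, `hb_status` and related fields never reach `[logx][sophos]`. Each should follow the form used just above them, e.g. `"%{GREEDYDATA} out_interface=%{QUOTEDSTRING:out_interface} %{GREEDYDATA}"`. Separately, the mail branch tests `([log_type] == "Antivirus" or [log_type] == "Anti-Virus")` after `[log_type]` has already been renamed, so it should read `[logx][sophos][log_type]`; as written, Antivirus SMTP/POP3/IMAP events skip the `email_sender`/`email_recipient` extraction. Both gaps are silent: any correlation rule keyed on these fields simply sees no data, so a parsing test with one sample line per log_type would be worth adding alongside this changelog.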
@@ -0,0 +1,113 @@
+
+
+
+
+
+
+ "message"
+ }
+ }
+ if [resource][type] and [resource][labels][project_id] or [protoPayload][@type]{
+ #Generating dataType and dataSource fields
+ mutate {
+ add_field => {
+ "dataType" => "google"
+ }
+ }
+ if ([@metadata][dataSource]) {
+ mutate {
+ #Add based on metadata
+ add_field => {
+ "dataSource" => "%{[@metadata][dataSource]}"
+ }
+ add_field => {
+ "[logx][tenant]" => "%{[@metadata][dataSource]}"
+ }
+ }
+ }
+ mutate {
+ #Non variable fields, without fields inside
+ rename => { "[logName]" => "[logx][google][logName]" }
+ rename => { "[timestamp]" => "[logx][google][timestamp]" }
+ rename => { "[receiveTimestamp]" => "[logx][google][receiveTimestamp]" }
+ rename => { "[severity]" => "[logx][google][severityLabel]" }
+ rename => { "[insertId]" => "[logx][google][insertId]" }
+ rename => { "[trace]" => "[logx][google][trace]" }
+ rename => { "[spanId]" => "[logx][google][spanId]" }
+ rename => { "[traceSampled]" => "[logx][google][traceSampled]" }
+ rename => { "[message]" => "[logx][google][message]" }
+
+ #Non variable fields, with other fields inside
+ #httpRequest
+ rename => { "[httpRequest][requestMethod]" => "[logx][google][requestMethod]" }
+ rename => { "[httpRequest][requestUrl]" => "[logx][google][requestUrl]" }
+ rename => { "[httpRequest][requestSize]" => "[logx][google][requestSize]" }
+ rename => { "[httpRequest][status]" => "[logx][google][status]" }
+ rename => { "[httpRequest][responseSize]" => "[logx][google][responseSize]" }
+ rename => { "[httpRequest][userAgent]" => "[logx][google][userAgent]" }
+ rename => { "[httpRequest][serverIp]" => "[logx][google][dest_ip]" }
+ rename => { "[httpRequest][referer]" => "[logx][google][referer]" }
+ rename => { "[httpRequest][latency]" => "[logx][google][latency]" }
+ rename => { "[httpRequest][cacheLookup]" => "[logx][google][cacheLookup]" }
+ rename => { "[httpRequest][cacheHit]" => "[logx][google][cacheHit]" }
+ rename => { "[httpRequest][cacheValidatedWithOriginServer]" => "[logx][google][cacheValidatedWithOriginServer]" }
+ rename => { "[httpRequest][cacheFillBytes]" => "[logx][google][cacheFillBytes]" }
+ rename => { "[httpRequest][protocol]" => "[logx][google][proto]" }
+ #operation
+ rename => { "[operation][id]" => "[logx][google][operation_id]" }
+ rename => { "[operation][producer]" => "[logx][google][producer]" }
+ rename => { "[operation][first]" => "[logx][google][first]" }
+ rename => { "[operation][last]" => "[logx][google][last]" }
+ #sourceLocation
+ rename => { "[sourceLocation][file]" => "[logx][google][file]" }
+ rename => { "[sourceLocation][line]" => "[logx][google][line]" }
+ rename => { "[sourceLocation][function]" => "[logx][google][function]" }
+
+ #Fields with variable content, stay the same as in the source
+ rename => { "[resource]" => "[logx][google][resource]" }
+ rename => { "[labels]" => "[logx][google][labels]" }
+
+ #Union payload field, variants, stay the same as in the source
+ rename => { "[jsonPayload]" => "[logx][google][jsonPayload]" }
+ rename => { "[protoPayload]" => "[logx][google][protoPayload]" }
+ rename => { "[textPayload]" => "[logx][google][textPayload]" }
+
+ }
+ #............................................................................................
+ #Generate src_ip used in correlation engine
+ if [logx][google][protoPayload][requestMetadata][callerIp] {
+ mutate {
+ rename => { "[httpRequest][remoteIp]" => "[logx][google][remoteIp]" }
+ rename => { "[logx][google][protoPayload][requestMetadata][callerIp]" => "[logx][google][src_ip]" }
+ }
+ } else {
+ mutate {
+ rename => { "[httpRequest][remoteIp]" => "[logx][google][src_ip]" }
+ }
+ }
+
+ #Finally remove unused fields
+ mutate {
+ remove_field => ["path","@version","httpRequest","operation","sourceLocation"]
+ }
+ }
+ }',
+ filter_version='1.3.0'
+ WHERE id=1301;
+
+ ]]>
+
+
+
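Review bot: The top-level guard `if [resource][type] and [resource][labels][project_id] or [protoPayload][@type]{` mixes `and` and `or` without parentheses, so which events are labelled `dataType => "google"` and fed to the rest of the filter depends on operator precedence the reader has to know. If the intent is "both resource fields present, or an audit payload present", spell it out as `if ([resource][type] and [resource][labels][project_id]) or [protoPayload][@type] {`. Under that reading any event that carries a `[protoPayload][@type]` field is treated as a Google log whatever its resource fields say, and its `callerIp` becomes the `src_ip` the correlation engine uses, so it is worth confirming that this is the wanted behaviour. A one-line comment above the condition stating which log shapes it is meant to accept would also help, for example `#Accept entries with a monitored resource, or audit entries carrying protoPayload`. The opening lines of the changeset are not readable in this view, so this note covers only the filter body.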
diff --git a/backend/src/main/resources/config/liquibase/master.xml b/backend/src/main/resources/config/liquibase/master.xml index 9de1c5f7b..1642ad210 100644 --- a/backend/src/main/resources/config/liquibase/master.xml +++ b/backend/src/main/resources/config/liquibase/master.xml @@ -85,4 +85,8 @@ + + + + From 2cd9fc04019ce09e5c748f61d69d3345ba6cafbb Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Tue, 15 Apr 2025 12:12:39 -0500 Subject: [PATCH 3/6] chore: update changelog --- CHANGELOG.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fc15adeb4..ba1adb9b9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,8 +1,10 @@ -# UTMStack 10.7.2 Release Notes --- Implemented backend support for filtering compliance reports based on active integrations, optimizing query performance and data retrieval. +# UTMStack 10.7.3 Release Notes + +### Features +-- Implemented backend support for filtering compliance reports based on active integrations. +-- Introduced new PCI DSS compliance reports. +-- Enabled creation and update of tag-based rules with dynamic conditions. ### Bug Fixes --- Improved exception handling in `automaticReview` to prevent the process from stopping due to errors, ensuring the system continues evaluating alerts even if a specific rule fails. --- Improved operator selection for more accurate and consistent filtering. --- Introduced new compliance reports aligned with the PCI DSS standard to expand auditing capabilities. --- Enabled creation and update of tag-based rules with dynamic conditions. \ No newline at end of file +-- Improved exception handling in `automaticReview`. +-- Improved operator selection accuracy for filtering. \ No newline at end of file From 5333b09803c10506b9aec114b72efe821f7bdb00 Mon Sep 17 00:00:00 2001 
From: Manuel Abascal Date: Tue, 15 Apr 2025 12:14:53 -0500 Subject: [PATCH 4/6] chore: update changelog --- CHANGELOG.md | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ba1adb9b9..aa1c862da 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,10 +1,8 @@ # UTMStack 10.7.3 Release Notes - -### Features --- Implemented backend support for filtering compliance reports based on active integrations. --- Introduced new PCI DSS compliance reports. --- Enabled creation and update of tag-based rules with dynamic conditions. +-- Implemented backend support for filtering compliance reports based on active integrations, optimizing query performance and data retrieval. +-- Introduced new compliance reports aligned with the PCI DSS standard to expand auditing capabilities. +-- Added support for creating and updating tag-based rules with dynamic conditions. ### Bug Fixes --- Improved exception handling in `automaticReview`. --- Improved operator selection accuracy for filtering. \ No newline at end of file +-- Improved exception handling in `automaticReview` to prevent the process from stopping due to errors, ensuring the system continues evaluating alerts even if a specific rule fails. +-- Improved operator selection for more accurate and consistent filtering. \ No newline at end of file From 00a03776350afa6de8f493bd717d8ce32563caaa Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Tue, 15 Apr 2025 12:12:39 -0500 Subject: [PATCH 5/6] chore: update changelog --- CHANGELOG.md | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index fc15adeb4..ba1adb9b9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,8 +1,10 @@ -# UTMStack 10.7.2 Release Notes --- Implemented backend support for filtering compliance reports based on active integrations, optimizing query performance and data retrieval. +# UTMStack 10.7.3 Release Notes + +### Features +-- Implemented backend support for filtering compliance reports based on active integrations. +-- Introduced new PCI DSS compliance reports. +-- Enabled creation and update of tag-based rules with dynamic conditions. ### Bug Fixes --- Improved exception handling in `automaticReview` to prevent the process from stopping due to errors, ensuring the system continues evaluating alerts even if a specific rule fails. --- Improved operator selection for more accurate and consistent filtering. --- Introduced new compliance reports aligned with the PCI DSS standard to expand auditing capabilities. --- Enabled creation and update of tag-based rules with dynamic conditions. \ No newline at end of file +-- Improved exception handling in `automaticReview`. +-- Improved operator selection accuracy for filtering. \ No newline at end of file From f3c195150b05bb6e47ecea405c50a4361afb1960 Mon Sep 17 00:00:00 2001 From: Manuel Abascal Date: Tue, 15 Apr 2025 12:14:53 -0500 Subject: [PATCH 6/6] chore: update changelog --- CHANGELOG.md | 12 +++++------- 1 file changed, 5 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index ba1adb9b9..aa1c862da 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,10 +1,8 @@ # UTMStack 10.7.3 Release Notes - -### Features --- Implemented backend support for filtering compliance reports based on active integrations. --- Introduced new PCI DSS compliance reports. --- Enabled creation and update of tag-based rules with dynamic conditions. +-- Implemented backend support for filtering compliance reports based on active integrations, optimizing query performance and data retrieval. +-- Introduced new compliance reports aligned with the PCI DSS standard to expand auditing capabilities. +-- Added support for creating and updating tag-based rules with dynamic conditions. ### Bug Fixes --- Improved exception handling in `automaticReview`. --- Improved operator selection accuracy for filtering. \ No newline at end of file +-- Improved exception handling in `automaticReview` to prevent the process from stopping due to errors, ensuring the system continues evaluating alerts even if a specific rule fails. +-- Improved operator selection for more accurate and consistent filtering. \ No newline at end of file