CSCv7|16.13

Title

Alert on Account Login Behavior Deviation

Description

Alert when users deviate from normal login behavior, such as time-of-day, workstation location and duration.

Reference Item Details

Reference: CIS Critical Security Controls v7

Category: Account Monitoring and Control

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
1.1.8 Enable Azure AD Identity Protection sign-in risk policies	microsoft_azure	CIS Microsoft 365 Foundations E5 L2 v1.5.0
1.1.8 Enable Azure AD Identity Protection sign-in risk policies	microsoft_azure	CIS Microsoft 365 Foundations E5 L2 v1.4.0
1.1.8 Enable Identity Protection to identify anomalous logon behavior	microsoft_azure	CIS Microsoft 365 Foundations E5 L1 v1.3.0
1.1.9 Enable Azure AD Identity Protection sign-in risk policies	microsoft_azure	CIS Microsoft 365 Foundations E5 L2 v1.3.0
1.1.9 Enable Azure AD Identity Protection user risk policies	microsoft_azure	CIS Microsoft 365 Foundations E5 L2 v1.4.0
1.1.9 Enable Azure AD Identity Protection user risk policies	microsoft_azure	CIS Microsoft 365 Foundations E5 L2 v1.5.0
1.1.10 Enable Azure AD Identity Protection user risk policies	microsoft_azure	CIS Microsoft 365 Foundations E5 L2 v1.3.0
1.1.13 Enable Azure AD Identity Protection sign-in risk policies	microsoft_azure	CIS Microsoft 365 Foundations E5 L2 v2.0.0
1.1.14 Enable Azure AD Identity Protection user risk policies	microsoft_azure	CIS Microsoft 365 Foundations E5 L2 v2.0.0
1.3.10 Ensure 'Password Profiles' do not exist	Palo_Alto	CIS Palo Alto Firewall 10 v1.1.0 L1
17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 8.1 v2.4.0 L1 Bitlocker
17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 8.1 v2.4.0 L1
17.1.1 (L1) Ensure 'Audit Credential Validation' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1 Bitlocker
17.1.1 Ensure 'Audit Credential Validation' is set to 'Success and Failure'	Windows	CIS Windows Server 2012 DC L1 v2.2.0
17.1.1 Ensure 'Audit Credential Validation' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2016 STIG NG MS L3 v1.0.0
17.1.1 Ensure 'Audit Credential Validation' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 8.1 v2.4.1 L1
17.1.1 Ensure 'Audit Credential Validation' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2016 STIG MS L1 v1.0.0
17.1.1 Ensure 'Audit Credential Validation' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2016 DC L1 v1.3.0
17.1.1 Ensure 'Audit Credential Validation' is set to 'Success and Failure'	Windows	CIS Windows Server 2012 R2 DC L1 v2.4.0
17.1.1 Ensure 'Audit Credential Validation' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2016 STIG DC L1 v1.0.0
17.1.1 Ensure 'Audit Credential Validation' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2016 STIG NG DC L3 v1.0.0
17.1.1 Ensure 'Audit Credential Validation' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.2.0
17.1.1 Ensure 'Audit Credential Validation' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.2.0
17.1.1 Ensure 'Audit Credential Validation' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2008 Member Server Level 1 v3.2.0
17.1.1 Ensure 'Audit Credential Validation' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2016 DC L1 v1.2.0
17.1.1 Ensure 'Audit Credential Validation' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2016 MS L1 v1.2.0
17.1.1 Ensure 'Audit Credential Validation' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2016 MS L1 v1.3.0
17.1.1 Ensure 'Audit Credential Validation' is set to 'Success and Failure'	Windows	CIS Windows Server 2012 MS L1 v2.2.0
17.1.1 Ensure 'Audit Credential Validation' is set to 'Success and Failure'	Windows	CIS Windows Server 2012 R2 MS L1 v2.4.0
17.1.1 Ensure 'Audit Credential Validation' is set to 'Success and Failure'	Windows	CIS Microsoft Windows 10 Enterprise (Release 2004) v1.9.1 L1
17.1.1 Ensure 'Audit Credential Validation' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.2.0
17.1.2 Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2016 STIG NG DC L3 v1.0.0
17.1.2 Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only)	Windows	CIS Microsoft Windows Server 2016 DC L1 v1.2.0
17.1.2 Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only)	Windows	CIS Windows Server 2012 R2 DC L1 v2.4.0
17.1.2 Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only)	Windows	CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.2.0
17.1.2 Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only)	Windows	CIS Microsoft Windows Server 2016 DC L1 v1.3.0
17.1.2 Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only)	Windows	CIS Windows Server 2012 DC L1 v2.2.0
17.1.2 Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only)	Windows	CIS Microsoft Windows Server 2016 STIG DC L1 v1.0.0
17.1.2 Ensure 'Audit Kerberos Authentication Service' is set to 'Success and Failure' (DC Only)	Windows	CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.2.0
17.1.3 Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2016 STIG NG DC L3 v1.0.0
17.1.3 Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only)	Windows	CIS Microsoft Windows Server 2016 STIG DC L1 v1.0.0
17.1.3 Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only)	Windows	CIS Microsoft Windows Server 2016 DC L1 v1.2.0
17.1.3 Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only)	Windows	CIS Windows Server 2012 DC L1 v2.2.0
17.1.3 Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only)	Windows	CIS Microsoft Windows Server 2016 DC L1 v1.3.0
17.1.3 Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only)	Windows	CIS Windows Server 2012 R2 DC L1 v2.4.0
17.1.3 Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only)	Windows	CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.2.0
17.1.3 Ensure 'Audit Kerberos Service Ticket Operations' is set to 'Success and Failure' (DC Only)	Windows	CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.2.0
17.5.2 (L1) Ensure 'Audit Logoff' is set to include 'Success'	Windows	CIS Windows Server 2012 R2 DC L1 v3.0.0
17.5.2 (L1) Ensure 'Audit Logoff' is set to include 'Success'	Windows	CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.3.1
17.5.2 (L1) Ensure 'Audit Logoff' is set to include 'Success'	Windows	CIS Microsoft Windows Server 2008 Domain Controller Level 1 v3.3.1

Detections

Analytics

CSCv7|16.13

Title

Description

Reference Item Details

Audit Items