CSCv6|16.10

Title

Profile each user's typical account usage by determining normal time-of-day access and access duration.

Description

Profile each user's typical account usage by determining normal time-of-day access and access duration. Reports should be generated that indicate users who have logged in during unusual hours or have exceeded their normal login duration. This includes flagging the use of the user's credentials from a computer other than computers on which the user generally works.

Reference Item Details

Reference: CIS Critical Security Controls v6

Category: Account Monitoring and Control

Family: Application

Audit Items

View all Reference Audit Items

Name	Plugin	Audit Name
2.1 Ensure that IP addresses are mapped to usernames - User ID Agents	Palo_Alto	CIS Palo Alto Firewall 8 Benchmark L2 v1.0.0
2.1 Ensure that IP addresses are mapped to usernames - User ID Agents	Palo_Alto	CIS Palo Alto Firewall 9 Benchmark L2 v1.0.0
2.1 Ensure that IP addresses are mapped to usernames - Zones	Palo_Alto	CIS Palo Alto Firewall 9 Benchmark L2 v1.0.0
2.1 Ensure that IP addresses are mapped to usernames - Zones	Palo_Alto	CIS Palo Alto Firewall 8 Benchmark L2 v1.0.0
2.3 Ensure that User-ID is only enabled for internal trusted interfaces	Palo_Alto	CIS Palo Alto Firewall 9 Benchmark v1.0.0 L1
2.3 Ensure that User-ID is only enabled for internal trusted interfaces	Palo_Alto	CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled	Palo_Alto	CIS Palo Alto Firewall 9 Benchmark v1.0.0 L1
2.4 Ensure that 'Include/Exclude Networks' is used if User-ID is enabled	Palo_Alto	CIS Palo Alto Firewall 8 Benchmark L1 v1.0.0
17.5.2 Ensure 'Audit Logoff' is set to 'Success'	Windows	CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.1.0
17.5.2 Ensure 'Audit Logoff' is set to 'Success'	Windows	CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.1.0
17.5.2 Ensure 'Audit Logoff' is set to include 'Success'	Windows	CIS Windows Server 2012 R2 DC L1 v2.5.0
17.5.2 Ensure 'Audit Logoff' is set to include 'Success'	Windows	CIS Windows Server 2012 R2 MS L1 v2.5.0
17.5.2 Ensure 'Audit Logoff' is set to include 'Success'	Windows	CIS Windows Server 2012 DC L1 v2.2.0
17.5.2 Ensure 'Audit Logoff' is set to include 'Success'	Windows	CIS Windows Server 2012 R2 DC L1 v2.4.0
17.5.2 Ensure 'Audit Logoff' is set to include 'Success'	Windows	CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.2.0
17.5.2 Ensure 'Audit Logoff' is set to include 'Success'	Windows	CIS Windows Server 2012 MS L1 v2.2.0
17.5.2 Ensure 'Audit Logoff' is set to include 'Success'	Windows	CIS Windows Server 2012 R2 MS L1 v2.4.0
17.5.2 Ensure 'Audit Logoff' is set to include 'Success'	Windows	CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.2.0
17.5.3 Ensure 'Audit Logoff' is set to include 'Success'	Windows	CIS Microsoft Windows Server 2016 MS L1 v1.2.0
17.5.3 Ensure 'Audit Logoff' is set to include 'Success'	Windows	CIS Microsoft Windows Server 2016 DC L1 v1.2.0
17.5.3 Ensure 'Audit Logoff' is set to include 'Success'	Windows	CIS Microsoft Windows Server 2016 DC L1 v1.3.0
17.5.3 Ensure 'Audit Logoff' is set to include 'Success'	Windows	CIS Microsoft Windows Server 2016 MS L1 v1.3.0
17.5.3 Ensure 'Audit Logon' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.2.0
17.5.3 Ensure 'Audit Logon' is set to 'Success and Failure'	Windows	CIS Windows Server 2012 MS L1 v2.2.0
17.5.3 Ensure 'Audit Logon' is set to 'Success and Failure'	Windows	CIS Windows Server 2012 R2 MS L1 v2.5.0
17.5.3 Ensure 'Audit Logon' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.1.0
17.5.3 Ensure 'Audit Logon' is set to 'Success and Failure'	Windows	CIS Windows Server 2012 R2 MS L1 v2.4.0
17.5.3 Ensure 'Audit Logon' is set to 'Success and Failure'	Windows	CIS Windows Server 2012 R2 DC L1 v2.5.0
17.5.3 Ensure 'Audit Logon' is set to 'Success and Failure'	Windows	CIS Windows Server 2012 R2 DC L1 v2.4.0
17.5.3 Ensure 'Audit Logon' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.2.0
17.5.3 Ensure 'Audit Logon' is set to 'Success and Failure'	Windows	CIS Windows Server 2012 DC L1 v2.2.0
17.5.3 Ensure 'Audit Logon' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.1.0
17.5.4 Ensure 'Audit Logon' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2016 DC L1 v1.3.0
17.5.4 Ensure 'Audit Logon' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2016 DC L1 v1.2.0
17.5.4 Ensure 'Audit Logon' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2016 MS L1 v1.3.0
17.5.4 Ensure 'Audit Logon' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2016 MS L1 v1.2.0
17.5.4 Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'	Windows	CIS Windows Server 2012 R2 MS L1 v2.5.0
17.5.4 Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.2.0
17.5.4 Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'	Windows	CIS Windows Server 2012 R2 MS L1 v2.4.0
17.5.4 Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'	Windows	CIS Windows Server 2012 R2 DC L1 v2.5.0
17.5.4 Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'	Windows	CIS Windows Server 2012 DC L1 v2.2.0
17.5.4 Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'	Windows	CIS Windows Server 2012 MS L1 v2.2.0
17.5.4 Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'	Windows	CIS Windows Server 2012 R2 DC L1 v2.4.0
17.5.4 Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.2.0
17.5.4 Set 'Audit Other Logon/Logoff Events' to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2008 R2 Domain Controller Level 1 v3.1.0
17.5.4 Set 'Audit Other Logon/Logoff Events' to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2008 R2 Member Server Level 1 v3.1.0
17.5.5 Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2016 DC L1 v1.2.0
17.5.5 Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2016 MS L1 v1.3.0
17.5.5 Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2016 DC L1 v1.3.0
17.5.5 Ensure 'Audit Other Logon/Logoff Events' is set to 'Success and Failure'	Windows	CIS Microsoft Windows Server 2016 MS L1 v1.2.0

Detections

Analytics

CSCv6|16.10

Title

Description

Reference Item Details

Audit Items