
CCC.Core.C07: Alert on Unusual Enumeration Activity

Control ID: CCC.Core.C07
Title: Alert on Unusual Enumeration Activity
Objective: Ensure that logs and associated alerts are generated when unusual enumeration activity is detected that may indicate reconnaissance activities.
Control Family: Logging & Monitoring

Related Threats

ID: CCC.Core.TH15
Title: Automated Enumeration and Reconnaissance by Non-human Entities
Description: Automated processes may be used to gather details about service and child resource elements such as APIs, file systems, or directories. This information can reveal vulnerabilities, misconfigurations, and the network topology, which can be used to plan an attack against the system, the service, or its child resources.
External Mappings: 1
Capability Mappings: 1
Control Mappings: 0

Related Capabilities

ID: CCC.Core.F14
Title: API Access
Description: The service exposes a port enabling external actors to interact programmatically with the service and its resources using HTTP protocol methods such as GET, POST, PUT, and DELETE.

Guideline Mappings

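Reference ID: NIST-CSF
Entry ID: DE.AE-1
Strength: 0
Remarks: -

Reference ID: CCM
Entry ID: LOG-05
Strength: 3
Remarks: Audit Logs Monitoring and Response (take action on detected anomalies)

Reference ID: CCM
Entry ID: SEF-05
Strength: 3
Remarks: Incident Response Metrics (establish and monitor metrics)

Reference ID: NIST_800_53
Entry ID: AU-6
Strength: 0
Remarks: -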

Assessment Requirements

ID: CCC.Core.C07.TR01
Description: When enumeration activities are detected, the service MUST publish an event to a monitored channel which includes the client identity, time, and nature of the activity.
Applicability: tlp-amber, tlp-red

ID: CCC.Core.C07.TR02
Description: When enumeration activities are detected, the service MUST log the client identity, time, and nature of the activity.
Applicability: tlp-clear, tlp-green, tlp-amber, tlp-red