118 ElastAlert2 rules + 5 GRC docs: complete CSfC CM Annex V1.0 compliance toolkit
All 9 monitoring sections plus mandatory GRC templates.
Equivalent consultant cost avoided, at GSA rates of $150 to $332/hour.
CM Policy, Data Lifecycle, COOP, Logging Standards, Audit Checklist.
All 118 rules pass schema validation on Elasticsearch 8.12.
118 ElastAlert2 rules + 5 mandatory GRC documents. Complete CSfC CM Annex V1.0 coverage.
One-time purchase, no subscription.
Save 400+ hours of documentation work and start immediately with expert-crafted templates.
Every rule follows this exact structure: NSA requirement reference, ECS 8.x fields, severity classification, and actionable remediation steps.
# Requirement: CM-SM-9
# Source: CSfC CM Annex V1.0 - Table 16
# Severity: HIGH
# ECS Version: 8.x
name: "CM-SM-9 - Failed Login Threshold Exceeded"
index: windows-events
type: frequency
num_events: 3
timeframe:
  hours: 24
query_key: host.name
realert:
  minutes: 15
timestamp_field: "@timestamp"
filter:
  - term:
      winlog.event_id: 4625
alert_subject: "[CM-SM-9] [HIGH] Failed Login Threshold"
alert:
  - debug
  - indexer
Maps directly to CM-SM-9 in NSA CSfC CM Annex V1.0 Table 16, so every alert is traceable to the exact NSA requirement.
Uses winlog.event_id (not EventID), the correct field name for Winlogbeat 8.x and Elastic Agent deployments.
type: frequency with num_events: 3 and timeframe: 24 hours exactly matches the CSfC CM-SM-9 threshold.
realert: 15 minutes prevents alert flooding while ensuring ongoing attacks are still reported.
Every alert includes 5 specific actions the analyst should take, not just a notification.
Alerts go to both the debug log and an Elasticsearch index for dashboard visibility and an audit trail.
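As an added example (not code from this product or from ElastAlert2 itself), the Python below models how the CM-SM-9 settings above interact on a stream of events, and checks a rule file for the header lines and top-level keys the page says every rule carries. The frequency and realert semantics it implements (count per query_key, fire and reset the window when num_events matches fall inside timeframe, silence further alerts for that key during realert) are my reading of ElastAlert2 and are an assumption; the rule text and the Windows Security events are constructed sample data.

```python
"""Behavioural model of the CM-SM-9 frequency rule plus a structural check.

ADDED EXAMPLE, not product or ElastAlert2 code. The frequency/realert
behaviour below is an assumption about how ElastAlert2 evaluates rules.
"""
from collections import deque
from datetime import datetime, timedelta, timezone

# Parameters copied from the CM-SM-9 rule shown on the page.
CM_SM_9 = {
    "num_events": 3,
    "timeframe": timedelta(hours=24),
    "query_key": "host.name",
    "realert": timedelta(minutes=15),
    "event_id": 4625,  # filter: term winlog.event_id: 4625
}

# Header lines and top-level keys the page says every rule carries.
REQUIRED_HEADER = ("# Requirement:", "# Source:", "# Severity:", "# ECS Version:")
REQUIRED_KEYS = ("name:", "index:", "type:", "filter:", "alert:")

# The page's rule, embedded here as test input (constructed copy).
SAMPLE_RULE_TEXT = """
# Requirement: CM-SM-9
# Source: CSfC CM Annex V1.0 - Table 16
# Severity: HIGH
# ECS Version: 8.x
name: "CM-SM-9 - Failed Login Threshold Exceeded"
index: windows-events
type: frequency
num_events: 3
timeframe:
  hours: 24
query_key: host.name
realert:
  minutes: 15
timestamp_field: "@timestamp"
filter:
  - term:
      winlog.event_id: 4625
alert_subject: "[CM-SM-9] [HIGH] Failed Login Threshold"
alert:
  - debug
  - indexer
"""


def check_rule_text(text):
    """Return a list of structural problems with a rule file (empty list = ok)."""
    lines = text.strip().splitlines()
    problems = []
    for tag in REQUIRED_HEADER:
        if not any(line.startswith(tag) for line in lines[:4]):
            problems.append(f"missing header line {tag!r}")
    for key in REQUIRED_KEYS:
        if not any(line.startswith(key) for line in lines):
            problems.append(f"missing top-level key {key!r}")
    if "EventID" in text:
        problems.append("legacy 'EventID' field used; ECS 8.x name is 'winlog.event_id'")
    return problems


def evaluate_frequency_rule(events, rule):
    """Return [(timestamp, host)] for each alert the rule would actually send."""
    windows = {}     # host -> deque of timestamps of matching events
    last_alert = {}  # host -> time the last alert was sent (realert tracking)
    alerts = []
    for ev in sorted(events, key=lambda e: e["@timestamp"]):
        if ev.get("winlog", {}).get("event_id") != rule["event_id"]:
            continue  # filter: only failed-logon events count
        host, ts = ev["host"]["name"], ev["@timestamp"]
        window = windows.setdefault(host, deque())
        window.append(ts)
        while ts - window[0] > rule["timeframe"]:
            window.popleft()  # age out matches older than timeframe
        if len(window) >= rule["num_events"]:
            windows.pop(host)  # threshold hit: window for this host resets
            prev = last_alert.get(host)
            if prev is None or ts - prev >= rule["realert"]:
                alerts.append((ts, host))
                last_alert[host] = ts
            # otherwise the match falls inside realert and is silenced
    return alerts


def _event(host, event_id, minutes):
    """Constructed ECS-style Windows Security event (not real data)."""
    base = datetime(2024, 1, 1, tzinfo=timezone.utc)
    return {"@timestamp": base + timedelta(minutes=minutes),
            "host": {"name": host}, "winlog": {"event_id": event_id}}


SAMPLE_EVENTS = [
    _event("ws-01", 4625, 0), _event("ws-01", 4625, 60), _event("ws-01", 4625, 120),       # 3 in 2h: alert
    _event("ws-01", 4625, 125), _event("ws-01", 4625, 128), _event("ws-01", 4625, 130),    # 3 more, 10 min later: silenced
    _event("ws-02", 4625, 0), _event("ws-02", 4624, 30), _event("ws-02", 4625, 600),       # only 2 failures: nothing
    _event("ws-01", 4625, 1800), _event("ws-01", 4625, 1810), _event("ws-01", 4625, 1820),  # next day: alert again
]


def demo():
    """Run the rule over the constructed events; expect two ws-01 alerts."""
    return evaluate_frequency_rule(SAMPLE_EVENTS, CM_SM_9)


if __name__ == "__main__":
    print("rule structure problems:", check_rule_text(SAMPLE_RULE_TEXT))
    for ts, host in demo():
        print(f"ALERT {ts.isoformat()} {host}")
```

The second burst on ws-01 is the point of realert: the threshold is crossed again ten minutes after the first alert, but nothing is sent, while the burst a day later fires normally. check_rule_text is deliberately a text-level check only; the page's claim that all rules pass schema validation refers to ElastAlert2's own loader, which this does not replace.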
Total time: under 3 minutes from purchase to your first detection alert firing.
Receive your ZIP instantly after purchase. Contains all rules, deployment guide, and config sample.
Run pip install elastalert2, then copy config.yaml to your ElastAlert directory and point it at your Elasticsearch instance.
Copy the rule files to your rules/ directory and start with one command: elastalert --config config.yaml
ElastAlert begins monitoring immediately. First alerts fire as soon as matching events appear in your Windows Security logs.
The complete NSA CSfC Continuous Monitoring compliance toolkit: 118 ElastAlert2 rules covering all 9 monitoring sections (CM-SM, CM-MP1 through CM-MP8) plus 5 mandatory GRC documents: CM Policy and Procedures, Data Lifecycle Plan, Continuity of Operations Plan, Logging Standards Guide, and Audit Checklist with compliance dashboard. All rules use ECS 8.x field mappings, validated against live Elasticsearch 8.12 with 7,200 synthetic Windows Security events across 33 unique EventIDs. Includes CP Selection Guide for MA, MSC, and WLAN deployments.
Complete compliance evidence package for the Authorizing Official.
118 pre-built rules covering every monitoring point β deploy immediately.
5 mandatory documents with audit checklist β compliance-ready on day one.
Deliver CSfC CM compliance to government clients without building from scratch.
Download a free sample PDF to review the quality, structure, and depth of this product before purchasing.
Free account required, no credit card needed.
The Universal Core has 67 rules covering CM-SM, MP6, and MP7. This Complete Bundle adds 51 more rules for CM-MP1 through CM-MP5 and CM-MP8, plus 5 mandatory GRC documents: everything you need for full CSfC CM compliance.
CM Policy and Procedures (CM-GR-13), Data Lifecycle Plan (CM-GR-20), Continuity of Operations Plan (CM-GR-14/15/16/17), Logging Standards Guide (CM-LN-1 through CM-LN-17), and Audit Checklist with compliance dashboard.
The included CP Selection Guide has a matrix showing which rule sets apply to Mobile Access (MA), Multi-Site Connectivity (MSC), and Campus WLAN deployments.
Yes: rules are plain YAML files, and documents are in Word (.docx) and Excel (.xlsx) formats. Fully editable.
Yes: create a free account and download 4 sample rules plus the deployment quickstart guide.
Use code LAUNCH20 for 20% off
All sales final; no refunds on digital downloads.