67 ElastAlert2 rules for CSfC CM-SM, MP6 & MP7: mandatory for every CSfC deployment
Covering CM-SM, CM-MP6, and CM-MP7, mandatory for every CSfC deployment.
Equivalent consultant cost avoided. GSA rate: $150–$332/hour.
Copy YAML files, restart ElastAlert2, first alert fires immediately.
All 67 rules pass schema validation on Elasticsearch 8.12.
Save 200+ hours of documentation work: start immediately with expert-crafted templates.
67 production-ready ElastAlert2 rules for NSA CSfC CM compliance. Deploy in 3 minutes.
One-time purchase, no subscription
Every rule follows this exact structure: NSA requirement reference, ECS 8.x fields, severity classification, and actionable remediation steps.
```yaml
# Requirement: CM-SM-9
# Source: CSfC CM Annex V1.0, Table 16
# Severity: HIGH
# ECS Version: 8.x
name: "CM-SM-9 - Failed Login Threshold Exceeded"
index: windows-events
type: frequency
num_events: 3
timeframe:
  hours: 24
query_key: host.name
realert:
  minutes: 15
timestamp_field: "@timestamp"
filter:
  - term:
      winlog.event_id: 4625
alert_subject: "[CM-SM-9] [HIGH] Failed Login Threshold"
alert:
  - debug
  - indexer
```
Maps directly to CM-SM-9 in NSA CSfC CM Annex V1.0 Table 16, traceable to the exact NSA requirement.
Uses winlog.event_id (not EventID), which is correct for Winlogbeat 8.x and Elastic Agent deployments.
type: frequency with num_events: 3 and timeframe: 24 hours, exactly matching the CSfC CM-SM-9 threshold.
realert: 15 minutes prevents alert flooding while ensuring ongoing attacks are still reported.
Every alert includes 5 specific actions the analyst should take β not just a notification.
Alerts go to both debug log and Elasticsearch index for dashboard visibility and audit trail.
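To make the firing behaviour of these settings concrete, here is an added simulation (written for this page, not ElastAlert2's own code and not part of the rule pack) of the frequency, query_key and realert semantics of the CM-SM-9 rule over a few constructed Winlogbeat-style events; the RULE dict and the event shape are assumptions that mirror the YAML above.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Settings lifted from the CM-SM-9 rule (hypothetical dict, not ElastAlert2 config)
RULE = {
    "num_events": 3,
    "timeframe": timedelta(hours=24),
    "query_key": "host.name",
    "realert": timedelta(minutes=15),
    "filter_event_id": 4625,
}

def run_frequency_rule(events, rule=RULE):
    """Return (timestamp, host) pairs where the rule would alert.
    events: ECS-style dicts sorted by @timestamp. A sliding window of
    matching events is kept per query_key; an alert fires when num_events
    land inside timeframe, and the same key is silenced for realert."""
    windows, last_alert, alerts = defaultdict(deque), {}, []
    for ev in events:
        if ev["winlog"]["event_id"] != rule["filter_event_id"]:
            continue  # filter: term winlog.event_id
        ts, key = ev["@timestamp"], ev["host"]["name"]
        win = windows[key]
        win.append(ts)
        while ts - win[0] > rule["timeframe"]:  # drop events outside timeframe
            win.popleft()
        if len(win) < rule["num_events"]:
            continue
        if key in last_alert and ts - last_alert[key] < rule["realert"]:
            continue  # suppressed by realert
        last_alert[key] = ts
        alerts.append((ts, key))
    return alerts

def event(ts, host, event_id):
    """Minimal ECS 8.x shape of a Winlogbeat Security event (constructed)."""
    return {"@timestamp": ts, "host": {"name": host}, "winlog": {"event_id": event_id}}

def sample_alerts():
    """Constructed sample: ws01 fails 3 logins in 10 min, retries at 12 and 30 min;
    ws02 has one success (4624) and two failures, below the threshold."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    m = lambda n: t0 + timedelta(minutes=n)
    events = [event(m(0), "ws01", 4625), event(m(1), "ws02", 4624),
              event(m(5), "ws01", 4625), event(m(6), "ws02", 4625),
              event(m(10), "ws01", 4625), event(m(12), "ws01", 4625),
              event(m(20), "ws02", 4625), event(m(30), "ws01", 4625)]
    return run_frequency_rule(events)  # -> alerts at +10m and +30m for ws01
```

The retry at 12 minutes is swallowed by realert, while the one at 30 minutes alerts again because the 24-hour window still holds at least three failures.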
Total time: under 3 minutes from purchase to your first detection alert firing.
Receive your ZIP instantly after purchase. Contains all rules, deployment guide, and config sample.
pip install elastalert2, then copy config.yaml to your ElastAlert directory. Point it at your Elasticsearch instance.
Copy rule files to your rules/ directory. One command: elastalert --config config.yaml
ElastAlert begins monitoring immediately. First alerts fire as soon as matching events appear in your Windows Security logs.
Production-ready ElastAlert2 rules for NSA CSfC Continuous Monitoring compliance. Covers all mandatory monitoring points for CM-SM (SIEM), CM-MP6 (Gray Management Network) and CM-MP7 (Red Management Network), required for every CSfC deployment. 67 rules with ECS 8.x field mappings, validated against live Elasticsearch 8.12 with 7,200 synthetic Windows Security events across 33 unique EventIDs. Includes deployment guide, sample config, and full CSfC requirement traceability.
Needs CM compliance evidence for the Authorizing Official.
Deploys pre-built rules instead of writing 67 from scratch.
Production-ready ECS 8.x rules with deployment guide included.
Meet CSfC CM requirements without hiring a dedicated CM engineer.
Download a free sample PDF to review the quality, structure, and depth of this product before purchasing.
Free account required; no credit card needed
ElastAlert2 running on Elasticsearch 7.x or 8.x. Rules use ECS 8.x field mappings compatible with Winlogbeat and Elastic Agent.
This Tier 1 pack covers CM-SM (SIEM), CM-MP6 (Gray Management), and CM-MP7 (Red Management), the mandatory monitoring points for every CSfC deployment.
Those are conditional monitoring points that depend on your Capability Package. They are included in the Complete Bundle (CSFC-CM-002).
Yes, all rules are plain YAML text files. Edit index names, timestamp fields, realert intervals, and alert destinations to match your environment.
Yes, create a free account and download 2 sample rules plus the deployment quickstart guide.
Use code LAUNCH20 for 20% off
All sales final; no refunds on digital downloads