Achieve BACEN Resolution CMN 4,893/2021 compliance with ManageEngine

BACEN strengthened Brazil's financial sector cybersecurity by advancing from Resolution CMN 4,658 (2018) to Resolution CMN 4,893 (2021), mandating robust identity governance, real-time monitoring, multi-factor authentication, continuous compliance, and comprehensive audit trails to counter evolving digital threats.


How can ManageEngine support Brazil's financial institutions in meeting these standards?

With ManageEngine Log360 (SIEM), banks and other financial institutions can start aligning with the principles of BACEN 4,893/2021. The tables below list the key clauses and show how our solutions help with each.

Chapter II, Section I - Art. 3 (II) The procedures and controls adopted to reduce the institution's vulnerability to incidents and to address other cyber security objectives

Compliance actions

  1. Quarterly automated vulnerability scans on all systems
  2. Prioritized patch management with severity-based timelines
  3. Security-reviewed change management for production
  4. Continuous IDS/IPS for threat blocking, updated IT asset inventory

How Log360 can help

  1. Real-time AD change auditing detects unauthorized modifications and privilege escalation attempts instantly
  2. Critical group membership alerts prevent unauthorized privilege escalation to sensitive groups
  3. 1,000+ predefined alert profiles cover brute-force, escalation, and suspicious access without configuration
  4. Real-time correlation engine analyzes events, identifying attack chains before exploitation
  5. Out-of-box correlation rules detect brute-force, escalation, and intrusion attempts automatically
  6. Customize alert profiles with severity classification for BACEN-specific threat scenarios
  7. Enable centralized event log collection and analysis from all endpoints
  8. Advanced correlation detects brute-force, lateral movement, and privilege escalation attacks
  9. System event monitoring detects unexpected shutdowns, restarts, and kernel security failures
  10. Select from 200+ predefined alert criteria for automatic security event detection
  11. Real-time AWS/Azure/GCP/Salesforce monitoring detects unauthorized access and anomalies
  12. Access predefined and customizable cloud alert profiles for vulnerability detection
  13. Anomaly detection identifies unusual cloud logons, data access, and resource modifications

Reports and evidence

  1. DoS Attack Entered Defensive Mode
  2. DoS Attack Subsided
  3. DoS Attacks
  4. Downgrade Attacks
  5. Replay Attack
  6. Terminal Server Attacks
  7. Terminal Server Exceeds Maximum Logon Attempts
  8. IP Conflicts
  9. Threats Detections by ESET Endpoint Antivirus
  10. Threats Detections by Kaspersky
  11. Threats Detection by Microsoft Antimalware
  12. Threats Detection by Sophos Anti-Virus
  13. Threats Detection by Norton AntiVirus
  14. Infected files detected by Symantec Endpoint Protection
  15. Threat Detections by McAfee
  16. Defender Malware Detection
  17. Defender Real Time Protection Detection
  18. Anti-Malwares Updated
  19. Anti-Malwares Spyware Removed
  20. Anti-Malwares Scan
  21. Windows Firewall Rule Added
  22. Windows Firewall Rule Modified
  23. Windows Firewall Rule Deleted
  24. Windows Firewall Settings Restored
  25. Windows Firewall Settings Changed
  26. Windows Firewall Group Policy Changes
  27. Firewall Spoof Attack
  28. Firewall Internet Protocol half-scan attack
  29. Firewall Flood Attack
  30. Firewall Ping of Death Attack
  31. Firewall SYN Attack
  32. Top Vulnerable Severities (Nessus)
  33. Top CVS Score by Count (Nessus)
  34. Top Vulnerabilities (Nessus)
  35. Top Vulnerable Devices (Nessus)
  36. Top Vulnerable Service (Nessus)
  37. Top Vulnerable OS (Nessus)
  38. Top Vulnerable protocol (Nessus)
  39. Top Vulnerable ports (Nessus)
  40. Top Exploitable Vulnerabilities

Threat rules

  1. Windows Firewall Settings Have Been Changed
  2. Firewall IPS Signature Detected
  3. Disable Microsoft Defender Firewall via Registry
  4. Firewall Disabled via Netsh.EXE
  5. New Firewall Rule Added Via Netsh.EXE
  6. Disable Windows Firewall by Registry
  7. Windows Defender Service Disabled - Registry
  8. Disable Macro Runtime Scan Scope
  9. PowerShell Disable Security Monitoring
  10. Disable Windows Defender Functionalities Via Registry Keys
  11. Windows Defender Exclusions Added - Registry
  12. Windows Defender Exclusions Added - PowerShell
  13. Add SafeBoot Keys Via Reg Utility
  14. ETW Logging Disabled In .NET Processes - Sysmon Registry
  15. ETW Logging Disabled For rpcrt4.dll
  16. ETW Logging Disabled For SCM
  17. ETW Trace Evasion Activity
  18. Disable of ETW Trace - PowerShell
  19. PowerShell Logging Disabled Via Registry Key Tampering
  20. PUA - Sysinternal Tool Execution - Registry
  21. Potential EventLog File Location Tampering
  22. EventLog Query Requests By Builtin Utilities
  23. EventLog EVTX File Deleted
  24. Security Eventlog Cleared
  25. Clear PowerShell History - PowerShell
  26. PowerShell Console History Logs Deleted
  27. IIS WebServer Access Logs Deleted
  28. Tomcat WebServer Logs Deleted
  29. Suspicious Modification Of Scheduled Tasks
  30. Suspicious Scheduled Tasks created during non-working hours on Windows
  31. Suspicious Scheduled Task Creation Involving Temp Folder
  32. Delete Important Scheduled Task
  33. Delete All Scheduled Tasks
  34. New Root or CA or AuthRoot Certificate to Store
  35. New Root Certificate Installed Via CertMgr.EXE
  36. Ransomware detections
  37. Windows Backup Deleted Via Wbadmin.EXE
  38. All Backups Deleted Via Wbadmin.EXE
  39. Periodic Backup For System Registry Hives Enabled

Chapter II, Section I - Art. 3 (III) The specific controls, including those directed at information traceability, aiming to ensure the security of sensitive information

Compliance actions

  1. Centralized logging for DB access/files/admin to a tamper-proof repository
  2. UAM to record user actions with timestamps/ID
  3. RBAC with permission matrices and reviews
  4. Data classification for encryption/logging
  5. Quarterly access reviews to revoke outdated rights

How Log360 can help

  1. Real-time file server auditing tracks access, including modifications, with timestamps and user identity
  2. Data classification discovers and tags PII, PCI, and ePHI for targeted protection
  3. File integrity monitoring detects unauthorized modifications to critical system files
  4. Permission analysis identifies over-permissioned users and access control vulnerabilities
  5. Automated response blocks transfers, shuts down servers, and disables accounts on threats
  6. USB DLP blocks/monitors unauthorized removable media data transfers
  7. Email DLP inspects attachments and blocks sensitive file transmission
  8. Printer DLP controls printing of sensitive data with activity logging
  9. Ransomware detection identifies abnormal file patterns before encryption spreads
  10. Database DML/DDL auditing captures all data modifications and schema changes
  11. Column-level monitoring tracks sensitive field modifications with old/new values
  12. User access auditing detects unauthorized database access and exfiltration attempts
  13. Permission change monitoring alerts on privilege modifications and escalations
  14. View real-time alerts on critical changes, including mass deletion and tampering
  15. Access predefined audit reports on DML/DDL operations, exportable for compliance
  16. User attribute monitoring tracks all modifications with before/after values
  17. Group membership changes are logged with timestamps and user identification
  18. Password change auditing records user- and admin-initiated modifications
  19. Detailed audit trails show what changed, who changed it, when, and why, with comparisons
  20. Access 200+ event-specific reports for all AD modification categories
  21. Consolidate audit trails across multiple AD forests and domains

Reports and evidence

  1. File (or) Folder Created
  2. File (or) Folder Deleted
  3. File (or) Folder Modified
  4. File (or) Folder Accessed
  5. Folder Permission Changes
  6. Failed attempt to Create File
  7. Failed attempt to Delete File
  8. Failed attempt to Modify File
  9. Failed attempt to Access File
  10. System File Changes
  11. Top FileType Changes
  12. Top operations - user wise report
  13. Top operations - host wise report
  14. Top operations - file wise report
  15. File Monitoring Overview
  16. File Monitoring Trend
  17. All File or Folder Changes (Removable Storage/USB)
  18. File Read
  19. Failed attempt to Read File
  20. File Created
  21. File Modified
  22. Failed attempt to Modify File
  23. File Deleted
  24. Failed attempt to Delete File
  25. File Deleted And Archived
  26. File Shredding Blocked
  27. File Stream Creation
  28. File Time Change
  29. Raw Access Read
  30. Clipboard Content Changed
  31. Executable File Blocked
  32. Registry Accessed
  33. Failed Registry Access
  34. Registry Created
  35. Failed Registry Creations
  36. Registry Value Modified
  37. Failed Registry Modifications
  38. Registry Deleted
  39. Failed Registry Deletions
  40. Registry Permission Changes
  41. Top Users on Registry
  42. Network Share Read
  43. Failed Network Share Read
  44. Network Share Permission Modified
  45. Network Share Added
  46. Network Share Modified
  47. Network Share Deleted
  48. Network Share Overview
  49. Network Share Object Permission Added
  50. Network Share Permission Deleted
  51. User wise top successful network shares
  52. User wise top failed network shares
  53. Remote host wise top network share access
  54. Top network share creations/modifications/deletions by remote host
  55. External Device Recognized
  56. Device Disabled
  57. Device Enabled
  58. Installation Forbidden By GPO
  59. Previously Blocked Device Installed
  60. Removable Device Plug in
  61. Removable Device Plug out
  62. Top Successful Users on Removable Disk Auditing
  63. Top Failed Users on Removable Disk Auditing
  64. Removable Disk Changes Trend
  65. Host Based Removable Disk Changes
  66. UAC Bypass via Event Viewer
  67. AD Object WriteDAC Access
  68. File or Folder Permissions Modifications
  69. Run PowerShell Script from ADS
  70. Unauthorized System Time Modification
  71. Disable of ETW Trace
  72. Suspicious Eventlog Clear or Configuration Using Wevtutil
  73. Fsutil Suspicious Invocation

Threat rules

  1. EventLog Query Requests By Builtin Utilities
  2. Unusual Mailbox Access
  3. MSQL XPCmdshell Option Change
  4. Computer Discovery And Export Via Get-ADComputer Cmdlet - PowerShell
  5. Active Directory Computers Enumeration With Get-AdComputer
  6. Active Directory Kerberos DLL Loaded Via Office Application
  7. Suspicious Bulk File Modifications or Deletions on Windows
  8. Automated Collection Command Prompt
  9. Potential EventLog File Location Tampering
  10. Browser Execution In Headless Mode
  11. PUA - SoftPerfect Netscan Execution
  12. Active Directory Replication from Non Machine Account
  13. LSASS Process Reconnaissance Via Findstr.EXE
  14. Private Keys Reconnaissance Via CommandLine Tools
  15. Potential Compromise of DSRM Account
  16. Extracting Information with PowerShell
  17. Local Accounts Discovery
  18. Active Directory Group Enumeration With Get-AdGroup
  19. User Discovery And Export Via Get-ADUser Cmdlet
  20. Password Policy Enumerated
  21. Suspicious PowerShell Mailbox Export to Share - PS
  22. PowerShell Script Change Permission Via Set-Acl - PsScript
  23. Sensitive File Recovery From Backup Via Wbadmin.EXE
  24. SAM SECURITY Hive Dump Possible Credential Theft
  25. Ntdsutil Abuse
  26. User Added to Remote Desktop Users Group
  27. Exchange PowerShell Snap-Ins Usage
  28. Certificate Exported Via PowerShell
  29. Suspicious Get-ADReplAccount
  30. DPAPI Domain Backup Key Extraction
  31. HackTool - DSInternals Suspicious PowerShell Cmdlets
  32. Unattend.XML File Access Attempt
  33. Suspicious Where Execution
  34. Suspicious Processes Spawned by Java.EXE
  35. Suspicious Processes Spawned by WinRM
  36. Suspicious Get Information for SMB Share

Chapter II, Section I - Art. 3 (IV) The record of incidents relevant to the institution's activities, as well as the analysis of their cause and impact and the control of their effects

Compliance actions

  1. Centralized incident logging with date/time/systems/severity
  2. Formal RCA for vulnerabilities and patterns
  3. Timeline/impact documentation (disruption, exposure, costs)
  4. Track control enhancements post-incident
  5. Quarterly trend reports for leadership

How Log360 can help

  1. Centralized incident repository consolidates security events into unified incident tracking
  2. Correlation engine analyzes event relationships and reconstructs complete attack chains
  3. Playbook automation triggers immediate response actions on incident detection
  4. Alert profiles systematically categorize incidents by type for organized tracking
  5. Incident Workbench correlates multi-source data for comprehensive impact analysis
  6. Root cause analysis through correlation reconstructs forensic timelines
  7. Historical event retention enables retrospective incident analysis after discovery
  8. Metrics tracking measures incident response effectiveness and improvement areas
  9. Event forensics reconstruct incident timelines showing the exact sequence of attacker actions
  10. Multi-source correlation reconstructs complete attack context with evidence
  11. Centralized secure archival prevents attacker deletion of forensic evidence
  12. Pattern analysis detects brute-force, escalation, and lateral movement attack patterns
  13. Powerful search enables rapid incident investigation and impact assessment
  14. Forensic reports show detailed before and after comparisons of affected objects
  15. Admin group tracking identifies unauthorized privilege escalation during incidents
  16. ML-based detection identifies insider threat and compromised account activity
  17. Password analysis detects compromised credentials and unauthorized changes
  18. IP tracking identifies the geographic origin of suspicious logons
  19. Ransomware detection identifies abnormal file patterns, enabling early containment
  20. Automated incident response immediately isolates infected systems from the network
  21. File auditing enables ransomware impact assessment and recovery scope determination
  22. Exfiltration detection identifies data theft via USB, email, and web channels

Reports and evidence

  1. Audit Events Dropped
  2. Eventlog Cleared
  3. Security Log Full
  4. Error in EventLog Service
  5. Event Logging Service Shutdown
  6. Security Logs Cleared
  7. Event Logs Cleared
  8. Event Logger Started
  9. Secure Deletion with SDelete
  10. Security Eventlog Cleared
  11. Backup Catalog Deleted
  12. NotPetya Ransomware Activity
  13. Shadow Copies Deletion Using Operating Systems Utilities
  14. All Events (Windows)
  15. Important Events (Windows)
  16. Failed logons due to Bad UserName
  17. Failed logons due to Bad Password
  18. Failed logons due to Account Lock
  19. Failed logons due to Expiry
  20. Failed logons during non-working hours
  21. Failed Interactive Logons
  22. Failed Remote Interactive Logons
  23. Failed Network Logons
  24. Failed Logons Overview
  25. Top Failed Logons by User
  26. Top Failed Logons by Host
  27. Top Failed Logons by RemoteHost
  28. Top Failed Logons by Domain
  29. Top reasons for Windows logon failure
  30. Failed Logons Trend
  31. Failed Logons
  32. Local Logon Failures
  33. Interactive Logon Failure
  34. RADIUS Logon Failures (NPS)
  35. Application Errors
  36. Application Hanged
  37. Error Reporting
  38. Blue Screen Error (BSOD)
  39. System Errors
  40. EMET Logs

Chapter II, Section I - Art. 3 (Paragraph 1) When defining the cyber security objectives mentioned in item I, the institution must consider its capacity to prevent, detect and reduce the vulnerability to cyber incidents

Compliance actions

  1. Assess and document maturity, infrastructure, and resources
  2. Define targeted objectives based on risk and regulations
  3. Set measurable KPIs like MTTD, MTTR, and vulnerability remediation rates
  4. Allocate resources and secure board approval
  5. Establish governance with clear accountability and monthly reporting

How Log360 can help

PREVENTION

  1. Multi-channel DLP blocks USB, email, web, and printer data transfers
  2. Ransomware protection detects abnormal file patterns before encryption spreads

DETECTION

  1. Real-time alerts enable rapid response before attacks escalate
  2. Predefined profiles cover common attack scenarios without custom configuration
  3. Correlation identifies multi-step attacks missed by single-event monitoring
  4. ML behavioral anomaly detection identifies novel attacks through deviations from baseline
  5. Real-time Windows monitoring detects threats on endpoints as they occur
  6. Brute-force detection identifies failed attempts, enabling rapid blocking
  7. Privilege escalation detection identifies unauthorized elevation, indicating compromise
  8. Unusual logon detection identifies account compromise and unauthorized access
  9. Real-time cloud threat detection enables rapid incident response
  10. Predefined profiles for cloud threats reduce time-to-detection
  11. Anomaly detection identifies unusual activities in cloud environments

Reports and evidence

  1. Windows Updates - Downloaded
  2. Windows Updates - Detected
  3. Windows Updates - Connectivity
  4. Windows Updates - Availability
  5. Windows Updates - Installed
  6. Failed software installations
  7. Failed software installations due to privilege mismatches
  8. Software Installed
  9. Software Updated
  10. Software Uninstalled
  11. Failed Windows backup
  12. Successful Windows backup
  13. Failed Windows restores
  14. Successful Windows restores
  15. System Restored
  16. Windows Backup and Restore (all variants)
  17. Update Packages Installed
  18. Failed hotpatching
  19. New Service Installed
  20. Service Started
  21. Service Paused
  22. Service Stopped
  23. Service Failed
  24. Successful Patch Events
  25. Policy Deployment Events
  26. Inventory Scanning Changes
  27. License Modifications
  28. Recovery Key Audit Events
  29. BitLocker Policy Events
  30. Computer Account Created
  31. Computer Account Modified
  32. Computer Account Deleted
  33. Computer Account Management (all variants)
  34. Potential RDP Exploit CVE-2019-0708
  35. CVE-2020-0688 Exploitation via Eventlog
  36. Exploited CVE-2020-10189 Zoho ManageEngine
  37. DNS RCE CVE-2020-1350
  38. Possible Common Log File System Driver CVE-2023-28252 Exploitation
  39. Suspicious Java Child Process Spawned via Internet Explorer
  40. Top Exploitable Vulnerabilities
  41. GHOST in Linux
  42. Shellshock Report
  43. Credential Failures Report
  44. Elevated Privilege Failures Report
  45. Registry Access Failures Report
  46. Admin Discovery Report
  47. Overall Nessus Report

Threat rules

  1. Firewall IPS Signature Detected
  2. Sysmon Blocked Executable
  3. Excessive Inbound or Outbound Connections from same Source
  4. Windows Firewall Settings Have Been Changed
  5. Disable Microsoft Defender Firewall via Registry
  6. Firewall Disabled via Netsh.EXE
  7. New Firewall Rule Added Via Netsh.EXE
  8. Disable Windows Firewall by Registry
  9. Windows Defender Service Disabled - Registry
  10. Disable Macro Runtime Scan Scope
  11. PowerShell Disable Security Monitoring
  12. Disable Windows Defender Functionalities Via Registry Keys
  13. Windows Defender Exclusions Added - Registry
  14. Windows Defender Exclusions Added - PowerShell
  15. Add SafeBoot Keys Via Reg Utility
  16. ETW Logging Disabled In .NET Processes - Sysmon Registry
  17. ETW Logging Disabled For rpcrt4.dll
  18. ETW Logging Disabled For SCM
  19. ETW Trace Evasion Activity
  20. Disable of ETW Trace - PowerShell
  21. PowerShell Logging Disabled Via Registry Key Tampering
  22. PUA - Netcat Suspicious Execution
  23. Suspicious Tasklist Discovery Command
  24. Suspicious Bulk File Modifications or Deletions on Windows
  25. Automated Collection Command Prompt
  26. Potential EventLog File Location Tampering
  27. EventLog EVTX File Deleted
  28. Security Eventlog Cleared
  29. Clear PowerShell History - PowerShell
  30. PowerShell Console History Logs Deleted
  31. IIS WebServer Access Logs Deleted
  32. Tomcat WebServer Logs Deleted
  33. Suspicious Modification Of Scheduled Tasks
  34. Suspicious Scheduled Tasks created during non-working hours on Windows
  35. Suspicious Scheduled Task Creation Involving Temp Folder
  36. Delete Important Scheduled Task
  37. Delete All Scheduled Tasks
  38. New Root or CA or AuthRoot Certificate to Store
  39. New Root Certificate Installed Via CertMgr.EXE
  40. Ransomware detections
  41. Windows Backup Deleted Via Wbadmin.EXE
  42. All Backups Deleted Via Wbadmin.EXE

Chapter II, Section I - Art. 3 (Paragraph 2) The procedures and controls mentioned in item II must comprise, at least, authentication, cryptography, prevention and detection of intrusions, prevention of information leakage, performance of periodic tests and scanning to detect vulnerabilities, protection against malicious software, implementation of traceability mechanisms, control of access and segmentation of the computer network, as well as maintenance of data and information backups

Compliance actions

  1. MFA on all systems (password + biometrics/token)
  2. AES-256 encryption + TLS 1.2+ for data
  3. Enterprise IDS/IPS for real-time monitoring/blocking
  4. DLP for outgoing data scanning
  5. Automated vulnerability scans/pen tests with remediation

How Log360 can help

CRYPTOGRAPHY

  1. File encryption monitoring enforces encryption for sensitive data at rest
  2. Encrypted communication prevents interception of security events

PREVENTION AND DETECTION OF INTRUSIONS

  1. Event correlation detects intrusion patterns through multi-source analysis
  2. Real-time alerts enable rapid response and blocking before compromise
  3. Network log analysis detects network-level intrusion indicators
  4. Windows analysis detects host-level intrusion indicators on endpoints
  5. Lateral movement detection identifies multi-system compromise attacks
  6. Unusual logon detection identifies account compromise and unauthorized access
  7. Cloud monitoring detects cloud infrastructure intrusion and unauthorized API calls

VULNERABILITY SCANNING

  1. Compliance reporting enables scheduled periodic compliance assessments
  2. Compliance reports provide evidence of periodic security assessments
  3. Cloud compliance scanning identifies cloud infrastructure security misconfigurations
  4. Periodic assessment reports show security posture and vulnerability status
  5. Attack surface analyzer scans and identifies exposed assets and configuration risks to reduce your overall attack surface

TRACEABILITY

  1. AD change auditing tracks all modifications with before and after values
  2. File server auditing monitors access and modifications on file servers
  3. Logon/logoff auditing records sessions with source and duration
  4. 200+ reports enable rapid traceability documentation generation
  5. Multi-domain consolidation provides organization-wide administrative change tracking
  6. Centralized management consolidates logs from all infrastructure components
  7. Database auditing records all DML/DDL operations with details
  8. FIM tracks all critical file modifications with change tracking
  9. File access auditing records endpoint file system activities
  10. Permission tracking shows before and after values of changes

ACCESS CONTROLS

  1. Group membership monitoring alerts on unauthorized privilege escalation
  2. Permission tracking alerts on changes to sensitive resources
  3. Privileged user monitoring provides enhanced visibility into high-privilege operations
  4. File access control monitoring identifies users with file access
  5. Permission vulnerability identification remediates over-permissioned users

NETWORK SEGMENTATION

  1. Firewall analysis identifies communication patterns between network segments
  2. East-west monitoring detects lateral movement and breach propagation
  3. Network device analysis provides visibility into all network traffic
  4. Network log collection provides network-level visibility complementing host monitoring
  5. Log correlation detects network-based attacks exploiting segmentation failures
  6. Cloud segmentation monitoring validates AWS VPC and Azure VNet policies
  7. Multi-platform monitoring provides consistent segmentation across cloud providers

Reports and evidence

  1. Interactive Logon
  2. Remote Interactive Logon
  3. Network Logon
  4. Terminal Server Reconnected
  5. Terminal Server Disconnected
  6. Logons Overview
  7. Privilege Assigned to New Logon
  8. Logon Attempt Using Explicit Credentials
  9. Top Logons by User
  10. Top Logons by Host
  11. Top Logons by RemoteHost
  12. Top Logons by Domain
  13. Logons Trend
  14. User Logons
  15. Logon Activity
  16. Remote Desktop Services Activity
  17. Terminated Users Session
  18. Remote Desktop Gateway
  19. RADIUS Logon History (NPS)
  20. Special Groups have been assigned to a New Logon
  21. User Added to Local Administrators
  22. Admin User Remote Logon
  23. Enabled User Right in AD to Control User Objects
  24. Interactive Logon to Server Systems
  25. Account Tampering - Suspicious Failed Logon Reasons
  26. User Account Created
  27. User Account Modified
  28. User Account Deleted
  29. User Account Enabled
  30. User Account Disabled
  31. Renamed User Accounts
  32. Unlocked User Accounts
  33. User Account Own Password Changes
  34. User Account Password Changes
  35. Password Set Users
  36. DC Credentials Validation Success
  37. DC Credential Validation Failure due to Bad Username
  38. DC Credential Validation Failure due to Bad Password
  39. Kerberos authentication ticket (TGT) - Requested
  40. Successful Pre Authentication

Threat rules

  1. Windows Firewall Settings Have Been Changed
  2. Windows Defender Service Disabled - Registry
  3. Disable Windows Defender Functionalities Via Registry Keys
  4. Periodic Backup For System Registry Hives Enabled
  5. Ransomware detections
  6. New Root or CA or AuthRoot Certificate to Store
  7. Firewall IPS Signature Detected
  8. ETW Logging Disabled In .NET Processes - Sysmon Registry
  9. PowerShell Logging Disabled Via Registry Key Tampering
  10. Suspicious Modification Of Scheduled Tasks

Chapter II, Section III - Art. 6 The institutions mentioned in art. 1 must establish a plan of action and response to incidents, aiming at the implementation of the cyber security policy

Compliance actions

  1. Multidisciplinary response team with defined roles
  2. Detailed playbooks/escalation for incident types
  3. BC/DR procedures with RTO/RPO targets
  4. Communication templates/escalation chains
  5. Annual tabletop exercises with lessons learned

How Log360 can help

  1. Alert profiles enable systematic detection and categorization by incident type
  2. Playbook automation triggers predefined response actions immediately on detection
  3. Incident Workbench consolidates contextual data for comprehensive analysis
  4. Real-time alerting enables rapid incident response team mobilization
  5. Pattern correlation detects incidents, enabling early response before damage
  6. Alerts notify incident response teams immediately when an incident requires action
  7. Forensics support incident investigation and post-incident analysis
  8. Rapid search enables quick investigation and containment decisions
  9. Forensic reports show detailed before and after object comparisons for investigation
  10. Action tracking verifies incident response execution and effectiveness
  11. Critical alerts enable rapid incident response team notification
  12. Automated response triggers containment actions on threat detection
  13. Ransomware isolation prevents spread through rapid automated containment
  14. File auditing enables ransomware scope assessment and determination of recovery requirements

Reports and evidence

  1. Risk Level (Unix)
  2. Top Risk by Events (Unix)
  3. Top Risk by Host (Unix)
  4. Top Risk by RemoteHost (Unix)
  5. Risks Trend (Unix)
  6. Risks Overview (Unix)
  7. Success Events
  8. Information Events (Device Severity)
  9. Failure Events
  10. Warning Events (Device Severity)
  11. Error Events (Device Severity)
  12. Emergency Events (Device Severity)
  13. Alert Events (Device Severity)
  14. Critical Events (Device Severity)
  15. Notice Events (Device Severity)
  16. Debug Events (Device Severity)
  17. Audit Policy Changed (Windows Important Events)
  18. Audit Logs Cleared (Windows Important Events)
  19. User Account Changes (Windows Important Events)
  20. Locked User Accounts (Windows Important Events)
  21. SceCli Group Policy (Windows Important Events)
  22. All Events (Windows)
  23. Important Events (Windows)
  24. User Based Activity
  25. Weekly Report
  26. Hourly Report
  27. User Failed Logons (Unix)
  28. Top Risk by Events
  29. Top Risk by Host
  30. Top Risk by RemoteHost
  31. Risks Trend
  32. Risks Overview
  33. Process Created (Sysmon)
  34. Process Terminated (Sysmon)
  35. Remote Thread Creation (Sysmon)
  36. Process Access (Sysmon)
  37. Service State Change (Sysmon)
  38. Configuration Report (Sysmon)
  39. Noncritical (SAP)
  40. Severe (SAP)

Chapter III - Art. 11 The institutions mentioned in art. 1 must ensure that their policies, strategies and structures for risk management established in regulation in force, specifically regarding the criteria for decisions on the outsourcing of services, include the contracting of relevant data processing, data storage and cloud computing services, in the country or abroad

Compliance actions

  1. Pre-contract vendor security due diligence
  2. Contractual cybersecurity clauses (controls, notifications, audits)
  3. Require ISO 27001/SOC 2 certifications with annual reports
  4. Quarterly oversight, audits, and vulnerability scans
  5. On-demand audit rights and incident notification provisions

How Log360 can help

DATA PROCESSING MONITORING

  1. Multi-platform monitoring enables tracking of data handling in contracted services
  2. Real-time monitoring maintains visibility into contracted service operations
  3. Custom profiles detect data processing that violates BACEN policies
  4. Out-of-box reports support verification of cloud service provider compliance
  5. Activity tracking identifies data access patterns and potential leaks
  6. Audit trails document all cloud infrastructure changes and configurations

VENDOR RISK MANAGEMENT

  1. Centralized monitoring consolidates security logs from all vendors and services
  2. Audit trails enable verification that contracted vendors operate within requirements
  3. Cross-platform correlation identifies suspicious activities spanning vendor boundaries
  4. Set up alert profiles and configure custom alerts for third-party service events
  5. Azure AD tracking monitors cloud-integrated directory changes
  6. Permission monitoring detects unauthorized modifications in cloud systems
  7. Hybrid monitoring tracks activities across on-premises and cloud environments

Reports and evidence

  1. VPN Connection Status (WatchGuard)
  2. VPN Sessions (WatchGuard)
  3. VPN Connection Status (Topsec)
  4. VPN Sessions (Topsec)
  5. VPN Connection Status (Terminal)
  6. VPN Sessions (Terminal)
  7. Database Server Events
  8. Hyper-V Server Events - Partitions Created
  9. Hyper-V Server Events - Partitions Deleted
  10. Hyper-V Server Events - Failed Partition Creations
  11. Hyper-V Server Events - Hyper-V Start Events
  12. Hyper-V Server Events - Failed Hyper-V Launch
  13. Hyper-V VM Management - VM Management Service Started
  14. Hyper-V VM Management - VM Creation
  15. Hyper-V VM Management - VM Deletion
  16. Hyper-V VM Management - Failed VM Creations
  17. Cluster Created
  18. Cluster Destroyed
  19. Cluster Reconfigured
  20. Cluster Renamed
  21. Datacenter Created
  22. Datacenter Renamed
  23. Datacenter Destroyed
  24. Datastore Created
  25. Datastore Destroyed
  26. Datastore Renamed
  27. Datastore File Copied
  28. Datastore File Moved
  29. Datastore File Deleted
  30. Folder Created
  31. Folder Deleted
  32. Folder Renamed
  33. Permission Created
  34. Permission Removed
  35. Network Connection (Sysmon)
  36. DNS Query (Sysmon)
  37. Opened Connections (SonicWall)
  38. Closed Connections (SonicWall)
  39. VPC Changes (AWS)
  40. Network Gateway Changes (AWS)

Threat rules

  1. AWS RDS DB Snapshot Created
  2. AWS IAM Roles Anywhere Trust Anchor Created with External CA
  3. AWS S3 Bucket Server Access Logging Disabled
  4. AWS Config Disabling Channel/Recorder
  5. AWS RDS Security Group Deletion
  6. AWS EFS File System or Mount Deleted
  7. AWS RDS Security Group Creation
  8. AWS RDS Instance or Cluster Delete
  9. AWS EC2 VM Export Failure
  10. AWS Key Pair Import Activity
  11. AWS Lambda Function Created or Updated
  12. AWS WAF Access Control List Deletion
  13. AWS STS Role Assumption by Service
  14. AWS Redshift Cluster Creation
  15. AWS RDS DB Instance or Cluster Restored
  16. AWS Systems Manager SecureString Parameter Request with Decryption Flag
  17. AWS EC2 Deprecated AMI Discovery
  18. AWS S3 Bucket Expiration Lifecycle Configuration Added
  19. AWS S3 Data Management Tampering
  20. AWS EC2 Full Network Packet Capture Detected
  21. AWS IAM User Addition to Group
  22. AWS IAM Roles Anywhere Profile Created
  23. AADInternals PowerShell Cmdlets Execution - PsScript
  24. AADInternals PowerShell Cmdlets Execution - ProccessCreation
  25. DNS HybridConnectionManager Service Bus
  26. Cloudflared Quick Tunnel Execution
  27. Cloudflared Tunnel Execution
  28. Network Connection Initiated To Cloudflared Tunnels Domains
  29. Network Connection Initiated To BTunnels Domains
  30. Network Connection Initiated To Portmap.IO Domain
  31. Communication To LocaltoNet Tunneling Service Initiated
  32. Potential MOVEit Transfer CVE-2023-34362 Exploitation - File Activity
  33. Potential MOVEit Transfer CVE-2023-34362 Exploitation - Dynamic Compilation Via Csc.EXE
  34. Visual Studio Code Tunnel Execution
  35. VsCode Code Tunnel Execution File Indicator
  36. VsCode PowerShell Profile Modification
  37. Visual Studio Code Tunnel Remote File Creation
  38. Visual Studio Code Tunnel Service Installation
  39. Renamed VsCode Code Tunnel Execution - File Indicator
  40. Suspicious File Execution From Internet Hosted WebDav Share

Conclusion

Now that you’ve explored how BACEN Resolution 4,893/2021 strengthens cybersecurity standards in Brazil’s financial sector and how Log360 helps you meet every clause, it’s time to take the next step.

Whether it’s identity governance, audit logging, threat detection, or building a compliance-ready audit trail, we’re here to guide you through it. Start a 30-day free trial to experience our solutions in your own environment, or contact us to schedule a one-on-one consultation.

Disclaimer: The information provided on this page is for general knowledge and awareness purposes only. It is not intended to serve as professional, legal, or regulatory advice. Compliance with BACEN Resolution 4,893/2021 depends on your organization’s specific environment, processes, and risk profile.

To accurately assess your compliance posture, we strongly recommend engaging a qualified consultant, compliance agency, or referring directly to the official BACEN documentation and guidelines.