LogRhythm AI Engine Rules
© 2014 LogRhythm, Inc. All rights reserved
This document contains proprietary information, which is protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser’s personal use without the written permission of LogRhythm, Inc.
Warranty
The information contained in this document is subject to change without notice. LogRhythm, Inc. makes no warranty of any kind with respect to this information. LogRhythm, Inc. specifically disclaims the implied warranty of the merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be liable for any direct, indirect, incidental, consequential, or other damage alleged in connection with the furnishing or use of this information.
Trademark
LogRhythm® is a trademark of LogRhythm, Inc.
LogRhythm Inc.
4780 Pearl East Circle, Boulder, CO 80301, (303) 413-8745, www.logrhythm.com
LogRhythm Customer Support
Table of Contents
Security Analytics Suites
  Advanced Persistent Threats (APTs)
  Multi-Dimensional Behavioral Analytics (MDBA)
  Network Behavior Anomaly Detection (NBAD)
  Privileged User Monitoring (PUM)
  Retail Cyber Crime*
  SANS Critical Security Controls
  Targeted Host Activity Monitoring*
  Web Application Defense
Compliance Automation Suites
  201 CRM 17
  DoDI 8500.2
  FISMA
  GPG-13
  HIPAA
  ISO 27001
  NEI
  NERC CIP
  NIST 800-35
  NRC
  PCI DSS
  SOX-COSO
Overview
This document lists the currently available LogRhythm Advanced Intelligence Engine (AI Engine) Rules. These AI Engine Rules are available as of the 6.2.3 Knowledge Base release. Rules that are being released in BETA status are denoted with an asterisk (*) next to the rule name.
Security Analytics Suites
Advanced Persistent Threats (APTs)
Rule Name | Direction/Type
Abnormal Authentication Behavior | Behavioral Anomaly
Abnormal Data Transfer Size | Operations
Abnormal Email Activity | Behavioral Anomaly
Abnormal FIM Activity | Behavioral Anomaly
Abnormal Internal Connections | Behavioral Anomaly
Abnormal Malicious Classification | Behavioral Anomaly
Abnormal Outbound Connections | Behavioral Anomaly
Abnormal Process Activity | Behavioral Anomaly
Abnormal Rate Increase Of Outbound Traffic | Behavioral Anomaly
Account Compromised: Account Probe | External
Account Attack: Account Probe On Multiple Hosts | External
Account Attack: Account Probe On Multiple Hosts | Internal
Account Compromised: Account Probe On Multiple Hosts | Internal
Account Scan | External
Account Scan | Internal
Account Scan On Single Host | External
Account Scan On Single Host | Internal
Attack/Compromise | External
Attack/Compromise | Internal
Attack/Compromise Followed By Process Starting | External
Attack/Compromise Followed By Process Starting | Internal
Audit Log Cleared | External
Audit Log Cleared | Internal
Botnet Zombie | Internal
Botnet Zombie Infestation | Internal
Brute Force From Distributed Origin Hosts | External
Brute Force From Distributed Origin Hosts | Internal
Brute Force From A Single Origin Host | External
Brute Force From A Single Origin Host | Internal
Commonly Probed Port | External
Communication with Low Reputation Address | Behavioral Anomaly
Compromised Account | Corroborated Anomalies
Compromised Data | Corroborated Anomalies
Compromised Host | Corroborated Anomalies
Concurrent Authentications From Multiple Cities | External
Concurrent Authentications From Multiple Countries | External
Concurrent Authentications From Multiple Regions | External
Concurrent VPN Authentications From Same User | External
Connection Open | Internal
Connection Opened To Attacker | External
Critical Data Destruction | External
Critical Data Destruction | Internal
Data Loss | External
Data Loss | Internal
Data Stolen | Internal
Denial Of Service Attack | Internal
Denial Of Service Attack | External
Distributed Denial Of Service Attack | External
Excessive HTTP Errors | External
Increase In Outbound Connections | Behavioral Anomaly
Malware Outbreak | Internal
Multiple Unique Attacks | Internal
Multiple Unique Attacks Against Same Host | External
Non-Trivial Rate Increase In Outbound Traffic | Behavioral Anomaly
Ping Sweep | External
Ping Sweep | Internal
Port Probe | External
Port Probe | Internal
Port Scan | External
Port Scan | Internal
Port Scan Followed By An Attack | Internal
Port Scan Followed By An Attack | External
Privilege Escalation | Internal
Privilege Escalation | External
Reconnaissance | External
Reconnaissance | Internal
Reconnaissance Followed By Account Creation | Internal
Reconnaissance Followed By Account Creation | External
Reconnaissance Followed By Process Starting | External
Remote Authentication | External
Slow Port Scan | External
Slow Port Scan | Internal
Spamming Zombie | Internal
Abnormal Amount Of Audit Failures | Account Suspicious
Abnormal Authentication Behavior | Account Suspicious
Abnormal File Access | Account Suspicious
Abnormal Origin Location | Account Suspicious
Abnormal Process Activity | Account Suspicious
Attack Followed By An Attacker Login | External
Attack Followed By An Attacker Login | Internal
Compromise or Attack Followed By Time Change | General
Default MetaSploit Port | External
Default MetaSploit Port | Internal
Dot Dot Slash Directory Traversal | External
Dot Dot Slash Directory Traversal | Internal
Payload Download Observed | General
SQL Injection | External
SQL Injection | Internal
Threat List - abuse.ch SpyEye IP | External
Threat List - abuse.ch Zeus IP | External
Threat List - AlienVault IP | External
Threat List - SRI Malware Threat Center IP | External
Threat List - Tor Exit Node | External
Threat List - Tor Server | External
Vulnerability Exploited | External
Vulnerability Exploited | Internal
XSS Attack | External
XSS Attack | Internal
ZeroAccess Botnet Communication | Internal
Multi-Dimensional Behavioral Analytics (MDBA)
Rule Name | Direction/Type
Abnormal Authentication Behavior | Behavioral Anomaly
Abnormal Email Activity | Behavioral Anomaly
Abnormal FIM Activity | Behavioral Anomaly
Abnormal Internal Connections | Behavioral Anomaly
Abnormal Malicious Classification | Behavioral Anomaly
Abnormal Outbound Connections | Behavioral Anomaly
Abnormal Process Activity | Behavioral Anomaly
Abnormal Rate Increase Of Outbound Traffic | Behavioral Anomaly
Compromised Account | Corroborated Anomalies
Compromised Data | Corroborated Anomalies
Compromised Host | Corroborated Anomalies
Increase In Outbound Connections | Behavioral Anomaly
Non-Trivial Rate Increase In Outbound Traffic | Behavioral Anomaly
Abnormal Amount Of Audit Failures | Account Suspicious
Abnormal Authentication Behavior | Account Suspicious
Abnormal File Access | Account Suspicious
Abnormal Origin Location | Account Suspicious
Abnormal Process Activity | Account Suspicious
Network Behavior Anomaly Detection (NBAD)
Rule Name | Direction/Type
Internationalized Domain Name (IDN) | General
Abnormal Application Activity | General
Blacklist Transfer During Off-Hours | General
Chat Traffic | General
Excessive External FW Denies | General
Excessive External FW Denies Followed By Allow | General
Excessive Firewall Accepts Multiple Src Single Dst | General
Excessive FW Accepts To Multiple Hosts | General
Excessive Internal FW Denies Followed By Allow | General
Excessive IRC Connections To A Single Impacted Host | General
Excessive IRC Connections To A Single Origin Host | General
Excessive Outbound FW Denies | General
Hidden FTP Server | General
Insecure Communication Usage | General
Internal ICMP Flood | General
Internal TCP Flood | General
Internal UDP Flood | General
Internal Unknown Flood | General
Large Outbound Transfer | General
Long ICMP Flow | General
Outbound ICMP Flood | General
Outbound TCP Flood | General
Outbound UDP Flood | General
Outbound Unknown Flood | General
P2P Client Making Excessive Connections | General
Potential DDoS | General
Potential DDoS Against Single Host | General
Potential ICMP DDoS | General
Repeat Signature Detection | General
Rogue Host Detection | General
Sessions Over 48 Hours | General
Unauthorized/Risky Applications | General
Web Server DDoS Attack | General
Attack Followed By Firewall Allow | Suspicious
DMZ Jumping | Suspicious
Inbound Connection With Non-Whitelisted Country | Suspicious
Inbound ICMP Flood | Suspicious
Inbound RDP Access | Suspicious
Inbound RDP From Blacklisted Country | Suspicious
Inbound TCP Flood | Suspicious
Inbound UDP Flood | Suspicious
Inbound Unknown Flood | Suspicious
Connection With Blacklisted Country | Suspicious
MAC Spoofing | Suspicious
New Application Detection | Suspicious
Non-Whitelist Transfer During Off-Hours | Suspicious
Outbound Connection With Blacklisted Country | Suspicious
Outbound Connection With Non-Whitelisted Country | Suspicious
Port Misuse 22 | Suspicious
Port Misuse 443 | Suspicious
Port Misuse 53 | Suspicious
Port Misuse 80 | Suspicious
Port Misuse HTTP | Suspicious
Port Misuse SSH In | Suspicious
Port Misuse SSH Out | Suspicious
Rogue Wireless Host | Suspicious
Suspicious Top Level Domain (TLD) | Suspicious
Privileged User Monitoring (PUM)
Rule Name | Direction/Type
Impersonation | Account Suspicious
Mass File Deletion By A Privileged User | Account Suspicious
Multiple Accounts Deleted By A Privileged User | Account Suspicious
Multiple Accounts Disabled By A Privileged A User | Account Suspicious
Multiple Failed Attempts To Logon To Non-Primary Exchange Account | Account Suspicious
Multiple Users Added To A Privileged Group | Account Suspicious
Multiple Users Removed From A Privileged Group | Account Suspicious
New Administrator Activity | Account Audit
Password Modified By Privileged User | Account Audit
Privileged User's Password Modified | Account Audit
Recently Disabled Privileged Cant Access Failures | Account Suspicious
Recently Disabled Privileged Cant Access Success | Account Suspicious
User Not In Sudoers File | Account Suspicious
Retail Cyber Crime*
Rule Name | Direction/Type
Abnormal CE From Payment System | Internal
Abnormal CE From POS Endpoint | Internal
Abnormal Payment Sys Authentication Activity | Internal
Abnormal Payment System File Access | Internal
Abnormal Payment System Network Communications | Internal
Abnormal POS Authentication Activity | Internal
Abnormal POS File Access | Internal
Abnormal POS Network Communication | Internal
New Process On Payment System | Internal
New Process On POS | Internal
Payment System Endpoint DLD Event | Internal
Payment System File System Modified | Internal
POS Endpoint DLD Event | Internal
POS Endpoint File System Modified | Internal
SANS Critical Security Controls
Rule Name | Direction/Type
Password Modified By Another User | Account Audit
Abnormal File Access | Account Suspicious
Account Created, Used, Deleted | Account Suspicious
Impersonation | Account Suspicious
Multiple Accounts Deleted By A Privileged User | Account Suspicious
Multiple Accounts Disabled By A Privileged A User | Account Suspicious
Recently Disabled Account Access Failures | Account Suspicious
Recently Disabled Account Access Success | Account Suspicious
User Not In Sudoers File | Account Suspicious
Abnormal FIM Activity | Behavioral Anomaly
Dot Dot Slash Directory Traversal | External
SQL Injection | External
XSS Attack | External
Malicious User-Agent | External
Threat List abuse.ch SpyEye IP | External
Threat List abuse.ch Zeus IP | External
Threat List AlienVault IP | External
Threat List Tor Exit Node | External
Threat List Tor Server | External
Suspicious URL Characters | External
Denial Of Service Attack | External
Distributed Denial Of Service Attack | External
Multiple Unique Attacks Against Same Host | External
Port Scan Followed By An Attack | External
Repeat Signature Detected | External
Connection Opened To Attacker | External
Data Loss | External
Threat List abuse.ch SpyEye Domain | External
Threat List abuse.ch Zeus Domain | External
Threat List Malware Domains | External
Threat List Malware Patrol URL | External
Attack Followed By Config Change | General
Configuration Deleted | General
Configuration Disabled | General
Configuration Modified | General
Repeat Vulnerability Detected | General
Vulnerability After Software Install | General
Malware Not Cleaned | Internal
Multiple Failed Access Attempts | Internal
Multiple Object Access Failures | Internal
Outbound DNS Activity | Internal
Alarm On Malware | Internal
Data Loss | Internal
Malware Outbreak | Internal
Misuse | Internal
Unauthorized Egress Port | Internal
Unauthorized Ingress Port | Internal
Critical Error Due To Configuration Change | Internal
Audit Disabled By Privileged User | Internal
Blacklisted Wireless Device Seen | Internal
Multiple Passwords Modified By Another User | Internal
Multiple Users Added To Administrator Group | Internal
Multiple Users Removed From Administrator Group | Internal
Password Changed On Multiple Accounts By Administrator | Internal
Suspicious Privilege Escalation | Internal
Temporary Account Created And Used | Internal
Excessive External FW Denies Followed By Allow | General
Large Outbound Transfer | General
Rogue Host Detection | General
LogRhythm Agent Heartbeat Missed | General
LogRhythm Log Manager Heartbeat Missed | Operations
LogRhythm Silent Log Source Error | Operations
Backup Failure | Operations
Attack Followed By Firewall Allow | Suspicious
DMZ Jumping | Suspicious
Inbound Connection With Non-Whitelisted Country | Suspicious
Inbound ICMP Flood | Suspicious
Inbound TCP Flood | Suspicious
Inbound UDP Flood | Suspicious
Inbound Unknown Flood | Suspicious
Inbound | Suspicious
New Application Detection | Suspicious
Port Misuse 53 | Suspicious
Port Misuse 80 | Suspicious
Port Misuse SSH In | Suspicious
Rogue Wireless Host | Suspicious
Targeted Host Activity Monitoring*
Rule Name | Direction/Type
After-Hours Activity | General
Unauthorized Host | General
Unauthorized Location | General
Unauthorized Network | General
Unauthorized Port/Application | General
Unauthorized Process | General
Unauthorized User | General
Web Application Defense
Rule Name | Direction/Type
Bad Bot User-Agent | External
Bad Bot User-Agent | Internal
Malicious User-Agent | External
Malicious User-Agent | Internal
Suspicious URL Characters | External
Compliance Automation Suites
201 CRM 17
Attack Alert
Compromise Alert
Denial Of Service Alert
Malware Alert
Vulnerability Alert
DoDI 8500.2
Alarm On Compromise
FISMA
Alarm On Compromise
Failed Writing To Audit Log
GPG-13
Alarm On Compromise
Alarm On Critical
Alarm On Malware
Account Access Granted Rule
Account Access Revoked Rule
Account Created Rule
Account Deleted Rule
Account Disabled Rule
Account Locked Rule
Account Modified Rule
Attack Rule
Audit Log Cleared Rule
Audit Logging Stoppage Rule
Authentication Failure Rule
Backup Critical Error Rule
Backup Information Rule
Compromise Rule
Configuration Change Rule
Critical Condition Rule
Denial Of Service Rule
Error Condition Rule
Failed Audit Log Write Rule
Malware Detection Rule
Misuse Rule
Policy Change Rule
Privileged Access Failure Rule
Privileged Authentication Failure Rule
Reconnaissance Rule
Remote Authentication Failure Rule
Rogue WAP Detection Rule
Signature Update Failure Rule
Signatures Updated Rule
Software Installation Rule
Software Uninstallation Rule
Software Update Failure Rule
Software Updated Rule
Suspicious Activity Rule
Vulnerability Rule
Web Browsing Deny Rule
HIPAA
Alarm On Attack
Alarm On Compromise
Alarm On Malware
Alarm On Misuse
ISO 27001
*NIX Host Critical Condition
Alarm on Malware
LogRhythm Silent Log Source Error
Network Device Critical Condition
Windows Host Critical Condition
NEI
Alarm On Compromise
Failed Writing To Audit Log
NERC CIP
Alarm On Compromise
Alarm On Malware
Alarm On Attack
Account Access Revoked Rule
Account Disabled Rule
Account Locked Rule
Antivirus Critical Condition Rule
Antivirus Error Condition Rule
Attack Rule
Compromise Rule
Configuration Deleted Rule
Configuration Disabled Rule
Configuration Modified Rule
Critical Condition Rule
Default Act Access Failure Rule
Default Act Access Success Rule
Default Act Authentication Failure Rule
Default Act Authentication Success Rule
Denial Of Service Rule
Dial-Up Initiation Rule
Door Access Success Rule
ESP Allowed Egress Communication Rule
ESP Allowed Ingress Communication Rule
ESP Denied Egress Communication Rule
ESP Denied Ingress Communication Rule
Malware Rule
Misuse Rule
Modem Enabled/Installed Rule
Policy Disabled Rule
Policy Modified Rule
Privileged Account Access Failure Rule
Privileged Account Access Success Rule
Privileged Account Authentication Failure Rule
Privileged Account Authentication Success Rule
Privileged Account Access Granted Rule
Privilege Revoked Rule
Reconnaissance Rule
Remote Authentication Failure Rule
Remote Authentication Success Rule
Shared Act Access Failure Rule
Shared Act Access Success Rule
Shared Act Authentication Failure Rule
Shared Act Authentication Success Rule
Signature Update Failure Rule
Software Update Failure Rule
Suspicious Activity Rule
Suspicious Door Access Rule
System Shutdown Rule
Term Act Access Failure Rule
Term Act Access Success Rule
Term Act Authentication Failure Rule
Term Act Authentication Success Rule
Vendor Act Access Failure Rule
Vendor Act Access Success Rule
Vendor Act Authentication Failure Rule
Vendor Act Authentication Success Rule
Vulnerability Rule
NIST 800-35
Account Access Revoked Rule
Account Disabled Rule
Account Locked Rule
Activity Rule
Antivirus Critical Condition Rule
Antivirus Error Condition Rule
Attack Rule
Audit Log Cleared Rule
Audit Logging Stopped Rule
Backup Critical/Error Rule
Backup Information Rule
Compromise Rule
Configuration Change Rule
Critical Condition Rule
Data Loss Prevention Rule
Default Act Access Failure Rule
Default Act Access Success Rule
Default Act Authentication Failure Rule
Default Act Authentication Success Rule
Denial Of Service Rule
Door Access Success Rule
Error Condition Rule
Brute Force Success From Distributed Origin Hosts
Brute Force Success From Single Origin Host Rule
Concurrent Remote Authentication Successes from Multiple Cities Rule
Concurrent Remote Authentication Successes from Multiple Countries Rule
Concurrent Remote Authentication Successes from Multiple Regions Rule
Concurrent VPN Authentications From Same User
Host Compromise Followed by Account Created Rule
Host Compromise Followed by Audit Log Cleared Rule
Host Compromise Followed by Critical Data Destruction Rule
Multiple Unique Attacks Against Same Host
Successful Account Probe On Multiple Hosts Rule
Successful Account Probe On Single Host Rule
Successful Denial Of Service Rule
Successful Distributed Denial Of Service Rule
Failed Audit Log Write Rule
File Integrity Monitor Log Rule
Guest Act Access Failure Rule
Guest Act Authentication Failure Rule
Host Compromise by Attacker Followed by Time Change Rule
Account Created, Used, Then Deleted Rule
Brute Force Success From A Single Origin Host Rule
Brute Force Success From Distributed Origin Hosts Rule
Host Compromise Followed by Account Created Rule
Host Compromise Followed by Audit Log Cleared Rule
Host Compromise Followed by Critical Data Destruction Rule
Malware Activity From Multiple Hosts Rule
Multiple Unique Attacks Against Same Host
Spamming System Rule
Successful Account Probe On Multiple Hosts Rule
Successful Account Probe On Single Host Rule
Malware Rule
Misuse Rule
Policy Change Rule
Privileged Account Access Failure Rule
Privileged Account Authentication Failure Rule
Privileged Group Access Granted Rule
Reconnaissance Rule
Remote Authentication Failure Rule
Rogue WAP Detection Rule
Shared Act Access Failure Rule
Shared Act Authentication Failure Rule
Signature Update Failure Rule
Software Installed Rule
Software Update Failure Rule
SPAM Detection Rule
Suspicious Door Access Rule
Term Act Access Failure Rule
Term Act Access Success Rule
Term Act Authentication Failure Rule
Term Act Authentication Success Rule
Vendor Act Access Failure Rule
Vendor Act Authentication Failure Rule
Vulnerability Rule
NRC
Alarm On Compromise
Failed Writing To Audit Log
PCI DSS
Account Disabled/Locked AIE Rule
Attack Alert Rule
Backup Failure Alert Rule
Backup Information AIE Rule
Compromise Alert Rule
Database Authentication AIE Rule
DB Account Authentication Failure Alert Rule
Denial Of Service Alert Rule
FIM Failure Alert Rule
FIM Information AIE Rule
Invalid Account Usage AIE Rule
Invalid Act Authentication Failure Alert Rule
Malware Alert Rule
Rogue WAP Detected Alert Rule
Software Update Failure Alert Rule
Vendor Account Enabled Alert Rule
Vendor Authentication Activity AIE Rule
Vendor Authentication Failure Alert Rule
Vulnerability Alert Rule
Antivirus Failure Alert Rule
Antivirus Information AIE Rule
Audit Log Cleared Alert Rule
Audit Log Write Failure Alert Rule
Denied CDE => Internet Communication AIE Rule
Denied DMZ => Internal Communication AIE Rule
Denied Inet => Internal Communication AIE Rule
Denied Internet => CDE Communication AIE Rule
Denied Internet => DMZ Comm AIE Rule
Denied Internet => Inet Communication AIE Rule
Denied Internet => Internet Communication AIE Rule
Denied Test => Internal Communication AIE Rule
Denied Test => Internet Communication AIE Rule
Denied Wireless => CDE Communication AIE Rule
FIM Add Activity AIE Rule
FIM Delete Activity AIE Rule
FIM Group Change Activity AIE Rule
FIM Modify Activity AIE Rule
FIM Owner Change Activity AIE Rule
FIM Permission Activity AIE Rule
Firewall Policy Synch Information AIE Rule
FW Policy Synch Failure Alert Rule
Host Firewall Failure Alert Rule
Host Firewall Information AIE Rule
Invalid CDE => Internet Communication AIE Rule
Invalid DMZ => Internal Communication AIE Rule
Invalid Inet => Internet Communication AIE Rule
Invalid Internet => CDE Communication AIE Rule
Invalid Internet => DMZ Communication AIE Rule
Invalid Internet => Inet Communication AIE Rule
Invalid Internet => Internet Communication AIE Rule
Invalid Test => Internal Communication AIE Rule
Invalid Test => Internet Communication AIE Rule
Invalid Wireless => CDE Communication AIE Rule
Object Disposal Failure Alert Rule
Physical Access Failure Alert Rule
Physical Access Usage AIE Rule
Privileged Acct Authentication Failure Alert Rule
Reconnaissance Activity Alert Rule
Remote Session Timeout AIE Rule
Signature Update Failure Alert Rule
Suspicious Activity Alert Rule
SOX-COSO
Alarm On Attack
Alarm On Compromise
Alarm On Malware