AI Rule ID | AI Rule Name | Log Sources Minimum | Log Sources Recommended | Network Monitor Required?
---------- | ------------ | ------------------- | ----------------------- | -------------------------
1382 | Recon: Port Sweep | Firewall or Network Flow Data (perimeter) | LogRhythm Network Monitor, Next Gen Firewall (perimeter) | No
1383 | Recon: Port Scan | Firewall or Network Flow Data (perimeter) | LogRhythm Network Monitor, Next Gen Firewall (perimeter) | No
1384 | Disruption: Denial of Service | Host Logs or IDS/IPS (internal) | Host Logs or IDS/IPS (internal) | No
1385 | Compromise: Multiple Unique Attack Events | IDS/IPS (internal) | IDS/IPS (internal) | No
1386 | C2: Spamming Bot | Firewall or Network Flow Data (egress) | LogRhythm Network Monitor, Next Gen Firewall (egress) | No
1387 | Compromise: Attack then Critical Event | IDS/IPS and Host Logs | IDS/IPS and LogRhythm System Monitor | No
1388 | C2: Excessive Unique Outbound Connections | Firewall or Network Flow Data (internal/egress) | LogRhythm Network Monitor, Next Gen Firewall (internal/egress) | No
1389 | Compromise: Malicious Payload Drop | IDS/IPS and Firewall or Network Flow Data | LogRhythm Network Monitor, Next Gen Firewall | No
1390 | C2: Malware: Outbound IRC | Firewall or Network Flow Data (internal/egress) | LogRhythm Network Monitor, Next Gen Firewall (internal/egress) | No
1391 | Recon: Excessive HTTP Errors | Web Server | Web Server | No
1392 | Compromise: SQL Injection | Next Gen Firewall | LogRhythm Network Monitor | No
1393 | Compromise: Cross-Site Scripting (XSS) | Next Gen Firewall | LogRhythm Network Monitor | No
1394 | Recon: URL Directory Traversal | Next Gen Firewall (internal/egress) | LogRhythm Network Monitor (internal/egress) | No
1395 | Compromise: Vuln Exploited Externally | IDS/IPS and Vulnerability Scanner | IDS/IPS and Vulnerability Scanner | No
1396 | Recon: Metasploit Activity Observed | Firewall or Network Flow Data (internal) | LogRhythm Network Monitor, Next Gen Firewall (internal) | No
1397 | C2: Outbound Connections Increase | Firewall or Network Flow Data (perimeter) | LogRhythm Network Monitor, Next Gen Firewall (perimeter) | No
1398 | Disruption: Distributed Denial of Service Attack | LogRhythm Network Monitor (perimeter) | LogRhythm Network Monitor (perimeter) | Yes
1399 | C2: Port Misuse: HTTP | LogRhythm Network Monitor | LogRhythm Network Monitor | Yes
1400 | Disruption: DoS (Traffic Threshold) | LogRhythm Network Monitor (internal/egress) | LogRhythm Network Monitor (internal/egress) | Yes
1401 | C2: Port Misuse: SSH Outbound | LogRhythm Network Monitor | LogRhythm Network Monitor | Yes
1402 | Lateral: Multiple MACs for Same IP | LogRhythm Network Monitor (internal/egress) | LogRhythm Network Monitor (internal/egress) | Yes
1403 | C2: Long Session: ICMP | LogRhythm Network Monitor | LogRhythm Network Monitor | Yes
1404 | Compromise: Insecure Protocol | LogRhythm Network Monitor | LogRhythm Network Monitor | Yes
1405 | C2: Port Misuse: FTP | LogRhythm Network Monitor | LogRhythm Network Monitor | Yes
1406 | C2: Non-Whitelisted Country Observed | Firewall or Network Flow Data (egress) | LogRhythm Network Monitor, Next Gen Firewall (egress) | No
1407 | C2: Long Running Session | LogRhythm Network Monitor | LogRhythm Network Monitor | Yes
1408 | Disruption: DMZ DDoS | Web Server and Firewall or Network Flow Data | LogRhythm Network Monitor, Next Gen Firewall | No
1409 | Compromise: Blacklisted Application | LogRhythm Network Monitor | LogRhythm Network Monitor | Yes
1410 | C2: Blacklisted Country Observed | Firewall or Network Flow Data (egress) | LogRhythm Network Monitor, Next Gen Firewall (egress) | No
1411 | C2: Blocked Outbound Traffic then Allow | Firewall or Network Flow Data (egress) | LogRhythm Network Monitor, Next Gen Firewall (egress) | No
1412 | Compromise: Inbound RDP/VNC | Firewall or Network Flow Data (perimeter) | LogRhythm Network Monitor, Next Gen Firewall (perimeter) | No
1413 | C2: Excessive Outbound Firewall Denies | Firewall or Network Flow Data (perimeter) | LogRhythm Network Monitor, Next Gen Firewall (perimeter) | No
1414 | C2: High Entropy Traffic | LogRhythm Network Monitor | LogRhythm Network Monitor | Yes
1415 | C2: Port Misuse: 22 | LogRhythm Network Monitor | LogRhythm Network Monitor | Yes
1416 | C2: Port Misuse: 443 | LogRhythm Network Monitor | LogRhythm Network Monitor | Yes
1417 | C2: Internationalized Domain Name (IDN) | Next Gen Firewall, Outbound Web Proxy, DNS Logs | LogRhythm Network Monitor | No
1418 | C2: Suspicious Top Level Domain (TLD) | LogRhythm Network Monitor | LogRhythm Network Monitor | Yes
1419 | C2: Attack then Outbound Connection | IDS/IPS and Firewall or Network Flow Data | LogRhythm Network Monitor, Next Gen Firewall | No
1420 | Lateral: Internal Recon After Attack | Firewall or Network Flow Data and IDS/IPS or Antivirus Logs | LogRhythm Network Monitor, Next Gen Firewall | No
1421 | Compromise: New Network Host | LogRhythm Network Monitor (internal) | LogRhythm Network Monitor (internal) | No
1422 | C2: DMZ Jumping | LogRhythm Network Monitor (perimeter) | LogRhythm Network Monitor (perimeter) | Yes
1423 | C2: Port Misuse: 80 | LogRhythm Network Monitor | LogRhythm Network Monitor | Yes
1424 | C2: Port Misuse: 53 | LogRhythm Network Monitor | LogRhythm Network Monitor | Yes
1425 | Compromise: Port Misuse: SSH Inbound | LogRhythm Network Monitor | LogRhythm Network Monitor | Yes
1426 | Exfiltration: Large Outbound Transfer | Firewall or Network Flow Data | LogRhythm Network Monitor, Next Gen Firewall | No
1427 | C2: New Application | Next Gen Firewall | LogRhythm Network Monitor | No
1428 | Recon: Excessive Inbound Firewall Denies | Firewall or Network Flow Data (perimeter) | LogRhythm Network Monitor, Next Gen Firewall (perimeter) | No
1429 | Recon: Blocked External Traffic then Allow | Firewall or Network Flow Data (perimeter) | LogRhythm Network Monitor, Next Gen Firewall (perimeter) | No
1430 | Compromise: Repeated Attacks Against Host | IDS/IPS | Next Gen Firewall | No
1431 | C2: Blacklisted Egress Port | Firewall or Network Flow Data (egress) | LogRhythm Network Monitor, Next Gen Firewall (egress) | No
1432 | Recon: Blacklisted Ingress Port | Firewall or Network Flow Data (perimeter) | LogRhythm Network Monitor, Next Gen Firewall (perimeter) | No
1433 | C2: External DNS Server Used | Firewall or Network Flow Data | LogRhythm Network Monitor, Next Gen Firewall | No
1434 | Disruption: Network Device Configuration Wiped | Network Device Logs | Network Device Logs | No
1435 | Compromise: Authentication From a DMZ Host | Firewall or Network Flow Data | LogRhythm Network Monitor, Next Gen Firewall | No
1436 | C2: IRC on Non-Standard Port | LogRhythm Network Monitor | LogRhythm Network Monitor | Yes
1437 | Compromise: Obsolete SSL/TLS Version | LogRhythm Network Monitor | LogRhythm Network Monitor and Next Gen Firewall or Web Proxy | Yes
1438 | Compromise: SQL Injection Event | Next Gen Firewall and IDS/IPS | Next Gen Firewall and IDS/IPS | No
1439 | Compromise: Cross-Site Scripting (XSS) Event | Next Gen Firewall and IDS/IPS | Next Gen Firewall and IDS/IPS | No
1440 | Recon: URL Directory Traversal Event | Next Gen Firewall and IDS/IPS | Next Gen Firewall and IDS/IPS | No
1487 | Lateral: Non-SCADA Traffic in SCADA Network | LogRhythm Network Monitor | LogRhythm Network Monitor | Yes
1488 | Exfiltration: Unauthorized Cloud Service | LogRhythm Network Monitor | LogRhythm Network Monitor | Yes
1489 | Exfiltration: Unauthorized VPN Usage | LogRhythm Network Monitor | LogRhythm Network Monitor | Yes

Attack Lifecycle Progression Rules

The AI Engine rules contained in the Network Detection and Response Module are categorized by Attack Lifecycle stage. Each stage corresponds to a step an attacker takes during an intrusion, so activity that advances from one stage into a later one should be treated as a more serious event than any single alert on its own. The Network Detection and Response Module also contains Attack Lifecycle Progression rules that identify this forward movement between stages. These rules are listed in the following table.


Rule ID | AI Engine Rule Name | Groups By
------- | ------------------- | ---------
1003 | Progression: to Initial Compromise | Host (Origin)
1004 | Progression: to Command and Control | Host (Origin)
1005 | Progression: to Lateral Movement | Host (Origin)
1006 | Progression: to Target Attainment | Host (Origin)
1007 | Progression: to Exfil, Corruption, Disruption | Host (Origin)
1008 | Progression: to Initial Compromise | Host (Impacted)
1009 | Progression: to Command and Control | Host (Impacted)
1010 | Progression: to Lateral Movement | Host (Impacted)
1011 | Progression: to Target Attainment | Host (Impacted)
1012 | Progression: to Exfil, Corruption, Disruption | Host (Impacted)
1013 | Progression: to Initial Compromise | User (Origin)
1014 | Progression: to Command and Control | User (Origin)
1015 | Progression: to Lateral Movement | User (Origin)
1016 | Progression: to Target Attainment | User (Origin)
1017 | Progression: to Exfil, Corruption, Disruption | User (Origin)

The Rule Group has been set to “Attack Lifecycle Progression” for convenience in identifying these rules. Each rule has two Rule Blocks: the first looks for an AIE Event in any earlier Attack Lifecycle stage, and the second looks for an AIE Event in the target stage. Each rule appears three times, once per grouping field (Origin Host, Impacted Host, or Origin User), so a rule copy only correlates two events whose values match in the one field it groups by. For example, Progression: to Target Attainment fires when an event in “Reconnaissance”, “Initial Compromise”, “Command and Control”, or “Lateral Movement” is observed, followed by an event in “Target Attainment”, as long as the Origin Host, the Impacted Host, or the Origin User (whichever field that copy groups by) is the same between the two events. Lists contain all the AIE Events that populate each of the Attack Lifecycle stages.


List Type | Name | List ID
--------- | ---- | -------
Common Event | Attack Lifecycle: Command and Control | -2551
Common Event | Attack Lifecycle: Exfil, Corruption, Disruption | -2554
Common Event | Attack Lifecycle: Initial Compromise | -2550
Common Event | Attack Lifecycle: Lateral Movement | -2552
Common Event | Attack Lifecycle: Recon and Planning | -2549
Common Event | Attack Lifecycle: Target Attainment | -2553
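The two-Rule-Block logic described above, worked through as an added example that is not LogRhythm's own code: a small Python emulation of the three copies of a Progression rule (one per grouping field), run over constructed AIE events. The stage names and their order come from the list table above. Everything else is an assumption made for illustration: which Attack Lifecycle list each sample rule name belongs to (guessed from its prefix), the one-hour correlation window (the page states none), the event field names, and the sample hosts and user.

```python
from dataclasses import dataclass

# Attack Lifecycle stages in progression order (names from the list table above).
STAGES = (
    "Recon and Planning",
    "Initial Compromise",
    "Command and Control",
    "Lateral Movement",
    "Target Attainment",
    "Exfil, Corruption, Disruption",
)
STAGE_INDEX = {name: i for i, name in enumerate(STAGES)}

# Stand-in for the "Attack Lifecycle: ..." Common Event lists. The rule names are
# from the module table above; their list membership is ASSUMED here from the
# rule-name prefix, not taken from the product.
COMMON_EVENT_LISTS = {
    "Recon: Port Scan": "Recon and Planning",
    "Compromise: SQL Injection": "Initial Compromise",
    "C2: Outbound Connections Increase": "Command and Control",
    "Lateral: Internal Recon After Attack": "Lateral Movement",
    "Exfiltration: Large Outbound Transfer": "Exfil, Corruption, Disruption",
}

# One copy of each Progression rule exists per grouping field (see the rule table).
GROUP_FIELDS = ("origin_host", "impacted_host", "origin_user")


@dataclass(frozen=True)
class AIEEvent:
    ts: int            # seconds since an arbitrary epoch (constructed values)
    name: str          # AIE Event name, e.g. "Compromise: SQL Injection"
    origin_host: str
    impacted_host: str
    origin_user: str   # empty when the event carries no user


def progressions(events, group_field, window_seconds=3600):
    """Emulate one copy of a Progression rule.

    Rule Block 1: an AIE Event in any earlier stage.
    Rule Block 2: a later AIE Event in a more advanced stage, with the same
    value in group_field, within window_seconds (the window is an assumption).
    Returns one (group value, reached stage, earlier stage) tuple per firing.
    """
    history = {}   # group value -> [(ts, stage), ...] in time order
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        stage = COMMON_EVENT_LISTS.get(ev.name)
        key = getattr(ev, group_field)
        if stage is None or not key:
            continue   # not a lifecycle event, or nothing to group on
        prior = history.setdefault(key, [])
        for prior_ts, prior_stage in prior:
            in_window = ev.ts - prior_ts <= window_seconds
            if in_window and STAGE_INDEX[prior_stage] < STAGE_INDEX[stage]:
                alerts.append((key, stage, prior_stage))
                break   # one firing per Rule Block 2 event
        prior.append((ev.ts, stage))
    return alerts


def run_all(events):
    """All three rule copies, keyed by grouping field."""
    return {field: progressions(events, field) for field in GROUP_FIELDS}


# Constructed sample: an external host scans and injects into a web server, which
# then beacons out and exfiltrates; a day later the scanner returns on its own.
SAMPLE_EVENTS = [
    AIEEvent(0,     "Recon: Port Scan",                      "203.0.113.5", "10.0.0.8",     ""),
    AIEEvent(600,   "Compromise: SQL Injection",             "203.0.113.5", "10.0.0.8",     ""),
    AIEEvent(1200,  "C2: Outbound Connections Increase",     "10.0.0.8",    "198.51.100.7", "svc_web"),
    AIEEvent(1800,  "Exfiltration: Large Outbound Transfer", "10.0.0.8",    "198.51.100.7", "svc_web"),
    AIEEvent(90000, "C2: Outbound Connections Increase",     "203.0.113.5", "10.0.0.12",    ""),
]

if __name__ == "__main__":
    for field, alerts in run_all(SAMPLE_EVENTS).items():
        for key, stage, prior in alerts:
            print(f"Progression: to {stage} [{field}={key}] after {prior}")
```

Running the block prints one line per firing. Worth noting is what it does not fire on: 10.0.0.8 is the Impacted Host of the injection and the Origin Host of the beacon that follows, so no copy of the rule fires for the step from Initial Compromise to Command and Control on that host; each copy groups on a single field, as the rule table shows, and the chain is only picked up again when two events share a field (the beacon and the exfiltration share Origin Host and Origin User). The scanner's return at t=90000 lies outside the assumed window and produces nothing.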