These lists require configuration in the LogRhythm environment.

| List ID | List Name | Type | ID | Name |
|---|---|---|---|---|
| -2169 | Network : Search : HTTP | AIE Rule | 1417 | C2: Internationalized Domain Name (IDN) |
| | | AIE Rule | 1423 | C2: Port Misuse: 80 |
| -2171 | Network : Search : SSL/TLS | AIE Rule | 1416 | C2: Port Misuse: 443 |
| -2177 | Network : Unauthorized/Risky Applications | AIE Rule | 1409 | Compromise: Blacklisted Applications |
| | | Investigation | 205 | Network : Unauthorized/Risky Application Usage |
| | | Report | 958 | Network : Unauthorized/Risky Application Usage |
| -2179 | Network : Whitelisted Countries | AIE Rule | 1406 | C2: Non-Whitelisted Country Observed |
| | | Investigation | 207 | Network : Non-Whitelisted Country Activity |
| -2180 | Network : Blacklisted Countries | AIE Rule | 1410 | C2: Blacklisted Country Observed |
| | | Investigation | 206 | Network : Blacklisted Country Activity |
| -2181 | Network : Internal/DMZ Webservers | AIE Rule | 1408 | Disruption: DMZ DDoS |
| -2187 | Network : Allowed Ingress Ports | AIE Rule | 1432 | Recon: Blacklisted Ingress Port |
| -2188 | Network : Allowed Egress Ports | AIE Rule | 1431 | C2: Blacklisted Egress Port |
| -2197 | Network Devices | AIE Rule | 1434 | Disruption: Network Device Configuration Wiped |
| -2201 | Top Common Domains Using Suspicious TLDs | AIE Rule | 1418 | C2: Suspicious Top Level Domain (TLD) |
| -2362 | Vulnerability Scanners | AIE Rule | 1382 | Recon: Port Sweep |
| -2365 | Mail Servers | AIE Rule | 1388 | C2: Excessive Unique Outbound Connections |
| -2366 | External IP Addresses | AIE Rule | 1382 | Recon: Port Sweep |
| -1000123 | Network: Authorized Applications | AIE Rule | 1489 | Exfiltration: Unauthorized VPN Usage |
| -1000124 | Network: SCADA IP Ranges | AIE Rule | 1487 | Lateral: Non-SCADA traffic in SCADA Network |
| -1000125 | Network: SCADA Entities | AIE Rule | 1487 | Lateral: Non-SCADA traffic in SCADA Network |