The following table describes the log source types that should be collected to make effective use of each AIE rule in the UEBA Module.

| AIE Rule ID | AIE Rule Name | Log Sources (minimum) | Log Sources (recommended) |
|---|---|---|---|
| 1245 | Attainment: Abnormal File Access | LogRhythm Sysmon | Other File Integrity Monitoring |
| 1246 | Attainment: Corroborated Account Anomalies | AI Engine Events | AI Engine Events |
| 1247 | C2: Abnormal Origin Location | Active Directory or LDAP | Host Logs |
| 1248 | Compromise: Abnormal Process Activity | Host Logs | LogRhythm Sysmon |
| 1249 | C2: Blacklist Location Auth | Active Directory or LDAP | Host Logs |
| 1250 | Compromise: Concurrent VPN from Multiple Locations | Authentication Log Sources | N/A |
| 1251 | Recon: Linux sudo Privilege Escalation | Linux Host Logs | Active Directory or LDAP |
| 1252 | Compromise: Windows RunAs Privilege Escalation | Windows Host Logs | Active Directory or LDAP |
| 1253 | Compromise: Auth After Numerous Failed Auths | Active Directory or LDAP | Host Logs |
| 1254 | Compromise: Auth After Security Event | Intrusion Detection System, Host Logs | Intrusion Detection System, LogRhythm Sysmon |
| 1255 | Compromise: Distributed Brute Force | Active Directory or LDAP | Host Logs, Web Server Logs |
| 1256 | Compromise: External Brute Force Auths | Active Directory or LDAP | Host Logs, Web Server Logs, VPN |
| 1257 | Compromise: Lateral Movement With Account Sweep | Active Directory or LDAP | Host Logs |
| 1258 | Corruption: Audit Disabled by Admin | Host Logs | LogRhythm Sysmon |
| 1259 | Disruption: Files Deleted by Admin | Host Logs | Active Directory or LDAP, LogRhythm Sysmon |
| 1260 | Lateral: Abnormal Auth Behavior | Active Directory or LDAP | Host Logs |
| 1261 | Compromise: Account Added to Admin Group | Active Directory or LDAP | Host Logs |
| 1262 | Lateral: Admin Password Modified | Active Directory or LDAP | Host Logs |
| 1263 | Lateral: Auth After Dispersed Failed Auths | Active Directory or LDAP | Host Logs |
| 1264 | Lateral: Brute Force Internal Auth Failure | Active Directory or LDAP | Host Logs |
| 1265 | Lateral: External Attack then Account Creation | Active Directory or LDAP | Host Logs |
| 1266 | Lateral: Failed Auths then Success | Active Directory or LDAP | Host Logs |
| 1267 | Lateral: Internal Attack then Account Creation | Intrusion Detection System and Active Directory or LDAP | Intrusion Detection System and Host Logs |
| 1268 | Lateral: Internal Recon then Account Creation | Intrusion Detection System and Active Directory or LDAP | Intrusion Detection System and Host Logs |
| 1269 | Lateral: Multiple Account Passwords Modified by Admin | Active Directory or LDAP | Host Logs |
| 1270 | Lateral: Numerous and Dispersed Internal Failed Auths | Active Directory or LDAP | Host Logs |
| 1271 | Lateral: Numerous Internal Failed Auths | Active Directory or LDAP | Host Logs |
| 1272 | Lateral: Password Modified by Admin | Active Directory or LDAP | Host Logs |
| 1273 | Lateral: Privilege Escalation after Attack | Intrusion Detection System, Host Logs | Intrusion Detection System, LogRhythm Sysmon |
| 1278 | Compromise: CloudAI Multiple User Threat Events | LogRhythm UEBA Events | N/A |
| 1279 | Recon: Disabled Account Auth Failures | Active Directory or LDAP | Host Logs |
| 1281 | Recon: Failed Distributed Account Probe | Active Directory or LDAP | Host Logs |
| 1282 | Recon: Failed Distributed Brute Force | Active Directory or LDAP | Host Logs |
| 1283 | Recon: Multiple Lockouts | Active Directory or LDAP | Host Logs |
| 1284 | Progression: to Initial Compromise | AI Engine Events | N/A |
| 1285 | Progression: to Command and Control | AI Engine Events | N/A |
| 1286 | Progression: to Lateral Movement | AI Engine Events | N/A |
| 1287 | Progression: to Target Attainment | AI Engine Events | N/A |
| 1288 | Progression: to Exfil, Corruption, Disruption | AI Engine Events | N/A |
| 1289 | Progression: to Initial Compromise | AI Engine Events | N/A |
| 1290 | Progression: to Command and Control | AI Engine Events | N/A |
| 1291 | Progression: to Lateral Movement | AI Engine Events | N/A |
| 1292 | Progression: to Target Attainment | AI Engine Events | N/A |
| 1293 | Progression: to Exfil, Corruption, Disruption | AI Engine Events | N/A |
| 1294 | Progression: to Initial Compromise | AI Engine Events | N/A |
| 1295 | Progression: to Command and Control | AI Engine Events | N/A |
| 1296 | Progression: to Lateral Movement | AI Engine Events | N/A |
| 1297 | Progression: to Target Attainment | AI Engine Events | N/A |
| 1298 | Progression: to Exfil, Corruption, Disruption | AI Engine Events | N/A |
| 1299 | Compromise: Log Cleared | Host Security Logs/AV/IDS/IPS | NextGen Firewall |
| 1300 | Compromise: Security Event then Process Starting | Host Security Logs/AV/IDS/IPS | NextGen Firewall |
| 1301 | Compromise: System Time Change | Host Security Logs/IDS/IPS | NextGen Firewall |
| 1302 | Compromise: Unusual Auth then Unusual Process | Host Security Logs/AD/LDAP | LogRhythm Sysmon |
| 1303 | Compromise: Security Event then Scheduled Task | Host Security Logs/AV/IDS/IPS | Sysmon/CarbonBlack |
| 1304 | Lateral: Locally Created and Used | Host Security Logs | Single Sign On Logs |
| 1305 | Compromise: Change to Host File | LogRhythm Sysmon: File Monitor | N/A |
| 1306 | Disruption: Critical Windows Binaries Modified/Deleted | LogRhythm Sysmon: File Monitor | N/A |
| 1307 | Compromise: CloudAI and Recent User Location Data Observed | LogRhythm UEBA Events | VPN Logs |
| 1308 | Compromise: CloudAI and Location Watch List | LogRhythm UEBA Events | VPN Logs |
| 1309 | Compromise: CloudAI and User Recently Added to a Privileged Group | LogRhythm UEBA Events/Active Directory or LDAP | Host Logs |
| 1310 | Compromise: CloudAI and User related Security Classification Event | LogRhythm UEBA Events/Any Log Source | N/A |
| 1312 | Compromise: CloudAI Threat Event | LogRhythm UEBA Events/Active Directory or LDAP | Host Logs |
| 1336 | Compromise: CloudAI Threat Event and Identity Lists | LogRhythm UEBA Events/Active Directory or LDAP | Host Logs |
| 1490 | Exfiltration: CloudAI and File (NGFW) Detection | CloudAI/NGFW | N/A |
| 1491 | Exfiltration: CloudAI and Sensitive Data (NGFW) Detection | CloudAI/NGFW | N/A |