CIS-CSC – AI Engine Rules
Rule ID | Rule Name | Minimum Data Requirement | Recommended Data Requirement |
---|---|---|---|
12 | CSC: Port Scan then Attack | Firewall or Network Flow Data, IDS/Security Events | LogRhythm Network Monitor or Next Gen Firewall |
13 | CSC: Possible DDoS Detected | Firewall or Network Flow Data, IDS/Security Events, Host Logs | |
14 | CSC: Multiple Unique Attacks Observed | IDS/Security Events | |
18 | CSC: Attack then External Connection | IDS/Security Events, Firewall or Network Flow Data | LogRhythm Network Monitor or Next Gen Firewall |
34 | CSC: Password Modified on Multiple Accounts | Host Logs | Active Directory or LDAP |
36 | CSC: Audit Disabled by Admin | Host Logs | Active Directory or LDAP |
37 | CSC: Temporary Account Used | Host Logs | Active Directory or LDAP |
40 | CSC: Local Account Created and Used | Host Logs | Active Directory or LDAP |
76 | CSC: Disabled Account Auth Failures | Host Logs | Active Directory or LDAP |
81 | CSC: Config Change then Critical Error | Host Logs | |
82 | CSC: Recon after Attack | IDS/Security Events, Firewall or Network Flow Data | LogRhythm Network Monitor or Next Gen Firewall |
88 | CSC: Disabled Account Auth Success | Host Logs | Active Directory or LDAP |
95 | CSC: SQL Injection Detected | Web Server | Web Proxy or Next Gen Firewall |
97 | CSC: Cross-site Scripting (XSS) Detected | Web Server | Web Proxy or Next Gen Firewall |
99 | CSC: Directory Traversal URL | Web Server | Web Proxy or Next Gen Firewall |
158 | CSC: Accounts Deleted by Admin | Host Logs | Active Directory or LDAP |
159 | CSC: Accounts Disabled by Admin | Host Logs | Active Directory or LDAP |
160 | CSC: Users Added to Admin Group | Host Logs | Active Directory or LDAP |
161 | CSC: Users Removed from Admin Group | Host Logs | Active Directory or LDAP |
162 | CSC: Windows RunAs Privilege Escalation | Windows Event Logs | |
165 | CSC: Linux sudo Privilege Escalation | Linux Host Logs | |
250 | CSC: Password Modified by Another User | Host Logs | Active Directory or LDAP |
287 | CSC: Abnormal File Access | LogRhythm File Integrity Monitor | |
383 | CSC: New Network Host | LogRhythm Network Monitor | |
420 | CSC: Attack then Inbound Traffic | IDS/Security Events, Firewall or Network Flow Data | LogRhythm Network Monitor or Next Gen Firewall |
432 | CSC: DMZ Jumping | LogRhythm Network Monitor | |
436 | CSC: Port Misuse: 80 | LogRhythm Network Monitor | |
437 | CSC: Port Misuse: 53 | LogRhythm Network Monitor | |
439 | CSC: Allowed Traffic from Non-Whitelist Country | Firewall or Network Flow Data, GeoLocation Data | LogRhythm Network Monitor or Next Gen Firewall |
448 | CSC: Inbound SSH on Non-standard Port | LogRhythm Network Monitor | |
452 | CSC: New Application Detected | Firewall or Network Flow Data | LogRhythm Network Monitor or Next Gen Firewall |
453 | CSC: Excessive Inbound Firewall Denies | Firewall or Network Flow Data | LogRhythm Network Monitor or Next Gen Firewall |
457 | CSC: ICMP Flood Detected | LogRhythm Network Monitor | |
458 | CSC: TCP Flood Detected | LogRhythm Network Monitor | |
459 | CSC: UDP Flood Detected | LogRhythm Network Monitor | |
460 | CSC: Excessive Unknown Application | LogRhythm Network Monitor | |
464 | CSC: Allowed Traffic from Blacklist Country | Firewall or Network Flow Data | LogRhythm Network Monitor or Next Gen Firewall |
471 | CSC: Blocked Traffic then Allowed | Firewall or Network Flow Data | LogRhythm Network Monitor or Next Gen Firewall |
488 | CSC: Malware Event | IDS/Security or Antimalware Events | |
490 | CSC: Config Deleted/Disabled | Host or Network Device Events | |
492 | CSC: Config Modified | Host or Network Device Events | |
493 | CSC: Config Change After Attack | IDS/Security Events, Host or Network Device Events | |
494 | CSC: Vulnerability after Software Installed | Host Logs, Vulnerability Scanner Logs | |
495 | CSC: Repeat Vulnerability Detected | Vulnerability Scanner Logs | |
496 | CSC: Repeat Attacks Against a Host | IDS/Security Events | |
497 | CSC: Blacklisted User-Agent String | Web Server | Web Proxy or Next Gen Firewall |
498 | CSC: Backup Failure Detected | Backup System Events | |
499 | CSC: Blacklisted Egress Port Observed | Firewall or Network Flow Data | LogRhythm Network Monitor or Next Gen Firewall |
500 | CSC: Blacklisted Ingress Port Observed | Firewall or Network Flow Data | LogRhythm Network Monitor or Next Gen Firewall |
501 | CSC: Multiple Passwords Modified by Different User | Host Logs | Active Directory or LDAP |
502 | CSC: External DNS Observed | LogRhythm Network Monitor or Next Gen Firewall | |
506 | CSC: Multiple Failed Access Attempts | Object-Level Auditing Data | |
507 | CSC: Multiple Object Access Failures | Object-Level Auditing Data | |
508 | CSC: New Wireless Host | LogRhythm Network Monitor | |
509 | CSC: Malware Not Cleaned | IDS/Security or Antimalware Events | |
1112 | CSC: External Malicious User-Agent | Web Server | Web Proxy or Next Gen Firewall |
1113 | CSC: External Malicious URL Characters | Web Server | Web Proxy or Next Gen Firewall |
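Several rules in the table (12 "Port Scan then Attack", 18 "Attack then External Connection", 82 "Recon after Attack", 420 "Attack then Inbound Traffic", 493 "Config Change After Attack") are two-stage sequence correlations: a first condition is derived from one data source (firewall or network flow data) and a second event from another source (IDS/security events) must follow it from the same host within a time window. The following Python is an added illustration of that pattern for rule 12 and is not LogRhythm AI Engine code; the window sizes, the distinct-port threshold, the event field names and the sample records are all constructed for this example and are not taken from the page or the product.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables (assumed for this example; the product's own thresholds are not
# stated on the page).
SCAN_WINDOW = timedelta(minutes=5)      # distinct ports must fall inside this
SCAN_PORT_THRESHOLD = 10                # distinct destination ports from one source
FOLLOW_WINDOW = timedelta(minutes=30)   # attack must follow the scan within this


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def detect_port_scans(flow_events):
    """Stage 1: infer port scans from firewall / network flow records.

    Returns {source_ip: datetime} giving, per source, the moment at which it
    first touched SCAN_PORT_THRESHOLD distinct destination ports within
    SCAN_WINDOW. The first such moment is kept so that an attack is only
    correlated if it happens after the scan was observed.
    """
    by_src = defaultdict(list)
    for ev in flow_events:
        by_src[ev["src"]].append((parse_ts(ev["ts"]), ev["dport"]))
    scans = {}
    for src, recs in by_src.items():
        recs.sort()
        lo = 0
        for hi, (t_hi, _) in enumerate(recs):
            while t_hi - recs[lo][0] > SCAN_WINDOW:   # slide window start forward
                lo += 1
            distinct_ports = {port for _, port in recs[lo:hi + 1]}
            if len(distinct_ports) >= SCAN_PORT_THRESHOLD:
                scans[src] = t_hi
                break
    return scans


def port_scan_then_attack(flow_events, ids_events):
    """Stage 2: raise an alarm for each IDS event whose source was seen
    scanning, provided the event falls inside FOLLOW_WINDOW after the scan."""
    scans = detect_port_scans(flow_events)
    alarms = []
    for ev in ids_events:
        scan_time = scans.get(ev["src"])
        if scan_time is None:
            continue
        delta = parse_ts(ev["ts"]) - scan_time
        if timedelta(0) <= delta <= FOLLOW_WINDOW:
            alarms.append({"src": ev["src"], "dst": ev["dst"],
                           "scan_observed": scan_time.isoformat(),
                           "attack": ev["signature"], "attack_ts": ev["ts"]})
    return alarms


# Constructed sample data. 10.0.0.5 sweeps eleven ports on 10.0.1.20 in ten
# seconds and then triggers an IDS signature five minutes later; 10.0.0.7 only
# touches two ports, so its IDS hit must not correlate; a second IDS event from
# 10.0.0.5 two hours later falls outside FOLLOW_WINDOW.
_base = datetime(2024, 1, 1, 9, 0, 0)
FLOWS = [
    {"ts": (_base + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%S"),
     "src": "10.0.0.5", "dst": "10.0.1.20", "dport": port}
    for i, port in enumerate([21, 22, 23, 25, 53, 80, 110, 143, 443, 445, 3389])
] + [
    {"ts": "2024-01-01T09:01:00", "src": "10.0.0.7", "dst": "10.0.1.20", "dport": 80},
    {"ts": "2024-01-01T09:01:05", "src": "10.0.0.7", "dst": "10.0.1.20", "dport": 443},
]
IDS_EVENTS = [
    {"ts": "2024-01-01T09:05:00", "src": "10.0.0.5", "dst": "10.0.1.20",
     "signature": "SMB exploit attempt (constructed)"},
    {"ts": "2024-01-01T09:06:00", "src": "10.0.0.7", "dst": "10.0.1.20",
     "signature": "Web scanner user-agent (constructed)"},
    {"ts": "2024-01-01T11:05:00", "src": "10.0.0.5", "dst": "10.0.1.21",
     "signature": "SMB exploit attempt (constructed)"},
]

if __name__ == "__main__":
    for alarm in port_scan_then_attack(FLOWS, IDS_EVENTS):
        print(alarm)
```

Two points carry over to any real implementation of these "X then Y" rules. The stage-1 condition needs the richer source from the "Recommended" column to be reliable: with firewall deny logs alone, a scan of ports the firewall permits is invisible, which is why Network Monitor or a next-generation firewall is recommended. And the ordering check (`timedelta(0) <= delta`) matters as much as the window: an IDS hit that precedes the scan is a different story (rule 82, "Recon after Attack") and should not fire rule 12.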