CIS-CSC – AI Engine Rules

| Rule ID | Rule Name | Minimum Data Requirement | Recommended Data Requirement |
|---|---|---|---|
| 12 | CSC: Port Scan then Attack | Firewall or Network Flow Data, IDS/Security Events | LogRhythm Network Monitor or Next Gen Firewall |
| 13 | CSC: Possible DDoS Detected | Firewall or Network Flow Data, IDS/Security Events, Host Logs | |
| 14 | CSC: Multiple Unique Attacks Observed | IDS/Security Events | |
| 18 | CSC: Attack then External Connection | IDS/Security Events, Firewall or Network Flow Data | LogRhythm Network Monitor or Next Gen Firewall |
| 34 | CSC: Password Modified on Multiple Accounts | Host Logs | Active Directory or LDAP |
| 36 | CSC: Audit Disabled by Admin | Host Logs | Active Directory or LDAP |
| 37 | CSC: Temporary Account Used | Host Logs | Active Directory or LDAP |
| 40 | CSC: Local Account Created and Used | Host Logs | Active Directory or LDAP |
| 76 | CSC: Disabled Account Auth Failures | Host Logs | Active Directory or LDAP |
| 81 | CSC: Config Change then Critical Error | Host Logs | |
| 82 | CSC: Recon after Attack | IDS/Security Events, Firewall or Network Flow Data | LogRhythm Network Monitor or Next Gen Firewall |
| 88 | CSC: Disabled Account Auth Success | Host Logs | Active Directory or LDAP |
| 95 | CSC: SQL Injection Detected | Web Server | Web Proxy or Next Gen Firewall |
| 97 | CSC: Cross-site Scripting (XSS) Detected | Web Server | Web Proxy or Next Gen Firewall |
| 99 | CSC: Directory Traversal URL | Web Server | Web Proxy or Next Gen Firewall |
| 158 | CSC: Accounts Deleted by Admin | Host Logs | Active Directory or LDAP |
| 159 | CSC: Accounts Disabled by Admin | Host Logs | Active Directory or LDAP |
| 160 | CSC: Users Added to Admin Group | Host Logs | Active Directory or LDAP |
| 161 | CSC: Users Removed from Admin Group | Host Logs | Active Directory or LDAP |
| 162 | CSC: Windows RunAs Privilege Escalation | Windows Event Logs | |
| 165 | CSC: Linux sudo Privilege Escalation | Linux Host Logs | |
| 250 | CSC: Password Modified by Another User | Host Logs | Active Directory or LDAP |
| 287 | CSC: Abnormal File Access | LogRhythm File Integrity Monitor | |
| 383 | CSC: New Network Host | LogRhythm Network Monitor | |
| 420 | CSC: Attack then Inbound Traffic | IDS/Security Events, Firewall or Network Flow Data | LogRhythm Network Monitor or Next Gen Firewall |
| 432 | CSC: DMZ Jumping | LogRhythm Network Monitor | |
| 436 | CSC: Port Misuse: 80 | LogRhythm Network Monitor | |
| 437 | CSC: Port Misuse: 53 | LogRhythm Network Monitor | |
| 439 | CSC: Allowed Traffic from Non-Whitelist Country | Firewall or Network Flow Data, GeoLocation Data | LogRhythm Network Monitor or Next Gen Firewall |
| 448 | CSC: Inbound SSH on Non-standard Port | LogRhythm Network Monitor | |
| 452 | CSC: New Application Detected | Firewall or Network Flow Data | LogRhythm Network Monitor or Next Gen Firewall |
| 453 | CSC: Excessive Inbound Firewall Denies | Firewall or Network Flow Data | LogRhythm Network Monitor or Next Gen Firewall |
| 457 | CSC: ICMP Flood Detected | LogRhythm Network Monitor | |
| 458 | CSC: TCP Flood Detected | LogRhythm Network Monitor | |
| 459 | CSC: UDP Flood Detected | LogRhythm Network Monitor | |
| 460 | CSC: Excessive Unknown Application | LogRhythm Network Monitor | |
| 464 | CSC: Allowed Traffic from Blacklist Country | Firewall or Network Flow Data | LogRhythm Network Monitor or Next Gen Firewall |
| 471 | CSC: Blocked Traffic then Allowed | Firewall or Network Flow Data | LogRhythm Network Monitor or Next Gen Firewall |
| 488 | CSC: Malware Event | IDS/Security or Antimalware Events | |
| 490 | CSC: Config Deleted/Disabled | Host or Network Device Events | |
| 492 | CSC: Config Modified | Host or Network Device Events | |
| 493 | CSC: Config Change After Attack | IDS/Security Events, Host or Network Device Events | |
| 494 | CSC: Vulnerability after Software Installed | Host Logs, Vulnerability Scanner Logs | |
| 495 | CSC: Repeat Vulnerability Detected | Vulnerability Scanner Logs | |
| 496 | CSC: Repeat Attacks Against a Host | IDS/Security Events | |
| 497 | CSC: Blacklisted User-Agent String | Web Server | Web Proxy or Next Gen Firewall |
| 498 | CSC: Backup Failure Detected | Backup System Events | |
| 499 | CSC: Blacklisted Egress Port Observed | Firewall or Network Flow Data | LogRhythm Network Monitor or Next Gen Firewall |
| 500 | CSC: Blacklisted Ingress Port Observed | Firewall or Network Flow Data | LogRhythm Network Monitor or Next Gen Firewall |
| 501 | CSC: Multiple Passwords Modified by Different User | Host Logs | Active Directory or LDAP |
| 502 | CSC: External DNS Observed | LogRhythm Network Monitor or Next Gen Firewall | |
| 506 | CSC: Multiple Failed Access Attempts | Object-Level Auditing Data | |
| 507 | CSC: Multiple Object Access Failures | Object-Level Auditing Data | |
| 508 | CSC: New Wireless Host | LogRhythm Network Monitor | |
| 509 | CSC: Malware Not Cleaned | IDS/Security or Antimalware Events | |
| 1112 | CSC: External Malicious User-Agent | Web Server | Web Proxy or Next Gen Firewall |
| 1113 | CSC: External Malicious URL Characters | Web Server | Web Proxy or Next Gen Firewall |