
CIS-CSC User Guide – AI Engine Rules

This section describes the AI Engine rules included in the suite, including any additional configuration notes.

CSC: Port Scan then Attack

AIE Rule ID: 12

Rule Description:

Port scan on multiple unique impacted ports is followed by an attack/malware/compromise/critical/DoS event within an hour on one of the impacted hosts. CIS Critical Security Control(s): CSC 9.5, CSC 12.7

CSC Control(s): CSC 9.5, CSC 12.7

Common Event: AIE: CSC: Port Scan then Attack

Classification: Security : Attack

Suppression Multiple: 12

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Low

False Positive Probability: 5

Log Sources (minimum):

Firewall or Network Flow Data, IDS/Security Events

Log Sources (recommended):

LogRhythm Network Monitor or Next Gen Firewall

List:

N/A

AIE Rule Additional Details:

Action: Investigate the impacted system for possible compromise. You may want to look specifically for processes listening on the ports scanned and determine whether those processes have recently crashed or become non-responsive, or whether new outbound processes have recently started.

Use Case: An attacker wants to prevent the timely release of a signature file/software release, so the attacker successfully launches a DDoS attack resulting in an application/host crashing, preventing the release from happening on time.

Optional Configuration: Create an Exclude Filter for Origin Host in Rule Block 1 where the Origin Host is the name of any vulnerability scanners.
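
As an added example (not LogRhythm's code), the following Python sketch reproduces the two-block logic of this rule over constructed events: a scan is one origin reaching a threshold of unique impacted ports on a host, and a hit is an attack-class event on that host within an hour, with authorised vulnerability scanners excluded as the Optional Configuration above suggests. The field names, the port threshold and the sample events are assumptions.

```python
"""Added example (not LogRhythm's code): a toy correlation that follows the
logic of AIE rule 12, "CSC: Port Scan then Attack", over constructed events.

Rule block 1: one origin host reaches PORT_THRESHOLD unique impacted ports on
an impacted host (a port scan).  Rule block 2: an attack/malware/compromise/
critical/DoS event hits one of those impacted hosts within WINDOW (one hour).
SCANNER_EXCLUDES plays the role of the Exclude Filter for Origin Host that the
rule's Optional Configuration recommends for vulnerability scanners.
Field names, the port threshold and the sample events are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

PORT_THRESHOLD = 5            # unique impacted ports that count as a scan (assumed)
WINDOW = timedelta(hours=1)   # rule text: attack "within an hour" of the scan
ATTACK_CLASSES = {"attack", "malware", "compromise", "critical", "denial of service"}
SCANNER_EXCLUDES = {"vscan01"}  # constructed: authorised vulnerability scanner names


def detect_port_scan_then_attack(events, scanner_excludes=SCANNER_EXCLUDES):
    """Return (origin, impacted, scan_time, attack_time) for each correlated hit."""
    # Rule block 1: collect unique impacted ports per (origin, impacted) pair and
    # remember when the pair first crossed the scan threshold.
    ports = defaultdict(set)
    scan_seen = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["class"] != "flow" or ev["origin"] in scanner_excludes:
            continue
        key = (ev["origin"], ev["impacted"])
        ports[key].add(ev["port"])
        if len(ports[key]) >= PORT_THRESHOLD and key not in scan_seen:
            scan_seen[key] = ev["time"]

    # Rule block 2: an attack-class event on a scanned host inside the window.
    hits = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["class"] not in ATTACK_CLASSES:
            continue
        for (origin, impacted), scan_time in scan_seen.items():
            if impacted == ev["impacted"] and scan_time <= ev["time"] <= scan_time + WINDOW:
                hits.append((origin, impacted, scan_time, ev["time"]))
    return hits


def _ev(seconds, cls, origin, impacted, port=None):
    """Build one constructed event `seconds` after a fixed base time."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    return {"time": base + timedelta(seconds=seconds), "class": cls,
            "origin": origin, "impacted": impacted, "port": port}


# Constructed sample: a real scan then an IDS attack event 30 minutes later,
# an authorised scanner that must be ignored, and an attack outside the window.
SAMPLE_EVENTS = (
    [_ev(i, "flow", "203.0.113.7", "10.0.0.5", p) for i, p in enumerate([21, 22, 23, 25, 80])]
    + [_ev(10 + i, "flow", "vscan01", "10.0.0.6", p) for i, p in enumerate([21, 22, 23, 25, 80])]
    + [_ev(30 * 60, "attack", "203.0.113.7", "10.0.0.5"),
       _ev(31 * 60, "attack", "198.51.100.4", "10.0.0.6"),
       _ev(90 * 60, "attack", "203.0.113.7", "10.0.0.5")]
)


def run_sample():
    """Correlate the constructed events; expect exactly one hit, on 10.0.0.5."""
    return detect_port_scan_then_attack(SAMPLE_EVENTS)


if __name__ == "__main__":
    for origin, impacted, scan_time, attack_time in run_sample():
        print(f"{origin} scanned {impacted} at {scan_time:%H:%M:%S}; "
              f"attack at {attack_time:%H:%M:%S}")
```

Dropping the scanner exclude list (an empty set) makes the authorised scanner's activity correlate too, which is exactly the false positive the Optional Configuration is meant to remove.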

CSC: Possible DDoS Detected

AIE Rule ID: 13

Rule Description:

Externally originating denial of service log messages with different Origin Hosts and same impacted host. CIS Critical Security Control(s): CSC 9.5, CSC 12.7

CSC Control(s): CSC 9.5, CSC 12.7

Common Event: AIE: CSC: Possible DDoS Detected

Classification: Security : Denial of Service

Suppression Multiple: 60

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Medium

False Positive Probability: 5

Log Sources (minimum):

Firewall or Network Flow Data, IDS/Security Events, Host Logs

Log Sources (recommended):

N/A

List:

N/A

AIE Rule Additional Details:

Action: Investigate the impacted system for possible compromise. You may want to look specifically for processes listening on ports and determine whether those processes have recently crashed or become non-responsive, or whether new outbound processes have recently started.

Use Case: An attacker wants to prevent the timely release of a signature file/software release, so the attacker successfully launches a DDoS attack resulting in an application/host crashing, preventing the release from happening on time.

Configuration: The number of Unique Values in rule block 1 should be set to a value just above your organization's average number of unique web visitors per minute. In addition, creating a new Primary Criteria filter where the Impacted Host is a list of publicly facing web servers will limit the rule to only evaluate traffic appropriate for the organization.

CSC: Multiple Unique Attacks Observed

AIE Rule ID: 14

Rule Description:

Multiple unique external attack events against the same host. CIS Critical Security Control(s): CSC 8.1, CSC 12.7

CSC Control(s): CSC 8.1, CSC 12.7

Common Event: AIE: CSC: Multiple Unique Attacks Observed

Classification: Security : Attack

Suppression Multiple: 6

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Low

False Positive Probability: 5

Log Sources (minimum):

IDS/Security Events

Log Sources (recommended):

N/A

List:

N/A

AIE Rule Additional Details:

Action: Investigate the impacted system for possible compromise. You may want to look specifically for processes listening on ports and determine whether those processes have recently crashed or become non-responsive, or whether new outbound processes have recently started.

Use Case: An attacker is using an automated tool to launch a variety of attacks against a host.

Optional Configuration: Create an Exclude Filter for Origin Host in Rule Block 1 where the Origin Host is the name of any vulnerability scanners.

CSC: Attack then External Connection

AIE Rule ID: 18

Rule Description:

An observed external attack or compromise followed by data leaving the system and going to the attacker. CIS Critical Security Control(s): CSC 12.6

CSC Control(s): CSC 12.6

Common Event: AIE: CSC: Attack then External Connection

Classification: Security : Compromise

Suppression Multiple: 1

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Low

False Positive Probability: 1

Log Sources (minimum):

IDS/Security Events, Firewall or Network Flow Data

Log Sources (recommended):

LogRhythm Network Monitor or Next Gen Firewall

List:

N/A

AIE Rule Additional Details:

Action: Investigate the impacted system for possible compromise. You may want to look specifically for processes listening on ports and determine whether those processes have recently crashed or become non-responsive, or whether new outbound processes have recently started.

Use Case: An attacker is looking for sensitive financial information. The attacker successfully compromises a host and is able to copy the information to the attacker's host.

CSC: Password Modified on Multiple Accounts

AIE Rule ID: 34

Rule Description:

A user has modified the password on 3 or more accounts in one hour. This can indicate a compromised account or malicious insider activity. CIS Critical Security Control(s): CSC 16.4

CSC Control(s): CSC 16.4

Common Event: AIE: CSC: Password Modified on Multiple Accounts

Classification: Security : Suspicious

Suppression Multiple: 1

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Medium

False Positive Probability: 1

Log Sources (minimum):

Host Logs

Log Sources (recommended):

Active Directory or LDAP

List:

N/A

AIE Rule Additional Details:

Action: Investigate the origin user who changed the multiple passwords and verify that there is a known change control, help desk ticket or other documented method according to your company’s policies and procedures. You may want to disable the origin and impacted user accounts until the investigation has concluded.

Use Case: Administrator changes passwords on multiple accounts to either use as future backdoors or to prevent users from logging in.

Configuration: A Primary Criteria Filter should be added to RB1 where Origin Login = list of privileged user ids.

CSC: Audit Disabled by Admin

AIE Rule ID: 36

Rule Description:

Login by an administrator followed by disabling of an audit process. CIS Critical Security Control(s): CSC 6.2

CSC Control(s): CSC 6.2

Common Event: AIE: CSC: Audit Disabled by Admin

Classification: Security : Compromise

Suppression Multiple: 3

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Medium

False Positive Probability: 1

Log Sources (minimum):

Host Logs

Log Sources (recommended):

Active Directory or LDAP

List:

N/A

AIE Rule Additional Details:

Action: Investigate the origin user who disabled auditing and verify that there is a known change control, help desk ticket or other documented method according to your company’s policies and procedures. You may want to disable the origin user account until the investigation has concluded.

Use Case: A disgruntled administrator plans on malicious activity and disables auditing beforehand to ensure the activity is not logged.

Configuration: An include filter where Origin Login = list of privileged user ids must be entered into RB1.

CSC: Temporary Account Used

AIE Rule ID: 37

Rule Description:

An account is created, logged into, and then deleted within 1 day. CIS Critical Security Control(s): CSC 4.8

CSC Control(s): CSC 4.8

Common Event: AIE: CSC: Temporary Account Used

Classification: Security : Compromise

Suppression Multiple: 2

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Medium

False Positive Probability: 1

Log Sources (minimum):

Host Logs

Log Sources (recommended):

Active Directory or LDAP

List:

N/A

AIE Rule Additional Details:

Action: Investigate the origin user who created the temporary account and verify that there is a known change control, help desk ticket or other documented method according to your company’s policies and procedures. You may want to disable the origin user account and temporary user account until the investigation has concluded.

Use Case: Administrator creates, uses, and deletes an account to possibly try and avoid discovery of an activity performed on the newly created account.

CSC: Local Account Created and Used

AIE Rule ID: 40

Rule Description:

An account is created on a host and then used shortly thereafter on the same host. CIS Critical Security Control(s): CSC 4.8

CSC Control(s): CSC 4.8

Common Event: AIE: CSC: Local Account Created and Used

Classification: Security : Compromise

Suppression Multiple: 2

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Medium

False Positive Probability: 1

Log Sources (minimum):

Host Logs

Log Sources (recommended):

Active Directory or LDAP

List:

N/A

AIE Rule Additional Details:

Action: Investigate the origin user who created the local account and verify that there is a known change control, help desk ticket or other documented method according to your company’s policies and procedures. You may want to disable the origin user account and local user account until the investigation has concluded.

Use Case: A disgruntled administrator creates a dummy account to use temporarily while performing malicious activities in an attempt to mask who is performing the activity.

CSC: Disabled Account Auth Failures

AIE Rule ID: 76

Rule Description:

Recently disabled or deleted account unsuccessfully tries to authenticate or access resources. CIS Critical Security Control(s): CSC 16.12

CSC Control(s): CSC 16.12

Common Event: AIE: CSC: Disabled Account Auth Failures

Classification: Security : Suspicious

Suppression Multiple: 1

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Medium

False Positive Probability: 6

Log Sources (minimum):

Host Logs

Log Sources (recommended):

Active Directory or LDAP

List:

N/A

AIE Rule Additional Details:

Action: The source activity will likely occur externally. Investigate whether the activity is relatively normal after an account is disabled, for example from the user’s mobile device that still has a corporate app installed (such as Microsoft Outlook Mobile) configured to access the corporate resource and is now failing. Follow your company’s policies and procedures to determine whether HR should be notified to contact the user and ask them to uninstall corporate apps from their device, or whether to add the user to an “ignore” list for a period of time. If the activity seems abnormal, you may want to add the user and/or source IP address to a watch list for additional activity monitoring to determine whether the user is actively trying to gain access to corporate resources.

Use Case: An employee is terminated or has left the organization. Shortly afterward, he/she attempts to access network resources and does not succeed.

Optional Configuration: If using Windows audit logging, make sure Audit Account Management is turned on for successes and Audit Account Logon Events is turned on for successes and failures in the local security policy.

CSC: Config Change then Critical Error

AIE Rule ID: 81

Rule Description:

Configuration change followed by a critical error on the same host indicating an erroneous configuration, malicious intent or otherwise. CIS Critical Security Control(s): CSC 5.1

CSC Control(s): CSC 5.1

Common Event: AIE: CSC: Config Change then Critical Error

Classification: Security : Compromise

Suppression Multiple: 6

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Low

False Positive Probability: 3

Log Sources (minimum):

Host Logs

Log Sources (recommended):

N/A

List:

N/A

AIE Rule Additional Details:

Action: Investigate the Origin User that performed the configuration change and determine if the change was part of an authorized action. If authorized, you may want to add an exception to this rule for a period of time. If unauthorized, follow your company’s policies and procedures in creating an incident.

Use Case: An inexperienced system administrator misconfigured a critical service causing a critical error on the system.

CSC: Recon after Attack

AIE Rule ID: 82

Rule Description:

A security related event followed by a port scan from the same source. CIS Critical Security Control(s): CSC 12.7

CSC Control(s): CSC 12.7

Common Event: AIE: CSC: Recon after Attack

Classification: Security : Attack

Suppression Multiple: 12

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Low

False Positive Probability: 5

Log Sources (minimum):

IDS/Security Events, Firewall or Network Flow Data

Log Sources (recommended):

LogRhythm Network Monitor or Next Gen Firewall

List:

N/A

AIE Rule Additional Details:

Action: Investigate the Host (Impacted) for services that have recently stopped, become non-responsive, or new processes with outbound connections. Determine if the processes affected might have been compromised and respond according to your company’s policies and procedures.

Use Case: A host has been compromised by a self-replicating worm/malware, and is now trying to identify other machines to infect on the network that are running a particular vulnerable service.

Optional Configuration: Add an Impacted Host exclude filter for Vulnerability scanners, E-mail servers, perimeter devices, proxies, and AV servers in Rule Block 1.

CSC: Disabled Account Auth Success

AIE Rule ID: 88

Rule Description:

Recently disabled or deleted account authenticates or accesses resources on the network. CIS Critical Security Control(s): CSC 16.12

CSC Control(s): CSC 16.12

Common Event: AIE: CSC: Disabled Account Auth Success

Classification: Security : Compromise

Suppression Multiple: 1

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Medium

False Positive Probability: 3

Log Sources (minimum):

Host Logs

Log Sources (recommended):

Active Directory or LDAP

List:

N/A

AIE Rule Additional Details:

Action: Investigate the User Origin and, based on why the account was disabled, determine whether the successful authentication was part of a legacy automated process or a suspicious interactive session. If suspicious, you may want to disable the user account on the system that they accessed. You may also want to block their external IP address. Continue following your company’s policies and procedures in responding to a compromised system.

Use Case: An employee is terminated or has left an organization. Shortly after he/she is seen accessing network resources.

Optional Configuration: If using Windows audit logging, make sure Audit Account Management is turned on for successes and Audit Account Logon Events is turned on for successes and failures in the local security policy.

CSC: SQL Injection Detected

AIE Rule ID: 95

Rule Description:

Common URL-encoded SQL Injection string in a URL. CIS Critical Security Control(s): CSC 18.10

CSC Control(s): CSC 18.10

Common Event: AIE: CSC: SQL Injection Detected

Classification: Security : Reconnaissance

Suppression Multiple: 3600

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: High

False Positive Probability: 2

Log Sources (minimum):

Web Server

Log Sources (recommended):

Web Proxy or Next Gen Firewall

List:

N/A

AIE Rule Additional Details:

Action: Investigate the Host Impacted to determine if a successful SQL Injection Attack has occurred and, if so, follow your company’s incident response procedures. You may also want to block the attacking IP address and/or network block in order to prevent similar attacks in the future.

Use Case: An attacker is attempting to launch a SQL Injection that is being detected by an IDS, WAF or other similar technology.

CSC: Cross-site Scripting (XSS) Detected

AIE Rule ID: 97

Rule Description:

Common URL-encoded <script> tags in a URL, indicating a reflected cross-site scripting attack. CIS Critical Security Control(s): CSC 18.10

CSC Control(s): CSC 18.10

Common Event: AIE: CSC: Cross-site Scripting (XSS) Detected

Classification: Security : Reconnaissance

Suppression Multiple: 3600

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: High

False Positive Probability: 2

Log Sources (minimum):

Web Server

Log Sources (recommended):

Web Proxy or Next Gen Firewall

List:

N/A

AIE Rule Additional Details:

Action: Investigate the Host Impacted to determine if a successful Cross-Site Scripting Attack has occurred and, if so, follow your company’s incident response procedures. You may also want to block the attacking IP address and/or network block in order to prevent similar attacks in the future.

Use Case: An attacker has found an XSS vulnerability in a web application. He crafts a URL that passes malicious JavaScript as an HTTP parameter and distributes this URL to a specific audience. One of the recipients clicks the URL, and because of the XSS vulnerability, the injected script is presented back to the client by the vulnerable web application and run client-side.

CSC: Directory Traversal URL

AIE Rule ID: 99

Rule Description:

Use of special characters related to directory traversal observed in a URL. CIS Critical Security Control(s): CSC 18.10, CSC 8.1

CSC Control(s): CSC 18.10, CSC 8.1

Common Event: AIE: CSC: Directory Traversal URL

Classification: Security : Reconnaissance

Suppression Multiple: 3600

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: High

False Positive Probability: 2

Log Sources (minimum):

Web Server

Log Sources (recommended):

Web Proxy or Next Gen Firewall

List:

N/A

AIE Rule Additional Details:

Action: Investigate the Host Impacted to determine if a successful Directory Traversal Attack has occurred and, if so, follow your company’s incident response procedures. You may also want to block the attacking IP address and/or network block in order to prevent similar attacks in the future.

Use Case: An attacker is attempting to access directories on a web server via his browser using the dot-dot-slash (../) technique of directory traversal.
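
The three URL-pattern rules above (95, 97 and 99) all key on strings that only become visible once the request URI is URL-decoded. As an added example, not LogRhythm's code, here is a small Python detector that decodes the request URI from constructed web server log lines (Apache combined format, an assumption) and tags each hit with the matching rule name; the patterns, the decoding depth and the sample lines are assumptions, not the rules' actual criteria.

```python
"""Added example (not LogRhythm's code): a small detector that reproduces the
idea behind AIE rules 95, 97 and 99 (URL-encoded SQL injection strings,
<script> tags and directory traversal characters in a URL) over constructed
web server log lines.  The log format (Apache combined), the patterns and the
bounded double-decoding are assumptions for this example.
"""
import re
from urllib.parse import unquote

# Apache/NGINX combined log: client, idents, [timestamp], "METHOD URI PROTO", status ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})'
)

# Patterns are applied to the *decoded* URI.  Each key is the rule it stands in for.
PATTERNS = {
    "sql_injection": re.compile(
        r"(?i)(?:'\s*(?:or|and)\s+[\w']+\s*=|union\s+(?:all\s+)?select|;\s*--|'\s*--)"
    ),
    "xss": re.compile(r"(?i)<\s*script\b|javascript\s*:"),
    "directory_traversal": re.compile(r"(?:\.\./|\.\.\\|/\.\.(?:$|[/?]))"),
}


def normalise_uri(uri, max_rounds=2):
    """URL-decode until stable, at most max_rounds times, so that both
    %2e%2e%2f and the double-encoded %252e%252e%252f end up as ../"""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def classify_uri(uri):
    """Return the set of rule names whose pattern appears in the decoded URI."""
    decoded = normalise_uri(uri)
    return {name for name, rx in PATTERNS.items() if rx.search(decoded)}


def scan_log(lines):
    """Return (client, status, [rule names]) for each log line that matches a rule."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hits = classify_uri(m.group("uri"))
        if hits:
            findings.append((m.group("client"), int(m.group("status")), sorted(hits)))
    return findings


# Constructed sample lines: one SQLi probe, one reflected-XSS probe, one
# double-encoded traversal, and two benign requests (the last one contains the
# words "select" and "unionized", which must not trigger the SQLi pattern).
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Oct/2023:13:55:36 +0000] "GET /products?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2023:13:55:40 +0000] "GET /search?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 734 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "GET /static/%252e%252e%252f%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 196 "-" "curl/8.0"',
    '192.0.2.44 - - [10/Oct/2023:13:56:10 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Oct/2023:13:56:15 +0000] "GET /search?q=select+a+unionized+shirt HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for client, status, hits in scan_log(SAMPLE_LOG):
        print(f"{client} status={status} rules={','.join(hits)}")
```

Because the patterns run against the decoded URI, a request that is encoded twice still surfaces, whereas a raw-string match on the log line alone would miss it.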

CSC: Accounts Deleted by Admin

AIE Rule ID: 158

Rule Description:

An observed login by a user in the privileged user list followed by the deletion of more than one account. CIS Critical Security Control(s): CSC 16.7, CSC 5.5

CSC Control(s): CSC 16.7, CSC 5.5

Common Event: AIE: CSC: Accounts Deleted by Admin

Classification: Security : Suspicious

Suppression Multiple: 1

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Low

False Positive Probability: 3

Log Sources (minimum):

Host Logs

Log Sources (recommended):

Active Directory or LDAP

List:

Privileged Users

AIE Rule Additional Details:

Action: Investigate the User Origin and determine if the changes were authorized and tracked via your company’s change control process. If unauthorized, disable the account used to delete the accounts with and perform a compromise incident response procedure.

Use Case: A disgruntled administrator wants to disrupt company workflow by deleting multiple critical user accounts.

Optional Configuration: The unique value threshold may need to be increased in Rule Block 2 for larger environments where batch account lock-out/disabling occurs. (Default is 2 occurrences within 1 hour)

CSC: Accounts Disabled by Admin

AIE Rule ID: 159

Rule Description:

An observed login by a user in the privileged user list followed by the disabling of more than one account. CIS Critical Security Control(s): CSC 16.7, CSC 5.5

CSC Control(s): CSC 16.7, CSC 5.5

Common Event: AIE: CSC: Accounts Disabled by Admin

Classification: Security : Suspicious

Suppression Multiple: 1

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Low

False Positive Probability: 3

Log Sources (minimum):

Host Logs

Log Sources (recommended):

Active Directory or LDAP

List:

Privileged Users

AIE Rule Additional Details:

Action: Investigate the User Origin and determine if the changes were authorized and tracked via your company’s change control process. If unauthorized, disable the account used to disable the accounts with and perform a compromise incident response procedure.

Use Case: Administrator attempts to prevent users from logging in by disabling multiple accounts.

Configuration: A Primary Criteria Filter should be added to RB1 where Origin Login = list of privileged user ids.

Optional Configuration: The unique value threshold may need to be increased in Rule Block 2 for larger environments where batch account lock-out/disabling occurs. (Default is 2 occurrences within 1 hour)

CSC: Users Added to Admin Group

AIE Rule ID: 160

Rule Description:

Addition of 3 or more users to a group listed in the LogRhythm list "Privileged Groups". CIS Critical Security Control(s): CSC 4.8, CSC 5.5

CSC Control(s): CSC 4.8, CSC 5.5

Common Event: AIE: CSC: Users Added to Admin Group

Classification: Security : Suspicious

Suppression Multiple: 20

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Low

False Positive Probability: 1

Log Sources (minimum):

Host Logs

Log Sources (recommended):

Active Directory or LDAP

List:

Privileged Groups

AIE Rule Additional Details:

Action: Investigate the User Origin and determine if the changes were authorized and tracked via your company’s change control process. If unauthorized, disable the account used to create the accounts, and disable the accounts created. Perform a compromise incident response procedure.

Use Case: An attacker has compromised a domain controller and has created several new accounts to help maintain access, adding them to the Domain Admins group.

CSC: Users Removed from Admin Group

AIE Rule ID: 161

Rule Description:

Removal of 3 or more users from a group listed in the LogRhythm list "Privileged Groups". CIS Critical Security Control(s): CSC 4.8, CSC 5.5

CSC Control(s): CSC 4.8, CSC 5.5

Common Event: AIE: CSC: Users Removed from Admin Group

Classification: Security : Suspicious

Suppression Multiple: 20

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Low

False Positive Probability: 1

Log Sources (minimum):

Host Logs

Log Sources (recommended):

Active Directory or LDAP

List:

Privileged Groups

AIE Rule Additional Details:

Action: Investigate the User Origin and determine if the changes were authorized and tracked via your company’s change control process. If unauthorized, disable the account used to remove the accounts. Perform a compromise incident response procedure.

Use Case: A rogue administrator wants to block access to the domain to all other administrators in order to perform malicious activity without anyone being able to respond.

CSC: Windows RunAs Privilege Escalation

AIE Rule ID: 162

Rule Description:

User not in the LogRhythm List "Privileged Users" chooses to Run a Windows program as an administrator using the "Run as administrator" option. CIS Critical Security Control(s): CSC 4.3, CSC 5.5

CSC Control(s): CSC 4.3, CSC 5.5

Common Event: AIE: CSC: Windows RunAs Privilege Escalation

Classification: Security : Suspicious

Suppression Multiple: 30

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Medium

False Positive Probability: 5

Log Sources (minimum):

Windows Event Logs

Log Sources (recommended):

N/A

List:

Privileged Users

AIE Rule Additional Details:

Action: Investigate the User Origin that issued the RunAs and verify that the action is an approved process. If approved, you may want to add the user, process and or host to an exception list so as not to be alarmed on an approved process. If unapproved, follow your incident response playbook involving a compromise.

Use Case: You've hardened all the security settings on your internal chat server (e.g., Microsoft Lync) and someone is trying to install MITM spyware to capture chats. The malicious user needs to run the spyware as administrator to access various registry settings needed to complete the attack.

CSC: Linux sudo Privilege Escalation

AIE Rule ID: 165

Rule Description:

User not in the LogRhythm list "Privileged Users" and not in the local 'sudoers' file tries to use sudo on a Linux host. CIS Critical Security Control(s): CSC 4.3, CSC 5.5

CSC Control(s): CSC 4.3, CSC 5.5

Common Event: AIE: CSC: Linux sudo Privilege Escalation

Classification: Security : Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Medium

False Positive Probability: 5

Log Sources (minimum):

Linux Host Logs

Log Sources (recommended):

N/A

List:

Privileged Users

AIE Rule Additional Details:

Action: Investigate the User Origin that issued the sudo command and verify that the action is an approved process. If approved, you may want to add the user, process and or host to an exception list so as not to be alarmed on an approved process. If unapproved, follow your incident response playbook involving a compromise.

Use Case: An attacker is testing their access by trying to run malicious code on a Linux box without super user privileges.

Required Configuration: "Privileged Users" list must be populated.

CSC: Password Modified by Another User

AIE Rule ID: 250

Rule Description:

User changes the password of another account (not their own). CIS Critical Security Control(s): CSC 16.4

CSC Control(s): CSC 16.4

Common Event: AIE: CSC: Password Modified by Another User

Classification: Security : Suspicious

Suppression Multiple: 60

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Low

False Positive Probability: 6

Log Sources (minimum):

Host Logs

Log Sources (recommended):

Active Directory or LDAP

List:

N/A

AIE Rule Additional Details:

Action: Investigate the User Origin that issued the password change and verify that the action is an approved process. If unapproved, follow your incident response playbook involving a compromise.

Use Case: An attacker has successfully compromised a host and needs to assume the identity of another user who has access that the attacker does not have. The attacker changes the password of that user account to something they know in order to further their objectives.

Optional Configuration: If you would like to exclude system accounts from this alarm, add an exclude filter for an Origin Login or Account which matches this regular expression: \$$ (that is, account names ending in a dollar sign).

CSC: Abnormal File Access

AIE Rule ID: 287

Rule Description:

First tracks which files each user generally accesses over a learning period. Afterward, triggers if a user begins accessing different files. CIS Critical Security Control(s): CSC 14.9

CSC Control(s): CSC 14.9

Common Event: AIE: CSC: Abnormal File Access

Classification: Security : Suspicious

Suppression Multiple: 1

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: High

False Positive Probability: 7

Log Sources (minimum):

LogRhythm File Integrity Monitor

Log Sources (recommended):

N/A

List:

N/A

AIE Rule Additional Details:

Action: Investigate the User Origin that is accessing the files and determine if they are authorized to do so. If authorized, you may want to add them to an exclusion list to avoid future alarms. If unauthorized, follow your company’s normal incident response procedures for a compromise.

Use Case: A user's credentials are compromised. The attacker is using that account to enumerate a shared drive's files.

Required Configuration: LogRhythm file integrity monitoring is enabled.

CSC: New Network Host

AIE Rule ID: 383

Rule Description:

A new host is seen communicating in the environment for the first time. CIS Critical Security Control(s): CSC 1.3

CSC Control(s): CSC 1.3

Common Event: AIE: CSC: New Network Host

Classification: Security : Reconnaissance

Suppression Multiple: 2

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: High

False Positive Probability: 5

Log Sources (minimum):

LogRhythm Network Monitor

Log Sources (recommended):

N/A

List:

N/A

AIE Rule Additional Details:

Action: Investigate the new host detected and determine if the system was added outside of your company’s change control process, or that it is a rogue system that could be used by an attacker. Follow your company’s policies and procedures in responding to a network intrusion event. You may want to deny the MAC of the rogue system on switches until you have completed your investigation.

Use Case: An attacker has cracked a company's internal wireless WPA2 key and has set up a rogue host to listen in promiscuous mode to all wireless traffic in the hopes of obtaining sensitive information. Another use case could be where a system was added to the network without following approved change control procedures.

Required Configuration:

1) Collect from the LogRhythm Network Monitor.

2) Define all internal network ranges. Then create an include filter in both the baseline and live period where Network (Origin) is <defined network ranges>.

3) In the Data Processor advanced properties, turn on DNSIPToName resolution.

Optional Configuration: When turning on this rule for the first time, turn on suppression for 2 or 3 days. Then, after 2 or 3 days turn the suppression off again. This will allow data to build up in the baseline and alerts will become more accurate.

CSC: Attack then Inbound Traffic

AIE Rule ID: 420

Rule Description:

Attacks from an external source followed by traffic to or from that source. CIS Critical Security Control(s): CSC 12.6

CSC Control(s): CSC 12.6

Common Event: AIE: CSC: Attack then Inbound Traffic

Classification: Security : Attack

Suppression Multiple: 12

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Low

False Positive Probability: 6

Log Sources (minimum):

IDS/Security Events, Firewall or Network Flow Data

Log Sources (recommended):

LogRhythm Network Monitor or Next Gen Firewall

List:

N/A

AIE Rule Additional Details:

Action: Investigate the Host (Impacted) and determine whether the host has been compromised by looking for services that have recently stopped, become non-responsive, or are newly listening on ports. If the attacked device is a Firewall, you may want to determine whether the device has been compromised or a vulnerability in the way the Firewall handles traffic has been successfully exploited. Follow your company’s normal incident response procedures if the host and/or device has been compromised.

Use Case: An attacker successfully exploits a Cisco PIX firewall to modify the ACL to allow a connection from their host.

CSC: DMZ Jumping

AIE Rule ID: 432

Rule Description:

Internal communication is seen that originated externally without passing through the DMZ. CIS Critical Security Control(s): CSC 12.8

CSC Control(s): CSC 12.8

Common Event: AIE: CSC: DMZ Jumping

Classification: Security : Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Medium

False Positive Probability: 8

Log Sources (minimum):

LogRhythm Network Monitor

Log Sources (recommended):

N/A

List:

N/A

AIE Rule Additional Details:

Action: Investigate the Host (Impacted) and determine whether the host has been compromised by looking for services that have recently stopped, become non-responsive, or are newly listening on ports. If the attacked device is a Firewall, you may want to determine whether the device has been compromised or a vulnerability in the way the Firewall handles traffic has been successfully exploited. Follow your company’s normal incident response procedures if the host and/or device has been compromised.

Use Case: A host on the internet has gained access to a system inside the network and traffic is passing directly between the two.

Required: DMZ network ranges are defined in the Entities tab.

CSC: Port Misuse: 80

AIE Rule ID: 436

Rule Description:

Traffic not using HTTP over the common HTTP port (80). CIS Critical Security Control(s): CSC 12.5

CSC Control(s): CSC 12.5

Common Event: AIE: CSC: Port Misuse: 80

Classification: Security : Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Medium

False Positive Probability: 3

Log Sources (minimum):

LogRhythm Network Monitor

Log Sources (recommended):

N/A

List:

Network: Search : HTTP

AIE Rule Additional Details:

Action: Investigate the network traffic and determine if nonstandard application traffic is being used. You may want to block the source and/or destination addresses involved until the investigation is concluded.

Use Case: Detection of local hosts tunneling traffic over port 80. This would typically be a violation of network policy and a security risk.

CSC: Port Misuse: 53

AIE Rule ID: 437

Rule Description:

Traffic not using DNS over the common DNS port (53). CIS Critical Security Control(s): CSC 12.5

CSC Control(s): CSC 12.5

Common Event: AIE: CSC: Port Misuse: 53

Classification: Security : Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Medium

False Positive Probability: 3

Log Sources (minimum):

LogRhythm Network Monitor

Log Sources (recommended):

N/A

List:

N/A

AIE Rule Additional Details:

Action: Investigate the network traffic and determine if nonstandard application traffic is being used. You may want to block the source and/or destination addresses involved until the investigation is concluded.

Use Case: Detection of local hosts tunneling traffic over port 53. This would typically be a violation of network policy and a security risk.

CSC: Allowed Traffic from Non-Whitelist Country

AIE Rule ID: 439

Rule Description:

Inbound connection from a suspicious country, defined as any country absent from the "Network: Whitelisted Countries" list. CIS Critical Security Control(s): CSC 12.3

CSC Control(s): CSC 12.3

Common Event: AIE: CSC: Inbound Traffic fm NonWhitelist Country

Classification: Security : Reconnaissance

Suppression Multiple: 3600

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Low

False Positive Probability: 2

Log Sources (minimum):

Firewall or Network Flow Data, GeoLocation Data

Log Sources (recommended):

LogRhythm Network Monitor or Next Gen Firewall

List:

Network: Whitelisted Countries

AIE Rule Additional Details:

Action: Investigate the Host (Origin) to determine if the activity and/or the host is known. Also, investigate the Host (Impacted) to determine if the system and/or data is being accessed by the Host (Origin) in an unauthorized manner. If the activity is found to be known, you may want to add the country identified in the alert to the Whitelisted Countries list. If the activity is suspicious or known malicious, you may want to follow your company’s policies and procedures in responding to a compromise.

Use Case: An attacker in a suspicious location has compromised an internal host and is now communicating with that host.

CSC: Inbound SSH on Non-standard Port

AIE Rule ID: 448

Rule Description:

Detects inbound SSH traffic connecting over a non-standard port (not 22). CIS Critical Security Control(s): CSC 12.5

CSC Control(s): CSC 12.5

Common Event: AIE: CSC: Inbound SSH on Non-standard Port

Classification: Security : Attack

Suppression Multiple: 3600

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Medium

False Positive Probability: 5

Log Sources (minimum):

LogRhythm Network Monitor

Log Sources (recommended):

N/A

List:

N/A

AIE Rule Additional Details:

Action: Investigate the Host (Origin) to determine if the activity and/or the host is known. Also, investigate the Host (Impacted) to determine if the system and/or data is being accessed by the Host (Origin) in an unauthorized manner. If the activity is found to be known, you may want to add an exception to this rule. If the activity is suspicious or known malicious, you may want to follow your company’s policies and procedures in responding to a compromise.

Use Case: Valuable in detecting compromised hosts and network/policy abuse.

CSC: New Application Detected

AIE Rule ID: 452

Rule Description:

New application that hasn't been seen in the environment within the past 10 days. CIS Critical Security Control(s): CSC 2.3, CSC 12.5

CSC Control(s): CSC 2.3, CSC 12.5

Common Event: AIE: CSC: New Application Detected

Classification: Security : Suspicious

Suppression Multiple: 2

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: High

False Positive Probability: 5

Log Sources (minimum):

Firewall or Network Flow Data

Log Sources (recommended):

LogRhythm Network Monitor or Next Gen Firewall

List:

N/A

AIE Rule Additional Details:

Action: Investigate the Host (Impacted) and determine whether the detected application is known and part of a change control or ticket. If known, you may want to add it to an authorized application list. If unknown, you may want to follow your company’s policies and procedures for responding to a host compromise.

Use Case: A user is seen installing Steam to play games during work hours. Another use case is that an attacker has installed an application that wasn’t present previously in order to further their attack.

CSC: Excessive Inbound Firewall Denies

AIE Rule ID: 453

Rule Description:

This rule looks for an excessive number (400) of network denied events from a single host within 5 minutes. CIS Critical Security Control(s): CSC 6.2, CSC 12.3

CSC Control(s): CSC 6.2, CSC 12.3

Common Event: AIE: CSC: Excessive Inbound Firewall Denies

Classification: Security : Reconnaissance

Suppression Multiple: 12

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Low

False Positive Probability: 5

Log Sources (minimum):

Firewall or Network Flow Data

Log Sources (recommended):

LogRhythm Network Monitor or Next Gen Firewall

List:

N/A

AIE Rule Additional Details:

Action: Investigate for recent configuration changes that would account for the increase in firewall denies. Investigate the Host (Origin) to determine if it is a known host. For known hosts, perform a compromise incident response procedure.

Use Case: An external compromised host is attempting communication via a blocked protocol.

CSC: ICMP Flood Detected

AIE Rule ID: 457

Rule Description:

Single external host sending a single flow with over 60,000 ICMP packets to an internal host. CIS Critical Security Control(s): CSC 12.6

CSC Control(s): CSC 12.6

Common Event: AIE: CSC: ICMP Flood Detected

Classification: Security : Denial of Service

Suppression Multiple: 12

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Medium

False Positive Probability: 6

Log Sources (minimum):

LogRhythm Network Monitor

Log Sources (recommended):

N/A

List:

N/A

AIE Rule Additional Details:

Action: Investigate the Host (Origin) involved in the flood and, if it is an asset under company control, perform your company’s compromise incident response procedures. If the source is external, you may want to block the protocol on your firewall and/or block the Host (Origin) or subnet involved.

Use Case: An external host is trying to ICMP flood a local, internal machine.

CSC: TCP Flood Detected

AIE Rule ID: 458

Rule Description:

Single external host sending a single flow with over 100,000 TCP packets to an internal host. CIS Critical Security Control(s): CSC 12.6

CSC Control(s): CSC 12.6

Common Event: AIE: CSC: TCP Flood Detected

Classification: Security : Denial of Service

Suppression Multiple: 12

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Medium

False Positive Probability: 6

Log Sources (minimum):

LogRhythm Network Monitor

Log Sources (recommended):

N/A

List:

N/A

AIE Rule Additional Details:

Action: Investigate the Host (Origin) involved in the flood and, if it is an asset under company control, perform your company’s compromise incident response procedures. If the source is external, you may want to block the protocol on your firewall and/or block the Host (Origin) or subnet involved.

Use Case: A compromised home computer on the internet is being used to launch a flood attack against a host on your corporate network to take it offline.

CSC: UDP Flood Detected

AIE Rule ID: 459

Rule Description:

Single external host sending a single flow with over 100,000 UDP packets to an internal host. CIS Critical Security Control(s): CSC 12.6

CSC Control(s): CSC 12.6

Common Event: AIE: CSC: UDP Flood Detected

Classification: Security : Denial of Service

Suppression Multiple: 12

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Medium

False Positive Probability: 6

Log Sources (minimum):

LogRhythm Network Monitor

Log Sources (recommended):

N/A

List:

N/A

AIE Rule Additional Details:

Action: Investigate the Host (Origin) involved in the flood and, if it is an asset under company control, perform your company’s compromise incident response procedures. If the source is external, you may want to block the protocol on your firewall and/or block the Host (Origin) or subnet involved.

Use Case: An external host is trying to UDP flood a local, internal machine.

CSC: Excessive Unknown Application

AIE Rule ID: 460

Rule Description:

Single external host sending a single flow with over 60,000 packets to an internal host using an Unknown protocol. CIS Critical Security Control(s): CSC 12.6

CSC Control(s): CSC 12.6

Common Event: AIE: CSC: Excessive Unknown Application

Classification: Security : Denial of Service

Suppression Multiple: 12

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Medium

False Positive Probability: 6

Log Sources (minimum):

LogRhythm Network Monitor

Log Sources (recommended):

N/A

List:

N/A

AIE Rule Additional Details:

Action: Investigate the Host (Origin) involved in the flood and, if it is an asset under company control, perform your company’s compromise incident response procedures. If the source is external, you may want to block the protocol on your firewall and/or block the Host (Origin) or subnet involved.

Use Case: An external host is trying to flood a local, internal machine.

CSC: Allowed Traffic from Blacklist Country

AIE Rule ID: 464

Rule Description:

Inbound connection from a suspicious country specified in the list "Network: Blacklisted Countries". CIS Critical Security Control(s): CSC 12.3

CSC Control(s): CSC 12.3

Common Event: AIE: CSC: Allowed Traffic from Blacklist Country

Classification: Security : Reconnaissance

Suppression Multiple: 3600

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Low

False Positive Probability: 1

Log Sources (minimum):

Firewall or Network Flow Data

Log Sources (recommended):

LogRhythm Network Monitor or Next Gen Firewall

List:

Network: Blacklisted Countries

AIE Rule Additional Details:

Action: Investigate Host (Origin) involved and determine if this is known traffic. If unknown, block the communication at the firewall by either adding the Host (Origin) IP or the subnet to the firewall deny policy.

Use Case: An attacker in a blacklisted country has compromised an internal host and is now communicating with that host.

CSC: Blocked Traffic then Allowed

AIE Rule ID: 471

Rule Description:

400 or more instances of denied network traffic from an external source, followed by a network allow event. CIS Critical Security Control(s): CSC 12.6

CSC Control(s): CSC 12.6

Common Event: AIE: CSC: Blocked Traffic then Allowed

Classification: Security : Reconnaissance

Suppression Multiple: 30

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Low

False Positive Probability: 3

Log Sources (minimum):

Firewall or Network Flow Data

Log Sources (recommended):

LogRhythm Network Monitor or Next Gen Firewall

List:

N/A

AIE Rule Additional Details:

Action: Investigate the firewall for recent configuration changes. If unauthorized, perform your company’s compromise incident response procedures. Also, investigate the Host (Origin) to determine if it is known and whether it should be blocked at the firewall, and/or perform compromise incident response procedures on the host. You will likely also want to investigate the Host (Impacted) for signs of compromise.

Use Case: An attacker is using the “Cisco Auditing Tool” that ships with BackTrack to try to exploit known vulnerabilities in older versions of Cisco IOS. Eventually we see some allowed activity where the attacker successfully exploited Cisco IOS and gained access to a web management portal.
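As an added example, not part of the LogRhythm guide, the Python sketch below implements the deny-count logic of CSC: Excessive Inbound Firewall Denies (400 denies from one host within 5 minutes) and the deny-then-allow sequence of CSC: Blocked Traffic then Allowed over constructed firewall events. The line format, the internal address ranges, and the reuse of the 5-minute window for rule 471 (the guide states no window for it) are assumptions.

```python
"""Added example (not part of the LogRhythm guide): a minimal correlator for two
of the firewall-deny rules described above, run over constructed log lines.

- CSC: Excessive Inbound Firewall Denies (453): 400 or more deny events from
  one origin host within 5 minutes.
- CSC: Blocked Traffic then Allowed (471): 400 or more denies from an external
  origin followed by an allow event from that origin.

Assumptions: the 'ts origin impacted port action' line format, the internal
address ranges, and reuse of the 5-minute window for rule 471 (the guide
states no window for it).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

DENY_THRESHOLD = 400                 # count stated in both rule descriptions
DENY_WINDOW = timedelta(minutes=5)   # window stated for rule 453

# Assumed internal ranges; anything outside them is "external" for rule 471.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def is_external(ip: str) -> bool:
    """True when the address is outside every assumed internal range."""
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str) -> dict:
    """Parse one constructed 'ts origin impacted port action' event line."""
    ts, origin, impacted, port, action = line.split()
    return {"ts": datetime.fromisoformat(ts), "origin": origin,
            "impacted": impacted, "port": int(port), "action": action}


class FirewallCorrelator:
    """Per-origin sliding-window deny counter plus a deny-then-allow sequence."""

    def __init__(self):
        self.denies = defaultdict(deque)  # origin -> timestamps of recent denies
        self.burst_fired = set()          # origins already alerted under rule 453
        self.alerts = []                  # (rule name, origin, timestamp)

    def feed(self, event: dict) -> list:
        """Process one event; return the alerts it raised (possibly none)."""
        raised = []
        origin, ts = event["origin"], event["ts"]
        window = self.denies[origin]
        if event["action"] == "deny":
            window.append(ts)
            # Rule 453: drop denies older than 5 minutes, then test the count.
            while window and ts - window[0] > DENY_WINDOW:
                window.popleft()
            if len(window) >= DENY_THRESHOLD and origin not in self.burst_fired:
                self.burst_fired.add(origin)
                raised.append(("Excessive Inbound Firewall Denies", origin, ts))
        elif event["action"] == "allow":
            # Rule 471: an allow after 400+ denies from an external origin.
            if is_external(origin) and len(window) >= DENY_THRESHOLD:
                raised.append(("Blocked Traffic then Allowed", origin, ts))
                window.clear()  # one alert per deny burst
        self.alerts.extend(raised)
        return raised


def run_rules(lines) -> list:
    """Feed every line through the correlator and return all alerts raised."""
    corr = FirewallCorrelator()
    for line in lines:
        corr.feed(parse_line(line))
    return corr.alerts


def build_sample_log() -> list:
    """Constructed sample events (not real firewall logs)."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)

    def stamp(secs):
        return (t0 + timedelta(seconds=secs)).isoformat()

    lines = []
    # External scanner: 400 denies in 200 s, then one allow -> both rules fire.
    for i in range(400):
        lines.append(f"{stamp(i / 2)} 203.0.113.5 10.1.1.20 {1000 + i} deny")
    lines.append(f"{stamp(205)} 203.0.113.5 10.1.1.20 443 allow")
    # External host with only 50 denies -> below threshold, no alert.
    for i in range(50):
        lines.append(f"{stamp(i)} 198.51.100.7 10.1.1.21 22 deny")
    # Internal host: 400 denies spread over 40 minutes -> never 400 in 5 min.
    for i in range(400):
        lines.append(f"{stamp(6 * i)} 10.9.9.9 10.1.1.22 445 deny")
    return lines


if __name__ == "__main__":
    for rule, origin, ts in run_rules(build_sample_log()):
        print(f"{ts.isoformat()} {rule}: origin {origin}")
```

The sample run raises exactly two alerts, both for 203.0.113.5; the 50-deny host and the slow internal host stay below the threshold, which is the behaviour the Suppression Multiple and 5-minute window are meant to enforce.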

CSC: Malware Event

AIE Rule ID: 488

Rule Description:

Any event with a malware classification.  CIS Critical Security Control(s): CSC 8.1

CSC Control(s): CSC 8.1

Common Event: AIE: CSC: Malware Event

Classification: Security : Malware

Suppression Multiple: 3600

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Low

False Positive Probability: 1

Log Sources (minimum):

IDS/Security or Antimalware Events

Log Sources (recommended):

N/A

List:

N/A

AIE Rule Additional Details:

Action: Investigate the system reporting the malware event and determine if it is a false positive. If the malware event appears to be real, isolate the system from the network and perform your company’s incident response procedure for malware.

Use Case: A user has browsed to a website hosting a drive-by attack and their corporate laptop is now infected, sending out phishing emails.

Optional Configuration: This rule can be useful without alarming in order to populate dashboards and reports. For more targeted real-time alarming it may be useful to add an include filter with a list of target hosts in the Impacted Host field.

CSC: Config Deleted/Disabled

AIE Rule ID: 490

Rule Description:

Configuration deleted within the organization’s infrastructure. CIS Critical Security Control(s): CSC 5.5, CSC 11.3

CSC Control(s): CSC 5.5, CSC 11.3

Common Event: AIE: CSC: Config Deleted/Disabled

Classification: Security : Compromise

Suppression Multiple: 3600

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Low

False Positive Probability: 3

Log Sources (minimum):

Host or Network Device Events

Log Sources (recommended):

N/A

List:

N/A

AIE Rule Additional Details:

Action: Investigate the system reporting the configuration change and determine if the change was authorized. If unauthorized, perform your company’s compromise incident response procedures.

Use Case: Configuration settings have been deleted from a campus router. This rule can be used to quickly detect such activity.

CSC: Config Modified

AIE Rule ID: 492

Rule Description:

Configuration modified within the organization’s infrastructure. CIS Critical Security Control(s): CSC 5.5, CSC 11.3

CSC Control(s): CSC 5.5, CSC 11.3

Common Event: AIE: CSC: Config Modified

Classification: Security : Compromise

Suppression Multiple: 3600

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Low

False Positive Probability: 3

Log Sources (minimum):

Host or Network Device Events

Log Sources (recommended):

N/A

List:

N/A

AIE Rule Additional Details:

Action: Investigate the system reporting the configuration change and determine if the change was authorized. If unauthorized, perform your company’s compromise incident response procedures.

Use Case: A firewall configuration has been modified to allow an attacker access to the network.

CSC: Config Change After Attack

AIE Rule ID: 493

Rule Description:

Attack event on a host followed by a configuration change made to that host within 3 minutes.  CIS Critical Security Control(s): CSC 11.3, CSC 5.1

CSC Control(s): CSC 11.3, CSC 5.1

Common Event: AIE: CSC: Config Change After Attack

Classification: Security : Compromise

Suppression Multiple: 20

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Low

False Positive Probability: 3

Log Sources (minimum):

IDS/Security Events, Host or Network Device Events

Log Sources (recommended):

N/A

List:

Network Devices

AIE Rule Additional Details:

Action: Investigate the system reporting the configuration change and determine if the change was authorized. If unauthorized, perform your company’s compromise incident response procedures.

Use Case: An attacker completes a successful privilege escalation and begins making changes to allow further network penetration.

CSC: Vulnerability after Software Installed

AIE Rule ID: 494

Rule Description:

Vulnerability detected on a host following a software installation or update.  CIS Critical Security Control(s): CSC 3.1

CSC Control(s): CSC 3.1

Common Event: AIE: CSC: Vulnerability after Software Installed

Classification: Security : Vulnerability

Suppression Multiple: 1

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Medium

False Positive Probability: 4

Log Sources (minimum):

Host Logs, Vulnerability Scanner Logs

Log Sources (recommended):

N/A

List:

N/A

AIE Rule Additional Details:

Action: Investigate the recently installed software to determine if it’s approved and part of a known change control. If unknown, perform your company’s incident response process for a compromise.

Use Case: A software installation introduced a new vulnerability which was detected by a corporate vulnerability scanner.

CSC: Repeat Vulnerability Detected

AIE Rule ID: 495

Rule Description:

Vulnerability detected without a subsequent cleaning event. CIS Critical Security Control(s): CSC 3.6

CSC Control(s): CSC 3.6

Common Event: AIE: CSC: Repeat Vulnerability Detected

Classification: Security : Vulnerability

Suppression Multiple: 1

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Low

False Positive Probability: 3

Log Sources (minimum):

Vulnerability Scanner Logs

Log Sources (recommended):

N/A

List:

N/A

AIE Rule Additional Details:

Action: You may want to track this as an incident depending on your company’s vulnerability and patching policies.

Use Case: A vulnerability scanner detects a known vulnerability on a network host. The next day the same vulnerability has not been patched and is detected again.

CSC: Repeat Attacks Against a Host

AIE Rule ID: 496

Rule Description:

The same security event is detected on the same host multiple times within a short window.  CIS Critical Security Control(s): CSC 12.5

CSC Control(s): CSC 12.5

Common Event: AIE: CSC: Repeat Attacks Against a Host

Classification: Security : Attack

Suppression Multiple: 12

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Low

False Positive Probability: 5

Log Sources (minimum):

IDS/Security Events

Log Sources (recommended):

N/A

List:

N/A

AIE Rule Additional Details:

Action: Investigate the Host (Origin) if internal and perform your company’s incident response procedure for responding to a compromise. You may also want to investigate the Host (Origin) for any recent software changes that could account for this alert being a false positive.

Use Case: A company's Snort IDS deployment is firing repeatedly because an infected host is attempting to spread on the network.

CSC: Blacklisted User-Agent String

AIE Rule ID: 497

Rule Description:

Blacklisted devices attempting to communicate on the network.  CIS Critical Security Control(s): CSC 12.3, CSC 18.10

CSC Control(s): CSC 12.3, CSC 18.10

Common Event: AIE: CSC: Blacklisted User-Agent String

Classification: Security : Attack

Suppression Multiple: 3600

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Low

False Positive Probability: 5

Log Sources (minimum):

Web Server

Log Sources (recommended):

Web Proxy or Next Gen Firewall

List:

Blacklisted User Agent Strings

AIE Rule Additional Details:

Action: Investigate the suspicious user agent string to determine if it is being generated by an unknown application. Follow your company’s incident response policies and procedures for compromise.

Use Case: A unique user agent string is identified as part of an investigation and you would like to keep track of how and where this user agent appears on the network.

CSC: Backup Failure Detected

AIE Rule ID: 498

Rule Description:

More than 10 backup failure events are detected.  CIS Critical Security Control(s): CSC 10.1

CSC Control(s): CSC 10.1

Common Event: AIE: CSC: Backup Failure Detected

Classification: Ops : Error

Suppression Multiple: 2

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Low

False Positive Probability: 1

Log Sources (minimum):

Backup System Events

Log Sources (recommended):

N/A

List:

N/A

AIE Rule Additional Details:

Action: You may want to track this as an incident, as systems that miss backups are more vulnerable to data loss. You may want to escalate this incident to the IT department in charge of backups to resolve.

Use Case: A host has disconnected a network volume and is not able to make scheduled backups.

CSC: Blacklisted Egress Port Observed

AIE Rule ID: 499

Rule Description:

Triggered when an internal host communicates with a host outside the network using a port not on the allowed list.   CIS Critical Security Control(s): CSC 9.4, CSC 12.3

CSC Control(s): CSC 9.4, CSC 12.3

Common Event: AIE: CSC: Blacklisted Egress Port Observed

Classification: Security : Compromise

Suppression Multiple: 3600

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Medium

False Positive Probability: 2

Log Sources (minimum):

Firewall or Network Flow Data

Log Sources (recommended):

LogRhythm Network Monitor or Next Gen Firewall

List:

Network: Allowed Egress Ports

AIE Rule Additional Details:

Action: Investigate the unknown application on the non-approved port. If found to be authorized, add the port to the Allowed Egress Ports list. If unauthorized, perform your company’s incident response procedure for compromise.

Use Case: A misconfigured firewall is allowing traffic to pass outside the network over the common VNC port (5900).

Configuration: The LogRhythm List "Allowed Egress Ports" must be populated for this rule to work.

CSC: Blacklisted Ingress Port Observed

AIE Rule ID: 500

Rule Description:

Triggered when an external host communicates with a network host on a port not on the allowed ingress list.  CIS Critical Security Control(s): CSC 9.4, CSC 12.3

CSC Control(s): CSC 9.4, CSC 12.3

Common Event: AIE: CSC: Blacklisted Ingress Port Observed

Classification: Security : Attack

Suppression Multiple: 3600

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Medium

False Positive Probability: 5

Log Sources (minimum):

Firewall or Network Flow Data

Log Sources (recommended):

LogRhythm Network Monitor or Next Gen Firewall

List:

Network: Allowed Ingress Ports

AIE Rule Additional Details:

Action: Investigate the unknown application on the non-approved port. If found to be authorized, add the port to the Allowed Ingress Ports list. If unauthorized, perform your company’s incident response procedure for compromise.

Use Case: A misconfigured firewall is allowing traffic to pass into the network on the common VNC port (5900).

Configuration: The LogRhythm List "Allowed Ingress Ports" must be populated for this rule to work.

CSC: Multiple Passwords Modified by Different User

AIE Rule ID: 501

Rule Description:

Multiple occurrences of one user changing another's password.  CIS Critical Security Control(s): CSC 16.4

CSC Control(s): CSC 16.4

Common Event: AIE: CSC: Mult Pass Modified by Separate User

Classification: Security : Compromise

Suppression Multiple: 4

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Medium

False Positive Probability: 3

Log Sources (minimum):

Host Logs

Log Sources (recommended):

Active Directory or LDAP

List:

N/A

AIE Rule Additional Details:

Action: Investigate the User (Origin) performing the password resets and verify that this is authorized activity and a help desk ticket or change control process is being followed. If unknown, follow your company’s compromise incident response process.

Use Case: A disgruntled employee is attempting to lock out multiple other users' accounts.

Required Configuration: The AI Engine rule "CSC: Password Modified by Another User" must be enabled.

Optional Configuration: If IT personnel regularly reset multiple passwords, this activity will likely set off this alarm. You may need to exclude authorized users.

CSC: External DNS Observed

AIE Rule ID: 502

Rule Description:

Internal hosts using an external DNS server. CIS Critical Security Control(s): CSC 12.3

CSC Control(s): CSC 12.3

Common Event: AIE: CSC: External DNS Observed

Classification: Security : Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Low

False Positive Probability: 4

Log Sources (minimum):

LogRhythm Network Monitor or Next Gen Firewall

Log Sources (recommended):

N/A

List:

N/A

AIE Rule Additional Details:

Action: Investigate the Host (Origin) that is calling out to determine which application is querying the external DNS server. You may also want to investigate the host for a recent configuration change and whether the change was authorized and part of a change control process. If the application and/or change is unauthorized, follow your company’s incident response policies and procedures for compromise.

Use Case: A network host has been infected with malware and is using a compromised external DNS server.

CSC: Multiple Failed Access Attempts

AIE Rule ID: 506

Rule Description:

User makes multiple failed access attempts within a short time period. CIS Critical Security Control(s): CSC 16.8

CSC Control(s): CSC 16.8

Common Event: AIE: CSC: Multiple Failed Access Attempts

Classification: Security : Suspicious

Suppression Multiple: 12

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Low

False Positive Probability: 4

Log Sources (minimum):

Object-Level Auditing Data

Log Sources (recommended):

N/A

List:

N/A

AIE Rule Additional Details:

Action: Investigate the User (Origin) to determine if the attempted access is authorized, for example due to a recent job role change. If unauthorized, follow your company’s normal incident response process for an insider threat.

Use Case: A new employee is exploring the file server looking for files they can access.

CSC: Multiple Object Access Failures

AIE Rule ID: 507

Rule Description:

Multiple users failed to access the same file. CIS Critical Security Control(s): CSC 16.8

CSC Control(s): CSC 16.8

Common Event: AIE: CSC: Multiple Object Access Failures

Classification: Security : Suspicious

Suppression Multiple: 20

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Low

False Positive Probability: 4

Log Sources (minimum):

Object-Level Auditing Data

Log Sources (recommended):

N/A

List:

N/A

AIE Rule Additional Details:

Action: Investigate the Host (Origin) to determine who the authorized user is and verify whether that user is attempting to use alternate credentials. If unauthorized activity is discovered, follow your company’s incident response policies and process for compromise.

Use Case: A hacker has gained access to the network and is testing different accounts to see if one has access to a particular directory on the file server.

CSC: New Wireless Host

AIE Rule ID: 508

Rule Description:

A new host is seen communicating in the environment for the first time. CIS Critical Security Control(s): CSC 1.3, CSC 15.3

CSC Control(s): CSC 1.3, CSC 15.3

Common Event: AIE: CSC: New Wireless Host

Classification: Security : Suspicious

Suppression Multiple: 2

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Medium

False Positive Probability: 4

Log Sources (minimum):

LogRhythm Network Monitor

Log Sources (recommended):

N/A

List:

Wireless Network IP Range

AIE Rule Additional Details:

Action: Investigate the unknown host and determine if it is unauthorized. If unauthorized, you may want to block its MAC address on the network while you perform your investigation. Follow your company’s incident response policies and processes.

Use Case: An attacker has cracked a company's internal wireless WPA2 key and has set up a rogue host to listen in promiscuous mode to all wireless traffic in the hopes of obtaining sensitive information.

Required Configuration:

  1. LogRhythm Network Monitor.
  2. Define all internal network ranges. Then create an include filter in both the baseline and live period where Network (Origin) is <defined network ranges>.
  3. In the Data Processor advanced properties, turn on DNSIPToName resolution.
  4. Populate the list Wireless Network IP Range.

Optional Configuration: When turning on this rule for the first time, turn on suppression for 2 or 3 days. Then, after 2 or 3 days turn the suppression off again. This will allow data to build up in the baseline and alerts will become more accurate.

CSC: Malware Not Cleaned

AIE Rule ID: 509

Rule Description:

A malware removal event from a host followed immediately (within 1 hour) by another malware event. This indicates that the malware was not completely removed. CIS Critical Security Control(s): CSC 8.1

CSC Control(s): CSC 8.1

Common Event: AIE: CSC: Malware Not Cleaned

Classification: Security : Malware

Suppression Multiple: 1

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: Medium

False Positive Probability: 4

Log Sources (minimum):

IDS/Security or Antimalware Events

Log Sources (recommended):

N/A

List:

N/A

AIE Rule Additional Details:

Action: Investigate the host reporting the malware event and determine if the infection is still present. If so, you may want to remove the system from the network and follow your company’s incident response policies and procedures for a malware event.

Use Case: A network host was infected with malware and the corporate virus scanner reported it cleaned. The malware was not fully removed and another malware event was seen shortly after.

CSC: External Malicious User-Agent

AIE Rule ID: 1112

Rule Description:

User agent string used by hacking/security research tools found in web server logs. CIS Critical Security Control(s): CSC 12.5, CSC 8.1

CSC Control(s): CSC 12.5, CSC 8.1

Common Event: AIE: CSC: External Malicious User-Agent

Classification: Security : Reconnaissance

Suppression Multiple: 3600

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: High

False Positive Probability: 1

Log Sources (minimum):

Web Server

Log Sources (recommended):

Web Proxy or Next Gen Firewall

List:

Malicious User Agent Strings

AIE Rule Additional Details:

Action: Investigate the suspicious user-agent string and determine if you should block the origin IP address or subnet, or add it to a watch list to determine what the attacker is interested in.

Use Case: A known malicious user-agent string has been observed, alerting you to activity that should be scrutinized more closely.

Optional Configuration: By default, this rule evaluates Apache and IIS web server logs. If you have a custom Log Source that parses the User Agent string to the Object field, add it to the Log Source Type Primary Criteria.

CSC: External Malicious URL Characters

AIE Rule ID: 1113

Rule Description:

Malicious characters in the URL string found in web server log. CIS Critical Security Control(s): CSC 12.5, CSC 8.1

CSC Control(s): CSC 12.5, CSC 8.1

Common Event: AIE: CSC: External Malicious URL Characters

Classification: Security : Reconnaissance

Suppression Multiple: 3600

Alarm on Event Occurrence: Disabled

Environmental Dependence Factor: High

False Positive Probability: 2

Log Sources (minimum):

Web Server

Log Sources (recommended):

Web Proxy or Next Gen Firewall

List:

Suspicious URL Characters

AIE Rule Additional Details:

Action: Investigate the suspicious URL characters and determine if you should block the origin IP address or subnet, or add it to a watch list to determine what the attacker is interested in.

Use Case: A known malicious URL character string has been observed, alerting you to activity that should be scrutinized more closely.

Optional Configuration: By default, this rule filters on all Apache and IIS web server logs. If you have a custom Log Source that parses the User Agent string to the Object field, it will work here as well.

