
CJIS – AI Engine Rules

Table columns (each rule entry below lists these fields in this order):

AIE Rules & Alerts

Augment Requirements

Alarming

Classification

Corresponding Investigation

Log Sources

Rule Description

Alert

Rule ID

CCF: Abnormal Amount of Data Transferred

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.2, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.4.5, 5.4.6, 5.7.1.1, 5.8.1, 5.8.3, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-12), 5.15(SI-16)

No

Operations: Warning

Operations: Warning

1. Include All Log Sources
2. Include All Log Sources

This rule alerts whenever a significant change (400% increase or 75% decrease) in Bytes In or Bytes Out is observed for a specific host.

No

1230

CCF: Abnormal Origin Location

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

No

Security: Attack

Security: Attack

1. Include All Log Sources
2. Include All Log Sources

First tracks the geographic locations of VPN logins, then triggers when a new origin location is seen for a user.

No

1208

CCF: Account Deleted Rule

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

No

Audit: Account Deleted

Audit: Account Deleted

Include All Log Sources

This rule provides details of accounts that have been deleted.

No

1367

CCF: Account Disabled Rule

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

No

Audit: Access Revoked

Audit: Access Revoked

Include All Log Sources

This AIE Rule alerts whenever access is revoked from an account.

No

1369

CCF: Account Enabled Rule

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

Yes

Audit: Access Granted

Audit: Access Granted

Include All Log Sources

This AIE Rule alerts whenever access is granted to an account.

Yes

1368

CCF: Account Modification

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

No

Audit: Account Modified

Audit: Account Modified

Include All Log Sources

This AIE Rule creates a common event and provides detail around account modification activity.

No

1377

CCF: Admin Password Modified

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

No

Security: Suspicious

Security: Suspicious

Include All Log Sources

User changes the password of a different privileged user account.

No

1326

CCF: Attack then External Connection

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.8.1, 5.15(SI-2), 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10), 5.15(SI-11), 5.15(SI-12), 5.15(SI-16)

No

Security: Compromise

Security: Compromise

1. Include All Log Sources
2. Include All Log Sources

An observed external attack or compromise followed by data leaving the system and going to the attacker.

No

1211

CCF: Audit Log Cleared Alarm

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.2, 5.10.1.2.1, 5.10.1.2.2, 5.10.1.3, 5.10.2, 5.10.3.1, 5.10.3.2, 5.10.4.1, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1.1, 5.4.2, 5.4.4, 5.4.5, 5.4.6, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.2, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.8.2.1, 5.8.3, 5.9.1, 5.9.1.1, 5.9.1.2, 5.9.1.3, 5.9.1.4, 5.9.1.5, 5.9.1.6, 5.9.1.7, 5.9.1.8, 5.9.2, 5.15(SI-2), 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-11), 5.15(SI-12), 5.15(SI-16)

Yes

Audit: Access Success

Audit: Access Success

Include All Log Sources

This AIE Rule provides details on audit log clearing.

Yes

1331

CCF: Audit Logging Stopped Alarm

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.2, 5.10.1.2.1, 5.10.1.2.2, 5.10.1.3, 5.10.2, 5.10.3.1, 5.10.3.2, 5.10.4.1, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1.1, 5.4.2, 5.4.4, 5.4.5, 5.4.6, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.2, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.8.2.1, 5.8.3, 5.9.1, 5.9.1.1, 5.9.1.2, 5.9.1.3, 5.9.1.4, 5.9.1.5, 5.9.1.6, 5.9.1.7, 5.9.1.8, 5.9.2, 5.15(SI-2), 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-11), 5.15(SI-12), 5.15(SI-16)

Yes

Audit: Configuration

Audit: Configuration

Include All Log Sources

This AIE Rule provides details on audit logging being stopped.

Yes

1328

CCF: Auth After Numerous Failed Auths

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.3, 5.5.2.4, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

No

Security: Compromise

Security: Compromise

1. Include All Log Sources
2. Include All Log Sources

Multiple external unique login attempts are seen on the same impacted host within a short period of time, followed by a successful authentication.

No

1199

CCF: Auth After Security Event

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.3, 5.5.2.4, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

No

Security: Compromise

Security: Compromise

1. Include All Log Sources
2. Include All Log Sources

An observed attack, compromise, or other security event followed by successful access or authentication from the attacking host.

No

1200

CCF: Backup Failure Alarm

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.2, 5.10.3.1, 5.10.3.2, 5.10.4.1, 5.3.2.1, 5.3.2.2, 5.4.1, 5.4.1.1, 5.4.2, 5.4.5, 5.4.6, 5.15(SI-2), 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10), 5.15(SI-11)

Yes

Operations: Error

Operations: Error

Include All Log Sources

More than 10 backup failure events are detected.

Yes

1236

CCF: Backup Information

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.2.2, 5.10.1.3, 5.10.2, 5.10.3.1, 5.10.3.2, 5.10.4.1, 5.3.2.1, 5.3.2.2, 5.4.1, 5.4.1.1, 5.4.2, 5.4.5, 5.4.6, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

No

Operations: Information

Operations: Information

Include All Log Sources

This AIE Rule creates events for information from backup software.

No

1237

CCF: Blacklist Location Auth

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

No

Security: Compromise

Audit: Other Audit Success

Include All Log Sources

Authentication success from a blacklisted location.

No

1204

CCF: Blacklisted Account Alarm

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

Yes

Audit: Other Audit Success

Security: Compromise

Include All Log Sources

This AIE Rule creates an alarm when activity by a blacklisted account occurs within the environment. This requires the CCF: User Blacklist list to be populated and updated regularly.

Yes

1334

CCF: Compromise Detected Alarm

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8)

Yes

Security: Compromise

Security: Compromise

Include All Log Sources

This AIE rule creates an event and alerts on potential compromises across the environment.

Yes

1335

CCF: Concurrent VPN from Multiple Locations

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1.1, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

No

Security: Compromise

Security: Compromise

Include All Log Sources

Multiple VPN authentication successes from the same origin login are observed from different regions within a given time period (default 3 hours).

No

1205

CCF: Concurrent VPN from Same User

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1.1, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

No

Security: Suspicious

Security: Compromise

Include All Log Sources

This AIE Rule alerts on the occurrence of concurrent VPN sessions from the same user.

No

1373

CCF: Config Change After Attack

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.2.2, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.10.4.1, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.4.2, 5.4.6, 5.7.1, 5.7.1.1, 5.8.1, 5.15(SI-2), 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10), 5.15(SI-11), 5.15(SI-12), 5.15(SI-16)

No

Security: Compromise

Security: Compromise

1. Include All Log Sources
2. Include All Log Sources

Attack event on a host followed by a configuration change made to that host within 3 minutes.

No

1214

CCF: Config Change then Critical Error

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.2.2, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.10.4.1, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.4.2, 5.4.6, 5.7.1, 5.7.1.1, 5.8.1, 5.15(SI-2), 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10), 5.15(SI-11), 5.15(SI-12), 5.15(SI-16)

No

Security: Compromise

Security: Compromise

1. Include All Log Sources
2. Include All Log Sources

Configuration change followed by a critical error on the same host, indicating an erroneous configuration, malicious intent, or otherwise.

No

1216

CCF: Config Deleted/Disabled

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.2.2, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.10.4.1, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.4.2, 5.4.6, 5.7.1, 5.7.1.1, 5.8.1, 5.15(SI-2), 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10), 5.15(SI-11), 5.15(SI-12), 5.15(SI-16)

No

Security: Compromise

Security: Compromise

CCF: Production Servers

Configuration deleted or disabled within the organization infrastructure.

No

1219

CCF: Config Modified

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.2.2, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.10.4.1, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.4.2, 5.4.6, 5.7.1, 5.7.1.1, 5.8.1, 5.15(SI-10)

No

Security: Compromise

Security: Compromise

Include All Log Sources

Configuration modified within the organization infrastructure.

No

1221

CCF: Corroborated Account Anomalies

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

No

Security: Compromise

Security: Compromise

Include All Log Sources

3 or more unique behavioral anomalies for a given user within a 3-hour period. This rule requires Rule IDs 285 - 289 to be turned on.

Use Case: An account has been compromised.

No

1207

CCF: Corroborated Data Access Anomalies

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.2.2, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.2, 5.5.2.1, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-10), 5.15(SI-12), 5.15(SI-16)

No

Security: Compromise

Security: Compromise

Include All Log Sources

2 or more unique behavioral anomalies for data within a 3-hour period. This alarm requires Rule IDs 300-302 to be turned on in order to trigger.

No

1201

CCF: Critical Event After Attack

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.8.1, 5.15(SI-2), 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10), 5.15(SI-11), 5.15(SI-12), 5.15(SI-16)

No

Security: Compromise

Security: Compromise

1. Include All Log Sources
2. Include All Log Sources

An external attack or compromise followed by a critical event on the same host.

Action: This alarm can identify when an error message is generated as the result of a successful attack. This can be unexpected process termination or a hardware fail

No

1206

CCF: Critical/PRD Envir Patch Failure Alarm

5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.10.4.1, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.4.2, 5.7.1, 5.8.1, 5.15(SI-2), 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-11)

Yes

Operations: Error

Operations: Error

Include All Log Sources

This AIE rule creates an alert any time a patch fails to apply to the critical or production environments (entity structure).

Yes

1212

CCF: Data Destruction

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.2.2, 5.10.1.3, 5.10.2, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.4.5, 5.5.2, 5.7.1.1, 5.8.1, 5.8.3, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-12), 5.15(SI-16)

Yes

Security: Compromise

Security: Compromise

Include All Log Sources

Attack event followed by a FIM delete/modify event on the same host.

No

1202

CCF: Data Exfiltration Observed

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.2.2, 5.10.1.3, 5.10.2, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.4.5, 5.5.2, 5.7.1.1, 5.8.1, 5.8.3, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-12), 5.15(SI-16)

Yes

Security: Compromise

Security: Compromise

Include All Log Sources

External attack or compromise followed by data leaving the same system.

No

1193

CCF: Data Loss Prevention

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.2.2, 5.10.1.3, 5.10.2, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.4.5, 5.5.2, 5.7.1.1, 5.8.1, 5.8.3, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-10), 5.15(SI-11), 5.15(SI-12), 5.15(SI-16)

No

Operations: Information

Operations: Information

Include All Log Sources

This AIE Rule provides details of data generated by the LogRhythm Data Loss Defender or other data loss prevention solutions, when configured.

No

1232

CCF: Denial of Service Alert

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8)

No

Security: Denial Of Service

Security: Denial Of Service

1. Include All Log Sources
2. Include All Log Sources

This AIE Rule alerts on the occurrence of any identified Denial of Service event.

Yes

1376

CCF: Disabled Account Auth Success

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

No

Security: Compromise

Security: Compromise

Include All Log Sources

A recently disabled or deleted account authenticates or accesses resources on the network.

No

1194

CCF: Distributed Brute Force

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

Yes

Security: Compromise

Security: Compromise

Include All Log Sources

A successful brute force authentication -- multiple failed authentication attempts from different external hosts to the same host using the same origin login, followed by an authentication success.

No

1203

CCF: Early TLS/SSL Alarm

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.2, 5.10.1.2.1, 5.10.1.2.2, 5.10.1.3, 5.10.2, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1.1, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-12), 5.15(SI-16)

No

Security: Activity

Security: Activity

1. Include All Log Sources
2. Include All Log Sources

This AIE Rule alerts on the occurrence of any TLS event identified by LogRhythm Network Monitor.

Yes

1238

CCF: Excessive Authentication Failures Rule

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.2.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.1, 5.5.2, 5.5.2.2, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.8.2.1, 5.9.1, 5.9.1.1, 5.9.1.2, 5.9.1.3, 5.9.1.4, 5.9.1.5, 5.9.1.6, 5.9.1.7, 5.9.1.8, 5.9.2, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

No

Audit: Authentication Failure

Audit: Authentication Failure

1. Include All Log Sources
2. Include All Log Sources

This AIE Rule supports alerting on >10 authentication failures in 30 minutes (login failures). Match this threshold to your organization’s specific authentication failure policies.

Yes

1370

CCF: External Brute Force Auths

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

Yes

Security: Compromise

Security: Compromise

Include All Log Sources

Successful authentication after multiple failed attempts from different external origin hosts to the same impacted host.

No

1197

CCF: Failed Audit Log Write Alarm

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.2, 5.10.1.2.1, 5.10.1.2.2, 5.10.1.3, 5.10.2, 5.10.3.1, 5.10.3.2, 5.10.4.1, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1.1, 5.4.2, 5.4.4, 5.4.5, 5.4.6, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.2, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.8.2.1, 5.8.3, 5.9.1, 5.9.1.1, 5.9.1.2, 5.9.1.3, 5.9.1.4, 5.9.1.5, 5.9.1.6, 5.9.1.7, 5.9.1.8, 5.9.2, 5.15(SI-2), 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-11), 5.15(SI-12), 5.15(SI-16)

Yes

Audit: Other Audit Failure

Audit: Other Audit Failure

Include All Log Sources

This AIE Rule provides details on audit log write failures.

Yes

1332

CCF: FIM Abnormal Activity

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.2, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.4.6, 5.7.1.1, 5.8.1, 5.8.3, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-10), 5.15(SI-12), 5.15(SI-16)

No

Security: Suspicious

Security: Suspicious

1. Include All Log Sources
2. Include All Log Sources

This AIE Rule creates events for all abnormal file integrity monitoring activity.

No

1233

CCF: FIM Add Activity

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.2, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.4.6, 5.7.1.1, 5.8.1, 5.8.3, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-10), 5.15(SI-12), 5.15(SI-16)

Yes

Security: Activity

Security: Activity

Include All Log Sources

This AIE Rule creates events for all file integrity monitoring add activity.

No

1234

CCF: FIM Delete Activity Alarm

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.2, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.4.6, 5.7.1.1, 5.8.1, 5.8.3, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-12), 5.15(SI-16)

No

Security: Activity

Security: Activity

1. Include All Log Sources
2. Include All Log Sources

This AIE Rule alarms on file integrity monitoring delete activity.

Yes

1235

CCF: FIM General Activity

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.2, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.4.6, 5.7.1.1, 5.8.1, 5.8.3, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-10), 5.15(SI-12), 5.15(SI-16)

No

Operations: Information

Operations: Information

Include All Log Sources

This rule creates an event for file integrity monitoring activity, including adds, deletes, modifies, group changes, owner changes, and permission changes. The FIM log source can be LogRhythm's FIM or another FIM solution.

No

1239

CCF: FIM Information

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.2, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.4.6, 5.7.1.1, 5.8.1, 5.8.3, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-10), 5.15(SI-12), 5.15(SI-16)

Yes

Operations: Information

Operations: Information

Include All Log Sources

This AIE Rule creates events for general file integrity monitoring information.

No

1229

CCF: GeoIP Blacklisted Region Activity

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

No

Security: Suspicious

Security: Suspicious

Include All Log Sources

This rule tracks activity associated with regions in the Blacklisted Regions list.

No

1241

CCF: GeoIP General Activity

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

No

Security: Suspicious

Security: Suspicious

Include All Log Sources

This rule is designed for use with the Data Processor's GeoIP functionality, to represent general GeoIP activity.

No

1240

CCF: Large Outbound Transfer

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.2.2, 5.10.1.3, 5.10.2, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.4.5, 5.5.2, 5.7.1.1, 5.8.1, 5.8.3, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-12), 5.15(SI-16)

No

Security: Compromise

Security: Compromise

Include All Log Sources

A single host is seen sending over 1GB of data out of the network within 30 minutes.

No

1195

CCF: Linux sudo Privilege Escalation

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.15(SI-2), 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8)

No

Security: Suspicious

Security: Suspicious

Include All Log Sources

User not in the LogRhythm list "CCF: Privileged Accounts" and not in the local 'sudoers' file tries to use sudo on a Linux host.

No

1330

CCF: Local Account Created and Used

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

No

Security: Compromise

Security: Compromise

Include All Log Sources

An account is created on a host and then used shortly thereafter on the same host.

No

1196

CCF: LogRhythm Silent Log Source Error Alarm

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.2, 5.10.1.2.1, 5.10.1.2.2, 5.10.1.3, 5.10.2, 5.10.3.1, 5.10.3.2, 5.10.4.1, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1.1, 5.4.2, 5.4.4, 5.4.5, 5.4.6, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.2, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.8.2.1, 5.8.3, 5.9.1, 5.9.1.1, 5.9.1.2, 5.9.1.3, 5.9.1.4, 5.9.1.5, 5.9.1.6, 5.9.1.7, 5.9.1.8, 5.9.2, 5.15(SI-2), 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-11), 5.15(SI-12), 5.15(SI-16)

No

Operations: Warning

Operations: Warning

Include All Log Sources

This AIE Rule creates an alert and provides information when a LogRhythm Log Source has not received logs from a critical or production server-system during the defined error period.

Yes

1209

CCF: Malware Alarm

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8)

No

Security: Malware

Security: Malware

1. Include All Log Sources
2. Include All Log Sources

This AIE Rule provides details on malware activity across the organization's environment where malware detection/prevention is applied.

Yes

1217

CCF: Misuse

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.2, 5.5.2.1, 5.5.2.2, 5.5.2.4, 5.5.6, 5.5.6.1, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

Yes

Security: Misuse

Security: Misuse

Include All Log Sources

This AIE Rule provides details on misuse activity.

No

1231

CCF: Multiple Account Passwords Modified by Admin

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

Yes

Security: Suspicious

Security: Suspicious

Include All Log Sources

An observed login by a user in the privileged user list followed by the change of two or more other account passwords.

No

1327

CCF: Non-Encrypted Protocol Alarm

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.2, 5.10.1.2.1, 5.10.1.2.2, 5.10.1.3, 5.10.2, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1.1, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-10), 5.15(SI-12), 5.15(SI-16)

No

Operations: Information

Operations: Information

Include All Log Sources

This investigation provides details of unencrypted applications being utilized within the critical and production systems or environments (entity structure).

Yes

1222

CCF: Password Modified by Admin

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

No

Security: Suspicious

Security: Suspicious

Include All Log Sources

Privileged user changes the password of another account.

No

1325

CCF: Password Modified by Another User

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

Yes

Audit: Account Modified

Audit: Account Modified

Include All Log Sources

User changes the password of another account (not their own).

No

1333

CCF: PRD Envir Config/Policy Change Alarm

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.10.4.1, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.4.2, 5.7.1, 5.8.1, 5.15(SI-2), 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-11), 5.15(SI-16)

No

Audit: Policy

Audit: Policy

CCF: Production Servers

This AIE rule creates an alert any time configuration or policy modification logs are received from a critical or production environment (entity structure).

Yes

1210

CCF: PRD Envir Signature Failure Alarm

5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.10.4.1, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.4.2, 5.7.1, 5.8.1, 5.15(SI-2), 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-11)

No

Operations: Error

Operations: Error

Include All Log Sources

This AIE Rule creates an alert on signature update failures on critical or production environments (entity structure).

Yes

1213

CCF: Priv Group Access Granted Alarm

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-10)

Yes

Audit: Access Granted

Audit: Access Granted

Include All Log Sources

This AIE Rule provides details on access granted to privileged groups (administrators, dnsadmins, domain admins, enterprise admins, schema admins) within the organization infrastructure.

Yes

1324

CCF: Privilege Escalation After Attack Alarm

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

Yes

Security: Compromise

Security: Compromise

Include All Log Sources

Compromised host event followed by a new account created or account modified on the same host.

Yes

1329

CCF: Rogue Access Point Alarm

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.2, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.2.4, 5.5.6, 5.7.1.1, 5.8.1, 5.8.2.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

Yes

Security: Suspicious

Security: Suspicious

Include All Log Sources

This AIE Rule alerts on the occurrence of any rogue access point detection events against the organization's environment.

Yes

1220

CCF: Social Media Event

5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.2.1, 5.3.2.2, 5.4.1, 5.4.1.1, 5.5.2, 5.7.1.1, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-12), 5.15(SI-16)

No

Security: Suspicious

Security: Suspicious

Include All Log Sources

This rule tracks social media activity to help identify whether private or personal data that should not be transmitted is present in the environment's traffic.

No

1242

CCF: Software Install Rule

5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.10.4.1, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.4.2, 5.4.5, 5.7.1.1, 5.8.1, 5.15(SI-2), 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-11), 5.15(SI-16)

No

Audit: Configuration

Audit: Configuration

Include All Log Sources

This alerts on failed and incomplete attempts to update or install software in the organization.

Yes

1375

CCF: Software Install Failure Alarm

5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.10.4.1, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.4.2, 5.7.1, 5.8.1, 5.15(SI-2), 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-11), 5.15(SI-16)

Yes

Audit: Configuration

Audit: Configuration

Include All Log Sources

This AIE rule creates an event and alerts on any software installation activity across the environment.

No

1371

CCF: Software Uninstall Rule

5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.10.4.1, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.4.2, 5.4.5, 5.7.1.1, 5.8.1, 5.15(SI-2), 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-11), 5.15(SI-16)

No

Audit: Configuration

Audit: Configuration

Include All Log Sources

This alerts on failed or interrupted software uninstallations.

Yes

1374

CCF: Software Uninstall Failure Alarm

5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.10.4.1, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.4.2, 5.7.1, 5.8.1, 5.15(SI-2), 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-11), 5.15(SI-16)

Yes

Audit: Configuration

Audit: Configuration

Include All Log Sources

This AIE rule creates an event and alerts on any software uninstallation activity across the environment.

No

1372

CCF: Suspected Wireless Attack Alarm

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

Yes

Security: Attack

Security: Attack

CCF: Wireless IDS

This AIE Rule creates an event and alerts on suspected wireless attacks (success/failure) against the boundary monitoring devices.

Yes

1223

CCF: Time Sync Error Alarm

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.2, 5.10.1.2.1, 5.10.1.2.2, 5.10.1.3, 5.10.2, 5.10.3.1, 5.10.3.2, 5.10.4.1, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1.1, 5.4.2, 5.4.4, 5.4.5, 5.4.6, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.2, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.8.2.1, 5.8.3, 5.9.1, 5.9.1.1, 5.9.1.2, 5.9.1.3, 5.9.1.4, 5.9.1.5, 5.9.1.6, 5.9.1.7, 5.9.1.8, 5.9.2, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-11)

Yes

Operations: Warning

Operations: Warning

Include All Log Sources

This AIE Rule creates an event and alerts for any time sync errors occurring on any Log Source.

Yes

1215

CCF: Unknown User Account Alarm

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

No

Security: Suspicious

Security: Suspicious

Include All Log Sources

This rule identifies activity originating from unknown user accounts, based on the CCF user lists.

Yes

1243

CCF: Vulnerability Detected Alarm

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

Yes

Security: Vulnerability

Security: Vulnerability

Include All Log Sources

This AIE Rule alerts on the occurrence of vulnerabilities or suspicious events across the organization's environment.

Yes

1218

CCF: Windows RunAs Privilege Escalation

4.2.2, 5.10.1, 5.10.1.1, 5.10.1.3, 5.10.3.1, 5.10.3.2, 5.3.1, 5.3.2, 5.3.2.1, 5.3.2.2, 5.3.4, 5.4.1, 5.4.1.1, 5.5.1, 5.5.2, 5.5.2.1, 5.5.2.3, 5.5.2.4, 5.5.6, 5.5.6.1, 5.7.1, 5.7.1.1, 5.7.2, 5.8.1, 5.15(SI-2), 5.15(SI-3), 5.15(SI-4), 5.15(SI-4-2), 5.15(SI-4-4), 5.15(SI-4-5), 5.15(SI-5), 5.15(SI-7), 5.15(SI-7-1), 5.15(SI-7-7), 5.15(SI-8), 5.15(SI-10)

No

Security: Suspicious

Security: Suspicious

Include All Log Sources

User not in the LogRhythm List "Privileged Users" chooses to Run a Windows program as an administrator using the "Run as administrator" option.

No

1321
