Core Threat Detection – AI Engine Rules
| Rule ID | Rule | Risk Rating | FPP | Runtime Priority | Suppression Multiple | Alarm on Event | Minimum Data Requirement | Recommended Data Requirement | Configuration Steps | Endpoint Threat Detection | Network Threat Detection | User Threat Detection |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3 | Compromise: Distributed Brute Force | 9 | 1 | Normal | 12 | No | AD/LDAP | AD/LDAP, Host | In Windows, activate Audit Account Management for successes in the Group/Local Security Policy. | | | X |
| 9 | Recon: Failed Distributed Account Probe | 4 | 1 | Normal | 6 | No | AD/LDAP | AD/LDAP, Host | | | | X |
| 17 | Lateral: External Attack then Account Creation | 9 | 1 | Normal | 1 | No | IDS/IPS | IDS/IPS | | | | X |
| 19 | Attainment: Log Cleared | 9 | 3 | Normal | 1 | No | Host Security Logs/AV/IDS/IPS | NextGen Firewall | | X | | |
| 29 | Lateral: Privilege Escalation after Attack | 9 | 1 | Normal | 2 | No | IDS/Security/AD/LDAP | IDS/Security/AD/LDAP | | | | X |
| 52 | Lateral: Internal Attack then Account Creation | 9 | 4 | Normal | 6 | No | IDS/Security/AD/LDAP | IDS/Security/AD/LDAP | | | | X |
| 72 | Compromise: Malware Outbreak | 9 | 3 | Normal | 2 | No | AV/IDS/IPS | NextGen Firewall | | X | | |
| 79 | C2: Malware: Outbound IRC | 6 | 7 | Normal | 3600 | No | Firewall or Network Flow Data (internal/egress) | LogRhythm Network Monitor, Next Gen Firewall (internal/egress) | | | X | |
| 86 | Lateral: Internal Recon then Account Creation | 9 | 1 | Normal | 3 | No | IDS/Security Events, AD, LDAP | Host | | | | X |
| 89 | Recon: Excessive HTTP Errors | 4 | 5 | Normal | 30 | No | Web Server | Web Server | | | X | |
| 111 | Recon: Metasploit Activity Observed | 4 | 5 | Normal | 3600 | No | Firewall or Network Flow Data (internal) | LogRhythm Network Monitor, Next Gen Firewall (internal) | | | X | |
| 473 | Compromise: Inbound RDP/VNC | 6 | 3 | Normal | 3600 | No | Firewall or Network Flow Data (perimeter) | LogRhythm Network Monitor, Next Gen Firewall (perimeter) | | | X | |
| 475 | C2: Excessive Outbound Firewall Denies | 6 | 5 | Normal | 60 | No | Firewall or Network Flow Data (perimeter) | LogRhythm Network Monitor, Next Gen Firewall (perimeter) | | | X | |
| 510 | Lateral: Password Modified by Admin | 6 | 8 | Normal | 60 | No | AD/LDAP | Host | (Optional) To exclude system accounts from this alarm, add an exclude filter for an Origin Login or Account matching the regular expression `.*?\$$` (account names ending in "$"). | | | X |
| 511 | Lateral: Admin Password Modified | 6 | 3 | Normal | 60 | No | AD/LDAP | Host | (Optional) To exclude system accounts from this alarm, add an exclude filter for an Origin Login or Account matching the regular expression `\$$` (account names ending in "$"). | | | X |
| 546 | Recon: Multiple Lockouts | 6 | 5 | Normal | 1 | No | AD/LDAP | Host | | | | X |
| 711 | C2: Attack then Outbound Connection | 8 | 5 | Normal | 1 | No | IDS/IPS and Firewall or Network Flow Data | LogRhythm Network Monitor, Next Gen Firewall | | | X | |
| 713 | Corruption: Audit Disabled by Admin | 9 | 1 | Normal | 1 | No | AD/LDAP, Host Logs | AD/LDAP, Host Logs | An include filter where Origin Login is in the list of privileged user IDs must be entered into Rule Block 1 (RB1). | | | X |
| 715 | Lateral: Locally Created and Used | 9 | 5 | Normal | 2 | No | Host Security Logs | Single Sign On Logs | | X | | |
| 716 | Exfil: Lateral Movement then Exfil | 9 | 5 | Normal | 2 | No | Host Security Logs/AV/IDS/IPS | NextGen Firewall | | X | | |
| 739 | C2: Port Misuse: 53 | 6 | 6 | Normal | 3600 | No | LogRhythm Network Monitor | LogRhythm Network Monitor | | | X | |
| 742 | Exfiltration: Large Outbound Transfer | 6 | 2 | Normal | 2 | No | Firewall or Network Flow Data | LogRhythm Network Monitor, Next Gen Firewall | | | X | |
| 744 | Recon: Excessive Inbound Firewall Denies | 4 | 9 | Normal | 12 | No | Firewall or Network Flow Data (perimeter) | LogRhythm Network Monitor, Next Gen Firewall (perimeter) | | | X | |
| 770 | Compromise: Repeated Attacks Against Host | 8 | 5 | Normal | 12 | No | IDS/IPS | Next Gen Firewall | | | X | |
| 776 | C2: External DNS Server Used | 6 | 4 | Normal | 3600 | No | Firewall or Network Flow Data | LogRhythm Network Monitor, Next Gen Firewall | | | X | |
| 783 | Compromise: Malware Not Cleaned | 9 | 5 | Normal | 1 | No | Host Security Logs/Host Application Logs/AV/IDS/IPS | NextGen Firewall | | X | | |
| 1180 | Compromise: Obsolete SSL/TLS Version | 6 | 6 | Normal | 3600 | No | Firewall or Network Flow Data | LogRhythm Network Monitor, Next Gen Firewall | Cannot be tuned, but assists with reporting and insight. Enforce a web server policy that does not fall back to older/vulnerable TLS versions; the same is recommended for web browsers. | X | | |
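The two account-centric configuration steps above (the `\$$` system-account exclude filter for rules 510/511, and the many-origins-against-one-account pattern behind rule 3) are easy to get wrong when tuning, so here is an added Python example that applies both to a handful of constructed Windows logon events. This is illustration code written for this page, not LogRhythm's AI Engine logic; the threshold of five distinct origins within fifteen minutes, the event field names, and the sample data are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Exclude filter from the table (rules 510/511): Windows machine and service
# accounts end in "$", so an Origin Login matching this regex is skipped.
SYSTEM_ACCOUNT_RE = re.compile(r"\$$")

# Constructed sample events for this example, not real log data. Each is a
# logon attempt after parsing: the Account (Origin Login), the Origin host,
# and whether the logon failed.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T10:00:01", "account": "jdoe", "origin": "10.0.0.11", "result": "fail"},
    {"time": "2024-03-01T10:02:00", "account": "jdoe", "origin": "10.0.0.12", "result": "fail"},
    {"time": "2024-03-01T10:04:00", "account": "jdoe", "origin": "10.0.0.13", "result": "fail"},
    {"time": "2024-03-01T10:06:00", "account": "jdoe", "origin": "10.0.0.14", "result": "fail"},
    {"time": "2024-03-01T10:08:00", "account": "jdoe", "origin": "10.0.0.15", "result": "fail"},
    {"time": "2024-03-01T10:09:00", "account": "jdoe", "origin": "10.0.0.11", "result": "success"},
    {"time": "2024-03-01T12:30:00", "account": "jdoe", "origin": "10.0.0.16", "result": "fail"},
    # Only two origins: stays below the assumed threshold.
    {"time": "2024-03-01T10:01:00", "account": "asmith", "origin": "10.0.0.31", "result": "fail"},
    {"time": "2024-03-01T10:03:00", "account": "asmith", "origin": "10.0.0.32", "result": "fail"},
    # Machine account: six origins, but dropped by the exclude filter.
    {"time": "2024-03-01T10:00:00", "account": "WS01$", "origin": "10.0.0.21", "result": "fail"},
    {"time": "2024-03-01T10:00:10", "account": "WS01$", "origin": "10.0.0.22", "result": "fail"},
    {"time": "2024-03-01T10:00:20", "account": "WS01$", "origin": "10.0.0.23", "result": "fail"},
    {"time": "2024-03-01T10:00:30", "account": "WS01$", "origin": "10.0.0.24", "result": "fail"},
    {"time": "2024-03-01T10:00:40", "account": "WS01$", "origin": "10.0.0.25", "result": "fail"},
    {"time": "2024-03-01T10:00:50", "account": "WS01$", "origin": "10.0.0.26", "result": "fail"},
]


def is_system_account(login: str) -> bool:
    """True when the login matches the system-account exclude regex."""
    return SYSTEM_ACCOUNT_RE.search(login) is not None


def distributed_brute_force(events, min_origins=5, window=timedelta(minutes=15)):
    """Detect the pattern behind rule 3: logon failures against one account
    from many distinct origins inside a short window.

    min_origins and window are assumed thresholds for this example; the
    real values live in the AI Engine rule block.
    Returns {account: distinct_origins_in_window} for each account that fires.
    """
    failures = defaultdict(list)
    for ev in events:
        if ev["result"] != "fail" or is_system_account(ev["account"]):
            continue
        failures[ev["account"]].append((datetime.fromisoformat(ev["time"]), ev["origin"]))

    hits = {}
    for account, rows in failures.items():
        rows.sort()
        # Slide a window starting at each failure and count distinct origins.
        for start, _ in rows:
            origins = {origin for t, origin in rows if start <= t <= start + window}
            if len(origins) >= min_origins:
                hits[account] = len(origins)
                break
    return hits


if __name__ == "__main__":
    print(distributed_brute_force(SAMPLE_EVENTS))  # {'jdoe': 5}
```

The exclude filter is applied before counting, which is the order the table implies: a noisy machine account never contributes to the origin count, and the single later failure for `jdoe` at 12:30 is outside every window, so it neither raises nor lowers the result.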
Attack Lifecycle Progression Rules
The AI Engine rules contained in the Network Threat Detection Module are categorized by Attack Lifecycle stage, which is the prefix of each rule name above (Recon, Compromise, C2, Lateral, Attainment, Exfil/Corruption). Each stage reflects a step in a security event, and activity that moves forward through the stages should be treated as a more serious event than any single stage on its own. The Network Threat Detection Module also contains Attack Lifecycle Progression rules, which are meant to identify exactly that forward movement. These rules are listed in the following table.
| Rule ID | Rule | Risk Rating | FPP | Runtime Priority | Suppression Multiple | Alarm on Event | Endpoint Threat Detection | Network Threat Detection | User Threat Detection |
|---|---|---|---|---|---|---|---|---|---|
| 1003 | Progression: to Initial Compromise | 8 | 1 | Normal | 1 | Yes | X | X | X |
| 1004 | Progression: to Command and Control | 8 | 1 | Normal | 1 | Yes | X | X | X |
| 1005 | Progression: to Lateral Movement | 8 | 1 | Normal | 1 | Yes | X | X | X |
| 1006 | Progression: to Target Attainment | 9 | 1 | Normal | 1 | Yes | X | X | X |
| 1007 | Progression: to Exfil, Corruption, Disruption | 9 | 1 | Normal | 1 | Yes | X | X | X |
| 1008 | Progression: to Initial Compromise | 8 | 1 | Normal | 1 | Yes | X | X | X |
| 1009 | Progression: to Command and Control | 8 | 1 | Normal | 1 | Yes | X | X | X |
| 1010 | Progression: to Lateral Movement | 8 | 1 | Normal | 1 | Yes | X | X | X |
| 1011 | Progression: to Target Attainment | 9 | 1 | Normal | 1 | Yes | X | X | X |
| 1012 | Progression: to Exfil, Corruption, Disruption | 9 | 1 | Normal | 1 | Yes | X | X | X |
| 1013 | Progression: to Initial Compromise | 9 | 1 | Normal | 1 | Yes | X | X | X |
| 1014 | Progression: to Command and Control | 8 | 1 | Normal | 1 | Yes | X | X | X |
| 1015 | Progression: to Lateral Movement | 8 | 1 | Normal | 1 | Yes | X | X | X |
| 1016 | Progression: to Target Attainment | 9 | 1 | Normal | 1 | Yes | X | X | X |
| 1017 | Progression: to Exfil, Corruption, Disruption | 9 | 1 | Normal | 1 | Yes | X | X | X |
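To make the progression idea concrete, here is an added Python example that replays a constructed sequence of core-rule alarms and fires the matching "Progression: to ..." rule whenever a host reaches a later lifecycle stage than any it had reached before. This is illustration code for this page, not the AI Engine's implementation: the stage order is taken from the rule-name prefixes in the tables above, but keying on the host, the 24-hour look-back window, and the sample alarms are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Attack Lifecycle stage of a core rule, read from the prefix of its name
# ("Recon:", "Compromise:", ...). Exfil, Exfiltration, Corruption and
# Disruption are one final stage, matching the last progression rule name.
STAGE_ORDER = {
    "Recon": 0, "Compromise": 1, "C2": 2, "Lateral": 3, "Attainment": 4,
    "Exfil": 5, "Exfiltration": 5, "Corruption": 5, "Disruption": 5,
}

# Progression rule fired when a host first moves forward into each stage.
PROGRESSION_RULE = {
    1: "Progression: to Initial Compromise",
    2: "Progression: to Command and Control",
    3: "Progression: to Lateral Movement",
    4: "Progression: to Target Attainment",
    5: "Progression: to Exfil, Corruption, Disruption",
}


def stage_of(rule_name: str) -> int:
    """Stage index of a core rule from its name prefix."""
    return STAGE_ORDER[rule_name.split(":", 1)[0].strip()]


def progression_alarms(alarms, window=timedelta(hours=24)):
    """alarms: iterable of (time_iso, host, core_rule_name).

    Fires a progression rule when a host that already has alarms within
    `window` produces one at a later stage than any it reached before.
    A step back to an earlier stage, a first alarm with no history, or
    history older than the window fires nothing.
    Returns [(host, progression_rule_name), ...] in time order.
    """
    history = defaultdict(list)  # host -> [(time, stage), ...]
    fired = []
    for time_iso, host, rule in sorted(alarms):
        t = datetime.fromisoformat(time_iso)
        stage = stage_of(rule)
        prior = [s for pt, s in history[host] if t - pt <= window]
        if prior and stage > max(prior):
            fired.append((host, PROGRESSION_RULE[stage]))
        history[host].append((t, stage))
    return fired


# Constructed sample alarms for this example, not real data.
SAMPLE_ALARMS = [
    ("2024-03-01T09:00:00", "10.0.0.50", "Recon: Excessive Inbound Firewall Denies"),
    ("2024-03-01T09:30:00", "10.0.0.50", "Compromise: Inbound RDP/VNC"),
    ("2024-03-01T10:00:00", "10.0.0.50", "C2: External DNS Server Used"),
    ("2024-03-01T10:30:00", "10.0.0.50", "Recon: Metasploit Activity Observed"),  # step back
    ("2024-03-01T11:00:00", "10.0.0.50", "Lateral: Locally Created and Used"),
    ("2024-03-01T11:00:00", "10.0.0.60", "Compromise: Malware Outbreak"),  # no history
    ("2024-03-01T08:00:00", "10.0.0.70", "C2: Port Misuse: 53"),
    ("2024-03-04T08:00:00", "10.0.0.70", "Exfiltration: Large Outbound Transfer"),  # > 24h later
]

if __name__ == "__main__":
    for host, rule in progression_alarms(SAMPLE_ALARMS):
        print(host, rule)
```

Only host 10.0.0.50 produces progression alarms (to Initial Compromise, to Command and Control, then to Lateral Movement); the Metasploit recon alarm between them is a step back and is ignored, 10.0.0.60 has nothing earlier to progress from, and 10.0.0.70's exfiltration lands outside the look-back window. This is why the progression rules are the ones marked "Alarm on Event" in the table: a single core rule firing is routine, while forward movement is the signal worth paging on.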