| Rule ID | Rule | Risk Rating | FPP | Runtime Priority | Suppression Multiple | Alarm on Event | Minimum Data Requirement | Recommended Data Requirement | Configuration Steps | Endpoint Threat Detection | Network Threat Detection | User Threat Detection |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 3 | Compromise: Distributed Brute Force | 9 | 1 | Normal | 12 | No | AD/LDAP | AD/LDAP, Host | In Windows, activate Audit Account Management for successes in the Group/Local Security Policy. | | | X |
| 9 | Recon: Failed Distributed Account Probe | 4 | 1 | Normal | 6 | No | AD/LDAP | AD/LDAP, Host | | | | X |
| 17 | Lateral: External Attack then Account Creation | 9 | 1 | Normal | 1 | No | IDS/IPS | IDS/IPS | | | | X |
| 19 | Attainment: Log Cleared | 9 | 3 | Normal | 1 | No | Host Security Logs/AV/IDS/IPS | NextGen Firewall | | X | | |
| 29 | Lateral: Privilege Escalation after Attack | 9 | 1 | Normal | 2 | No | IDS/Security/AD/LDAP | IDS/Security/AD/LDAP | | | | X |
| 52 | Lateral: Internal Attack then Account Creation | 9 | 4 | Normal | 6 | No | IDS/Security/AD/LDAP | IDS/Security/AD/LDAP | | | | X |
| 72 | Compromise: Malware Outbreak | 9 | 3 | Normal | 2 | No | AV/IDS/IPS | NextGen Firewall | | X | | |
| 79 | C2: Malware: Outbound IRC | 6 | 7 | Normal | 3600 | No | Firewall or Network Flow Data (internal/egress) | LogRhythm Network Monitor, Next Gen Firewall (internal/egress) | | | X | |
| 86 | Lateral: Internal Recon then Account Creation | 9 | 1 | Normal | 3 | No | IDS/Sec Evt, AD, LDAP | Host | | | | X |
| 89 | Recon: Excessive HTTP Errors | 4 | 5 | Normal | 30 | No | Web Server | Web Server | | | X | |
| 111 | Recon: Metasploit Activity Observed | 4 | 5 | Normal | 3600 | No | Firewall or Network Flow Data (internal) | LogRhythm Network Monitor, Next Gen Firewall (internal) | | | X | |
| 473 | Compromise: Inbound RDP/VNC | 6 | 3 | Normal | 3600 | No | Firewall or Network Flow Data (perimeter) | LogRhythm Network Monitor, Next Gen Firewall (perimeter) | | | X | |
| 475 | C2: Excessive Outbound Firewall Denies | 6 | 5 | Normal | 60 | No | Firewall or Network Flow Data (perimeter) | LogRhythm Network Monitor, Next Gen Firewall (perimeter) | | | X | |
| 510 | Lateral: Password Modified by Admin | 6 | 8 | Normal | 60 | No | AD/LDAP | Host | (Optional) To exclude system accounts from this alarm, add an exclude filter for an Origin Login or Account that matches the regular expression `. *?/$` | | | X |
| 511 | Lateral: Admin Password Modified | 6 | 3 | Normal | 60 | No | AD/LDAP | Host | (Optional) To exclude system accounts from this alarm, add an exclude filter for an Origin Login or Account that matches the regular expression `\$$` | | | X |
| 546 | Recon: Multiple Lockouts | 6 | 5 | Normal | 1 | No | AD/LDAP | Host | | | | X |
| 711 | C2: Attack then Outbound Connection | 8 | 5 | Normal | 1 | No | IDS/IPS and Firewall or Network Flow Data | LogRhythm Network Monitor, Next Gen Firewall | | | X | |
| 713 | Corruption: Audit Disabled by Admin | 9 | 1 | Normal | 1 | No | AD/LDAP, Host Logs | AD/LDAP, Host Logs | An include filter where Origin Login = list of privileged user IDs must be entered into RB1. | | | X |
| 715 | Lateral: Locally Created and Used | 9 | 5 | Normal | 2 | No | Host Security Logs | Single Sign On Logs | | X | | |
| 716 | Exfil: Lateral Movement then Exfil | 9 | 5 | Normal | 2 | No | Host Security Logs/AV/IDS/IPS | NextGen Firewall | | X | | |
| 739 | C2: Port Misuse: 53 | 6 | 6 | Normal | 3600 | No | LogRhythm Network Monitor | LogRhythm Network Monitor | | | X | |
| 742 | Exfiltration: Large Outbound Transfer | 6 | 2 | Normal | 2 | No | Firewall or Network Flow Data | LogRhythm Network Monitor, Next Gen Firewall | | | X | |
| 744 | Recon: Excessive Inbound Firewall Denies | 4 | 9 | Normal | 12 | No | Firewall or Network Flow Data (perimeter) | LogRhythm Network Monitor, Next Gen Firewall (perimeter) | | | X | |
| 770 | Compromise: Repeated Attacks Against Host | 8 | 5 | Normal | 12 | No | IDS/IPS | Next Gen Firewall | | | X | |
| 776 | C2: External DNS Server Used | 6 | 4 | Normal | 3600 | No | Firewall or Network Flow Data | LogRhythm Network Monitor, Next Gen Firewall | | | X | |
| 783 | Compromise: Malware Not Cleaned | 9 | 5 | Normal | 1 | No | Host Security Logs/Host Application Logs/AV/IDS/IPS | NextGen Firewall | | X | | |
| 1180 | Compromise: Obsolete SSL/TLS Version | 6 | 6 | Normal | 3600 | No | Firewall or Network Flow Data | LogRhythm Network Monitor, Next Gen Firewall | This rule cannot be tuned, but it assists with reporting and insight. It is recommended to enforce a web server policy that does not fall back to older/vulnerable versions; the same is recommended for web browsers. | | X | |
Attack Lifecycle Progression Rules
The AI Engine rules contained in the Network Threat Detection Module are categorized by Attack Lifecycle stage. Each stage reflects a step in a security event, and activity that progresses from one stage to the next should be treated as a more serious event. The Network Threat Detection Module therefore also contains Attack Lifecycle Progression rules, which are designed to identify this progression. These rules are listed in the following table.
| Rule ID | Rule | Risk Rating | FPP | Runtime Priority | Suppression Multiple | Alarm on Event | Endpoint Threat Detection | Network Threat Detection | User Threat Detection |
|---|---|---|---|---|---|---|---|---|---|
| 1003 | Progression: to Initial Compromise | 8 | 1 | Normal | 1 | Yes | X | X | X |
| 1004 | Progression: to Command and Control | 8 | 1 | Normal | 1 | Yes | X | X | X |
| 1005 | Progression: to Lateral Movement | 8 | 1 | Normal | 1 | Yes | X | X | X |
| 1006 | Progression: to Target Attainment | 9 | 1 | Normal | 1 | Yes | X | X | X |
| 1007 | Progression: to Exfil, Corruption, Disruption | 9 | 1 | Normal | 1 | Yes | X | X | X |
| 1008 | Progression: to Initial Compromise | 8 | 1 | Normal | 1 | Yes | X | X | X |
| 1009 | Progression: to Command and Control | 8 | 1 | Normal | 1 | Yes | X | X | X |
| 1010 | Progression: to Lateral Movement | 8 | 1 | Normal | 1 | Yes | X | X | X |
| 1011 | Progression: to Target Attainment | 9 | 1 | Normal | 1 | Yes | X | X | X |
| 1012 | Progression: to Exfil, Corruption, Disruption | 9 | 1 | Normal | 1 | Yes | X | X | X |
| 1013 | Progression: to Initial Compromise | 9 | 1 | Normal | 1 | Yes | X | X | X |
| 1014 | Progression: to Command and Control | 8 | 1 | Normal | 1 | Yes | X | X | X |
| 1015 | Progression: to Lateral Movement | 8 | 1 | Normal | 1 | Yes | X | X | X |
| 1016 | Progression: to Target Attainment | 9 | 1 | Normal | 1 | Yes | X | X | X |
| 1017 | Progression: to Exfil, Corruption, Disruption | 9 | 1 | Normal | 1 | Yes | X | X | X |