Current Active Threat User Guide – AI Engine Rules
AIE Rule Name: | CAT: Canary List Rule: Hash Value |
AIE Rule ID: | 1337 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of a prior specified Hash Value. It is relatively unlikely for this hash value to be used in a legitimate fashion, but not impossible. |
Common Event: | AIE: CAT: Canary List Rule: Hash Value |
Classification | Security: Misuse |
Suppression Period: | 0 |
Alarm of Event Occurrence: | No |
Environmental Dependency Factor: | None |
False Positive Probability: | 6 |
Risk Rating: | 5 |
Rule Block Type: | Log Observed |
Rule Block Primary Filter: | Log Source Type = CAT: Metadata Field: Hash |
Rule Block Include Filter: | Hash = CAT: Canary List: Hash Value |
Group By: | Hash AND Host (Impacted) |
Additional Details: | The triggering of this rule does not 100% indicate or guarantee that the system, network, or computer environment is compromised. The triggering of this rule stipulates that a potentially malicious event happened within the environment. It is recommended to perform a further investigation of the affected system, network, or related computer infrastructure to ensure malicious activity is identified as early as possible. This rule is designed to trigger an event. It is not designed to trigger an AIE Alarm. Furthermore, this rule is designed to be used in conjunction with other Canary List rules built within the LogRhythm Labs CAT Module. Taking mitigation steps based solely upon this AIE rule alone is not recommended. Use your best judgment and analytic skills when taking mitigation steps against potential adversarial threats. |
AIE Rule Name: | CAT: Canary List Rule: IP Address (Impacted) |
AIE Rule ID: | 1338 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of a prior specified IP Address. It is relatively unlikely for this IP address to be used in a legitimate fashion, but not impossible. |
Common Event: | AIE: CAT: Canary List Rule: IP Address (Impacted) |
Classification | Security: Misuse |
Suppression Period: | 0 |
Alarm of Event Occurrence: | No |
Environmental Dependency Factor: | None |
False Positive Probability: | 6 |
Risk Rating: | 5 |
Rule Block Type: | Log Observed |
Rule Block Primary Filter: | Log Source Type = CAT: Metadata Field: Hostname Impacted AND Direction = Outbound |
Rule Block Include Filter: | IP Address (Impacted) = CAT: Canary List: IP Address (Host) |
Group By: | Host (Impacted) |
Additional Details: | Recommendations: This rule is designed to trigger an event. It is not designed to trigger an AIE Alarm. Furthermore, this rule is designed to be used in conjunction with other Canary List rules built within the LogRhythm Labs CAT Module. Taking mitigation steps based solely upon this AIE rule alone is not recommended. Use your best judgment and analytic skills when taking mitigation steps against potential adversarial threats. |
AIE Rule Name: | CAT: Canary List Rule: IP Address (Origin) |
AIE Rule ID: | 1339 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of a prior specified IP Address. It is relatively unlikely for this IP address to be used in a legitimate fashion, but not impossible. |
Common Event: | AIE: CAT: Canary List Rule: IP Address (Origin) |
Classification | Security: Misuse |
Suppression Period: | 0 |
Alarm of Event Occurrence: | No |
Environmental Dependency Factor: | None |
False Positive Probability: | 6 |
Risk Rating: | 5 |
Rule Block Type: | Log Observed |
Rule Block Primary Filter: | Log Source Type = CAT: Metadata Field: Hostname Origin AND Direction = External |
Rule Block Include Filter: | IP Address (Origin) = CAT: Canary List: IP Address (Host) |
Group By: | Host (Origin) |
Additional Details: | Recommendations: This rule is designed to trigger an event. It is not designed to trigger an AIE Alarm. Furthermore, this rule is designed to be used in conjunction with other Canary List rules built within the LogRhythm Labs CAT Module. Taking mitigation steps based solely upon this AIE rule alone is not recommended. Use your best judgment and analytic skills when taking mitigation steps against potential adversarial threats. |
AIE Rule Name: | CAT: Canary List Rule: Process Name |
AIE Rule ID: | 1340 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of a prior specified Process Name. It is relatively likely for this process name to be used in a legitimate fashion, but it has been found to have illegitimate uses. |
Common Event: | AIE: CAT: Canary List Rule: Process Name |
Classification | Security: Misuse |
Suppression Period: | 0 |
Alarm of Event Occurrence: | No |
Environmental Dependency Factor: | None |
False Positive Probability: | 6 |
Risk Rating: | 5 |
Rule Block Type: | Log Observed |
Rule Block Primary Filter: | Log Source Type = CAT: Metadata Field: Process Name |
Rule Block Include Filter: | Process Name = CAT: Canary List: Process Name |
Group By: | Process Name AND Host (Impacted) |
Additional Details: | Recommendations: This rule is designed to trigger an event. It is not designed to trigger an AIE Alarm. Furthermore, this rule is designed to be used in conjunction with other Canary List rules built within the LogRhythm Labs CAT Module. Taking mitigation steps based solely upon this AIE rule alone is not recommended. Use your best judgment and analytic skills when taking mitigation steps against potential adversarial threats. |
AIE Rule Name: | CAT: Canary List Rule: Process Path |
AIE Rule ID: | 1341 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of a prior specified Process Path. It is relatively likely for this process path to be used in a legitimate fashion, but it has been found to have illegitimate uses. |
Common Event: | AIE: CAT: Canary List Rule: Process Path |
Classification | Security: Misuse |
Suppression Period: | 0 |
Alarm of Event Occurrence: | No |
Environmental Dependency Factor: | None |
False Positive Probability: | 6 |
Risk Rating: | 5 |
Rule Block Type: | Log Observed |
Rule Block Primary Filter: | Log Source Type = CAT: Metadata Field: Subject OR Log Source Type = CAT: Metadata Field: Parent Process Path |
Rule Block Include Filter: | Subject = CAT: Canary List: Process Path OR Parent Process Path = CAT: Canary List: Process Path |
Group By: | Parent Process Path AND Subject AND Host (Impacted) |
Additional Details: | Recommendations: This rule is designed to trigger an event. It is not designed to trigger an AIE Alarm. Furthermore, this rule is designed to be used in conjunction with other Canary List rules built within the LogRhythm Labs CAT Module. Taking mitigation steps based solely upon this AIE rule alone is not recommended. Use your best judgment and analytic skills when taking mitigation steps against potential adversarial threats. |
AIE Rule Name: | CAT: Canary List Rule: Registry Key |
AIE Rule ID: | 1342 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of a prior specified Registry Key. It is relatively likely for this registry key to be used in a legitimate fashion, but it has been found to have illegitimate uses. |
Common Event: | AIE: CAT: Canary List Rule: Registry Key |
Classification | Security: Misuse |
Suppression Period: | 0 |
Alarm of Event Occurrence: | No |
Environmental Dependency Factor: | None |
False Positive Probability: | 6 |
Risk Rating: | 5 |
Rule Block Type: | Log Observed |
Rule Block Primary Filter: | Log Source Type = CAT: Metadata Field: Object OR Log Source Type = CAT: Metadata Field: Subject |
Rule Block Include Filter: | Object = CAT : Canary List : Registry Keys OR Subject = CAT : Canary List : Registry Keys |
Group By: | Object AND Subject AND Host (Impacted) |
Additional Details: | Recommendations: This rule is designed to trigger an event. It is not designed to trigger an AIE Alarm. Furthermore, this rule is designed to be used in conjunction with other Canary List rules built within the LogRhythm Labs CAT Module. Taking mitigation steps based solely upon this AIE rule alone is not recommended. Use your best judgment and analytic skills when taking mitigation steps against potential adversarial threats. |
AIE Rule Name: | CAT: Canary List Rule: Domain (Impacted) |
AIE Rule ID: | 1345 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of a prior specified Domain (Impacted). It is relatively unlikely for this domain to be used in a legitimate fashion, but not impossible. |
Common Event: | AIE: CAT: Canary List Rule: Domain (Impacted) |
Classification | Security: Misuse |
Suppression Period: | 0 |
Alarm of Event Occurrence: | No |
Environmental Dependency Factor: | None |
False Positive Probability: | 6 |
Risk Rating: | 5 |
Rule Block Type: | Log Observed |
Rule Block Primary Filter: | Log Source Type = CAT: Metadata Field: Domain Impacted |
Rule Block Include Filter: | Domain Impacted = CAT: Canary List: Domain |
Group By: | Domain Impacted AND Host (Impacted) |
Additional Details: | Recommendations: This rule is designed to trigger an event. It is not designed to trigger an AIE Alarm. Furthermore, this rule is designed to be used in conjunction with other Canary List rules built within the LogRhythm Labs CAT Module. Taking mitigation steps based solely upon this AIE rule alone is not recommended. Use your best judgment and analytic skills when taking mitigation steps against potential adversarial threats. |
AIE Rule Name: | CAT: Canary List Rule: Domain (Origin) |
AIE Rule ID: | 1366 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of a prior specified Domain (Origin). It is relatively unlikely for this domain to be used in a legitimate fashion, but not impossible. |
Common Event: | AIE: CAT: Canary List Rule: Domain (Origin) |
Classification | Security: Misuse |
Suppression Period: | 0 |
Alarm of Event Occurrence: | No |
Environmental Dependency Factor: | None |
False Positive Probability: | 6 |
Risk Rating: | 5 |
Rule Block Type: | Log Observed |
Rule Block Primary Filter: | Log Source Type = CAT: Metadata Field: Domain Origin |
Rule Block Include Filter: | Domain Origin = CAT: Canary List: Domain |
Group By: | Domain Origin AND Host (Impacted) |
Additional Details: | Recommendations: This rule is designed to trigger an event. It is not designed to trigger an AIE Alarm. Furthermore, this rule is designed to be used in conjunction with other Canary List rules built within the LogRhythm Labs CAT Module. Taking mitigation steps based solely upon this AIE rule alone is not recommended. Use your best judgment and analytic skills when taking mitigation steps against potential adversarial threats. |
AIE Rule Name: | CAT: Severity Increase: 2 Hits from Unique Canary Lists |
AIE Rule ID: | 1346 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of two Canary List hits from a single host. This event is designed to solely affect the WebUI CAT dashboard, highlighting emerging threats in the network. |
Common Event: | AIE: CAT: Severity Increase: 2 Hits from Unique Canary Lists |
Classification | Security: Suspicious |
Suppression Period: | 3 Hours |
Alarm of Event Occurrence: | Yes |
Environmental Dependency Factor: | None |
False Positive Probability: | 5 |
Risk Rating: | 6 |
Rule Block Type: | Unique Values Observed |
Rule Block Primary Filter: | Common Event = AIE: CAT: Canary List Rule: Hash Value OR Common Event = AIE: CAT: Canary List Rule: IP Address (Impacted) OR Common Event = AIE: CAT: Canary List Rule: IP Address (Origin) OR Common Event = AIE: CAT: Canary List Rule: Process Name OR Common Event = AIE: CAT: Canary List Rule: Process Path OR Common Event = AIE: CAT: Canary List Rule: Registry Key OR Common Event = AIE: CAT: Canary List Rule: Domain OR Common Event = CAT: Canary List: UEBA - Event |
Rule Block Include Filter: | |
Group By: | Host (Impacted) |
Additional Details: | Recommendations: The triggering of this rule does not 100% indicate or guarantee that the system, network, or computer environment is compromised. The triggering of this rule stipulates that a potentially malicious event happened within the Impacted Host. To investigate this alarm, drill down into the Alarm itself, which will display the Canary List Rules which triggered it. To investigate each of the Canary List Rules, drill down into each of the Canary List Rules to ascertain each log which triggered that rule. |
AIE Rule Name: | CAT: Severity Increase : 3 Hits from Any Canary List |
AIE Rule ID: | 1347 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of three Canary List hits from any list, including repeated events. Designed to affect the WebUI CAT dashboard, focusing on emerging threats in the network. |
Common Event: | AIE: CAT: Severity Increase : 3 Hits from Any Canary List |
Classification | Security: Suspicious |
Suppression Period: | 3 Hours |
Alarm of Event Occurrence: | Yes |
Environmental Dependency Factor: | None |
False Positive Probability: | 5 |
Risk Rating: | 6 |
Rule Block Type: | Threshold Observed |
Rule Block Primary Filter: | Common Event = AIE: CAT: Canary List Rule: Hash Value OR Common Event = AIE: CAT: Canary List Rule: IP Address (Impacted) OR Common Event = AIE: CAT: Canary List Rule: IP Address (Origin) OR Common Event = AIE: CAT: Canary List Rule: Process Name OR Common Event = AIE: CAT: Canary List Rule: Process Path OR Common Event = AIE: CAT: Canary List Rule: Registry Key OR Common Event = CAT: Canary List: UEBA – Event OR Common Event = AIE: CAT: Canary List Rule: Domain (Impacted) OR Common Event = AIE: CAT: Canary List Rule: Domain (Origin) |
Rule Block Include Filter: | |
Group By: | Host (Impacted) |
Additional Details: | Recommendations: The triggering of this rule does not 100% indicate or guarantee that the system, network, or computer environment is compromised. The triggering of this rule stipulates that a potentially malicious event happened within the Impacted Host. To investigate this alarm, drill down into the Alarm itself, which will display the Canary List Rules which triggered it. To investigate each of the Canary List Rules, drill down into each of the Canary List Rules to ascertain each log which triggered that rule. |
AIE Rule Name: | CAT: Severity Increase : 3 Hits from Unique Canary Lists |
AIE Rule ID: | 1348 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of three Canary List hits from a single host. Designed to affect the WebUI CAT dashboard, focusing on emerging threats in the network. |
Common Event: | AIE: CAT: Severity Increase : 3 Hits from Unique Canary Lists |
Classification | Operations: Error |
Suppression Period: | 3 Hours |
Alarm of Event Occurrence: | Yes |
Environmental Dependency Factor: | None |
False Positive Probability: | 4 |
Risk Rating: | 7 |
Rule Block Type: | Unique Values Observed |
Rule Block Primary Filter: | Common Event = AIE: CAT: Canary List Rule: Hash Value OR Common Event = AIE: CAT: Canary List Rule: IP Address (Impacted) OR Common Event = AIE: CAT: Canary List Rule: IP Address (Origin) OR Common Event = AIE: CAT: Canary List Rule: Process Name OR Common Event = AIE: CAT: Canary List Rule: Process Path OR Common Event = AIE: CAT: Canary List Rule: Registry Key OR Common Event = CAT: Canary List: UEBA – Event OR Common Event = AIE: CAT: Canary List Rule: Domain (Impacted) OR Common Event = AIE: CAT: Canary List Rule: Domain (Origin) |
Rule Block Include Filter: | |
Group By: | Host (Impacted) |
Additional Details: | Recommendations: The triggering of this rule does not 100% indicate or guarantee that the system, network, or computer environment is compromised. The triggering of this rule stipulates that a potentially malicious event happened within the Impacted Host. To investigate this alarm, drill down into the Alarm itself, which will display the Canary List Rules which triggered it. To investigate each of the Canary List Rules, drill down into each of the Canary List Rules to ascertain each log which triggered that rule. |
AIE Rule Name: | CAT: Severity Increase: 4 Hits from Any Canary List |
AIE Rule ID: | 1349 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of four Canary List hits from any list, including repeated events. Designed to affect the WebUI CAT dashboard, focusing on emerging threats in the network. |
Common Event: | AIE: CAT: Severity Increase: 4 Hits from Any Canary List |
Classification | Operations: Error |
Suppression Period: | 3 Hours |
Alarm of Event Occurrence: | Yes |
Environmental Dependency Factor: | None |
False Positive Probability: | 5 |
Risk Rating: | 7 |
Rule Block Type: | Threshold Observed |
Rule Block Primary Filter: | Common Event = AIE: CAT: Canary List Rule: Hash Value OR Common Event = AIE: CAT: Canary List Rule: IP Address (Impacted) OR Common Event = AIE: CAT: Canary List Rule: IP Address (Origin) OR Common Event = AIE: CAT: Canary List Rule: Process Name OR Common Event = AIE: CAT: Canary List Rule: Process Path OR Common Event = AIE: CAT: Canary List Rule: Registry Key OR Common Event = CAT: Canary List: UEBA – Event OR Common Event = AIE: CAT: Canary List Rule: Domain (Impacted) OR Common Event = AIE: CAT: Canary List Rule: Domain (Origin) |
Rule Block Include Filter: | |
Group By: | Host (Impacted) |
Additional Details: | Recommendations: The triggering of this rule does not 100% indicate or guarantee that the system, network, or computer environment is compromised. The triggering of this rule stipulates that a potentially malicious event happened within the Impacted Host. To investigate this alarm, drill down into the Alarm itself, which will display the Canary List Rules which triggered it. To investigate each of the Canary List Rules, drill down into each of the Canary List Rules to ascertain each log which triggered that rule. |
AIE Rule Name: | CAT: Severity Increase: 4 Hits from Unique Canary Lists |
AIE Rule ID: | 1350 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of four Canary List hits from a single host. Designed to affect the WebUI CAT dashboard, focusing on emerging threats in the network. |
Common Event: | AIE: CAT: Severity Increase: 4 Hits from Unique Canary Lists |
Classification | Security: Attack |
Suppression Period: | 3 Hours |
Alarm of Event Occurrence: | Yes |
Environmental Dependency Factor: | None |
False Positive Probability: | 3 |
Risk Rating: | 8 |
Rule Block Type: | Unique Values Observed |
Rule Block Primary Filter: | Common Event = AIE: CAT: Canary List Rule: Hash Value OR Common Event = AIE: CAT: Canary List Rule: IP Address (Impacted) OR Common Event = AIE: CAT: Canary List Rule: IP Address (Origin) OR Common Event = AIE: CAT: Canary List Rule: Process Name OR Common Event = AIE: CAT: Canary List Rule: Process Path OR Common Event = AIE: CAT: Canary List Rule: Registry Key OR Common Event = CAT: Canary List: UEBA – Event OR Common Event = AIE: CAT: Canary List Rule: Domain (Impacted) OR Common Event = AIE: CAT: Canary List Rule: Domain (Origin) |
Rule Block Include Filter: | |
Group By: | Host (Impacted) |
Additional Details: | Recommendations: The triggering of this rule does not 100% indicate or guarantee that the system, network, or computer environment is compromised. The triggering of this rule stipulates that a potentially malicious event happened within the Impacted Host. To investigate this alarm, drill down into the Alarm itself, which will display the Canary List Rules which triggered it. To investigate each of the Canary List Rules, drill down into each of the Canary List Rules to ascertain each log which triggered that rule. |
AIE Rule Name: | CAT: Severity Increase: 5 Hits from Any Canary List |
AIE Rule ID: | 1351 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of five Canary List hits from any list, including repeated events. Designed to affect the WebUI CAT dashboard, focusing on emerging threats in the network. |
Common Event: | AIE: CAT: Severity Increase: 5 Hits from Any Canary List |
Classification | Security: Attack |
Suppression Period: | 3 Hours |
Alarm of Event Occurrence: | Yes |
Environmental Dependency Factor: | None |
False Positive Probability: | 4 |
Risk Rating: | 8 |
Rule Block Type: | Threshold Observed |
Rule Block Primary Filter: | Common Event = AIE: CAT: Canary List Rule: Hash Value OR Common Event = AIE: CAT: Canary List Rule: IP Address (Impacted) OR Common Event = AIE: CAT: Canary List Rule: IP Address (Origin) OR Common Event = AIE: CAT: Canary List Rule: Process Name OR Common Event = AIE: CAT: Canary List Rule: Process Path OR Common Event = AIE: CAT: Canary List Rule: Registry Key OR Common Event = CAT: Canary List: UEBA – Event OR Common Event = AIE: CAT: Canary List Rule: Domain (Impacted) OR Common Event = AIE: CAT: Canary List Rule: Domain (Origin) |
Rule Block Include Filter: | |
Group By: | Host (Impacted) |
Additional Details: | Recommendations: The triggering of this rule does not 100% indicate or guarantee that the system, network, or computer environment is compromised. The triggering of this rule stipulates that a potentially malicious event happened within the Impacted Host. To investigate this alarm, drill down into the Alarm itself, which will display the Canary List Rules which triggered it. To investigate each of the Canary List Rules, drill down into each of the Canary List Rules to ascertain each log which triggered that rule. |
AIE Rule Name: | CAT: Severity Increase: 5 Hits from Unique Canary Lists |
AIE Rule ID: | 1352 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of five Canary List hits from a single host. Designed to affect the WebUI CAT dashboard, focusing on emerging threats in the network. |
Common Event: | AIE: CAT: Severity Increase: 5 Hits from Unique Canary Lists |
Classification | Security: Compromise |
Suppression Period: | 3 Hours |
Alarm of Event Occurrence: | Yes |
Environmental Dependency Factor: | None |
False Positive Probability: | 2 |
Risk Rating: | 9 |
Rule Block Type: | Unique Values Observed |
Rule Block Primary Filter: | Common Event = AIE: CAT: Canary List Rule: Hash Value OR Common Event = AIE: CAT: Canary List Rule: IP Address (Impacted) OR Common Event = AIE: CAT: Canary List Rule: IP Address (Origin) OR Common Event = AIE: CAT: Canary List Rule: Process Name OR Common Event = AIE: CAT: Canary List Rule: Process Path OR Common Event = AIE: CAT: Canary List Rule: Registry Key OR Common Event = CAT: Canary List: UEBA – Event OR Common Event = AIE: CAT: Canary List Rule: Domain (Impacted) OR Common Event = AIE: CAT: Canary List Rule: Domain (Origin) |
Rule Block Include Filter: | |
Group By: | Host (Impacted) |
Additional Details: | Recommendations: The triggering of this rule does not 100% indicate or guarantee that the system, network, or computer environment is compromised. The triggering of this rule stipulates that a potentially malicious event happened within the Impacted Host. To investigate this alarm, drill down into the Alarm itself, which will display the Canary List Rules which triggered it. To investigate each of the Canary List Rules, drill down into each of the Canary List Rules to ascertain each log which triggered that rule. |
AIE Rule Name: | CAT: Severity Increase: 6 Hits from Any Canary List |
AIE Rule ID: | 1353 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of six Canary List hits from any list, including repeated events. Designed to affect the WebUI CAT dashboard, focusing on emerging threats in the network. |
Common Event: | AIE: CAT: Severity Increase: 6 Hits from Any Canary List |
Classification | Security: Compromise |
Suppression Period: | 3 Hours |
Alarm of Event Occurrence: | Yes |
Environmental Dependency Factor: | None |
False Positive Probability: | 3 |
Risk Rating: | 9 |
Rule Block Type: | Threshold Observed |
Rule Block Primary Filter: | Common Event = AIE: CAT: Canary List Rule: Hash Value OR Common Event = AIE: CAT: Canary List Rule: IP Address (Impacted) OR Common Event = AIE: CAT: Canary List Rule: IP Address (Origin) OR Common Event = AIE: CAT: Canary List Rule: Process Name OR Common Event = AIE: CAT: Canary List Rule: Process Path OR Common Event = AIE: CAT: Canary List Rule: Registry Key OR Common Event = CAT: Canary List: UEBA – Event OR Common Event = AIE: CAT: Canary List Rule: Domain (Impacted) OR Common Event = AIE: CAT: Canary List Rule: Domain (Origin) |
Rule Block Include Filter: | |
Group By: | Host (Impacted) |
Additional Details: | Recommendations: The triggering of this rule does not 100% indicate or guarantee that the system, network, or computer environment is compromised. The triggering of this rule stipulates that a potentially malicious event happened within the Impacted Host. To investigate this alarm, drill down into the Alarm itself, which will display the Canary List Rules which triggered it. To investigate each of the Canary List Rules, drill down into each of the Canary List Rules to ascertain each log which triggered that rule. |
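The two-stage logic these entries describe, shown as an added Python simulation (example code written for this page, not LogRhythm's AIE implementation): stage 1 matches log metadata fields against canary lists and emits the Common Event each "CAT: Canary List Rule" above would produce, including the Direction condition on the two IP Address rules; stage 2 re-implements the "Severity Increase" tiers, with "Unique Values Observed" counting distinct canary rules per Impacted Host, "Threshold Observed" counting every hit including repeats, and each tier held back by the 3-hour Suppression Period. The canary list entries, host names and timestamps are constructed placeholders, and because the guide does not state the rule blocks' evaluation window, the counters here accumulate over the whole replay, which is an assumption of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

SUPPRESSION = timedelta(hours=3)  # every Severity Increase rule: "Suppression Period: 3 Hours"

# Constructed canary lists: placeholder indicators for this example, not real IoCs.
CANARY_LISTS = {
    "Hash Value": {"PLACEHOLDER-HASH-0001"},
    "IP Address (Host)": {"203.0.113.77"},  # TEST-NET-3 documentation range
    "Process Name": {"canarytool.exe"},
    "Process Path": {"C:\\Temp\\canarytool.exe"},
    "Registry Keys": {"HKLM\\SOFTWARE\\Example\\CanaryKey"},
    "Domain": {"canary.example"},
}

# Stage 1, transcribed from the "Canary List Rule" entries above:
# (Common Event emitted, canary list, log fields compared, required Direction or None)
CANARY_RULES = [
    ("AIE: CAT: Canary List Rule: Hash Value", "Hash Value", ("Hash",), None),
    ("AIE: CAT: Canary List Rule: IP Address (Impacted)", "IP Address (Host)", ("IP Address (Impacted)",), "Outbound"),
    ("AIE: CAT: Canary List Rule: IP Address (Origin)", "IP Address (Host)", ("IP Address (Origin)",), "External"),
    ("AIE: CAT: Canary List Rule: Process Name", "Process Name", ("Process Name",), None),
    ("AIE: CAT: Canary List Rule: Process Path", "Process Path", ("Subject", "Parent Process Path"), None),
    ("AIE: CAT: Canary List Rule: Registry Key", "Registry Keys", ("Object", "Subject"), None),
    ("AIE: CAT: Canary List Rule: Domain (Impacted)", "Domain", ("Domain Impacted",), None),
    ("AIE: CAT: Canary List Rule: Domain (Origin)", "Domain", ("Domain Origin",), None),
]

# Stage 2, transcribed from the "Severity Increase" entries:
# (rule name, counting mode, hits required, Classification, Risk Rating)
SEVERITY_TIERS = [
    ("CAT: Severity Increase: 2 Hits from Unique Canary Lists", "unique", 2, "Security: Suspicious", 6),
    ("CAT: Severity Increase : 3 Hits from Any Canary List", "any", 3, "Security: Suspicious", 6),
    ("CAT: Severity Increase : 3 Hits from Unique Canary Lists", "unique", 3, "Operations: Error", 7),
    ("CAT: Severity Increase: 4 Hits from Any Canary List", "any", 4, "Operations: Error", 7),
    ("CAT: Severity Increase: 4 Hits from Unique Canary Lists", "unique", 4, "Security: Attack", 8),
    ("CAT: Severity Increase: 5 Hits from Any Canary List", "any", 5, "Security: Attack", 8),
    ("CAT: Severity Increase: 5 Hits from Unique Canary Lists", "unique", 5, "Security: Compromise", 9),
    ("CAT: Severity Increase: 6 Hits from Any Canary List", "any", 6, "Security: Compromise", 9),
]

def canary_hits(log):
    """Common Events the Canary List rules would emit for one parsed log (a dict of metadata fields)."""
    hits = []
    for common_event, list_name, fields, direction in CANARY_RULES:
        if direction is not None and log.get("Direction") != direction:
            continue  # the two IP Address rules also require Direction = Outbound / External
        if any(log.get(field) in CANARY_LISTS[list_name] for field in fields):
            hits.append(common_event)
    return hits

def severity_alarms(logs):
    """Replay logs in time order; return the Severity Increase alarms that would be raised.
    Assumption: the guide states no evaluation window, so counts accumulate per Impacted Host over
    the whole replay. "unique" = distinct canary Common Events (Unique Values Observed);
    "any" = every hit, repeats included (Threshold Observed)."""
    unique_seen = defaultdict(set)  # host -> distinct canary Common Events
    total_hits = defaultdict(int)   # host -> all hits, repeats included
    last_fired = {}                 # (tier name, host) -> time of the last alarm
    alarms = []
    for log in sorted(logs, key=lambda entry: entry["time"]):
        host = log["Host (Impacted)"]
        hits = canary_hits(log)
        if not hits:
            continue
        unique_seen[host].update(hits)
        total_hits[host] += len(hits)
        for name, mode, threshold, classification, risk in SEVERITY_TIERS:
            count = len(unique_seen[host]) if mode == "unique" else total_hits[host]
            if count < threshold:
                continue
            fired = last_fired.get((name, host))
            if fired is not None and log["time"] - fired < SUPPRESSION:
                continue  # suppressed: same rule, same host, inside the 3-hour window
            last_fired[(name, host)] = log["time"]
            alarms.append({"time": log["time"], "host": host, "rule": name,
                           "classification": classification, "risk": risk})
    return alarms

def highest_risk(alarms):
    """Highest Risk Rating reached per host, the view the CAT dashboard is meant to surface."""
    return {host: max(a["risk"] for a in alarms if a["host"] == host) for host in {a["host"] for a in alarms}}

# Constructed sample logs; T0 and the host names are invented for this example.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_LOGS = [
    {"time": T0, "Host (Impacted)": "WS-01", "Process Name": "canarytool.exe"},
    {"time": T0 + timedelta(minutes=5), "Host (Impacted)": "WS-01", "Hash": "PLACEHOLDER-HASH-0001"},
    {"time": T0 + timedelta(minutes=10), "Host (Impacted)": "WS-01", "IP Address (Impacted)": "203.0.113.77", "Direction": "Outbound"},
    {"time": T0 + timedelta(minutes=12), "Host (Impacted)": "WS-01", "IP Address (Impacted)": "203.0.113.77", "Direction": "Inbound"},  # fails the Direction filter
    {"time": T0 + timedelta(minutes=15), "Host (Impacted)": "WS-02", "Domain Impacted": "canary.example"},
    {"time": T0 + timedelta(minutes=20), "Host (Impacted)": "WS-01", "Domain Impacted": "canary.example"},
    {"time": T0 + timedelta(minutes=25), "Host (Impacted)": "WS-01", "Process Name": "canarytool.exe"},  # repeat of an already-seen list
    {"time": T0 + timedelta(hours=4), "Host (Impacted)": "WS-01", "Hash": "PLACEHOLDER-HASH-0001"},  # after the 3-hour suppression lapsed
]

if __name__ == "__main__":
    for alarm in severity_alarms(SAMPLE_LOGS):
        print(alarm["time"].strftime("%H:%M"), alarm["host"], alarm["rule"], alarm["classification"], alarm["risk"])
```

Running the replay shows the distinction the two Rule Block Types encode: the fourth distinct list hit on WS-01 at 09:20 raises both "4 Hits from Any" and "4 Hits from Unique", whereas the repeated process-name hit at 09:25 advances only the "Any" counter and raises "5 Hits from Any Canary List" without reaching "5 Hits from Unique Canary Lists", so a single noisy list cannot by itself climb the Unique tiers. The inbound connection at 09:12 produces no Canary List event because the IP Address (Impacted) rule's Direction filter is not met, and WS-02 never alarms with a single hit. The hash seen again at 13:00 re-fires the lower tiers because more than 3 hours have passed since each last fired, and pushes the host to "6 Hits from Any Canary List" (Security: Compromise, Risk Rating 9).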
AIE Rule Name: | CAT: Canary List Rule: Hash Value |
AIE Rule ID: | 1337 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of a prior specified Hash Value. It is relatively unlikely for this hash value to be used in a legitimate fashion, but not impossible. |
Common Event: | AIE: CAT: Canary List Rule: Hash Value |
Classification | Security: Misuse |
Suppression Period: | 0 |
Alarm of Event Occurrence: | No |
Environmental Dependency Factor: | None |
False Positive Probability: | 6 |
Risk Rating: | 5 |
Rule Block Type: | Log Observed |
Rule Block Primary Filter: | Log Source Type = CAT: Metadata Field: Hash |
Rule Block Include Filter: | Hash = CAT: Canary List: Hash Value |
Group By: | Hash AND Host (Impacted) |
Additional Details: | The triggering of this rule does not 100% indicate or guarantee that the system, network, or computer environment is compromised. The triggering of this rule stipulates that a potentially malicious event happened within the environment. It is recommended to perform a further investigation of the affected system, network, or related computer infrastructure to ensure malicious activity is identified as early as possible. This rule is designed to trigger an event. It is not designed to trigger an AIE Alarm. Furthermore, this rule is designed to be used in conjunction with other Canary List rules built within the LogRhythm Labs CAT Module. Taking mitigation steps based solely upon this AIE rule alone is not recommended. Use your best judgment and analytic skills when taking mitigation steps against potential adversarial threats. |
AIE Rule Name: | CAT: Canary List Rule: IP Address (Impacted) |
AIE Rule ID: | 1338 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of a prior specified IP Address. It is relatively unlikely for this hash value to be used in a legitimate fashion, but not impossible. |
Common Event: | AIE: CAT: Canary List Rule: IP Address (Impacted) |
Classification | Security: Misuse |
Suppression Period: | 0 |
Alarm of Event Occurrence: | No |
Environmental Dependency Factor: | None |
False Positive Probability: | 6 |
Risk Rating: | 5 |
Rule Block Type: | Log Observed |
Rule Block Primary Filter: | Log Source Type = CAT: Metadata Field: Hostname Impacted AND Direction = Outbound |
Rule Block Include Filter: | IP Address (Impacted) = CAT: Canary List: IP Address (Host) |
Group By: | Host (Impacted) |
Additional Details: | Recommendations: This rule is designed to trigger an event. It is not designed to trigger an AIE Alarm. Furthermore, this rule is designed to be used in conjunction with other Canary List rules built within the LogRhythm Labs CAT Module. Taking mitigation steps based solely upon this AIE rule alone is not recommended. Use your best judgment and analytic skills when taking mitigation steps against potential adversarial threats. |
AIE Rule Name: | CAT: Canary List Rule: IP Address (Origin) |
AIE Rule ID: | 1339 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of a prior specified IP Address. It is relatively unlikely for this hash value to be used in a legitimate fashion, but not impossible. |
Common Event: | AIE: CAT: Canary List Rule: IP Address (Origin) |
Classification | Security: Misuse |
Suppression Period: | 0 |
Alarm of Event Occurrence: | No |
Environmental Dependency Factor: | None |
False Positive Probability: | 6 |
Risk Rating: | 5 |
Rule Block Type: | Log Observed |
Rule Block Primary Filter: | Log Source Type = CAT: Metadata Field: Hostname Origin AND Direction = External |
Rule Block Include Filter: | IP Address (Origin) = CAT: Canary List: IP Address (Host) |
Group By: | Host (Origin) |
Additional Details: | Recommendations: This rule is designed to trigger an event. It is not designed to trigger an AIE Alarm. Furthermore, this rule is designed to be used in conjunction with other Canary List rules built within the LogRhythm Labs CAT Module. Taking mitigation steps based solely upon this AIE rule alone is not recommended. Use your best judgment and analytic skills when taking mitigation steps against potential adversarial threats. |
AIE Rule Name: | CAT: Canary List Rule: Process Name |
AIE Rule ID: | 1340 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of a prior specified Process Name. It is relatively likely for this process name to be used in a legitimate fashion, but it has been found to have illegitimate uses. |
Common Event: | AIE: CAT: Canary List Rule: Process Name |
Classification | Security: Misuse |
Suppression Period: | 0 |
Alarm of Event Occurrence: | No |
Environmental Dependency Factor: | None |
False Positive Probability: | 6 |
Risk Rating: | 5 |
Rule Block Type: | Log Observed |
Rule Block Primary Filter: | Log Source Type = CAT: Metadata Field: Process Name |
Rule Block Include Filter: | Process Name = CAT: Canary List: Process Name |
Group By: | Process Name AND Host (Impacted) |
Additional Details: | Recommendations: This rule is designed to trigger an event. It is not designed to trigger an AIE Alarm. Furthermore, this rule is designed to be used in conjunction with other Canary List rules built within the LogRhythm Labs CAT Module. Taking mitigation steps based solely upon this AIE rule alone is not recommended. Use your best judgment and analytic skills when taking mitigation steps against potential adversarial threats. |
AIE Rule Name: | CAT: Canary List Rule: Process Path |
AIE Rule ID: | 1341 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of a prior specified Process Path. It is relatively likely for this process name to be used in a legitimate fashion, it has been found to have illegitimate uses. |
Common Event: | AIE: CAT: Canary List Rule: Process Path |
Classification | Security: Misuse |
Suppression Period: | 0 |
Alarm of Event Occurrence: | No |
Environmental Dependency Factor: | None |
False Positive Probability: | 6 |
Risk Rating: | 5 |
Rule Block Type: | Log Observed |
Rule Block Primary Filter: | Log Source Type = CAT: Metadata Field: Subject OR Log Source Type = CAT: Metadata Field: Parent Process Path |
Rule Block Include Filter: | Subject = CAT: Canary List: Process Path OR Parent Process Path = CAT: Canary List: Process Path |
Group By: | Parent Process Path AND Subject AND Host (Impacted) |
Additional Details: | Recommendations: This rule is designed to trigger an event. It is not designed to trigger an AIE Alarm. Furthermore, this rule is designed to be used in conjunction with other Canary List rules built within the LogRhythm Labs CAT Module. Taking mitigation steps based solely upon this AIE rule alone is not recommended. Use your best judgment and analytic skills when taking mitigation steps against potential adversarial threats. |
AIE Rule Name: | CAT: Canary List Rule: Registry Key |
AIE Rule ID: | 1342 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of a prior specified Registry Key. It is relatively likely for this registry key to be used in a legitimate fashion, but it has been found to have illegitimate uses. |
Common Event: | AIE: CAT: Canary List Rule: Registry Key |
Classification | Security: Misuse |
Suppression Period: | 0 |
Alarm of Event Occurrence: | No |
Environmental Dependency Factor: | None |
False Positive Probability: | 6 |
Risk Rating: | 5 |
Rule Block Type: | Log Observed |
Rule Block Primary Filter: | Log Source Type = CAT: Metadata Field: Object OR Log Source Type = CAT: Metadata Field: Subject |
Rule Block Include Filter: | Object = CAT: Canary List: Registry Keys OR Subject = CAT: Canary List: Registry Keys |
Group By: | Object AND Subject AND Host (Impacted) |
Additional Details: | Recommendations: This rule is designed to trigger an event, not an AIE Alarm. It is designed to be used in conjunction with the other Canary List rules built within the LogRhythm Labs CAT Module; taking mitigation steps based solely upon this AIE rule is not recommended. Use your best judgment and analytic skills when taking mitigation steps against potential adversarial threats. |
AIE Rule Name: | CAT: Canary List Rule: Domain (Impacted) |
AIE Rule ID: | 1345 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of a prior specified Domain (Impacted). It is relatively unlikely for this domain to be used in a legitimate fashion, but not impossible. |
Common Event: | AIE: CAT: Canary List Rule: Domain (Impacted) |
Classification | Security: Misuse |
Suppression Period: | 0 |
Alarm of Event Occurrence: | No |
Environmental Dependency Factor: | None |
False Positive Probability: | 6 |
Risk Rating: | 5 |
Rule Block Type: | Log Observed |
Rule Block Primary Filter: | Log Source Type = CAT: Metadata Field: Domain Impacted |
Rule Block Include Filter: | Domain Impacted = CAT: Canary List: Domain |
Group By: | Domain Impacted AND Host (Impacted) |
Additional Details: | Recommendations: This rule is designed to trigger an event, not an AIE Alarm. It is designed to be used in conjunction with the other Canary List rules built within the LogRhythm Labs CAT Module; taking mitigation steps based solely upon this AIE rule is not recommended. Use your best judgment and analytic skills when taking mitigation steps against potential adversarial threats. |
AIE Rule Name: | CAT: Canary List Rule: Domain (Origin) |
AIE Rule ID: | 1366 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of a prior specified Domain (Origin). It is relatively unlikely for this domain to be used in a legitimate fashion, but not impossible. |
Common Event: | AIE: CAT: Canary List Rule: Domain (Origin) |
Classification | Security: Misuse |
Suppression Period: | 0 |
Alarm of Event Occurrence: | No |
Environmental Dependency Factor: | None |
False Positive Probability: | 6 |
Risk Rating: | 5 |
Rule Block Type: | Log Observed |
Rule Block Primary Filter: | Log Source Type = CAT: Metadata Field: Domain Origin |
Rule Block Include Filter: | Domain Origin = CAT: Canary List: Domain |
Group By: | Domain Origin AND Host (Impacted) |
Additional Details: | Recommendations: This rule is designed to trigger an event, not an AIE Alarm. It is designed to be used in conjunction with the other Canary List rules built within the LogRhythm Labs CAT Module; taking mitigation steps based solely upon this AIE rule is not recommended. Use your best judgment and analytic skills when taking mitigation steps against potential adversarial threats. |
AIE Rule Name: | CAT: Severity Increase: 2 Hits from Unique Canary Lists |
AIE Rule ID: | 1346 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of two hits from unique Canary Lists on a single host. This event is designed solely to affect the WebUI CAT dashboard, highlighting emerging threats in the network. |
Common Event: | AIE: CAT: Severity Increase: 2 Hits from Unique Canary Lists |
Classification | Security: Suspicious |
Suppression Period: | 3 Hours |
Alarm of Event Occurrence: | Yes |
Environmental Dependency Factor: | None |
False Positive Probability: | 5 |
Risk Rating: | 6 |
Rule Block Type: | Unique Values Observed |
Rule Block Primary Filter: | Common Event = AIE: CAT: Canary List Rule: Hash Value OR Common Event = AIE: CAT: Canary List Rule: IP Address (Impacted) OR Common Event = AIE: CAT: Canary List Rule: IP Address (Origin) OR Common Event = AIE: CAT: Canary List Rule: Process Name OR Common Event = AIE: CAT: Canary List Rule: Process Path OR Common Event = AIE: CAT: Canary List Rule: Registry Key OR Common Event = AIE: CAT: Canary List Rule: Domain OR Common Event = CAT: Canary List: UEBA - Event |
Rule Block Include Filter: | |
Group By: | Host (Impacted) |
Additional Details: | Recommendations: The triggering of this rule does not by itself indicate or guarantee that the system, network, or computer environment is compromised; it indicates that a potentially malicious event happened on the Impacted Host. To investigate this alarm, drill down into the Alarm itself, which displays the Canary List Rules that triggered it. To investigate each of those Canary List Rules, drill down into it to see each log that triggered that rule. |
AIE Rule Name: | CAT: Severity Increase: 3 Hits from Any Canary List |
AIE Rule ID: | 1347 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of three Canary List hits from any list, including repeated events. It is designed to affect the WebUI CAT dashboard, highlighting emerging threats in the network. |
Common Event: | AIE: CAT: Severity Increase: 3 Hits from Any Canary List |
Classification | Security: Suspicious |
Suppression Period: | 3 Hours |
Alarm of Event Occurrence: | Yes |
Environmental Dependency Factor: | None |
False Positive Probability: | 5 |
Risk Rating: | 6 |
Rule Block Type: | Threshold Observed |
Rule Block Primary Filter: | Common Event = AIE: CAT: Canary List Rule: Hash Value OR Common Event = AIE: CAT: Canary List Rule: IP Address (Impacted) OR Common Event = AIE: CAT: Canary List Rule: IP Address (Origin) OR Common Event = AIE: CAT: Canary List Rule: Process Name OR Common Event = AIE: CAT: Canary List Rule: Process Path OR Common Event = AIE: CAT: Canary List Rule: Registry Key OR Common Event = CAT: Canary List: UEBA – Event OR Common Event = AIE: CAT: Canary List Rule: Domain (Impacted) OR Common Event = AIE: CAT: Canary List Rule: Domain (Origin) |
Rule Block Include Filter: | |
Group By: | Host (Impacted) |
Additional Details: | Recommendations: The triggering of this rule does not by itself indicate or guarantee that the system, network, or computer environment is compromised; it indicates that a potentially malicious event happened on the Impacted Host. To investigate this alarm, drill down into the Alarm itself, which displays the Canary List Rules that triggered it. To investigate each of those Canary List Rules, drill down into it to see each log that triggered that rule. |
AIE Rule Name: | CAT: Severity Increase: 3 Hits from Unique Canary Lists |
AIE Rule ID: | 1348 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of three hits from unique Canary Lists on a single host. It is designed to affect the WebUI CAT dashboard, highlighting emerging threats in the network. |
Common Event: | AIE: CAT: Severity Increase: 3 Hits from Unique Canary Lists |
Classification | Operations: Error |
Suppression Period: | 3 Hours |
Alarm of Event Occurrence: | Yes |
Environmental Dependency Factor: | None |
False Positive Probability: | 4 |
Risk Rating: | 7 |
Rule Block Type: | Unique Values Observed |
Rule Block Primary Filter: | Common Event = AIE: CAT: Canary List Rule: Hash Value OR Common Event = AIE: CAT: Canary List Rule: IP Address (Impacted) OR Common Event = AIE: CAT: Canary List Rule: IP Address (Origin) OR Common Event = AIE: CAT: Canary List Rule: Process Name OR Common Event = AIE: CAT: Canary List Rule: Process Path OR Common Event = AIE: CAT: Canary List Rule: Registry Key OR Common Event = CAT: Canary List: UEBA – Event OR Common Event = AIE: CAT: Canary List Rule: Domain (Impacted) OR Common Event = AIE: CAT: Canary List Rule: Domain (Origin) |
Rule Block Include Filter: | |
Group By: | Host (Impacted) |
Additional Details: | Recommendations: The triggering of this rule does not by itself indicate or guarantee that the system, network, or computer environment is compromised; it indicates that a potentially malicious event happened on the Impacted Host. To investigate this alarm, drill down into the Alarm itself, which displays the Canary List Rules that triggered it. To investigate each of those Canary List Rules, drill down into it to see each log that triggered that rule. |
AIE Rule Name: | CAT: Severity Increase: 4 Hits from Any Canary List |
AIE Rule ID: | 1349 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of four Canary List hits from any list, including repeated events. It is designed to affect the WebUI CAT dashboard, highlighting emerging threats in the network. |
Common Event: | AIE: CAT: Severity Increase: 4 Hits from Any Canary List |
Classification | Operations: Error |
Suppression Period: | 3 Hours |
Alarm of Event Occurrence: | Yes |
Environmental Dependency Factor: | None |
False Positive Probability: | 5 |
Risk Rating: | 7 |
Rule Block Type: | Threshold Observed |
Rule Block Primary Filter: | Common Event = AIE: CAT: Canary List Rule: Hash Value OR Common Event = AIE: CAT: Canary List Rule: IP Address (Impacted) OR Common Event = AIE: CAT: Canary List Rule: IP Address (Origin) OR Common Event = AIE: CAT: Canary List Rule: Process Name OR Common Event = AIE: CAT: Canary List Rule: Process Path OR Common Event = AIE: CAT: Canary List Rule: Registry Key OR Common Event = CAT: Canary List: UEBA – Event OR Common Event = AIE: CAT: Canary List Rule: Domain (Impacted) OR Common Event = AIE: CAT: Canary List Rule: Domain (Origin) |
Rule Block Include Filter: | |
Group By: | Host (Impacted) |
Additional Details: | Recommendations: The triggering of this rule does not by itself indicate or guarantee that the system, network, or computer environment is compromised; it indicates that a potentially malicious event happened on the Impacted Host. To investigate this alarm, drill down into the Alarm itself, which displays the Canary List Rules that triggered it. To investigate each of those Canary List Rules, drill down into it to see each log that triggered that rule. |
AIE Rule Name: | CAT: Severity Increase: 4 Hits from Unique Canary Lists |
AIE Rule ID: | 1350 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of four hits from unique Canary Lists on a single host. It is designed to affect the WebUI CAT dashboard, highlighting emerging threats in the network. |
Common Event: | AIE: CAT: Severity Increase: 4 Hits from Unique Canary Lists |
Classification | Security: Attack |
Suppression Period: | 3 Hours |
Alarm of Event Occurrence: | Yes |
Environmental Dependency Factor: | None |
False Positive Probability: | 3 |
Risk Rating: | 8 |
Rule Block Type: | Unique Values Observed |
Rule Block Primary Filter: | Common Event = AIE: CAT: Canary List Rule: Hash Value OR Common Event = AIE: CAT: Canary List Rule: IP Address (Impacted) OR Common Event = AIE: CAT: Canary List Rule: IP Address (Origin) OR Common Event = AIE: CAT: Canary List Rule: Process Name OR Common Event = AIE: CAT: Canary List Rule: Process Path OR Common Event = AIE: CAT: Canary List Rule: Registry Key OR Common Event = CAT: Canary List: UEBA – Event OR Common Event = AIE: CAT: Canary List Rule: Domain (Impacted) OR Common Event = AIE: CAT: Canary List Rule: Domain (Origin) |
Rule Block Include Filter: | |
Group By: | Host (Impacted) |
Additional Details: | Recommendations: The triggering of this rule does not by itself indicate or guarantee that the system, network, or computer environment is compromised; it indicates that a potentially malicious event happened on the Impacted Host. To investigate this alarm, drill down into the Alarm itself, which displays the Canary List Rules that triggered it. To investigate each of those Canary List Rules, drill down into it to see each log that triggered that rule. |
AIE Rule Name: | CAT: Severity Increase: 5 Hits from Any Canary List |
AIE Rule ID: | 1351 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of five Canary List hits from any list, including repeated events. It is designed to affect the WebUI CAT dashboard, highlighting emerging threats in the network. |
Common Event: | AIE: CAT: Severity Increase: 5 Hits from Any Canary List |
Classification | Security: Attack |
Suppression Period: | 3 Hours |
Alarm of Event Occurrence: | Yes |
Environmental Dependency Factor: | None |
False Positive Probability: | 4 |
Risk Rating: | 8 |
Rule Block Type: | Threshold Observed |
Rule Block Primary Filter: | Common Event = AIE: CAT: Canary List Rule: Hash Value OR Common Event = AIE: CAT: Canary List Rule: IP Address (Impacted) OR Common Event = AIE: CAT: Canary List Rule: IP Address (Origin) OR Common Event = AIE: CAT: Canary List Rule: Process Name OR Common Event = AIE: CAT: Canary List Rule: Process Path OR Common Event = AIE: CAT: Canary List Rule: Registry Key OR Common Event = CAT: Canary List: UEBA – Event OR Common Event = AIE: CAT: Canary List Rule: Domain (Impacted) OR Common Event = AIE: CAT: Canary List Rule: Domain (Origin) |
Rule Block Include Filter: | |
Group By: | Host (Impacted) |
Additional Details: | Recommendations: The triggering of this rule does not by itself indicate or guarantee that the system, network, or computer environment is compromised; it indicates that a potentially malicious event happened on the Impacted Host. To investigate this alarm, drill down into the Alarm itself, which displays the Canary List Rules that triggered it. To investigate each of those Canary List Rules, drill down into it to see each log that triggered that rule. |
AIE Rule Name: | CAT: Severity Increase: 5 Hits from Unique Canary Lists |
AIE Rule ID: | 1352 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of five hits from unique Canary Lists on a single host. It is designed to affect the WebUI CAT dashboard, highlighting emerging threats in the network. |
Common Event: | AIE: CAT: Severity Increase: 5 Hits from Unique Canary Lists |
Classification | Security: Compromise |
Suppression Period: | 3 Hours |
Alarm of Event Occurrence: | Yes |
Environmental Dependency Factor: | None |
False Positive Probability: | 2 |
Risk Rating: | 9 |
Rule Block Type: | Unique Values Observed |
Rule Block Primary Filter: | Common Event = AIE: CAT: Canary List Rule: Hash Value OR Common Event = AIE: CAT: Canary List Rule: IP Address (Impacted) OR Common Event = AIE: CAT: Canary List Rule: IP Address (Origin) OR Common Event = AIE: CAT: Canary List Rule: Process Name OR Common Event = AIE: CAT: Canary List Rule: Process Path OR Common Event = AIE: CAT: Canary List Rule: Registry Key OR Common Event = CAT: Canary List: UEBA – Event OR Common Event = AIE: CAT: Canary List Rule: Domain (Impacted) OR Common Event = AIE: CAT: Canary List Rule: Domain (Origin) |
Rule Block Include Filter: | |
Group By: | Host (Impacted) |
Additional Details: | Recommendations: The triggering of this rule does not by itself indicate or guarantee that the system, network, or computer environment is compromised; it indicates that a potentially malicious event happened on the Impacted Host. To investigate this alarm, drill down into the Alarm itself, which displays the Canary List Rules that triggered it. To investigate each of those Canary List Rules, drill down into it to see each log that triggered that rule. |
AIE Rule Name: | CAT: Severity Increase: 6 Hits from Any Canary List |
AIE Rule ID: | 1353 |
Rule Description: | This AI rule is designed to generate an AI event upon the successful identification of six Canary List hits from any list, including repeated events. It is designed to affect the WebUI CAT dashboard, highlighting emerging threats in the network. |
Common Event: | AIE: CAT: Severity Increase: 6 Hits from Any Canary List |
Classification | Security: Compromise |
Suppression Period: | 3 Hours |
Alarm of Event Occurrence: | Yes |
Environmental Dependency Factor: | None |
False Positive Probability: | 3 |
Risk Rating: | 9 |
Rule Block Type: | Threshold Observed |
Rule Block Primary Filter: | Common Event = AIE: CAT: Canary List Rule: Hash Value OR Common Event = AIE: CAT: Canary List Rule: IP Address (Impacted) OR Common Event = AIE: CAT: Canary List Rule: IP Address (Origin) OR Common Event = AIE: CAT: Canary List Rule: Process Name OR Common Event = AIE: CAT: Canary List Rule: Process Path OR Common Event = AIE: CAT: Canary List Rule: Registry Key OR Common Event = CAT: Canary List: UEBA – Event OR Common Event = AIE: CAT: Canary List Rule: Domain (Impacted) OR Common Event = AIE: CAT: Canary List Rule: Domain (Origin) |
Rule Block Include Filter: | |
Group By: | Host (Impacted) |
Additional Details: | Recommendations: The triggering of this rule does not by itself indicate or guarantee that the system, network, or computer environment is compromised; it indicates that a potentially malicious event happened on the Impacted Host. To investigate this alarm, drill down into the Alarm itself, which displays the Canary List Rules that triggered it. To investigate each of those Canary List Rules, drill down into it to see each log that triggered that rule. |
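The Severity Increase rules above come in two Rule Block Types: "Unique Values Observed" counts how many different Canary List rules have fired on one Host (Impacted), while "Threshold Observed" counts every Canary List hit on that host, repeats included. The following is an added example, not LogRhythm's code, that models both counting modes over a constructed stream of AIE events; it assumes each event is a (host, Common Event) pair and that all events fall within a single evaluation window, neither of which the page specifies.

```python
"""Added example (not LogRhythm code): models the Severity Increase
rule blocks over constructed Canary List AIE events, grouped by
Host (Impacted). Assumed: one evaluation window holds all events."""
from collections import Counter, defaultdict

# Common Events listed in the Severity Increase rules' Primary Filter.
CANARY_COMMON_EVENTS = {
    "AIE: CAT: Canary List Rule: Hash Value",
    "AIE: CAT: Canary List Rule: IP Address (Impacted)",
    "AIE: CAT: Canary List Rule: IP Address (Origin)",
    "AIE: CAT: Canary List Rule: Process Name",
    "AIE: CAT: Canary List Rule: Process Path",
    "AIE: CAT: Canary List Rule: Registry Key",
    "AIE: CAT: Canary List Rule: Domain (Impacted)",
    "AIE: CAT: Canary List Rule: Domain (Origin)",
    "CAT: Canary List: UEBA - Event",
}

# (threshold, rule name) for each block type, as listed on the page.
UNIQUE_RULES = [(n, f"{n} Hits from Unique Canary Lists") for n in (2, 3, 4, 5)]
ANY_RULES = [(n, f"{n} Hits from Any Canary List") for n in (3, 4, 5, 6)]


def severity_increase_hits(events):
    """Return {host: [rule names]} for every Severity Increase rule whose
    block condition is met. Each AIE rule evaluates independently, so a
    host can satisfy several tiers at once."""
    total = Counter()              # Threshold Observed: every hit counts
    unique = defaultdict(set)      # Unique Values Observed: distinct rules
    for host, common_event in events:
        if common_event not in CANARY_COMMON_EVENTS:
            continue               # Primary Filter drops non-canary events
        total[host] += 1
        unique[host].add(common_event)
    fired = {}
    for host in total:
        names = [f"CAT: Severity Increase: {name}"
                 for t, name in UNIQUE_RULES if len(unique[host]) >= t]
        names += [f"CAT: Severity Increase: {name}"
                  for t, name in ANY_RULES if total[host] >= t]
        fired[host] = names
    return fired


# Constructed sample: hostA repeats one list; hostB hits four different
# lists; hostC only produces a non-canary event and is filtered out.
SAMPLE_EVENTS = [
    ("hostA", "AIE: CAT: Canary List Rule: Hash Value"),
    ("hostA", "AIE: CAT: Canary List Rule: Hash Value"),
    ("hostA", "AIE: CAT: Canary List Rule: Hash Value"),
    ("hostA", "AIE: CAT: Canary List Rule: Hash Value"),
    ("hostB", "AIE: CAT: Canary List Rule: Process Path"),
    ("hostB", "AIE: CAT: Canary List Rule: Registry Key"),
    ("hostB", "AIE: CAT: Canary List Rule: Domain (Origin)"),
    ("hostB", "AIE: CAT: Canary List Rule: IP Address (Impacted)"),
    ("hostC", "Some unrelated Common Event"),
]

if __name__ == "__main__":
    for host, names in severity_increase_hits(SAMPLE_EVENTS).items():
        print(host, names)
```

hostA, with four repeats of a single list, reaches only the "Any Canary List" tiers, while hostB, with four distinct lists, also reaches the higher-risk "Unique Canary Lists" tiers, which is the distinction the two block types exist to make.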