
GDPR – AI Engine Rules

| AI Engine Rule Name | Rule Description | Alert | Rule ID | Notification Area | Corresponding Investigation | Directly Meet Requirements | Log Sources |
|---|---|---|---|---|---|---|---|
| CCF: Abnormal Amount of Data Transferred | This rule alerts whenever a significant change (400% increase or 75% decrease) in Bytes In or Bytes Out is observed from a specific host. Augment: Articles 17, 18, 22, 24, 25, 32, 33, 34, 35, 40, 44, 45, 46, 47, 90 | N/A | 1230 | Operations : Warning | N/A | N/A | GDPR: All Log Sources |
| CCF: Abnormal Origin Location | First tracks geographic locations for VPN logins, then triggers when a new origin location is seen for a user. Augment: Articles 17, 18, 21, 24, 25, 32, 35, 40, 44, 45, 46, 47, 90 | N/A | 1208 | Security : Attack | N/A | N/A | GDPR: All Log Sources |
| CCF: Attack then External Connection | An observed external attack or compromise followed by data leaving the system and going to the attacker. Augment: Articles 22, 24, 25, 32, 33, 34, 35, 46, 47, 90 | N/A | 1211 | Security : Compromise | N/A | N/A | GDPR: All Log Sources |
| CCF: Auth After Numerous Failed Auths | Multiple unique external login attempts are seen on the same impacted host within a short period of time, followed by a successful authentication. Augment: Articles 18, 22, 24, 25, 32, 33, 34, 35, 46, 47, 90 | Yes | 1199 | Security : Compromise | N/A | N/A | GDPR: All Log Sources |
| CCF: Auth After Security Event | An observed attack, compromise, or other security event followed by successful access or authentication from the attacking host. Augment: Articles 18, 22, 24, 25, 32, 33, 34, 35, 46, 47, 90 | No | 1200 | Security : Compromise | N/A | N/A | GDPR: All Log Sources |
| CCF: Backup Failure Alarm | More than 10 backup failure events are detected. Augment: Articles 22, 24, 25, 32, 35, 40, 46, 47, 90 | Yes | 1236 | Operations : Error | CCF: Backup Activity Inv | N/A | GDPR: All Log Sources |
| CCF: Backup Information | This AIE Rule creates events for information from backup software. Augment: Articles 22, 24, 25, 32, 35, 40, 46, 47, 90 | No | 1237 | Operations : Information | CCF: Backup Activity Inv | N/A | GDPR: All Log Sources |
| CCF: Blacklist Location Auth | Authentication success from a blacklisted location. Augment: Articles 17, 18, 21, 22, 24, 25, 32, 35, 40, 44, 45, 46, 47, 90 | No | 1204 | Security : Compromise | N/A | N/A | GDPR: All Log Sources |
| CCF: Concurrent VPN from Multiple Locations | Multiple VPN authentication successes from the same origin login are observed from different regions within a given time period (default 3 hours). Augment: Articles 18, 22, 24, 25, 32, 33, 34, 35, 46, 47, 90 | No | 1205 | Security : Compromise | N/A | N/A | GDPR: All Log Sources |
| CCF: Config Change After Attack | Attack event on a host followed by a configuration change made to that host within 3 minutes. Augment: Articles 22, 24, 25, 32, 33, 34, 35, 46, 47, 90 | No | 1214 | Security : Compromise | N/A | N/A | GDPR: All Log Sources |
| CCF: Config Change then Critical Error | Configuration change followed by a critical error on the same host, indicating an erroneous configuration, malicious intent, or otherwise. Augment: Articles 22, 24, 25, 32, 33, 34, 35, 46, 47, 90 | No | 1216 | Security : Compromise | N/A | N/A | GDPR: All Log Sources |
| CCF: Config Deleted/Disabled | Configuration deleted within the organization infrastructure. Augment: Articles 22, 24, 25, 32, 35, 46, 47, 90 | No | 1219 | Security : Compromise | CCF: Config/Policy Change Inv | N/A | CCF: Production Servers |
| CCF: Config Modified | Configuration modified within the organization infrastructure. Augment: Articles 22, 24, 25, 32, 35, 46, 47, 90 | No | 1221 | Security : Compromise | CCF: Config/Policy Change Inv | N/A | GDPR: All Log Sources |
| CCF: Corroborated Account Anomalies | 3 or more unique behavioral anomalies for a given user within a 3 hour period. This rule requires Rule IDs 285 - 289 be turned on. Use Case : An account has been compromised. Augment: Articles 17, 18, 22, 24, 25, 32, 33, 34, 35, 44, 45, 46, 47, 90 | No | 1207 | Security : Compromise | N/A | N/A | GDPR: All Log Sources |
| CCF: Corroborated Data Access Anomalies | 2 or more unique behavioral anomalies for data within a 3 hour period. The alarm requires Rule IDs 300-302 be turned on in order to trigger. Augment: Articles 17, 18, 22, 24, 25, 32, 33, 34, 35, 40, 44, 45, 46, 47, 90 | No | 1201 | Security : Compromise | N/A | N/A | GDPR: All Log Sources |
| CCF: Critical Event After Attack | An external attack or compromise followed by a critical event on the same host. Action: This alarm can identify when an error message is generated as the result of a successful attack, such as an unexpected process termination or a hardware failure. Augment: Articles 22, 24, 25, 32, 33, 34, 35, 46, 47, 90 | No | 1206 | Security : Compromise | N/A | N/A | GDPR: All Log Sources |
| CCF: Critical/PRD Envir Config/Policy Change Alarm | This AIE rule creates an alert any time configuration or policy modification logs are received from a critical or production environment (entity structure). Augment: Articles 22, 24, 25, 32, 35, 46, 47, 90 | Yes | 1210 | Audit : Policy | CCF: Config/Policy Change Inv | N/A | CCF: Production Servers |
| CCF: Critical/PRD Envir Patch Failure Alarm | This AIE rule creates an alert any time a patch fails to apply in the critical or production environments (entity structure). Augment: Articles 22, 24, 25, 32, 35, 46, 47, 90 | Yes | 1212 | Operations : Error | CCF: Critical Environment Error Inv | N/A | GDPR: All Log Sources |
| CCF: Critical/PRD Envir Signature Failure Alarm | This AIE Rule creates an alert on signature update failures in critical or production environments (entity structure). Augment: Articles 22, 24, 25, 32, 35, 46, 47, 90 | Yes | 1213 | Operations : Error | CCF: Critical Environment Error Inv | N/A | GDPR: All Log Sources |
| CCF: Data Destruction | Attack event followed by a FIM delete/modify event on the same host. Augment: Articles 18, 22, 24, 25, 32, 33, 34, 35, 40, 44, 45, 46, 47, 90 | No | 1202 | Security : Compromise | CCF: LogRhythm Data Loss Defender Log Inv | N/A | GDPR: All Log Sources |
| CCF: Data Exfiltration Observed | External attack or compromise followed by data leaving the same system. Augment: Articles 18, 22, 24, 25, 32, 33, 34, 35, 40, 44, 45, 46, 47, 90 | No | 1193 | Security : Compromise | CCF: LogRhythm Data Loss Defender Log Inv | N/A | GDPR: All Log Sources |
| CCF: Data Loss Prevention | This AIE Rule provides details of data generated by the LogRhythm Data Loss Defender or other data loss prevention solutions, when configured. Augment: Articles 17, 18, 22, 24, 25, 32, 33, 34, 35, 40, 44, 45, 46, 47, 90 | No | 1232 | Operations : Information | CCF: LogRhythm Data Loss Defender Log Inv | N/A | GDPR: All Log Sources |
| CCF: Disabled Account Auth Success | A recently disabled or deleted account authenticates or accesses resources on the network. Augment: Articles 17, 18, 21, 22, 24, 25, 32, 33, 34, 35, 40, 44, 45, 46, 47, 90 | No | 1194 | Security : Compromise | N/A | N/A | GDPR: All Log Sources |
| CCF: Distributed Brute Force | A successful brute force authentication: multiple failed authentication attempts from different external hosts to the same host using the same origin login, followed by an authentication success. Augment: Articles 18, 22, 24, 25, 32, 33, 34, 35, 46, 47, 90 | No | 1203 | Security : Compromise | N/A | N/A | GDPR: All Log Sources |
| CCF: Early TLS/SSL Alarm | This AIE Rule alerts on the occurrence of any identified TLS LogRhythm Network Monitor event. Augment: Articles 22, 24, 25, 32, 33, 34, 35, 40, 44, 45, 46, 47, 90 | Yes | 1238 | Security : Activity | N/A | N/A | GDPR: All Log Sources |
| CCF: External Brute Force Auths | Successful authentication after multiple failed attempts from different external origin hosts to the same impacted host. Augment: Articles 18, 22, 24, 25, 32, 33, 34, 35, 46, 47, 90 | No | 1197 | Security : Compromise | N/A | N/A | GDPR: All Log Sources |
| CCF: FIM Abnormal Activity | This AIE Rule creates events for all abnormal file integrity monitoring activity. Augment: Articles 18, 22, 24, 25, 32, 33, 34, 35, 40, 44, 45, 46, 47, 90 | No | 1233 | Security : Suspicious | N/A | N/A | GDPR: All Log Sources |
| CCF: FIM Add Activity | This AIE Rule creates events for all file integrity monitoring add activity. Augment: Articles 18, 22, 24, 25, 32, 33, 34, 35, 40, 44, 45, 46, 47, 90 | No | 1234 | Security : Activity | N/A | N/A | GDPR: All Log Sources |
| CCF: FIM Delete Activity Alarm | This AIE Rule alarms on file integrity monitoring delete activity. Augment: Articles 17, 18, 22, 24, 25, 32, 33, 34, 35, 40, 44, 45, 46, 47, 90 | Yes | 1235 | Security : Activity | N/A | N/A | GDPR: All Log Sources |
| CCF: FIM General Activity | This rule creates an event for file integrity monitoring activity including adds, deletes, modifies, group changes, owner changes, and permission changes. The FIM log source can be established from LogRhythm's FIM or other FIM solutions. Augment: Articles 17, 18, 22, 24, 25, 32, 33, 34, 35, 40, 44, 45, 46, 47, 90 | No | 1239 | Operations : Information | N/A | N/A | GDPR: All Log Sources |
| CCF: FIM Information | This AIE Rule creates events for general file integrity monitoring information. Augment: Articles 17, 18, 22, 24, 25, 32, 33, 34, 35, 40, 44, 45, 46, 47, 90 | No | 1229 | Operations : Information | N/A | N/A | GDPR: All Log Sources |
| CCF: GeoIP Blacklisted Region Activity | This rule tracks activity associated with Blacklisted Regions (list). Augment: Articles 17, 18, 21, 24, 25, 32, 35, 40, 44, 45, 46, 47, 90 | No | 1241 | Security : Suspicious | CCF: GeoIP Inv | N/A | GDPR: All Log Sources |
| CCF: GeoIP General Activity | This rule is designed to be used with the Data Processor's GeoIP functionality, to represent general GeoIP activity. Augment: Articles 17, 18, 21, 24, 25, 32, 35, 40, 44, 45, 46, 47, 90 | No | 1240 | Security : Suspicious | CCF: GeoIP Inv | N/A | GDPR: All Log Sources |
| CCF: Large Outbound Transfer | A single host is seen sending over 1GB of data out of the network within 30 minutes. Augment: Articles 17, 18, 22, 24, 25, 32, 33, 34, 35, 40, 44, 45, 46, 47, 90 | No | 1195 | Security : Compromise | N/A | N/A | GDPR: All Log Sources |
| CCF: Local Account Created and Used | An account is created on a host and then used shortly thereafter on the same host. Augment: Articles 17, 18, 21, 22, 24, 25, 32, 33, 34, 35, 40, 44, 45, 46, 47, 90 | No | 1196 | Security : Compromise | N/A | N/A | GDPR: All Log Sources |
| CCF: LogRhythm Silent Log Source Error Alarm | This AIE Rule creates an alert and provides information when a LogRhythm Log Source has not received logs from a critical or production server/system during the defined error period. Augment: Articles 22, 24, 25, 32, 33, 34, 35, 46, 47, 90 | Yes | 1209 | Operations : Warning | N/A | N/A | GDPR: All Log Sources |
| CCF: Malware Alarm | This AIE Rule provides details on malware activity across the organization's environment where malware detection/prevention is applied. Augment: Articles 22, 24, 25, 32, 33, 34, 35, 46, 47, 90 | Yes | 1217 | Security : Malware | CCF: Malware Detected Inv | N/A | GDPR: All Log Sources |
| CCF: Misuse | This AIE Rule provides details on misuse activity. Augment: Articles 22, 24, 25, 32, 33, 34, 35, 40, 44, 45, 46, 47, 90 | No | 1231 | Security : Misuse | CCF: User Misuse Inv | N/A | GDPR: All Log Sources |
| CCF: Non-Encrypted Protocol Alarm | This rule provides details of unencrypted applications being used within the critical and production systems or environments (entity structure). Augment: Articles 22, 24, 25, 32, 33, 34, 35, 40, 44, 45, 46, 47, 90 | Yes | 1222 | Operations : Information | CCF: Use Of Non-Encrypted Protocols Inv | N/A | GDPR: All Log Sources |
| CCF: Rogue Access Point Alarm | This AIE Rule alerts on the occurrence of any rogue access point detection events against the organization's environment. Augment: Articles 22, 24, 25, 32, 33, 34, 35, 46, 47, 90 | Yes | 1220 | Security : Suspicious | CCF: Rogue Access Point Inv | N/A | GDPR: All Log Sources |
| CCF: Social Media Event | This rule tracks social media activity, to help identify whether private or personal data that should not be in transmission is present in the environment's traffic. Augment: Articles 17, 18, 22, 24, 25, 32, 35, 40, 44, 45, 46, 47, 90 | No | 1242 | Security : Suspicious | CCF: Social Media Inv | N/A | GDPR: All Log Sources |
| CCF: Suspected Wireless Attack Alarm | This AIE Rule creates an event and alerts on suspected wireless attacks (success/failure) against the boundary monitoring devices. Augment: Articles 22, 24, 25, 32, 33, 34, 35, 46, 47, 90 | Yes | 1223 | Security : Attack | CCF: Suspected Wireless Attack Inv | N/A | CCF: Wireless IDS |
| CCF: Time Sync Error Alarm | This AIE Rule creates an event and alerts on any time sync errors occurring on any Log Source. Augment: Articles 22, 24, 25, 32, 33, 34, 35, 46, 47, 90 | Yes | 1215 | Operations : Warning | CCF: Time Sync Error Inv | N/A | GDPR: All Log Sources |
| CCF: Unknown User Account Alarm | This rule identifies activity originating from unknown user accounts, based on the CCF user lists. Augment: Articles 17, 18, 21, 22, 24, 25, 32, 34, 35, 40, 44, 45, 46, 47, 90 | Yes | 1243 | Security : Suspicious | CCF: Unknown User Account Inv | N/A | GDPR: All Log Sources |
| CCF: Vulnerability Detected Alarm | This AIE Rule alerts on the occurrence of vulnerabilities or suspicious events across the organization's environment. Augment: Articles 22, 24, 25, 32, 33, 34, 35, 46, 47, 90 | Yes | 1218 | Security : Vulnerability | CCF: Vulnerability Detected Inv | N/A | GDPR: All Log Sources |
