AI Engine Rules leverage LogRhythm technology to correlate events across your environment, helping to identify events of interest and potential compliance issues. The goal for many of these rules is to quickly identify traffic coming from or going to a country that has strict data protection laws, such as GDPR for the EU members. This can empower your organization and DPO to ensure policies applied and consent is obtained as soon as possible to limit the time of non-compliance.
These AIE rules cover all log sources in your environment, but specifically require logs from anti-malware systems, firewalls, servers, workstations, security enforcing devices, access management systems, and vulnerability detection systems. When configured correctly, LogRhythm’s advanced correlation and AIE rules provide near real-time alerts for malicious activities and/or attacks.
|AIE Alarm Rule||CCF: Malware Alarm Rule||1217|
|AIE Rule||CCF: GeoIP General Activity||1240|
|AIE Rule||CCF: GeoIP Blacklisted Region Activity||1241|
|AIE Alarm Rule||CCF: Unknown User Account Alarm||1243|
Malware Alarm Rule
A cornerstone of GDPR is the ability to continuously monitor the environment from all layers. This Alarm (#1217) is configured to alert when malicious activity occurs within the environment. This AIE Rule creates an event and notification alarm for malware detection on devices that have been designated as log sources or devices that support network monitoring.
GeoIP Activity Rules
This set of AIE rules (#1240 & 1241) are designed to leverage the Data Processor’s GeoIP functionality to represent general activity. Further a blacklisted region (list) can be used to indicate when data is coming in from a region that has data protection policies or legislation that needs to be taken into consideration. This early notification can ensure the organization acts on policies to obtain consent and ensure adherence to data protection requirements.
Unknown User Account Rule
In GDPR, it is critical to identify potential introduction of personal data into the environment, as seen with this rule (#1243). Leveraging a user list to confirm users who have given consent are leveraged in the rule to identify any user activity originating from an unknown account that may indicate an account that has not given consent. This can help facilitate policies to obtain consent and ensure adherence to data protection requirements.