GPG-13 – AI Engine Rules
Name | Description | Rule ID | Classification | Corresponding Investigation | Direct/Augment Control Activity | Alarming | Log Source Lists |
---|---|---|---|---|---|---|---|
GPG-13: Attck Recog Software Policy Change | This AIE Rule creates an event and alerts on any change to boundary attack recognition software policies (signatures) to supplement testing of GPG-13 control PMC3.9. The AIE Rule is not a direct requirement, but can be enabled for a more proactive approach to change management. This AIE Rule is based on Data Segregation according to Log Source Root Entity. | 665 | Audit: Configuration | N/A | PMC3.9 – Direct | Yes | GPG-13: Security Boundary Monitoring Devices |
GPG-13: Malware Detected on Host | This AIE Rule creates an event and alerts for any malware detection on any host (server or workstation) that exists within the boundary in direct support of GPG-13 control PMC4.2 [Alert A]. | 667 | Security: Malware | GPG-13: Malware Detected on Host (Server or Workstation) | PMC4.2 [A] – Direct | Yes | GPG-13: Servers and Workstations |
GPG-13: Auth Failure on Intrnl Boundary Dvc | This AIE Rule creates an event and alerts on authentication failures on any internal boundary monitoring device to supplement testing of GPG-13 control PMC5.3 [Alert B]. This AIE Rule is based on Data Segregation according to Log Source Root Entity. | 670 | Audit: Authentication Failure | N/A | PMC5.3 [B] – Direct | Yes | GPG-13: Internal Boundary Enforcing Devices; GPG-13: Internal Monitoring Devices; GPG-13: Internal Network Devices |
GPG-13: Auto Response from Intrnl Bndry Dvc | This AIE Rule creates an event and alerts on automated responses from internal firewalls to supplement testing of GPG-13 control PMC5.14. This AIE Rule is based on Data Segregation according to Log Source Root Entity. | 673 | Operations: Network Deny | N/A | PMC5.14 [D] – Augment | Yes | GPG-13: Internal Boundary Enforcing Devices |
GPG-13: Backup Ops Critical Error Failure | This AIE Rule creates an event and alerts on various backup operation failures or errors that could impact the preservation and recovery of files or database elements on critical servers or workstations (list). This rule supplements testing of GPG-13 control PMC8.2 [Alert A] by alerting and providing information around the backup operation failure based on a common event search against critical server or workstation logs (list). This AIE Rule is based on Data Segregation according to Log Source Root Entity. | 681 | Operations: Critical | N/A | PMC8.2 [A] – Direct | Yes | GPG-13: All Log Sources |
GPG-13: Bndry Mon Dvce Config/Policy Chg | This AIE Rule creates an event and alerts on any change to boundary monitoring device configurations or policies to supplement testing of GPG-13 control PMC3.7. This is not a direct requirement, but can be enabled for a more proactive approach to applying change management to monitoring devices. This AIE Rule is based on Data Segregation according to Log Source Root Entity. | 664 | Audit: Configuration | N/A | PMC3.7 [B] – Direct | Yes | GPG-13: Security Boundary Content Gateways; GPG-13: Security Boundary Enforcing Devices |
GPG-13: Boundary Monitoring Device Critical | This AIE Rule creates an event and alerts on any message from a boundary monitoring device at critical status and above to supplement testing of GPG-13 control PMC3.2 [Alert B]. This AIE Rule is based on Data Segregation according to Log Source Root Entity. | 661 | Operations: Critical | N/A | PMC3.2 [B] – Direct | Yes | GPG-13: Security Boundary Anti-Malware Gateways; GPG-13: Security Boundary Content Gateways; GPG-13: Security Boundary Enforcing Devices; GPG-13: Security Boundary Monitoring Devices |
GPG-13: Intrnl Bndry Monitoring Dvc Chg | This AIE Rule creates an event and alerts on any change to internal boundary monitoring device configurations or policies to supplement testing of GPG-13 control PMC5.6 [Alert A]. The AIE Rule is not a direct requirement, but can be enabled to enhance and supplement the capabilities of the Summary Report to meet control objectives. This AIE Rule is based on Data Segregation according to Log Source Root Entity. | 671 | Audit: Configuration | GPG-13: Internal Boundary Monitoring Device Change | PMC5.6 – Direct | Yes | GPG-13: Internal Boundary Enforcing Devices |
GPG-13: Intrnl Monitor Dvc Critical | This AIE Rule creates an event and alerts on any message from a boundary monitoring device at critical status and above to supplement testing of GPG-13 control PMC5.2 [Alert B]. This AIE Rule is based on Data Segregation according to Log Source Root Entity. | 669 | Operations: Critical | N/A | PMC5.2 [B] – Direct | Yes | GPG-13: Internal Boundary Enforcing Devices; GPG-13: Internal Monitoring Devices |
GPG-13: Network Connection Console Critical | This AIE Rule creates an event and alerts on any message from a network connection console at the boundary to supplement testing of GPG-13 control PMC6.7 [Alert B]. This AIE Rule is based on Data Segregation according to Log Source Root Entity. | 676 | Operations: Critical | N/A | PMC6.7 [B] – Direct | Yes | GPG-13: Network Connection Consoles |
GPG-13: VPN Node Registration Failure | This AIE Rule creates an event and alerts on any unsuccessful Virtual Private Network (VPN) node registration attempt into the boundary to supplement testing of GPG-13 control PMC6.2 [Alert A]. This AIE Rule is based on Data Segregation according to Log Source Root Entity. | 675 | Audit: Authentication Failure | N/A | PMC6.2 [A] – Direct | Yes | GPG-13: VPN Devices |
GPG-13: Attack Detected at Boundary | This AIE Rule creates an event and alerts on suspected attacks (success/failure) against all boundary monitoring devices to supplement testing of GPG-13 control PMC3.4 [Alert B]. This AIE Rule is based on Data Segregation according to Log Source Root Entity. | 663 | Security: Attack | GPG-13: Attack Detected at Boundary | PMC3.4 [B] – Direct | Yes | GPG-13: Security Boundary Enforcing Devices; GPG-13: Security Boundary Monitoring Devices |
GPG-13: Auth Failure on Boundary Device | This AIE Rule creates an event and alerts on authentication failures on any boundary monitoring device to supplement testing of GPG-13 control PMC3.3 [Alert B]. This AIE Rule is based on Data Segregation according to Log Source Root Entity. | 662 | Audit: Authentication Failure | GPG-13: Auth Failure on Boundary Device | PMC3.3 [B] – Direct | Yes | GPG-13: Security Boundary Anti-Malware Gateways; GPG-13: Security Boundary Content Gateways; GPG-13: Security Boundary Enforcing Devices; GPG-13: Security Boundary Monitoring Devices |
GPG-13: Blocked File Import/Export Attempt | This AIE Rule creates an event and alerts for any blocked attempts to import or export files across the boundary to supplement testing of GPG-13 controls PMC2.4 [Alert B] and 2.5 [Alert B]. This AIE Rule is based on Data Segregation according to Log Source Root Entity. | 620 | Operations: Network Deny | GPG-13: Failed File Import/Export Attempt | PMC2.4 [B] & 2.5 [B] – Direct | Yes | GPG-13: Security Boundary Anti-Malware Gateways; GPG-13: Security Boundary Content Gateways; GPG-13: Security Boundary Enforcing Devices; GPG-13: Security Boundary Monitoring Devices |
GPG-13: Blocked Web Browsing Activity | This AIE Rule creates an event and alerts for any denied web browsing activity within the boundary to supplement testing of GPG-13 control PMC2.3 [Alert B]. This AIE Rule is based on Data Segregation according to Log Source Root Entity. | 619 | Operations: Network Deny | N/A | PMC2.3 [B] – Direct | Yes | GPG-13: Security Boundary Content Gateways |
GPG-13: Boundary Anti-Malware Policy Change | This AIE Rule creates an event and alerts based on anticipated policy change logs from Anti-Malware software within a 24-hour time period. The customer should define this time period according to their Anti-Malware maintenance window. This AIE Rule is not a direct requirement, but can be enabled to enhance the ability to track and respond to Anti-Malware policy changes and ensure changes are appropriate. This AIE Rule is based on Data Segregation according to Log Source Root Entity. | 618 | Audit: Configuration | N/A | PMC2.2 [A] – Direct | Yes | GPG-13: Security Boundary Anti-Malware Gateways |
GPG-13: Critical Host at Critical Status | This AIE Rule creates an event and alerts on any message from a critical host (defined servers and workstations) at critical status and above to supplement testing of GPG-13 control PMC4.1 [Alert B]. This AIE Rule is based on Data Segregation according to Log Source Root Entity. | 666 | Operations: Critical | N/A | PMC4.1 [B] – Direct | Yes | GPG-13: Critical Servers; GPG-13: Critical Workstations |
GPG-13: File Monitoring Event - File Changes | This AIE Rule creates an event and alerts for any modifications made to files within a file system included in the GPG-13: File Integrity Monitors log source list. This alerting requires customization according to the prescribed application of file integrity monitoring (FIM) capabilities within a LogRhythm Agent installed on in-scope file systems. This rule supplements testing of GPG-13 control PMC4.11 [Alert C]. Appropriate system monitoring agent settings should be configured for endpoint FIM monitoring based on the environment (Windows/Linux) to capture file path information. | 668 | Security: Activity | N/A | PMC4.11 [C] – Direct | Yes | GPG-13: File Integrity Monitoring |
GPG-13: IPS Command and Response | This AIE Rule creates an event and alerts on any command and automated response from an IPS to supplement testing of GPG-13 control PMC3.14 [Alert D]. This AIE Rule is based on Data Segregation according to Log Source Root Entity. | 684 | Audit: Access Failure | N/A | PMC3.14 [D] – Augment | Yes | GPG-13: Security Boundary Enforcing Devices |
GPG-13: Logging Exception | This AIE Rule creates an event and alerts on logging exceptions within the LogRhythm console as a result of a log reset, error condition, failure or threshold exception to supplement testing of GPG-13 control PMC10.1 [Alert A]. | 683 | Operations: Warning | N/A | PMC10.1 [A] – Direct | Yes | GPG-13: All Log Sources |
GPG-13: Malware Detected at Boundary | This AIE Rule creates an event and alerts for any malware detection on any device that exists on the Boundary Log Source List or any device supporting network monitoring in direct support of GPG-13 control PMC2.1 [Alert A]. This AIE Rule is based on Data Segregation according to Log Source Root Entity. | 617 | Security: Malware | GPG-13: Malware Detection Activity | PMC2.1 [A] – Direct | Yes | GPG-13: Security Boundary Anti-Malware Gateways; GPG-13: Security Boundary Content Gateways; GPG-13: Security Boundary Enforcing Devices; GPG-13: Security Boundary Monitoring Devices |
GPG-13: Network Account Locked Out Status | This AIE Rule creates an event and alerts on any network account status change to locked or locked-out to supplement testing of GPG-13 control PMC7.5 [Alert B]. An exclusion rule is used to skip computer accounts that end in '$'. Further, the network account 'locked-out' activities are captured in reporting to meet the control PMC7.2 [Report A] reference to this alert. This AIE Rule is based on Data Segregation according to Log Source Root Entity. | 680 | Audit: Access Revoked | N/A | PMC7.5 [B] – Direct | Yes | GPG-13: Servers and Workstations |
GPG-13: Network Auth Failure | This AIE Rule creates an event and alerts on any authentication failure activity against a network connection console at the boundary to supplement testing of GPG-13 control PMC6.8 [Alert B]. This AIE Rule is based on Data Segregation according to Log Source Root Entity. | 677 | Audit: Authentication Failure | N/A | PMC6.8 [B] – Direct | Yes | GPG-13: Network Connection Consoles |
GPG-13: Rejected Connection to Network | This AIE Rule creates an event and alerts on failed attempts to connect equipment to protected network attachment points at the boundary to supplement testing of GPG-13 control PMC6.6 [Alert B]. This AIE Rule is specifically concerned with 802.1X port security on switches. This AIE Rule is based on Data Segregation according to Log Source Root Entity. | 685 | Audit: Other Audit Failure | N/A | PMC6.6 [B] – Direct | Yes | GPG-13: Network Connection Consoles |
GPG-13: Remote Access Auth Failure | This AIE Rule creates an event and alerts on any authentication failure activity originating from a remote access point to supplement testing of GPG-13 control PMC6.1 [Alert A]. This AIE Rule is based on Data Segregation according to Log Source Root Entity. | 674 | Audit: Authentication Failure | GPG-13: Remote Auth Failure | PMC6.1 [A] – Direct | Yes | GPG-13: Remote Access Devices |
GPG-13: Suspected Internal Attack | This AIE Rule creates an event and alerts on suspected attacks (success/failure) against the internal boundary monitoring devices to supplement testing of GPG-13 control PMC5.7 [Alert C]. This AIE Rule is based on Data Segregation according to Log Source Root Entity. | 672 | Security: Attack | GPG-13: Suspected Internal Attack | PMC5.7 [C] – Direct | Yes | GPG-13: Internal Boundary Enforcing Devices |
GPG-13: Suspected Wireless Attack | This AIE Rule creates an event and alerts on suspected wireless attacks (success/failure) against the boundary monitoring devices to supplement testing of GPG-13 control PMC6.12 [Alert D]. This AIE Rule is based on Data Segregation according to Log Source Root Entity. | 678 | Security: Attack | N/A | PMC6.12 [D] – Direct | Yes | GPG-13: Wireless IDS |
GPG-13: Suspicious Rogue Host Activity | This AIE Rule creates an event and alerts on all rogue wireless interfaces or access points logged, based on common event, and directly supports GPG-13 control PMC6.17 and indirectly supports PMC6.10. This AIE Rule is based on Data Segregation according to Log Source Root Entity. | 679 | Security: Suspicious | N/A | PMC6.10 – Augment; PMC6.17 [D] – Direct | Yes | GPG-13: Wireless IDS |
GPG-13: Time Sync Error | This AIE Rule creates an event and alerts for any time sync errors occurring on any Log Source Entities in direct support of GPG-13 control PMC1.2 [Alert A] and in supplemental support of PMC1.1 and 1.3. This AIE Rule is based on Data Segregation according to Log Source Root Entity. | 616 | Operations: Warning | N/A | PMC1.2 [A] – Direct; PMC1.1 & 1.3 – Augment | Yes | GPG-13: All Log Sources |