AI Engine Rules leverage LogRhythm technology to correlate events across your environment to help identify events of interest and potential compliance implications.
Suspected Internal Attack
LogRhythm’s AI Engine allows for alerting and correlation of events across the environment relating to suspected internal attacks. This alerting reduces both time-to-detection and time-to-remediation for any potential attacks within the boundary. Alerts can be configured to notify operations and security personnel so they can research and address potential attacks earlier in the attack lifecycle.
Alarming to Support Continuous Monitoring
A cornerstone of GPG-13 is the ability to continuously monitor the environment at all layers. Various alerts are configured around changes to attack recognition software, boundary monitoring devices, anti-malware solutions, or other solutions supporting this effort. This real-time alerting supports continuous monitoring by notifying security and operations groups of changes that could impact the aforementioned solutions, and it supports existing change control management practices.
File Integrity Monitoring and Alarming
After identifying critical files within your environment and building a list of those objects, the file integrity monitoring rules will assist in identifying when file modifications or permission changes take place and who made those modifications. Real-time alerting helps to ensure change management controls are applied and any deviations are investigated further.
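As an added illustration of the check such a rule performs (example code, not LogRhythm's own implementation), the script below baselines a list of critical files by content hash, permission bits and owner, then reports any deviation. The two monitored files and the changes made to them are constructed for the demo; attribution of who made a change comes from the audit log source, not from file metadata.

```python
"""Minimal file integrity check: baseline critical files, then report
content modifications and permission changes against that baseline."""
import hashlib
import os
import stat
import tempfile
from typing import Dict, List, Tuple

Record = Tuple[str, int, int]  # (sha256 hex digest, permission bits, owner uid)


def snapshot(paths: List[str]) -> Dict[str, Record]:
    """Record hash, mode bits and owner for each monitored file that exists."""
    result: Dict[str, Record] = {}
    for p in paths:
        if not os.path.exists(p):
            continue  # a missing file is reported by compare()
        st = os.stat(p)
        with open(p, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        result[p] = (digest, stat.S_IMODE(st.st_mode), st.st_uid)
    return result


def compare(baseline: Dict[str, Record], current: Dict[str, Record]) -> List[Tuple[str, str]]:
    """Return (path, event) pairs for every deviation from the baseline."""
    events: List[Tuple[str, str]] = []
    for p, (b_hash, b_mode, b_uid) in baseline.items():
        if p not in current:
            events.append((p, "missing"))
            continue
        c_hash, c_mode, c_uid = current[p]
        if c_hash != b_hash:
            events.append((p, "content modified"))
        if c_mode != b_mode:
            events.append((p, f"permissions changed {oct(b_mode)} -> {oct(c_mode)}"))
        if c_uid != b_uid:
            events.append((p, "owner changed"))
    return events


def demo() -> List[Tuple[str, str]]:
    """Constructed scenario: a config file is edited and a key file is chmod'ed."""
    d = tempfile.mkdtemp()
    cfg, key = os.path.join(d, "app.conf"), os.path.join(d, "server.key")
    for p in (cfg, key):
        with open(p, "w") as fh:
            fh.write("original\n")
        os.chmod(p, 0o600)
    baseline = snapshot([cfg, key])
    with open(cfg, "a") as fh:   # unauthorised configuration edit
        fh.write("debug=true\n")
    os.chmod(key, 0o644)         # private key made world-readable
    return [(os.path.basename(p), ev) for p, ev in compare(baseline, snapshot([cfg, key]))]
```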
The following Log Source lists must be populated:
- Internal Boundary Enforcing Devices
- Security Boundary Monitoring Devices
- Security Boundary Content Gateways
- Security Boundary Anti-Malware Gateways
- File Integrity Monitoring
Knowledge Base Content
GPG-13: Suspected Internal Attack
GPG-13: Attck Recog Software Policy Change
GPG-13: Bndry Mon Dvce Config/Policy Chg
GPG-13: Boundary Anti-Malware Policy Change
GPG-13: File Monitoring Event - File Changes
Enable these AI Engine Rules and assign the appropriate Log Sources. Lists can be further leveraged to identify authorized remote user accounts.
In the event that any of these rules trigger and security personnel are alerted, appropriate actions should be taken to investigate, classify, and quarantine any potential attacks. Configuration changes to any solution that could adversely impact overall security within the boundary should be promptly communicated to security personnel. Further, any file modification should be investigated to ensure adherence to the organization’s change control management policy and practice.