
GPG-13 User Guide – AI Engine Rules


AI Engine Rules leverage LogRhythm technology to correlate events across your environment to help identify events of interest and potential compliance implications.

Suspected Internal Attack

LogRhythm’s AI Engine allows for alerting and correlation of events across the environment relating to suspected internal attacks. This alerting allows for reduced time-to-detection and time-to-remediate any potential attacks within the boundary. Alerts can be configured to notify operations and security personnel to research and address potential attacks sooner in the attack lifecycle.

Alarming to Support Continuous Monitoring

A cornerstone of GPG-13 is the ability to continuously monitor the environment at all layers. Various alerts are configured around changes to attack recognition software, boundary monitoring devices, anti-malware solutions, or other solutions supporting this effort. This real-time alerting supports continuous monitoring by allowing security and operations groups to be notified of changes that could impact the aforementioned solutions, and it supports existing change control management practices.

File Integrity Monitoring and Alarming

After identifying critical files within your environment and building a list of those objects, the file integrity monitoring rules will assist in identifying when file modifications or permission changes take place and who made those modifications. Real-time alerting helps to ensure change management controls are applied and any deviations are investigated further.

Log Requirements

The following Log Source lists must be populated:

  • Internal Boundary Enforcing Devices
  • Security Boundary Monitoring Devices
  • Security Boundary Content Gateways
  • Security Boundary Anti-Malware Gateways
  • File Integrity Monitoring

Knowledge Base Content

ID    Name
672   GPG-13: Suspected Internal Attack
665   GPG-13: Attck Recog Software Policy Change
664   GPG-13: Bndry Mon Dvce Config/Policy Chg
618   GPG-13: Boundary Anti-Malware Policy Change
668   GPG-13: File Monitoring Event - File Changes

Configuration

Enable these AI Engine Rules and assign the appropriate Log Sources. Lists can be further leveraged to identify authorized remote user accounts.

Actions

In the event that any of these rules triggers and security personnel are alerted, appropriate actions should be taken to investigate, classify, and quarantine any potential attacks. Configuration changes to any solution that could adversely impact overall security within the boundary should be promptly communicated to security personnel. Further, any file modification should be investigated to ensure adherence to the organization’s change control management policy and practice.
