Skip to main content
Skip table of contents

GPG-13 User Guide – AI Engine Rules

AI Engine Rules leverage LogRhythm technology to correlate events across your environment to help identify events of interest and potential compliance implications.

Suspected Internal Attack

LogRhythm’s AI Engine allows for alerting and correlation of events across the environment relating to suspected internal attacks. This alerting allows for reduced time-to-detection and time-to-remediate any potential attacks within the boundary. Alerts can be configured to notify operations and security personnel to research and address potential attacks sooner in the attack lifecycle.

Alarming to Support Continuous Monitoring

A cornerstone of GPG-13 is the ability to continuously monitor the environment from all layers. Various alerts are configured around changes to attack recognition software, boundary monitoring devices, anti-malware solutions or other solutions supporting this effort. This real time alerting supports continuous monitoring by allowing security and operations groups to be notified of changes that could impact the aforementioned solutions and support existing change control management practices.

File Integrity Monitoring and Alarming

After identifying critical files within your environment and building a list of those objects, the file integrity monitoring rules will assist in identifying when file modifications or permission changes take place and who made those modifications. Real-time alerting helps to ensure change management controls are applied and any deviations are investigated further.

Log Requirements

The following Log Source lists must be populated:

  • Internal Boundary Enforcing Devices
  • Security Boundary Monitoring Devices
  • Security Boundary Content Gateways
  • Security Boundary Anti-Malware Gateways
  • File Integrity Monitoring

Knowledge Base Content




GPG-13: Suspected Internal Attack


GPG-13: Attck Recog Software Policy Change


GPG-13: Bndry Mon Dvce Config/Policy Chg


GPG-13: Boundary Anti-Malware Policy Change


GPG-13: File Monitoring Event - File Changes


Enable these AI Engine Rules and assign the appropriate Log Sources. Lists can be further leveraged to identify authorized remote user accounts.


In the event that either of these rules triggers and security personnel are alerted, appropriate actions should be taken to investigate, classify, and quarantine any potential attacks. Configuration changes to any solution that could adversely impact overall security within the boundary should be promptly communicated to security personnel. Further, any file modification should be investigated to ensure adherence to the organization’s change control management policy and practice.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.