Healthcare (OT) - AI Engine Rules


| AIE Rule ID | AIE Rule Name | AIE Rule Description |
|---|---|---|
| 1567 | HC: Account Added To Privileged Group | Observes for an account added to an admin/privileged user group. |
| 1568 | HC: Admin Password Modified | Observes for an admin/privileged user password modification. |
| 1569 | HC: Crit Application Config Change | Observes for changes to critical application configurations. |
| 1570 | HC: Crit Backup Failure | Observes for failed critical backup events. |
| 1571 | HC: Crit Database Config Change | Observes for changes to critical database configurations. |
| 1572 | HC: Crit Net Access Config Change | Observes for changes to critical network access configurations. |
| 1573 | HC: Crit Service Stopped | Observes for critical service stop events that are not followed by service start events. |
| 1574 | HC: Crit System Config Change | Observes for changes to critical system configurations. |
| 1575 | HC: Crit System Shutdown | Observes for critical system shutdowns that are not followed by startup activity. |
| 1576 | HC: Data Copy To Removable Device | Observes for data transfer to a removable device (e.g., USB drive). |
| 1577 | HC: Default Or Weak Password | Observes for a default or weak password. |
| 1578 | HC: Device Modified | Observes for device modifications. |
| 1579 | HC: Device Sent Plaintext Credentials | Observes for device transmission of a plaintext password. |
| 1580 | HC: Device Software Vulnerability | Observes for device software vulnerabilities. |
| 1581 | HC: Door Access Granted | Observes for successful door authentications. |
| 1582 | HC: Expired Certificate | Observes for an expired TLS certificate. |
| 1583 | HC: File Deletion Activity | Observes for file deletions. |
| 1584 | HC: Firmware Change | Observes for device firmware changes. |
| 1585 | HC: Malicious IP | Observes for device communication with a destination IP flagged as potentially malicious. |
| 1586 | HC: Multiple Account Lockouts | Observes for an account locked out multiple times (>=3) per hour. |
| 1587 | HC: Multiple Door Access Failures | Observes for multiple failed door authentications. |
| 1588 | HC: New Hardware Detected | Observes for connection of a new external device (e.g., USB drive, keyboard, mouse) to a system. |
| 1589 | HC: New Medical Device | Observes for a newly discovered medical device (e.g., infusion pump). |
| 1590 | HC: Sensor Connected/Disconnected | Observes for sensor connections/disconnections. |
| 1591 | HC: SMBv1 Communication | Observes for device communication over SMBv1. |
| 1592 | HC: Software Install/Update Failure | Observes for failed software installations/updates. |
| 1593 | HC: Software Installed/Updated | Observes for successful software installations/updates. |
| 1594 | HC: System Time Changed | Observes for system time changes. |
| 1595 | HC: User Account Created | Observes for creation of a new user account. |
| 1596 | HC: Vulnerability Scan Event | Observes for vulnerability scans. |