| AI Engine Rule Name | Description | Rule Block Summary |
|---|---|---|
| HC: Account Added to Privileged Group | Observes for an account added to an admin/privileged user group | Primary Criteria: Common Event Is: Account Added To Group and Group Is: Privileged Groups<br>Log Sources: All Log Sources<br>Group By: User (Origin), Group, User (Impacted) |
| HC: Admin Password Modified | Observes for an admin/privileged user password modification | Primary Criteria: Common Event Is: Password Modified and User (Impacted) Is: HC: Privileged Users<br>Log Sources: All Log Sources<br>Group By: User (Origin), User (Impacted) |
| HC: Crit Application Config Change | Observes for changes to critical application configurations | Primary Criteria: Common Event Is: Configuration Modified : Application, Configuration Deleted : Application, Configuration Enabled : Application, Configuration Loaded : Application<br>Log Sources: All Log Sources<br>Group By: Process Name, Host (Impacted) |
| HC: Crit Backup Failure | Observes for failed critical backup events | Primary Criteria: Common Event Is: Backup Failed, Backup Failure<br>Log Sources: All Log Sources<br>Group By: Host (Impacted) |
| HC: Crit Database Config Change | Observes for changes to critical database configurations | Primary Criteria: Common Event Is: Configuration Deleted : Database, Configuration Disabled : Database, Configuration Modified : Database, Configuration Enabled : Database, Configuration Loaded : Database<br>Log Sources: All Log Sources<br>Group By: Host (Impacted), Object |
| HC: Crit Net Access Config Change | Observes for changes to critical network access configurations | Primary Criteria: Common Event Is: Configuration Deleted : Network Access, Configuration Disabled : Network Access, Configuration Modified : Network Access, Configuration Enabled : Network Access, Configuration Loaded : Network Access<br>Log Sources: All Log Sources<br>Group By: Host (Impacted) |
| HC: Crit Service Stopped | Observes for critical service stop events that are not followed by service start events | Primary Criteria: Common Event Is: Process/Service Stopped, Process/Service Stopping, Service Shutdown<br>Log Sources: All Log Sources<br>Group By: Host (Impacted), Process Name |
| HC: Crit System Config Change | Observes for changes to critical system configurations | Primary Criteria: Common Event Is: Configuration Deleted : System, Configuration Disabled : System, Configuration Modified : System, Configuration Enabled : System, Configuration Loaded : System<br>Log Sources: All Log Sources<br>Group By: Host (Impacted) |
| HC: Crit System Shutdown | Observes for critical system shutdowns that are not followed by startup activity | Primary Criteria: Common Event Is: System Restarting, System Shutdown, System Shutting Down<br>Log Sources: All Log Sources<br>Group By: Host (Impacted) |
| HC: Data Copy To Removable Device | Observes for data transfer to a removable device (e.g., USB drive) | Primary Criteria: Rule Block 1: Log Source Type Is: LogRhythm Data Loss Defender and MPE Rule Name Is: CONNECTED - CDRom, CONNECTED - Removable; Rule Block 2: Log Source Type Is: LogRhythm Data Loss Defender and MPE Rule Name Is: DATACOPY - Removable/CDRom<br>Log Sources: Rule Block 1: All Log Sources; Rule Block 2: All Log Sources<br>Group By: Rule Block 1: User (Origin), Common Event; Rule Block 2: User (Origin), Common Event |
| HC: Default Or Weak Password | Observes for a default or weak password | Primary Criteria: Common Event Is: Vuln Low Severity : Default Password, Vuln Medium Severity : Default Password, Vuln High Severity : Default Password, Password Too Short<br>Log Sources: All Log Sources<br>Group By: Classification, Common Event |
| HC: Device Modified | Observes for device modifications | Primary Criteria: Log Source Type Is: Syslog - Ordr SCE and Common Event Is: Object Modified<br>Log Sources: All Log Sources<br>Group By: Classification, Common Event |
| HC: Device Sent Plaintext Credentials | Observes for device transmission of a plaintext password | Primary Criteria: Log Source Type Is: Syslog - Medigate CEF and Common Event Is: Vuln High Severity : General<br>Log Sources: All Log Sources<br>Group By: Classification, Common Event |
| HC: Device Software Vulnerability | Observes for device software vulnerabilities | Primary Criteria: Log Source Type Is: Syslog - Ordr SCE and Common Event Is: Vuln Low Severity : General<br>Log Sources: All Log Sources<br>Group By: Classification, Common Event |
| HC: Door Access Granted | Observes for successful door authentications | Primary Criteria: Log Source Type Is: Flat File - S2 Badge Reader, Flat File - KERISYS Doors Event Export Format and Common Event Is: Object Accessed, Door Access Granted<br>Log Sources: All Log Sources<br>Group By: Classification, User (Origin), Common Event |
| HC: Expired Certificate | Observes for an expired TLS certificate | Primary Criteria: Log Source Type Is: Syslog - Medigate, Syslog - Ordr SCE<br>Log Sources: All Log Sources<br>Group By: Classification, Common Event |
| HC: File Deletion Activity | Observes for file deletions | Primary Criteria: Common Event Is: File Deleted, File Monitoring Event - Delete<br>Log Sources: All Log Sources<br>Group By: User (Origin), Host (Impacted), Object |
| HC: Firmware Change | Observes for device firmware changes | Primary Criteria: Log Source Type Is: Syslog - Medigate and Common Event Is: Upgrade Information<br>Log Sources: All Log Sources<br>Group By: Classification, Common Event |
| HC: Malicious IP | Observes for device communication with a destination IP flagged as potentially malicious | Primary Criteria: Log Source Type Is: Syslog - Ordr SCE, Syslog - Medigate CEF and Common Event Is: Bad IP Reputation<br>Log Sources: All Log Sources<br>Group By: Classification, Common Event |
| HC: Multiple Account Lockouts | Observes for an account locked out multiple times (>=3) per hour | Primary Criteria: Common Event Is: Account Locked, User Logon Failure : Account Locked Out<br>Log Sources: All Log Sources<br>Group By: User (Impacted), Log Source, Common Event<br>Thresholds: Log Count >= 3 |
| HC: Multiple Door Access Failures | Observes for multiple failed door authentications | Primary Criteria: Log Source Type Is: Flat File - S2 Badge Reader, Flat File - KERISYS Doors Event Export Format, UDLA - Symmetry Access Control and Common Event Is: Access Object Failure<br>Log Sources: All Log Sources<br>Group By: Classification, Common Event<br>Thresholds: Log Count >= 3 |
| HC: New Hardware Detected | Observes for connection of a new external device (e.g., USB drive, keyboard, mouse) to a system | Primary Criteria: Common Event Is: New Device Found, Hardware Installed, Object Initialized, General Device Manager Message<br>Log Sources: All Log Sources<br>Group By: Classification, Common Event |
| HC: New Medical Device | Observes for a newly discovered medical device (e.g., infusion pump) | Primary Criteria: Log Source Type Is: Syslog - Ordr SCE, Syslog - Medigate and Common Event Is: New Device Found, Object Created<br>Log Sources: All Log Sources<br>Group By: Classification, Common Event |
| HC: Sensor Connected/Disconnected | Observes for sensor connections/disconnections | Primary Criteria: Log Source Type Is: Syslog - Ordr SCE and Common Event Is: Interface Connected, Interface Disconnected<br>Log Sources: All Log Sources<br>Group By: Classification, Common Event |
| HC: SMBv1 Communication | Observes for device communication over SMBv1 | Primary Criteria: Log Source Type Is: Syslog - Medigate and Common Event Is: SMB Session Created<br>Log Sources: All Log Sources<br>Group By: Classification, Common Event |
| HC: Software Install/Update Failure | Observes for failed software installations/updates | Primary Criteria: Common Event Is: Install Failed, Software Installation Failed, Software Update Failed, Update Failed<br>Log Sources: All Log Sources<br>Group By: Classification, Common Event |
| HC: Software Installed/Updated | Observes for successful software installations/updates | Primary Criteria: Common Event Is: Software Installed, Software Updated, Update Successful<br>Log Sources: All Log Sources<br>Group By: Classification, Common Event |
| HC: System Time Changed | Observes for system time changes | Primary Criteria: Common Event Is: Session Setting Changed, Time Adjusted, System Time Updated<br>Log Sources: All Log Sources<br>Group By: Classification, Common Event |
| HC: User Account Created | Observes for creation of a new user account | Primary Criteria: Classification Is: Account Created<br>Log Sources: All Log Sources<br>Group By: User (Origin), Host (Impacted) |
| HC: Vulnerability Scan Event | Observes for vulnerability scans | Primary Criteria: Log Source Type Is: Syslog - Ordr SCE and Common Event Is: Scan Started, Scan Stopped<br>Log Sources: All Log Sources<br>Group By: Classification, Common Event |