Healthcare (OT) - AIE Rule Configuration
| AI Engine Rule Name | Description | Rule Block Summary | |
|---|---|---|---|
| HC: Account Added to Privileged Group | Observes for an account added to an admin/privileged user group | Primary Criteria | Common Event Is : Account Added To Group and Group Is : Privileged Groups |
| Log Sources | All Log Sources | ||
| Group By | User (Origin) Group User (Impacted) | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: Admin Password Modified | Observes for an admin/privileged user password modification | Primary Criteria | Common Event Is : Password Modified and User (Impacted) Is : HC: Privileged Users |
| Log Sources | All Log Sources | ||
| Group By | User (Origin) User (Impacted) | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: Crit Application Config Change | Observes for changes to critical application configurations | Primary Criteria | Common Event Is : Configuration Modified : Application Configuration Deleted : Application Configuration Enabled : Application Configuration Loaded : Application |
| Log Sources | All Log Sources | ||
| Group By | Process Name Host (Impacted) | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: Crit Backup Failure | Observes for failed critical backup events | Primary Criteria | Common Event Is : Backup Failed Backup Falure |
| Log Sources | All Log Sources | ||
| Group By | Host (Impacted) | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: Crit Database Config Change | Observes for changes to critical database configurations | Primary Criteria | Common Event Is : Configuration Deleted : Database Configuration Disabled : Database Configuration Modified : Database Configuration Enabled : Database Configuration Loaded : Database |
| Log Sources | All Log Sources | ||
| Group By | Host (Impacted) Object | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: Crit Net Access Config Change | Observes for changes to critical network access configurations | Primary Criteria | Common Event Is : Configuration Deleted : Network Access Configuration Disabled : Network Access Configuration Modified : Network Access Configuration Enabled : Network Access Configuration Loaded : Network Access |
| Log Sources | All Log Sources | ||
| Group By | Host (Impacted) | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: Crit Service Stopped | Observes for critical service stop events that are not followed by service start events | Primary Criteria | Common Event Is : Process/Service Stopped Process/Service Stopping Service Shutdown |
| Log Sources | All Log Sources | ||
| Group By | Host (Impacted) Process Name | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: Crit System Config Change | Observes for changes to critical system configurations | Primary Criteria | Common Event Is : Configuration Deleted: System Configuration Disabled : System Configuration Modified : System Configuration Enabled : System Configuration Loaded : System |
| Log Sources | All Log Sources | ||
| Group By | Host (Impacted) | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: Crit System Shutdown | Observes for critical system shutdowns that are not followed by startup activity | Primary Criteria | Common Event Is : System Restarting System Shutdown System Shutting Down |
| Log Sources | All Log Sources | ||
| Group By | Host (Impacted) | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: Data Copy To Removable Device | Observes for data transfer to a removable device (e.g., USB drive) | Primary Criteria | Rule Block 1: Log Source Type Is : LogRhythm Data Loss Defender and MPE Rule Name Is : CONNECTED - CDRom CONNECTED - Removable Rule Block 2: Log Source Type Is : LogRhythm Data Loss Defender and MPE Rule Name Is : DATACOPY - Removable/CDRom |
| Log Sources | Rule Block 1: All Log Sources Rule Block 2: All Log Sources | ||
| Group By | Rule Block 1: User (Origin) Common Event Rule Block 2: User (Origin) Common Event | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: Default Or Weak Password | Observes for a default or weak password | Primary Criteria | Common Event Is : Vuln Low Severity : Default Password Vuln Medium Severity : Default Password Vuln High Severity : Default Password Password Too Short |
| Log Sources | All Log Sources | ||
| Group By | Classification Common Event | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: Device Modified | Observes for device modifications | Primary Criteria | Log Source Type Is : Syslog - Ordr SCE and Common Event Is : Object Modified |
| Log Sources | All Log Sources | ||
| Group By | Classification Common Event | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: Device Sent Plaintext Credentials | Observes for device transmission of a plaintext password | Primary Criteria | Log Source Type Is : Syslog - Medigate CEF and Common Event Is : Vuln High Severity : General |
| Log Sources | All Log Sources | ||
| Group By | Classification Common Event | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: Device Software Vulnerability | Observes for device software vulnerabilities | Primary Criteria | Log Source Type Is : Syslog - Ordr SCE and Common Event Is : Vuln Low Severity : General |
| Log Sources | All Log Sources | ||
| Group By | Classification Common Event | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: Door Access Granted | Observes for successful door authentications | Primary Criteria | Log Source Type Is : Flat File - S2 Badge Reader Flat File - KERISYS Doors Event Export Format and Common Event Is : Object Accessed Door Access Granted |
| Log Sources | All Log Sources | ||
| Group By | Classification User (Origin) Common Event | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: Expired Certificate | Observes for an expired TLS certificate | Primary Criteria | Log Source Type Is : Syslog - Medigate Syslog - Ordr SCE |
| Log Sources | All Log Sources | ||
| Group By | Classification Common Event | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: File Deletion Activity | Observes for file deletions | Primary Criteria | Common Event Is : File Deleted File Monitoring Event - Delete |
| Log Sources | All Log Sources | ||
| Group By | User (Origin) Host (Impacted) Object | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: Firmware Change | Observes for device firmware changes | Primary Criteria | Log Source Type Is : Syslog - Medigate and Common Event Is : Upgrade Information |
| Log Sources | All Log Sources | ||
| Group By | Classification Common Event | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: Malicious IP | Observes for device communication with a destination IP flagged as potentially malicious | Primary Criteria | Log Source Type Is : Syslog - Ordr SCE Syslog - Medigate CEF and Common Event Is : Bad IP Reputation |
| Log Sources | All Log Sources | ||
| Group By | Classification Common Event | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: Multiple Account Lockouts | Observes for an account locked out multiple times (>=3) per hour | Primary Criteria | Common Event Is : Account Locked User Logon Failure : Account Locked Out |
| Log Sources | All Log Sources | ||
| Group By | User (Impacted) Log Source Common Event | ||
| Thresholds | Log Count >=3 | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: Multiple Door Access Failures | Observes for multiple failed door authentications | Primary Criteria | Log Source Type Is : Flat File - S2 Badge Reader Flat File - KERISYS Doors Event Export Format UDLA - Symmetry Access Control and Common Event Is : Access Object Failure |
| Log Sources | All Log Sources | ||
| Group By | Classification Common Event | ||
| Thresholds | Log Count >=3 | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: New Hardware Detected | Observes for connection of a new external device (e.g., USB drive, keyboard, mouse) to a system | Primary Criteria | Common Event Is : New Device Found Hardware Installed Object Initialized General Device Manager Message |
| Log Sources | All Log Sources | ||
| Group By | Classification Common Event | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: New Medical Device | Observes for a newly discovered medical device (e.g., infusion pump) | Primary Criteria | Log Source Type Is : Syslog - Ordr SCE Syslog - Medigate and Common Event Is : New Device Found Object Created |
| Log Sources | All Log Sources | ||
| Group By | Classification Common Event | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: Sensor Connected/Disconnected | Observes for sensor connections/disconnections | Primary Criteria | Log Source Type Is : Syslog - Ordr SCE and Common Event Is : Interface Connected Interface Disconnected |
| Log Sources | All Log Sources | ||
| Group By | Classification Common Event | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: SMBv1 Communication | Observes for device communication over SMBv1 | Primary Criteria | Log Source Type Is : Syslog - Medigate and Common Event Is : SMB Session Created |
| Log Sources | All Log Sources | ||
| Group By | Classification Common Event | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: Software Install/Update Failure | Observes for failed software installations/updates | Primary Criteria | Common Event Is : Install Failed Software Installation Failed Software Update Failed Update Failed |
| Log Sources | All Log Sources | ||
| Group By | Classification Common Event | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: Software Installed/Updated | Observes for successful software installations/updates | Primary Criteria | Common Event Is : Software Installed Software Updated Update Successful |
| Log Sources | All Log Sources | ||
| Group By | Classification Common Event | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: System Time Changed | Observes for system time changes | Primary Criteria | Common Event : Session Setting Changed Time Adjusted System Time Updated |
| Log Sources | All Log Sources | ||
| Group By | Classification Common Event | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: User Account Created | Observes for creation of a new user account | Primary Criteria | Classification Is : Account Created |
| Log Sources | All Log Sources | ||
| Group By | User (Origin) Host (Impacted) | ||
| AI Engine Rule Name | Description | Rule Block Summary | |
| HC: Vulnerability Scan Event | Observes for vulnerability scans | Primary Criteria | Log Source Type Is : Syslog - Ordr SCE Common Event Is : Scan Started Scan Stopped |
| Log Sources | All Log Sources | ||
| Group By | Classification Common Event | ||