MAS-TRMG – AI Engine Rules
AIE Rules | ID | Description | Alarm | Notification Area | Corresponding Investigation | Directly Meet Requirements | Augment Requirements | Classifications | Log Sources |
---|---|---|---|---|---|---|---|---|---|
MAS: Data Loss Prevention Rule | 1018 | This AIE Rule provides details of data generated by the LogRhythm Data Loss Defender or other data loss prevention solutions, when configured. | No | Operations : Information | MAS: Data Loss Prevention Inv | 7.4.3, 9.6.6, 12.1.4, 12.1.9 | 4.0.2, 4.1.1, 4.4.3, 5.1.4, 5.2.3, 6.2.1, 6.4.3, 7.3.2, 7.3.3, 7.3.6, 7.3.7, 7.3.10, 7.3.12, 7.4.2, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 12.0.3, 12.1.1, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 12.2.3, 12.2.4 | Operations : Information | MAS: Data Loss Prevention |
MAS: Data Exfiltration Rule | 1019 | This AIE rule creates an event anytime an external attack or compromise occurs within the environment, followed by data leaving the same system. | No | | | 7.4.3, 9.6.6, 12.1.4, 12.1.9 | 4.0.2, 4.1.1, 4.4.3, 5.1.4, 5.2.3, 6.2.1, 6.4.3, 7.3.2, 7.3.3, 7.3.6, 7.3.7, 7.3.10, 7.3.12, 7.4.2, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 12.0.3, 12.1.1, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 12.2.3, 12.2.4 | Security : Compromise | MAS: Network Access Control Systems, MAS: Network Security Systems |
MAS: Data Destruction Rule | 1020 | This AIE rule creates an event and alerts when a compromise or attack occurs, followed by file integrity monitoring activities on the same impacted host. | Yes | | | 7.4.3, 9.6.6, 12.1.4, 12.1.9 | 4.0.2, 4.1.1, 4.4.3, 5.1.4, 5.2.3, 6.2.1, 6.4.3, 7.3.2, 7.3.3, 7.3.6, 7.3.7, 7.3.10, 7.3.12, 7.4.2, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 12.0.3, 12.1.1, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 12.2.3, 12.2.4 | Security : Compromise | 1. MAS: Network Access Control Systems, MAS: Network Security Systems 2. MAS: File Integrity Monitors |
MAS: Physical Access Rule | 1021 | This AIE rule creates an event for any access attempts (success or failure) to the defined physical security boundary. | No | | | 10.2.4, 12.1.4 | 5.1.4, 5.2.3, 10.2.1, 10.2.2, 10.2.3, 10.2.4 | Audit : Access Failure | MAS: Physical Security Systems |
MAS: FIM Critical/Error/Information Alert | 1022 | This AIE Rule alerts on the occurrence of any critical, failure, or error to file integrity monitoring solutions. | Yes | Operations : Error, Operations : Critical | MAS: FIM Critical/Error/Information Inv | 7.4.3, 9.6.6, 12.1.9 | 4.0.2, 4.1.1, 4.4.3, 4.5.1, 5.1.4, 5.1.9, 5.1.10, 5.2.3, 5.2.5, 6.0.1, 6.2.1, 6.4.3, 7.1.1, 7.1.2, 7.1.4, 7.1.5, 7.1.7, 7.2.2, 7.3.2, 7.3.3, 7.3.6, 7.3.7, 7.3.10, 7.3.12, 7.4.2, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.3.1, 9.3.2, 9.5.2, 9.6.2, 9.6.3, 12.0.3, 12.1.1, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 12.2.3, 12.2.4 | Operations : Critical | MAS: File Integrity Monitors |
MAS: Acct Created, Used, Then Deleted Alert | 1023 | This AIE Rule creates an alert and provides details on a new account created, then used, and then the account is deleted within the same day. | Yes | Security : Suspicious | MAS: Acct Created, Used, Deleted Inv | 7.4.3, 12.1.9 | 4.0.2, 4.1.1, 4.4.3, 4.5.1, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.2.3, 6.2.1, 6.4.3, 7.3.2, 7.3.3, 7.3.6, 7.3.7, 7.3.10, 7.3.12, 7.4.2, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.3.3, 9.3.4, 9.4.1, 9.4.2, 9.4.3, 9.6.1, 9.6.2, 9.6.3, 11.1.1, 11.1.2, 11.1.4, 11.1.6 | Security : Suspicious | MAS: Network Access Control Systems |
MAS: Vendor Acct Access Fail Alert Rule | 1024 | This AIE rule alerts on the occurrence of any vendor or third party account's (list) failure to authenticate to the organization's production environment, including remote access. | Yes | Audit : Access Failure | MAS: Vendor Acct Access Failure Inv | 11.1.3 | 4.1.1, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.2.3, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.2, 11.1.4, 11.1.6 | Audit : Access Failure | All Log Sources |
MAS: TST Environment Error Alert | 1025 | This AIE rule creates a common event any time an error or critical log message is received from the systems or servers assigned to the Test Servers (entity structure). This rule assists with change management testing procedures. | Yes | Operations : Error, Operations : Critical | MAS: TST Environment Error Inv | N/A | 6.2.1, 6.2.2, 6.2.5, 6.4.4, 7.1.1, 7.1.2, 7.1.4, 7.1.5, 7.1.7, 7.2.2, 9.5.2 | Operations : Critical | All Log Sources |
MAS: TST Priv Acct Auth | 1026 | This AIE rule creates a common event for any privileged account authentication against a test environment (entity structure). | No | Audit : Authentication Success, Audit : Authentication Failure | MAS: TST Priv Acct Authentication Inv | N/A | 6.2.1, 6.2.2, 6.2.5, 6.4.4, 7.1.1, 7.1.2, 7.1.4, 7.1.5, 7.1.7, 7.2.2, 9.5.2 | Audit : Authentication Failure | All Log Sources |
MAS: Vendor Acct Auth Failure Alert Rule | 1027 | This AIE rule alerts on the occurrence of any vendor or third party account's (list) access failures to the organization's production environment, including remote access. | Yes | Audit : Authentication Failure | MAS: Vendor Acct Authentication Failure Inv | 11.1.3 | 4.1.1, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.2.3, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.2, 11.1.4, 11.1.6 | Audit : Authentication Failure | All Log Sources |
MAS: Critical Environment Error Alert | 1028 | This AIE rule creates a common event any time an error or critical log message is received from the systems or servers assigned to the Critical Servers-Systems (entity structure). | Yes | Operations : Critical, Operations : Error | MAS: Critical Environment Error Inv | 7.4.3, 9.6.6 | 4.0.2, 4.1.1, 4.4.3, 4.5.1, 5.1.9, 5.1.10, 5.2.5, 6.0.1, 6.2.1, 6.4.3, 7.1.1, 7.1.2, 7.1.4, 7.1.5, 7.1.7, 7.2.2, 7.3.2, 7.3.3, 7.3.6, 7.3.7, 7.3.10, 7.3.12, 7.4.2, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.3.1, 9.3.2, 9.5.2, 9.6.2, 9.6.3 | Operations : Critical | All Log Sources |
MAS: Production Environment Error Alert | 1029 | This AIE rule creates a common event any time an error or critical log message is received from the systems or servers assigned to the Production Servers-Systems (entity structure). | Yes | Operations : Critical, Operations : Error | MAS: Production Environment Error Inv | 7.4.3, 9.6.6 | 4.0.2, 4.1.1, 4.4.3, 4.5.1, 5.1.9, 5.1.10, 5.2.5, 6.0.1, 6.2.1, 6.4.3, 7.1.1, 7.1.2, 7.1.4, 7.1.5, 7.1.7, 7.2.2, 7.3.2, 7.3.3, 7.3.6, 7.3.7, 7.3.10, 7.3.12, 7.4.2, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.3.1, 9.3.2, 9.5.2, 9.6.2, 9.6.3 | Operations : Critical | All Log Sources |
MAS: LogRhythm Silent Log Source Error Alert | 1030 | This AIE Rule creates an alert and provides information when a LogRhythm Log Source has not received logs from a critical or production server-system during the defined error period. | Yes | Operations : Warning | MAS: LogRhythm Silent Log Source Error Inv | 7.4.3, 9.6.6, 12.1.9 | 4.0.2, 4.1.1, 4.4.3, 4.5.1, 5.1.4, 5.1.7, 5.1.9, 5.1.10, 5.2.3, 5.2.5, 6.0.1, 6.2.1, 6.4.3, 7.1.1, 7.1.2, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.2.2, 7.3.2, 7.3.3, 7.3.6, 7.3.7, 7.3.10, 7.3.12, 7.4.2, 8.4.1, 8.4.3, 8.4.4, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.1, 9.4.2, 9.4.3, 9.5.2, 9.6.1, 9.6.2, 9.6.3, 12.0.3, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 12.2.3, 12.2.4 | Operations : Warning | All Log Sources |
MAS: Backup Failure/Error Alert | 1031 | This AIE rule creates an alert and provides information when a backup system or server issues a critical or error log message. | Yes | Operations : Critical, Operations : Error | MAS: Backup Failure/Error Inv | 7.4.3, 9.6.6, 12.1.9 | 4.0.2, 4.1.1, 4.4.3, 4.5.1, 5.1.4, 5.1.7, 5.1.9, 5.1.10, 5.2.3, 5.2.5, 6.0.1, 6.2.1, 6.4.3, 7.1.6, 7.3.2, 7.3.3, 7.3.6, 7.3.7, 7.3.10, 7.3.12, 7.4.2, 8.4.1, 8.4.3, 8.4.4, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.3.4, 9.6.2, 9.6.3, 12.0.3, 12.1.1, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 12.2.3, 12.2.4 | Operations : Critical | MAS: Backup Servers- Systems |
MAS: Critical/PRD Envir Config/Policy Change Alert | 1032 | This AIE rule creates an alert any time a configuration or policy modification logs are received from a critical or production environment (entity structure). | Yes | Audit : Configuration, Audit : Policy | MAS: Config/Policy Change Inv | N/A | 4.0.2, 4.1.1, 7.1.1, 7.1.2, 7.1.4, 7.1.5, 7.1.7, 7.2.2, 9.3.1, 9.3.2, 9.5.1, 9.5.2 | Audit : Policy | All Log Sources |
MAS: Critical/PRD Envir Patch Failure Alert | 1033 | This AIE rule creates an alert any time a patch fails to apply to the critical or production environments (entity structure). | Yes | Operations : Error | MAS: Patch Failure Inv | N/A | 4.0.2, 4.1.1, 4.4.3, 4.5.1, 5.1.9, 5.1.10, 5.2.5, 6.0.1, 7.1.1, 7.1.2, 7.1.4, 7.1.5, 7.1.7, 7.2.2, 9.3.1, 9.3.2, 9.5.1, 9.5.2 | Operations : Error | All Log Sources |
MAS: Critical/PRD Envir Signature Fail Alert | 1034 | This AIE Rule creates an alert on signature update failures on critical or production environments (entity structure). | Yes | Operations : Error | MAS: Signature Failure Inv | N/A | 4.0.2, 4.1.1, 4.4.3, 4.5.1, 5.1.9, 5.1.10, 5.2.5, 6.0.1, 7.1.1, 7.1.2, 7.1.4, 7.1.5, 7.1.7, 7.2.2, 9.3.1, 9.3.2, 9.5.1, 9.5.2 | Operations : Error | All Log Sources |
MAS: Time Sync Error Alert | 1035 | This AIE Rule creates an event and alerts for any time sync errors occurring on any Log Source. | Yes | Operations : Warning | MAS: Time Sync Error Inv | 7.4.3, 9.6.6, 12.1.9 | 4.0.2, 4.1.1, 4.4.3, 4.5.1, 5.1.9, 5.1.10, 5.2.5, 6.0.1, 6.2.1, 6.4.3, 7.1.1, 7.1.2, 7.1.4, 7.1.5, 7.1.7, 7.2.2, 7.3.2, 7.3.3, 7.3.6, 7.3.7, 7.3.10, 7.3.12, 7.4.2, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.3.1, 9.3.2, 9.5.2, 9.6.2, 9.6.3, 12.0.3, 12.1.5, 12.1.6, 12.2.3, 12.2.4 | Operations : Warning | All Log Sources |
MAS: Malware Alert | 1036 | This AIE Rule provides details on malware activity across the organization's environment where malware detection/prevention is applied. | Yes | Security : Malware | MAS: Malware Detected Inv | 7.4.3, 12.1.9 | 4.0.2, 4.1.1, 4.4.3, 4.5.1, 6.2.1, 6.4.3, 7.3.2, 7.3.3, 7.3.6, 7.3.7, 7.3.10, 7.3.12, 7.4.2, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.3.3, 9.3.4, 9.4.1, 9.4.2, 9.4.3, 9.6.1, 9.6.2, 9.6.3, 12.0.3, 12.1.1, 12.1.3, 12.1.4, 12.1.5, 12.2.3, 12.2.4 | Security : Malware | MAS: Malware Prevention Systems |
MAS: Vulnerability Detected Alert | 1037 | This AIE Rule alerts on the occurrence of vulnerabilities or suspicious events across the organization's environment. | Yes | Security : Vulnerability | MAS: Vulnerability Detected Inv | 7.4.3, 12.1.9 | 4.0.2, 4.1.1, 4.4.3, 4.5.1, 6.2.1, 6.4.3, 7.3.2, 7.3.3, 7.3.6, 7.3.7, 7.3.10, 7.3.12, 7.4.2, 9.0.2, 9.1.1, 9.1.2, 7.1.6, 9.3.3, 9.3.4, 9.4.1, 9.4.2, 9.4.3, 9.6.1, 9.6.2, 9.6.3, 12.0.3, 12.1.1, 12.1.3, 12.1.4, 12.1.5, 12.2.3, 12.2.4 | Security : Vulnerability | MAS: Network Security Systems |
MAS: Attack Detected Alert | 1038 | This AIE rule creates an event and alerts on known attacks or failed attack attempts across the environment. | Yes | Security : Attack | MAS: Attack Detected Inv | 7.4.3, 12.1.9 | 4.0.2, 4.1.1, 4.4.3, 4.5.1, 6.2.1, 6.4.3, 7.3.2, 7.3.3, 7.3.6, 7.3.7, 7.3.10, 7.3.12, 7.4.2, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.3.3, 9.3.4, 9.4.1, 9.4.2, 9.4.3, 9.6.1, 9.6.2, 9.6.3, 12.0.3, 12.1.1, 12.1.3, 12.1.4, 12.1.5, 12.2.3, 12.2.4 | Security : Attack | MAS: Malware Prevention Systems, MAS: Network Access Control Systems, MAS: Network Security Systems |
MAS: Rogue Access Point Alert | 1039 | This AIE Rule alerts on the occurrence of any rogue access point detection events against the organization's environment. | Yes | Security : Suspicious | MAS: Rogue Access Point Inv | 7.4.3, 12.1.9 | 4.0.2, 4.1.1, 4.4.3, 4.5.1, 6.2.1, 6.4.3, 7.3.2, 7.3.3, 7.3.6, 7.3.7, 7.3.10, 7.3.12, 7.4.2, 9.0.2, 9.1.1, 9.1.2, 7.1.6, 9.3.3, 9.3.4, 9.3.5, 9.4.1, 9.4.2, 9.4.3, 9.6.1, 9.6.2, 9.6.3, 12.0.3, 12.1.1, 12.1.3, 12.1.4, 12.1.5, 12.2.3, 12.2.4 | Security : Suspicious | MAS: Network Security Systems |
MAS: Priv Acct Auth Failure Alert | 1040 | This AIE rule creates an alarm any time a privileged account fails to authenticate against a critical or production environment (entity structure). | Yes | Audit : Authentication Failure | MAS: Priv Acct Auth Failure Inv | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Authentication Failure | All Log Sources |
MAS: Priv Acct Access Failure Alert | 1041 | This AIE rule creates an alarm any time a privileged account experiences an access failure against a critical or production environment (entity structure). | Yes | Audit : Access Failure | MAS: Priv Acct Access Failure Inv | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Access Failure | All Log Sources |
MAS: Backup Activity Rule | 1042 | This AIE rule creates an AIE event any time backup activity occurs within the environment. This may assist with monitoring backup activities for operations and audit purposes. | No | Operations : Information | MAS: Backup Activity Inv | 7.4.3, 9.6.6, 12.1.9 | 4.0.2, 4.1.1, 4.4.3, 4.5.1, 5.1.4, 5.1.7, 5.1.9, 5.1.10, 5.2.3, 5.2.5, 6.2.1, 6.4.3, 7.1.6, 7.3.2, 7.3.3, 7.3.6, 7.3.7, 7.3.10, 7.3.12, 7.4.2, 8.4.1, 8.4.3, 8.4.4, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.3.4, 9.6.2, 9.6.3, 12.0.3, 12.1.1, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 12.2.3, 12.2.4 | Operations : Information | MAS: Backup Servers- Systems |
MAS: FIM Activity Rule | 1043 | This rule creates an event for file integrity monitoring activity including adds, deletes, modifies, group changes, owner changes, and permissions. The FIM log source can be established from LogRhythm's FIM or other FIM solutions. | No | Operations : Information | MAS: FIM Activity Inv | 12.1.4, 12.1.9 | 4.0.2, 4.1.1, 4.4.3, 4.5.1, 5.1.4, 5.2.3, 6.2.1, 6.4.3, 7.3.2, 7.3.3, 7.3.6, 7.3.7, 7.3.10, 7.3.12, 7.4.2, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 12.1.1, 12.1.3, 12.1.5, 12.2.3, 12.2.4 | Operations : Information | MAS: File Integrity Monitors |
MAS: Audit Log Cleared Failure Alert | 1044 | This AIE Rule alerts on the occurrence of audit log clearing. | Yes | Audit : Other Audit Failure | MAS: Audit Log Inv | 7.4.3, 9.6.6, 12.1.4, 12.1.9 | 4.0.2, 4.1.1, 4.4.3, 4.5.1, 5.1.4, 5.1.7, 5.1.9, 5.1.10, 5.2.3, 5.2.5, 6.0.1, 6.2.1, 6.4.3, 7.1.1, 7.1.2, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.2.2, 7.3.2, 7.3.3, 7.3.6, 7.3.7, 7.3.10, 7.3.12, 7.4.2, 8.4.1, 8.4.3, 8.4.4, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.1, 9.4.2, 9.4.3, 9.5.2, 9.6.1, 9.6.2, 9.6.3, 12.0.3, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 12.2.3, 12.2.4 | Audit : Other Audit Failure | MAS: All Log Sources |
MAS: Audit Log Write Alert | 1045 | This AIE Rule alerts on the occurrence of audit log write failures. | Yes | Audit | MAS: Audit Log Inv | 7.4.3, 9.6.6, 12.1.4, 12.1.9 | 4.0.2, 4.1.1, 4.4.3, 4.5.1, 5.1.4, 5.1.7, 5.1.9, 5.1.10, 5.2.3, 5.2.5, 6.0.1, 6.2.1, 6.4.3, 7.1.1, 7.1.2, 7.1.4, 7.1.5, 7.1.6, 7.1.7, 7.2.2, 7.3.2, 7.3.3, 7.3.6, 7.3.7, 7.3.10, 7.3.12, 7.4.2, 8.4.1, 8.4.3, 8.4.4, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.3.1, 9.3.2, 9.3.3, 9.3.4, 9.4.1, 9.4.2, 9.4.3, 9.5.2, 9.6.1, 9.6.2, 9.6.3, 12.0.3, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 12.2.3, 12.2.4 | Audit : Access Success | MAS: All Log Sources |
MAS: Non-Encrypted Protocol | 1046 | This AIE rule provides a summary of non-encrypted protocols seen on the network. | Yes | Operations : Information | MAS: Non-Encrypted Protocol Inv | 7.4.3 | 4.0.2, 4.1.1, 4.4.3, 4.5.1, 5.1.4, 5.2.3, 6.2.1, 6.4.3, 7.3.2, 7.3.3, 7.3.6, 7.3.7, 7.3.10, 7.3.12, 7.4.2, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.3.1, 9.3.2, 9.6.2, 9.6.3, 12.1.3 | Operations : Information | All Log Sources |
MAS: HR Payroll Acct Auth Failure Rule | 1056 | This rule creates an event around HR or Payroll account (list) authentication failures across Critical and Production environments (entity structure). | No | | | 7.4.3 | 4.0.2, 4.1.1, 4.4.3, 4.5.1, 5.1.4, 5.2.3, 6.2.1, 6.4.3, 7.3.2, 7.3.3, 7.3.6, 7.3.7, 7.3.10, 7.3.12, 7.4.2, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.3.1, 9.3.2, 9.6.2, 9.6.3, 12.1.3 | Operations : Information | All Log Sources |
MAS: HR Payroll Acct Auth Success Rule | 1057 | This rule creates an event around HR or Payroll account (list) authentication success across Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Authentication Failure | All Log Sources |
MAS: HR Payroll Acct Accs Failure Rule | 1058 | This rule creates an event around HR or Payroll account (list) access failure across Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Authentication Success | All Log Sources |
MAS: HR Payroll Acct Accs Success Rule | 1059 | This rule creates an event around access success for HR or Payroll accounts (list) within the Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Access Failure | All Log Sources |
MAS: HR Payroll Acct Disable/Enable Rule | 1060 | This rule creates an event when an HR or Payroll account (list) has access revoked (disabled) or granted (enabled) across Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Access Success | All Log Sources |
MAS: HR Payroll Acct UAM | 1061 | This rule creates a common event when various access modifications to HR or Payroll accounts (list) occur within Critical or Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.5, 11.1.6 | Audit : Access Revoked, Audit : Access Granted | MAS: Network Access Control Systems |
MAS: Priv Acct Access Failure Alert | 1062 | This rule creates an event around privileged account authentication successes across Critical and Production environments (entity structure). | Yes | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Access Failure | MAS: Network Access Control Systems |
MAS: Priv Acct UAM Rule | 1063 | This rule creates an event for various access modifications to privileged accounts (list) occurring within Critical or Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Account Modified | MAS: Network Access Control Systems |
MAS: Priv Acct Access Success Rule | 1064 | This rule creates an event for access success of privileged accounts (list) within the Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Access Success | All Log Sources |
MAS: Priv Acct Disabled/Enabled Rule | 1065 | This rule creates an event when a privileged account (list) has access revoked (disabled) or granted (enabled) across Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.2.3, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.2, 11.1.4, 11.1.6 | Audit : Access Revoked, Audit : Access Granted | MAS: Network Access Control Systems |
MAS: Vendor Acct Auth Success Rule | 1066 | This rule creates an event for vendor account (list) authentication success across Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.2.3, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.2, 11.1.4, 11.1.6 | Audit : Authentication Success | MAS: Network Access Control Systems |
MAS: Vendor Acct Access Success Rule | 1067 | This rule creates an event for access success of vendor accounts (list) within the Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.2.3, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.2, 11.1.4, 11.1.6 | Audit : Access Success | All Log Sources |
MAS: Vendor Acct Disabled/Enabled Rule | 1068 | This rule creates an event when a vendor account (list) has access revoked (disabled) or granted (enabled) across Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.2.3, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.2, 11.1.4, 11.1.5, 11.1.6 | Audit : Access Revoked, Audit : Access Granted | MAS: Network Access Control Systems |
MAS: Vendor Acct UAM Rule | 1069 | This rule creates an event for various access modifications to vendor accounts (list) occurring within Critical or Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.2.3, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.2, 11.1.4, 11.1.6 | Audit : Account Modified | MAS: Network Access Control Systems |
MAS: Default Acct Auth Failure Rule | 1070 | This rule creates an event for default and generic account (list) authentication failures across Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Authentication Failure | All Log Sources |
MAS: Default Acct Auth Success Rule | 1071 | This rule creates an event for default and generic account (list) authentication success across Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Authentication Success | All Log Sources |
MAS: Default Acct Access Failure Rule | 1072 | This rule creates an event for access failures of default and generic accounts (list) within the Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Access Failure | MAS: Network Access Control Systems |
MAS: Default Acct Access Success Rule | 1073 | This rule creates an event for access success of default and generic accounts (list) within the Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Access Success | All Log Sources |
MAS: Default Acct Disabled/Enabled Rule | 1074 | This rule creates an event when a default or generic account (list) has access revoked (disabled) or granted (enabled) across Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.5, 11.1.6 | Audit : Access Revoked, Audit : Access Granted | MAS: Network Access Control Systems |
MAS: Default Acct UAM Rule | 1075 | This rule creates an event for various access modifications to default and generic accounts (list) occurring within Critical or Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Account Modified | MAS: Network Access Control Systems |
MAS: Shared Acct Auth Failure Rule | 1076 | This rule creates an event for shared account (list) authentication failures across Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Authentication Failure | All Log Sources |
MAS: Shared Acct Auth Success Rule | 1077 | This rule creates an event for shared account (list) authentication success across Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Authentication Success | All Log Sources |
MAS: Shared Acct Access Failure Rule | 1078 | This rule creates an event for access failures of shared accounts (list) within the Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Access Failure | MAS: Network Access Control Systems |
MAS: Shared Acct Access Success Rule | 1079 | This rule creates an event for access success of shared accounts (list) within the Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Access Success | All Log Sources |
MAS: Shared Acct Disabled/Enabled Rule | 1080 | This rule creates an event when a shared account (list) has access revoked (disabled) or granted (enabled) across Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.5, 11.1.6 | Audit : Access Revoked, Audit : Access Granted | MAS: Network Access Control Systems |
MAS: Shared Acct UAM Rule | 1081 | This rule creates an event for various access modifications to shared accounts (list) occurring within Critical or Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Account Modified | MAS: Network Access Control Systems |
MAS: BU Acct Auth Failure Rule | 1082 | This rule creates an event for business user account (list) authentication failures across Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Authentication Failure | All Log Sources |
MAS: BU Acct Auth Success Rule | 1083 | This rule creates an event around business user account (list) authentication success across Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Authentication Success | All Log Sources |
MAS: BU Acct Access Failure Rule | 1084 | This rule creates an event around access failures for business user accounts (list) within the Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Access Failure | All Log Sources |
MAS: BU Acct Access Success Rule | 1085 | This rule creates an event for access success of business user accounts (list) within the Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Access Success | All Log Sources |
MAS: BU Acct Disabled/Enabled Rule | 1086 | This rule creates an event when a business user account (list) has access revoked (disabled) or granted (enabled) across Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.5, 11.1.6 | Audit : Access Revoked, Audit : Access Granted | MAS: Network Access Control Systems |
MAS: BU Acct UAM Rule | 1087 | This rule creates an event for access modifications to business user accounts (list) occurring within Critical or Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Account Modified | MAS: Network Access Control Systems |
MAS: IT Acct Auth Failure Rule | 1088 | This rule creates an event around IT user account (list) authentication failures across Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Authentication Failure | All Log Sources |
MAS: IT Acct Auth Success Rule | 1089 | This rule creates an event around IT user account (list) authentication success across Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Authentication Success | All Log Sources |
MAS: IT Acct Access Failure Rule | 1090 | This rule creates an event around access failures for IT user accounts (list) within the Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Access Failure | MAS: Network Access Control Systems |
MAS: IT Acct Access Success Rule | 1091 | This rule creates an event around access success for IT user accounts (list) within the Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Access Success | All Log Sources |
MAS: IT Acct Disabled/Enabled Rule | 1092 | This rule creates an event when an IT user account (list) has access revoked (disabled) or granted (enabled) across Critical and Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.5, 11.1.6 | Audit : Access Revoked, Audit : Access Granted | MAS: Network Access Control Systems |
MAS: IT Acct UAM Rule | 1093 | This rule creates an event for various access modifications to IT user accounts (list) occurring within Critical or Production environments (entity structure). | No | | | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Account Modified | MAS: Network Access Control Systems |
MAS: Account Created Alert | 1094 | This rule creates an event around account creations as compared to existing user lists within LogRhythm and supplements User Access Management activities. | Yes | Audit : Account Created | MAS: Account Created Inv | 11.1.3 | 4.1.1, 6.2.1, 6.4.3, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.6.2, 9.6.3, 11.1.1, 11.1.4, 11.1.6 | Audit : Account Modified | MAS: Network Access Control Systems |
MAS: Terminated User Access Activity Alert | 1095 | This rule creates an event around access success and failures from terminated accounts (list) within Critical and Production environments (entity structure). | Yes | Audit : Access Success, Audit : Access Failure | MAS: Terminated User Access Activity Inv | 11.1.3 | 4.1.1, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.2.3, 10.2.1, 11.1.1, 11.1.2, 11.1.4, 11.1.5, 11.1.6 | Audit : Access Failure | All Log Sources |
MAS: Terminated User Auth Activity Alert | 1096 | This rule creates an event around authentication successes and failures from terminated accounts (list) within Critical and Production environments (entity structure). | Yes | Audit : Authentication Failure, Audit : Authentication Success | MAS: Terminated User Authentication Activity Inv | 11.1.3 | 4.1.1, 5.1.3, 5.1.4, 5.1.5, 5.1.6, 5.1.7, 5.2.3, 10.2.1, 11.1.1, 11.1.2, 11.1.4, 11.1.5, 11.1.6 | Audit : Authentication Failure | All Log Sources |
MAS: Suspicious Door Access Alert | 1097 | This AIE Rule provides details on suspicious physical door access. | Yes | Security : Suspicious | MAS: Suspicious Door Access Inv | 10.2.4, 12.1.4 | 5.1.4, 5.2.3, 10.2.1, 10.2.2, 10.2.3, 10.2.4 | Security : Suspicious | MAS: Physical Security Systems |
MAS: Suspected Wireless Attack Alert | 1098 | This AIE Rule creates an event and alerts on suspected wireless attacks (success/failure) against the boundary monitoring devices. | Yes | Security : Attack | MAS: Suspected Wireless Attack Inv | 7.4.3 | 4.1.1, 4.4.3, 4.5.1, 6.2.1, 6.4.3, 7.3.2, 7.3.3, 7.3.6, 7.3.7, 7.3.10, 7.3.12, 7.4.2, 9.0.2, 9.1.1, 9.1.2, 9.1.6, 9.3.3, 9.3.4, 9.3.5, 9.4.1, 9.4.2, 9.4.3, 9.6.1, 9.6.2, 9.6.3 | Security : Attack | MAS: Wireless IDS |
MAS: Online Banking Auth Success Rule | 1099 | This rule creates an event around account authentication success within Online Banking environments (entity structure). | No | | | 12.1.4 | 12.0.3, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 12.2.3, 12.2.4 | Audit : Authentication Success | All Log Sources |
MAS: Online Banking Auth Fail Rule | 1100 | This rule creates an event around account authentication failures within Online Banking environments (entity structure). | No | | | 12.1.4 | 12.0.3, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 12.2.3, 12.2.4 | Audit : Authentication Failure | All Log Sources |
MAS: Online Banking Accs Success Rule | 1101 | This rule creates an event for access success of accounts within the Online Banking environments (entity structure). | No | | | 12.1.4 | 12.0.3, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 12.2.3, 12.2.4 | Audit : Access Success | All Log Sources |
MAS: Online Banking Accs Fail Rule | 1102 | This rule creates an event around access failures for accounts within the Online Banking environments (entity structure). | No | | | 12.1.4 | 12.0.3, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 12.2.3, 12.2.4 | Audit : Access Failure | All Log Sources |
MAS: Online Bank Config/Policy Change Alert | 1103 | This AIE rule creates an alert any time configuration or policy modification logs are received from an Online Banking environment (entity structure). | Yes | Audit : Policy, Audit : Configuration | MAS: Config/Policy Change Inv | 12.1.4, 12.1.9 | 12.0.3, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 12.2.3, 12.2.4 | Audit : Policy | All Log Sources |
MAS: Online Banking Patch Failure Alert | 1104 | This AIE rule creates an alert any time a patch fails to apply to the Online Banking environments (entity structure). | Yes | Operations : Error | MAS: Patch Failure Inv | 12.1.4, 12.1.9 | 12.0.3, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 12.2.3, 12.2.4 | Operations : Error | All Log Sources |
MAS: Online Banking Signature Fail Alert | 1105 | This AIE Rule creates an alert on signature update failures within the Online Banking environments (entity structure). | Yes | Operations : Error | MAS: Signature Failure Inv | 12.1.4, 12.1.9 | 12.0.3, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 12.2.3, 12.2.4 | Operations : Error | All Log Sources |
MAS: Online Banking Error Alert | 1119 | This AIE rule creates a common event any time an error or critical log message is received from the systems or servers assigned to the Online Banking Systems (entity structure). | Yes | Operations : Critical, Operations : Error | MAS: Online Banking Error Inv | 12.1.4, 12.1.9 | 12.0.3, 12.1.1, 12.1.2, 12.1.3, 12.1.4, 12.1.5, 12.1.6, 12.2.3, 12.2.4 | Operations : Critical | All Log Sources |