NCA OTCC User Guide – AI Engine Rules
AI Engine (AIE) Rules leverage LogRhythm technology to correlate events across your environment, helping to identify events of interest and potential compliance issues. The goal of many of these rules is to quickly surface activity that indicates a control failure or other potential non-compliance with NCA OTCC, so that your organization and its compliance owners can confirm the required controls are in place and remediate gaps as soon as possible, limiting the time spent out of compliance.
Malware Alarm Rule
A cornerstone of NCA OTCC is the ability to continuously monitor the environment at all layers. This Alarm (#1217) is configured to alert when malicious activity occurs within the environment. The AIE Rule creates an event and a notification alarm when malware is detected on devices that have been designated as log sources, or on devices covered by network monitoring.
Data Loss Prevention
The Operational Technology Cybersecurity Controls (OTCC-1:2022) were developed to increase the protection of OT/ICS environments and must be implemented as an extension to NCA's Essential Cybersecurity Controls (ECC-1:2018), so compliance with both is required across the critical infrastructure in scope. Data Loss Prevention (DLP) within CCF is focused on protecting sensitive information within the organization's environment. DLP can be coupled with FIM policies to provide more robust monitoring of sensitive data and of the user activity that touches it. For this example, we look at three rules: CCF: Data Loss Prevention, CCF: Corroborated Data Access Anomalies, and CCF: Abnormal Amount of Data Transferred. In addition to FIM rules and policies, DLP provides objects that look for suspicious activity affecting sensitive data. Log sources should include the systems that store sensitive data (as well as the FIM applications monitoring them) so that tampering with data or unauthorized transfers of data can be tracked.
LogRhythm Silent Log Source Error Alarm
Because LogRhythm Enterprise may itself serve as a mitigating control, it is crucial to alarm on any instance where an in-scope log source stops sending logs. An alarm from this rule (#1209) may indicate a control failure that needs to be addressed. Used alongside other audit-failure alerting, this rule lets the organization limit the duration of any control failure relating to logging and monitoring.
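As an added illustration of the check this rule performs (example code written for this guide, not LogRhythm's AIE rule logic), the following Python script reads constructed syslog-style lines, records when each host was last seen, and flags in-scope sources that have been quiet longer than their expected interval or that have never reported at all. It also lists hosts that are logging but are missing from the in-scope inventory. The hostnames, per-source thresholds and log format are assumptions made for the example.

```python
"""Silent log source check, written for this guide as an illustration of what
the CCF: LogRhythm Silent Log Source Error Alarm detects. It is not LogRhythm's
rule logic. Hostnames, thresholds and the syslog-like format are constructed."""
from datetime import datetime, timedelta

# Assumed in-scope inventory: each source and the longest gap between logs we
# tolerate before treating it as silent (a firewall should never go quiet for
# long; a scanner that reports once a day legitimately may).
IN_SCOPE = {
    "fw-edge-01": timedelta(minutes=15),
    "dc-01": timedelta(minutes=30),
    "av-console": timedelta(hours=1),
    "vuln-scanner": timedelta(hours=24),
}

# Constructed sample lines: "<UTC timestamp> <host> <message>".
SAMPLE_LOGS = """\
2024-03-01T09:00:05Z fw-edge-01 ALLOW tcp 10.1.1.5:51000 -> 10.2.0.9:443
2024-03-01T09:00:07Z dc-01 Audit success: logon user=jdoe
2024-03-01T09:05:00Z av-console Heartbeat ok
2024-03-01T09:40:12Z fw-edge-01 DENY udp 10.1.1.7:5353 -> 224.0.0.251:5353
not-a-timestamp fw-edge-01 malformed line, skipped by the parser
2024-03-01T09:58:00Z fw-edge-01 ALLOW tcp 10.1.1.5:51010 -> 10.2.0.9:443
2024-03-01T09:59:30Z unknown-host cron: job finished
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def last_seen_by_host(text):
    """Return {host: datetime of the newest parsable line from that host}."""
    last_seen = {}
    for line in text.splitlines():
        parts = line.split(" ", 2)
        if len(parts) < 2:
            continue
        try:
            ts = datetime.strptime(parts[0], TS_FORMAT)
        except ValueError:
            continue  # unparsable timestamp: ignore the line rather than crash
        host = parts[1]
        if host not in last_seen or ts > last_seen[host]:
            last_seen[host] = ts
    return last_seen


def silent_sources(last_seen, in_scope, now):
    """List (host, status, gap_seconds) for in-scope sources that are silent.

    status is "silent" when the source was seen but exceeded its allowed gap,
    or "never reported" when no log from it exists at all; a source that was
    expected but never onboarded is the case that is easiest to overlook.
    """
    findings = []
    for host, max_gap in sorted(in_scope.items()):
        seen = last_seen.get(host)
        if seen is None:
            findings.append((host, "never reported", None))
        elif now - seen > max_gap:
            findings.append((host, "silent", int((now - seen).total_seconds())))
    return findings


def unregistered_sources(last_seen, in_scope):
    """Hosts that are logging but are not in the in-scope inventory: an
    inventory gap rather than a silence, but worth surfacing in the same run."""
    return sorted(h for h in last_seen if h not in in_scope)


def check(text, in_scope, now_iso):
    """Run both checks at a given reference time (ISO 8601 UTC string)."""
    now = datetime.strptime(now_iso, TS_FORMAT)
    last_seen = last_seen_by_host(text)
    return {
        "silent": silent_sources(last_seen, in_scope, now),
        "unregistered": unregistered_sources(last_seen, in_scope),
    }


if __name__ == "__main__":
    result = check(SAMPLE_LOGS, IN_SCOPE, "2024-03-01T10:00:00Z")
    for host, status, gap in result["silent"]:
        print(f"ALARM {host}: {status}" + (f" for {gap}s" if gap else ""))
    for host in result["unregistered"]:
        print(f"NOTICE {host}: logging but not in the in-scope inventory")
```

Run against the sample at 10:00 UTC, the check alarms on dc-01 (quiet for just under an hour against a 30-minute allowance) and on vuln-scanner (never seen), while fw-edge-01 and av-console are within their allowed gaps. The per-source threshold matters: a single global timeout would either miss a quiet firewall or raise a false alarm on every low-volume source.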
Log Requirements
These AIE rules cover all log sources in your environment but specifically require logs from anti-malware systems, firewalls, servers, workstations, security-enforcing devices, access management systems, and vulnerability detection systems. When configured correctly, LogRhythm's advanced correlation and AIE rules provide near-real-time alerts for malicious activity and attacks.
KB Content
Object Type | Name | ID |
---|---|---|
AIE Alarm Rule | CCF: LogRhythm Silent Log Source Error Alarm | 1209 |
AIE Alarm Rule | CCF: Malware Alarm | 1217 |
AIE Rule | CCF: Abnormal Amount of Data Transferred | 1230 |
AIE Rule | CCF: Corroborated Data Access Anomalies | 1201 |
AIE Rule | CCF: Data Loss Prevention | 1232 |