Skip to main content
Skip table of contents

NCSC - AI Engine Rules

AI Engine RulesRule IDDescriptionNCSC Control Support*AlarmingClassificationsLog Sources
CCF: Abnormal Amount of Data Transferred1230This rule alerts whenever a significant change (400% increase or 75% decrease) in Bytes In or Bytes Out occurs from a specific host.B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoOperations : Warning1. Include All Log Sources
2. Include All Log Sources
CCF: Abnormal Origin Location1208First tracks geographic locations for logins. Afterwards, triggers when a new origin location is seen for a user.C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : Attack1. Include All Log Sources
2. Include All Log Sources
CCF: Account Deleted Rule1367This rule provides details of accounts that have been deleted.B2.a.01, B2.a.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoAudit: Account DeletedInclude All Log Sources
CCF: Account Disabled Rule1369This AIE Rule alerts whenever any accounts have access revoked.B2.a.01, B2.a.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoAudit: Access RevokedInclude All Log Sources
CCF: Account Enabled Rule1368This AIE Rule alerts whenever any accounts have access granted.B2.a.01, B2.a.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03YesAudit: Access GrantedInclude All Log Sources
CCF: Account Modification1377This AIE Rule creates a common event and provides detail around account modification activity.B2.a.01, B2.a.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoAudit : Account ModifiedInclude All Log Sources
CCF: Admin Password Modified1326User changes the password of a different privileged user account.B2.a.01, B2.a.02, B2.c.01, B2.c.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity: SuspiciousInclude All Log Sources
CCF: Attack then External Connection1211An observed external attack or compromise followed by data leaving the system and going to the attacker.C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : Compromise1. Include All Log Sources
2. Include All Log Sources
CCF: Audit Logging Cleared1328This AIE Rule provides details on audit logging being cleared.B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoAudit : ConfigurationInclude All Log Sources
CCF: Audit Logging Stopped Alarm1328This AIE Rule provides details on audit logging being stopped.B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03YesAudit : ConfigurationInclude All Log Sources
CCF: Auth After Numerous Failed Auths1199Multiple external unique login attempts are seen on the same impacted host within a short period of time, followed by a successful authentication.B2.a.01, B2.a.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : Compromise

1. Include All Log Sources
2. Include All Log Sources

CCF: Auth After Security Event1200An observed attack, compromise, or other security event followed by successful access or authentication from the attacking host.C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : Compromise1. Include All Log Sources
2. Include All Log Sources
CCF: Backup Failure Alarm1236More than 10 backup failure events are detected.B4.a.04, B5.c.01, B5.c.03, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D1.b.04, D2.a.01, D2.a.02, D2.a.03YesOperations : ErrorInclude All Log Sources
CCF: Backup Information1237This AIE Rule creates events for information from backup software.B4.a.04, B5.c.01, B5.c.03, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D1.b.04, D2.a.01, D2.a.02, D2.a.03NoOperations : InformationInclude All Log Sources
CCF: Blacklist Location Auth1204Authentication success from a blacklisted location.C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : CompromiseInclude All Log Sources
CCF: Blacklisted Account Alarm1334This AIE creates an alarm when a blacklisted account activity occurs within the environment.  This requires the CCF: User Blacklist to be populated and updated regularly.B2.a.01, B2.a.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03YesAudit : Other Audit SuccessInclude All Log Sources
CCF: Compromise Detected Alarm1335This AIE rule creates an event and alerts on potential compromises across the environment.C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03YesSecurity : CompromiseInclude All Log Sources
CCF: Concurrent VPN from Multiple Locations1205Multiple VPN authentication successes from the same origin login are observed from different regions within a given time period (defaults to 3 hours).B2.a.01, B2.a.02, B2.a.03, B2.a.04, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : CompromiseInclude All Log Sources
CCF: Concurrent VPN from Same User1373This AIE Rule alerts on the occurrence of concurrent VPN access from the same user.B2.a.01, B2.a.02, B2.a.03, B2.a.04, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : SuspiciousInclude All Log Sources
CCF: Config Change After Attack1214Attack event on a host followed by a configuration change made to that host within 3 minutes. B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : Compromise1. Include All Log Sources
2. Include All Log Sources
CCF: Config Change then Critical Error1216Configuration change followed by a critical error on the same host, indicating an erroneous configuration, malicious intent, or otherwise.B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : Compromise1. Include All Log Sources
2. Include All Log Sources
CCF: Config Deleted/Disabled1219Configuration deleted or disabled within the organization infrastructure.   B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : CompromiseCCF: Production Servers
CCF: Config Modified1221Configuration modified within the organization infrastructure.B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : CompromiseInclude All Log Sources
CCF: Corroborated Account Anomalies12073 or more unique behavioral anomalies for a given user within a 3 hour period. This rule requires Rule IDs 285 - 289 be turned on.

Use Case: An account has been compromised.		C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : CompromiseInclude All Log Sources
CCF: Corroborated Data Access Anomalies12012 or more unique behavioral anomalies for data within a 3 hour period. The alarm requires rule IDs 300-302 be turned on to trigger.C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : CompromiseInclude All Log Sources
CCF: Critical Event After Attack1206An external attack or compromise followed by a critical event on the same host.

Action: This alarm can identify when an error message is generated as the result of a successful attack. This can be an unexpected process termination or a hardware fail.		C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : Compromise1. Include All Log Sources
2. Include All Log Sources
CCF: Critical/PRD Envir Patch Failure Alarm1212This AIE rule creates an alert any time a patch fails to apply to the critical or production environments (entity structure).B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, B4.d.02, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.d.03, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03YesOperations : ErrorInclude All Log Sources
CCF: Data Destruction1202Attack event followed by a FIM delete/modify event on the same host.B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : CompromiseInclude All Log Sources
CCF: Data Exfiltration Observed1193External attack or compromise followed by data leaving the same system.B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : Compromise1. Include All Log Sources
2. Include All Log Sources
CCF: Data Loss Prevention1232This AIE Rule provides details of data generated by the LogRhythm Data Loss Defender or other data loss prevention solutions.B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoOperations : InformationInclude All Log Sources
CCF: Denial of Service Alert1376This AIE Rule alerts on the occurrence of any identified Denial of Service events.C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03YesSecurity: Denial Of ServiceInclude All Log Sources
CCF: Disabled Account Auth Success1194A recently disabled or deleted account authenticates or accesses resources on the network.B2.a.01, B2.a.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : Compromise1. Include All Log Sources
2. Include All Log Sources
CCF: Distributed Brute Force1203A successful brute force authentication - multiple failed authentication attempts from different external hosts to the same host using the same origin login, followed by an authentication success.C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : Compromise1. Include All Log Sources
2. Include All Log Sources
CCF: Early TLS/SSL Alarm1238This AIE Rule alerts on the occurrence of any identified TLS LogRhythm Network Monitor event.B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03YesSecurity : ActivityInclude All Log Sources
CCF: Excessive Authentication Failures Rule1370This AIE Rule supports alerting on >10 authentication failures in 30 minutes (login failures). Match this threshold to your organization's specific authentication failure policies.B2.a.01, B2.a.02, B2.a.03, B2.a.04, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03YesAudit : Authentication FailureInclude All Log Sources
CCF: External Brute Force Auths1197Successful authentication after multiple failed attempts from different external origin hosts to the same impacted host.C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : Compromise1. Include All Log Sources
2. Include All Log Sources

CCF: Failed Audit Log Write Alarm

1332This AIE Rule provides details on audit log write failures.B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03YesAudit : ConfigurationInclude All Log Sources
CCF: FIM Abnormal Activity1233This AIE Rule creates events for all abnormal file integrity monitoring activity.B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : Suspicious1. Include All Log Sources
2. Include All Log Sources
CCF: FIM Add Activity1234This AIE Rule creates events for all file integrity monitoring add activity.B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : ActivityInclude All Log Sources
CCF: FIM Delete Activity Alarm1235This AIE Rule alarms on file integrity monitoring delete activity.B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03YesSecurity : ActivityInclude All Log Sources
CCF: FIM General Activity1239This rule creates an event for file integrity monitoring activity, including adds, deletes, modifies, group changes, owner changes, and permissions. The FIM log source can be established from LogRhythm's FIM or other FIM solutions.B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoOperations : InformationInclude All Log Sources
CCF: FIM Information1229This AIE Rule creates events for general file integrity monitoring information.B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoOperations : InformationInclude All Log Sources
CCF: GeoIP Blacklisted Region Activity1241This rule tracks activity associated with Blacklisted Regions (list).C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : SuspiciousInclude All Log Sources
CCF: GeoIP General Activity1240This rule is designed to use with the Data Processor's GeoIP functionality to represent general GeoIP activity.C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03No

Security : Suspicious

New: Operations : Information

Include All Log Sources
CCF: Large Outbound Transfer1195Single host is seen sending over 1GB of data within 30 minutes out of the network.B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : CompromiseInclude All Log Sources
CCF: Linux sudo Privilege Escalation1330User not in the LogRhythm list "CCF: Privileged Accounts" and not in the local 'sudoers' file tries to use sudo on a Linux host. B2.a.01, B2.a.02, B2.c.01, B2.c.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : SuspiciousInclude All Log Sources
CCF: Local Account Created and Used1196An account is created on a host and then used shortly thereafter on the same host.B2.a.01, B2.a.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : Compromise1. Include All Log Sources
2. Include All Log Sources
CCF: LogRhythm Silent Log Source Error Alarm1209This AIE Rule creates an alert and provides information when a LogRhythm Log Source has not received logs from a critical or production server-system during the defined error period.B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03YesOperations : WarningInclude All Log Sources
CCF: Malware Alarm1217This AIE Rule provides details on malware activity across the organization's environment where malware detection/prevention is applied.B4.c.03, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03YesSecurity : MalwareInclude All Log Sources
CCF: Misuse1231This AIE Rule provides details on misuse activity.B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : MisuseInclude All Log Sources
CCF: Multiple Account Passwords Modified by Admin1327An observed login by a user in the privileged user list followed by the change of two or more other account passwords.B2.a.01, B2.a.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity: SuspiciousInclude All Log Sources
CCF: Non-Encrypted Protocol Alarm1222This investigation provides details of unencrypted applications being utilized within the critical and production systems or environments (entity structure).B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03YesOperations : InformationInclude All Log Sources
CCF: Password Modified by Admin1325Privileged user changes the password of another account.B2.a.01, B2.a.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity: SuspiciousInclude All Log Sources
CCF: Password Modified by Another User1333User changes the password of another account (not their own).B2.a.01, B2.a.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoAudit: Account ModifiedInclude All Log Sources
CCF: PRD Envir Config/Policy Change Alarm1210This AIE rule creates an alert any time a configuration or policy modification logs are received from a critical or production environment (entity structure).B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, B4.d.02, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.d.03, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03YesAudit : PolicyCCF: Production Servers
CCF: PRD Envir Signature Failure Alarm1213This AIE Rule creates an alert on signature update failures on critical or production environments (entity structure).B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, B4.d.02, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.d.03, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03YesOperations : ErrorInclude All Log Sources
CCF: Priv Group Access Granted Alarm1324This AIE Rule provides details on access granted to privileged groups (administrators, dnsadmins, domain admins, enterprise admins, schema admins) within the organization infrastructure.B2.a.01, B2.a.02, B2.c.01, B2.c.02, B2.c.04, B2.c.05, B2.c.08, B2.d.02, B2.d.03, B2.d.05, C1.a.01, C1.a.04, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03YesAudit: Access GrantedInclude All Log Sources
CCF: Privilege Escalation After Attack Alarm1329Compromised host event followed by a new account created or account modified on the same host.C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03YesSecurity : Compromise1. Include All Log Sources
2. Include All Log Sources
CCF: Rogue Access Point Alarm1220This AIE Rule alerts on the occurrence of any rogue access point detection events against the organization's environment.B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03YesSecurity: SuspiciousInclude All Log Sources
CCF: Social Media Event1242This rule tracks social media activity to help identify if private or personal data that should not be in transmission is present within the environment's traffic.C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : SuspiciousInclude All Log Sources
CCF: Software Install Failure Alarm1375This alerts on failed and incomplete attempts to update or install software in the organization.B4.b.05, B4.c.03, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03YesAudit: ConfigurationInclude All Log Sources
CCF: Software Install Rule1371This AIE rule creates an event and alerts on any software installation activity across the environment.B4.b.05, B4.c.03, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoAudit : ConfigurationInclude All Log Sources
CCF: Software Uninstall Failure Alarm1374This alerts on failed or interrupted software uninstallations.B4.b.05, B4.c.03, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03YesAudit: ConfigurationInclude All Log Sources
CCF: Software Uninstall Rule1372This AIE rule creates an event and alerts on any software uninstallation activity across the environment.B4.b.05, B4.c.03, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoAudit : ConfigurationInclude All Log Sources
CCF: Suspected Wireless Attack Alarm1223This AIE Rule creates an event and alerts on suspected wireless attacks (success/failure) against the boundary monitoring devices.B3.b.02, B3.c.02, B3.c.03, B3.c.04, B3.c.05, B3.d.01, B4.b.02, B4.b.03, B4.b.04, C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03YesSecurity: AttackCCF: Wireless IDS
CCF: Time Sync Error Alarm1215This AIE Rule creates an event and alerts for any time sync errors occurring on any Log Source.C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03YesOperations: WarningInclude All Log Sources
CCF: Unknown User Account Alarm1243This rule identifies activity originating from unknown user accounts, based off of the CCF user lists.C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03YesSecurity : SuspiciousInclude All Log Sources
CCF: Vulnerability Detected Alarm1218This AIE Rule alerts on the occurrence of vulnerabilities or suspicious events across the organization's environment.C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03YesSecurity: VulnerabilityInclude All Log Sources
CCF: Windows RunAs Privilege Escalation1321User not in the LogRhythm List "Privileged Users" chooses to Run a Windows program as an administrator using the "Run as administrator" option.C1.a.01, C1.a.05, C1.a.06, C1.c.01, C1.c.02, C1.c.03, C1.c.04, C1.c.05, C1.c.06, C1.d.01, C1.d.02, C1.e.01, C1.e.03, C2.a.01, C2.a.02, C2.a.03, C2.a.04, C2.b.01, D2.a.01, D2.a.02, D2.a.03NoSecurity : Suspicious1. Include All Log Sources
2. Include All Log Sources

*NCSC Control Key

Control Format

Definition

xx.x.xxObjective & Principal, Sub-Objective, Indicators of Good Practice (IGP)
JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close