NERC – AI Engine Rules
AI Engine Rule Name | Description | ID | Notification Area | Corresponding Investigation | Directly Meets Requirements | Augment Requirements | Alarming | Classifications | Log Sources |
---|---|---|---|---|---|---|---|---|---|
NERC-CIP: Account Locked or Disabled Rule | This AIE rule creates an event any time an account is locked or disabled within the environment. | 868 | Audit | N/A | 007 R5 | N/A | FALSE | Audit : Access Revoked | NERC-CIP: BES Cyber Systems, NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Attack Detected Rule | This AIE rule creates an event and alerts on known attacks or failed attack attempts across the environment. | 863 | Security Operations | NERC-CIP: Attack Detected Detail | 005-5 R1, 007-5 R4 | 007-5 R3, 007-5 R4, 007-5, 008-5 R1, 008-5 R2, 008-5 R3 | TRUE | Security : Attack | NERC-CIP: BES Cyber Systems, NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Backup Critical/Error Rule | This AIE rule creates an event and alarms on any “critical” or “error” status relating to a backup operation. | 869 | IT Operations | NERC-CIP: Backup Critical/Error Status Detail | N/A | 009-5 R1, 011-1 R1 | TRUE | Operations : Critical | NERC-CIP: All Log Sources |
NERC-CIP: Compromise Detected Rule | This AIE rule creates an event and alerts on potential compromises across the environment. | 864 | Security Operations | NERC-CIP: Compromise Detected Detail | 005-5 R1, 007-5 R4 | 007-5 R3, 007-5 R4, 007-5, 008-5 R1, 008-5 R2, 008-5 R3 | TRUE | Security : Compromise | NERC-CIP: BES Cyber Systems, NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Concur VPN From Multiple Cities | This AIE Rule provides details on multiple successful VPN authentications by the same origin login from different cities within a given time period (default 6 hours). | 858 | Security Operations | NERC-CIP: Concur VPN Auths Same User Detail | 005-5 R1, 007-5 R4 | 007-5 R3, 007-5 R4, 007-5, 008-5 R1, 008-5 R2, 008-5 R3 | TRUE | Security : Compromise | NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Concur VPN From Multiple Country | This AIE Rule provides details on multiple successful VPN authentications by the same origin login from different countries within a given time period (default 1 day). | 859 | Security Operations | NERC-CIP: Concur VPN Auths Same User Detail | 005-5 R1, 007-5 R4 | 007-5 R3, 007-5 R4, 007-5, 008-5 R1, 008-5 R2, 008-5 R3 | TRUE | Security : Compromise | NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Concur VPN From Multiple Region | This AIE Rule provides details on multiple successful VPN authentications by the same origin login from different regions within a given time period (default 12 hours). | 860 | Security Operations | NERC-CIP: Concur VPN Auths Same User Detail | 005-5 R1, 007-5 R4 | 007-5 R3, 007-5 R4, 007-5, 008-5 R1, 008-5 R2, 008-5 R3 | TRUE | Security : Compromise | NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Concur VPN Same User | This AIE Rule provides details on multiple VPN logins by the same user from different origin hosts within a short period of time. | 856 | Security Operations | NERC-CIP: Concur VPN Auths Same User Detail | 005-5 R1, 007-5 R4 | 007-5 R3, 007-5 R4, 007 R5, 008-5 R1, 008-5 R2 | TRUE | Security : Compromise | NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Config/Policy Change | This AIE Rule creates an event when there is a change to any device configuration or policy within the defined environment. | 870 | Audit | NERC-CIP: Config/Policy Change Detail | N/A | 010-1 R1, 010-1 R2, 010-1 R3 | FALSE | Audit : Configuration | NERC-CIP: BES Cyber Systems, NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Data Destruction Rule | This AIE rule creates an event and alerts when a compromise or attack is followed by file integrity monitoring activity on the same impacted host. | 865 | Security Operations | NERC-CIP: Data Loss Defender Detail | 005-5 R1, 007-5 R4 | 007-5 R3, 007-5 R4, 008-5 R1, 008-5 R2, 008-5 R3, 009-5 R1, 011-1 R1 | TRUE | Security : Compromise | NERC-CIP: BES Cyber Systems, NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Data Exfiltration Rule | This AIE rule creates an event any time an external attack or compromise within the environment is followed by data leaving the same system. | 866 | Security Operations | NERC-CIP: Data Loss Defender Detail | 005-5 R1, 007-5 R4 | 007-5 R3, 007-5 R4, 008-5 R1, 008-5 R2, 008-5 R3, 009-5 R1, 011-1 R1 | FALSE | Security : Compromise | NERC-CIP: BES Cyber Systems, NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Data Loss Prevention Rule | This AIE Rule provides details of data generated by the LogRhythm Data Loss Defender, when configured. | 867 | Security Operations | NERC-CIP: Data Loss Defender Detail | 005-5 R1, 007-5 R4 | 007-5 R3, 007-5 R4, 008-5 R1, 008-5 R2, 008-5 R3, 009-5 R1, 011-1 R1 | FALSE | Operations : Information | NERC-CIP: BES Cyber Systems, NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Default Act Auth/Accs Failure Rule | This AIE Rule generates an alert on default account authentication failure activity (login failure). | 853 | Audit | NERC-CIP: Default Act Auth/Accs Failure Detail | 007-5 R4, 007-5 R5, 007 R5 | 004-5 R4, 007-5 R4 | TRUE | Audit : Authentication Failure | NERC-CIP: BES Cyber Systems |
NERC-CIP: ESP Network Allowed Egress Rule | This AIE Rule provides details on allowed egress network communication to the ESP (electronic security perimeter). | 878 | IT Operations | NERC-CIP: ESP Ingress/Egress Net Detail | 005-5 R1, 007-5 R4 | 005-5 R1, 005-5 R2, 007-5 R3, 007-5 R4, 007 R5, 008-5 R1, 008-5 R2 | FALSE | Operations : Network Allow | NERC-CIP: Electronic Security Perimeter |
NERC-CIP: ESP Network Allowed Ingress Rule | This AIE Rule provides details on allowed ingress network communication to the ESP (electronic security perimeter). | 879 | IT Operations | NERC-CIP: ESP Ingress/Egress Net Detail | 005-5 R1, 007-5 R4 | 005-5 R1, 005-5 R2, 007-5 R3, 007-5 R4, 007 R5, 008-5 R1, 008-5 R2 | FALSE | Operations : Network Allow | NERC-CIP: Electronic Security Perimeter |
NERC-CIP: ESP Network Denied Egress Rule | This AIE Rule provides details on denied egress network communication to the ESP (electronic security perimeter). | 876 | IT Operations | NERC-CIP: ESP Ingress/Egress Net Detail | 005-5 R1, 007-5 R4 | 005-5 R1, 005-5 R2, 007-5 R3, 007-5 R4, 007 R5, 008-5 R1, 008-5 R2 | FALSE | Operations : Network Deny | NERC-CIP: Electronic Security Perimeter |
NERC-CIP: ESP Network Denied Ingress Rule | This AIE Rule provides details on denied ingress network communication to the ESP (electronic security perimeter). | 877 | IT Operations | NERC-CIP: ESP Ingress/Egress Net Detail | 005-5 R1, 007-5 R4 | 005-5 R1, 005-5 R2, 007-5 R3, 007-5 R4, 007 R5, 008-5 R1, 008-5 R2 | FALSE | Operations : Network Deny | NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Files Deleted by Admin | This AIE Rule creates an event when a privileged user login is followed by multiple file deletions, indicating the administrator may be destroying large amounts of data. | 875 | Security Operations | N/A | N/A | ID.GV-1, ID.GV-1, PR.PT-1 | TRUE | Security : Suspicious | NERC-CIP: BES Cyber Systems |
NERC-CIP: Int Acct Created, Used, Deleted | This AIE Rule creates an alert and provides details when a new account is created, used, and deleted within the same day. | 843 | Security Operations | NERC-CIP: Int Acct Created, Used, Deleted | 007-5 R4, 007-5 R5, 005-5 R1 | 004-5 R4, 007-5 R3, 007-5 R4, 007 R5, 008-5 R1, 008-5 R2, 008-5 R3 | TRUE | Security : Suspicious | NERC-CIP: BES Cyber Systems |
NERC-CIP: Malware Detected Rule | This AIE rule creates an event and alerts when malware is detected across the environment. | 862 | Security Operations | NERC-CIP: Malware Detected Detail | 005-5 R1, 007-5 R4 | 007-5 R3, 007-5 R4, 007-5, 008-5 R1, 008-5 R2, 008-5 R3 | TRUE | Security : Malware | NERC-CIP: BES Cyber Systems, NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Physical Access Failure Rule | This AIE Rule creates events of physical security authentication or access failures across the Physical Security Perimeter. | 841 | Audit | NERC-CIP Physical Access Detail | 004-5 R5, 006-5 R1, 007-5 R4, 007-5 R5 | 004-5 R4, 006-5 R2, 007-5 R4 | TRUE | Audit : Access Failure | NERC-CIP: Physical Security Perimeter |
NERC-CIP: Physical Access Success Rule | This AIE Rule creates events of physical security authentication or access success across the Physical Security Perimeter. | 842 | Audit | NERC-CIP Physical Access Detail | 004-5 R5, 006-5 R1, 007-5 R4, 007-5 R5 | 004-5 R4, 004-5 R5, 006-5 R2, 007-5 R4 | FALSE | Audit : Access Success | NERC-CIP: Physical Security Perimeter |
NERC-CIP: Port Misuse: FTP | This rule creates an event when FTP servers are running on non-standard ports. This requires the use of LogRhythm's Network Monitor or a next-gen firewall capable of application or port identification logging. | 880 | Security Operations | N/A | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 005-5 R1, 005-5 R2 | FALSE | Security : Suspicious | NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Port Misuse: HTTP | This rule creates an event when HTTP traffic is not using the common ports of 80 and 443. This requires the use of LogRhythm's Network Monitor or a next-gen firewall with capabilities of application or port identification logging. | 881 | Security Operations | N/A | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 005-5 R1, 005-5 R2 | FALSE | Security : Suspicious | NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Port Misuse: SSH In | This AIE rule creates an event when inbound SSH traffic is connecting over non-standard ports (not 22). This requires the use of LogRhythm's Network Monitor or a next-gen firewall capable of application or port identification logging. | 882 | Security Operations | N/A | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 005-5 R1, 005-5 R2 | FALSE | Security : Suspicious | NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Port Misuse: SSH Out | This AIE rule creates an event when outbound SSH traffic is connecting over non-standard ports (not 22). This requires the use of LogRhythm's Network Monitor or a next-gen firewall capable of application or port identification logging. | 883 | Security Operations | N/A | 005-5 R1, 007-5 R4 | 007-5 R3, 008-5 R1, 008-5 R2, 008-5 R3, 007-5 R4, 005-5 R1, 005-5 R2 | FALSE | Security : Suspicious | NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Priv Act Auth/Accs Failure Rule | This AIE Rule generates an alert on privileged account authentication failure activity (login failure). | 848 | Audit | NERC-CIP: Priv Act Auth/Accs Failure Detail | 007-5 R4, 007-5 R5, 007 R5 | 004-5 R4, 007-5 R4 | TRUE | Audit : Authentication Failure | NERC-CIP: BES Cyber Systems |
NERC-CIP: Priv Act Auth/Accs Success Rule | This AIE Rule provides details on privileged account authentication success (login success) or access success within the organization's infrastructure. | 849 | Audit | NERC-CIP: Priv Act Auth/Accs Success Detail | 007-5 R4, 007-5 R5 | 004-5 R4, 007-5 R4 | FALSE | Audit : Authentication Success | NERC-CIP: BES Cyber Systems |
NERC-CIP: Priv Group Access Granted Rule | This AIE Rule creates an alert and provides details on access granted to privileged groups (administrators, dnsadmins, domain admins, enterprise admins, schema admins) according to the established list of NERC-CIP: Default Priv Groups. | 844 | Audit | NERC-CIP: Priv Group Access Granted Detail | 007-5 R4, 007-5 R5 | 007-5 R4, 004-5 R4, 011-1 R1 | TRUE | Audit : Access Granted | NERC-CIP: BES Cyber Systems |
NERC-CIP: Rogue WAP Detected Rule | This AIE Rule creates an event and alerts on all rogue wireless interfaces or access points logged based on common events. | 855 | Security Operations | NERC-CIP: Rogue WAP Detected Detail | 005-5 R1 | 005-5 R1, 005-5 R2 | TRUE | Security : Suspicious | NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Shared Act Auth/Accs Failure Rule | This AIE Rule generates an alert on shared account authentication failure activity (login failure). | 850 | Audit | NERC-CIP: Shared Act Auth/Accs Failure Detail | 007-5 R4, 007-5 R5, 007 R5 | 004-5 R4, 007-5 R4 | TRUE | Audit : Authentication Failure | NERC-CIP: BES Cyber Systems |
NERC-CIP: Software Installation Rule | This AIE rule creates an event and alerts on any software installation activity across the environment. | 871 | Audit | NERC-CIP: Software Installation Detail | N/A | 010-1 R1, 010-1 R2, 010-1 R3 | TRUE | Audit : Configuration | NERC-CIP: BES Cyber Systems, NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Software Status Change After Attack | This AIE Rule creates an event and alerts when a security event is followed by an application installation on the same host. | 872 | Security Operations | NERC-CIP: Attack Detected Detail | N/A | 010-1 R1, 010-1 R2, 010-1 R3 | TRUE | Security : Compromise | NERC-CIP: All Log Sources |
NERC-CIP: Suspicious Activity Rule | This AIE Rule creates an event and alerts on suspicious activity across all log sources. | 857 | Security Operations | NERC-CIP: Suspicious Activity Detail | 004-5 R5, 005-5 R1, 007-5 R4, 007-5 R5, 006-5 R1 | 005-5 R1, 007-5 R4, 007-5 R5, 004-5 R5, 006-5 R1 | TRUE | Security : Suspicious | NERC-CIP: All Log Sources |
NERC-CIP: System Critical/Error Status Rule | This AIE rule creates an alert and generates an event for critical or error conditions encountered across all NERC-CIP Log Sources. | 854 | Security Operations | NERC-CIP: System Critical/Error Status Detail | 005-5 R1, 007-5 R4 | 008-5 R1, 007-5 R3, 007-5 R4, 007-5, 008-5 R1, 008-5 R2, 008-5 R3 | TRUE | Operations : Critical | NERC-CIP: All Log Sources |
NERC-CIP: System Time Change After Attack | This AIE rule creates an event every time an attack occurs within the environment, followed by a time change. | 873 | IT Operations | NERC-CIP: Attack Detected Detail | N/A | 010-1 R1, 010-1 R2, 010-1 R3 | TRUE | Security : Compromise | NERC-CIP: All Log Sources |
NERC-CIP: Term Act Auth/Accs Failure Rule | This AIE Rule generates an alert on terminated account authentication failure activity (login failure). | 851 | Audit | NERC-CIP: Term Act Auth/Accs Failure Detail | 007-5 R4, 007-5 R5, 007 R5 | 004-5 R4, 007-5 R4 | TRUE | Audit : Authentication Failure | NERC-CIP: BES Cyber Systems |
NERC-CIP: Term Act Auth/Accs Success Rule | This AIE Rule provides details on terminated account authentication success (login success) or access success within the organization's infrastructure. | 852 | Audit | NERC-CIP: Term Act Auth/Accs Success Detail | 007-5 R4, 007-5 R5, 007 R5 | 004-5 R4, 007-5 R4 | TRUE | Audit : Authentication Success | NERC-CIP: BES Cyber Systems |
NERC-CIP: Vendor Act Auth/Accs Failure Rule | This AIE Rule generates an alert on vendor account authentication failure activity (login failure). | 847 | Audit | NERC-CIP: Vendor Act Auth/Accs Failure Detail | 007-5 R4, 007-5 R5, 007 R5 | 004-5 R4, 007-5 R4 | TRUE | Audit : Authentication Failure | NERC-CIP: BES Cyber Systems |
NERC-CIP: VPN Node Registration Fail (Auth) | This AIE Rule creates an event and alerts on any unsuccessful Virtual Private Network (VPN) node registration attempt into the Electronic Security Perimeter by an account on the authorized VPN users list. | 845 | Audit | NERC-CIP: VPN Node Registration Failure Detail (Auth) | 005-5 R1, 007-5 R4, 007-5 R5, 007 R5 | 004-5 R4, 007-5 R3, 007-5 R4, 007 R5, 008-5 R1, 008-5 R2, 008-5 R3 | TRUE | Audit : Authentication Failure | NERC-CIP: BES Cyber Systems |
NERC-CIP: VPN Node Registration Fail (unAuth) | This AIE Rule creates an event and alerts on any unsuccessful Virtual Private Network (VPN) node registration attempt into the Electronic Security Perimeter by an account that is not on the authorized VPN users list. | 846 | Audit | NERC-CIP: VPN Node Registration Failure Detail (un-Auth) | 005-5 R1, 007-5 R4, 007-5 R5, 007 R5 | 004-5 R4, 007-5 R3, 007-5 R4, 007 R5, 008-5 R1, 008-5 R2, 008-5 R3 | TRUE | Audit : Authentication Failure | NERC-CIP: BES Cyber Systems |
NERC-CIP: Vulnerability Detected Rule | This AIE Rule creates an event and alerts on potential vulnerabilities detected across the environment. | 861 | Security Operations | NERC-CIP: Vulnerability Detected Detail | 005-5 R1, 007-5 R4 | 007-5 R3, 007-5 R4, 007-5, 008-5 R1, 008-5 R2, 008-5 R3, 010-1 R3 | TRUE | Security : Vulnerability | NERC-CIP: BES Cyber Systems, NERC-CIP: Electronic Security Perimeter |
NERC-CIP: Windows Firewall Change | This AIE Rule creates an event and alerts when a change occurs to the host's Windows Firewall, based on specific vendor message IDs. | 874 | Audit | NERC-CIP: Windows Firewall Change Detail | N/A | 010-1 R1, 010-1 R2, 010-1 R3 | TRUE | Audit : Configuration | NERC-CIP: Electronic Security Perimeter |