NERC User Guide – AI Engine Rules
AIE Rules leverage LogRhythm technology to correlate events across your environment, helping to identify events of interest and potential compliance issues.
Port Misuse – FTP, HTTP, SSH In, SSH Out
LogRhythm’s AIE rules (#880, 881, 882, 883) create an event when network-facing servers encounter non-standard port activity. These rules require the use of LogRhythm’s Network Monitor or a next-generation firewall.
Malware Detected Rule
A cornerstone of NERC-CIP is the ability to continuously monitor the environment from all layers. Alerts (#862) are configured for detecting malicious activity within the environment. This AIE Rule creates an event and notification alert for malware detection on devices that have been designated as log sources or devices that support network monitoring.
Attack Detected, Software Status Change after an Attack, Time Change After an Attack
LogRhythm aims to help organizations identify malicious activity earlier in the attack lifecycle and provide a deeper understanding of the nature of the attack. Various AIE rules (#863, 872, 873) look for activities that occur as a result of an attack or exploited vulnerability. These AIE rules not only alert when an attack occurs but also provide correlation for activities that may result from the attack.
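The follow-on correlation described above (an attack event on a host, followed by a software status change or a system time change on the same host) can be illustrated with a small sequence matcher. This is an added example, not LogRhythm's AIE implementation: it assumes a simplified normalized event tuple of (timestamp, host, classification), constructed sample events, and a 60-minute follow-on window, none of which the guide specifies.

```python
from datetime import datetime, timedelta

# Constructed sample events (not LogRhythm's schema): (timestamp, host, classification).
SAMPLE_EVENTS = [
    ("2024-03-01T10:00:00", "hmi-01", "Attack"),
    ("2024-03-01T10:04:00", "hmi-01", "Software Status Change"),
    ("2024-03-01T10:06:30", "hmi-01", "System Time Change"),
    ("2024-03-01T11:00:00", "eng-ws-07", "Software Status Change"),  # no prior attack
    ("2024-03-01T12:00:00", "rtu-gw-02", "Attack"),
    ("2024-03-01T13:30:00", "rtu-gw-02", "System Time Change"),      # outside window
]

# Follow-on classification -> rule label (IDs taken from the guide's table).
FOLLOW_ON_RULES = {
    "Software Status Change": "#872 Software Status Change After Attack",
    "System Time Change": "#873 System Time Change After Attack",
}


def correlate_after_attack(events, window_minutes=60):
    """Return (rule, host, attack_ts, event_ts) hits.

    An Attack event always fires #863. A software status or time change fires
    its follow-on rule only if the same host had an Attack within the window;
    the same change on a host with no preceding attack is not correlated.
    """
    last_attack = {}  # host -> timestamp of most recent Attack event
    hits = []
    for ts_str, host, classification in sorted(events, key=lambda e: e[0]):
        ts = datetime.fromisoformat(ts_str)
        if classification == "Attack":
            last_attack[host] = ts
            hits.append(("#863 Attack Detected", host, ts, ts))
            continue
        rule = FOLLOW_ON_RULES.get(classification)
        attack_ts = last_attack.get(host)
        if rule and attack_ts is not None and ts - attack_ts <= timedelta(minutes=window_minutes):
            hits.append((rule, host, attack_ts, ts))
    return hits


if __name__ == "__main__":
    for rule, host, attack_ts, event_ts in correlate_after_attack(SAMPLE_EVENTS):
        print(f"{event_ts.isoformat()} {host}: {rule} (attack at {attack_ts.time()})")
```

The benign change on eng-ws-07 and the late time change on rtu-gw-02 produce no follow-on hit, which is the distinction the correlation is meant to make.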
Privileged Group Access Granted
This AIE rule (#844) creates an event and alerts any time an account is provisioned into a privileged group within the organization’s environment. It aims to augment existing user access provisioning practices and identify where excessive privileged access may be assigned.
Physical Access Failure and Success
As NERC-CIP combines both the cyber and physical protection of BES assets in your organization, these AIE Rules (#841, 842) work with physical access systems to identify entry activity. These AIE rules assist IT Operations in confirming the appropriateness of access attempts into areas containing in-scope IT assets.
Log Requirements
These AIE rules cover all log sources in your environment but specifically require logs from anti-malware systems, firewalls, servers, workstations, security enforcing devices, physical access control systems, and vulnerability detection systems. When configured correctly, LogRhythm’s advanced correlation and AIE rules provide near real-time alerts for malicious activities and/or attacks.
Knowledge Base Content
ID | Name |
---|---|
880 | NERC-CIP: Port Misuse: FTP |
881 | NERC-CIP: Port Misuse: HTTP |
882 | NERC-CIP: Port Misuse: SSH In |
883 | NERC-CIP: Port Misuse: SSH Out |
862 | NERC-CIP: Malware Detected Rule |
863 | NERC-CIP: Attack Detected Rule |
872 | NERC-CIP: Software Status Change After Attack |
873 | NERC-CIP: System Time Change After Attack |
844 | NERC-CIP: Priv Group Access Granted Rule |
841 | NERC-CIP: Physical Access Failure Rule |
842 | NERC-CIP: Physical Access Success Rule |
Configuration
To configure AIE rules, enable them and assign them to the appropriate Log Sources. User lists can be further leveraged to apply monitoring controls for identifying compromised credentials and accounts. The Port Misuse rules require a next-generation firewall or LogRhythm’s Network Monitor to provide this level of logging.
Actions
If alerts are triggered for one or more of these rules, appropriate actions should be taken to investigate, classify, and quarantine any potential attacks. Configuration changes to any solution that could adversely impact overall security within the environment should be promptly communicated to security personnel. In addition, any file modification should be investigated to ensure adherence to the organization’s change control management policies and practices.