AIE Rules leverage LogRhythm technology to correlate events across your environment, helping to identify events of interest and potential compliance issues.
Port Misuse – FTP, HTTP, SSH In, SSH Out
LogRhythm’s AIE rules (#880, 881, 882, 883) create an event when network-facing servers encounter non-standard port activity, for example an application identified as FTP, HTTP, or SSH observed on a port other than the one expected for that protocol. These rules require the use of LogRhythm’s Network Monitor or a next-generation firewall, since the application must be identified from the traffic rather than inferred from the port number.
Malware Detected Rule
A cornerstone of NERC-CIP is the ability to continuously monitor the environment at all layers. Alerts (#862) are configured for detecting malicious activity within the environment. This AIE rule creates an event and a notification alert for malware detection on devices that have been designated as log sources or on devices that support network monitoring.
Attack Detected, Software Status Change after an Attack, Time Change after an Attack
LogRhythm aims to help organizations identify malicious activity earlier in the attack lifecycle and provide a deeper understanding of the nature of the attack. Several AIE rules (#863, 872, 873) look for activities that occur as a result of an attack or an exploited vulnerability. These AIE rules not only alert when an attack is detected, but also correlate follow-on activity on the same host, such as a software status change or a system time change occurring shortly after the attack, which may indicate post-exploitation tampering.
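The following is an added illustration, not LogRhythm code or the AIE rule definitions themselves. It sketches the two kinds of logic the Port Misuse rules and the "after an attack" rules describe: a mismatch between the identified application and its expected port, and an attack detection followed within a time window by a software or time change on the same host. The event field names, hostnames, the expected-port table and the window are constructed assumptions for the example.

```python
from datetime import datetime

# Constructed sample events in a normalised SIEM-like shape. The field names
# (ts, host, event, app, port) and hostnames are assumptions for this example.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T10:00:00", "host": "ems-web01", "event": "flow", "app": "ssh", "port": 22},
    {"ts": "2024-01-10T10:00:05", "host": "ems-web01", "event": "flow", "app": "ssh", "port": 8443},
    {"ts": "2024-01-10T10:01:00", "host": "ems-web01", "event": "flow", "app": "http", "port": 80},
    {"ts": "2024-01-10T10:02:00", "host": "hist-db01", "event": "attack_detected"},
    {"ts": "2024-01-10T10:20:00", "host": "hist-db01", "event": "software_installed"},
    {"ts": "2024-01-10T11:30:00", "host": "hist-db01", "event": "system_time_changed"},
    {"ts": "2024-01-10T10:30:00", "host": "rtu-gw02", "event": "software_installed"},
]

# Ports on which each identified application is expected (assumed policy).
EXPECTED_PORTS = {"ftp": {21}, "http": {80, 8080}, "ssh": {22}}
# Follow-on changes worth correlating with an earlier attack detection.
FOLLOW_UP_EVENTS = {"software_installed", "system_time_changed"}


def port_misuse(events):
    """Flag flows whose identified application runs on a port outside its expected set."""
    hits = []
    for e in events:
        if e["event"] != "flow":
            continue
        expected = EXPECTED_PORTS.get(e["app"])
        if expected and e["port"] not in expected:
            hits.append((e["host"], e["app"], e["port"]))
    return hits


def change_after_attack(events, window_minutes=60):
    """Correlate attack_detected with a later follow-up change on the same host.

    Returns (host, event, minutes_after_attack) for each change that falls
    within window_minutes of the most recent attack detection on that host.
    """
    last_attack = {}  # host -> timestamp of the latest attack detection seen
    hits = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["event"] == "attack_detected":
            last_attack[e["host"]] = t
        elif e["event"] in FOLLOW_UP_EVENTS:
            attack_t = last_attack.get(e["host"])
            if attack_t is not None:
                minutes = int((t - attack_t).total_seconds() // 60)
                if minutes <= window_minutes:
                    hits.append((e["host"], e["event"], minutes))
    return hits
```

With the constructed sample, only the SSH flow on port 8443 and the software install 18 minutes after the attack on hist-db01 fire; the time change 88 minutes later is outside the default window, and the install on rtu-gw02 has no preceding attack to correlate with.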
Privileged Group Access Granted
This AIE rule (#844) creates an event and alerts any time an account is provisioned into a privileged group within the organization’s environment. It aims to augment existing user access provisioning practices and to identify where excessive privileged access may have been assigned.
Physical Access Failure and Success
Because NERC-CIP covers both the cyber and the physical protection of BES assets in your organization, these AIE rules (#841, 842) work with physical access control systems to identify entry activity. They assist IT Operations in confirming the appropriateness of access attempts into areas containing in-scope IT assets.
These AIE rules can draw on all log sources in your environment, but they specifically require logs from anti-malware systems, firewalls, servers, workstations, security-enforcing devices, physical access control systems, and vulnerability detection systems. When configured correctly, LogRhythm’s advanced correlation and AIE rules provide near real-time alerts for malicious activity and attacks.
Knowledge Base Content
NERC-CIP: Port Misuse: FTP
NERC-CIP: Port Misuse: HTTP
NERC-CIP: Port Misuse: SSH In
NERC-CIP: Port Misuse: SSH Out
NERC-CIP: Malware Detected Rule
NERC-CIP: Attack Detected Rule
NERC-CIP: Software Status Change After Attack
NERC-CIP: System Time Change After Attack
NERC-CIP: Priv Group Access Granted Rule
NERC-CIP: Physical Access Failure Rule
NERC-CIP: Physical Access Success Rule
To configure the AIE rules, enable them and assign them to the appropriate Log Sources. User lists can further be leveraged to apply monitoring controls that help identify compromised credentials and accounts. The Port Misuse rules require a next-generation firewall or LogRhythm’s Network Monitor to provide the application-level logging they depend on.
When alerts are triggered for one or more of these rules, appropriate actions should be taken to investigate, classify, and contain any potential attack. Configuration changes to any system that could adversely affect the overall security of the environment should be promptly communicated to security personnel. In addition, any file modification should be investigated to confirm that it adheres to the organization’s change control management policies and practices.