Skip to main content
Skip table of contents

NERC User Guide – AI Engine Rules

AIE Rules leverage LogRhythm technology to correlate events across your environment, helping to identify events of interest and potential compliance issues.

Port Misuse – FTP, HTTP, SSH In, SSH Out

LogRhythm’s AIE (#880, 881, 882, 883) creates an event when network-facing servers encounter no-standard port activity. This rule requires the use of LogRhythm’s Network Monitor or a next-generation firewall.

Malware Detected Rule

A cornerstone of NERC-CIP is the ability to continuously monitor the environment from all layers. Alerts (#862) are configured for detecting malicious activity within the environment. This AIE Rule creates an event and notification alert for malware detection on devices that have been designated as log sources or devices that support network monitoring.

Attack Detected, Software Status Change after an Attack, Time Change After an Attack

LogRhythm aims to help organizations identify malicious activity earlier in the attack lifecycle and provide a deeper understanding of the nature of the attack. Various AIE rules (#863, 872, 873) look for activities that occur as a result of an attack or exploited vulnerability. These AIE rules not only alert when an attack occurs but also provide correlation for activities that may result from the attack.

Privileged Group Access Granted

This AIE rule (#844) creates an event, and alerts anytime an account’s access is provisioned to a privileged group within the organization’s environment. This aims to augment existing user access provisioning practices and identify where excessive privileged access may be assigned.

Physical Access Failure and Success

As NERC-CIP combines both the cyber and physical protection of BES assets in your organization, these AIE Rules (#841, 842) work with physical access systems to identify entry activity. These AIE rules assist IT Operations in confirming the appropriateness of access attempts into areas containing in-scope IT assets.

Log Requirements

These AIE rules cover all log sources in your environment but specifically require logs from anti-malware systems, firewalls, servers, workstations, security enforcing devices, physical access control systems, and vulnerability detection systems. When configured correctly, LogRhythm’s advanced correlation and AIE rules provide near real-time alerts for malicious activities and/or attacks.

Knowledge Base Content




NERC-CIP: Port Misuse: FTP


NERC-CIP: Port Misuse: HTTP


NERC-CIP: Port Misuse: SSH In


NERC-CIP: Port Misuse: SSH Out


NERC-CIP: Malware Detected Rule


NERC-CIP: Attack Detected Rule


NERC-CIP: Software Status Change After Attack


NERC-CIP: System Time Change After Attack


NERC-CIP: Priv Group Access Granted Rule


NERC-CIP: Physical Access Failure Rule


NERC-CIP: Physical Access Success Rule


To configure AIE rules, they need to be enabled and assigned to the appropriate Log Sources. User lists can be further leveraged to apply monitoring controls for identifying compromised credentials and accounts. The Port Misuse rules will require the use of a next-generation firewall or LogRhythm’s Network Monitor to facilitate this level of logging.


If alerts are triggered for one or more of these rules, appropriate actions should be taken to investigate, classify, and quarantine any potential attacks. Configuration changes to any solution that could adversely impact overall security within the environment should be promptly communicated to security personnel. In addition, any file modification should be investigated to ensure adherence to the organization’s change control management policies and practices.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.