Network Detection and Response – Lists
These lists require configuration in the LogRhythm environment. Each row pairs a list with the AIE rule, investigation, or report that references it; a list that is referenced by more than one object appears once per referencing object.
List ID | List Name | Type | ID | Name |
---|---|---|---|---|
-2169 | Network : Search : HTTP | AIE Rule | 1417 | C2: Internationalized Domain Name (IDN) |
-2169 | Network : Search : HTTP | AIE Rule | 1423 | C2: Port Misuse: 80 |
-2171 | Network : Search : SSL/TLS | AIE Rule | 1416 | C2: Port Misuse: 443 |
-2177 | Network : Unauthorized/Risky Applications | AIE Rule | 1409 | Compromise: Blacklisted Applications |
-2177 | Network : Unauthorized/Risky Applications | Investigation | 205 | Network : Unauthorized/Risky Application Usage |
-2177 | Network : Unauthorized/Risky Applications | Report | 958 | Network : Unauthorized/Risky Application Usage |
-2179 | Network : Whitelisted Countries | AIE Rule | 1406 | C2: Non-Whitelisted Country Observed |
-2179 | Network : Whitelisted Countries | Investigation | 207 | Network : Non-Whitelisted Country Activity |
-2180 | Network : Blacklisted Countries | AIE Rule | 1410 | C2: Blacklisted Country Observed |
-2180 | Network : Blacklisted Countries | Investigation | 206 | Network : Blacklisted Country Activity |
-2181 | Network : Internal/DMZ Webservers | AIE Rule | 1408 | Disruption: DMZ DDoS |
-2187 | Network : Allowed Ingress Ports | AIE Rule | 1432 | Recon: Blacklisted Ingress Port |
-2188 | Network : Allowed Egress Ports | AIE Rule | 1431 | C2: Blacklisted Egress Port |
-2197 | Network Devices | AIE Rule | 1434 | Disruption: Network Device Configuration Wiped |
-2201 | Top Common Domains Using Suspicious TLDs | AIE Rule | 1418 | C2: Suspicious Top Level Domain (TLD) |
-2362 | Vulnerability Scanners | AIE Rule | 1382 | Recon: Port Sweep |
-2365 | Mail Servers | AIE Rule | 1388 | C2: Excessive Unique Outbound Connections |
-2366 | External IP Addresses | AIE Rule | 1382 | Recon: Port Sweep |
-1000123 | Network: Authorized Applications | AIE Rule | 1489 | Exfiltration: Unauthorized VPN Usage |
-1000124 | Network: SCADA IP Ranges | AIE Rule | 1487 | Lateral: Non-SCADA traffic in SCADA Network |
-1000125 | Network: SCADA Entities | AIE Rule | 1487 | Lateral: Non-SCADA traffic in SCADA Network |