The following lists require configuration in the LogRhythm environment. Each list is referenced by the AIE rules, Investigations and Reports shown beside it; until a list is populated, the items that depend on it will not evaluate as intended.
| List ID | List Name | Type | ID | Name |
|---|---|---|---|---|
| -2169 | Network : Search : HTTP | AIE Rule | 1417 | C2: Internationalized Domain Name (IDN) |
| -2169 | Network : Search : HTTP | AIE Rule | 1423 | C2: Port Misuse: 80 |
| -2171 | Network : Search : SSL/TLS | AIE Rule | 1416 | C2: Port Misuse: 443 |
| -2177 | Network : Unauthorized/Risky Applications | AIE Rule | 1409 | Compromise: Blacklisted Applications |
| -2177 | Network : Unauthorized/Risky Applications | Investigation | 205 | Network : Unauthorized/Risky Application Usage |
| -2177 | Network : Unauthorized/Risky Applications | Report | 958 | Network : Unauthorized/Risky Application Usage |
| -2179 | Network : Whitelisted Countries | AIE Rule | 1406 | C2: Non-Whitelisted Country Observed |
| -2179 | Network : Whitelisted Countries | Investigation | 207 | Network : Non-Whitelisted Country Activity |
| -2180 | Network : Blacklisted Countries | AIE Rule | 1410 | C2: Blacklisted Country Observed |
| -2180 | Network : Blacklisted Countries | Investigation | 206 | Network : Blacklisted Country Activity |
| -2181 | Network : Internal/DMZ Webservers | AIE Rule | 1408 | Disruption: DMZ DDoS |
| -2187 | Network : Allowed Ingress Ports | AIE Rule | 1432 | Recon: Blacklisted Ingress Port |
| -2188 | Network : Allowed Egress Ports | AIE Rule | 1431 | C2: Blacklisted Egress Port |
| -2197 | Network Devices | AIE Rule | 1434 | Disruption: Network Device Configuration Wiped |
| -2201 | Top Common Domains Using Suspicious TLDs | AIE Rule | 1418 | C2: Suspicious Top Level Domain (TLD) |
| -2362 | Vulnerability Scanners | AIE Rule | 1382 | Recon: Port Sweep |
| -2365 | Mail Servers | AIE Rule | 1388 | C2: Excessive Unique Outbound Connections |
| -2366 | External IP Addresses | AIE Rule | 1382 | Recon: Port Sweep |
| -1000123 | Network: Authorized Applications | AIE Rule | 1489 | Exfiltration: Unauthorized VPN Usage |
| -1000124 | Network: SCADA IP Ranges | AIE Rule | 1487 | Lateral: Non-SCADA traffic in SCADA Network |
| -1000125 | Network: SCADA Entities | AIE Rule | 1487 | Lateral: Non-SCADA traffic in SCADA Network |

Where a list appears on more than one row, the same list is referenced by each of the items shown; some items (for example AIE Rule 1382, Recon: Port Sweep, and AIE Rule 1487, Lateral: Non-SCADA traffic in SCADA Network) in turn depend on more than one list, so all of the lists referenced by an item must be populated for that item to work.