
Network Detection and Response User Guide – AI Engine Rules

C2: Attack then Outbound Connection

AIE Rule ID: 1419

Attack Lifecycle: C2

Rule Description:

An observed external attack or compromise followed by data leaving the system and going to the attacker.

Common Event: AIE: C2: Attack then Outbound Connection

Classification: Security/Attack

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 5

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: An attacker is looking for sensitive financial information. The attacker successfully compromises a host and is able to copy the information to the attacker's host.


C2: Blacklisted Country Observed

AIE Rule ID: 1410

Attack Lifecycle: C2

Rule Description:

Allowed connection to a host in a suspicious country specified in the list 'Network: Blacklisted Countries'.

Common Event: AIE: C2: Blacklisted Country Observed

Classification: Security/Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 3

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: An attacker in a blacklisted country has compromised an internal host and it is communicating with a command and control server.

Configuration: Populate filter List "Network: Blacklisted Countries".


C2: Blacklisted Egress Port

AIE Rule ID: 1431

Attack Lifecycle: C2

Rule Description:

An internal host communicates with a host outside the network using a port not on the allowed list.

Common Event: AIE: C2: Blacklisted Egress Port

Classification: Security/Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 3

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: A misconfigured firewall is allowing traffic to pass outside the network over the common VNC port (5900).

Configuration: The LogRhythm List "Network: Allowed Egress Ports" must be populated for this rule to work.


C2: Blocked Outbound Traffic then Allow

AIE Rule ID: 1411

Attack Lifecycle: C2

Rule Description:

400 or more internal network traffic denies, followed by a network allow event with the same origin host.

Common Event: AIE: C2: Blocked Outbound Traffic then Allow

Classification: Security/Attack

Suppression Multiple: 30

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 8

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: A piece of malware is trying to phone home to its command and control server but a content inspection firewall is denying the connection.


C2: DMZ Jumping

AIE Rule ID: 1422

Attack Lifecycle: C2

Rule Description:

Internal communication is seen that originated externally without passing through the DMZ.

Common Event: AIE: C2: DMZ Jumping

Classification: Security/Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 5

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: A host on the internet has gained access to a system inside the network and traffic is passing directly between the two.

Configuration: DMZ network ranges are defined in the Entities tab.


C2: Excessive Outbound Firewall Denies

AIE Rule ID: 1413

Attack Lifecycle: C2

Rule Description:

Excessive number (400) of network denied events from an internal host within 5 minutes.

Common Event: AIE: C2: Excessive Outbound Firewall Denies

Classification: Security/Suspicious

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 5

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: An internal compromised host is attempting communication via blocked protocol.
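The two deny-based rules above, 1413 (Excessive Outbound Firewall Denies) and 1411 (Blocked Outbound Traffic then Allow), share one mechanism: count denies per internal origin in a sliding window, then watch for an allow from the same origin. The following is an added example written for this page, not LogRhythm's rule implementation. The log format, field order and host addresses are constructed for the example; the thresholds (400 denies, 5 minutes) are taken from the rule descriptions.

```python
# Added example (not LogRhythm code): rules 1413 and 1411 over a constructed firewall log.
from collections import defaultdict, deque
from datetime import datetime, timedelta

DENY_THRESHOLD = 400            # both rules: 400 denies from one internal origin
WINDOW = timedelta(minutes=5)   # rule 1413: within 5 minutes

def parse_line(line):
    """Parse one constructed log line of the form
    '2024-01-01T10:00:00 DENY 10.0.0.5 -> 203.0.113.9:4444'."""
    ts, action, origin, _arrow, dest = line.split()
    dest_ip, dest_port = dest.rsplit(":", 1)
    return {"ts": datetime.fromisoformat(ts), "action": action,
            "origin": origin, "dest_ip": dest_ip, "dest_port": int(dest_port)}

def evaluate(lines):
    """Return (rule, origin, timestamp) tuples in the order the rules fire."""
    recs = sorted(map(parse_line, lines), key=lambda r: r["ts"])
    deny_times = defaultdict(deque)   # origin -> deny timestamps inside WINDOW
    saturated = set()                 # origins that have reached DENY_THRESHOLD
    events = []
    for rec in recs:
        q = deny_times[rec["origin"]]
        if rec["action"] == "DENY":
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > WINDOW:   # slide the window forward
                q.popleft()
            if len(q) >= DENY_THRESHOLD and rec["origin"] not in saturated:
                saturated.add(rec["origin"])
                events.append(("1413 Excessive Outbound Firewall Denies", rec["origin"], rec["ts"]))
        elif rec["action"] == "ALLOW" and rec["origin"] in saturated:
            # Rule 1411: the deny burst was followed by an allow from the same origin host
            events.append(("1411 Blocked Outbound Traffic then Allow", rec["origin"], rec["ts"]))
            saturated.discard(rec["origin"])  # one alert per burst; a new burst re-arms it
            q.clear()
    return events

def sample_lines():
    """Constructed sample: 400 denies in 240 s from 10.0.0.5, then an allow 10 s later,
    and a second host with only 10 denies that must stay silent."""
    start = datetime(2024, 1, 1, 10, 0, 0)
    lines = [f"{(start + timedelta(milliseconds=600 * i)).isoformat()} DENY 10.0.0.5 -> 203.0.113.9:4444"
             for i in range(400)]
    lines.append(f"{(start + timedelta(seconds=250)).isoformat()} ALLOW 10.0.0.5 -> 203.0.113.9:443")
    lines += [f"{(start + timedelta(seconds=i)).isoformat()} DENY 10.0.0.7 -> 198.51.100.2:23"
              for i in range(10)]
    return lines

if __name__ == "__main__":
    for rule, origin, ts in evaluate(sample_lines()):
        print(f"{ts.isoformat()} {rule} origin={origin}")
```

The allow that fires rule 1411 is the interesting event: a burst of denies followed by a successful connection from the same host is the signature of malware rotating through fallback C2 addresses or ports until one gets through the firewall, which is why the page classifies 1411 as Security/Attack while 1413 alone is only Suspicious.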


C2: Excessive Unique Outbound Connections

AIE Rule ID: 1388

Attack Lifecycle: C2

Rule Description:

Excessive network connections (default of 100) on any port other than 80 or 443. 

Common Event: AIE: C2: Excessive Unique Outbound Connections

Classification: Security/Suspicious

Suppression Multiple: 6

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 7

AIE Rule Additional Details

Actions:  Investigate the Origin IP if it’s a known host, quarantine unknown hosts to a Remediation VLAN and block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP is known and reputable along with if Impacted Port is a known application. Determine if Origin IP was compromised and remediate as necessary otherwise add Impacted IP to a Watch List to determine if Attack was successful.

Use Case: An internal user is downloading a pirated movie over BitTorrent, or an internal user is running Skype; either produces excessive outbound network connections (default of 100) on ports other than 53, 80 or 443.

Configuration: Mail Servers generally have a large number of unique outbound connections. Create an exclude filter using List "Mail Servers" where Origin Host = mail servers to ensure normal SMTP activity doesn't trigger this rule.

(Optional)

  1. Create an Exclude Filter for Origin Host in Rule Block 1 where the Origin Host is the name of any vulnerability scanners.
  2. Create an Exclude Filter for Origin Host in Rule Block 1 where the Origin Host is the host name of any Proxies.


C2: External DNS Server Used

AIE Rule ID: 1433

Attack Lifecycle: C2

Rule Description:

Internal hosts using an external DNS server.

Common Event: AIE: C2: External DNS Server Used

Classification: Security/Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 4

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: A network host has been infected with malware and is using a compromised external DNS server.


C2: High Entropy Traffic

AIE Rule ID: 1414

Attack Lifecycle: C2

Rule Description:

Network traffic whose payload has a high level of entropy. This indicates that the traffic is encrypted (or compressed) but uses a protocol the sensor cannot identify; known encrypted protocols such as TLS and SSH are recognized by their handshakes and are not what this rule targets.

Common Event: AIE: C2: High Entropy Traffic

Classification: Security/Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 6

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: An infected network host is communicating with its command and control server using an unknown encrypted protocol.


C2: Internationalized Domain Name (IDN)

AIE Rule ID: 1417

Attack Lifecycle: C2

Rule Description:

Internationalized domain name (non-ASCII characters) in HTTP.

Common Event: AIE: C2: Internationalized Domain Name (IDN)

Classification: Security/Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 5

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: Black Hole Exploit kit, among others, uses internationalized domain names for hosting malware.

Configuration: Since many Western organizations will see very limited use of IDNs, any usage may be deemed suspicious and possibly caused by malware. However, each organization can exclude legitimate domains to fit their environment.


C2: IRC on Non-Standard Port

AIE Rule ID: 1436

Attack Lifecycle: C2

Rule Description:

IRC traffic run on a non-standard IRC port is seen.

Common Event: AIE: C2: IRC on Non-Standard Port

Classification: Security/Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 6

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: IRC traffic is run on a non-standard IRC port to evade port-based blocking and detection.


C2: Long Running Session

AIE Rule ID: 1407

Attack Lifecycle: C2

Rule Description:

Session lasting longer than 48 hours.

Common Event: AIE: C2: Long Running Session

Classification: Security/Suspicious

Suppression Multiple: 7200

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 4

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: An attacker is exfiltrating data externally through an SSH tunnel but is slowly transferring the data to avoid detection.


C2: Long Session: ICMP

AIE Rule ID: 1403

Attack Lifecycle: C2

Rule Description:

Inbound ICMP flow lasting over 1 hour. 

Common Event: AIE: C2: Long Session: ICMP

Classification: Security/Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 1

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: An attacker is communicating from an external host to an internal host through a covert channel: a long-running ICMP flow.


C2: Malware: Outbound IRC

AIE Rule ID: 1390

Attack Lifecycle: C2

Rule Description:

An internal host seen communicating using IRC ports.

Common Event: AIE: C2: Malware: Outbound IRC

Classification: Security/Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 7

AIE Rule Additional Details

Actions: Investigate the Origin IP if it’s a known host and service and quarantine or remove from the network if unknown. Block the Impacted and Origin IP from inbound and outbound on perimeter Firewall. Determine if Origin IP was compromised and remediate as necessary otherwise add Impacted IP to a Watch List to determine if Attack was successful.

Use Case:  An internal host has been compromised and is now part of a botnet, typically controlled via IRC.

Configuration:  (Optional) Create an Exclude Filter for Origin Host in Rule Block 1 where the Origin Host is the name of any vulnerability scanners.


C2: New Application

AIE Rule ID: 1427

Attack Lifecycle: C2

Rule Description:

New application that hasn't been seen in the environment within the past 10 days.

Common Event: AIE: C2: New Application

Classification: Security/Suspicious

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 6

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: A user is seen installing Steam to play games during work hours.


C2: Non-Whitelisted Country Observed

AIE Rule ID: 1406

Attack Lifecycle: C2

Rule Description:

Allowed connection with a host in a country that is absent from the list 'Network: Whitelisted Countries'.

Common Event: AIE: C2: Non-Whitelisted Country Observed

Classification: Security/Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 3

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: An attacker in a country that is not on the whitelist has compromised an internal host and is now communicating with that host.

Configuration: Populate filter List "Network: Whitelisted Countries".


C2: Outbound Connections Increase

AIE Rule ID: 1397

Attack Lifecycle: C2

Rule Description:

Measures the normal amount of outbound connections a host makes and generates an event when that amount increases.

Common Event: AIE: C2: Outbound Connections Increase

Classification: Security/Suspicious

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: High

False Positive Probability: 8

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host and Application are known, add IP Impacted to block outbound and inbound on Firewall if unknown or add to Watch List for further assessment.

Use Case: A host is compromised and is being used as a spam bot.

Configuration: In Rule Block 2, on the Log Source Criteria tab, add an include filter for the List "Vulnerability Scanners" covering the scanners LogRhythm is collecting from.


C2: Port Misuse: 22

AIE Rule ID: 1415

Attack Lifecycle: C2

Rule Description:

Traffic on port 22 that is not SSH

Common Event: AIE: C2: Port Misuse: 22

Classification: Security/Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 6

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: Detection of local hosts tunneling traffic over port 22. This would typically be a violation of network policy and a security risk.

Configuration: Requires IP Address (Origin) to Name DNS resolution to be enabled on the Mediator, and requires Network Monitor or a similar source that identifies the application carried on the flow.


C2: Port Misuse: 443

AIE Rule ID: 1416

Attack Lifecycle: C2

Rule Description:

Traffic over port 443 that is not HTTPS.

Common Event: AIE: C2: Port Misuse: 443

Classification: Security/Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 6

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: Detection of local hosts tunneling traffic over port 443. This would typically be a violation of network policy and a security risk.

Configuration: Requires IP Address (Origin) to Name DNS resolution to be enabled on the Mediator, and requires Network Monitor or a similar source that identifies the application carried on the flow.


C2: Port Misuse: 53

AIE Rule ID: 1424

Attack Lifecycle: C2

Rule Description:

Traffic that is not DNS over the common DNS port (53).

Common Event: AIE: C2: Port Misuse: 53

Classification: Security/Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 6

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: Detection of local hosts tunneling traffic over port 53. This would typically be a violation of network policy and a security risk.


C2: Port Misuse: 80

AIE Rule ID: 1423

Attack Lifecycle: C2

Rule Description:

Traffic not using HTTP over the common HTTP port (80).

Common Event: AIE: C2: Port Misuse: 80

Classification: Security/Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 6

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: Detection of local hosts tunneling traffic over port 80. This would typically be a violation of network policy and a security risk.


C2: Port Misuse: FTP

AIE Rule ID: 1405

Attack Lifecycle: C2

Rule Description:

Detects FTP servers running on non-standard ports.

Common Event: AIE: C2: Port Misuse: FTP

Classification: Security/Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 6

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: Valuable in detecting compromised hosts and network/policy abuse.


C2: Port Misuse: HTTP

AIE Rule ID: 1399

Attack Lifecycle: C2

Rule Description:

Detects HTTP traffic not using the common port 80.

Common Event: AIE: C2: Port Misuse: HTTP

Classification: Security/Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 6

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: An unauthorized web service running inside a corporate network that hasn't been properly vetted and configured, has become compromised and is collecting employee credentials.

Configuration: Authorized web applications need to have their ports added to the exclude filter list.


C2: Port Misuse: SSH Outbound

AIE Rule ID: 1401

Attack Lifecycle: C2

Rule Description:

Outbound SSH traffic connecting over a non-standard port (not 22). 

Common Event: AIE: C2: Port Misuse: SSH Outbound

Classification: Security/Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 6

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case:  Valuable in detecting compromised hosts and network/policy abuse.
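The Port Misuse rules above come in two mirror-image forms: an unexpected application on a well-known port (1415, 1416, 1424, 1423) and a known application on a non-standard port (1405, 1399, 1401). Both depend on an upstream source, such as Network Monitor, that has already identified the application from the payload rather than from the port. The following is an added example written for this page, not LogRhythm's rule logic; the flow records, field names, internal network range and authorized-port list are constructed for the example.

```python
# Added example (not LogRhythm's rule logic): the Port Misuse rule family over flow records
# that already carry an identified application, as Network Monitor or similar DPI would supply.
import ipaddress

# Rules 1415, 1416, 1424, 1423: well-known port -> application expected on it
EXPECTED_ON_PORT = {22: "ssh", 443: "https", 53: "dns", 80: "http"}
# Rules 1405, 1399, 1401: application -> standard port(s); the app anywhere else is misuse
STANDARD_PORTS = {"ftp": {21}, "http": {80}, "ssh": {22}}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption: the monitored internal range
AUTHORIZED_HTTP_PORTS = {8080}                   # rule 1399 exclude filter for vetted web apps

def classify(flow):
    """Return the Port Misuse rule names one flow record triggers (empty list if none).
    flow = {"src": ip, "dst": ip, "dport": int, "app": str}; field names are assumptions."""
    hits = []
    port, app = flow["dport"], flow["app"]
    src, dst = ipaddress.ip_address(flow["src"]), ipaddress.ip_address(flow["dst"])
    outbound = src in INTERNAL and dst not in INTERNAL

    # Wrong application on a well-known port (e.g. a VPN or C2 channel dressed up as HTTPS)
    expected = EXPECTED_ON_PORT.get(port)
    if expected and app != expected:
        hits.append(f"Port Misuse: {port}")

    # Known application on a non-standard port
    std = STANDARD_PORTS.get(app)
    if std and port not in std:
        if app == "ssh":
            if outbound:                        # rule 1401 is scoped to outbound SSH only
                hits.append("Port Misuse: SSH Outbound")
        elif app == "http":
            if port not in AUTHORIZED_HTTP_PORTS:
                hits.append("Port Misuse: HTTP")
        else:
            hits.append(f"Port Misuse: {app.upper()}")
    return hits

SAMPLE_FLOWS = [  # constructed records
    {"src": "10.0.0.5", "dst": "203.0.113.9", "dport": 22, "app": "ssh"},          # normal
    {"src": "10.0.0.5", "dst": "203.0.113.9", "dport": 443, "app": "openvpn"},     # 1416
    {"src": "10.0.0.6", "dst": "203.0.113.10", "dport": 2222, "app": "ssh"},       # 1401
    {"src": "203.0.113.10", "dst": "10.0.0.6", "dport": 2222, "app": "ssh"},       # inbound: not 1401
    {"src": "10.0.0.7", "dst": "198.51.100.3", "dport": 2121, "app": "ftp"},       # 1405
    {"src": "10.0.0.8", "dst": "10.0.0.20", "dport": 8080, "app": "http"},         # authorized web app
    {"src": "10.0.0.8", "dst": "10.0.0.21", "dport": 8000, "app": "http"},         # 1399
    {"src": "10.0.0.9", "dst": "203.0.113.53", "dport": 53, "app": "unknown"},     # 1424
]

def scan(flows=SAMPLE_FLOWS):
    """Return (src, dst, dport, app, [rules...]) for every flow that triggers something."""
    return [(f["src"], f["dst"], f["dport"], f["app"], classify(f))
            for f in flows if classify(f)]

if __name__ == "__main__":
    for src, dst, dport, app, rules in scan():
        print(f"{src} -> {dst}:{dport} app={app} {', '.join(rules)}")
```

Note that a single flow can legitimately trigger both forms (HTTP on port 443 is both "not HTTPS on 443" and "HTTP off port 80"), and that the whole family is only as good as the application identification feeding it: traffic the sensor labels "unknown" on port 53 is a finding, but traffic it mislabels is a miss.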


C2: Spamming Bot

AIE Rule ID: 1386

Attack Lifecycle: C2

Rule Description:

Non-mail server sending mail out to multiple, unique, external SMTP servers within a very short period of time.

Common Event: AIE: C2: Spamming Bot

Classification: Security/Suspicious

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 3

AIE Rule Additional Details

Actions: Investigate the Origin IP if it’s a known Email Server or if the emailing service is known, quarantine unknown emailing systems to a Remediation VLAN and block the Origin IP outbound on the Firewall.

Use Case: A compromised host that has become a botnet zombie is being used to send spam messages.

Configuration:

  1. Create an Exclude Filter where Origin Host = mail servers.
  2. Create an Exclude Filter for Origin Host in Rule Block 1 where the Origin Host is the name of any vulnerability scanners.
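Rule 1386 (Spamming Bot) and rule 1388 (Excessive Unique Outbound Connections, above) are the same detection with different parameters: count distinct destinations per internal origin inside a time window, skipping the hosts the exclude filters name. The following is an added example written for this page, not LogRhythm's rule implementation. The connection log format, the internal network range, the mail-server, scanner and proxy addresses, the one-hour window for rule 1388 and the "10 SMTP servers in one minute" figure for rule 1386 are all assumptions; the page itself gives only the 100-connection default and the 80/443 port exclusion.

```python
# Added example (not LogRhythm code): rules 1388 and 1386 as two configurations of one
# per-origin unique-destination counter over a constructed connection log.
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption: monitored internal range
MAIL_SERVERS = {"10.0.0.25"}                     # List "Mail Servers" (exclude filter)
SCANNERS = {"10.0.0.99"}                         # vulnerability scanners (optional exclude)
PROXIES = {"10.0.0.3"}                           # proxies (optional exclude, rule 1388)

RULES = {
    # Rule 1388: connections on any port other than 80 or 443, default threshold 100.
    # The page gives no window; one hour is an assumption for the example.
    "1388 Excessive Unique Outbound Connections": {
        "port_ok": lambda p: p not in (80, 443), "threshold": 100,
        "window": timedelta(hours=1), "exclude": MAIL_SERVERS | SCANNERS | PROXIES},
    # Rule 1386: a non-mail server reaching many unique external SMTP servers in a very
    # short period. The page gives no numbers; 10 servers in one minute is an assumption.
    "1386 Spamming Bot": {
        "port_ok": lambda p: p == 25, "threshold": 10,
        "window": timedelta(minutes=1), "exclude": MAIL_SERVERS | SCANNERS},
}

def parse(line):
    """Constructed format: '2024-01-01T10:00:00 10.0.0.5 198.51.100.7 25'."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)

def evaluate(lines):
    """Return (rule, origin, unique_destinations) when a rule first fires for an origin."""
    conns = sorted(map(parse, lines))
    alerts = []
    for name, cfg in RULES.items():
        window = defaultdict(deque)     # origin -> (ts, dst) entries inside the window
        counts = defaultdict(Counter)   # origin -> dst -> occurrences inside the window
        fired = set()
        for ts, src, dst, port in conns:
            if src in cfg["exclude"] or not cfg["port_ok"](port):
                continue
            if ipaddress.ip_address(src) not in INTERNAL or ipaddress.ip_address(dst) in INTERNAL:
                continue                # both rules look at outbound traffic only
            q, c = window[src], counts[src]
            q.append((ts, dst))
            c[dst] += 1
            while ts - q[0][0] > cfg["window"]:        # expire entries that left the window
                _old_ts, old_dst = q.popleft()
                c[old_dst] -= 1
                if c[old_dst] == 0:
                    del c[old_dst]
            if len(c) >= cfg["threshold"] and src not in fired:
                fired.add(src)
                alerts.append((name, src, len(c)))
    return alerts

def sample_lines():
    """Constructed: a spam bot, a legitimate mail server, a BitTorrent-like peer swarm,
    and a busy HTTPS client that must not fire."""
    t0 = datetime(2024, 1, 1, 9, 0, 0)
    lines = []
    for i in range(1, 13):    # 10.0.0.5: 12 distinct SMTP servers in 24 s
        lines.append(f"{(t0 + timedelta(seconds=2 * i)).isoformat()} 10.0.0.5 198.51.100.{i} 25")
    for i in range(1, 16):    # mail server: excluded however many peers it reaches
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.25 198.51.100.{i} 25")
    for i in range(1, 121):   # 10.0.0.8: 120 peers on 6881 over two minutes
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.8 203.0.113.{i} 6881")
    for i in range(1, 151):   # 10.0.0.9: 150 HTTPS destinations; port 443 is excluded
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.9 192.0.2.{i} 443")
    return lines

if __name__ == "__main__":
    for rule, origin, n in evaluate(sample_lines()):
        print(f"{rule}: origin={origin} unique destinations={n}")
```

The exclude lists do the real tuning work here: without them the mail relay is the noisiest "spam bot" on the network and the vulnerability scanner is the noisiest "peer swarm", which is exactly why both Configuration sections above lead with those filters.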


C2: Suspicious Top Level Domain (TLD)

AIE Rule ID: 1418

Attack Lifecycle: C2

Rule Description:

HTTP traffic to TLDs that wouldn't be expected in most cases.

Common Event: AIE: C2: Suspicious Top Level Domain (TLD)

Classification: Security/Attack

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: High

False Positive Probability: 8

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: Malware beacons back to a .ru or other suspicious TLD.

Configuration: Add an exclude filter List "Top Common Domains Using Suspicious TLDs" for the Group of domain names which are allowed in your environment.

(Optional) Add an Impacted Host exclude filter List for Vulnerability Scanners, Mail Servers, perimeter devices, proxies, and AV servers in Rule Block 1.
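Rules 1417 (Internationalized Domain Name, above) and 1418 (Suspicious Top Level Domain) both operate on the host name in HTTP traffic, so one check can serve both: flag labels that are non-ASCII or carry the `xn--` ACE prefix, and flag a suspicious TLD unless the registrable domain is on the allow list. The following is an added example written for this page, not LogRhythm's rule logic. The suspicious-TLD set (the page names only .ru), the allow-list entries standing in for "Top Common Domains Using Suspicious TLDs", and the sample Host header values are constructed for the example.

```python
# Added example (not LogRhythm's rule logic): rules 1417 and 1418 as one check on HTTP Host values.
SUSPICIOUS_TLDS = {"ru", "su", "top", "xyz"}   # example list; the page names only .ru
ALLOWED_DOMAINS = {"yandex.ru"}                 # stands in for 'Top Common Domains Using Suspicious TLDs'

def normalize_host(host_header):
    """Lower-case, strip a trailing dot and a :port suffix.
    Returns None for IP literals, which have neither a TLD nor an IDN label."""
    host = host_header.strip().lower().rstrip(".")
    if host.startswith("["):                    # [IPv6]:port
        return None
    if host.count(":") == 1:
        host = host.split(":", 1)[0]
    if host.replace(".", "").isdigit():         # IPv4 literal
        return None
    return host

def to_unicode(label):
    """Decode one ACE label (xn--...) with the Punycode codec; leave it alone if malformed."""
    if not label.startswith("xn--"):
        return label
    try:
        return label[4:].encode("ascii").decode("punycode")
    except UnicodeError:
        return label

def check_host(host_header):
    """Return [(rule, detail), ...] for the rules the host name triggers."""
    host = normalize_host(host_header)
    if host is None:
        return []
    labels = host.split(".")
    hits = []
    # Rule 1417: any label that is non-ASCII or carries the xn-- ACE prefix is an IDN.
    # The decoded form is reported so an analyst can see the homograph, not just the ACE string.
    if any(l.startswith("xn--") or not l.isascii() for l in labels):
        hits.append(("1417 Internationalized Domain Name (IDN)",
                     ".".join(to_unicode(l) for l in labels)))
    # Rule 1418: suspicious TLD unless the registrable domain is explicitly allowed.
    # Taking the last two labels ignores multi-label suffixes such as co.uk; a public-suffix
    # list would be needed to handle those correctly.
    tld, registrable = labels[-1], ".".join(labels[-2:])
    if tld in SUSPICIOUS_TLDS and registrable not in ALLOWED_DOMAINS:
        hits.append(("1418 Suspicious Top Level Domain (TLD)", registrable))
    return hits

SAMPLE_HOSTS = [  # constructed Host header values
    "www.example.com", "xn--80ak6aa92e.com", "update.evil-c2.ru:8080",
    "mail.yandex.ru", "203.0.113.9", "xn--d1acufc.xn--p1ai",
]

def scan(hosts=SAMPLE_HOSTS):
    """Map each host that triggers a rule to the list of rule names it triggers."""
    return {h: [rule for rule, _ in check_host(h)] for h in hosts if check_host(h)}

if __name__ == "__main__":
    for h in SAMPLE_HOSTS:
        for rule, detail in check_host(h):
            print(f"{h}: {rule} ({detail})")
```

The IDN check is deliberately broad, matching the page's note that any IDN usage may be deemed suspicious in organizations that rarely see it; organizations with legitimate non-Latin domains would extend the allow list rather than weaken the match.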


Compromise: Attack then Critical Event

AIE Rule ID: 1387

Attack Lifecycle: Compromise

Rule Description:

Attack event against a host followed by an error on the same host.

Common Event: AIE: Compromise: Attack then Critical Event

Classification: Security/Attack

Suppression Multiple: 4

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 5

AIE Rule Additional Details

Actions: Investigate the Origin IP if it’s a known host, quarantine unknown hosts to a Remediation VLAN and block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP was compromised and remediate as necessary otherwise add Impacted IP to a Watch List to determine if Attack was successful.

Use Case: An attacker launches an attack which was identified by an IDS. The attack causes a service to crash, indicating a successful attack.


Compromise: Authentication From a DMZ Host

AIE Rule ID: 1435

Attack Lifecycle: Compromise

Rule Description:

An authentication request originating from a host in the DMZ is observed.

Common Event: AIE: Compromise: Authentication From a DMZ Host

Classification: Security/Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 3

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: A host in the DMZ is seen attempting to authenticate to an internal system. DMZ hosts are exposed to the internet and should not normally initiate authentication into the internal network, so this may indicate that a DMZ host has been compromised and is being used to pivot.


Compromise: Blacklisted Application

AIE Rule ID: 1409

Attack Lifecycle: Compromise

Rule Description:

A host is seen using an unauthorized or risky application defined in the list 'Network: Unauthorized/Risky Applications'.

Common Event: AIE: Compromise: Blacklisted Application

Classification: Security/Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 1

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: An employee is using BitTorrent to illegally download movies.

Configuration: Populate the List "Network: Unauthorized/Risky Applications".


Compromise: Cross-site Scripting (XSS)

AIE Rule ID: 1393

Attack Lifecycle: Compromise

Rule Description:

Common URL-encoded <script> tags in a URL, indicating a reflected cross-site scripting attack.

Common Event: AIE: Compromise: Cross-site Scripting (XSS)

Classification: Security/Attack

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 3

AIE Rule Additional Details

Actions: Investigate the Origin IP if it’s a known host, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall and determine what the Attacker was looking for to aid in evaluating if compromise was successful. Determine if Impacted IP Host and Application are known and quarantine if compromise is found or add to Watch List for further compromise assessment.

Use Case: An attacker has found an XSS vulnerability in a web application. The attacker crafts a URL that passes malicious JavaScript as an HTTP parameter and distributes this URL to a specific audience. One of the recipients clicks the URL, and because of the XSS vulnerability, the injected script is reflected back to the client by the vulnerable web application and runs client-side.
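Rule 1393 keys on URL-encoded `<script>` tags in the request URL, as described above. Two details matter when writing such a match: decoding has to be repeated, because `%253C` is `%3C` which is `<`, and the match has to be case-insensitive, since `<SCRIPT>` works just as well in a browser. The following is an added example written for this page, not LogRhythm's rule; the web-server log format and every sample line are constructed.

```python
# Added example (not LogRhythm's rule): the pattern rule 1393 describes, run over constructed web log lines.
import re
from urllib.parse import unquote_plus

# Opening or closing script tag, tolerant of whitespace and case: <script>, < SCRIPT src=..., </script>
SCRIPT_TAG = re.compile(r"<\s*/?\s*script\b", re.IGNORECASE)
MAX_DECODE_ROUNDS = 3   # enough to unwrap double/triple encoding without looping on odd input

def fully_decode(s):
    """Percent-decode repeatedly until the string stops changing (catches %253C -> %3C -> <)."""
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s

def is_xss_attempt(url):
    """True if the request URL carries a <script> tag once URL-encoding is removed.
    The whole URL is inspected, since the tag may sit in the path as well as in a parameter."""
    return bool(SCRIPT_TAG.search(fully_decode(url)))

# Constructed log layout: '<client ip> "<method> <url> HTTP/x.y" <status>'
LOG_RE = re.compile(r'^(?P<src>\S+) "(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})$')

def scan(lines):
    """Return (source ip, decoded url) for every log line that matches rule 1393."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and is_xss_attempt(m["url"]):
            hits.append((m["src"], fully_decode(m["url"])))
    return hits

SAMPLE_LOG = [   # constructed web-server log lines
    '203.0.113.7 "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200',
    '203.0.113.7 "GET /search?q=%253Cscript%253Esrc%3D%2F%2Fevil%253C%252Fscript%253E HTTP/1.1" 200',
    '198.51.100.4 "GET /search?q=%3C+SCRIPT+src%3D%2F%2Fevil%2Fx.js%3E HTTP/1.1" 200',
    '10.0.0.12 "GET /docs?q=javascript+tutorial+%3Cdiv%3E HTTP/1.1" 200',
    '10.0.0.13 "GET /page?desc=descriptions+of+shell+scripts HTTP/1.1" 200',
]

if __name__ == "__main__":
    for src, url in scan(SAMPLE_LOG):
        print(f"{src} {url}")
```

The last two sample lines show why the word boundary in the pattern matters: "javascript" and "scripts" both contain the substring but are not tags. A 200 status on a matching request does not by itself mean the injection worked; the reflection has to be confirmed in the response, which is the "determine what the attacker was looking for" step in the Actions above.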


Compromise: Cross-Site Scripting (XSS) Event

AIE Rule ID: 1439

Attack Lifecycle: Compromise

Rule Description:

Alarm generated from an IDS/IPS or WAF event identifying a Cross-Site scripting attempt.

Common Event: AIE: Compromise: Cross-Site Scripting (XSS) Event

Classification: Security/Attack

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 3

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: An attacker has found an XSS vulnerability in a web application. The attacker crafts a URL that passes malicious JavaScript as an HTTP parameter and distributes this URL to a specific audience. One of the recipients clicks the URL, and because of the XSS vulnerability, the injected script is reflected back to the client by the vulnerable web application and runs client-side.

Configuration: This rule is designed to look at events coming from an IDS/IPS or WAF. If you do not have one of these devices, use the rule Compromise: Cross-site Scripting (XSS) (AIE Rule ID 1393, above), which matches the encoded tags in the URL itself, as an alternative.


Compromise: Inbound RDP/VNC

AIE Rule ID: 1412

Attack Lifecycle: Compromise

Rule Description:

Remote Desktop Protocol (RDP) or VNC connection from an external to internal host.

Common Event: AIE: Compromise: Inbound RDP/VNC

Classification: Security/Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 3

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: Valuable in detecting compromised hosts and network/policy abuse.


Compromise: Insecure Protocol

AIE Rule ID: 1404

Attack Lifecycle: Compromise

Rule Description:

Usage of inherently insecure transfer protocols.

Common Event: AIE: Compromise: Insecure Protocol

Classification: Security/Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 5

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: Valuable in detecting compromised hosts and network/policy abuse.


Compromise: Malicious Payload Drop

AIE Rule ID: 1389

Attack Lifecycle: Compromise

Rule Description:

An attack or compromise event followed by a download of a potentially malicious payload on the host. 

Common Event: AIE: Compromise: Malicious Payload Drop

Classification: Security/Compromise

Suppression Multiple: 6

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 4

AIE Rule Additional Details

Actions: Investigate the Impacted IP if it’s a known host and service and quarantine or remove from the network if unknown. Block the Impacted and Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP was compromised and remediate as necessary otherwise add Impacted IP to a Watch List to determine if Attack was successful.

Use Case: A host was compromised and exploits were then downloaded to the compromised machine to assist in privilege escalation or to assist in exploitation of other hosts.


Compromise: Multiple Unique Attack Events

AIE Rule ID: 1385

Attack Lifecycle: Compromise

Rule Description:

Multiple, unique attack events against the same host.  

Common Event: AIE: Compromise: Multiple Unique Attack Events

Classification: Security/Attack

Suppression Multiple: 6

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 1

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: An attacker is using an automated tool to launch a variety of attacks against a host.

Configuration: (Optional) Create an Exclude Filter for Origin Host in Rule Block 1 where the Origin Host is the name of any vulnerability scanners.


Compromise: New Network Host

AIE Rule ID: 1421

Attack Lifecycle: Compromise

Rule Description:

A new host is seen communicating in the environment for the first time.

Common Event: AIE: Compromise: New Network Host

Classification: Security/Suspicious

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: High

False Positive Probability: 8

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: An attacker has cracked a company's internal wireless WPA2 key and has set up a rogue host to listen in promiscuous mode to all wireless traffic in the hope of obtaining sensitive information.

Configuration:

  1. Be collecting from the LogRhythm Network Monitor.
  2. Define all internal network ranges. Then create an include filter in both the baseline and live period where Network (Origin) is the defined network ranges.
  3. In the Log Manager advanced properties turn on DNIP Address (Origin)ToName resolution.

Optional: When turning on this rule for the first time, turn on suppression for 2 or 3 days. Then, after 2 or 3 days, turn the suppression off again. This will allow data to build up in the baseline and alerts will become more accurate.


Compromise: Obsolete SSL/TLS Version

AIE Rule ID: 1437

Attack Lifecycle: Compromise

Rule Description:

SSL/TLS Vulnerable Versions Detected.

Common Event: AIE: Compromise: Obsolete SSL/TLS Version

Classification: Security/Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 6

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: Older versions of the SSL/TLS protocols pose a risk of Man-in-the-Middle (MITM) attacks, where encrypted data can be read by unintended recipients. Many web servers and browsers are configured to "fall back" to an older, and most likely vulnerable, version of SSL/TLS if they are unable to negotiate the recommended version.

Configuration: This rule cannot be tuned, but it assists with reporting and insight. It is recommended to enforce a web server policy that does not fall back to older/vulnerable versions; the same is recommended for web browsers.


Compromise: Port Misuse: SSH Inbound

AIE Rule ID: 1425

Attack Lifecycle: Compromise

Rule Description:

Detects inbound SSH traffic connecting over a non-standard port (not 22)

Common Event: AIE: Compromise: Port Misuse: SSH Inbound

Classification: Security/Suspicious

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 6

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: Valuable in detecting compromised hosts and network/policy abuse.


Compromise: Repeated Attacks Against Host

AIE Rule ID: 1430

Attack Lifecycle: Compromise

Rule Description:

The same security event is detected on the same host multiple times within a short window.

Common Event: AIE: Compromise: Repeated Attacks Against Host

Classification: Security/Attack

Suppression Multiple: 12

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 5

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: A Snort IDS deployment is firing repeatedly because an infected host is attempting to spread on the network.


Compromise: SQL Injection

AIE Rule ID: 1392

Attack Lifecycle: Compromise

Rule Description:

Common URL-encoded SQL Injection string in a URL.  

Common Event: AIE: Compromise: SQL Injection

Classification: Security/Attack

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 3

AIE Rule Additional Details

Actions: Investigate the Origin IP if it’s a known host, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall and determine what the Attacker was looking for to aid in evaluating if compromise was successful. Determine if Impacted IP Host and Application are known and quarantine if compromise is found or add to Watch List for further compromise assessment.

Use Case: An insider is attempting to launch a SQL Injection attack by adding ;-- to an HTTP parameter that is being passed to a backend database, hoping to comment out the remainder of the application's SQL statement after injecting malicious SQL.
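The rule above matches on URL-encoded injection strings, which means the match has to happen on the decoded parameter value, not the raw URL. The following Python is an added example (not LogRhythm's code) of that detection logic run over a few constructed web server access log lines: it percent-decodes the query string until it is stable (so a double-encoded payload is caught, while a legitimately double-encoded apostrophe in a name is not flagged) and then checks for the comment terminator named in the use case plus two other common indicators. The indicator patterns and the three-round decoding limit are choices made for this example.

```python
"""Added example (not LogRhythm's code): flag URL-encoded SQL injection
indicators in web access log lines by matching on the percent-decoded
query string. Sample log lines are constructed for this example."""
import re
from urllib.parse import unquote_plus

# Constructed sample access log lines (Common Log Format style).
SAMPLE_LOGS = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /item?id=42 HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /item?id=42%27%3B-- HTTP/1.1" 500 0',
    '10.0.0.8 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9000',
    # Legitimate double-encoded apostrophe: must not be flagged.
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /page?name=O%2527Brien HTTP/1.1" 200 300',
    # Double-encoded payload: only visible after a second decoding pass.
    '10.0.0.6 - - [01/Jan/2024:10:00:05 +0000] "GET /report?u=1%2520UNION%2520SELECT%2520null HTTP/1.1" 200 100',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|HEAD) (\S+) HTTP/')

# Indicators of common SQL injection strings, checked against the decoded query.
INDICATORS = [
    ("comment terminator", re.compile(r";\s*--|'\s*--")),
    ("tautology", re.compile(r"'\s*or\s+'?\d*'?\s*=\s*'?\d*'?", re.IGNORECASE)),
    ("union select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.IGNORECASE)),
]


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly until the value stops changing (bounded)."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan_line(line):
    """Return (client_ip, url, indicator_name) if the request matches, else None."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    url = match.group(1)
    if "?" not in url:
        return None
    decoded_query = decode_fully(url.split("?", 1)[1])
    for name, pattern in INDICATORS:
        if pattern.search(decoded_query):
            return (line.split(" ", 1)[0], url, name)
    return None


def scan_logs(lines):
    """Run scan_line over every line and keep the hits, in log order."""
    return [hit for hit in (scan_line(line) for line in lines) if hit]


if __name__ == "__main__":
    for client_ip, url, indicator in scan_logs(SAMPLE_LOGS):
        print(f"{client_ip} {indicator}: {url}")
```

Decoding to a fixed point rather than once is what separates the `O%2527Brien` line (harmless) from the `%2520UNION%2520SELECT` line (flagged); an IDS/IPS or WAF that decodes only once would miss the latter, which is the kind of gap a SIEM-side rule on the decoded value closes.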


Compromise: SQL Injection Event

AIE Rule ID: 1438

Attack Lifecycle: Compromise

Rule Description:

Alarm generated from an IDS/IPS event identifying a SQL Injection attempt.

Common Event: AIE: Compromise: SQL Injection Event

Classification: Security/Attack

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 3

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: An insider is attempting to launch a SQL Injection attack that modifies an HTTP request being passed to a backend database, and the attempt has been detected by a Web Application Firewall.

Configuration: This rule is designed to look at events coming from an IDS/IPS or WAF. If you don't have one of these devices, then use AIE Rule 96 Compromise: SQL Injection as an alternative.


Compromise: Vuln Exploited Externally

AIE Rule ID: 1395

Attack Lifecycle: Compromise

Rule Description:

Security related events on a specific host and port, preceded by a vulnerability event on the same host and port.

Common Event: AIE: Compromise: Vuln Exploited Externally

Classification: Security/Attack

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 8

AIE Rule Additional Details

Actions: Investigate the Origin IP if it’s a known host and should be added to the Vulnerability Scanner List, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall and determine if the Impacted IP is vulnerable to compromise. Determine if Impacted IP Host and Application are known and quarantine if compromise is found or add to Watch List for further compromise assessment.

Use Case: An attacker attacks a host with a known vulnerability. Assumptions: collecting from an IDS and a vulnerability scanner.

Configuration: In rule block 2, on the Log Host (Origin) Criteria tab include filter, add the List "Vulnerability Scanners" that LogRhythm is collecting from.


Disruption: Denial of Service

AIE Rule ID: 1384

Attack Lifecycle: Disruption

Rule Description:

An observed denial of service log initiated from an internal source followed by a critical, error, or startup/shutdown on the same impacted host. 

Common Event: AIE: Disruption: Denial of Service

Classification: Security/Denial of Service

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 3

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: An attacker wants to prevent the timely release of a signature file/software release, so the attacker successfully launches a DoS attack that crashes the application/host, preventing the release from happening on time. The rule identifies a Denial of Service event impacting, or originating from, an internal host.


Disruption: Distributed Denial of Service Attack

AIE Rule ID: 1398

Attack Lifecycle: Disruption

Rule Description:

Excessive number of hosts communicating with a single host.

Common Event: AIE: Disruption: Distributed DoS Attack

Classification: Security/Denial of Service

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 6

AIE Rule Additional Details

Actions: Investigate the Impacted IP and Impacted Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Origin IP Host and Application are known and perform Incident Response on internal Origin IPs, or add to Watch List for further assessment.

Use Case: Attacker is using a botnet to attempt to take a public-facing service offline.


Disruption: DMZ DDoS

AIE Rule ID: 1408

Attack Lifecycle: Disruption

Rule Description:

25x increase in the number of unique hosts connecting to the internal/DMZ web servers.

Common Event: AIE: Disruption: DMZ DDoS

Classification: Security/Denial of Service

Suppression Multiple: 3

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 6

AIE Rule Additional Details

Actions: Investigate the Impacted IP and Impacted Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall or add to Watch List for further assessment. Assess Impacted IP and Application for mitigations against such an attack.

Use Case: An attacker has rented a botnet from Russia for the day and is using it to DoS your web servers.
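The rule fires on a 25x increase in unique connecting hosts relative to a baseline, so the interesting part for a practitioner is how the baseline and live counts are formed. The Python below is an added example (not LogRhythm's code) of that comparison over constructed connection records: it counts distinct origin IPs per destination per window for the baseline period, averages them, and alerts when a live window reaches 25 times that average. The 60-second window and the baseline floor of one host are assumptions for this example (the page does not state the rule's window), and the floor exists so a web server that had no baseline traffic at all does not alert on its first handful of clients.

```python
"""Added example (not LogRhythm's code): baseline-vs-live comparison of
unique origin hosts per destination, alerting on a 25x increase.
Connection records are constructed (timestamp_seconds, src_ip, dst_ip)."""
from collections import defaultdict

RATIO = 25          # the rule's stated 25x increase
MIN_BASELINE = 1.0  # assumed floor so a destination with no baseline does not alert on 1 host


def unique_origins_per_window(records, window_seconds):
    """Map (dst_ip, window_index) -> set of origin IPs seen in that window."""
    buckets = defaultdict(set)
    for ts, src, dst in records:
        buckets[(dst, ts // window_seconds)].add(src)
    return buckets


def baseline_unique_hosts(baseline_records, window_seconds):
    """Average number of unique origin hosts per window, per destination."""
    buckets = unique_origins_per_window(baseline_records, window_seconds)
    per_dst = defaultdict(list)
    for (dst, _window), srcs in buckets.items():
        per_dst[dst].append(len(srcs))
    return {dst: sum(counts) / len(counts) for dst, counts in per_dst.items()}


def evaluate(baseline_records, live_records, window_seconds=60, ratio=RATIO):
    """Return (dst_ip, window_index, live_unique, baseline_avg) for each alerting window."""
    baseline = baseline_unique_hosts(baseline_records, window_seconds)
    alerts = []
    for (dst, window), srcs in unique_origins_per_window(live_records, window_seconds).items():
        expected = max(baseline.get(dst, 0.0), MIN_BASELINE)
        if len(srcs) >= ratio * expected:
            alerts.append((dst, window, len(srcs), expected))
    return alerts


def make_records():
    """Constructed data: two DMZ web servers, three baseline windows, one live window."""
    baseline = []
    for w in range(3):
        t = w * 60
        # 10.1.1.10 normally sees 2 distinct clients per minute.
        baseline += [(t + 1, "203.0.113.1", "10.1.1.10"), (t + 2, "203.0.113.2", "10.1.1.10")]
        # 10.1.1.20 normally sees 4 distinct clients per minute.
        baseline += [(t + i, f"198.51.100.{i}", "10.1.1.20") for i in range(1, 5)]
    # Live minute: 60 distinct sources hit 10.1.1.10 (30x its baseline); 10.1.1.20 doubles (no alert).
    live = [(601, f"192.0.2.{i}", "10.1.1.10") for i in range(1, 61)]
    live += [(601, f"198.51.100.{i}", "10.1.1.20") for i in range(1, 9)]
    return baseline, live


if __name__ == "__main__":
    base, live = make_records()
    for dst, window, seen, expected in evaluate(base, live):
        print(f"{dst}: {seen} unique hosts in window {window} vs baseline {expected:.1f}")
```

Counting distinct origins rather than packets or connections is what makes this a DDoS rule rather than the traffic-threshold DoS rule further down: a single noisy client can never trip it, only a spread of sources can.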


Disruption: DoS (Traffic Threshold)

AIE Rule ID: 1400

Attack Lifecycle: Disruption

Rule Description:

Large number of packets sent from a single external host.

Common Event: AIE: Disruption: DoS (Traffic Threshold)

Classification: Security/Denial of Service

Suppression Multiple: 12

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 7

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: Detection of reconnaissance activity.


Disruption: Network Device Configuration Wiped

AIE Rule ID: 1434

Attack Lifecycle: Disruption

Rule Description:

A device on a predefined list of Network Devices has had its configuration deleted or disabled. This could indicate a compromised device.

Common Event: AIE: Disruption: Network Device Config Wiped

Classification: Security/Compromise

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 4

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Network Device has been compromised and or what was changed prior to the configuration being deleted.

Use Case: An attacker has compromised a network device and wiped the configuration in order to cause service disruption within the network.

Configuration: Populate the List "Network Devices".


Exfiltration: Large Outbound Transfer

AIE Rule ID: 1426

Attack Lifecycle: Exfiltration

Rule Description:

A single host is seen sending a large volume of data out of the network within the same 30-minute session.

Common Event: AIE: Exfiltration: Large Outbound Transfer

Classification: Security/Suspicious

Suppression Multiple: 2

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 2

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: A disgruntled employee is exfiltrating Intellectual Property out of the network.


Exfiltration: Unauthorized Cloud Service

AIE Rule ID: 1488

Attack Lifecycle: Exfiltration

Rule Description:

Use of an unauthorized Cloud Service has been observed.

Common Event: AIE: Exfiltration: Unauthorized Cloud Service

Classification: Security/Suspicious

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 7

AIE Rule Additional Details:

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment. Ascertain origin user and disable user account.

Use Case: A user is exfiltrating data using a personal cloud storage provider.

Configuration: Populate the Network: Unauthorized/Risky Applications list with the cloud services that are not authorized in your environment.


Exfiltration: Unauthorized VPN Usage

AIE Rule ID: 1489

Attack Lifecycle: Exfiltration

Rule Description:

Use of an unauthorized VPN product has been observed.

Common Event: AIE: Exfiltration: Unauthorized VPN Usage

Classification: Security/Suspicious

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 7

AIE Rule Additional Details:

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment. Ascertain origin user and disable user account.

Use Case: An attacker has moved laterally to a system with Internet access to exfiltrate data over a VPN and hide the destination of the exfiltration.

Configuration: Populate the Network: Authorized Applications list with the VPN services that are authorized in your environment.


Lateral: Internal Recon After Attack

AIE Rule ID: 1420

Attack Lifecycle: Lateral

Rule Description:

A security related event followed by a port sweep from the same source.

Common Event: AIE: Lateral: Internal Recon After Attack

Classification: Security/Attack

Suppression Multiple: 12

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 5

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: A host has been compromised by a self-replicating worm/malware, and is now trying to identify other machines to infect on the network that are running a particular vulnerable service.


Lateral: Multiple MACs for Same IP

AIE Rule ID: 1402

Attack Lifecycle: Lateral

Rule Description:

Single IP address associated with multiple MAC addresses. 

Common Event: AIE: Lateral: Multiple MACs for Same IP

Classification: Security/Suspicious

Suppression Multiple: 3

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 6

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: A suspicious host changing its MAC address to masquerade as another host or avoid MAC filtering.

Configuration: If there are multiple Network Monitor appliances on the network, you should clone this rule to run per Network Monitor log source or enable Data Segregation.
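The configuration note above matters because two Network Monitor appliances on different segments will each see the same IP behind a different next-hop MAC, which looks exactly like a MAC change unless observations are kept per sensor. The Python below is an added example (not LogRhythm's code) of the rule's logic over constructed Network Monitor-style observations, run both segregated by sensor and not, so the false positive is visible. The 300-second window is an assumption for this example; the page does not state the rule's window.

```python
"""Added example (not LogRhythm's code): detect a single IP observed with
more than one MAC address inside a time window, keyed per sensor so that
multiple Network Monitor appliances do not produce false positives.
Observations are constructed (timestamp_seconds, sensor, ip, mac)."""
from collections import defaultdict

WINDOW_SECONDS = 300  # assumed correlation window for this example

SAMPLE_RECORDS = [
    (0,   "nm-1", "10.0.0.50", "aa:aa:aa:aa:aa:01"),
    (30,  "nm-1", "10.0.0.50", "aa:aa:aa:aa:aa:02"),  # same IP, new MAC within the window
    (0,   "nm-1", "10.0.0.60", "cc:cc:cc:cc:cc:01"),
    (5,   "nm-2", "10.0.0.60", "dd:dd:dd:dd:dd:01"),  # second sensor sees its own upstream MAC
    (0,   "nm-1", "10.0.0.70", "ee:ee:ee:ee:ee:01"),
    (900, "nm-1", "10.0.0.70", "ee:ee:ee:ee:ee:02"),  # MAC change well outside the window
]


def find_multiple_macs(records, window=WINDOW_SECONDS, segregate_by_sensor=True):
    """Return (key, ip, macs) for each observation that makes an IP show >1 MAC
    within `window` seconds. `key` is (sensor, ip) when segregated, else ("*", ip)."""
    seen = defaultdict(list)  # key -> [(ts, mac), ...] still inside the window
    alerts = []
    for ts, sensor, ip, mac in sorted(records):
        key = (sensor if segregate_by_sensor else "*", ip)
        # Expire observations that have aged out of the window before comparing.
        seen[key] = [(t, m) for t, m in seen[key] if ts - t <= window]
        seen[key].append((ts, mac))
        macs = {m for _, m in seen[key]}
        if len(macs) > 1:
            alerts.append((key, ip, tuple(sorted(macs))))
    return alerts


if __name__ == "__main__":
    print("segregated by sensor:")
    for key, ip, macs in find_multiple_macs(SAMPLE_RECORDS):
        print(f"  {key}: {ip} seen with {macs}")
    print("not segregated:")
    for key, ip, macs in find_multiple_macs(SAMPLE_RECORDS, segregate_by_sensor=False):
        print(f"  {key}: {ip} seen with {macs}")
```

Segregated, only 10.0.0.50 alerts; without segregation 10.0.0.60 alerts as well, purely because the two sensors sit behind different routers. The 10.0.0.70 change never alerts because the two observations are fifteen minutes apart, which is the kind of gap a DHCP lease change or hardware swap produces.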


Lateral: Non-SCADA traffic in SCADA Network

AIE Rule ID: 1487

Attack Lifecycle: Lateral

Rule Description:

Traffic tagged as non-SCADA observed in SCADA-only Networks

Common Event: AIE: Lateral: Non-SCADA traffic in SCADA Network

Classification: Security/Suspicious

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 7

AIE Rule Additional Details:

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: A firewall configuration is modified by an attacker to gain access to the SCADA network from the administrative network.

Configuration:

Define the networks that should only contain SCADA protocols. This can be accomplished in one of two ways:
- Populate the Network: SCADA IP Ranges list with the IP address range(s) of the ICS networks
- Create LogRhythm Entities for the ICS networks and populate them with Host records for each SCADA host. Populate the Network: SCADA Entities list with the Entities that have been created.


Progression: to Command and Control

AIE Rule ID: 1004

Attack Lifecycle: Progression

Rule Description:

Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as Reconnaissance and Planning or Initial Compromise is followed by Command and Control with the same user or host.

Common Event: AIE: Progression: to Command and Control

Classification: Security/Attack

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: High

False Positive Probability: 1

AIE Rule Additional Details

This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.


Progression: to Command and Control

AIE Rule ID: 1009

Attack Lifecycle: Progression

Rule Description:

Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as Reconnaissance and Planning or Initial Compromise is followed by Command and Control with the same user or host.

Common Event: AIE: Progression: to Command and Control

Classification: Security/Attack

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: High

False Positive Probability: 1

AIE Rule Additional Details

This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.


Progression: to Command and Control

AIE Rule ID: 1014

Attack Lifecycle: Progression

Rule Description:

Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as Reconnaissance and Planning or Initial Compromise is followed by Command and Control with the same user or host.

Common Event: AIE: Progression: to Command and Control

Classification: Security/Attack

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: High

False Positive Probability: 1

AIE Rule Additional Details

This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.


Progression: to Exfil, Corruption, Disruption

AIE Rule ID: 1007

Attack Lifecycle: Progression

Rule Description:

Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as any earlier stage is followed by Exfiltration, Corruption, Disruption with the same user or host.

Common Event: AIE: Progression: to Exfil, Corruption, Disruption

Classification: Security/Compromise

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: High

False Positive Probability: 1

AIE Rule Additional Details

This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.


Progression: to Exfil, Corruption, Disruption

AIE Rule ID: 1012

Attack Lifecycle: Progression

Rule Description:

Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as any earlier stage is followed by Exfiltration, Corruption, Disruption with the same user or host.

Common Event: AIE: Progression: to Exfil, Corruption, Disruption

Classification: Security/Compromise

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: High

False Positive Probability: 1

AIE Rule Additional Details

This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.


Progression: to Exfil, Corruption, Disruption

AIE Rule ID: 1017

Attack Lifecycle: Progression

Rule Description:

Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as any earlier stage is followed by Exfiltration, Corruption, Disruption with the same user or host.

Common Event: AIE: Progression: to Exfil, Corruption, Disruption

Classification: Security/Compromise

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: High

False Positive Probability: 1

AIE Rule Additional Details

This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.


Progression: to Initial Compromise

AIE Rule ID: 1003

Attack Lifecycle: Progression

Rule Description:

Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as Reconnaissance and Planning is followed by Initial Compromise with the same user or host.

Common Event: AIE: Progression: to Initial Compromise

Classification: Security/Attack

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: High

False Positive Probability: 1

AIE Rule Additional Details

This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.


Progression: to Initial Compromise

AIE Rule ID: 1008

Attack Lifecycle: Progression

Rule Description:

Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as Reconnaissance and Planning is followed by Initial Compromise with the same user or host.

Common Event: AIE: Progression: to Initial Compromise

Classification: Security/Attack

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: High

False Positive Probability: 1

AIE Rule Additional Details

This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.


Progression: to Initial Compromise

AIE Rule ID: 1013

Attack Lifecycle: Progression

Rule Description:

Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as Reconnaissance and Planning is followed by Initial Compromise with the same user or host.

Common Event: AIE: Progression: to Initial Compromise

Classification: Security/Attack

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: High

False Positive Probability: 1

AIE Rule Additional Details

This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.


Progression: to Lateral Movement

AIE Rule ID: 1005

Attack Lifecycle: Progression

Rule Description:

Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as an earlier stage is followed by Lateral Movement with the same user or host.

Common Event: AIE: Progression: to Lateral Movement

Classification: Security/Attack

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: High

False Positive Probability: 1

AIE Rule Additional Details

This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.


Progression: to Lateral Movement

AIE Rule ID: 1010

Attack Lifecycle: Progression

Rule Description:

Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as an earlier stage is followed by Lateral Movement with the same user or host.

Common Event: AIE: Progression: to Lateral Movement

Classification: Security/Attack

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: High

False Positive Probability: 1

AIE Rule Additional Details

This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.


Progression: to Lateral Movement

AIE Rule ID: 1015

Attack Lifecycle: Progression

Rule Description:

Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as an earlier stage is followed by Lateral Movement with the same user or host.

Common Event: AIE: Progression: to Lateral Movement

Classification: Security/Attack

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: High

False Positive Probability: 1

AIE Rule Additional Details

This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.


Progression: to Target Attainment

AIE Rule ID: 1006

Attack Lifecycle: Progression

Rule Description:

Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as any earlier stage is followed by Target Attainment with the same user or host.

Common Event: AIE: Progression: to Target Attainment

Classification: Security/Compromise

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: High

False Positive Probability: 1

AIE Rule Additional Details

This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.


Progression: to Target Attainment

AIE Rule ID: 1011

Attack Lifecycle: Progression

Rule Description:

Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as any earlier stage is followed by Target Attainment with the same user or host.

Common Event: AIE: Progression: to Target Attainment

Classification: Security/Compromise

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: High

False Positive Probability: 1

AIE Rule Additional Details

This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.


Progression: to Target Attainment

AIE Rule ID: 1016

Attack Lifecycle: Progression

Rule Description:

Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as any earlier stage is followed by Target Attainment with the same user or host.

Common Event: AIE: Progression: to Target Attainment

Classification: Security/Compromise

Suppression Multiple: 1

Alarm on Event Occurrence: No

Environmental Dependence Factor: High

False Positive Probability: 1

AIE Rule Additional Details

This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.


Recon: Blacklisted Ingress Port

AIE Rule ID: 1432

Attack Lifecycle: Recon

Rule Description:

An external host communicates with a network host on a port not on the allowed ingress list.

Common Event: AIE: Recon: Blacklisted Ingress Port

Classification: Security/Reconnaissance

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 3

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: A misconfigured firewall is allowing traffic to pass into the network on the common VNC port (5900).

Configuration: The LogRhythm List "Network: Allowed Ingress Ports" must be populated for this rule to work.


Recon: Blocked External Traffic then Allow

AIE Rule ID: 1429

Attack Lifecycle: Recon

Rule Description:

400 or more instances of denied network traffic from an external source, followed by a network allow event.

Common Event: AIE: Recon: Blocked External Traffic then Allow

Classification: Security/Reconnaissance

Suppression Multiple: 30

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 6

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: An attacker is using the Cisco Auditing Tool that ships with BackTrack to probe for known vulnerabilities in older versions of Cisco IOS. The perimeter firewall denies the bulk of the probes until an allowed connection from the same source shows that the attacker has successfully exploited the device and gained access to its web management portal.


Recon: Excessive HTTP Errors

AIE Rule ID: 1391

Attack Lifecycle: Recon

Rule Description:

Excessive HTTP error codes seen on the same Impacted Host and originating from the same Origin Host, indicating automated scanning or enumeration of the web application.

Common Event: AIE: Recon: Excessive HTTP Errors

Classification: Security/Reconnaissance

Suppression Multiple: 30

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 4

AIE Rule Additional Details

Actions: Investigate the Origin IP if it’s a known host, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall and determine what the Attacker was looking for to aid in evaluating if compromise was successful. Determine if Impacted IP Host and Application are known and quarantine if compromise is found or add to Watch List for further compromise assessment.

Use Case: An attacker has written a script that requests the various default phpMyAdmin directories on a website and is running it against a web server.


Recon: Excessive Inbound Firewall Denies

AIE Rule ID: 1428

Attack Lifecycle: Recon

Rule Description:

This rule looks for an excessive number (400) of network-denied events from a single external host within 5 minutes.

Common Event: AIE: Recon: Excessive Inbound Firewall Denies

Classification: Security/Reconnaissance

Suppression Multiple: 12

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 9

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: A compromised external host is repeatedly attempting to communicate over a protocol that the perimeter firewall blocks.
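
The three firewall-log rules above, Recon: Blacklisted Ingress Port, Recon: Blocked External Traffic then Allow and Recon: Excessive Inbound Firewall Denies, all reduce to filtering and counting allow/deny events by source address. The Python below is an added example, not LogRhythm's code and not part of this guide, that implements all three over a constructed key=value firewall log. The 400-deny and 5-minute figures are the ones the rule descriptions state; the allowed-port set standing in for the "Network: Allowed Ingress Ports" list, the RFC 1918 definition of "internal", the log format and the sample addresses are assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds from the rule descriptions (400 denies, 5 minutes). The allowed
# ingress ports stand in for the "Network: Allowed Ingress Ports" list and are
# constructed; "internal" is assumed to mean the RFC 1918 ranges.
ALLOWED_INGRESS_PORTS = {25, 80, 443}
DENY_THRESHOLD = 400
DENY_WINDOW = timedelta(minutes=5)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed key=value firewall log format used only by this example.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) action=(?P<action>allow|deny) src=(?P<src>\S+) "
    r"dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)$")


def parse(line):
    """Parse one log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["dport"] = int(e["dport"])
    return e


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def blacklisted_ingress(events):
    """Recon: Blacklisted Ingress Port. Allowed traffic from an external host
    to an internal host on a port that is not on the allowed ingress list."""
    return [e for e in events
            if e["action"] == "allow" and is_external(e["src"])
            and not is_external(e["dst"])
            and e["dport"] not in ALLOWED_INGRESS_PORTS]


def excessive_denies(events, threshold=DENY_THRESHOLD, window=DENY_WINDOW):
    """Recon: Excessive Inbound Firewall Denies. External sources with at
    least `threshold` denies inside a sliding window of length `window`;
    returns the time at which each source first crossed the threshold."""
    recent = defaultdict(deque)
    flagged = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["action"] != "deny" or not is_external(e["src"]):
            continue
        q = recent[e["src"]]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold and e["src"] not in flagged:
            flagged[e["src"]] = e["ts"]
    return flagged


def blocked_then_allow(events, threshold=DENY_THRESHOLD):
    """Recon: Blocked External Traffic then Allow. An external source that has
    accumulated at least `threshold` denies and then gets an allow. The counter
    resets after each alarm so a repeat needs a fresh run of denies."""
    denies = defaultdict(int)
    alarms = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if not is_external(e["src"]):
            continue
        if e["action"] == "deny":
            denies[e["src"]] += 1
        elif denies[e["src"]] >= threshold:
            alarms.append((e["src"], e["ts"], e["dport"]))
            denies[e["src"]] = 0
    return alarms


def build_sample_log():
    """Constructed log: 400 denies from one external host over four minutes,
    then an allowed connection from it; an allowed VNC connection from a second
    external host; a benign internal VNC session; and a normal HTTPS allow."""
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    lines = [f"{(t0 + timedelta(milliseconds=600 * i)).isoformat()} action=deny "
             f"src=198.51.100.7 dst=10.0.0.5 proto=tcp dport={1000 + i}"
             for i in range(400)]
    lines += [
        f"{(t0 + timedelta(minutes=4, seconds=30)).isoformat()} action=allow "
        "src=198.51.100.7 dst=10.0.0.5 proto=tcp dport=8443",
        f"{(t0 + timedelta(minutes=6)).isoformat()} action=allow "
        "src=203.0.113.9 dst=10.0.0.8 proto=tcp dport=5900",
        f"{(t0 + timedelta(minutes=7)).isoformat()} action=allow "
        "src=10.0.0.5 dst=10.0.0.6 proto=tcp dport=5900",
        f"{(t0 + timedelta(minutes=8)).isoformat()} action=allow "
        "src=203.0.113.9 dst=10.0.0.8 proto=tcp dport=443",
    ]
    return lines


if __name__ == "__main__":
    events = [e for e in map(parse, build_sample_log()) if e]
    print("Blacklisted ingress:",
          [(e["src"], e["dport"]) for e in blacklisted_ingress(events)])
    print("Excessive denies:", excessive_denies(events))
    print("Blocked then allow:", blocked_then_allow(events))
```

Running the block prints two blacklisted-ingress hits (the VNC connection from 203.0.113.9, and the port 8443 connection from the host that has just produced 400 denies, which is the more interesting of the two), the one source that crossed the deny threshold, and the deny-then-allow alarm. The internal-to-internal VNC session is not reported because the ingress rule only applies to external origins. Note that the deny-then-allow detector keys on source address alone; the allowed connection need not target the same host the denies did, which is what the Cisco IOS use case above describes.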


Recon: Metasploit Activity Observed

AIE Rule ID: 1396

Attack Lifecycle: Recon

Rule Description:

Observed traffic on port 4444, the default port used by most Metasploit attack vectors.

Common Event: AIE: Recon: Metasploit Activity Observed

Classification: Security/Reconnaissance

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 5

AIE Rule Additional Details

Actions: Investigate the Origin IP; if it is a known host (for example, an authorized scanner), add it to the Vulnerability Scanner List. Quarantine unknown hosts to a Remediation VLAN and block the Origin IP from inbound and outbound on the perimeter Firewall. Determine if the Impacted IP Host and Application are known, and quarantine if compromise is found or add to the Watch List for further compromise assessment.

Use Case: An attacker is using Metasploit to launch an attack without changing the default port. Because the rule keys only on the port number, an attacker who sets a non-default LPORT will not trigger it; treat this rule as a low-cost catch for careless tooling, not as coverage for Metasploit in general.


Recon: Port Scan

AIE Rule ID: 1383

Attack Lifecycle: Recon

Rule Description:

External host sending traffic to over 40 ports on an internal host, indicating a possible port scan.

Common Event: AIE: Recon: Port Scan

Classification: Security/Reconnaissance

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 7

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: An external attacker is running a port scan to determine which services are running on a target machine.

Configuration:

Optional: Create an Exclude Filter for Origin Host in Rule Block 1 where the Origin Host is the name of any vulnerability scanners.


Recon: Port Sweep

AIE Rule ID: 1382

Attack Lifecycle: Recon

Rule Description:

TCP or UDP traffic from one host to the same port on multiple hosts.

Common Event: AIE: Recon: Port Sweep

Classification: Security/Reconnaissance

Suppression Multiple: 60

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 7

AIE Rule Additional Details

Actions: Investigate the Origin IP and Origin Application if it is known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application, and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case 1: An external attacker performing reconnaissance knows of an exploitable vulnerability in a service and is trying to identify whether that service is running on any hosts within the network.

Use Case 2: An internal attacker performing reconnaissance knows of an exploitable vulnerability in a service and is trying to identify whether that service is running on any hosts within the network.

Use Case 3: An attacker on an internal host is performing reconnaissance against external hosts, looking for a service with a known exploitable vulnerability.

Configuration:

(1) Depending on how NetFlow is configured, ordinary outbound web browsing can be recorded with a source IP of the egress (NAT) address, which looks like one host sweeping a single port across many external hosts and will cause the rule to fire. Create an Exclude Filter List "External IP Addresses" where IP (Host (Origin)) = egress IP to filter out this activity.

(2) Create an Exclude Filter List "Vulnerability Scanners" for Origin Host in Rule Block 1 where the Origin Host is the name of any vulnerability scanners.
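
Recon: Port Scan and Recon: Port Sweep above are two groupings of the same flow data: the first counts distinct ports one origin touches on one impacted host, the second counts distinct hosts one origin touches on one port. The Python below is an added example, not LogRhythm's code and not part of this guide, that implements both over constructed NetFlow-style records and applies the two exclude lists the configuration notes describe. The port-scan threshold (more than 40 ports) is the figure from the rule text; the port-sweep threshold, the scanner and egress addresses, and the sample flows are assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# The port scan figure (more than 40 ports on one host) comes from the rule
# text; the port sweep figure is assumed, since the guide gives none.
PORT_SCAN_THRESHOLD = 40
PORT_SWEEP_THRESHOLD = 20

# Stand-ins for the two exclude lists from the configuration notes. The
# addresses are constructed for this example.
VULNERABILITY_SCANNERS = {"10.0.0.250"}   # "Vulnerability Scanners" list
EXTERNAL_IP_ADDRESSES = {"192.0.2.1"}     # "External IP Addresses" list: egress/NAT IP


@dataclass(frozen=True)
class Flow:
    """One NetFlow record reduced to the fields the two rules group on."""
    src: str
    dst: str
    proto: str
    dport: int


def excluded(flow):
    """Exclude Filter: drop flows whose Host (Origin) is on either list."""
    return flow.src in VULNERABILITY_SCANNERS or flow.src in EXTERNAL_IP_ADDRESSES


def port_scans(flows, threshold=PORT_SCAN_THRESHOLD):
    """Recon: Port Scan. (origin, impacted) pairs where the origin touched more
    than `threshold` distinct (proto, port) combinations on one impacted host."""
    ports = defaultdict(set)
    for f in flows:
        if not excluded(f):
            ports[(f.src, f.dst)].add((f.proto, f.dport))
    return {k: len(v) for k, v in ports.items() if len(v) > threshold}


def port_sweeps(flows, threshold=PORT_SWEEP_THRESHOLD):
    """Recon: Port Sweep. (origin, proto, port) keys where the origin sent
    traffic to that port on at least `threshold` distinct hosts."""
    hosts = defaultdict(set)
    for f in flows:
        if not excluded(f):
            hosts[(f.src, f.proto, f.dport)].add(f.dst)
    return {k: len(v) for k, v in hosts.items() if len(v) >= threshold}


def build_sample_flows():
    """Constructed flows covering the rule, the three use cases and the two
    false-positive sources the configuration notes warn about."""
    flows = []
    # Port Scan use case: external attacker scanning 45 ports on one internal host.
    flows += [Flow("203.0.113.44", "10.0.0.5", "tcp", p) for p in range(1, 46)]
    # Port Sweep use case 2: internal host sweeping SMB across 25 internal hosts.
    flows += [Flow("10.0.0.77", f"10.0.1.{i}", "tcp", 445) for i in range(1, 26)]
    # Port Sweep use case 3: internal host sweeping an external /24 for SSH.
    flows += [Flow("10.0.0.78", f"198.51.100.{i}", "tcp", 22) for i in range(1, 31)]
    # Authorized scanner: would trip both rules without the exclude list.
    flows += [Flow("10.0.0.250", "10.0.0.5", "tcp", p) for p in range(1, 101)]
    # Outbound browsing recorded from the egress address: looks like a sweep of 443.
    flows += [Flow("192.0.2.1", f"203.0.113.{i}", "tcp", 443) for i in range(1, 51)]
    # Ordinary client traffic.
    flows += [Flow("10.0.0.10", "10.0.0.5", "tcp", 443),
              Flow("10.0.0.10", "10.0.0.5", "udp", 53)]
    return flows


if __name__ == "__main__":
    flows = build_sample_flows()
    print("Port scans :", port_scans(flows))
    print("Port sweeps:", port_sweeps(flows))
```

With the exclude lists in place the block reports one scan (203.0.113.44 against 10.0.0.5, 45 ports) and two sweeps (10.0.0.77 on tcp/445 across 25 internal hosts, 10.0.0.78 on tcp/22 across 30 external hosts). Comment out the two list entries and the scanner and the egress address appear as well, which is the false-positive pattern the configuration notes describe. Grouping on (proto, port) rather than port alone keeps a host that probes tcp/53 and udp/53 from being counted as one port.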


Recon: URL Directory Traversal

AIE Rule ID: 1394

Attack Lifecycle: Recon

Rule Description:

Attempt to perform dot-dot directory traversal using URL parameters.

Common Event: AIE: Recon: URL Directory Traversal

Classification: Security/Reconnaissance

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Medium

False Positive Probability: 3

AIE Rule Additional Details

Actions: Investigate the Origin IP if it’s a known host, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall and determine what the Attacker was looking for to aid in evaluating if compromise was successful. Determine if Impacted IP Host and Application are known and quarantine if compromise is found or add to Watch List for further compromise assessment.

Use Case: An attacker is attempting to access directories on a web server from a browser using the dot-dot-slash technique of directory traversal.
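
Recon: Excessive HTTP Errors and Recon: URL Directory Traversal both work from web server access logs: the first counts 4xx/5xx responses per origin and impacted host, the second inspects the requested URL for dot-dot segments. The Python below is an added example, not LogRhythm's code and not part of this guide, that implements both over a constructed access-log format. The error threshold and window are assumptions (the guide says only "excessive"); the vhost name, client addresses, phpMyAdmin paths and traversal payloads in the sample are constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, unquote, urlsplit

# Threshold and window are assumed; the guide says only "excessive".
ERROR_THRESHOLD = 30
ERROR_WINDOW = timedelta(minutes=5)

# Constructed access-log format for this example: vhost client [time] "request" status
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<client>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})$')


def parse(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e


def excessive_http_errors(entries, threshold=ERROR_THRESHOLD, window=ERROR_WINDOW):
    """Recon: Excessive HTTP Errors. (client, vhost) pairs with at least
    `threshold` 4xx/5xx responses inside a sliding window; the value is the
    largest window count seen for that pair."""
    recent = defaultdict(deque)
    flagged = {}
    for e in sorted(entries, key=lambda x: x["ts"]):
        if e["status"] < 400:
            continue
        key = (e["client"], e["vhost"])
        q = recent[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


def is_traversal(url):
    """Recon: URL Directory Traversal. True if the path or any query value
    contains a dot-dot segment after decoding. Decoding is applied twice so
    double-encoded forms such as %252e%252e%252f are caught, and backslashes
    are folded to slashes for the Windows variant. A bare '..' inside a name
    such as 'release-1..2' is not a traversal and is not flagged."""
    parts = urlsplit(url)
    candidates = [parts.path] + [v for _, v in parse_qsl(parts.query, keep_blank_values=True)]
    for c in candidates:
        s = unquote(unquote(c)).replace("\\", "/")
        if "../" in s or s.endswith("/..") or s == "..":
            return True
    return False


def traversal_attempts(entries):
    return [(e["client"], e["url"], e["status"]) for e in entries if is_traversal(e["url"])]


def build_sample_log():
    """Constructed sample: one client probing default phpMyAdmin locations (the
    Excessive HTTP Errors use case), a second sending traversal payloads, and
    benign requests including a path that merely contains two dots."""
    t0 = datetime(2024, 5, 1, 10, 0, 0, tzinfo=timezone.utc)

    def line(offset, client, request, status):
        ts = (t0 + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'www.example.com {client} [{ts}] "{request}" {status}'

    pma_paths = ["/phpmyadmin/", "/phpMyAdmin/", "/pma/", "/myadmin/",
                 "/mysql/", "/admin/phpmyadmin/", "/phpmyadmin2/", "/dbadmin/"]
    lines = [line(i, "203.0.113.10", f"GET {pma_paths[i % len(pma_paths)]} HTTP/1.1", 404)
             for i in range(40)]
    lines += [
        line(100, "198.51.100.23", "GET /download?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1", 200),
        line(101, "198.51.100.23", "GET /images/../../../etc/passwd HTTP/1.1", 403),
        line(102, "198.51.100.23", "GET /view?page=%252e%252e%252fconfig.php HTTP/1.1", 404),
        line(103, "198.51.100.23", "GET /static/..\\..\\win.ini HTTP/1.1", 404),
        line(200, "10.0.0.10", "GET /index.html HTTP/1.1", 200),
        line(201, "10.0.0.10", "GET /release-1..2/notes HTTP/1.1", 200),
    ]
    return lines


if __name__ == "__main__":
    entries = [e for e in map(parse, build_sample_log()) if e]
    print("Excessive HTTP errors:", excessive_http_errors(entries))
    for client, url, status in traversal_attempts(entries):
        print(f"Traversal attempt from {client}: {url} -> {status}")
```

The block reports the phpMyAdmin prober (40 errors from one client against one vhost inside the window) and the four traversal requests, while the traversal client's own three error responses stay below the threshold and the benign requests produce nothing. The access log keeps the request line as the client sent it, so the decoding is done here rather than relying on the server's path normalization; the 200 response on the first traversal request is the line an analyst should look at first, since it is the one that may have succeeded.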


Recon: URL Directory Traversal Event

AIE Rule ID: 1440

Attack Lifecycle: Recon

Rule Description:

Alarm generated from an IDS/IPS or WAF event attempting a directory traversal.

Common Event: AIE: Recon: URL Directory Traversal Event

Classification: Security/Reconnaissance

Suppression Multiple: 3600

Alarm on Event Occurrence: No

Environmental Dependence Factor: Low

False Positive Probability: 3

AIE Rule Additional Details:

Actions: Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN, block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown or add to Watch List for further assessment.

Use Case: An attacker is attempting to access directories on a web server from a browser using the dot-dot-slash technique of directory traversal.

Configuration: This rule is designed to look at events coming from an IDS/IPS or WAF. If you do not have one of these devices, use AIE Rule 1394 Recon: URL Directory Traversal, which works from the URL itself, as an alternative.


