SOX – AI Engine Rules
AI Engine Rule Name | Alarm | Log Sources | Rule Description | Rule ID | Notification Area | Corresponding Investigation |
---|---|---|---|---|---|---|
SOX: Data Loss Prevention Rule | No | SOX: Data Loss Prevention | This AIE Rule provides details of data generated by the LogRhythm Data Loss Defender or other data loss prevention solutions, when configured. Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06, DSS05.01 Augment: APO01.03, APO01.06, BAI04.03, DSS01.01, DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05, DSS05.02, DSS05.03, DSS05.06, DSS06.06 | 926 | Operations : Information | SOX: Data Loss Prevention Inv |
SOX: Data Exfiltration Rule | No | SOX: Network Access Control Systems-Servers, SOX: Network Security Systems | This AIE rule creates an event any time an external attack or compromise occurs within the environment and is followed by data leaving the same system. Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06, DSS05.01 Augment: APO01.03, APO01.06, BAI04.03, DSS01.01, DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05, DSS05.02, DSS05.03, DSS05.06, DSS06.06 | 927 | Security : Compromise | SOX: Data Loss Prevention Inv |
SOX: Data Destruction Rule | Yes | 1. SOX: Network Access Control Systems-Servers, SOX: Network Security Systems 2. SOX: File Integrity Monitors | This AIE rule creates an event and alerts when a compromise or attack occurs, followed by file integrity monitoring activities on the same impacted host. Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06, DSS05.01 Augment: APO01.03, APO01.06, BAI04.03, DSS01.01, DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05, DSS05.02, DSS05.03, DSS05.06, DSS06.06 | 928 | Security : Compromise | SOX: Data Loss Prevention Inv |
SOX: Physical Access Rule | No | SOX: Physical Security Systems | This AIE rule creates an event for any access attempt (success or failure) against the defined physical security boundary. Organizations should consider defining their physical boundaries according to risk: data center(s), IT room(s), and external physical boundaries. Direct: DSS05.05 Augment: APO01.03, APO01.06, DSS05.06, DSS06.06 | 929 | Audit : Access Failure | SOX: Physical Access Inv |
SOX: FIM Critical/Error/Information Alert | Yes | SOX: File Integrity Monitors | This AIE Rule alerts on the occurrence of any critical, failure, or error to file integrity monitoring solutions. Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06 Augment: APO01.03, APO01.06, BAI04.01, BAI04.03, BAI04.05, BAI07.06, BAI07.07, BAI07.08, DSS01.01, DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05, DSS05.02, DSS05.03, DSS05.06, DSS06.06 | 930 | Operations : Error | SOX: FIM Critical/Error/Information Inv |
SOX: Acct Created, Used, Deleted Alert | Yes | SOX: Network Access Control Systems-Servers | This AIE Rule creates an alert and provides details on a new account that is created, then used, and then deleted within the same day. Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06, DSS05.01 Augment: APO07.05, DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05, DSS05.02, DSS05.03, DSS05.04, DSS05.07, DSS06.03 | 931 | Security : Suspicious | SOX: Acct Created, Used, Deleted Inv |
SOX: Vendor Auth Failure Alert Rule | Yes | All Log Sources | This AIE rule alerts on any failure by a vendor or third-party account (list) to authenticate to the organization's production environment, including remote access. Augment: APO10.03, APO10.04, APO10.05, BAI04.03, DSS01.02 | 932 | Audit : Authentication Failure | SOX: Vendor Acct Authentication Failure Inv |
SOX: Vendor Act Access Fail Alert Rule | Yes | All Log Sources | This AIE rule alerts on any access failure by a vendor or third-party account (list) against the organization's production environment, including remote access. Augment: APO10.03, APO10.04, APO10.05, BAI04.03, DSS01.02 | 933 | Audit : Access Failure | SOX: Vendor Acct Access Failure Inv |
SOX: TST Environment Error Alert | Yes | All Log Sources | This AIE rule creates a common event any time an error or critical log message is received from the systems or servers assigned to the Test Servers (entity structure). This rule assists with change management testing procedures. Augment: BAI03.07, BAI03.08, BAI07.04, BAI07.05 | 934 | Operations : Critical | SOX: TST Environment Error Inv |
SOX: TST Priv Acct Authentication | No | All Log Sources | This AIE rule creates a common event for any privileged account authentication against a test environment (entity structure). Privileged accounts within the test environment are defined as those accounts with the ability to migrate changes from test to production. Augment: BAI03.07, BAI03.08, BAI07.04, BAI07.05 | 935 | Audit : Authentication Failure | SOX: TST Priv Acct Authentication Inv |
SOX: Critical Environment Error Alert | Yes | All Log Sources | This AIE rule creates a common event any time an error or critical log message is received from the systems or servers assigned to the Critical Servers-Systems (entity structure). Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06 Augment: BAI04.01, BAI04.03, BAI04.05, BAI07.06, BAI07.07, BAI07.08, DSS01.01, DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05 | 936 | Operations : Critical | SOX: Critical Environment Error Inv |
SOX: Production Environment Error Alert | Yes | All Log Sources | This AIE rule creates a common event any time an error or critical log message is received from the systems or servers assigned to the Production Servers-Systems (entity structure). Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06 Augment: BAI04.01, BAI04.03, BAI04.05, BAI07.06, BAI07.07, BAI07.08, DSS01.01, DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05 | 937 | Operations : Critical | SOX: Production Environment Error Inv |
SOX: LogRhythm Silent Log Source Error Alert | Yes | All Log Sources | This AIE Rule creates an alert and provides information when a LogRhythm Log Source has not received logs from a critical or production server-system during the defined error period. Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06, DSS05.01 Augment: BAI04.01, BAI04.03, BAI04.04, BAI04.05, BAI07.06, BAI07.07, BAI07.08, BAI10.02, BAI10.03, BAI10.04, DSS01.01, DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05, DSS05.02, DSS05.03, DSS05.07 | 938 | Operations : Warning | SOX: LogRhythm Silent Log Source Error Inv |
SOX: Backup Failure/Error Alert | Yes | SOX: Backup Servers-Systems | This AIE rule creates an alert and provides information when a backup system or server issues a critical or error log message. Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06 Augment: BAI04.01, BAI04.03, BAI04.05, BAI07.06, BAI07.07, BAI07.08, DSS01.01, DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05, DSS04.07 | 939 | Operations : Critical | SOX: Backup Failure/Error Inv |
SOX: Critical/PRD Envir Config/Policy Change Alert | Yes | All Log Sources | This AIE rule creates an alert any time configuration or policy modification logs are received from a critical or production environment (entity structure). Augment: BAI04.03, BAI06.01, BAI06.02, BAI10.02, BAI10.03, BAI10.04 | 940 | Audit : Policy | SOX: Config/Policy Change Inv |
SOX: Critical/PRD Envir Patch Failure Alert | Yes | All Log Sources | This AIE rule creates an alert any time a patch fails to apply to the critical or production environments (entity structure). Augment: BAI04.03, BAI06.01, BAI06.02, BAI10.02, BAI10.03, BAI10.04 | 941 | Operations : Error | SOX: Patch Failure Inv |
SOX: Critical/PRD Envir Signature Fail Alert | Yes | All Log Sources | This AIE Rule creates an alert on signature update failures on critical or production environments (entity structure). Augment: BAI04.03, BAI06.01, BAI06.02, BAI10.02, BAI10.03, BAI10.04 | 942 | Operations : Error | SOX: Signature Failure Inv |
SOX: Time Sync Error Alert | Yes | All Log Sources | This AIE Rule creates an event and alerts for any time sync errors occurring on any Log Source. Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06 Augment: BAI04.04, BAI04.05, DSS01.01, DSS01.03, DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05 | 943 | Operations : Warning | SOX: Time Sync Error Inv |
SOX: Malware Alert | Yes | SOX: Malware Prevention Systems | This AIE Rule provides details on malware activity across the organization's environment where malware detection/prevention is applied. Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06, DSS05.01 Augment: DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05, DSS05.02, DSS05.03, DSS05.07 | 944 | Security : Malware | SOX: Malware Detected Inv |
SOX: Vulnerability Detected Alert | Yes | SOX: Network Security Systems | This AIE Rule alerts on the occurrence of vulnerabilities or suspicious events across the organization's environment. Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06, DSS05.11 Augment: DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05, DSS05.03, DSS05.07 | 945 | Security : Vulnerability | SOX: Vulnerability Detected Inv |
SOX: Attack Detected Alert | Yes | SOX: Malware Prevention Systems | This AIE rule creates an event and alerts on known attacks or failed attack attempts across the environment. Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06, DSS05.01 Augment: DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05, DSS05.02, DSS05.03, DSS05.07 | 946 | Security : Attack | SOX: Attack Detected Inv |
SOX: Rogue Access Point Alert | Yes | SOX: Network Security Systems | This AIE Rule alerts on the occurrence of any rogue access point detection events against the organization's environment. Direct: DSS02.02, DSS02.03, DSS02.04, DSS02.05, DSS02.06, DSS05.01 Augment: DSS02.01, DSS02.07, DSS03.01, DSS03.02, DSS03.03, DSS03.04, DSS03.05, DSS05.02, DSS05.03, DSS05.07 | 947 | Security : Suspicious | SOX: Rogue Access Point Inv |
SOX: Priv Acct Auth Failure Alert | Yes | All Log Sources | This AIE rule creates an alarm any time a privileged account fails to authenticate against a critical or production environment (entity structure). Augment: APO07.05, DSS05.04, DSS05.07, DSS06.03 | 948 | Audit : Authentication Failure | SOX: Priv Acct Auth Failure Inv |
SOX: Priv Acct Access Failure Alert | Yes | SOX: Network Access Control Systems | This AIE rule creates an alarm any time a privileged account experiences an access failure against a critical or production environment (entity structure). Augment: APO07.05, DSS05.04, DSS05.07, DSS06.03 | 949 | Audit : Access Failure | SOX: Priv Acct Access Failure Inv |