Skip to main content
Skip table of contents

UAE-NESA User Guide – AI Engine Rules

AI Engine Rules leverage LogRhythm technology to correlate events across your environment, helping to identify events of interest and potential compliance issues. The goal for many of these rules is to quickly identify traffic coming from or going to a country that has strict data protection laws, such as GDPR for the EU members. This can empower your organization and DPO to ensure policies are applied and consent is obtained as soon as possible to limit the time of non-compliance.

Log Requirements

These AIE rules cover all log sources in your environment but specifically require logs from anti-malware systems, firewalls, servers, workstations, security enforcing devices, access management systems, and vulnerability detection systems. When configured correctly, LogRhythm’s advanced correlation and AIE rules provide near real-time alerts for malicious activities and/or attacks.

Object TypeNameID
AIE Alarm RuleCCF: Malware Alarm Rule1217
AIE RuleCCF: GeoIP General Activity1240
AIE RuleCCF: GeoIP Blacklisted Region Activity1241
AIE Alarm RuleCCF: LogRhythm silent Log Source Error Alarm1209

Malware Alarm Rule

A cornerstone of UAE-NESA is the ability to continuously monitor the environment from all layers. This Alarm (#1217) is configured to alert when malicious activity occurs within the environment. This AIE Rule creates an event and notification alarm for malware detection on devices that have been designated as log sources or devices that support network monitoring.

GeoIP Activity Rules

This set of AIE rules (#1240 & 1241) are designed to leverage GeoIP functionality to represent general activity. Further a blacklisted region (list) can be used to indicate when data is coming in from a region that has data protection policies or legislation that needs to be taken into consideration. This early notification can ensure the organization acts on policies to obtain consent and ensure adherence to data protection requirements.

LogRhythm Silent Log Source Error Alarm

As LogRhythm Enterprise may serve as a mitigating control, it is crucial to be able to alarm on any instance where an in-scope log source does not send any logs. This rule (#1209) could be indicative of a control failure that needs to be addressed. This rule, in conjunction with other auditing failures, allows the organization to limit the time of control failure relating to logging and monitoring.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.