
UAE-NESA User Guide – AI Engine Rules



AI Engine (AIE) Rules leverage LogRhythm correlation to link events across your environment, helping to identify events of interest and potential compliance issues. The goal of many of these rules is to quickly identify traffic coming from or going to a country with strict data protection laws, such as GDPR for EU member states. This gives the organization and its DPO early notice, so that policies are applied and consent is obtained as soon as possible, limiting the period of non-compliance.

Log Requirements

These AIE rules can draw on all log sources in your environment but specifically require logs from anti-malware systems, firewalls, servers, workstations, security-enforcing devices, access management systems, and vulnerability detection systems. When configured correctly, LogRhythm's advanced correlation and AIE rules provide near real-time alerts on malicious activity and attacks; rules whose required log sources are not onboarded cannot fire, so verify source coverage before relying on them.

Object Type        Name                                                ID
AIE Alarm Rule     CCF: Malware Alarm Rule                             1217
AIE Rule           CCF: GeoIP General Activity                         1240
AIE Rule           CCF: GeoIP Blacklisted Region Activity              1241
AIE Alarm Rule     CCF: LogRhythm Silent Log Source Error Alarm        1209

Malware Alarm Rule

A cornerstone of UAE-NESA is the ability to continuously monitor the environment at all layers. This Alarm Rule (#1217) is configured to alert when malicious activity is detected in the environment: it creates an event and a notification alarm for malware detections reported by devices that have been designated as log sources or that support network monitoring.

GeoIP Activity Rules

This set of AIE rules (#1240 and #1241) leverages GeoIP functionality. The General Activity rule (#1240) represents all activity with a resolvable geolocation, while the Blacklisted Region Activity rule (#1241) uses a blacklisted-region list to indicate when data is coming in from a region whose data protection policies or legislation needs to be taken into consideration. This early notification allows the organization to act on its policies, obtain consent, and ensure adherence to data protection requirements.
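The following is an added illustration of the two-rule GeoIP logic described above; it is not LogRhythm's code and does not reproduce the real AIE rule configuration. It assumes a hypothetical firewall log format with src=/dst= fields, a constructed CIDR-to-country table standing in for a GeoIP database (documentation ranges with made-up country assignments), and a hypothetical blacklisted-region list. Every event with an external geolocation counts as General Activity; the subset whose external side is on the blacklist is Blacklisted Region Activity.

```python
import ipaddress
import re

# Constructed GeoIP table (CIDR -> ISO country code). Documentation ranges
# with hypothetical country assignments, standing in for the GeoIP database
# a real AIE rule would query.
GEOIP_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "DE"),
    (ipaddress.ip_network("198.51.100.0/24"), "AE"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
]

# Internal address space is checked explicitly rather than via is_private,
# because Python also treats the documentation ranges above as "private".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Hypothetical blacklisted-region list: countries whose data-protection law
# the DPO wants flagged immediately (EU members under GDPR, for example).
BLACKLISTED_REGIONS = {"DE", "FR"}

# Hypothetical firewall log format; only the src=/dst= fields are used.
LOG_RE = re.compile(r"src=(?P<src>[0-9a-fA-F:.]+)\s+dst=(?P<dst>[0-9a-fA-F:.]+)")


def lookup_country(ip_str):
    """Return an ISO code, 'INTERNAL' for local address space, or 'UNKNOWN'."""
    ip = ipaddress.ip_address(ip_str)
    if any(ip in net for net in INTERNAL_NETS):
        return "INTERNAL"
    for net, cc in GEOIP_TABLE:
        if ip in net:
            return cc
    return "UNKNOWN"


def classify(line):
    """Parse one log line and return the GeoIP verdict, or None if it does not apply."""
    m = LOG_RE.search(line)
    if not m:
        return None
    src, dst = m.group("src"), m.group("dst")
    src_cc, dst_cc = lookup_country(src), lookup_country(dst)
    # Internal-to-internal traffic has no GeoIP context and never fires.
    if src_cc == "INTERNAL" and dst_cc == "INTERNAL":
        return None
    if src_cc == "INTERNAL":
        direction, remote_cc = "outbound", dst_cc
    elif dst_cc == "INTERNAL":
        direction, remote_cc = "inbound", src_cc
    else:
        direction, remote_cc = "transit", src_cc  # neither side is internal
    return {
        "src": src, "dst": dst, "direction": direction, "country": remote_cc,
        "blacklisted": remote_cc in BLACKLISTED_REGIONS,
    }


def evaluate(lines):
    """Run both rules over a batch; returns (general_activity, blacklisted_activity)."""
    general, blacklisted = [], []
    for line in lines:
        verdict = classify(line)
        if verdict is None:
            continue
        general.append(verdict)           # GeoIP General Activity (#1240)
        if verdict["blacklisted"]:
            blacklisted.append(verdict)   # GeoIP Blacklisted Region Activity (#1241)
    return general, blacklisted


# Constructed sample log lines, not real traffic.
SAMPLE_LOGS = [
    "2024-01-01T10:00:00Z ALLOW src=203.0.113.5 dst=10.0.0.20 dport=443",
    "2024-01-01T10:00:01Z ALLOW src=10.0.0.15 dst=192.0.2.10 dport=443",
    "2024-01-01T10:00:02Z ALLOW src=10.0.0.15 dst=10.0.0.20 dport=445",
    "2024-01-01T10:00:03Z ALLOW src=198.51.100.7 dst=10.0.0.20 dport=22",
    "2024-01-01T10:00:04Z collector heartbeat",
]

if __name__ == "__main__":
    general, blacklisted = evaluate(SAMPLE_LOGS)
    for v in blacklisted:
        print(f"ALARM blacklisted region {v['country']}: "
              f"{v['direction']} {v['src']} -> {v['dst']}")
    print(f"{len(general)} GeoIP events, {len(blacklisted)} from blacklisted regions")
```

On the constructed sample, the inbound connection from 203.0.113.5 resolves to DE and fires the blacklisted-region rule; the outbound US and inbound AE connections count only as general activity; the internal-only and unparsable lines are ignored. The practical point is the direction logic: the country that matters is always the non-internal side, whichever field it appears in.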

LogRhythm Silent Log Source Error Alarm

Because LogRhythm Enterprise may itself serve as a mitigating control, it is crucial to alarm on any in-scope log source that stops sending logs. A firing of this rule (#1209) may indicate a control failure that needs to be addressed. Together with other audit-failure alarms, it allows the organization to limit the duration of any control failure relating to logging and monitoring.
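The check described above, as an added example rather than LogRhythm's own rule logic: each in-scope source has a maximum tolerated silence, and the detector reports every source whose last event is older than that, including sources that have never been seen at all, which is the case a naive "last event too old" query misses. The source names, thresholds and events are constructed for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical in-scope log sources and the longest silence each may show
# before the alarm fires. In practice this list comes from the SIEM's
# log source inventory, not from code.
IN_SCOPE_SOURCES = {
    "fw-edge-01": timedelta(minutes=15),
    "dc-01": timedelta(minutes=30),
    "av-console": timedelta(hours=2),
}


def last_seen(events):
    """Latest timestamp observed per source name."""
    seen = {}
    for name, ts in events:
        if name not in seen or ts > seen[name]:
            seen[name] = ts
    return seen


def silent_sources(events, now, sources=IN_SCOPE_SOURCES):
    """Return {source: silence} for every in-scope source past its threshold.

    A value of None means the source produced no events at all in the
    evaluated window; such sources must alarm too, otherwise a device that
    never registered with the SIEM would be invisible to this check.
    Sources that are not in scope are ignored even when silent.
    """
    seen = last_seen(events)
    alarms = {}
    for name, max_silence in sources.items():
        ts = seen.get(name)
        if ts is None:
            alarms[name] = None
        elif now - ts > max_silence:
            alarms[name] = now - ts
    return alarms


# Constructed sample: (log source name, event time), evaluated at NOW.
NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    ("fw-edge-01", datetime(2024, 1, 1, 11, 40, tzinfo=timezone.utc)),
    ("fw-edge-01", datetime(2024, 1, 1, 11, 50, tzinfo=timezone.utc)),
    ("dc-01", datetime(2024, 1, 1, 11, 0, tzinfo=timezone.utc)),
    ("dev-box", datetime(2024, 1, 1, 8, 0, tzinfo=timezone.utc)),  # not in scope
]

if __name__ == "__main__":
    for name, silence in silent_sources(SAMPLE_EVENTS, NOW).items():
        detail = "no events at all" if silence is None else f"silent for {silence}"
        print(f"ALARM silent log source {name}: {detail}")
```

On the sample, fw-edge-01 reported 10 minutes ago and is healthy, dc-01 has been silent for an hour against a 30-minute threshold, av-console has never reported, and dev-box is silent but out of scope. Thresholds should reflect each source's normal event rate: a domain controller that is quiet for 30 minutes is a problem, an anti-malware console that only logs on detections is not.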
