The following table lists the log source types that should be collected for each AIE rule in the UEBA Module to work effectively, giving both the minimum set and the recommended set of sources per rule.
| AIE Rule ID | AIE Rule Name | Log Sources (minimum) | Log Sources (recommended) |
|---|---|---|---|
| 1245 | Attainment: Abnormal File Access | LogRhythm Sysmon | Other File Integrity Monitoring |
| 1246 | Attainment: Corroborated Account Anomalies | AI Engine Events | AI Engine Events |
| 1247 | C2: Abnormal Origin Location | Active Directory or LDAP | Host Logs |
| 1248 | Compromise: Abnormal Process Activity | Host Logs | LogRhythm SysMon |
| 1249 | C2: Blacklist Location Auth | Active Directory or LDAP | Host Logs |
| 1250 | Compromise: Concurrent VPN from Multiple Locations | Authentication Log Sources | N/A |
| 1251 | Recon: Linux sudo Privilege Escalation | Linux Host Logs | Active Directory or LDAP |
| 1252 | Compromise: Windows RunAs Privilege Escalation | Windows Host Logs | Active Directory or LDAP |
| 1253 | Compromise: Auth After Numerous Failed Auths | Active Directory or LDAP | Host Logs |
| 1254 | Compromise: Auth After Security Event | Intrusion Detection System Host Logs | Intrusion Detection System LogRhythm SysMon |
| 1255 | Compromise: Distributed Brute Force | Active Directory or LDAP | Host Logs, Web Server Logs |
| 1256 | Compromise: External Brute Force Auths | Active Directory or LDAP | Host Logs, Web Server Logs, VPN |
| 1257 | Compromise: Lateral Movement With Account Sweep | Active Directory or LDAP | Host Logs |
| 1258 | Corruption: Audit Disabled by Admin | Host Logs | LogRhythm SysMon |
| 1259 | Disruption: Files Deleted by Admin | Host Logs | Active Directory or LDAP, LogRhythm SysMon |
| 1260 | Lateral: Abnormal Auth Behavior | Active Directory or LDAP | Host Logs |
| 1261 | Compromise: Account Added to Admin Group | Active Directory or LDAP | Host Logs |
| 1262 | Lateral: Admin Password Modified | Active Directory or LDAP | Host Logs |
| 1263 | Lateral: Auth After Dispersed Failed Auths | Active Directory or LDAP | Host Logs |
| 1264 | Lateral: Brute Force Internal Auth Failure | Active Directory or LDAP | Host Logs |
| 1265 | Lateral: External Attack then Account Creation | Active Directory or LDAP | Host Logs |
| 1266 | Lateral: Failed Auths then Success | Active Directory or LDAP | Host Logs |
| 1267 | Lateral: Internal Attack then Account Creation | Intrusion Detection System and Active Directory or LDAP | Intrusion Detection System and Host Logs |
| 1268 | Lateral: Internal Recon then Account Creation | Intrusion Detection System and Active Directory or LDAP | Intrusion Detection System and Host Logs |
| 1269 | Lateral: Multiple Account Passwords Modified by Admin | Active Directory or LDAP | Host Logs |
| 1270 | Lateral: Numerous and Dispersed Internal Failed Auths | Active Directory or LDAP | Host Logs |
| 1271 | Lateral: Numerous Internal Failed Auths | Active Directory or LDAP | Host Logs |
| 1272 | Lateral: Password Modified by Admin | Active Directory or LDAP | Host Logs |
| 1273 | Lateral: Privilege Escalation after Attack | Intrusion Detection System Host Logs | Intrusion Detection System, LogRhythm SysMon |
| 1278 | Compromise: UEBA Multiple User Threat Events | LogRhythm UEBA Events | N/A |
| 1279 | Recon: Disabled Account Auth Failures | Active Directory or LDAP | Host Logs |
| 1281 | Recon: Failed Distributed Account Probe | Active Directory or LDAP | Host Logs |
| 1282 | Recon: Failed Distributed Brute Force | Active Directory or LDAP | Host Logs |
| 1283 | Recon: Multiple Lockouts | Active Directory or LDAP | Host Logs |
| 1284 | Progression: to Initial Compromise | AI Engine Events | N/A |
| 1285 | Progression: to Command and Control | AI Engine Events | N/A |
| 1286 | Progression: to Lateral Movement | AI Engine Events | N/A |
| 1287 | Progression: to Target Attainment | AI Engine Events | N/A |
| 1288 | Progression: to Exfil, Corruption, Disruption | AI Engine Events | N/A |
| 1289 | Progression: to Initial Compromise | AI Engine Events | N/A |
| 1290 | Progression: to Command and Control | AI Engine Events | N/A |
| 1291 | Progression: to Lateral Movement | AI Engine Events | N/A |
| 1292 | Progression: to Target Attainment | AI Engine Events | N/A |
| 1293 | Progression: to Exfil, Corruption, Disruption | AI Engine Events | N/A |
| 1294 | Progression: to Initial Compromise | AI Engine Events | N/A |
| 1295 | Progression: to Command and Control | AI Engine Events | N/A |
| 1296 | Progression: to Lateral Movement | AI Engine Events | N/A |
| 1297 | Progression: to Target Attainment | AI Engine Events | N/A |
| 1298 | Progression: to Exfil, Corruption, Disruption | AI Engine Events | N/A |
| 1299 | Compromise: Log Cleared | Host Security Logs/AV/IDS/IPS | NextGen Firewall |
| 1300 | Compromise: Security Event then Process Starting | Host Security Logs/AV/IDS/IPS | NextGen Firewall |
| 1301 | Compromise: System Time Change | Host Security Logs/IDS/IPS | NextGen Firewall |
| 1302 | Compromise: Unusual Auth then Unusual Process | Host Security Logs/AD/LDAP | LogRhythm Sysmon |
| 1303 | Compromise: Security Event then Scheduled Task | Host Security Logs/AV/IDS/IPS | SysMon/CarbonBlack |
| 1304 | Lateral: Locally Created and Used | Host Security Logs | Single Sign On Logs |
| 1305 | Compromise: Change to Host File | LogRhythm Sysmon: File Monitor | N/A |
| 1306 | Disruption: Critical Windows Binaries Modified/Deleted | LogRhythm Sysmon: File Monitor | N/A |
| 1307 | Compromise: UEBA and Recent User Location | LogRhythm UEBA Events | UEBA and VPN Logs |
| 1308 | Compromise: UEBA and Location Watch List | LogRhythm UEBA Events | UEBA and VPN Logs |
| 1309 | Compromise: UEBA and User Recently Added to a Privileged Group | LogRhythm UEBA Events/Active Directory or LDAP | UEBA and Host Logs |
| 1310 | Compromise: UEBA and User-related Security Classification Event | LogRhythm UEBA Events/Any Log Source | UEBA and Host Logs |
| 1312 | Compromise: UEBA Threat Event | LogRhythm UEBA Events/Active Directory or LDAP | UEBA and Host Logs |
| 1336 | Compromise: UEBA Threat Event and Identity Lists | LogRhythm UEBA Events/Active Directory or LDAP | UEBA and Host Logs |
| 1490 | Exfiltration: UEBA and File (NGFW) Detection | UEBA/NGFW | UEBA and Palo Alto Firewall |
| 1491 | Exfiltration: UEBA and Sensitive Data (NGFW) Detection | UEBA/NGFW | UEBA and Palo Alto Firewall |
| 1549 | Compromise: UEBA and User-related Security Classification Event: Impacted User | UEBA/Any Log Source | UEBA and Host Logs |
| 1560 | Compromise: UEBA Multiple O365 Files Del:1st | UEBA/API - Office 365 Management Activity | UEBA and API - Office 365 Management Activity |
| 1561 | Compromise: UEBA Multiple O365 Files Del:2nd | UEBA/API - Office 365 Management Activity | UEBA and API - Office 365 Management Activity |
| 1562 | Compromise: UEBA Multiple O365 Downloads | UEBA/API - Office 365 Management Activity | UEBA and API - Office 365 Management Activity |
| 1563 | Compromise: UEBA New Host & User Pass Change | UEBA/Authentication | UEBA and Microsoft Security |
| 1564 | Compromise: UEBA User Score & Pass Modified | UEBA/Authentication | UEBA and Microsoft Security |
| 1598 | LogRhythm Intelligence and File (NGFW) Detection | Syslog - Open Collector - Exabeam Cases and Palo Alto Firewall | Syslog - Open Collector - Exabeam Cases and Palo Alto Firewall |
| 1599 | LogRhythm Intelligence and Location Watch List | Syslog - Open Collector - Exabeam Cases and Authentication Log Sources | Syslog - Open Collector - Exabeam Cases and Authentication Log Sources |
| 1600 | LogRhythm Intelligence and Recent User Location | Syslog - Open Collector - Exabeam Cases and Authentication Log Sources | Syslog - Open Collector - Exabeam Cases and Authentication Log Sources |
| 1601 | LogRhythm Intelligence and Sensitive Data (NGFW) Detection | Syslog - Open Collector - Exabeam Cases and NextGen Firewall | Syslog - Open Collector - Exabeam Cases and NextGen Firewall |
| 1602 | LogRhythm Intelligence and User Recently Added to a Privileged Group | Syslog - Open Collector - Exabeam Cases and Active Directory or LDAP | Syslog - Open Collector - Exabeam Cases and Host Logs |
| 1603 | LogRhythm Intelligence and User related Security Classification Event: Impacted User | Syslog - Open Collector - Exabeam Cases and Any Log Source | Syslog - Open Collector - Exabeam Cases and Host Logs |
| 1604 | LogRhythm Intelligence and User related Security Classification Event: Origin User | Syslog - Open Collector - Exabeam Cases and Any Log Source | Syslog - Open Collector - Exabeam Cases and Host Logs |
| 1605 | LogRhythm Intelligence Multiple O365 Downloads | Syslog - Open Collector - Exabeam Cases and API - Office 365 Management Activity | Syslog - Open Collector - Exabeam Cases and API - Office 365 Management Activity |
| 1606 | LogRhythm Intelligence Multiple O365 Files Del:1st | Syslog - Open Collector - Exabeam Cases and API - Office 365 Management Activity | Syslog - Open Collector - Exabeam Cases and API - Office 365 Management Activity |
| 1607 | LogRhythm Intelligence Multiple O365 Files Del:2nd | Syslog - Open Collector - Exabeam Cases and API - Office 365 Management Activity | Syslog - Open Collector - Exabeam Cases and API - Office 365 Management Activity |
| 1608 | LogRhythm Intelligence New Host & User Pass Change | Syslog - Open Collector - Exabeam Cases and Authentication Log Sources | Syslog - Open Collector - Exabeam Cases and Microsoft Security |
| 1609 | LogRhythm Intelligence Threat Event | Syslog - Open Collector - Exabeam Cases and Active Directory or LDAP | Syslog - Open Collector - Exabeam Cases and Host Logs |
| 1610 | LogRhythm Intelligence Threat Event and Identity Lists | Syslog - Open Collector - Exabeam Cases and Active Directory or LDAP | Syslog - Open Collector - Exabeam Cases and Host Logs |
| 1611 | LogRhythm Intelligence User Score & Pass Modified | Syslog - Open Collector - Exabeam Cases and Authentication Log Sources | Syslog - Open Collector - Exabeam Cases and Microsoft Security |
| 1612 | LogRhythm Intelligence Multiple User Threat Events | Syslog - Open Collector - Exabeam Cases | Syslog - Open Collector - Exabeam Cases |