User and Entity Behavior Analytics – AI Engine Rules
The following table describes the log source types that should be collected to make effective use of each AIE rule in the UEBA Module.
AIE Rule ID | AIE Rule Name | Log Sources (minimum) | Log Sources (recommended) |
|---|---|---|---|
1245 | Attainment: Abnormal File Access | LogRhythm Sysmon | Other File Integrity Monitoring |
1246 | Attainment: Corroborated Account Anomalies | AI Engine Events | AI Engine Events |
1247 | C2: Abnormal Origin Location | Active Directory or LDAP | Host Logs |
1248 | Compromise: Abnormal Process Activity | Host Logs | LogRhythm SysMon |
1249 | C2: Blacklist Location Auth | Active Directory or LDAP | Host Logs |
1250 | Compromise: Concurrent VPN from Multiple Locations | Authentication Log Sources | N/A |
1251 | Recon: Linux sudo Privilege Escalation | Linux Host Logs | Active Directory or LDAP |
1252 | Compromise: Windows RunAs Privilege Escalation | Windows Host Logs | Active Directory or LDAP |
1253 | Compromise: Auth After Numerous Failed Auths | Active Directory or LDAP | Host Logs |
1254 | Compromise: Auth After Security Event | Intrusion Detection System Host Logs | Intrusion Detection System LogRhythm SysMon |
1255 | Compromise: Distributed Brute Force | Active Directory or LDAP | Host Logs, Web Server Logs |
1256 | Compromise: External Brute Force Auths | Active Directory or LDAP | Host Logs, Web Server Logs, VPN |
1257 | Compromise: Lateral Movement With Account Sweep | Active Directory or LDAP | Host Logs |
1258 | Corruption: Audit Disabled by Admin | Host Logs | LogRhythm SysMon |
1259 | Disruption: Files Deleted by Admin | Host Logs | Active Directory or LDAP, LogRhythm SysMon |
1260 | Lateral: Abnormal Auth Behavior | Active Directory or LDAP | Host Logs |
1261 | Compromise: Account Added to Admin Group | Active Directory or LDAP | Host Logs |
1262 | Lateral: Admin Password Modified | Active Directory or LDAP | Host Logs |
1263 | Lateral: Auth After Dispersed Failed Auths | Active Directory or LDAP | Host Logs |
1264 | Lateral: Brute Force Internal Auth Failure | Active Directory or LDAP | Host Logs |
1265 | Lateral: External Attack then Account Creation | Active Directory or LDAP | Host Logs |
1266 | Lateral: Failed Auths then Success | Active Directory or LDAP | Host Logs |
1267 | Lateral: Internal Attack then Account Creation | Intrusion Detection System and Active Directory or LDAP | Intrusion Detection System and Host Logs |
1268 | Lateral: Internal Recon then Account Creation | Intrusion Detection System and Active Directory or LDAP | Intrusion Detection System and Host Logs |
1269 | Lateral: Multiple Account Passwords Modified by Admin | Active Directory or LDAP | Host Logs |
1270 | Lateral: Numerous and Dispersed Internal Failed Auths | Active Directory or LDAP | Host Logs |
1271 | Lateral: Numerous Internal Failed Auths | Active Directory or LDAP | Host Logs |
1272 | Lateral: Password Modified by Admin | Active Directory or LDAP | Host Logs |
1273 | Lateral: Privilege Escalation after Attack | Intrusion Detection System Host Logs | Intrusion Detection System, LogRhythm SysMon |
1278 | Compromise: UEBA Multiple User Threat Events | LogRhythm UEBA Events | N/A |
1279 | Recon: Disabled Account Auth Failures | Active Directory or LDAP | Host Logs |
1281 | Recon: Failed Distributed Account Probe | Active Directory or LDAP | Host Logs |
1282 | Recon: Failed Distributed Brute Force | Active Directory or LDAP | Host Logs |
1283 | Recon: Multiple Lockouts | Active Directory or LDAP | Host Logs |
1284 | Progression: to Initial Compromise | AI Engine Events | N/A |
1285 | Progression: to Command and Control | AI Engine Events | N/A |
1286 | Progression: to Lateral Movement | AI Engine Events | N/A |
1287 | Progression: to Target Attainment | AI Engine Events | N/A |
1288 | Progression: to Exfil, Corruption, Disruption | AI Engine Events | N/A |
1289 | Progression: to Initial Compromise | AI Engine Events | N/A |
1290 | Progression: to Command and Control | AI Engine Events | N/A |
1291 | Progression: to Lateral Movement | AI Engine Events | N/A |
1292 | Progression: to Target Attainment | AI Engine Events | N/A |
1293 | Progression: to Exfil, Corruption, Disruption | AI Engine Events | N/A |
1294 | Progression: to Initial Compromise | AI Engine Events | N/A |
1295 | Progression: to Command and Control | AI Engine Events | N/A |
1296 | Progression: to Lateral Movement | AI Engine Events | N/A |
1297 | Progression: to Target Attainment | AI Engine Events | N/A |
1298 | Progression: to Exfil, Corruption, Disruption | AI Engine Events | N/A |
1299 | Compromise: Log Cleared | Host Security Logs/AV/IDS/IPS | NextGen Firewall |
1300 | Compromise: Security Event then Process Starting | Host Security Logs/AV/IDS/IPS | NextGen Firewall |
1301 | Compromise: System Time Change | Host Security Logs/IDS/IPS | NextGen Firewall |
1302 | Compromise: Unusual Auth then Unusual Process | Host Security Logs/AD/LDAP | LogRhythm Sysmon |
1303 | Compromise: Security Event then Scheduled Task | Host Security Logs/AV/IDS/IPS | SysMon/CarbonBlack |
1304 | Lateral: Locally Created and Used | Host Security Logs | Single Sign On Logs |
1305 | Compromise: Change to Host File | LogRhythm Sysmon: File Monitor | N/A |
1306 | Disruption: Critical Windows Binaries Modified/Deleted | LogRhythm Sysmon: File Monitor | N/A |
1307 | Compromise: UEBA and Recent User Location | LogRhythm UEBA Events | UEBA and VPN Logs |
1308 | Compromise: UEBA and Location Watch List | LogRhythm UEBA Events | UEBA and VPN Logs |
1309 | Compromise: UEBA and User Recently Added to a Privileged Group | LogRhythm UEBA Events/Active Directory or LDAP | UEBA and Host Logs |
1310 | Compromise: UEBA and User-related Security Classification Event | LogRhythm UEBA Events/Any Log Source | UEBA and Host Logs |
1312 | Compromise: UEBA Threat Event | LogRhythm UEBA Events/Active Directory or LDAP | UEBA and Host Logs |
1336 | Compromise: UEBA Threat Event and Identity Lists | LogRhythm UEBA Events/Active Directory or LDAP | UEBA and Host Logs |
1490 | Exfiltration: UEBA and File (NGFW) Detection | UEBA/NGFW | UEBA and Palo Alto Firewall |
1491 | Exfiltration: UEBA and Sensitive Data (NGFW) Detection | UEBA/NGFW | UEBA and Palo Alto Firewall |
| 1549 | Compromise: UEBA and User-related Security Classification Event: Impacted User | UEBA/Any Log Source | UEBA and Host Logs |
| 1560 | Compromise: UEBA Multiple O365 Files Del:1st | UEBA/API - Office 365 Management Activity | UEBA and API - Office 365 Management Activity |
| 1561 | Compromise: UEBA Multiple O365 Files Del:2nd | UEBA/API - Office 365 Management Activity | UEBA and API - Office 365 Management Activity |
| 1562 | Compromise: UEBA Multiple O365 Downloads | UEBA/API - Office 365 Management Activity | UEBA and API - Office 365 Management Activity |
| 1563 | Compromise: UEBA New Host & User Pass Change | UEBA/Authentication | UEBA and Microsoft Security |
| 1564 | Compromise: UEBA User Score & Pass Modified | UEBA/Authentication | UEBA and Microsoft Security |