
User and Entity Behavior Analytics – AI Engine Rules


The following table describes the log source types that should be collected to make effective use of each AIE rule in the UEBA Module.

| AIE Rule ID | AIE Rule Name | Log Sources (minimum) | Log Sources (recommended) |
|---|---|---|---|
| 1245 | Attainment: Abnormal File Access | LogRhythm Sysmon | Other File Integrity Monitoring |
| 1246 | Attainment: Corroborated Account Anomalies | AI Engine Events | AI Engine Events |
| 1247 | C2: Abnormal Origin Location | Active Directory or LDAP | Host Logs |
| 1248 | Compromise: Abnormal Process Activity | Host Logs | LogRhythm SysMon |
| 1249 | C2: Blacklist Location Auth | Active Directory or LDAP | Host Logs |
| 1250 | Compromise: Concurrent VPN from Multiple Locations | Authentication Log Sources | N/A |
| 1251 | Recon: Linux sudo Privilege Escalation | Linux Host Logs | Active Directory or LDAP |
| 1252 | Compromise: Windows RunAs Privilege Escalation | Windows Host Logs | Active Directory or LDAP |
| 1253 | Compromise: Auth After Numerous Failed Auths | Active Directory or LDAP | Host Logs |
| 1254 | Compromise: Auth After Security Event | Intrusion Detection System, Host Logs | Intrusion Detection System, LogRhythm SysMon |
| 1255 | Compromise: Distributed Brute Force | Active Directory or LDAP | Host Logs, Web Server Logs |
| 1256 | Compromise: External Brute Force Auths | Active Directory or LDAP | Host Logs, Web Server Logs, VPN |
| 1257 | Compromise: Lateral Movement With Account Sweep | Active Directory or LDAP | Host Logs |
| 1258 | Corruption: Audit Disabled by Admin | Host Logs | LogRhythm SysMon |
| 1259 | Disruption: Files Deleted by Admin | Host Logs | Active Directory or LDAP, LogRhythm SysMon |
| 1260 | Lateral: Abnormal Auth Behavior | Active Directory or LDAP | Host Logs |
| 1261 | Compromise: Account Added to Admin Group | Active Directory or LDAP | Host Logs |
| 1262 | Lateral: Admin Password Modified | Active Directory or LDAP | Host Logs |
| 1263 | Lateral: Auth After Dispersed Failed Auths | Active Directory or LDAP | Host Logs |
| 1264 | Lateral: Brute Force Internal Auth Failure | Active Directory or LDAP | Host Logs |
| 1265 | Lateral: External Attack then Account Creation | Active Directory or LDAP | Host Logs |
| 1266 | Lateral: Failed Auths then Success | Active Directory or LDAP | Host Logs |
| 1267 | Lateral: Internal Attack then Account Creation | Intrusion Detection System and Active Directory or LDAP | Intrusion Detection System and Host Logs |
| 1268 | Lateral: Internal Recon then Account Creation | Intrusion Detection System and Active Directory or LDAP | Intrusion Detection System and Host Logs |
| 1269 | Lateral: Multiple Account Passwords Modified by Admin | Active Directory or LDAP | Host Logs |
| 1270 | Lateral: Numerous and Dispersed Internal Failed Auths | Active Directory or LDAP | Host Logs |
| 1271 | Lateral: Numerous Internal Failed Auths | Active Directory or LDAP | Host Logs |
| 1272 | Lateral: Password Modified by Admin | Active Directory or LDAP | Host Logs |
| 1273 | Lateral: Privilege Escalation after Attack | Intrusion Detection System, Host Logs | Intrusion Detection System, LogRhythm SysMon |
| 1278 | Compromise: UEBA Multiple User Threat Events | LogRhythm UEBA Events | N/A |
| 1279 | Recon: Disabled Account Auth Failures | Active Directory or LDAP | Host Logs |
| 1281 | Recon: Failed Distributed Account Probe | Active Directory or LDAP | Host Logs |
| 1282 | Recon: Failed Distributed Brute Force | Active Directory or LDAP | Host Logs |
| 1283 | Recon: Multiple Lockouts | Active Directory or LDAP | Host Logs |
| 1284 | Progression: to Initial Compromise | AI Engine Events | N/A |
| 1285 | Progression: to Command and Control | AI Engine Events | N/A |
| 1286 | Progression: to Lateral Movement | AI Engine Events | N/A |
| 1287 | Progression: to Target Attainment | AI Engine Events | N/A |
| 1288 | Progression: to Exfil, Corruption, Disruption | AI Engine Events | N/A |
| 1289 | Progression: to Initial Compromise | AI Engine Events | N/A |
| 1290 | Progression: to Command and Control | AI Engine Events | N/A |
| 1291 | Progression: to Lateral Movement | AI Engine Events | N/A |
| 1292 | Progression: to Target Attainment | AI Engine Events | N/A |
| 1293 | Progression: to Exfil, Corruption, Disruption | AI Engine Events | N/A |
| 1294 | Progression: to Initial Compromise | AI Engine Events | N/A |
| 1295 | Progression: to Command and Control | AI Engine Events | N/A |
| 1296 | Progression: to Lateral Movement | AI Engine Events | N/A |
| 1297 | Progression: to Target Attainment | AI Engine Events | N/A |
| 1298 | Progression: to Exfil, Corruption, Disruption | AI Engine Events | N/A |
| 1299 | Compromise: Log Cleared | Host Security Logs/AV/IDS/IPS | NextGen Firewall |
| 1300 | Compromise: Security Event then Process Starting | Host Security Logs/AV/IDS/IPS | NextGen Firewall |
| 1301 | Compromise: System Time Change | Host Security Logs/IDS/IPS | NextGen Firewall |
| 1302 | Compromise: Unusual Auth then Unusual Process | Host Security Logs/AD/LDAP | LogRhythm Sysmon |
| 1303 | Compromise: Security Event then Scheduled Task | Host Security Logs/AV/IDS/IPS | SysMon/CarbonBlack |
| 1304 | Lateral: Locally Created and Used | Host Security Logs | Single Sign On Logs |
| 1305 | Compromise: Change to Host File | LogRhythm Sysmon: File Monitor | N/A |
| 1306 | Disruption: Critical Windows Binaries Modified/Deleted | LogRhythm Sysmon: File Monitor | N/A |
| 1307 | Compromise: UEBA and Recent User Location | LogRhythm UEBA Events | UEBA and VPN Logs |
| 1308 | Compromise: UEBA and Location Watch List | LogRhythm UEBA Events | UEBA and VPN Logs |
| 1309 | Compromise: UEBA and User Recently Added to a Privileged Group | LogRhythm UEBA Events/Active Directory or LDAP | UEBA and Host Logs |
| 1310 | Compromise: UEBA and User-related Security Classification Event | LogRhythm UEBA Events/Any Log Source | UEBA and Host Logs |
| 1312 | Compromise: UEBA Threat Event | LogRhythm UEBA Events/Active Directory or LDAP | UEBA and Host Logs |
| 1336 | Compromise: UEBA Threat Event and Identity Lists | LogRhythm UEBA Events/Active Directory or LDAP | UEBA and Host Logs |
| 1490 | Exfiltration: UEBA and File (NGFW) Detection | UEBA/NGFW | UEBA and Palo Alto Firewall |
| 1491 | Exfiltration: UEBA and Sensitive Data (NGFW) Detection | UEBA/NGFW | UEBA and Palo Alto Firewall |
| 1549 | Compromise: UEBA and User-related Security Classification Event: Impacted User | UEBA/Any Log Source | UEBA and Host Logs |
| 1560 | Compromise: UEBA Multiple O365 Files Del:1st | UEBA/API - Office 365 Management Activity | UEBA and API - Office 365 Management Activity |
| 1561 | Compromise: UEBA Multiple O365 Files Del:2nd | UEBA/API - Office 365 Management Activity | UEBA and API - Office 365 Management Activity |
| 1562 | Compromise: UEBA Multiple O365 Downloads | UEBA/API - Office 365 Management Activity | UEBA and API - Office 365 Management Activity |
| 1563 | Compromise: UEBA New Host & User Pass Change | UEBA/Authentication | UEBA and Microsoft Security |
| 1564 | Compromise: UEBA User Score & Pass Modified | UEBA/Authentication | UEBA and Microsoft Security |