LogRhythm Echo Use Cases and Their AIE Rules, Lists, and SmartResponses
Required Out-of-the-Box AIE Rules
- CSC: Temporary Account Used
- CSC: Password Modified by Another User
- CSC: Accounts Disabled by Admin
- Lateral: Account Added to Admin Group
- Lateral: Multiple Account Passwords Modified by Admin
AIE Rule Use Cases
The following table lists, for each use case, the AIE rule that implements it and the file to import (or "OOTB" where the rule ships out of the box).
| ID | Use Case | AIE Rule | Import File |
|---|---|---|---|
| 1 | UEBA Finance Data * | Finance Account Anomaly: Privilege Escalation v2; Finance Account Anomaly: Suspicious File Access v2; Finance Account Anomaly: Temporary Account Usage v2; Finance Account Compromise: Corroborated Anomalies v2 | UC1a_AIERule.airx; UC1b_AIERule.airx; UC1c_AIERule.airx; UC1d_AIERule.airx |
| 8 | Sensitive Data Exfiltration * | Suspicious: Sensitive Data Exfiltration v2 | UC8_AIERule.airx |
| 14 | SSH on Non-Standard Port | Inbound SSH on Non-standard Port | UC14_AIERule.airx |
| 17 | Carbon Black – Unknown Binary | Suspicious Process - Carbon Black - Unknown Binary Running | UC17_AIERule.airx |
| 18 | Concurrent VPN Account Usage | Concurrent VPN from Multiple Locations | UC18_AIERule.airx |
| 19 | Temporary Account Used | CSC: Temporary Account Used | OOTB |
| 23 | NetMon/LogRhythm DPA – Detect Credit Card | DPA rule and AIE rule together | UC23_AIERule.airx |
| 25 | Account Anomaly – Password Modified by Another User | CSC: Password Modified by Another User | OOTB |
| 26 | Admin Changing Multiple Account Passwords | Lateral: Multiple Account Passwords Modified by Admin | OOTB |
| 27 | Account Anomaly - Admin Disabling Multiple Accounts | CSC: Accounts Disabled by Admin | OOTB |
| 28 | Account Anomaly - Account Added to Administrator Group | Lateral: Account Added to Admin Group | OOTB |
| 29 | Single Password Changed by Admin | Password Modified by Admin | UC29_AIERule.airx |
| 34 | Carbon Black – End User PowerShell Network Activity | Carbon Black - End User PowerShell Network Activity | UC34_AIERule.airx |
| 34 | Carbon Black – End User PowerShell Network Activity | [SmartResponse] Endpoint Lockdown, used by AIE rule “Carbon Black - End User PowerShell Network Activity” | UC34_SRPlugin.lpi |
| 35 | Ops - Printer Misuse: Excessive Pages Printed | Excessive Pages Printed | UC35_AIERule.airx |
| 39 | Unauthorized Sudo Attempt | CSC: Linux sudo Failure | UC39_AIERule.airx |
| 43 | VPN While Logged in Locally Admin | Concurrent VPN from Multiple Locations | UC43_AIERule.airx |
| 46 | Cylance - Malware Outbreak | Cylance - Malware Detected | UC46_AIERule.airx |