Required Out-of-the-Box AIE Rules
- CSC: Temporary Account Used
- CSC: Password Modified by Another User
- CSC: Accounts Disabled by Admin
- Lateral: Account Added to Admin Group
- Lateral: Multiple Account Passwords Modified by Admin
AIE Rule Use Cases
The following table has additional information about which AIE rules go with which use cases.
| [ID] Use Case | AIE Rule | Import File |
|---|---|---|
| [1] UEBA Finance Data * | Finance Account Anomaly: Privilege Escalation v2; Finance Account Anomaly: Suspicious File Access v2; Finance Account Anomaly: Temporary Account Usage v2; Finance Account Compromise: Corroborated Anomalies v2 | UC1a_AIERule.airx; UC1b_AIERule.airx; UC1c_AIERule.airx; UC1d_AIERule.airx |
| [8] Sensitive Data Exfiltration * | Suspicious: Sensitive Data Exfiltration v2 | UC8_AIERule.airx |
| [14] SSH on Non-Standard Port | Inbound SSH on Non-standard Port | UC14_AIERule.airx |
| [17] Carbon Black – Unknown Binary | Suspicious Process - Carbon Black - Unknown Binary Running | UC17_AIERule.airx |
| [18] Concurrent VPN Account Usage | Concurrent VPN from Multiple Locations | UC18_AIERule.airx |
| [19] Temporary Account Used | CSC: Temporary Account Used | OOTB |
| [23] NetMon/LogRhythm DPA – Detect Credit Card | DPA rule and AIE rule together | UC23_AIERule.airx |
| [25] Account Anomaly – Password Modified by Another User | CSC: Password Modified by Another User | OOTB |
| [26] Admin Changing Multiple Account Passwords | Lateral: Multiple Account Passwords Modified by Admin | OOTB |
| [27] Account Anomaly - Admin Disabling Multiple Accounts | CSC: Accounts Disabled by Admin | OOTB |
| [28] Account Anomaly - Account Added to Administrator Group | Lateral: Account Added to Admin Group | OOTB |
| [29] Single Password Changed by Admin | Password Modified by Admin | UC29_AIERule.airx |
| [34] Carbon Black – End User PowerShell Network Activity | Carbon Black - End User PowerShell Network Activity | UC34_AIERule.airx |
| [34] Carbon Black – End User PowerShell Network Activity | [SmartResponse] Endpoint Lockdown Used by AIE Rule “Carbon Black - End User PowerShell Network Activity” | UC34_SRPlugin.lpi |
| [35] Ops - Printer Misuse: Excessive Pages Printed | Excessive Pages Printed | UC35_AIERule.airx |
| [39] Unauthorized Sudo Attempt | CSC: Linux sudo Failure | UC39_AIERule.airx |
| [43] VPN While Logged in Locally Admin | Concurrent VPN from Multiple Locations | UC43_AIERule.airx |
| [46] Cylance - Malware Outbreak | Cylance - Malware Detected | UC46_AIERule.airx |
LogRhythm versions prior to 7.3.1 do not import AIE Rules with nested lists. Importing AIE Rules for Use Cases with an asterisk requires LogRhythm version 7.3.1 or later.