Create New AI Engine Rules
- On the main toolbar, click Deployment Manager.
- Click the AI Engine tab.
- On the bottom of the grid, click the Rules tab.
- On the Rules tab toolbar, click the plus icon.
- In the Rule Block Types pane, select one of the twelve possible types of rule block and drag it to the Rule Block Designer. The rule block types and their descriptions are:
  - LOG
    - Observed. A log message that met the user-defined parameters was observed. It can be in any position in the rule.
    - Not Observed Compound. No log message that met the user-defined parameters was observed after a preceding rule block was satisfied. It must follow another rule block and be the last block in the rule.
    - Not Observed Scheduled. No log message that met the user-defined parameters was observed when expected based on a defined schedule. It must be the only block in the rule. This type of Log Rule Block cannot be enabled with Entity Segregation.
  - THRESHOLD
    - Observed. The defined threshold was reached across one or more log messages that met user-defined parameters. A threshold is quantitative, such as number of bytes out. It can be in any position in the rule.
    - Not Observed Compound. The defined threshold was not reached across one or more log messages after a preceding rule block was satisfied. It must follow another rule block and be the last block in the rule.
    - Not Observed Scheduled. The defined threshold was not reached across one or more log messages based on a defined schedule. It must be the only block in the rule. This type of Threshold Rule Block cannot be enabled with Entity Segregation.
  - UNIQUE VALUES
    - Observed. Unique values were observed for a specified metadata field across two or more log messages having specific characteristics. Examples of unique values: 10 unique logins or 10 unique hosts. It can be in any position in the rule.
    - Not Observed Compound. Unique values were not observed for a specified metadata field across two or more log messages after a preceding rule block was satisfied. Examples of unique values: 10 unique logins or 10 unique hosts. It must follow another rule block and be the last block in the rule.
    - Not Observed Scheduled. Unique values were not observed for a specified metadata field across two or more log messages based on a defined schedule. Examples of unique values: 10 unique logins or 10 unique hosts. It must be the only block in the rule. This type of Unique Values Rule Block cannot be enabled with Entity Segregation.
  - BEHAVIORAL
    - Whitelist. Similar to a Log Observed block, except that it only triggers when the selected Grouped By values of the log are not found in the associated whitelist of the Whitelist Profile block to which it is linked. (The linked Whitelist Profile block is created automatically and cannot be separately deleted or created.) In this case, a log is observed whose metadata field value is not in the associated whitelist. A Whitelist Rule Block enables users to record almost any behavior from a source integrated with the LogRhythm Data Filters. By comparing current logs to historical behavior, a whitelist can be used to send an alert when the behavior of a user or a system changes.
      - Use case: whitelisting processes on production servers. In this scenario, the user creates a rule that records all processes observed on production servers. The rule runs for a set amount of time called a learning period. After the learning period, any process observed that is not on the whitelist triggers an alarm. The event triggering the alarm could be a compromised web server launching a malicious process to give attackers shell access.
    - Statistical. During runtime of the AI Engine, a particular set of statistics is collected. Each statistic is collected within the AIE Runtime object that observed it. At a regular interval, a routine runs to collect the data from the various runtime engine components and send the information to the database for persistence.
      - Use case: look for an abnormal number of authentication failures. Statistical rules compare live data to live data. If I know that successful logins outnumber unsuccessful logins by a 10 to 1 ratio, I can create a statistical rule that looks for the ratio of successes to failures to drop below 10 to 1. For example, if the number of unsuccessful logins increases so that the ratio becomes 12 to 2, an alarm is triggered. Multiple expressions can be written into the rule to reflect a range; for example, there must be between 5 and 10 times as many successful logins as unsuccessful ones. Floors can also be implemented, such as requiring that the ratio be greater than 10 to 1 and that there be at least 100 successful logins, so that a very low log rate does not cause false positives. This also lets you compare static data fields within the same window: if your environment does not allow people to modify their own accounts, you can compare the origin user to the impacted user in an account modification log to make sure they are different.
    - Trend. The AIE Trending Rule Block provides automatic baselining of log and flow data, against which various trends can be established. These trends can then be evaluated against current log and flow data to determine whether a deviation has occurred. Deviations in a trend might indicate a security, compliance, or operations issue. In this case, a set of criteria is met when comparing current log messages with recent log messages. The Trend Rule Block compares prerecorded data to live data in an attempt to identify anomalies in behavior. Unlike other rule blocks, the Trend Rule Block is able to add data to the baseline over time to accommodate changes in behavior. Comparing a baseline that can change over time to live data enables the Trend Rule Block to look for anomalies in behavior while accommodating normal changes in the organization.
      - Use case: look for increased traffic on the network. You can build a baseline over a week measuring the amount of traffic your network receives through its ports. If the traffic increases by a predetermined percentage, an alarm is triggered. This is also how rogue host detection is implemented: the MAC addresses seen on the network are recorded over a 30 day period, and when a MAC address is observed that does not exist in the baseline, a new host is on the network and an alarm is triggered.
  The AI Engine Rule Block Wizard appears. The number of tabs may differ based on the type of Rule Block selected.
- Complete the appropriate information on each tab and click Next. For information on the options on all the tabs of the wizard, see Use the Filter Editor.
- Click OK when complete. 
- (Optional) Add another rule block. 
 The AI Engine Rule Block Wizard appears.
- Complete the appropriate information on all the tabs and click OK. 
 If this is the second or third rule block in this rule, the AI Engine Rule Block <Rule Block Number> Relationship window appears to allow you to define the connection between rule blocks.
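As an added illustration that is not part of the original documentation and not LogRhythm's own implementation, the following Python script models the semantics of three of the rule block types described above (Unique Values Observed over a sliding window, Behavioral Whitelist with a learning period, and Behavioral Statistical with a ratio and a floor) against a handful of constructed log events. The event fields, function names, window sizes and all sample values are assumptions made for this example; the AI Engine's actual evaluation logic is not shown on this page.

```python
"""Toy evaluator for AI Engine-style rule block semantics.

Constructed example, not LogRhythm code: it models UNIQUE VALUES (Observed),
BEHAVIORAL Whitelist (learning period, then alarm on unseen values) and
BEHAVIORAL Statistical (ratio with a floor) over constructed log events.
"""
from dataclasses import dataclass


@dataclass
class Event:
    """One normalized log event (constructed field names, not LogRhythm metadata)."""
    ts: int            # seconds since an arbitrary epoch
    kind: str          # e.g. "auth_failure", "process_start"
    user: str = ""
    host: str = ""
    process: str = ""


# Constructed sample events: an authentication-failure burst on web01, and a
# process inventory where an unexpected binary appears after the learning period.
SAMPLE_EVENTS = [
    Event(0, "auth_failure", user="alice", host="web01"),
    Event(5, "auth_failure", user="bob", host="web01"),
    Event(10, "auth_failure", user="carol", host="web01"),
    Event(15, "auth_failure", user="dave", host="web01"),
    Event(20, "auth_failure", user="erin", host="web01"),
    Event(400, "auth_failure", user="frank", host="web01"),
    Event(0, "process_start", host="web01", process="nginx"),
    Event(30, "process_start", host="web01", process="sshd"),
    Event(3600, "process_start", host="web01", process="nginx"),
    Event(7200, "process_start", host="web01", process="unexpected_bin"),
]


def unique_values_observed(events, kind, field, threshold, window):
    """UNIQUE VALUES (Observed): true when at least `threshold` distinct values
    of `field` appear among events of `kind` inside some sliding window of
    `window` seconds (for example, 5 unique users failing to log in)."""
    matching = sorted((e for e in events if e.kind == kind), key=lambda e: e.ts)
    start = 0
    for end in range(len(matching)):
        # Advance the window start until the window spans at most `window` seconds.
        while matching[end].ts - matching[start].ts > window:
            start += 1
        distinct = {getattr(e, field) for e in matching[start:end + 1]}
        if len(distinct) >= threshold:
            return True
    return False


def whitelist_alarms(events, kind, field, learning_period_end):
    """BEHAVIORAL (Whitelist): every value of `field` seen during the learning
    period becomes whitelisted; afterwards, each event of `kind` whose value
    is not on the whitelist is returned as an alarm."""
    whitelist = {getattr(e, field) for e in events
                 if e.kind == kind and e.ts <= learning_period_end}
    alarms = [e for e in events
              if e.kind == kind and e.ts > learning_period_end
              and getattr(e, field) not in whitelist]
    return whitelist, alarms


def statistical_ratio_alarm(successes, failures, min_ratio=10.0, min_successes=0):
    """BEHAVIORAL (Statistical): alarm when successes:failures drops below
    `min_ratio`. `min_successes` is the floor from the text: below it, a quiet
    period cannot raise an alarm, which suppresses low-volume false positives."""
    if successes < min_successes:
        return False
    if failures == 0:
        return False  # no failures at all can never be "too many failures"
    return successes / failures < min_ratio


if __name__ == "__main__":
    print("5 unique failing users within 60 s:",
          unique_values_observed(SAMPLE_EVENTS, "auth_failure", "user", 5, 60))
    wl, alarms = whitelist_alarms(SAMPLE_EVENTS, "process_start", "process", 1800)
    print("learned whitelist:", sorted(wl), "alarms:", [e.process for e in alarms])
    print("12:2 without floor:", statistical_ratio_alarm(12, 2))
    print("12:2 with a floor of 100 successes:",
          statistical_ratio_alarm(12, 2, min_successes=100))
```

The whitelist function shows why the learning period matters: `nginx` restarting at 3600 s is not an alarm because it was seen during learning, while `unexpected_bin` at 7200 s is. The statistical function shows the effect of the floor described in the text: a 12 to 2 ratio alarms on its own, but not when the rule also requires at least 100 successful logins.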
