UEBA User Guide – AI Engine Rules
Lateral: Multiple Account Passwords Modified by Admin
AIE Rule ID: 1269
Attack Lifecycle: Lateral Movement
Rule Description:
An observed login by a user in the privileged user list followed by the change of two or more other account passwords.
Common Event: AIE: Lateral: Multiple Account Passwords Modified by Admin
Classification: Security : Suspicious
Suppression Multiple: 1
Alarm on Event Occurrence: No
Environmental Dependence Factor: Medium
False Positive Probability: 1
Log Sources (minimum)
Active Directory or LDAP
Log Sources (recommended)
Host Logs
AIE Rule Additional Details
Action:
Determine the Origin User that changed the account passwords and investigate whether this action was known or unknown. If unknown, you may want to isolate the Origin Host from which the account passwords were changed until an investigation can determine whether a compromise has occurred.
Use Case:
Administrator changes passwords on multiple accounts to either use as future backdoors or to prevent users from logging in.
Configuration:
1. Populate the “Privileged Users” List.
a. It is recommended that you review this list for accuracy at least quarterly.
Attainment: Abnormal File Access
AIE Rule ID: 1245
Attack Lifecycle: Target Attainment
Rule Description:
First tracks which files each user generally accesses over a learning period. Afterward, triggers if a user begins accessing different files.
Common Event: AIE: Attainment: Abnormal File Access
Classification: Security : Attack
Suppression Multiple: 1
Alarm on Event Occurrence: No
Environmental Dependence Factor: High
False Positive Probability: 7
Log Sources (minimum)
LogRhythm Sysmon
Log Sources (recommended)
Other File Integrity Monitoring
AIE Rule Additional Details
Action: Decide if the file access is known or unknown. If unknown, you may want to isolate the Origin Host until an investigation can decide if compromise is likely.
Use Case: A user's credentials are compromised. The attacker is using that account to enumerate a shared drive's files.
Configuration: LogRhythm file integrity monitoring is enabled.
Lateral: Auth After Dispersed Failed Auths
AIE Rule ID: 1263
Attack Lifecycle: Lateral Movement
Rule Description:
Within a short period of time, a single account unsuccessfully attempts to authenticate to multiple hosts from an external source.
Common Event: AIE: Lateral: Auth After Dispersed Failed Auths
Classification: Security : Compromise
Suppression Multiple: 12
Alarm on Event Occurrence: No
Environmental Dependence Factor: Low
False Positive Probability: 4
Log Sources (minimum)
Active Directory or LDAP
Log Sources (recommended)
Host Logs
AIE Rule Additional Details
Action: Verify the source of the attempts and whether the user account has previously attempted logins from that source. If the credentials have been used from that source before, this could indicate that the account is shared across multiple known systems. Shared accounts should be discouraged, and you should work with the account owner to set up individual access. If the authentication is newly attempted, you may want to disable the account until an investigation can conclude whether the account was compromised.
Use Case: A malicious individual finds a "sticky note" with a user name and password. The attacker then attempts to use these credentials on several different hosts, followed by a successful authentication.
Lateral: Brute Force Internal Auth Failure
AIE Rule ID: 1264
Attack Lifecycle: Lateral Movement
Rule Description:
Multiple failed authentication attempts from the same internal origin host to the same impacted host, without seeing an authentication success.
Common Event: AIE: Lateral: Brute Force Internal Auth Failure
Classification: Security : Reconnaissance
Suppression Multiple: 12
Alarm on Event Occurrence: No
Environmental Dependence Factor: Low
False Positive Probability: 5
Log Sources (minimum)
Active Directory or LDAP
Log Sources (recommended)
Host Logs
AIE Rule Additional Details
Action: You may want to isolate the Origin Host until an investigation has been performed to determine whether a compromise has occurred. Additionally, you may want to disable the account and/or change the password.
Use Case: An attacker knows a login ID to a specific host and repeatedly attempts to authenticate using various passwords (either manually or with an automated tool), and no successful authentication is observed.
Lateral: External Attack then Account Creation
AIE Rule ID: 1265
Attack Lifecycle: Lateral Movement
Rule Description:
Attack or compromise event from an external source followed by an account creation on the same host.
Common Event: AIE: Lateral: External Attack then Account Creatio
Classification: Security : Compromise
Suppression Multiple: 1
Alarm on Event Occurrence: No
Environmental Dependence Factor: Low
False Positive Probability: 1
Log Sources (minimum)
Active Directory or LDAP
Log Sources (recommended)
Host Logs
AIE Rule Additional Details
Action: The cost and recovery time of a compromise grows exponentially with each stage of the attack cycle, so it is imperative to stop the attack as early as possible. These rules indicate that the attacker has moved past the initial stages and is consolidating their beachhead. After the attack is stopped, it is very important to do a full sweep of the network for other signs of continued infection.
Use Case: A savvy hacker successfully attacked a machine to gain access. Once on the exploited machine, the hacker created an account for future use and exploitation.
Lateral: Failed Auths then Success
AIE Rule ID: 1266
Attack Lifecycle: Lateral Movement
Rule Description:
Multiple internal unique login attempts are seen on the same impacted host within a short period of time, followed by a successful authentication.
Common Event: AIE: Lateral: Failed Auths then Success
Classification: Security : Compromise
Suppression Multiple: 30
Alarm on Event Occurrence: No
Environmental Dependence Factor: Low
False Positive Probability: 3
Log Sources (minimum)
Active Directory or LDAP
Log Sources (recommended)
Host Logs
AIE Rule Additional Details
Action: Determine if the Origin Host is known or unknown. If unknown, you may want to isolate the system until an investigation can determine if a compromise occurred. You may also want to determine the accounts being used and whether they are active in your company. For active accounts, you may want to change account names if they are found to be “Generic” and/or perform password resets.
Use Case: A malicious individual has a list of account names and is attempting to authenticate with one of these accounts on a single machine, followed by a successful authentication on the same machine.
Configuration: Depending on the environment, the number of unique values may need to be increased for Rule Block 1. An authentication failure log is created by each domain controller in your environment.
Compromise: Account Added to Admin Group
AIE Rule ID: 1261
Attack Lifecycle: Initial Compromise
Rule Description:
New user added to a privileged user group.
Common Event: AIE: Compromise: Account Added to Admin Group
Classification: Security : Compromise
Suppression Multiple: 3600
Alarm on Event Occurrence: No
Environmental Dependence Factor: Low
False Positive Probability: 2
Log Sources (minimum)
Active Directory or LDAP
Log Sources (recommended)
Host Logs
AIE Rule Additional Details
Action:
Determine whether the account being added is known or unknown. If unknown, you may want to isolate the host until an investigation can determine whether a compromise is likely. You may also want to add the newly added administrative accounts to a watch list of suspicious accounts, so that any other use of them in a compromise can be found.
Use Case:
An attacker has created at least one account and added it to the administrators group.
Configuration:
1. Populate the “Privileged Users” List.
a. It is recommended that you review this list for accuracy at least quarterly.
Lateral: Internal Recon then Account Creation
AIE Rule ID: 1268
Attack Lifecycle: Lateral Movement
Rule Description:
Internal reconnaissance event followed by an account creation on the same target host, indicating a possible compromise.
Common Event: AIE: Lateral: Internal Recon then Account Creation
Classification: Security : Compromise
Suppression Multiple: 3
Alarm on Event Occurrence: No
Environmental Dependence Factor: Low
False Positive Probability: 4
Log Sources (minimum)
Intrusion Detection System and Active Directory or LDAP
Log Sources (recommended)
Intrusion Detection System and Host Logs
AIE Rule Additional Details
Action: Since an internal host is already compromised, follow incident response procedures. Investigate the attacking host to see if it could access any additional hosts. Investigate the created account to see what actions it could take.
Use Case: An attacker scans a machine for open ports. The IDS missed the actual attack, but shortly after the scan is detected a new account is created on the target machine, indicating some sort of attempt to maintain access.
Lateral: Abnormal Auth Behavior
AIE Rule ID: 1260
Attack Lifecycle: Lateral Movement
Rule Description:
First tracks which hosts an account typically authenticates to. Afterwards, triggers when a new host or hosts are being accessed by the account.
Common Event: AIE: Lateral: Abnormal Auth Behavior
Classification: Security : Compromise
Suppression Multiple: 1
Alarm on Event Occurrence: No
Environmental Dependence Factor: High
False Positive Probability: 5
Log Sources (minimum)
Active Directory or LDAP
Log Sources (recommended)
Host Logs
AIE Rule Additional Details
Action: Decide if the authentication activity is known or unknown. If unknown, you may want to isolate the Origin Host until an investigation can decide if compromise is likely. You may also want to investigate the Impacted Host to decide if another compromise has occurred. If the Impacted Host is found to be compromised, you may want to isolate the host until an investigation can determine that the host is safe to return to the network. You may also want to disable the account being used and/or change the password of the account.
Use Case: An account has been compromised and is now being used to authenticate to hosts that the user normally does not authenticate to.
Lateral: Numerous and Dispersed Internal Failed Auths
AIE Rule ID: 1270
Attack Lifecycle: Lateral Movement
Rule Description:
The same internal account unsuccessfully attempts to authenticate to multiple hosts within a short period of time.
Common Event: AIE: Lateral: Numerous and Dispersed Internal Failed Auths
Classification: Security : Suspicious
Suppression Multiple: 12
Alarm on Event Occurrence: No
Environmental Dependence Factor: Low
False Positive Probability: 5
Log Sources (minimum)
Active Directory or LDAP
Log Sources (recommended)
Host Logs
AIE Rule Additional Details
Action: You may want to isolate the Origin Hosts that are performing the activity to determine whether the hosts have been compromised. You may also want to investigate whether the accounts being used are “Generic” or are known in the company. If known, you may want to reset the passwords of the accounts being used.
Use Case: A malicious program is attempting to worm its way across the network, either with known credentials that may be old (so the password fails) or with generic and default credentials such as “Admin” or “Root”.
Lateral: Numerous Internal Failed Auths
AIE Rule ID: 1271
Attack Lifecycle: Lateral Movement
Rule Description:
Multiple, unique unsuccessful login attempts from an internal host are made on the same impacted host within a short period of time.
Common Event: AIE: Lateral: Numerous Internal Failed Auths
Classification: Security : Suspicious
Suppression Multiple: 12
Alarm on Event Occurrence: No
Environmental Dependence Factor: Low
False Positive Probability: 5
Log Sources (minimum)
Active Directory or LDAP
Log Sources (recommended)
Host Logs
AIE Rule Additional Details
Action: Determine if the Origin Host is known or unknown. If unknown, you may want to isolate the host until an investigation can determine if a compromise has occurred. You may also want to determine if the accounts are active in your environment and, if so, you may want to change the name of generic accounts and/or perform password resets.
Use Case: A malicious individual has a list of accounts and is attempting to authenticate with one of these accounts on a single machine, with no successful authentication observed.
Configuration: Depending on the environment, the number of unique values may need to be increased for Rule Block 1. An authentication failure log is created by each domain controller in your environment.
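The windowed correlation that rules 1266 (Failed Auths then Success) and 1271 (Numerous Internal Failed Auths) describe, as an added Python example that is not LogRhythm code: Rule Block 1 counts unique failed logins from one internal Origin Host to one Impacted Host inside a short window, and the optional Rule Block 2 waits for a success from that same origin. The event tuples, host names and the default threshold of 5 unique logins are constructed for the example; that threshold is the value the Configuration note says you may need to raise.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed, normalized authentication events (not real log records):
# (timestamp, origin host, impacted host, login, outcome).
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:01", "10.0.5.23", "FS01", "svc_backup", "failure"),
    ("2024-03-01T09:00:03", "10.0.5.23", "FS01", "jsmith",     "failure"),
    ("2024-03-01T09:00:04", "10.0.5.23", "FS01", "admin",      "failure"),
    ("2024-03-01T09:00:06", "10.0.5.23", "FS01", "mlopez",     "failure"),
    ("2024-03-01T09:00:09", "10.0.5.23", "FS01", "helpdesk",   "failure"),  # 5th unique login
    ("2024-03-01T09:00:40", "10.0.5.23", "FS01", "helpdesk",   "success"),  # success follows
    ("2024-03-01T09:05:00", "10.0.9.8",  "DC01", "bwong",      "failure"),  # one user, one login,
    ("2024-03-01T09:05:02", "10.0.9.8",  "DC01", "bwong",      "failure"),  # mistyping a password:
    ("2024-03-01T09:05:05", "10.0.9.8",  "DC01", "bwong",      "failure"),  # many failures but
    ("2024-03-01T09:05:07", "10.0.9.8",  "DC01", "bwong",      "failure"),  # only 1 unique login
    ("2024-03-01T09:05:08", "10.0.9.8",  "DC01", "bwong",      "failure"),
    ("2024-03-01T09:05:12", "10.0.9.8",  "DC01", "bwong",      "success"),
]


def parse_events(rows):
    """Turn the flat tuples into dicts with real datetimes, ordered by time."""
    events = [
        {"ts": datetime.fromisoformat(ts), "origin": o, "impacted": i, "login": l, "outcome": out}
        for ts, o, i, l, out in rows
    ]
    return sorted(events, key=lambda e: e["ts"])


class FailedAuthCorrelator:
    """Two rule blocks keyed on (Origin Host, Impacted Host).

    Block 1: at least `unique_logins` distinct logins fail within `window`.
    Block 2: if `require_success` is True, a success from the same origin to the same
             impacted host must follow Block 1 within `followup` (rule 1266 shape);
             if False, Block 1 alone raises the alert (rule 1271 shape).
    """

    def __init__(self, unique_logins=5, window=timedelta(minutes=5),
                 followup=timedelta(minutes=5), require_success=True):
        self.unique_logins = unique_logins
        self.window = window
        self.followup = followup
        self.require_success = require_success
        self._failures = defaultdict(deque)  # key -> deque of (ts, login)
        self._armed = {}                     # key -> (ts Block 1 was met, logins seen)

    def _prune(self, key, now):
        """Drop failures older than the window, and disarm a stale Block 1."""
        q = self._failures[key]
        while q and now - q[0][0] > self.window:
            q.popleft()
        if key in self._armed and now - self._armed[key][0] > self.followup:
            del self._armed[key]

    def _alert(self, rule, key, event, logins):
        return {"rule": rule, "origin": key[0], "impacted": key[1],
                "failed_logins": sorted(logins), "ts": event["ts"].isoformat(),
                "success_login": event["login"] if event["outcome"] == "success" else None}

    def process(self, events):
        alerts = []
        for e in events:
            key = (e["origin"], e["impacted"])
            self._prune(key, e["ts"])
            if e["outcome"] == "failure":
                self._failures[key].append((e["ts"], e["login"]))
                logins = {login for _, login in self._failures[key]}
                if len(logins) < self.unique_logins:
                    continue
                if self.require_success:
                    self._armed.setdefault(key, (e["ts"], logins))
                else:
                    alerts.append(self._alert("Numerous Internal Failed Auths", key, e, logins))
                    self._failures[key].clear()  # start a fresh count (acts as suppression)
            elif e["outcome"] == "success" and key in self._armed:
                _, logins = self._armed.pop(key)
                alerts.append(self._alert("Failed Auths then Success", key, e, logins))
                self._failures[key].clear()
        return alerts


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    for alert in FailedAuthCorrelator().process(events):
        print(alert)
    for alert in FailedAuthCorrelator(require_success=False).process(events):
        print(alert)
```

The repeated failures from 10.0.9.8 never alert because they involve a single login, which is why the guide's threshold is on unique values rather than on raw failure counts.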
Lateral: Password Modified by Admin
AIE Rule ID: 1272
Attack Lifecycle: Lateral Movement
Rule Description:
Privileged user changes the password of another account.
Common Event: AIE: Lateral: Password Modified by Admin
Classification: Security : Suspicious
Suppression Multiple: 60
Alarm on Event Occurrence: No
Environmental Dependence Factor: Medium
False Positive Probability: 3
Log Sources (minimum)
Active Directory or LDAP
Log Sources (recommended)
Host Logs
AIE Rule Additional Details
Action:
Verify the change control procedure has been followed and that this user's password was reset according to standards and guidelines.
If your investigation reveals that the account is known and should be in the “Privileged Users” list, you may use a SmartResponse plugin to automatically add the user to the list to further reduce future false positives.
Use Case:
A compromised privileged account can change another credential’s password to further gain access to systems, applications such as databases, and/or data. A scenario would be that a compromised IT credential is being used to change the password of a known HR user account to gain access to data owned by HR but restricted to members of IT. The attacker would then change the password of the HR account and use that account to access the data owned by HR.
Configuration:
1. Populate the “Privileged Users” List.
a. It is recommended that you review this list for accuracy at least quarterly.
Lateral: Privilege Escalation after Attack
AIE Rule ID: 1273
Attack Lifecycle: Lateral Movement
Rule Description:
Compromised host event followed by a new account created or account modified on the same host.
Common Event: AIE: Lateral: Privilege Escalation after Attack
Classification: Security : Compromise
Suppression Multiple: 2
Alarm on Event Occurrence: No
Environmental Dependence Factor: Medium
False Positive Probability: 3
Log Sources (minimum)
Intrusion Detection System and Host Logs
Log Sources (recommended)
Intrusion Detection System and LogRhythm Sysmon
AIE Rule Additional Details
Action: The cost and recovery time of a compromise grows exponentially with each stage of the attack cycle, so it is imperative to stop the attack as early as possible. These rules indicate that the attacker has moved past the initial stages and is consolidating their beachhead. After the attack is stopped, it is very important to do a full sweep of the network for other signs of continued infection.
Use Case: An IDS has detected some sort of hacking activity. Later, the same impacted host has an account created or permissions granted, indicating a likely compromise.
Compromise: CloudAI Multiple User Threat Events
AIE Rule ID: 1278
Attack Lifecycle: Initial Compromise
Rule Description:
CloudAI multiple high user threat scores.
Common Event: AIE: Compromise: CloudAI Multiple User Threat Even
Classification: Security : Suspicious
Suppression Multiple: 1
Alarm on Event Occurrence: No
Environmental Dependence Factor: High
False Positive Probability: 1
Log Sources (minimum)
LogRhythm UEBA Events
Log Sources (recommended)
N/A
AIE Rule Additional Details
Action:
Evaluate the anomalous user in the CloudAI dashboard or CloudAI dashboard widgets to determine whether the anomaly is benign or suspicious.
Use Case:
A user’s behavior has changed sufficiently that CloudAI has judged it anomalous, with multiple recent observations. This could indicate an ongoing risk that should be investigated.
Configuration:
The LogRhythm CloudAI service populates CloudAI rules to find anomalous user activity based on many indicators. LogRhythm CloudAI data is required for this AI Engine rule; for more information, please contact your Customer Relationship Manager.
Adjust the threshold count according to your company’s assessment of acceptable risk. To adjust the count:
1. Open the rule in AI Engine Rule Wizard.
2. Right-click the Threshold Rule Block and select Properties.
3. Select the Thresholds Tab.
4. Change the value under Threshold.
5. Click OK to close the AI Engine Rule Block Wizard.
6. Click OK to close the AI Engine Rule Wizard.
Recon: Disabled Account Auth Failures
AIE Rule ID: 1279
Attack Lifecycle: Recon and Planning
Rule Description:
Recently disabled or deleted account unsuccessfully tries to authenticate or access resources.
Common Event: AIE: Recon: Disabled Account Auth Failures
Classification: Security : Suspicious
Suppression Multiple: 1
Alarm on Event Occurrence: No
Environmental Dependence Factor: Low
False Positive Probability: 5
Log Sources (minimum)
Active Directory or LDAP
Log Sources (recommended)
Host Logs
AIE Rule Additional Details
Action: Determine whether the access attempt is known or unknown by confirming with the credential owner’s supervisor. If unknown, determine where the access attempts are being made from; you will want to isolate the host and/or block the origin IP address.
Use Case: A malicious process is trying to use credentials that are disabled. Another use case is an employee who has been terminated or has left the organization and shortly afterward tries to access network resources and fails.
Configuration: If using Windows audit logging, make sure Audit Account Management is turned on for successes and Audit Account Logon Events is turned on for successes and failures in the Local Security Policy.
Optional: You can tune the rule to focus on high value accounts by adding a user list filter.
Lateral: Internal Attack then Account Creation
AIE Rule ID: 1267
Attack Lifecycle: Lateral Movement
Rule Description:
Attack or compromise event from an internal host followed by an account creation on the victim host.
Common Event: AIE: Lateral: Internal Attack then Account Creatio
Classification: Security : Compromise
Suppression Multiple: 6
Alarm on Event Occurrence: No
Environmental Dependence Factor: Low
False Positive Probability: 4
Log Sources (minimum)
Intrusion Detection System and Active Directory or LDAP
Log Sources (recommended)
Intrusion Detection System and Host Logs
AIE Rule Additional Details
Action: Because the attack has already progressed to an advanced stage, it is imperative to stem the damage and stop the attack as early as possible. These rules indicate that the attacker has moved past the initial stages, is spreading throughout the network, and likely has already begun to pillage. After the attack is stopped, use the logs from the alarm to help with a full sweep of the network for other signs of continued infection.
Use Case: A system is successfully attacked, and the attacker then creates a new account on the system to maintain access.
Compromise: Auth After Numerous Failed Auths
AIE Rule ID: 1253
Attack Lifecycle: Initial Compromise
Rule Description:
Multiple external unique login attempts are seen on the same impacted host within a short period of time, followed by a successful authentication.
Common Event: AIE: Compromise: Auth After Numerous Failed Auths
Classification: Security : Compromise
Suppression Multiple: 12
Alarm on Event Occurrence: No
Environmental Dependence Factor: Low
False Positive Probability: 2
Log Sources (minimum)
Active Directory or LDAP
Log Sources (recommended)
Host Logs
AIE Rule Additional Details
Action: Investigate the source of the authentication and whether it is a known user source or a new one. If known, verify with the user whether they are having trouble authenticating. If it is a new source, you may want to deny or isolate the source until you can determine whether it should be trusted. You may also want to investigate whether the source has attempted any other authentications using other credentials, to help determine whether the source is suspicious. If the source is suspicious, disable the account being used until the investigation can determine how the account was compromised. You should also reset the password of the possibly compromised account.
Use Case: A malicious individual has a list of email addresses from the company and is attempting to authenticate with one of these accounts from a single machine, followed by a successful authentication from the same machine.
Configuration:
You may want to exclude your cloud providers’ subnets or define them as part of your entity structure to list them as internal to reduce false positives.
Attainment: Corroborated Account Anomalies
AIE Rule ID: 1246
Attack Lifecycle: Target Attainment
Rule Description:
3 or more unique behavioral anomalies for a given user within a 3-hour period.
Common Event: AIE: Attainment: Corroborated Account Anomalies
Classification: Security : Compromise
Suppression Multiple: 1
Alarm on Event Occurrence: No
Environmental Dependence Factor: High
False Positive Probability: 3
Log Sources (minimum)
AI Engine Events
Log Sources (recommended)
AI Engine Events
AIE Rule Additional Details
Action: This alarm may show a heightened security issue that should be prioritized to decide if a compromise is likely.
Use Case: An account has been compromised.
Configuration: This rule needs the following rules to be enabled:
1) Compromise: Abnormal Process Activity, ID 1248
2) Lateral: Abnormal Auth Behavior, ID 1260
3) C2: Abnormal Origin Location, ID 1247
4) Attainment: Abnormal File Access, ID 1245
C2: Abnormal Origin Location
AIE Rule ID: 1247
Attack Lifecycle: Command and Control
Rule Description:
First tracks geographic locations for logins. Afterwards, triggers when a new origin location is seen for a user.
Common Event: AIE: C2: Abnormal Origin Location
Classification: Security : Attack
Suppression Multiple: 1
Alarm on Event Occurrence: No
Environmental Dependence Factor: High
False Positive Probability: 8
Log Sources (minimum)
Active Directory or LDAP
Log Sources (recommended)
Host Logs
AIE Rule Additional Details
Action: Contact the user to decide if this activity is known or unknown. If unknown, you may want to disable the account until an investigation can decide if the account is compromised. You may also want to change the password of the account.
Use Case: A user's credentials were compromised, and the attacker authenticates in from an area that is not common.
Compromise: Abnormal Process Activity
AIE Rule ID: 1248
Attack Lifecycle: Initial Compromise
Rule Description:
First tracks processes associated with a user. Afterwards, triggers if drastically different processes are observed from the user.
Common Event: AIE: Compromise: Abnormal Process Activity
Classification: Security : Compromise
Suppression Multiple: 1
Alarm on Event Occurrence: No
Environmental Dependence Factor: High
False Positive Probability: 8
Log Sources (minimum)
Host Logs
Log Sources (recommended)
LogRhythm Sysmon
AIE Rule Additional Details
Action: Determine whether the process is known or unknown. On Windows systems, you may want to run a program like Microsoft Windows Sysinternals Process Monitor with VirusTotal query enabled. If the process is suspicious or known to be malicious, you may want to isolate the system until an investigation can determine whether a compromise has occurred.
Use Case: A user's credentials are compromised. The attacker uses the credentials to start a remote access toolkit (RAT) process on the user's machine.
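The learn-then-alert pattern shared by rules 1245 (Abnormal File Access), 1247 (Abnormal Origin Location), 1248 (Abnormal Process Activity) and 1260 (Abnormal Auth Behavior), together with the corroboration logic of rule 1246 (3 or more unique anomalies for one user within a 3-hour period), as an added Python example that is not LogRhythm code. The observations, user, host, process and file names are constructed; the baseline is a plain set of values seen per user and dimension during learning, a stand-in for whatever scoring the product actually applies.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Which per-user dimension each learn-then-alert rule watches.
RULE_BY_DIMENSION = {
    "host":     (1260, "Lateral: Abnormal Auth Behavior"),
    "location": (1247, "C2: Abnormal Origin Location"),
    "process":  (1248, "Compromise: Abnormal Process Activity"),
    "file":     (1245, "Attainment: Abnormal File Access"),
}

# Constructed observations (not real log data): (timestamp, user, dimension, value).
LEARNING_PERIOD = [
    ("2024-02-01T09:00:00", "alice", "host", "WS-ALICE"),
    ("2024-02-01T09:01:00", "alice", "location", "US"),
    ("2024-02-01T09:02:00", "alice", "process", "outlook.exe"),
    ("2024-02-01T09:03:00", "alice", "process", "excel.exe"),
    ("2024-02-01T09:04:00", "alice", "file", r"\\fs01\sales\q1.xlsx"),
    ("2024-02-02T09:00:00", "alice", "host", "FS01"),
]
DETECTION_PERIOD = [
    ("2024-03-01T02:00:00", "alice", "location", "RO"),                   # new origin location
    ("2024-03-01T02:05:00", "alice", "host", "SQL01"),                     # new host
    ("2024-03-01T02:06:00", "alice", "process", "unsigned_tool.exe"),      # new process
    ("2024-03-01T02:07:00", "alice", "host", "WS-ALICE"),                  # known host
    ("2024-03-01T02:08:00", "alice", "host", "SQL01"),                     # new host seen again
    ("2024-03-01T14:00:00", "alice", "file", r"\\fs01\hr\salaries.xlsx"),  # new file, hours later
]


class BehaviorBaseline:
    """Learning period builds per-(user, dimension) sets; detection flags unseen values
    and corroborates 3 or more distinct anomaly rules for one user within 3 hours."""

    def __init__(self, corroboration_window=timedelta(hours=3), corroboration_threshold=3):
        self.baseline = defaultdict(set)
        self.window = corroboration_window
        self.threshold = corroboration_threshold

    def learn(self, observations):
        for _, user, dim, value in observations:
            self.baseline[(user, dim)].add(value)

    def is_known(self, user, dim, value):
        return value in self.baseline.get((user, dim), set())

    def detect(self, observations):
        anomalies, corroborated = [], []
        recent = defaultdict(list)   # user -> [(ts, rule_id)] inside the corroboration window
        suppressed_until = {}        # user -> time until which rule 1246 does not re-fire
        for ts_s, user, dim, value in sorted(observations):
            if dim not in RULE_BY_DIMENSION or self.is_known(user, dim, value):
                continue
            ts = datetime.fromisoformat(ts_s)
            rule_id, name = RULE_BY_DIMENSION[dim]
            anomalies.append({"ts": ts_s, "user": user, "rule_id": rule_id, "rule": name, dim: value})
            # Keep learning: the same new value does not re-alert on every later access.
            self.baseline[(user, dim)].add(value)

            recent[user] = [(t, r) for t, r in recent[user] if ts - t <= self.window] + [(ts, rule_id)]
            unique_rules = {r for _, r in recent[user]}
            if len(unique_rules) >= self.threshold and ts >= suppressed_until.get(user, ts):
                corroborated.append({"ts": ts_s, "user": user, "rule_id": 1246,
                                     "rule": "Attainment: Corroborated Account Anomalies",
                                     "anomalies": sorted(unique_rules)})
                suppressed_until[user] = ts + self.window
        return anomalies, corroborated


if __name__ == "__main__":
    detector = BehaviorBaseline()
    detector.learn(LEARNING_PERIOD)
    found, corroborated = detector.detect(DETECTION_PERIOD)
    for alert in found + corroborated:
        print(alert)
```

The file anomaly at 14:00 stands alone because the three earlier anomalies have aged out of the 3-hour window, so only the first cluster produces a corroborated alert.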
C2: Blacklist Location Auth
AIE Rule ID: 1249
Attack Lifecycle: Command and Control
Rule Description:
Authentication success from a blacklisted location.
Common Event: AIE: C2: Blacklist Location Auth
Classification: Security : Compromise
Suppression Multiple: 3600
Alarm on Event Occurrence: No
Environmental Dependence Factor: High
False Positive Probability: 1
Log Sources (minimum)
Active Directory or LDAP
Log Sources (recommended)
Host Logs
AIE Rule Additional Details
Action:
Verify with the user whether they are using any 3rd party VPN service that is not supported by the company, through which they might be routed via a blacklisted country. Also, verify with the user what their external IP address is. If the user is not the one connecting through a blacklisted country, you should disconnect the active VPN session and disable the user account until an investigation can be performed to determine how the attempt was being made. Some well-known 3rd party VPN services are: NORDVPN, Private Internet Access, Express VPN, TORGUARD, Anonymizer, IPREDATOR, SLICKVPN, MULLVAD, BLACKVPN, VPNAREA, IPVANISH, IVPN, LIQUIDVPN, SMARTVPN, PRIVATEVPN, CRYPTOSTORM, BUFFERED and many more.
Use Case:
An attacker is using a compromised account to authenticate from a location considered unauthorized.
Configuration:
1. Enable Geolocation.
2. Populate the “Network: Blacklisted Countries” List.
a. It is recommended that you review this list for accuracy at least quarterly.
Compromise: Concurrent VPN from Multiple Locations
AIE Rule ID: 1250
Attack Lifecycle: Initial Compromise
Rule Description:
Multiple authentication successes from the same origin login are observed from different geographic regions within a given time (default 3 hours).
Common Event: AIE: Compromise: Concurrent Authentication Success
Classification: Security : Compromise
Suppression Multiple: 1
Alarm on Event Occurrence: No
Environmental Dependence Factor: High
False Positive Probability: 1
Log Sources (minimum)
Authentication Log Sources
Log Sources (recommended)
N/A
AIE Rule Additional Details
Action: Verify with the user, by calling them, whether this activity is known. If unknown, disconnect active user sessions and disable the user account until you can determine how the other authentication session was initiated.
Use Case: An attacker has obtained the credentials of a user who is currently logged on externally and authenticates with the compromised credentials from a different geographical location.
Configuration:
Enable Geolocation.
Lateral: Admin Password Modified
AIE Rule ID: 1262
Attack Lifecycle: Lateral Movement
Rule Description:
User changes the password of a different privileged user account.
Common Event: AIE: Lateral: Admin Password Modified
Classification: Security : Compromise
Suppression Multiple: 60
Alarm on Event Occurrence: No
Environmental Dependence Factor: Medium
False Positive Probability: 3
Log Sources (minimum)
Active Directory or LDAP
Log Sources (recommended)
Host Logs
AIE Rule Additional Details
Action:
Verify that the admin was aware of the password change. Also verify that the change control procedure has been followed and that this user's password was reset according to standards and guidelines.
Use Case:
A compromised privileged account can change another privileged account’s credentials to further gain access to systems, applications such as databases, and/or data. A scenario would be that a compromised IT credential is being used to change the password of a known database privileged user to gain access to data on a database server that is restricted to members of IT. The attacker would then change the password of the privileged user account and use that account to access the data.
Configuration:
1. Populate the “Privileged Users” List.
a. It is recommended that you review this list for accuracy at least quarterly.
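The three password-change shapes from rules 1272 (Password Modified by Admin), 1269 (Multiple Account Passwords Modified by Admin) and 1262 (Admin Password Modified), checked against a Privileged Users list, as an added Python example that is not LogRhythm code. The account names, the 30-minute window and the use of Windows Security events 4624 (logon) and 4724 (password reset) as the input are constructed assumptions; the threshold of two other accounts comes from rule 1269's description.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed stand-in for the LogRhythm "Privileged Users" list.
PRIVILEGED_USERS = {"it_admin1", "it_admin2", "sql_dba"}

# Constructed, simplified Windows Security events (not real log records).
# 4624 = successful logon; 4724 = password reset attempt, where Subject resets Target.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:00", "event_id": 4624, "subject": "it_admin1", "target": None},
    {"ts": "2024-03-01T08:02:10", "event_id": 4724, "subject": "it_admin1", "target": "hr_clerk"},
    {"ts": "2024-03-01T08:02:55", "event_id": 4724, "subject": "it_admin1", "target": "finance2"},
    {"ts": "2024-03-01T09:31:00", "event_id": 4724, "subject": "helpdesk7", "target": "sql_dba"},
    {"ts": "2024-03-01T10:00:00", "event_id": 4724, "subject": "it_admin2", "target": "it_admin2"},
]

RULES = {
    1272: "Lateral: Password Modified by Admin",
    1269: "Lateral: Multiple Account Passwords Modified by Admin",
    1262: "Lateral: Admin Password Modified",
}


def evaluate(events, privileged, window=timedelta(minutes=30), multi_threshold=2):
    """Apply the three rule shapes to a batch of events.

    1272: a privileged Subject resets the password of a different account.
    1269: a privileged Subject logs on (4624) and, within `window`, resets the passwords
          of `multi_threshold` or more distinct other accounts.
    1262: any Subject resets the password of a different account that is privileged.
    Self-resets (Subject == Target) are not "another account" and are ignored.
    """
    alerts = []
    last_logon = {}                 # subject -> time of most recent 4624
    resets = defaultdict(list)      # privileged subject -> [(ts, target)] inside the window
    multi_fired = set()             # subjects for which 1269 already fired in this batch

    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        subj, tgt = e["subject"], e["target"]
        if e["event_id"] == 4624:
            last_logon[subj] = ts
            continue
        if e["event_id"] != 4724 or tgt is None or tgt == subj:
            continue

        if subj in privileged:
            alerts.append({"rule_id": 1272, "rule": RULES[1272], "ts": e["ts"],
                           "subject": subj, "target": tgt})
            logon_ts = last_logon.get(subj)
            if logon_ts is not None and ts - logon_ts <= window:
                resets[subj] = [(t, a) for t, a in resets[subj] if ts - t <= window] + [(ts, tgt)]
                targets = {a for _, a in resets[subj]}
                if len(targets) >= multi_threshold and subj not in multi_fired:
                    alerts.append({"rule_id": 1269, "rule": RULES[1269], "ts": e["ts"],
                                   "subject": subj, "targets": sorted(targets)})
                    multi_fired.add(subj)

        if tgt in privileged:
            alerts.append({"rule_id": 1262, "rule": RULES[1262], "ts": e["ts"],
                           "subject": subj, "target": tgt})
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, PRIVILEGED_USERS):
        print(alert)
```

A stale or incomplete Privileged Users list shows up directly in the output: a privileged account missing from the list produces 1262 alerts instead of 1272 ones, which is why the guide asks for a quarterly review of the list.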
Compromise: Windows RunAs Privilege Escalation
AIE Rule ID: 1252
Attack Lifecycle: Initial Compromise
Rule Description:
User not in the LogRhythm List "Privileged Users" chooses to Run a Windows program as an administrator using the "Run as administrator" option.
Common Event: AIE: Compromise: Windows RunAs Privilege Escalatio
Classification: Security : Compromise
Suppression Multiple: 3600
Alarm on Event Occurrence: No
Environmental Dependence Factor: Medium
False Positive Probability: 3
Log Sources (minimum)
Windows Host Logs
Log Sources (recommended)
Active Directory or LDAP
AIE Rule Additional Details
Action:
Determine whether the account being elevated is known or unknown on the Impacted Host. If unknown, you may want to isolate the host until an investigation can determine whether a compromise is likely.
If your investigation reveals that the account is known and should be in the “Privileged Users” list, you may use a SmartResponse plugin to automatically add the user to the list to further reduce future false positives.
To further contextualize the alert, you may want to pivot on Vendor Message ID 4624 and 4688.
Use Case:
You have hardened all the security settings on your internal chat server (e.g., Microsoft Lync) and someone is trying to install MITM spyware to capture chats. The malicious user needs to run the spyware as administrator to access various registry settings needed to complete the attack.
Configuration:
1. Populate the “Privileged Users” List.
a. It is recommended that you review this list for accuracy at least quarterly.
Recon: Multiple Lockouts
AIE Rule ID: 1283
Attack Lifecycle: Recon and Planning
Rule Description:
An account is locked out 2 or more times per hour.
Common Event: AIE: Recon: Multiple Lockouts
Classification: Security : Reconnaissance
Suppression Multiple: 1
Alarm on Event Occurrence: No
Environmental Dependence Factor: Low
False Positive Probability: 3
Log Sources (minimum)
Active Directory or LDAP
Log Sources (recommended)
Host Logs
AIE Rule Additional Details
Action: Accounts under attack should be temporarily disabled while under investigation. Attack sources should be blocked via a security system or other security device.
Use Case: In large companies it sometimes can be daunting and tedious to sift through the "noise" of potential operational events of interest. This alarm alerts when accounts are locked out 3 or more times in an hour instead of every time an account is locked out.
Compromise: Auth After Security Event
AIE Rule ID: 1254
Attack Lifecycle: Initial Compromise
Rule Description:
An observed attack, compromise, or other security event followed by successful access or authentication from the attacking host.
Common Event: AIE: Compromise: Auth After Security Event
Classification: Security : Compromise
Suppression Multiple: 2
Alarm on Event Occurrence: No
Environmental Dependence Factor: Medium
False Positive Probability: 3
Log Sources (minimum)
Intrusion Detection System and Host Logs
Log Sources (recommended)
Intrusion Detection System and LogRhythm Sysmon
AIE Rule Additional Details
Action: If a compromise of the account is suspected, you may want to disable the account until an investigation can determine if the account was compromised. You may want to run an investigation on the Origin Host of the IDS detection and determine if it is known to the company or unknown. If unknown, you may want to deny the IP address and/or range of IPs on the company firewall.
Use Case: An IDS has detected some sort of hacking activity from an external host. Later, the same external host is seen successfully authenticating with an internal host, indicating a successful network penetration.
Compromise: Distributed Brute Force
AIE Rule ID: 1255
Attack Lifecycle: Initial Compromise
Rule Description:
A successful brute force authentication -- multiple failed authentication attempts from different external hosts to the same host using the same origin login, followed by an authentication success.
Common Event: AIE: Compromise: Distributed Brute Force
Classification: Security : Compromise
Suppression Multiple: 12
Alarm on Event Occurrence: No
Environmental Dependence Factor: Low
False Positive Probability: 1
Log Sources (minimum)
Active Directory or LDAP
Log Sources (recommended)
Host Logs, Web Server Logs
AIE Rule Additional Details
Action: This rule fires when the attacker has compromised at least one account. In this case, it is vital to quickly contain the compromise by disconnecting infected hosts, disabling the compromised account, and blocking the attacker's access; organizations should have an incident response plan for a compromise. After stopping the active attack, forensics will need to be conducted to ensure that no implant is hidden in the network, that no information was stolen, and that no other accounts were compromised.
Use Case: An attacker knows a login ID to a specific host and repeatedly attempts to authenticate using various passwords from different origin hosts to mask the password guessing activity, and eventually successfully authenticates.
Configuration: In Windows, activate Audit Account Management for successes in the Group/Local Security Policy.
Compromise: External Brute Force Auths
AIE Rule ID: 1256
Attack Lifecycle: Initial Compromise
Rule Description:
Successful authentication after multiple failed attempts from different external origin hosts to the same impacted host.
Common Event: AIE: Compromise: External Brute Force Auths
Classification: Security : Compromise
Suppression Multiple: 12
Alarm on Event Occurrence: No
Environmental Dependence Factor: Low
False Positive Probability: 5
Log Sources (minimum)
Active Directory or LDAP
Log Sources (recommended)
Host Logs, Web Server Logs, VPN
AIE Rule Additional Details
Action: Investigate whether the login is valid. If so, you may wish to change the password of the account to a complex and lengthy one to minimize the chance of successful brute force guessing. If the login is found to be “generic”, such as “Admin” or “Root”, you may want to rename the account to minimize brute forcing of generic login identities. For known accounts, deploy multi-factor authentication to reduce the effectiveness of brute force password guessing and of credentials exposed through third-party breaches.
Use Case: An attacker knows a login ID to a specific host and repeatedly attempts to authenticate using various passwords from the same origin host to brute force authentication. The login ID could have been obtained as part of a third-party data breach, or the attempt may use default credentials such as “Admin”, “Administrator”, or “Root”.
Configuration: To reduce false positives from failed authentications of login identities that are not applicable to your organization and would otherwise be considered generic, you may want to add a known-user list to this rule.
Compromise: Lateral Movement With Account Sweep
AIE Rule ID: 1257
Attack Lifecycle: Initial Compromise
Rule Description:
The same internal account is used to attempt to authenticate to multiple hosts within a short period of time, followed by a successful authentication.
Common Event: AIE: Compromise: Lateral Movement With Account Swe
Classification: Security : Compromise
Suppression Multiple: 12
Alarm on Event Occurrence: No
Environmental Dependence Factor: Low
False Positive Probability: 5
Log Sources (minimum)
Active Directory or LDAP
Log Sources (recommended)
Host Logs
AIE Rule Additional Details
Action: You may want to isolate the Origin Host that is performing the activity to determine if the host has been compromised. You may also want to investigate the accounts being used if they are “Generic” or if they are known in the company. If known, you may want to reset the passwords of the accounts being used.
Use Case: A malicious program is attempting to worm its way across the network using known credentials that may be stale (so the password fails), or using generic accounts such as “Admin” or “Root” with default credentials.
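Both "Compromise: Distributed Brute Force" and "Compromise: Lateral Movement With Account Sweep" are the same shape of correlation: failed authentications spread across N distinct values of one field, followed by a success for the same account. The block below is an added example, not LogRhythm code or AI Engine rule logic, that implements that shape once and instantiates it for both rules over constructed authentication events. The internal address ranges, window lengths and thresholds are assumptions chosen for illustration.

```python
"""Added example, not LogRhythm code: a small correlator for the two
threshold patterns described for "Distributed Brute Force" and "Lateral
Movement With Account Sweep", run over constructed authentication events.
Window lengths, thresholds and the internal address ranges are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: these ranges are "internal"; any other origin is external.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class AuthEvent:
    ts: int          # seconds (constructed timestamps)
    login: str       # origin login used for the attempt
    origin: str      # origin host (IP address)
    impacted: str    # impacted host name
    success: bool    # authentication outcome


def is_external(origin_ip: str) -> bool:
    addr = ip_address(origin_ip)
    return not any(addr in net for net in INTERNAL_NETS)


def distinct_then_success(events, key, distinct, window, min_distinct, keep=lambda e: True):
    """Generic 'failures from >= N distinct values, then a success' correlation.

    Events are grouped by key(e). For each successful authentication in a
    group, the failures within `window` seconds before it are examined and the
    number of distinct values of distinct(e) among them is counted; the rule
    fires when that number reaches min_distinct. Returns (key, success_event,
    sorted distinct values) tuples.
    """
    groups = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if keep(e):
            groups[key(e)].append(e)
    hits = []
    for k, evs in groups.items():
        for i, e in enumerate(evs):
            if not e.success:
                continue
            seen = {distinct(f) for f in evs[:i] if not f.success and e.ts - f.ts <= window}
            if len(seen) >= min_distinct:
                hits.append((k, e, sorted(seen)))
    return hits


def distributed_brute_force(events, window=3600, min_hosts=3):
    """Same login against the same impacted host, failures from >= min_hosts
    distinct external origin hosts, followed by a success."""
    return distinct_then_success(
        events,
        key=lambda e: (e.login, e.impacted),
        distinct=lambda e: e.origin,
        window=window,
        min_distinct=min_hosts,
        keep=lambda e: is_external(e.origin),
    )


def account_sweep(events, window=600, min_hosts=3):
    """Same internal account failing against >= min_hosts distinct impacted
    hosts in a short period, followed by a success anywhere."""
    return distinct_then_success(
        events,
        key=lambda e: e.login,
        distinct=lambda e: e.impacted,
        window=window,
        min_distinct=min_hosts,
        keep=lambda e: not is_external(e.origin),
    )


# Constructed sample: one distributed brute force, one account sweep, and one
# benign user who mistypes a password twice from their own workstation.
SAMPLE = [
    AuthEvent(1000, "svc_backup", "203.0.113.10", "web01", False),
    AuthEvent(1010, "svc_backup", "198.51.100.7", "web01", False),
    AuthEvent(1020, "svc_backup", "192.0.2.44", "web01", False),
    AuthEvent(1030, "svc_backup", "203.0.113.10", "web01", True),
    AuthEvent(2000, "jdoe", "10.0.0.5", "fs01", False),
    AuthEvent(2005, "jdoe", "10.0.0.5", "fs02", False),
    AuthEvent(2010, "jdoe", "10.0.0.5", "db01", False),
    AuthEvent(2015, "jdoe", "10.0.0.5", "app01", True),
    AuthEvent(3000, "asmith", "10.0.0.9", "fs01", False),
    AuthEvent(3005, "asmith", "10.0.0.9", "fs01", False),
    AuthEvent(3010, "asmith", "10.0.0.9", "fs01", True),
]

if __name__ == "__main__":
    for k, e, seen in distributed_brute_force(SAMPLE):
        print("distributed brute force:", k, "success at", e.ts, "after failures from", seen)
    for k, e, seen in account_sweep(SAMPLE):
        print("account sweep:", k, "success on", e.impacted, "after failing on", seen)
```

The benign user never fires either rule because the distinct count (one origin, one impacted host) stays below the threshold; raising `min_hosts` or shortening `window` is the code equivalent of tuning the rule block's threshold, which is where false positives from shared jump hosts or NAT pools are usually addressed.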
Corruption: Audit Disabled by Admin
AIE Rule ID: 1258
Attack Lifecycle: Corruption
Rule Description:
Login by an administrator followed by disabling of an audit process.
Common Event: AIE: Corruption: Audit Disabled by Admin
Classification: Security : Compromise
Suppression Multiple: 1
Alarm on Event Occurrence: No
Environmental Dependence Factor: High
False Positive Probability: 1
Log Sources (minimum)
Host Logs
Log Sources (recommended)
LogRhythm Sysmon
AIE Rule Additional Details
Action:
If audits are being disabled, it is highly likely that malicious activity is taking place. Immediately launch LogRhythm investigations on the Log Source where this is occurring.
Use Case:
A disgruntled administrator plans on malicious activity and disables auditing beforehand to ensure the activity is not logged.
Configuration:
1. Populate the “Privileged Users” List.
a. Recommended that you review this list for accuracy at least quarterly.
Disruption: Files Deleted by Admin
AIE Rule ID: 1259
Attack Lifecycle: Disruption
Rule Description:
Privileged user login followed by multiple file deletions, indicating the administrator may be destroying large amounts of data.
Common Event: AIE: Disruption: Files Deleted by Admin
Classification: Security : Compromise
Suppression Multiple: 1
Alarm on Event Occurrence: No
Environmental Dependence Factor: High
False Positive Probability: 1
Log Sources (minimum)
Host Logs
Log Sources (recommended)
Active Directory or LDAP, LogRhythm Sysmon
AIE Rule Additional Details
Action:
Determine the Origin Host and whether the host is known. If unknown, you may want to isolate the host until an investigation can decide whether a compromise has occurred. You may also want to contact the account owner and/or the file owners to decide whether the action is known or unknown, to further decide whether a compromise is likely.
Use Case:
A destructive malicious application or a possible disgruntled administrator wants to disrupt company workflow by deleting commonly used files on a shared drive.
Configuration:
1. Populate the “Privileged Users” List.
a. Recommended that you review this list for accuracy at least quarterly.
Recon: Linux sudo Privilege Escalation
AIE Rule ID: 1251
Attack Lifecycle: Recon and Planning
Rule Description:
User not in the LogRhythm list "Privileged Users" and not in the local 'sudoers' file tries to use sudo on a Linux host.
Common Event: AIE: Recon: Linux sudo Privilege Escalation
Classification: Security : Reconnaissance
Suppression Multiple: 3600
Alarm on Event Occurrence: No
Environmental Dependence Factor: Medium
False Positive Probability: 5
Log Sources (minimum)
Linux Host Logs
Log Sources (recommended)
Active Directory or LDAP
AIE Rule Additional Details
Action:
Decide if the account being used is known or unknown on the Impacted Host. If unknown, you may want to isolate the host to decide if compromise is likely.
If your investigation reveals that the account is known and should be on the Privileged Users list, you may use a SmartResponse plugin to automatically add the user to the list to reduce future false positives.
Use Case:
An attacker is testing their access by trying to run malicious code on a Linux box without super user privileges.
Configuration:
1. Populate the “Privileged Users” List.
a. Recommended that you review this list for accuracy at least quarterly.
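The rule above has two exclusion lists: the LogRhythm "Privileged Users" list and the host's own sudoers grants. The block below is an added example, not LogRhythm code, that applies the same condition to constructed sudo syslog lines: it parses a simplified sudoers file (plain user and %group entries; Defaults, aliases and @include directives are skipped, which is an assumption) and reports sudo attempts by users found in neither list. The log lines, sudoers content, group membership and privileged list are all constructed.

```python
"""Added example, not LogRhythm code: flag sudo usage by users who are neither
on the "Privileged Users" list nor granted in sudoers, the condition the rule
above describes. The sudoers parsing is a deliberate simplification
(assumption): plain user and %group entries are honoured; Defaults, aliases
and @include directives are skipped. Log lines, sudoers content, group
membership and the privileged list are all constructed.
"""
import re

# sudo's syslog line: "sudo: <user> : [<status> ;] TTY=... ; PWD=... ; USER=... ; COMMAND=..."
# The status field is present only when the attempt was refused.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:\s+(?:(?P<status>[^;]+?)\s+;\s+)?"
    r"TTY=(?P<tty>\S+)\s+;\s+PWD=(?P<pwd>\S+)\s+;\s+USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)

SKIP_KEYWORDS = ("Defaults", "User_Alias", "Runas_Alias", "Host_Alias",
                 "Cmnd_Alias", "@include", "@includedir")


def parse_sudoers(text, groups):
    """Return the set of user names granted something in a sudoers file.
    `groups` maps group name -> set of members (a constructed /etc/group view)."""
    users = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_KEYWORDS):
            continue
        who = line.split()[0]
        if who.startswith("%"):
            users |= groups.get(who[1:], set())
        else:
            users.add(who)
    return users


def sudo_escalation_attempts(log_text, privileged_users, sudoers_users):
    """Return (user, command, status) for sudo attempts by users in neither list."""
    hits = []
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if not m:
            continue
        user = m.group("user")
        if user in privileged_users or user in sudoers_users:
            continue
        hits.append((user, m.group("cmd"), m.group("status") or "allowed"))
    return hits


# Constructed inputs.
PRIVILEGED_USERS = {"alice"}                     # the LogRhythm "Privileged Users" list
GROUPS = {"sudo": {"alice"}, "wheel": set()}     # group membership on the host
SUDOERS = """\
# constructed /etc/sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
carol   ALL=(ALL) NOPASSWD: /usr/bin/systemctl
@includedir /etc/sudoers.d
"""
LOG = """\
Mar  3 10:02:11 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Mar  3 10:05:42 host1 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  3 10:06:03 host1 sudo:    carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:07:15 host1 sudo:     dave : 3 incorrect password attempts ; TTY=pts/3 ; PWD=/tmp ; USER=root ; COMMAND=/bin/bash
"""

if __name__ == "__main__":
    granted = parse_sudoers(SUDOERS, GROUPS)
    for user, cmd, status in sudo_escalation_attempts(LOG, PRIVILEGED_USERS, granted):
        print(f"{user}: {status}: {cmd}")
```

Note that carol is excluded because she is granted in sudoers even though she is not on the Privileged Users list, which is exactly why the rule checks both: a user with a legitimate local grant should not generate an event just because the central list has not caught up.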
Compromise: CloudAI and Recent User Location Data Observed
AIE Rule ID: 1307
Attack Lifecycle: Initial Compromise
Rule Description:
CloudAI anomalous authentication location activity observation and AI Engine observed authentication events involving location for the same user identity.
Common Event: AIE: Compromise: CloudAI and Recent User Location
Classification: Security : Compromise
Suppression Multiple: 1
Alarm on Event Occurrence: No
Environmental Dependence Factor: Medium
False Positive Probability: 5
Log Sources (minimum)
LogRhythm UEBA Events
Log Sources (recommended)
VPN Logs
AIE Rule Additional Details
Action:
Evaluate the anomalous user in CloudAI dashboard or CloudAI dashboard widgets to decide if the anomaly is benign or suspicious. Additionally, investigate the User (Origin) Identity around the time of the observed CloudAI anomaly for any suspicious authentications involving locations.
Use Case:
A user’s authentication location behavior has changed sufficiently that the user’s behavior is anomalous as decided by CloudAI. Detailed locations of the user authentications are needed to aid the analyst in deciding if the locations are suspicious.
Configuration:
The LogRhythm CloudAI service populates CloudAI rules to find anomalous user activity based on many indicators. LogRhythm CloudAI data is needed for this AI Engine rule - for more information please contact your Customer Relationship Manager.
This rule uses the “CloudAI: Ignore for 24 Hours” list. Place user identities that you may want to ignore for 24 hours here that are generating many events for a known reason that would otherwise cause this rule to event and alarm if configured to do so.
Adjust the threat score according to your company’s assessment of acceptable risk. To adjust the score:
1. Open the rule in AI Engine Rule Wizard.
2. On the Threshold Rule Block, Right Click and select Properties.
3. Select the Thresholds Tab.
4. Change the value under Threshold.
5. Click OK to close the AI Engine Rule Block Wizard.
6. Click OK to close the AI Engine Rule Wizard.
Compromise: Security Event then Process Starting
AIE Rule ID: 1300
Attack Lifecycle: Initial Compromise
Rule Description:
A security event classified as Compromise, Reconnaissance, or Attack against a host, followed by a non-whitelisted process starting on the same host, indicating a compromise.
Common Event: AIE: Compromise: Security Event then Process Start
Classification: Security : Compromise
Suppression Multiple: 12
Alarm on Event Occurrence: No
Environmental Dependence Factor: Low
False Positive Probability: 5
Log Sources (minimum)
Host Security Logs/AV/IDS/IPS
Log Sources (recommended)
NextGen Firewall
AIE Rule Additional Details
Action:
Run an investigation on the impacted host for activity around the time of the alarm. Find the process that started on the impacted host and confirm that it is a known non-malicious process and that the process action was known. If known, add the process to the LogRhythm Whitelisted Processes list in accordance with your company's change management process. If unknown, follow your company's incident response plan.
Use Case:
An attacker scans a machine for a vulnerability. The vulnerability is exploited, and a new malicious process is started up on the target machine.
Configuration:
This rule uses two lists named “Vulnerability Scanners” and “Network: Whitelisted Processes.” The following is information on configuring the lists for this rule:
1. Populate the “Vulnerability Scanners” list with the DNS name, NetBIOS name, and IP address, where applicable, of each vulnerability scanner in your environment.
2. Populate the “Network: Whitelisted Processes” with process names that are trusted in your environment.
For both list items, you should review the lists quarterly for completeness.
Additionally, you may want to whitelist trusted users in User Origin such as System, Network Service, Local Service, etc.
Compromise: System Time Change
AIE Rule ID: 1301
Attack Lifecycle: Initial Compromise
Rule Description:
An attack or compromise event followed by time change activity on the same impacted host.
Common Event: AIE: Compromise: System Time Change
Classification: Security : Compromise
Suppression Multiple: 1
Alarm on Event Occurrence: No
Environmental Dependence Factor: Low
False Positive Probability: 5
Log Sources (minimum)
Host Security Logs/IDS/IPS
Log Sources (recommended)
NextGen Firewall
AIE Rule Additional Details
Action: Investigate the impacted system to decide if the system was successfully compromised. You may want to look for how the system time was changed, i.e. if it was due to a user changing the time or if it was a potentially malicious process changing the time. If malicious, follow your company's security incident response process.
Use Case: An attacker successfully compromises a system and then changes the system time to obfuscate their activities. This activity could be a person at the keyboard or automated malware.
Compromise: Unusual Auth then Unusual Process
AIE Rule ID: 1302
Attack Lifecycle: Initial Compromise
Rule Description:
First tracks normal hosts accessed by a user and which processes are used. Afterwards, triggers when the user authenticates to a different host and starts a process that was not seen in the same learning period.
Common Event: AIE: Compromise: Unusual Auth then Unusual Process
Classification: Security : Compromise
Suppression Multiple: 4
Alarm on Event Occurrence: No
Environmental Dependence Factor: High
False Positive Probability: 5
Log Sources (minimum)
Host Security Logs/AD/LDAP
Log Sources (recommended)
LogRhythm Sysmon
AIE Rule Additional Details
Action: Investigate the impacted host to decide if the authentication is known and the process is non-malicious, and activity is authorized. If unauthorized or malicious activity is found, follow your company's security incident response process.
Use Case: Compromised credentials are being used to gain unauthorized access and compromise the impacted host by running unauthorized software tools, applications, or malware to corrupt, disrupt, or exfiltrate data from the impacted host.
Configuration:
1) It is recommended not to enable alarming on this rule until it has had a chance to learn the environment and the events being generated are minimal and relevant. Check on this rule by running the Summary of AI Engine Events report weekly.
2) This is a learning Whitelist rule. It is recommended to re-tune it quarterly, or when false negatives occur, by opening the rule, right-clicking each of the Whitelist Profiles, and selecting “Resync from Rule Block.” It is also recommended to disable alarming while resyncing.
Compromise: Security Event then Scheduled Task
AIE Rule ID: 1303
Attack Lifecycle: Initial Compromise
Rule Description:
A security event on a host followed by creation of a scheduled process.
Common Event: AIE: Compromise: Sec Event then Scheduled Task
Classification: Security : Compromise
Suppression Multiple: 6
Alarm on Event Occurrence: No
Environmental Dependence Factor: Medium
False Positive Probability: 6
Log Sources (minimum)
Host Security Logs/AV/IDS/IPS
Log Sources (recommended)
Sysmon/CarbonBlack
AIE Rule Additional Details
Action: Investigate the host to gather more context around what was done as part of the scheduled task, what security classification preceded it, and what the origin host is. If the origin and impacted host are the same, investigate the security classification further to decide what was classified as a security event and whether the detection is a "True Positive" or "False Positive."
Use Case: A security classification was seen affecting the same host where a scheduled task was started. Using scheduled tasks is a common tactic in malicious attack scenarios, allowing the attacker to execute malicious code remotely on the host as a privileged user.
Lateral: Locally Created and Used
AIE Rule ID: 1304
Attack Lifecycle: Lateral Movement
Rule Description:
An account is created on a host and then used shortly thereafter on the same host.
Common Event: AIE: Lateral: Locally Created and Used
Classification: Security : Compromise
Suppression Multiple: 2
Alarm on Event Occurrence: No
Environmental Dependence Factor: Low
False Positive Probability: 5
Log Sources (minimum)
Host Security Logs
Log Sources (recommended)
Single Sign On Logs
AIE Rule Additional Details
Action: Investigate the local account to decide what it was used for. Run an investigation around the Origin User of the account creation activity to see if any other unusual activity is seen.
Use Case: Local account creation is atypical in a corporate environment and can be used for malicious purposes. Local accounts are typically used to bypass domain authentication and domain policies, which creates an elevated security risk.
Recon: Failed Distributed Account Probe
AIE Rule ID: 1281
Attack Lifecycle: Recon and Planning
Rule Description:
The same external account unsuccessfully attempts to authenticate to multiple hosts within a short period of time.
Common Event: AIE: Recon: Failed External Auth to Multiple Hosts
Classification: Security : Reconnaissance
Suppression Multiple: 6
Alarm on Event Occurrence: No
Environmental Dependence Factor: Low
False Positive Probability: 3
Log Sources (minimum)
Active Directory or LDAP
Log Sources (recommended)
Host Logs
AIE Rule Additional Details
Action: Responses to 'failure' alarms should include hardening the potential victim host and account and blocking the attacker. It is also useful to determine if the attack is a determined effort to compromise the network or just a passing probe. Perform follow-up investigations for additional logs generated by the attacker and victim. Remember that a failure alarm may mean that the attacker was still successful in other attempts.
Use Case: A malicious individual finds a list of users and credentials from a recent data dump. The attacker then attempts to use these credentials on several different hosts, with no successful authentication observed.
Disruption: Critical Windows Binaries Modified/Deleted
AIE Rule ID: 1306
Attack Lifecycle: Disruption
Rule Description:
A change has been made to any executable in the C:\windows\system32 or C:\Windows\Syswow64\ folder.
Common Event: AIE: Disruption: Critical Windows Binaries Mod/Del
Classification: Security : Compromise
Suppression Multiple: 60
Alarm on Event Occurrence: No
Environmental Dependence Factor: Medium
False Positive Probability: 1
Log Sources (minimum)
LogRhythm Sysmon: File Monitor
Log Sources (recommended)
N/A
AIE Rule Additional Details
Action: Investigate the impacted host and decide if the binary is suspicious or known malicious. If found to be suspicious or known malicious, follow your company's normal security incident response process.
Use Case: An attacker is trying to set up the Sticky Keys exploit, renaming sethc.exe to cmd.exe. Changes may also be legitimate, for example during Windows Updates.
Configuration:
1) This rule needs the LogRhythm System Agent File Monitoring Event to be configured along with a FIM Policy to detect Add, Delete, Modify and Permission changes of files found in System32 and SysWOW64.
2) With the introduction of User (Origin), you will need to configure additional tuning to the Primary Criteria in Rule Block 1 to reduce false positives around the Windows System Account performing normally.
a. Open Rule Block 1 and edit the existing filter to add And Previous User (Origin) Is Not: system. System should be what is equivalent to the local system account.
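The configuration steps above amount to three filters: the path must be under System32 or SysWOW64, the file must be an executable, and the User (Origin) must not be the local system account. The block below is an added example, not LogRhythm code or the FIM policy itself, that applies those filters to constructed file-monitor events. The set of executable extensions, the inclusion of subfolders, and the spellings under which the agent reports the SYSTEM account are assumptions.

```python
"""Added example, not LogRhythm code: the rule's filtering logic applied to
constructed file-integrity events. Directory prefixes are compared
case-insensitively, only executable-type extensions count (the extension set
is an assumption), subfolders of System32/SysWOW64 are included (assumption),
and, mirroring the "User (Origin) Is Not: system" tuning, changes attributed
to the local SYSTEM account are dropped.
"""
CRITICAL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
EXECUTABLE_EXTS = {".exe", ".dll", ".sys", ".com", ".scr", ".ocx", ".cpl"}  # assumption
TRACKED_ACTIONS = {"add", "delete", "modify", "permission"}                  # per the FIM policy above
SYSTEM_ACCOUNTS = {"system", "nt authority\\system"}                          # assumption: agent spellings


def normalize(path: str) -> str:
    """Case-fold and use backslashes so prefix checks are reliable."""
    return path.replace("/", "\\").casefold()


def is_critical_binary(path: str) -> bool:
    """True when the path is an executable under one of the critical folders.
    The trailing backslash in CRITICAL_DIRS stops 'System32Extra' matching."""
    p = normalize(path)
    if not any(p.startswith(d) for d in CRITICAL_DIRS):
        return False
    name = p.rsplit("\\", 1)[-1]
    return "." in name and "." + name.rsplit(".", 1)[-1] in EXECUTABLE_EXTS


def critical_binary_changes(events):
    """Return the events the rule would act on after the tuning in step 2a."""
    out = []
    for e in events:
        if e["action"].lower() not in TRACKED_ACTIONS:
            continue
        if e["user"].casefold() in SYSTEM_ACCOUNTS:
            continue  # routine changes by the local system account (Windows Update)
        if is_critical_binary(e["path"]):
            out.append(e)
    return out


SAMPLE_EVENTS = [  # constructed file-monitor events
    {"host": "ws01", "user": "SYSTEM", "action": "modify",
     "path": r"C:\Windows\System32\ntoskrnl.exe"},          # Windows Update; tuned out by the user filter
    {"host": "ws01", "user": "jdoe", "action": "modify",
     "path": r"c:\windows\system32\sethc.exe"},             # flagged (case differs from the policy path)
    {"host": "ws01", "user": "jdoe", "action": "modify",
     "path": r"C:\Windows\System32\drivers\etc\hosts"},     # not an executable
    {"host": "ws02", "user": "svc_deploy", "action": "delete",
     "path": r"C:\Windows\SysWOW64\msvcr120.dll"},          # flagged
    {"host": "ws02", "user": "jdoe", "action": "read",
     "path": r"C:\Windows\System32\cmd.exe"},               # read is not a tracked action
    {"host": "ws02", "user": "jdoe", "action": "add",
     "path": r"C:\Program Files\App\app.exe"},              # outside the critical folders
]

if __name__ == "__main__":
    for e in critical_binary_changes(SAMPLE_EVENTS):
        print(f"{e['host']}: {e['user']} {e['action']} {e['path']}")
```

The SYSTEM exclusion is what keeps patch cycles quiet, and it is also the filter's known blind spot: anything already running as the local system account is invisible to this rule, so it complements rather than replaces process-level monitoring on the same host.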
Progression: to Target Attainment
AIE Rule ID: 1297
Attack Lifecycle: Progression
Rule Description:
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as any earlier stage is followed by Target Attainment with the same user or host.
Common Event: AIE: Progression: to Target Attainment
Classification: Security : Compromise
Suppression Multiple: 1
Alarm on Event Occurrence: Yes
Environmental Dependence Factor: High
False Positive Probability: 1
Log Sources (minimum)
AI Engine Events
Log Sources (recommended)
N/A
AIE Rule Additional Details
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Compromise: CloudAI and Location Watch List
AIE Rule ID: 1308
Attack Lifecycle: Initial Compromise
Rule Description:
CloudAI anomalous authentication location activity observation and AI Engine observed authentication events for the same user identity involving a location on the Location Watch List.
Common Event: AIE: Compromise: CloudAI and Location Watch List
Classification: Security : Compromise
Suppression Multiple: 1
Alarm on Event Occurrence: No
Environmental Dependence Factor: Medium
False Positive Probability: 4
Log Sources (minimum)
LogRhythm UEBA Events
Log Sources (recommended)
VPN Logs
AIE Rule Additional Details
Action:
Evaluate the anomalous user in CloudAI dashboard or CloudAI dashboard widgets to decide if the anomaly is benign or suspicious. Additionally, investigate the User (Origin) Identity around the time of the observed CloudAI anomaly for any suspicious authentications involving locations.
Use Case:
A user’s authentication location behavior has changed sufficiently that the user’s behavior is anomalous as decided by CloudAI. Detailed locations of the user authentications are needed to aid the analyst in deciding if the locations are suspicious.
Configuration:
The LogRhythm CloudAI service populates CloudAI rules to find anomalous user activity based on many indicators. LogRhythm CloudAI data is needed for this AI Engine rule - for more information please contact your Customer Relationship Manager.
This rule uses two lists, the “CloudAI: Ignore for 24 Hours” and “Location Watch List”. The following is how to configure and use the rule:
1. The “CloudAI: Ignore for 24 Hours” list. Place user identities that you may want to ignore for 24 hours here that are generating many events for a known reason that would otherwise cause this rule to event and alarm if configured to do so.
2. Populate the “Location Watch List” List.
a. Recommended that you review this list for accuracy at least quarterly.
Adjust the threshold score according to your company’s assessment of acceptable risk. To adjust the score:
1. Open the rule in AI Engine Rule Wizard.
2. On the Threshold Rule Block, Right Click and select Properties.
3. Select the Thresholds Tab.
4. Change the value under Threshold.
5. Click OK to close the AI Engine Rule Block Wizard.
6. Click OK to close the AI Engine Rule Wizard.
Compromise: CloudAI and User Recently Added to a Privileged Group
AIE Rule ID: 1309
Attack Lifecycle: Initial Compromise
Rule Description:
CloudAI anomalous user activity observation and AI Engine observed user identity recently added to a group on the privileged group list.
Common Event: AIE: Compromise: CloudAI and User Recently Added t
Classification: Security : Compromise
Suppression Multiple: 1
Alarm on Event Occurrence: No
Environmental Dependence Factor: Medium
False Positive Probability: 4
Log Sources (minimum)
LogRhythm UEBA Events/Active Directory or LDAP
Log Sources (recommended)
Host Logs
AIE Rule Additional Details
Action:
Evaluate the anomalous user in CloudAI dashboard or CloudAI dashboard widgets to decide if the anomaly is benign or suspicious.
Use Case:
A user’s behavior has changed sufficiently that the user’s behavior is anomalous as decided by CloudAI and the user was recently added to a group on the privileged group list, showing more risk and possible insider threat.
Configuration:
The LogRhythm CloudAI service populates CloudAI rules to find anomalous user activity based on many indicators. LogRhythm CloudAI data is needed for this AI Engine rule - for more information please contact your Customer Relationship Manager.
This rule uses two lists, the “CloudAI: Ignore for 24 Hours” and “Privileged Groups”. The following is how to configure and use the rule:
1. The “CloudAI: Ignore for 24 Hours” list. Place user identities that you may want to ignore for 24 hours here that are generating many events for a known reason that would otherwise cause this rule to event and alarm if configured to do so.
2. It is recommended that you populate the Privileged Groups List with the following values. Note: Your deployment may vary, and the following groups may or may not be available.
a. Any “Admin” named group
b. account operators
c. adm
d. administrators
e. bin
f. domain admins
g. enterprise admins
h. lpadmin
i. sudoers
j. sys
k. wheel
3. Recommended that you review this list for accuracy at least quarterly.
Adjust the threshold score according to your company’s assessment of acceptable risk. To adjust the score:
1. Open the rule in AI Engine Rule Wizard.
2. On the Threshold Rule Block, Right Click and select Properties.
3. Select the Thresholds Tab.
4. Change the value under Threshold.
5. Click OK to close the AI Engine Rule Block Wizard.
6. Click OK to close the AI Engine Rule Wizard.
Compromise: CloudAI and User related Security Classification Event
AIE Rule ID: 1310
Attack Lifecycle: Initial Compromise
Rule Description:
CloudAI anomalous user activity observation and AI Engine observed user activity associated with a security classification.
Common Event: AIE: Compromise: CloudAI and User related Security
Classification: Security : Compromise
Suppression Multiple: 1
Alarm on Event Occurrence: No
Environmental Dependence Factor: Medium
False Positive Probability: 3
Log Sources (minimum)
LogRhythm UEBA Events/Any Log Source
Log Sources (recommended)
N/A
AIE Rule Additional Details
Action:
Evaluate the anomalous user in CloudAI dashboard or CloudAI dashboard widgets to decide if the anomaly is benign or suspicious. Additionally, evaluate the User (Origin) Identity activity associated with any security classification around the time of the CloudAI anomalous user activity.
Use Case:
A user’s behavior has changed sufficiently that the user’s behavior is anomalous as decided by CloudAI and the user’s activity is associated with a security classification, showing more risk and possible insider threat.
Configuration:
The LogRhythm CloudAI service populates CloudAI rules to find anomalous user activity based on many indicators. LogRhythm CloudAI data is needed for this AI Engine rule - for more information please contact your Customer Relationship Manager.
Adjust the threshold score according to your company’s assessment of acceptable risk. To adjust the score:
1. Open the rule in AI Engine Rule Wizard.
2. On the Threshold Rule Block, Right Click and select Properties.
3. Select the Thresholds Tab.
4. Change the value under Threshold.
5. Click OK to close the AI Engine Rule Block Wizard.
6. Click OK to close the AI Engine Rule Wizard.
Compromise: CloudAI Threat Event and Identity Lists
AIE Rule ID: 1336
Attack Lifecycle: Initial Compromise
Rule Description:
CloudAI anomalous user activity observation and AI Engine observed user on the following user lists:
Privileged Users
Executive Users
Watched Users
Common Event: AIE: Compromise: CloudAI Threat Event and Identity
Classification: Security : Suspicious
Suppression Multiple: 60
Alarm on Event Occurrence: No
Environmental Dependence Factor: Medium
False Positive Probability: 2
Log Sources (minimum)
LogRhythm UEBA Events/Active Directory or LDAP
Log Sources (recommended)
Host Logs
AIE Rule Additional Details
Action:
Evaluate the anomalous user in CloudAI dashboard or CloudAI dashboard widgets to decide if the anomaly is benign or suspicious. Additionally, evaluate the User (Origin) Identity activity associated with any security classification around the time of the CloudAI anomalous user activity.
Use Case:
A user’s behavior has changed sufficiently that the user’s behavior is anomalous as decided by CloudAI and the user is on one of the configured user lists, showing more risk and possible insider threat.
Configuration:
The LogRhythm CloudAI service populates CloudAI rules to find anomalous user activity based on many indicators. LogRhythm CloudAI data is needed for this AI Engine rule - for more information please contact your Customer Relationship Manager.
This rule uses four lists:
CloudAI: Ignore for 24 Hours
Privileged Users
Executive Users
Watched Users
The following is how to configure and use the rule:
1. The “CloudAI: Ignore for 24 Hours” list. Place user identities that you may want to ignore for 24 hours here that are generating many events for a known reason that would otherwise cause this rule to event and alarm if configured to do so.
2. Populate the “Watched Users”, “Privileged Users”, and “Executive Users” lists.
a. Recommended that you review these lists for accuracy at least quarterly.
Adjust the threshold score according to your company’s assessment of acceptable risk. To adjust the score:
1. Open the rule in AI Engine Rule Wizard.
2. On the Threshold Rule Block, Right Click and select Properties.
3. Select the Thresholds Tab.
4. Change the value under Threshold.
5. Click OK to close the AI Engine Rule Block Wizard.
6. Click OK to close the AI Engine Rule Wizard.
Compromise: CloudAI Threat Event
AIE Rule ID: 1312
Attack Lifecycle: Initial Compromise
Rule Description:
Any CloudAI anomalous user activity observation and event generation of the observation.
Common Event: AIE: Compromise: CloudAI Threat Event
Classification: Security : Suspicious
Suppression Multiple: 60
Alarm on Event Occurrence: No
Environmental Dependence Factor: Medium
False Positive Probability: 5
Log Sources (minimum)
LogRhythm UEBA Events/Active Directory or LDAP
Log Sources (recommended)
Host Logs
AIE Rule Additional Details
Action:
Evaluate the anomalous user in CloudAI dashboard or CloudAI dashboard widgets to decide if the anomaly is benign or suspicious. Additionally, evaluate the User (Origin) Identity activity associated with any security classification around the time of the CloudAI anomalous user activity.
Use Case:
A user’s behavior has changed sufficiently that the user’s behavior is anomalous as decided by CloudAI and the user is on the watch list, showing more risk and possible insider threat.
This rule is best suited to being enabled to create events in the event database. This will likely aid you in the following ways:
• Events generated can be displayed on the Web UI Dashboards.
• Events can be used for reporting and compliance purposes.
• Events can be used to confirm that AI Engine did process the CloudAI observation.
• Rule can be used to event and alarm on other observations that are not already accounted for in other AI Engine rules.
Configuration:
The LogRhythm CloudAI service populates CloudAI rules to find anomalous user activity based on many indicators. LogRhythm CloudAI data is needed for this AI Engine rule - for more information please contact your Customer Relationship Manager.
Enable the rule to generate CloudAI observation events into the events database.
Exfiltration: CloudAI and File (NGFW) Detection
AIE Rule ID: 1490
Attack Lifecycle: Exfil
Rule Description:
Any CloudAI anomalous user activity observation and important file activity observed by appliances like Next Generation Firewalls (NGFW).
Common Event: AIE: Exfiltration: CloudAI and File NGFW Detection
Classification: Security : Suspicious
Suppression Multiple: 1
Alarm on Event Occurrence: No
Environmental Dependence Factor: Low
False Positive Probability: 5
Log Sources (minimum)
CloudAI/NGFW
Log Sources (recommended)
N/A
AIE Rule Additional Details
Action:
Evaluate the anomalous user in CloudAI dashboard or CloudAI dashboard widgets to decide if the anomaly is benign or suspicious. Additionally, evaluate the User (Origin) Identity activity associated with any security classification around the time of the CloudAI anomalous user activity.
Use Case:
A user’s behavior has changed sufficiently that the user’s behavior is anomalous as decided by CloudAI. Files in motion that might otherwise be normal are now called into question to help determine whether data exfiltration has occurred.
This rule is best suited to being enabled to create events in the event database. This will likely aid you in the following ways:
• Events generated can be displayed on the Web UI Dashboards.
• Events can be used for reporting and compliance purposes.
• Events can be used to confirm that AI Engine did process the CloudAI observation.
• Rule can be used to event and alarm on other observations that are not already accounted for in other AI Engine rules.
Configuration:
The LogRhythm CloudAI service populates CloudAI rules to find anomalous user activity based on many indicators. LogRhythm CloudAI data is needed for this AI Engine rule - for more information please contact your Customer Relationship Manager.
Enable the rule to generate CloudAI observation events into the events database.
Compromise: Change to Host File
AIE Rule ID: 1305
Attack Lifecycle: Initial Compromise
Rule Description:
A change has been made to a local 'hosts' file, indicating that an IP has been statically assigned to a hostname.
Common Event: AIE: Compromise: Change to Host File
Classification: Security : Compromise
Suppression Multiple: 3600
Alarm on Event Occurrence: No
Environmental Dependence Factor: Medium
False Positive Probability: 1
Log Sources (minimum)
LogRhythm Sysmon: File Monitor
Log Sources (recommended)
N/A
AIE Rule Additional Details
Action: Investigate the Host File to decide who made the change and confirm whether the change was approved or whether an unknown, malicious process changed the Host File. If the change is found to be unknown, or malicious activity was involved in changing the Host File, follow your company's normal security incident response process.
Use Case: Changes to a local Host File can be used to redirect a known-good DNS name to a possibly malicious address on the network. Changes to a local Host File can also be made in legitimate operational use, to give a DNS name to an IP address that may not have one internally, or as a loopback entry on the system.
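The following is an added example, not LogRhythm's code or the logic of rule 1305: it parses hosts-file content (the same format on Windows and Unix) and diffs a baseline snapshot against the current file, flagging names that have gained a non-loopback mapping, which is the case the Use Case above singles out as worth investigating, while loopback-style entries are reported but treated as the usual legitimate operational use. The two hosts-file texts are constructed sample input, and the "non-loopback means suspicious" rule of thumb is an assumption of this example.

```python
import ipaddress

# Constructed sample input: a baseline snapshot of a hosts file and the
# current file after a change. Neither is taken from a real system.
BASELINE_HOSTS = """# baseline hosts file
127.0.0.1   localhost
::1         localhost
127.0.0.1   myapp.local
"""

CURRENT_HOSTS = """# current hosts file
127.0.0.1   localhost
::1         localhost
127.0.0.1   myapp.local
127.0.0.1   devbox.local           # developer loopback alias
203.0.113.5 intranet.example.com   # new static mapping for a real name
"""


def parse_hosts(text):
    """Return {hostname: set(ip_strings)} from hosts-file content.

    Comments (after '#') and blank lines are ignored; a line whose first
    field is not a valid IP address is skipped as malformed.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            mapping.setdefault(name.lower(), set()).add(ip)
    return mapping


def diff_hosts(baseline_text, current_text):
    """Return a list of (hostname, old_ips, new_ips, suspicious) for every
    name whose mapping differs between baseline and current.

    suspicious is True when the name gained at least one mapping to a
    non-loopback address (assumption: that is the redirect case worth an
    investigation; loopback aliases are the common legitimate use).
    """
    base = parse_hosts(baseline_text)
    cur = parse_hosts(current_text)
    findings = []
    for name in sorted(set(base) | set(cur)):
        old, new = base.get(name, set()), cur.get(name, set())
        if old == new:
            continue
        added = new - old
        suspicious = any(not ipaddress.ip_address(ip).is_loopback for ip in added)
        findings.append((name, sorted(old), sorted(new), suspicious))
    return findings


if __name__ == "__main__":
    for name, old, new, suspicious in diff_hosts(BASELINE_HOSTS, CURRENT_HOSTS):
        flag = "INVESTIGATE" if suspicious else "info"
        print(f"[{flag}] {name}: {old or '-'} -> {new}")
```

On a real host the baseline would be a snapshot taken when the file was last approved, and the current text read from the file the file-integrity monitor reported as changed; the diff then tells the analyst exactly which name was pointed where.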
Progression: to Lateral Movement
AIE Rule ID: 1291
Attack Lifecycle: Progression
Rule Description:
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as an earlier stage is followed by Lateral Movement with the same user or host.
Common Event: AIE: Progression: to Lateral Movement
Classification: Security : Attack
Suppression Multiple: 1
Alarm on Event Occurrence: Yes
Environmental Dependence Factor: High
False Positive Probability: 1
Log Sources (minimum)
AI Engine Events
Log Sources (recommended)
N/A
AIE Rule Additional Details
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Exfiltration: CloudAI and Sensitive Data (NGFW) Detection
AIE Rule ID: 1491
Attack Lifecycle: Exfil
Rule Description:
Any CloudAI anomalous user activity observation and sensitive data activity observed by appliances like Next Generation Firewalls (NGFW).
Common Event: AIE: Exfiltration: CloudAI Sensitive Data NGFW Det
Classification: Security : Suspicious
Suppression Multiple: 1
Alarm on Event Occurrence: No
Environmental Dependence Factor: Low
False Positive Probability: 5
Log Sources (minimum)
CloudAI/NGFW
Log Sources (recommended)
N/A
AIE Rule Additional Details
Action:
Evaluate the anomalous user in CloudAI dashboard or CloudAI dashboard widgets to decide if the anomaly is benign or suspicious. Additionally, evaluate the User (Origin) Identity activity associated with any security classification around the time of the CloudAI anomalous user activity.
Use Case:
A user’s behavior has changed sufficiently that CloudAI has decided it is anomalous. Sensitive file transfer activity, detected by keywords in the file while it is in motion, that might otherwise look normal is now called into question, to help determine whether data exfiltration has occurred.
This rule is best suited to being enabled so that it creates events in the event database. This will likely aid you in the following ways:
• Events generated can be displayed on the Web UI Dashboards.
• Events can be used for reporting and compliance purposes.
• Events can be used to confirm that AI Engine did process the CloudAI observation.
• The rule can be used to generate events and alarms on other observations that are not already accounted for in other AI Engine rules.
Configuration:
The LogRhythm CloudAI service populates CloudAI rules to find anomalous user activity based on many indicators. LogRhythm CloudAI data is needed for this AI Engine rule - for more information please contact your Customer Relationship Manager.
Enable the rule to generate CloudAI observation events into the events database.
Progression: to Initial Compromise
AIE Rule ID: 1284
Attack Lifecycle: Progression
Rule Description:
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as Reconnaissance and Planning is followed by Initial Compromise with the same user or host.
Common Event: AIE: Progression: to Initial Compromise
Classification: Security : Attack
Suppression Multiple: 1
Alarm on Event Occurrence: Yes
Environmental Dependence Factor: High
False Positive Probability: 1
Log Sources (minimum)
AI Engine Events
Log Sources (recommended)
N/A
AIE Rule Additional Details
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Progression: to Command and Control
AIE Rule ID: 1285
Attack Lifecycle: Progression
Rule Description:
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as Reconnaissance and Planning or Initial Compromise is followed by Command and Control with the same user or host.
Common Event: AIE: Progression: to Command and Control
Classification: Security : Attack
Suppression Multiple: 1
Alarm on Event Occurrence: Yes
Environmental Dependence Factor: High
False Positive Probability: 1
Log Sources (minimum)
AI Engine Events
Log Sources (recommended)
N/A
AIE Rule Additional Details
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Progression: to Lateral Movement
AIE Rule ID: 1286
Attack Lifecycle: Progression
Rule Description:
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as an earlier stage is followed by Lateral Movement with the same user or host.
Common Event: AIE: Progression: to Lateral Movement
Classification: Security : Attack
Suppression Multiple: 1
Alarm on Event Occurrence: Yes
Environmental Dependence Factor: High
False Positive Probability: 1
Log Sources (minimum)
AI Engine Events
Log Sources (recommended)
N/A
AIE Rule Additional Details
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Progression: to Target Attainment
AIE Rule ID: 1287
Attack Lifecycle: Progression
Rule Description:
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as any earlier stage is followed by Target Attainment with the same user or host.
Common Event: AIE: Progression: to Target Attainment
Classification: Security : Compromise
Suppression Multiple: 1
Alarm on Event Occurrence: Yes
Environmental Dependence Factor: High
False Positive Probability: 1
Log Sources (minimum)
AI Engine Events
Log Sources (recommended)
N/A
AIE Rule Additional Details
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Progression: to Exfil, Corruption, Disruption
AIE Rule ID: 1288
Attack Lifecycle: Progression
Rule Description:
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as any earlier stage is followed by Exfiltration, Corruption, Disruption with the same user or host.
Common Event: AIE: Progression: to Exfil, Corruption, Disruption
Classification: Security : Compromise
Suppression Multiple: 1
Alarm on Event Occurrence: Yes
Environmental Dependence Factor: High
False Positive Probability: 1
Log Sources (minimum)
AI Engine Events
Log Sources (recommended)
N/A
AIE Rule Additional Details
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Compromise: Log Cleared
AIE Rule ID: 1299
Attack Lifecycle: Initial Compromise
Rule Description:
A compromise event from an external source followed by the audit log being cleared on the same compromised host.
Common Event: AIE: Compromise: Log Cleared
Classification: Security : Compromise
Suppression Multiple: 1
Alarm on Event Occurrence: No
Environmental Dependence Factor: Low
False Positive Probability: 3
Log Sources (minimum)
Host Security Logs/AV/IDS/IPS
Log Sources (recommended)
NextGen Firewall
AIE Rule Additional Details
Action: Run investigations for the impacted host and user that performed the activity. Check what process cleared the audit log and make sure it is legitimate.
Use Case: An attacker compromises a host and clears the audit log to cover their tracks.
Progression: to Command and Control
AIE Rule ID: 1290
Attack Lifecycle: Progression
Rule Description:
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as Reconnaissance and Planning or Initial Compromise is followed by Command and Control with the same user or host.
Common Event: AIE: Progression: to Command and Control
Classification: Security : Attack
Suppression Multiple: 1
Alarm on Event Occurrence: Yes
Environmental Dependence Factor: High
False Positive Probability: 1
Log Sources (minimum)
AI Engine Events
Log Sources (recommended)
N/A
AIE Rule Additional Details
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Progression: to Exfil, Corruption, Disruption
AIE Rule ID: 1298
Attack Lifecycle: Progression
Rule Description:
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as any earlier stage is followed by Exfiltration, Corruption, Disruption with the same user or host.
Common Event: AIE: Progression: to Exfil, Corruption, Disruption
Classification: Security : Compromise
Suppression Multiple: 1
Alarm on Event Occurrence: Yes
Environmental Dependence Factor: High
False Positive Probability: 1
Log Sources (minimum)
AI Engine Events
Log Sources (recommended)
N/A
AIE Rule Additional Details
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Progression: to Target Attainment
AIE Rule ID: 1292
Attack Lifecycle: Progression
Rule Description:
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as any earlier stage is followed by Target Attainment with the same user or host.
Common Event: AIE: Progression: to Target Attainment
Classification: Security : Compromise
Suppression Multiple: 1
Alarm on Event Occurrence: Yes
Environmental Dependence Factor: High
False Positive Probability: 1
Log Sources (minimum)
AI Engine Events
Log Sources (recommended)
N/A
AIE Rule Additional Details
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Progression: to Exfil, Corruption, Disruption
AIE Rule ID: 1293
Attack Lifecycle: Progression
Rule Description:
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as any earlier stage is followed by Exfiltration, Corruption, Disruption with the same user or host.
Common Event: AIE: Progression: to Exfil, Corruption, Disruption
Classification: Security : Compromise
Suppression Multiple: 1
Alarm on Event Occurrence: Yes
Environmental Dependence Factor: High
False Positive Probability: 1
Log Sources (minimum)
AI Engine Events
Log Sources (recommended)
N/A
AIE Rule Additional Details
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Progression: to Initial Compromise
AIE Rule ID: 1294
Attack Lifecycle: Progression
Rule Description:
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as Reconnaissance and Planning is followed by Initial Compromise with the same user or host.
Common Event: AIE: Progression: to Initial Compromise
Classification: Security : Attack
Suppression Multiple: 1
Alarm on Event Occurrence: Yes
Environmental Dependence Factor: High
False Positive Probability: 1
Log Sources (minimum)
AI Engine Events
Log Sources (recommended)
N/A
AIE Rule Additional Details
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Progression: to Command and Control
AIE Rule ID: 1295
Attack Lifecycle: Progression
Rule Description:
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as Reconnaissance and Planning or Initial Compromise is followed by Command and Control with the same user or host.
Common Event: AIE: Progression: to Command and Control
Classification: Security : Attack
Suppression Multiple: 1
Alarm on Event Occurrence: Yes
Environmental Dependence Factor: High
False Positive Probability: 1
Log Sources (minimum)
AI Engine Events
Log Sources (recommended)
N/A
AIE Rule Additional Details
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Progression: to Lateral Movement
AIE Rule ID: 1296
Attack Lifecycle: Progression
Rule Description:
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as an earlier stage is followed by Lateral Movement with the same user or host.
Common Event: AIE: Progression: to Lateral Movement
Classification: Security : Attack
Suppression Multiple: 1
Alarm on Event Occurrence: Yes
Environmental Dependence Factor: High
False Positive Probability: 1
Log Sources (minimum)
AI Engine Events
Log Sources (recommended)
N/A
AIE Rule Additional Details
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
Recon: Failed Distributed Brute Force
AIE Rule ID: 1282
Attack Lifecycle: Recon and Planning
Rule Description:
Multiple failed authentication attempts from different external origin hosts to the same impacted host using the same origin login, without seeing an authentication success.
Common Event: AIE: Recon: Failed External Auth from Multiple Hos
Classification: Security : Reconnaissance
Suppression Multiple: 12
Alarm on Event Occurrence: No
Environmental Dependence Factor: Low
False Positive Probability: 3
Log Sources (minimum)
Active Directory or LDAP
Log Sources (recommended)
Host Logs
AIE Rule Additional Details
Action: Investigate to determine whether authentication to this account has been attempted from the Origin Hosts previously; if not, you may want to disable the account until an investigation can determine whether the account was compromised. Also determine whether the Origin Hosts have been seen authenticating previously or are new. If they are new, you may want to block their IPs and/or subnets from being allowed to authenticate to the network.
Use Case: An attacker knows a login id to a specific host and repeatedly attempts to authenticate using various passwords from different origin hosts to mask the password guessing activity, and no successful authentication is observed.
Progression: to Initial Compromise
AIE Rule ID: 1289
Attack Lifecycle: Progression
Rule Description:
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity categorized as Reconnaissance and Planning is followed by Initial Compromise with the same user or host.
Common Event: AIE: Progression: to Initial Compromise
Classification: Security : Attack
Suppression Multiple: 1
Alarm on Event Occurrence: Yes
Environmental Dependence Factor: High
False Positive Probability: 1
Log Sources (minimum)
AI Engine Events
Log Sources (recommended)
N/A
AIE Rule Additional Details
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User or Host specified to look for related activity.
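All of the Progression rules above (1284 through 1298) share one correlation: an AIE feedback event from an earlier attack lifecycle stage followed by one from a later stage, with a Host (Impacted), Host (Origin) or User (Origin) in common. The following is an added example, not LogRhythm's AI Engine code, of that correlation run over a handful of constructed AIE events. The stage order, the 24-hour window, the event field names and the decision to treat a match between any host field of the earlier event and any host field of the later one as "in common" are all assumptions of this example.

```python
from datetime import datetime, timedelta

# Attack lifecycle stage order used by the Progression rules (assumed ordering).
STAGES = ["Recon and Planning", "Initial Compromise", "Command and Control",
          "Lateral Movement", "Target Attainment", "Exfil, Corruption, Disruption"]
RANK = {stage: i for i, stage in enumerate(STAGES)}

# Constructed AIE feedback events; rule names are taken from this guide,
# the field names and values are made up for the example.
SAMPLE_AIE_EVENTS = [
    {"ts": "2024-03-01T10:00:00", "rule": "Recon: Failed Distributed Brute Force",
     "stage": "Recon and Planning", "user_origin": "jsmith",
     "host_origin": "203.0.113.10", "host_impacted": "vpn01"},
    {"ts": "2024-03-01T10:20:00", "rule": "Compromise: Change to Host File",
     "stage": "Initial Compromise", "user_origin": None,
     "host_origin": None, "host_impacted": "ws042"},
    {"ts": "2024-03-01T11:00:00", "rule": "Lateral: Multiple Account Passwords Modified by Admin",
     "stage": "Lateral Movement", "user_origin": "jsmith",
     "host_origin": "ws042", "host_impacted": "dc01"},
    {"ts": "2024-03-01T11:30:00", "rule": "Attainment: Abnormal File Access",
     "stage": "Target Attainment", "user_origin": "bob",
     "host_origin": "ws099", "host_impacted": "fs01"},
]

# Which earlier stages each Progression rule on this page accepts (None = any earlier stage).
PROGRESSION_RULES = {
    "Progression: to Initial Compromise": ("Initial Compromise", ["Recon and Planning"]),
    "Progression: to Command and Control": ("Command and Control",
                                            ["Recon and Planning", "Initial Compromise"]),
    "Progression: to Lateral Movement": ("Lateral Movement", None),
    "Progression: to Target Attainment": ("Target Attainment", None),
    "Progression: to Exfil, Corruption, Disruption": ("Exfil, Corruption, Disruption", None),
}


def entities(event):
    """Set of ('host', name) and ('user', name) identities carried by an event."""
    found = set()
    for field in ("host_origin", "host_impacted"):
        if event.get(field):
            found.add(("host", event[field]))
    if event.get("user_origin"):
        found.add(("user", event["user_origin"]))
    return found


def find_progressions(events, to_stage, from_stages=None, window=timedelta(hours=24)):
    """Return one finding per (earlier, later) pair where the later event is at
    to_stage, the earlier event is at an accepted earlier stage, the two fall
    inside the window, and they share at least one host or user identity.
    """
    ordered = sorted(events, key=lambda e: e["ts"])
    findings = []
    for later in ordered:
        if later["stage"] != to_stage:
            continue
        later_ts = datetime.fromisoformat(later["ts"])
        for earlier in ordered:
            earlier_ts = datetime.fromisoformat(earlier["ts"])
            if not (earlier_ts < later_ts <= earlier_ts + window):
                continue
            if RANK[earlier["stage"]] >= RANK[to_stage]:
                continue
            if from_stages is not None and earlier["stage"] not in from_stages:
                continue
            common = entities(earlier) & entities(later)
            if common:
                findings.append({"earlier": earlier["rule"], "later": later["rule"],
                                 "common": sorted(common)})
    return findings


def run_all_progression_rules(events):
    """Apply every Progression rule from the page and return {rule name: findings}."""
    return {name: find_progressions(events, to_stage, from_stages)
            for name, (to_stage, from_stages) in PROGRESSION_RULES.items()}


if __name__ == "__main__":
    for name, hits in run_all_progression_rules(SAMPLE_AIE_EVENTS).items():
        for hit in hits:
            print(f"{name}: {hit['earlier']} -> {hit['later']} via {hit['common']}")
```

With the constructed events, the Lateral Movement rule fires twice for the same later event: once because the brute-force recon and the password changes share the user jsmith, and once because the hosts-file change and the password changes share the host ws042. The abnormal file access by bob on unrelated hosts produces nothing, which is the "same user or host" constraint doing its job.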