The following table lists, for each AIE rule in the UEBA Module, the log source types that must be collected for the rule to function (minimum) and the additional sources that make the rule more effective (recommended).

| AIE Rule ID | AIE Rule Name | Log Sources (minimum) | Log Sources (recommended) |
|---|---|---|---|
| 1245 | Attainment: Abnormal File Access | LogRhythm Sysmon | Other File Integrity Monitoring |
| 1246 | Attainment: Corroborated Account Anomalies | AI Engine Events | AI Engine Events |
| 1247 | C2: Abnormal Origin Location | Active Directory or LDAP | Host Logs |
| 1248 | Compromise: Abnormal Process Activity | Host Logs | LogRhythm Sysmon |
| 1249 | C2: Blacklist Location Auth | Active Directory or LDAP | Host Logs |
| 1250 | Compromise: Concurrent VPN from Multiple Locations | Authentication Log Sources | N/A |
| 1251 | Recon: Linux sudo Privilege Escalation | Linux Host Logs | Active Directory or LDAP |
| 1252 | Compromise: Windows RunAs Privilege Escalation | Windows Host Logs | Active Directory or LDAP |
| 1253 | Compromise: Auth After Numerous Failed Auths | Active Directory or LDAP | Host Logs |
| 1254 | Compromise: Auth After Security Event | Intrusion Detection System and Host Logs | Intrusion Detection System and LogRhythm Sysmon |
| 1255 | Compromise: Distributed Brute Force | Active Directory or LDAP | Host Logs, Web Server Logs |
| 1256 | Compromise: External Brute Force Auths | Active Directory or LDAP | Host Logs, Web Server Logs, VPN |
| 1257 | Compromise: Lateral Movement With Account Sweep | Active Directory or LDAP | Host Logs |
| 1258 | Corruption: Audit Disabled by Admin | Host Logs | LogRhythm Sysmon |
| 1259 | Disruption: Files Deleted by Admin | Host Logs | Active Directory or LDAP, LogRhythm Sysmon |
| 1260 | Lateral: Abnormal Auth Behavior | Active Directory or LDAP | Host Logs |
| 1261 | Compromise: Account Added to Admin Group | Active Directory or LDAP | Host Logs |
| 1262 | Lateral: Admin Password Modified | Active Directory or LDAP | Host Logs |
| 1263 | Lateral: Auth After Dispersed Failed Auths | Active Directory or LDAP | Host Logs |
| 1264 | Lateral: Brute Force Internal Auth Failure | Active Directory or LDAP | Host Logs |
| 1265 | Lateral: External Attack then Account Creation | Active Directory or LDAP | Host Logs |
| 1266 | Lateral: Failed Auths then Success | Active Directory or LDAP | Host Logs |
| 1267 | Lateral: Internal Attack then Account Creation | Intrusion Detection System and Active Directory or LDAP | Intrusion Detection System and Host Logs |
| 1268 | Lateral: Internal Recon then Account Creation | Intrusion Detection System and Active Directory or LDAP | Intrusion Detection System and Host Logs |
| 1269 | Lateral: Multiple Account Passwords Modified by Admin | Active Directory or LDAP | Host Logs |
| 1270 | Lateral: Numerous and Dispersed Internal Failed Auths | Active Directory or LDAP | Host Logs |
| 1271 | Lateral: Numerous Internal Failed Auths | Active Directory or LDAP | Host Logs |
| 1272 | Lateral: Password Modified by Admin | Active Directory or LDAP | Host Logs |
| 1273 | Lateral: Privilege Escalation after Attack | Intrusion Detection System and Host Logs | Intrusion Detection System and LogRhythm Sysmon |
| 1278 | Compromise: CloudAI Multiple User Threat Events | LogRhythm UEBA Events | N/A |
| 1279 | Recon: Disabled Account Auth Failures | Active Directory or LDAP | Host Logs |
| 1281 | Recon: Failed Distributed Account Probe | Active Directory or LDAP | Host Logs |
| 1282 | Recon: Failed Distributed Brute Force | Active Directory or LDAP | Host Logs |
| 1283 | Recon: Multiple Lockouts | Active Directory or LDAP | Host Logs |
| 1284 | Progression: to Initial Compromise | AI Engine Events | N/A |
| 1285 | Progression: to Command and Control | AI Engine Events | N/A |
| 1286 | Progression: to Lateral Movement | AI Engine Events | N/A |
| 1287 | Progression: to Target Attainment | AI Engine Events | N/A |
| 1288 | Progression: to Exfil, Corruption, Disruption | AI Engine Events | N/A |
| 1289 | Progression: to Initial Compromise | AI Engine Events | N/A |
| 1290 | Progression: to Command and Control | AI Engine Events | N/A |
| 1291 | Progression: to Lateral Movement | AI Engine Events | N/A |
| 1292 | Progression: to Target Attainment | AI Engine Events | N/A |
| 1293 | Progression: to Exfil, Corruption, Disruption | AI Engine Events | N/A |
| 1294 | Progression: to Initial Compromise | AI Engine Events | N/A |
| 1295 | Progression: to Command and Control | AI Engine Events | N/A |
| 1296 | Progression: to Lateral Movement | AI Engine Events | N/A |
| 1297 | Progression: to Target Attainment | AI Engine Events | N/A |
| 1298 | Progression: to Exfil, Corruption, Disruption | AI Engine Events | N/A |
| 1299 | Compromise: Log Cleared | Host Security Logs/AV/IDS/IPS | NextGen Firewall |
| 1300 | Compromise: Security Event then Process Starting | Host Security Logs/AV/IDS/IPS | NextGen Firewall |
| 1301 | Compromise: System Time Change | Host Security Logs/IDS/IPS | NextGen Firewall |
| 1302 | Compromise: Unusual Auth then Unusual Process | Host Security Logs/AD/LDAP | LogRhythm Sysmon |
| 1303 | Compromise: Security Event then Scheduled Task | Host Security Logs/AV/IDS/IPS | Sysmon/CarbonBlack |
| 1304 | Lateral: Locally Created and Used | Host Security Logs | Single Sign On Logs |
| 1305 | Compromise: Change to Host File | LogRhythm Sysmon: File Monitor | N/A |
| 1306 | Disruption: Critical Windows Binaries Modified/Deleted | LogRhythm Sysmon: File Monitor | N/A |
| 1307 | Compromise: CloudAI and Recent User Location Data Observed | LogRhythm UEBA Events | VPN Logs |
| 1308 | Compromise: CloudAI and Location Watch List | LogRhythm UEBA Events | VPN Logs |
| 1309 | Compromise: CloudAI and User Recently Added to a Privileged Group | LogRhythm UEBA Events/Active Directory or LDAP | Host Logs |
| 1310 | Compromise: CloudAI and User related Security Classification Event | LogRhythm UEBA Events/Any Log Source | N/A |
| 1312 | Compromise: CloudAI Threat Event | LogRhythm UEBA Events/Active Directory or LDAP | Host Logs |
| 1336 | Compromise: CloudAI Threat Event and Identity Lists | LogRhythm UEBA Events/Active Directory or LDAP | Host Logs |
| 1490 | Exfiltration: CloudAI and File (NGFW) Detection | CloudAI/NGFW | N/A |
| 1491 | Exfiltration: CloudAI and Sensitive Data (NGFW) Detection | CloudAI/NGFW | N/A |
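A practical use of this table is to check which UEBA rules can actually fire given the log source types an environment is already collecting, so that gaps are found before the rules are enabled rather than after they stay silent. The script below is an added example, not LogRhythm code: it parses rows in the table's markdown format, turns each log-source cell into a requirement, and reports each rule as `recommended`, `minimum` or `gap`. The requirement semantics are an assumption, not something the page states: `and` and comma-separated entries are all treated as required, while `/` and `or` are treated as alternatives (confirm the `/` reading against the rule's actual block configuration for the CloudAI rows). The rule excerpt and the `COLLECTED` list are constructed sample data.

```python
"""Coverage check for UEBA AIE rules against collected log source types.

Added example (not LogRhythm code). Requirement semantics are an assumption:
' and ' and ',' join entries that are all required; '/' and ' or ' separate
alternatives of which one is enough; 'N/A' means nothing is required.
"""
import re

# Constructed excerpt of the rule table above, in the same markdown layout.
RULES_MD = """\
| AIE Rule ID | AIE Rule Name | Log Sources (minimum) | Log Sources (recommended) |
|---|---|---|---|
| 1246 | Attainment: Corroborated Account Anomalies | AI Engine Events | AI Engine Events |
| 1250 | Compromise: Concurrent VPN from Multiple Locations | Authentication Log Sources | N/A |
| 1254 | Compromise: Auth After Security Event | Intrusion Detection System and Host Logs | Intrusion Detection System and LogRhythm Sysmon |
| 1256 | Compromise: External Brute Force Auths | Active Directory or LDAP | Host Logs, Web Server Logs, VPN |
| 1267 | Lateral: Internal Attack then Account Creation | Intrusion Detection System and Active Directory or LDAP | Intrusion Detection System and Host Logs |
| 1299 | Compromise: Log Cleared | Host Security Logs/AV/IDS/IPS | NextGen Firewall |
| 1305 | Compromise: Change to Host File | LogRhythm Sysmon: File Monitor | N/A |
"""

# Constructed list of log source types an example deployment is collecting.
COLLECTED = ["Active Directory", "Host Logs", "Host Security Logs",
             "LogRhythm Sysmon", "AI Engine Events"]


def parse_rules(md):
    """Return a list of dicts for every data row (first cell is a numeric rule ID)."""
    rules = []
    for line in md.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or not cells[0].isdigit():
            continue  # header, separator or malformed line
        rules.append({"id": int(cells[0]), "name": cells[1],
                      "minimum": cells[2], "recommended": cells[3]})
    return rules


def parse_requirement(text):
    """Convert a log-source cell into a list of groups; each group is a list of
    alternatives, and every group must be satisfied (assumed semantics)."""
    if text.strip().upper() == "N/A":
        return []
    groups = []
    for part in re.split(r",|\s+and\s+", text):
        alts = [a.strip() for a in re.split(r"/|\s+or\s+", part) if a.strip()]
        if alts:
            groups.append(alts)
    return groups


def normalize(name):
    return re.sub(r"\s+", " ", name).strip().lower()


def unmet(requirement, collected):
    """Groups for which none of the alternatives is being collected."""
    have = {normalize(c) for c in collected}
    return [alts for alts in requirement
            if not any(normalize(a) in have for a in alts)]


def coverage_report(rules, collected):
    """Map rule ID -> 'recommended', 'minimum' or 'gap'."""
    report = {}
    for r in rules:
        min_ok = not unmet(parse_requirement(r["minimum"]), collected)
        rec_ok = min_ok and not unmet(parse_requirement(r["recommended"]), collected)
        report[r["id"]] = "recommended" if rec_ok else "minimum" if min_ok else "gap"
    return report


if __name__ == "__main__":
    rules = parse_rules(RULES_MD)
    report = coverage_report(rules, COLLECTED)
    for r in rules:
        status = report[r["id"]]
        line = f"{r['id']} {status:<11} {r['name']}"
        if status != "recommended":
            # Show what still needs onboarding to reach the next level.
            cell = r["minimum"] if status == "gap" else r["recommended"]
            missing = unmet(parse_requirement(cell), COLLECTED)
            line += "  needs: " + "; ".join(" or ".join(g) for g in missing)
        print(line)
```

Note that `LogRhythm Sysmon: File Monitor` is deliberately not matched by a plain `LogRhythm Sysmon` entry: the file-monitor data is a separate collection policy, and treating it as present just because the agent is deployed would hide exactly the gap this check is meant to surface.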