AI Engine Rules June 2014
LogRhythm AI Engine Rules

2014 LogRhythm, Inc. All rights reserved.

This document contains proprietary information, which is protected by copyright. The software described in this guide is furnished under a software license or nondisclosure agreement. This software may be used or copied only in accordance with the terms of the applicable agreement. No part of this guide may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any purpose other than the purchaser's personal use, without the written permission of LogRhythm, Inc.

Warranty
The information contained in this document is subject to change without notice. LogRhythm, Inc. makes no warranty of any kind with respect to this information. LogRhythm, Inc. specifically disclaims the implied warranty of merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be liable for any direct, indirect, incidental, consequential, or other damage alleged in connection with the furnishing or use of this information.

Trademark
LogRhythm is a trademark of LogRhythm, Inc.

LogRhythm Inc.
4780 Pearl East Circle
Boulder CO, 80301
(303) 413-8745
www.logrhythm.com

LogRhythm Customer Support
support@logrhythm.com
Table of Contents

Security Analytics Suites
    Advanced Persistent Threats (APTs)
    Multi-Dimensional Behavioral Analytics (MDBA)
    Network Behavior Anomaly Detection (NBAD)
    Privileged User Monitoring (PUM)
    Retail Cyber Crime*
    SANS Critical Security Controls
    Targeted Host Activity Monitoring*
    Web Application Defense

Compliance Automation Suites
    201 CRM 17
    DoDI 8500.2
    FISMA
    GPG-13
    HIPAA
    ISO 27001
    NEI
    NERC CIP
    NIST 800-35
    NRC
    PCI DSS
    SOX-COSO
Overview

This document lists the currently available LogRhythm Advanced Intelligence Engine (AI Engine) Rules. These AI Engine Rules are available as of the 6.2.3 Knowledge Base release. Rules that are being released in BETA status are denoted with an asterisk (*) next to the rule name.

Security Analytics Suites

Advanced Persistent Threats (APTs)

Abnormal Authentication Behavior
Abnormal Data Transfer Size
Abnormal Email Activity
Abnormal FIM Activity
Abnormal Connections
Abnormal Malicious Classification
Abnormal Outbound Connections
Abnormal Process Activity
Abnormal Rate Increase Of Outbound Traffic
Account Compromised: Account Probe
Account Attack: Account Probe On Multiple Hosts
Account Attack: Account Probe On Multiple Hosts
Account Compromised: Account Probe On Multiple Hosts
Account Scan
Account Scan
Account Scan On Single Host
Account Scan On Single Host
Attack/Compromise
Attack/Compromise
Attack/Compromise Followed By Process Starting
Attack/Compromise Followed By Process Starting
Audit Log Cleared
Audit Log Cleared
Botnet Zombie
Botnet Zombie Infestation
Brute Force From Distributed Origin Hosts
Brute Force From Distributed Origin Hosts
Brute Force From A Single Origin Host
Brute Force From A Single Origin Host
Commonly Probed Port
Commonly Probed Port
[Rule category column labels from the original table layout, not attributable to individual rules here: Direction/Type, Operations]
Communication with Low Reputation Address
Compromised Account
Compromised Data
Compromised Host
Concurrent Authentications From Multiple Cities
Concurrent Authentications From Multiple Countries
Concurrent Authentications From Multiple Regions
Concurrent VPN Authentications From Same User
Connection Open
Connection Opened To Attacker
Critical Data Destruction
Critical Data Destruction
Data Loss
Data Loss
Data Stolen
Denial Of Service Attack
Denial Of Service Attack
Distributed Denial Of Service Attack
Excessive HTTP Errors
Increase In Outbound Connections
Malware Outbreak
Multiple Unique Attacks
Multiple Unique Attacks Against Same Host
Non-Trivial Rate Increase In Outbound Traffic
Ping Sweep
Ping Sweep
Port Probe
Port Probe
Port Scan
Port Scan
Port Scan Followed By an Attack
Port Scan Followed By An Attack
Privilege Escalation
Privilege Escalation
Reconnaissance
Reconnaissance
Reconnaissance Followed By Account Creation
Reconnaissance Followed By Account Creation
Reconnaissance Followed By Process Starting
Reconnaissance Followed By Process Starting
[Rule category column label from the original table layout, not attributable to individual rules here: Corroborated Anomalies]
Remote Authentication
Slow Port Scan
Slow Port Scan
Spamming Zombie
Abnormal Amount Of Audit Failures
Abnormal Authentication Behavior
Abnormal File Access
Abnormal Origin Location
Abnormal Process Activity
Attack Followed By An Attacker Login
Attack Followed By An Attacker Login
Compromise or Attack Followed By Time Change
Default MetaSploit Port
Default MetaSploit Port
Dot Dot Slash Directory Traversal
Dot Dot Slash Directory Traversal
Payload Download Observed
SQL Injection
SQL Injection
Threat List - abuse.ch SpyEye IP
Threat List - abuse.ch Zeus IP
Threat List - AlienVault IP
Threat List - SRI Malware Threat Center IP
Threat List - Tor Exit Node
Threat List - Tor Server
Vulnerability Exploited
Vulnerability Exploited
XSS Attack
XSS Attack
ZeroAccess Botnet Communication

Multi-Dimensional Behavioral Analytics (MDBA)

Abnormal Authentication Behavior
Abnormal Email Activity
Abnormal FIM Activity
Abnormal Connections
Abnormal Malicious Classification
Abnormal Outbound Connections
Abnormal Process Activity
Abnormal Rate Increase Of Outbound Traffic
Communication with Low Reputation Address
[Rule category column labels from the original table layout, not attributable to individual rules here: Account, Direction/Type]
Compromised Account
Compromised Data
Compromised Host
Increase In Outbound Connections
Non-Trivial Rate Increase In Outbound Traffic
Abnormal Amount Of Audit Failures
Abnormal Authentication Behavior
Abnormal File Access
Abnormal Origin Location
Abnormal Process Activity

Network Behavior Anomaly Detection (NBAD)

Internationalized Domain Name (IDN)
Abnormal Application Activity
Blacklist Transfer During Off-Hours
Chat Traffic
Excessive FW Denies
Excessive FW Denies Followed By Allow
Excessive Firewall Accepts Multiple Src Single Dst
Excessive FW Accepts To Multiple Hosts
Excessive FW Denies Followed By Allow
Excessive IRC Connections To A Single Impacted Host
Excessive IRC Connections To A Single Origin Host
Excessive Outbound FW Denies
Hidden FTP Server
Insecure Communication Usage
ICMP Flood
TCP Flood
UDP Flood
Unknown Flood
Large Outbound Transfer
Long ICMP Flow
Outbound ICMP Flood
Outbound TCP Flood
Outbound UDP Flood
Outbound Unknown Flood
P2P Client Making Excessive Connections
Potential DDoS
Potential DDoS Against Single Host
Potential ICMP DDoS
Potential TCP DDoS
[Rule category column labels from the original table layout, not attributable to individual rules here: Corroborated Anomalies, Account, Direction/Type]
Repeat Signature Detection
Rogue Host Detection
Sessions Over 48 Hours
Unauthorized/Risky Applications
Web Server DDoS Attack
Attack Followed By Firewall Allow
DMZ Jumping
Inbound Connection With Non-Whitelisted Country
Inbound ICMP Flood
Inbound RDP Access
Inbound RDP From Blacklisted Country
Inbound TCP Flood
Inbound UDP Flood
Inbound Unknown Flood
Connection With Blacklisted Country
MAC Spoofing
New Application Detection
Non-Whitelist Transfer During Off-Hours
Outbound Connection With Blacklisted Country
Outbound Connection With Non-Whitelisted Country
Port Misuse 22
Port Misuse 443
Port Misuse 53
Port Misuse 80
Port Misuse HTTP
Port Misuse SSH In
Port Misuse SSH Out
Rogue Wireless Host
Top Level Domain (TLD)

Privileged User Monitoring (PUM)

Impersonation
Mass File Deletion By A Privileged User
Multiple Accounts Deleted By A Privileged User
Multiple Accounts Disabled By A Privileged User
Multiple Failed Attempts To Logon To Non-Primary Exchange Account
Multiple Users Added To A Privileged Group
Multiple Users Removed From A Privileged Group
New Administrator Activity
Password Changed On Multiple Accounts By A Privileged User
[Rule category column labels from the original table layout, not attributable to individual rules here: Direction/Type, Account, Audit]
Password Modified By Privileged User
Privileged User's Password Modified
Recently Disabled Privileged Cant Access Failures
Recently Disabled Privileged Cant Access Success
User Not In Sudoers File

Retail Cyber Crime*

Abnormal CE From Payment System
Abnormal CE From POS Endpoint
Abnormal Payment Sys Authentication Activity
Abnormal Payment System File Access
Abnormal Payment System Network Communications
Abnormal POS Authentication Activity
Abnormal POS File Access
Abnormal POS Network Communication
New Process On Payment System
New Process On POS
Payment System Endpoint DLD Event
Payment System File System Modified
POS Endpoint DLD Event
POS Endpoint File System Modified

SANS Critical Security Controls

Password Modified By Another User
Abnormal File Access
Account Created, Used, Deleted
Impersonation
Multiple Accounts Deleted By A Privileged User
Multiple Accounts Disabled By A Privileged User
Recently Disabled Account Access Failures
Recently Disabled Account Access Success
User Not In Sudoers File
Abnormal FIM Activity
Dot Dot Slash Directory Traversal
SQL Injection
XSS Attack
Malicious User-Agent
Threat List abuse.ch SpyEye IP
Threat List abuse.ch Zeus IP
Threat List AlienVault IP
Threat List SRI Malware Threat Center IP
[Rule category column labels from the original table layout, not attributable to individual rules here: Account, Audit, Direction/Type]
Threat List Tor Exit Node
Threat List Tor Server
URL Characters
Denial Of Service Attack
Distributed Denial Of Service Attack
Multiple Unique Attacks Against Same Host
Port Scan Followed By An Attack
Repeat Signature Detected
Connection Opened To Attacker
Data Loss
Threat List abuse.ch SpyEye Domain
Threat List abuse.ch Zeus Domain
Threat List Malware Domains
Threat List Malware Patrol URL
Attack Followed By Config Change
Configuration Deleted
Configuration Disabled
Configuration Modified
Repeat Vulnerability Detected
Vulnerability After Software Install
Malware Not Cleaned
Multiple Failed Access Attempts
Multiple Object Access Failures
Outbound DNS Activity
Alarm On Malware
Data Loss
Malware Outbreak
Misuse
Unauthorized Egress Port
Unauthorized Ingress Port
Critical Error Due To Configuration Change
Audit Disabled By Privileged User
Blacklisted Wireless Device Seen
Multiple Passwords Modified By Another User
Multiple Users Added To Administrator Group
Multiple Users Removed From Administrator Group
Password Changed On Multiple Accounts By Administrator
Privilege Escalation
Temporary Account Created And Used
Excessive FW Denies
Excessive FW Denies Followed By Allow
Large Outbound Transfer
Rogue Host Detection
LogRhythm Agent Heartbeat Missed
LogRhythm Log Manager Heartbeat Missed
LogRhythm Silent Log Source Error
Backup Failure
Attack Followed By Firewall Allow
DMZ Jumping
Inbound Connection With Non-Whitelisted Country
Inbound ICMP Flood
Inbound TCP Flood
Inbound UDP Flood
Inbound Unknown Flood
Inbound New Application Detection
Port Misuse 53
Port Misuse 80
Port Misuse SSH In
Rogue Wireless Host

Targeted Host Activity Monitoring*

After-Hours Activity
Unauthorized Host
Unauthorized Location
Unauthorized Network
Unauthorized Port/Application
Unauthorized Process
Unauthorized User

Web Application Defense

Bad Bot User-Agent
Bad Bot User-Agent
Malicious User-Agent
Malicious User-Agent
URL Characters
URL Characters
[Rule category column labels from the original table layout, not attributable to individual rules here: Operations, Direction/Type]
Compliance Automation Suites

201 CRM 17

Attack Alert
Compromise Alert
Denial Of Service Alert
Malware Alert
Vulnerability Alert

DoDI 8500.2

Alarm On Compromise

FISMA

Alarm On Compromise
Failed Writing To Audit Log

GPG-13

Alarm On Compromise
Alarm On Critical
Alarm On Malware
Account Access Granted Rule
Account Access Revoked Rule
Account Created Rule
Account Deleted Rule
Account Disabled Rule
Account Locked Rule
Account Modified Rule
Attack Rule
Audit Log Cleared Rule
Audit Logging Stoppage Rule
Authentication Failure Rule
Backup Critical Error Rule
Backup Information Rule
Compromise Rule
Configuration Change Rule
Critical Condition Rule
Denial Of Service Rule
Error Condition Rule
Failed Audit Log Write Rule
Malware Detection Rule
Misuse Rule
Policy Change Rule
Privileged Access Failure Rule
Privileged Authentication Failure Rule
Reconnaissance Rule
Remote Authentication Failure Rule
Rogue WAP Detection Rule
Signature Update Failure Rule
Signatures Updated Rule
Software Installation Rule
Software Uninstallation Rule
Software Update Failure Rule
Software Updated Rule
Activity Rule
Vulnerability Rule
Web Browsing Deny Rule

HIPAA

Alarm On Attack
Alarm On Compromise
Alarm On Malware
Alarm On Misuse

ISO 27001

*NIX Host Critical Condition
Alarm on Malware
LogRhythm Silent Log Source Error
Network Device Critical Condition
Windows Host Critical Condition

NEI

Alarm On Compromise
Failed Writing To Audit Log

NERC CIP

Alarm On Compromise
Alarm On Malware
Alarm On Attack
Account Access Revoked Rule
Account Disabled Rule
Account Locked Rule
Antivirus Critical Condition Rule
Antivirus Error Condition Rule
Attack Rule
Compromise Rule
Configuration Deleted Rule
Configuration Disabled Rule
Configuration Modified Rule
Critical Condition Rule
Default Act Access Failure Rule
Default Act Access Success Rule
Default Act Authentication Failure Rule
Default Act Authentication Success Rule
Denial Of Service Rule
Dial-Up Initiation Rule
Door Access Success Rule
ESP Allowed Egress Communication Rule
ESP Allowed Ingress Communication Rule
ESP Denied Egress Communication Rule
ESP Denied Ingress Communication Rule
Malware Rule
Misuse Rule
Modem Enabled/Installed Rule
Policy Disabled Rule
Policy Modified Rule
Privileged Account Access Failure Rule
Privileged Account Access Success Rule
Privileged Account Authentication Failure Rule
Privileged Account Authentication Success Rule
Privileged Account Access Granted Rule
Privilege Revoked Rule
Reconnaissance Rule
Remote Authentication Failure Rule
Remote Authentication Success Rule
Shared Act Access Failure Rule
Shared Act Access Success Rule
Shared Act Authentication Failure Rule
Shared Act Authentication Success Rule
Signature Update Failure Rule
Software Update Failure Rule
Activity Rule
Door Access Rule
System Shutdown Rule
Term Act Access Failure Rule
Term Act Access Success Rule
Term Act Authentication Failure Rule
Term Act Authentication Success Rule
Vendor Act Access Failure Rule
Vendor Act Access Success Rule
Vendor Act Authentication Failure Rule
Vendor Act Authentication Success Rule
Vulnerability Rule

NIST 800-35

Account Access Revoked Rule
Account Disabled Rule
Account Locked Rule
Activity Rule
Antivirus Critical Condition Rule
Antivirus Error Condition Rule
Attack Rule
Audit Log Cleared Rule
Audit Logging Stopped Rule
Backup Critical/Error Rule
Backup Information Rule
Compromise Rule
Configuration Change Rule
Critical Condition Rule
Data Loss Prevention Rule
Default Act Access Failure Rule
Default Act Access Success Rule
Default Act Authentication Failure Rule
Default Act Authentication Success Rule
Denial Of Service Rule
Door Access Success Rule
Error Condition Rule
Brute Force Success From Distributed Origin Hosts
Brute Force Success From Single Origin Host Rule
Concurrent Remote Authentication Successes from Multiple Cities Rule
Concurrent Remote Authentication Successes from Multiple Countries Rule
Concurrent Remote Authentication Successes from Multiple Regions Rule
Concurrent VPN Authentications From Same User
Host Compromise Followed by Account Created Rule
Host Compromise Followed by Audit Log Cleared Rule
Host Compromise Followed by Critical Data Destruction Rule
Multiple Unique Attacks Against Same Host
Successful Account Probe On Multiple Hosts Rule
Successful Account Probe On Single Host Rule
Successful Denial Of Service Rule
Successful Distributed Denial Of Service Rule
Failed Audit Log Write Rule
File Integrity Monitor Log Rule
Guest Act Access Failure Rule
Guest Act Authentication Failure Rule
Host Compromise by Attacker Followed by Time Change Rule
Account Created, Used, Then Deleted Rule
Brute Force Success From A Single Origin Host Rule
Brute Force Success From Distributed Origin Hosts Rule
Host Compromise Followed by Account Created Rule
Host Compromise Followed by Audit Log Cleared Rule
Host Compromise Followed by Critical Data Destruction Rule
Malware Activity From Multiple Hosts Rule
Multiple Unique Attacks Against Same Host
Spamming System Rule
Successful Account Probe On Multiple Hosts Rule
Successful Account Probe On Single Host Rule
Malware Rule
Misuse Rule
Policy Change Rule
Privileged Account Access Failure Rule
Privileged Account Authentication Failure Rule
Privileged Group Access Granted Rule
Reconnaissance Rule
Remote Authentication Failure Rule
Rogue WAP Detection Rule
Shared Act Access Failure Rule
Shared Act Authentication Failure Rule
Signature Update Failure Rule
Software Installed Rule
Software Update Failure Rule
SPAM Detection Rule
Activity Rule
Door Access Rule
Term Act Access Failure Rule
Term Act Access Success Rule
Term Act Authentication Failure Rule
Term Act Authentication Success Rule
Vendor Act Access Failure Rule
Vendor Act Authentication Failure Rule
Vulnerability Rule

NRC

Alarm On Compromise
Failed Writing To Audit Log

PCI DSS

Account Disabled/Locked AIE Rule
Attack Alert Rule
Backup Failure Alert Rule
Backup Information AIE Rule
Compromise Alert Rule
Database Authentication AIE Rule
DB Account Authentication Failure Alert Rule
Denial Of Service Alert Rule
FIM Failure Alert Rule
FIM Information AIE Rule
Invalid Account Usage AIE Rule
Invalid Act Authentication Failure Alert Rule
Malware Alert Rule
Rogue WAP Detected Alert Rule
Software Update Failure Alert Rule
Vendor Account Enabled Alert Rule
Vendor Authentication Activity AIE Rule
Vendor Authentication Failure Alert Rule
Vulnerability Alert Rule
Antivirus Failure Alert Rule
Antivirus Information AIE Rule
Audit Log Cleared Alert Rule
Audit Log Write Failure Alert Rule
Denied CDE => Internet Communication AIE Rule
Denied DMZ => Communication AIE Rule
Denied Inet => Communication AIE Rule
Denied Internet => CDE Communication AIE Rule
Denied Internet => DMZ Comm AIE Rule
Denied Internet => Inet Communication AIE Rule
Denied Internet => Internet Communication AIE Rule
Denied Test => Communication AIE Rule
Denied Test => Internet Communication AIE Rule
Denied Wireless => CDE Communication AIE Rule
FIM Add Activity AIE Rule
FIM Delete Activity AIE Rule
FIM Group Change Activity AIE Rule
FIM Modify Activity AIE Rule
FIM Owner Change Activity AIE Rule
FIM Permission Activity AIE Rule
Firewall Policy Synch Information AIE Rule
FW Policy Synch Failure Alert Rule
Host Firewall Failure Alert Rule
Host Firewall Information AIE Rule
Invalid CDE => Internet Communication AIE Rule
Invalid DMZ => Communication AIE Rule
Invalid Inet => Internet Communication AIE Rule
Invalid Internet => CDE Communication AIE Rule
Invalid Internet => DMZ Communication AIE Rule
Invalid Internet => Inet Communication AIE Rule
Invalid Internet => Internet Communication AIE Rule
Invalid Test => Communication AIE Rule
Invalid Test => Internet Communication AIE Rule
Invalid Wireless => CDE Communication AIE Rule
Object Disposal Failure Alert Rule
Physical Access Failure Alert Rule
Physical Access Usage AIE Rule
Privileged Acct Authentication Failure Alert Rule
Reconnaissance Activity Alert Rule
Remote Session Timeout AIE Rule
Signature Update Failure Alert Rule
Activity Alert Rule

SOX-COSO

Alarm On Attack
Alarm On Compromise
Alarm On Malware