
Core Threat Detection Module

December 11, 2019


© LogRhythm, Inc. All rights reserved.
This document contains proprietary and confidential information of LogRhythm, Inc., which is protected by copyright
and possible non-disclosure agreements. The Software described in this Guide is furnished under the End User License
Agreement or the applicable Terms and Conditions (“Agreement”) which governs the use of the Software. This
Software may be used or copied only in accordance with the Agreement. No part of this Guide may be reproduced or
transmitted in any form or by any means, electronic or mechanical, including photocopying and recording for any
purpose other than what is permitted in the Agreement.

Disclaimer
The information contained in this document is subject to change without notice. LogRhythm, Inc. makes no warranty
of any kind with respect to this information. LogRhythm, Inc. specifically disclaims the implied warranty of
merchantability and fitness for a particular purpose. LogRhythm, Inc. shall not be liable for any direct, indirect,
incidental, consequential, or other damages alleged in connection with the furnishing or use of this information.

Trademark
LogRhythm is a registered trademark of LogRhythm, Inc. All other company or product names mentioned may be
trademarks, registered trademarks, or service marks of their respective holders.

LogRhythm Inc.
4780 Pearl East Circle
Boulder, CO 80301
(303) 413-8745
www.logrhythm.com

Phone Support (7am - 6pm, Monday-Friday)


Toll Free in North America (MT) +1-866-255-0862
Direct Dial in the Americas (MT) +1-720-407-3990
EMEA (GMT) +44 (0) 844 3245898
META (GMT+4) +971 8000-3570-4506
APAC (SGT) +65 31572044
Table of Contents
Matrices ........................................................................................................................... 4
Core Threat Detection—AI Engine Rules........................................................................ 5
Attack Lifecycle Progression Rules....................................................................................................... 13
Core Threat Detection—Lists........................................................................................ 17
Core Threat Detection—Reports .................................................................................. 20
Core Threat Detection Module Deployment Guide ..................................................... 22
Module Contents ................................................................................................................................... 22
Prerequisites ......................................................................................................................................... 22
Overview of Steps ................................................................................................................................. 22
Core Threat Detection Deployment Guide—Upgrade Considerations............................................... 23
Core Threat Detection Deployment Guide—Configure Audit Logging Levels.................................... 25
Core Threat Detection Deployment Guide—Import and Synchronize the Module ........................... 27
Core Threat Detection Deployment Guide—Configure the Module ................................................... 28
Core Threat Detection Module User Guide .................................................................. 30
Prerequisites ......................................................................................................................................... 30
How to Use This Guide .......................................................................................................................... 30
Core Threat Detection User Guide—AI Engine Rules........................................................................... 31
Core Threat Detection User Guide—Reports ....................................................................................... 67

LogRhythm, Inc. | Contents 3


Core Threat Detection Module

This guide describes how to deploy the Core Threat Detection module. This module is a collection of fundamental AI
Engine rules that can be utilized to provide a balanced and basic level of security coverage with minimal configuration.
Additionally, this rule set can be used as an introduction to AI Engine rules before an organization begins moving on to
more complex and customizable rules. The full security modules themselves can be utilized for more comprehensive
insight into specific, targeted areas. This module contains content from the Core Threat Detection Module, the Network
Threat Detection Module, and the User Threat Detection Module. Refer to those Deployment Guides for more
information.

The Core Threat Detection Module contains licensed content that is available only to registered customers
with a valid maintenance contract.

See also: Core Threat Detection Deployment Guide; Core Threat Detection User Guide

Matrices
The matrices that follow cover the module's AI Engine Rules, Lists, and Reports.

Core Threat Detection—AI Engine Rules


Columns: Rule ID | Rule | Risk Rating | FPP | Runtime Priority | Suppression | Alarm on Event | Minimum Data Requirement | Recommended Data Requirement | Configuration Steps | Module
Module: an X marks membership in one of Endpoint Threat Detection, Network Threat Detection, or User Threat Detection (the individual column is not distinguishable in this copy).

3 | Compromise: Distributed Brute Force | 9 | 1 | Normal | 12 | No | AD/LDAP | AD/LDAP, Host | In Windows, activate Audit Account Management for successes in the Group/Local Security Policy. | X
9 | Recon: Failed Distributed Account Probe | 4 | 1 | Normal | 6 | No | AD/LDAP | AD/LDAP, Host | (none) | X
17 | Lateral: External Attack then Account Creation | 9 | 1 | Normal | 1 | No | IDS/IPS | IDS/IPS | (none) | X
19 | Attainment: Log Cleared | 9 | 3 | Normal | 1 | No | Host Security Logs/AV/IDS/IPS | NextGen Firewall | (none) | X
29 | Lateral: Privilege Escalation after Attack | 9 | 1 | Normal | 2 | No | IDS/Security/AD/LDAP | IDS/Security/AD/LDAP | (none) | X
52 | Lateral: Internal Attack then Account Creation | 9 | 4 | Normal | 6 | No | IDS/Security/AD/LDAP | IDS/Security/AD/LDAP | (none) | X
72 | Compromise: Malware Outbreak | 9 | 3 | Normal | 2 | No | AV/IDS/IPS | NextGen Firewall | (none) | X
79 | C2: Malware: Outbound IRC | 6 | 7 | Normal | 3600 | No | Firewall or Network Flow Data (internal/egress) | LogRhythm Network Monitor, Next Gen Firewall (internal/egress) | (none) | X
86 | Lateral: Internal Recon then Account Creation | 9 | 1 | Normal | 3 | No | IDS/Sec Evt, AD, LDAP | Host | (none) | X
89 | Recon: Excessive HTTP Errors | 4 | 5 | Normal | 30 | No | Web Server | Web Server | (none) | X
111 | Recon: Metasploit Activity Observed | 4 | 5 | Normal | 3600 | No | Firewall or Network Flow Data (internal) | LogRhythm Network Monitor, Next Gen Firewall (internal) | (none) | X
473 | Compromise: Inbound RDP/VNC | 6 | 3 | Normal | 3600 | No | Firewall or Network Flow Data (perimeter) | LogRhythm Network Monitor, Next Gen Firewall (perimeter) | (none) | X
475 | C2: Excessive Outbound Firewall Denies | 6 | 5 | Normal | 60 | No | Firewall or Network Flow Data (perimeter) | LogRhythm Network Monitor, Next Gen Firewall (perimeter) | (none) | X
510 | Lateral: Password Modified by Admin | 6 | 8 | Normal | 60 | No | AD/LDAP | Host | (Optional) If you would like to exclude system accounts from this alarm, add an exclude filter for an Origin Login or Account which matches the regular expression '. *?/ $' | X
511 | Lateral: Admin Password Modified | 6 | 3 | Normal | 60 | No | AD/LDAP | Host | (Optional) If you would like to exclude system accounts from this alarm, add an exclude filter for an Origin Login or Account which matches this regular expression: \$$ | X
546 | Recon: Multiple Lockouts | 6 | 5 | Normal | 1 | No | AD/LDAP | Host | (none) | X
711 | C2: Attack then Outbound Connection | 8 | 5 | Normal | 1 | No | IDS/IPS and Firewall or Network Flow Data | LogRhythm Network Monitor, Next Gen Firewall | (none) | X
713 | Corruption: Audit Disabled by Admin | 9 | 1 | Normal | 1 | No | AD/LDAP, Host Logs | AD/LDAP, Host Logs | An include filter where Origin Login = list of privileged user ids must be entered into RB1. | X
715 | Lateral: Locally Created and Used | 9 | 5 | Normal | 2 | No | Host Security Logs | Single Sign On Logs | (none) | X
716 | Exfil: Lateral Movement then Exfil | 9 | 5 | Normal | 2 | No | Host Security Logs/AV/IDS/IPS | NextGen Firewall | (none) | X
739 | C2: Port Misuse: 53 | 6 | 6 | Normal | 3600 | No | LogRhythm Network Monitor | LogRhythm Network Monitor | (none) | X
742 | Exfiltration: Large Outbound Transfer | 6 | 2 | Normal | 2 | No | Firewall or Network Flow Data | LogRhythm Network Monitor, Next Gen Firewall | (none) | X
744 | Recon: Excessive Inbound Firewall Denies | 4 | 9 | Normal | 12 | No | Firewall or Network Flow Data (perimeter) | LogRhythm Network Monitor, Next Gen Firewall (perimeter) | (none) | X
770 | Compromise: Repeated Attacks Against Host | 8 | 5 | Normal | 12 | No | IDS/IPS | Next Gen Firewall | (none) | X
776 | C2: External DNS Server Used | 6 | 4 | Normal | 3600 | No | Firewall or Network Flow Data | LogRhythm Network Monitor, Next Gen Firewall | (none) | X
783 | Compromise: Malware Not Cleaned | 9 | 5 | Normal | 1 | No | Host Security Logs/Host Application Logs/AV/IDS/IPS | NextGen Firewall | (none) | X
1180 | Compromise: Obsolete SSL/TLS Version | 6 | 6 | Normal | 3600 | No | Firewall or Network Flow Data | LogRhythm Network Monitor, Next Gen Firewall | Cannot tune this but assists with reporting and insight. It is recommended to enforce web server policy to not fall back to older/vulnerable versions. It is also recommended for web browsers. | X

Attack Lifecycle Progression Rules


The AI Engine rules contained in the Network Threat Detection Module are categorized by Attack Lifecycle stage. Each
stage reflects steps involved in a security event, and activity moving forward through stages should be considered a
more serious event. The Network Threat Detection Module also contains Attack Lifecycle Progression rules which are
meant to identify this activity. These rules are listed in the following table.


Columns: Rule ID | Rule | Risk Rating | FPP | Runtime Priority | Suppression | Alarm on Event | Endpoint Threat Detection | Network Threat Detection | User Threat Detection

1003 | Progression: to Initial Compromise | 8 | 1 | Normal | 1 | Yes | X | X | X
1004 | Progression: to Command and Control | 8 | 1 | Normal | 1 | Yes | X | X | X
1005 | Progression: to Lateral Movement | 8 | 1 | Normal | 1 | Yes | X | X | X
1006 | Progression: to Target Attainment | 9 | 1 | Normal | 1 | Yes | X | X | X
1007 | Progression: to Exfil, Corruption, Disruption | 9 | 1 | Normal | 1 | Yes | X | X | X
1008 | Progression: to Initial Compromise | 8 | 1 | Normal | 1 | Yes | X | X | X
1009 | Progression: to Command and Control | 8 | 1 | Normal | 1 | Yes | X | X | X
1010 | Progression: to Lateral Movement | 8 | 1 | Normal | 1 | Yes | X | X | X
1011 | Progression: to Target Attainment | 9 | 1 | Normal | 1 | Yes | X | X | X
1012 | Progression: to Exfil, Corruption, Disruption | 9 | 1 | Normal | 1 | Yes | X | X | X
1013 | Progression: to Initial Compromise | 9 | 1 | Normal | 1 | Yes | X | X | X
1014 | Progression: to Command and Control | 8 | 1 | Normal | 1 | Yes | X | X | X
1015 | Progression: to Lateral Movement | 8 | 1 | Normal | 1 | Yes | X | X | X
1016 | Progression: to Target Attainment | 9 | 1 | Normal | 1 | Yes | X | X | X
1017 | Progression: to Exfil, Corruption, Disruption | 9 | 1 | Normal | 1 | Yes | X | X | X

Core Threat Detection—Lists


Columns: List ID | List Name | Referenced by (Object Type, Rule ID, Object Name) | Endpoint Threat Detection | Network Threat Detection | User Threat Detection
Module: a single X marks membership in one of the three modules (the individual column is not distinguishable in this copy); X | X | X marks all three.

-2091 | Privileged Users | AIE Rule 511 Lateral: Admin Password Modified; AIE Rule 713 Corruption: Audit Disabled by Admin | X
-2471 | Module: Core Threat Detection Rules | (none) | (none)
-2549 | Attack Lifecycle: Recon and Planning | (none) | X | X | X
-2550 | Attack Lifecycle: Initial Compromise | (none) | X | X | X
-2551 | Attack Lifecycle: Command and Control | (none) | X | X | X
-2552 | Attack Lifecycle: Lateral Movement | (none) | X | X | X
-2553 | Attack Lifecycle: Target Attainment | (none) | X | X | X
-2554 | Attack Lifecycle: Exfil, Corruption, Disruption | (none) | X | X | X

Core Threat Detection—Reports


Columns: Report ID | Report Name | Minimum Data Requirement | Recommended Data Requirement | Endpoint Threat Detection | Network Threat Detection | User Threat Detection
Module: an X marks membership in a module (the individual columns are not distinguishable in this copy).

1014 | Account Management Activity | Active Directory or LDAP | Host Logs | X (one module)
1015 | Top Attackers Summary | Any Security Log Source | Anti-Virus, Intrusion Detection System, Vulnerability Scanner, LogRhythm Network Monitor, Next Generation Firewall | X X (two modules)

Core Threat Detection Module Deployment Guide


This guide is for LogRhythm administrators who are responsible for the security of their organization’s infrastructure
and for anyone installing and configuring the SIEM.

Module Contents
This module adds to an existing LogRhythm deployment, as follows:
• 42 AI Engine Rules (15 Progression Rules)
• 8 Lists
• 2 Reports

Prerequisites
The deployment of this module assumes the following:
• The overall LogRhythm deployment is in a fully-deployed and healthy state.
• LogRhythm version 7.1 or later is installed.

Overview of Steps
This guide is divided into the following sections:
Core Threat Detection Deployment Guide—Upgrade Considerations
Core Threat Detection Deployment Guide—Import and Synchronize the Module
Core Threat Detection Deployment Guide—Configure the Module


Core Threat Detection Deployment Guide—Upgrade Considerations

The current release (version 4) of the Core Threat Detection Module (CTDM) includes a substantial number of changes
since the last release (version 3). This section should help you understand the implications of updating to the latest
version of CTDM, based on your current deployment.

Definitions
Existing. Refers to the original state of CTDM (v3 or lower) prior to upgrading to the current version (v4).
Upgrade. Refers to importing the KB that includes updates to CTDM.

Three-Step Upgrade Process


If you have never downloaded or activated the Core Threat Detection Module, you will automatically have all the CTDM
v4 rules and settings. This scenario requires no special considerations. You can enable CTDM via the KB Manager, and
enable rules and objects according to the suggestions outlined in the CTDM User Guide.
If you have previously downloaded and used the CTDM, you need to follow a three-step process:
1. Decide whether to use Advanced Synchronization to pull down filter changes and other internal settings.
2. Manually update the Risk Rating, FPP, Runtime Priority, Suppression Period, and Alarm on Event values.
3. Manually retire obsolete, deleted, or outdated rules.
Each of these steps is discussed in detail below.

Step 1 - Use the Advanced Synchronization Settings and Reset the Module
When you synchronize a module, you can deploy some or all the recommended settings. By default, the KB
synchronization will only update the system fields that cannot be changed, such as the name and common event. Other
editable settings, such as include/exclude filters or risk rating will not be updated. In the default synchronization, new
filters will be added, but existing filters will not be reset or updated.

Because of the rule merge, it is possible that custom modifications may conflict with the CTDM v4 changes,
resulting in a rule that will not fire because the filter settings are contradictory. For example, if a rule with
primary criteria of Network Allow or Network Deny has been tuned by adding an exclude filter for the
classification Network Deny, the KB sync could modify the rule’s primary criteria to the classification of
Network Deny. This results in a rule with system primary criteria and custom exclude filter which conflict. The
rule will never fire.
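As an added example (not LogRhythm's code, and not a model of the AI Engine's internals), the following Python re-creates the Network Allow / Network Deny conflict above in a simplified rule-block model, and also applies the include filter on privileged logins that rule 713 calls for together with the `\$$` exclude expression for machine accounts given for rules 510 and 511. The class and field names, the classification label "Account Modified", and the sample logins are assumptions made for illustration.

```python
# Added example (not LogRhythm code): a small model of an AI Engine rule block's
# primary criteria, include filter and exclude filter, used to check whether a
# tuned rule can still fire after a KB synchronization rewrites its primary
# criteria. Class and field names are assumptions for illustration.
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class LogRecord:
    classification: str   # e.g. "Network Allow", "Network Deny"
    origin_login: str


@dataclass
class RuleBlock:
    # System-managed primary criteria (a KB sync may overwrite this set).
    primary_classifications: Set[str]
    # User-tuned filters (left alone by the default synchronization).
    exclude_classifications: Set[str] = field(default_factory=set)
    include_logins: Optional[Set[str]] = None   # None means no include filter
    exclude_login_regex: Optional[str] = None

    def matches(self, rec: LogRecord) -> bool:
        if rec.classification not in self.primary_classifications:
            return False
        if rec.classification in self.exclude_classifications:
            return False
        if self.include_logins is not None and rec.origin_login not in self.include_logins:
            return False
        if self.exclude_login_regex and re.search(self.exclude_login_regex, rec.origin_login):
            return False
        return True


def can_ever_fire(block: RuleBlock) -> bool:
    """False when every primary classification is also excluded, which is the
    contradictory combination the upgrade note warns about."""
    return bool(block.primary_classifications - block.exclude_classifications)


def sync_conflict_demo() -> List[bool]:
    """Re-creates the Network Allow / Network Deny example from the upgrade note."""
    tuned = RuleBlock(primary_classifications={"Network Allow", "Network Deny"},
                      exclude_classifications={"Network Deny"})
    before = can_ever_fire(tuned)
    # The KB sync replaces the system primary criteria but keeps the custom exclude.
    tuned.primary_classifications = {"Network Deny"}
    after = can_ever_fire(tuned)
    return [before, after]   # [True, False]


def privileged_login_demo() -> List[str]:
    """Include filter on privileged logins (rule 713 style) plus the module's
    exclude regex for machine accounts ending in '$' (rules 510/511)."""
    block = RuleBlock(primary_classifications={"Account Modified"},   # constructed label
                      include_logins={"da_admin", "SRV01$"},
                      exclude_login_regex=r"\$$")
    sample = [LogRecord("Account Modified", "da_admin"),
              LogRecord("Account Modified", "SRV01$"),     # machine account, excluded
              LogRecord("Account Modified", "jdoe"),       # not on the privileged list
              LogRecord("Network Deny", "da_admin")]       # wrong classification
    return [r.origin_login for r in sample if block.matches(r)]   # ['da_admin']


if __name__ == "__main__":
    print("can fire before/after sync:", sync_conflict_demo())
    print("logins passing the filters:", privileged_login_demo())
```

Running `can_ever_fire` over each tuned rule after a synchronization is the kind of check that catches a rule silently turned off by a contradictory filter, which the note above says will otherwise never fire.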

You may choose to synchronize more settings by using the Advanced Synchronization function. Some LogRhythm SIEM
versions have advanced settings that allow you to synchronize values like Risk Rating, FPP, Runtime Priority,
Suppression Period and Alarm on Event automatically, whereas with other LogRhythm versions you may need to
update these values manually.
To use Advanced Synchronization
1. In the Client Console on the Tools menu, click Knowledge, and then click Knowledge Base Manager.
2. Under AI Engine Rule Properties, select the Enable Advanced Synchronization Settings check box.


3. In the Knowledge Base Manager, click Synchronization Settings, and then click the Synchronize Additional
System Properties tab.
This setting synchronizes user editable rule settings for all system AI Engine rules, including rule block time limit
settings, unique value rule block occurrences, and threshold rule block values.
4. Select the Only sync additional properties for disabled rules check box.
This only synchronizes advanced settings when the AI Engine rule has been disabled, preventing unexpected
changes to currently active rules.
5. Click OK and proceed with the KB synchronization.

After the KB synchronization, revert these changes to prevent accidental overwrites of other modules when
synchronizing the KB in the future.

Step 2 – Manually Update the Risk Rating, FPP, Runtime Priority, Suppression Period and Alarm on
Event values
After the rules are synchronized, the Risk Rating, FPP, Runtime Priority, Suppression Period and Alarm on Event values
will not be updated to the current values recommended by LogRhythm Labs.
To update the values, open each rule and change the Risk Rating, FPP, Runtime Priority, Suppression Period and Alarm
on Event values according to the AIE Rules table. If you have tuned these values for your environment, you can retain
your custom values instead of accepting the value suggested by LogRhythm.

Step 3 – Retire Old Content


CTDM v4 declared several previous rules obsolete or redundant. These rules are no longer part of the module. However,
if you previously deployed CTDM v3, these obsolete rules will not be removed as part of the upgrade. The old rules are
left behind so you can gradually move to the new CTDM content and clear up any process you may have that depends
on the old rules.
You can manually retire obsolete rules by looking at the module revisions for any rule that has been removed.
Optionally, you can look at the naming structure, as all current rule names were updated to match the attack life cycle,
and obsolete rules will have inconsistent names.


Core Threat Detection Deployment Guide—Configure Audit Logging Levels

Enable Windows Security Event Account Added to Group


1. Under Administrative Tools on your machine, click Local Security Policy.
2. Expand Local Policies, and then Audit Policy.
3. Make sure Audit account management is set to audit Success events. Failure auditing is optional.
The following list provides some examples of audit account management events:
• A user account or group is created, changed, or deleted.
• A user account is renamed, disabled, or enabled.
• A password is set or changed.

Enable Impersonation Event Logging


1. To be able to detect when a user right-clicks on a program and clicks Run as administrator, the local audit policy
must be configured for process tracking.
2. Under Administrative Tools on your machine, click Local Security Policy.
3. Expand Local Policies and then Audit Policy. Make sure Audit process tracking is set to audit Success events.
Failure auditing is optional.
This security setting audits detailed tracking information for events such as program activation, process exit,
handle duplication, and indirect object access.
4. On the Control Panel on your machine, click User Accounts.
5. Click Turn User Account Control On or Off.
6. Do one of the following:
• On Windows 2008, select the Use User Account Control (UAC) check box to help protect your computer.
• On Windows 7, slide the bar to the top to Always notify.

Configure Exchange Server Auditing Levels

Exchange Server 2000 / 2003 / 2007


1. Open the Exchange System Manager and keep expanding the tree until the server object is visible.
2. Right-click it, and then click Properties.
3. On the Diagnostics Logging tab, expand MSExchangeIS, and then click Mailbox.
4. Select the Logons and Access Control categories, and then set them to Maximum.

Exchange Server 2010 / 2013


1. Open the Exchange Management Console, navigate to the exchange server, and then click the Server
Configuration node.
2. On the right side of the screen, click Manage Diagnostic Logging Properties.
3. Scroll down and expand the MSExchangeIS node, expand the 9000 Private node, and increase the logging for
Access Control and Logons to High.


Configure Linux Audit Logging


By default, most recent Linux distributions log the event of “user NOT in sudoers file” when a user tries to sudo without
permission. The only requirement here is that LogRhythm collects the Auth.log via syslog, flat file, or syslog file log
sources. The most common collection method is to configure rsyslog to send all facilities and severities to a LogRhythm
System Monitor Agent.

Data Collection Requirements


To get the most out of this module, there are certain deployment and data collection requirements that should be met.
Minimally, Active Directory or LDAP logs must be collected from the organization’s domain controller(s) or equivalent
systems. This will allow only a limited number of AI Engine Rules to work effectively. To ensure all content works fully,
and that rich forensic/contextual data is available for analysis, logs should be collected from all endpoints either
through remote Windows Event log collection, or by deploying LogRhythm System Monitor agents to individual
endpoints. Deploying agents provides additional forensic visibility not available via the native logs alone. For
information on remote Windows Event log collection, see Windows Event Log Collection.


Core Threat Detection Deployment Guide—Import and Synchronize the Module
The following information should be gathered prior to implementing the Core Threat Detection Module. This
information is required when populating Lists and configuring individual AI Engine Rules:
• Privileged groups
• Critical Network Devices
• Vulnerability scanners
The Core Threat Detection Module is part of the LogRhythm Knowledge Base (KB). Updating the KB automatically
creates the proper Lists and AI Engine Rules.
1. In the Client Console on the Tools menu, click Knowledge, and then click Knowledge Base Manager.

To open the Knowledge Base Manager, the Deployment Manager must be closed.

2. Under Knowledge Base Modules, find the Core Threat Detection module.
If the module is available, you will see Core Threat Detection in the grid. If the module name does not appear,
update the Knowledge Base by doing either of the following:
• Automatic Download. Click Check for Knowledge Base Updates, and then click Synchronize Stored
Knowledge Base.
• Manual Download. For manual download instructions, see Import a Knowledge Base.
3. Locate the Enabled column in the grid. If the box is checked, the module is already enabled and available to
users in the SIEM deployment. If the Enabled box is not checked, enable the module by selecting its Action check
box, right-clicking the module name, clicking Actions, and then clicking Enable Module.
A dialog box appears to enable the selected module(s).
4. Leave the Enable Intelligent Indexing on Module Objects cleared unless you fully understand the effects of this
setting. For more information, see the Intelligent Indexing topic in the SIEM Reference Guide.


Core Threat Detection Deployment Guide—Configure the Module

Configure Lists
There are user-configurable lists included with the module. Use these lists to narrow the scope of AI Engine Rules and to
filter events. Refer to the Description section of the List Properties to verify what should be added to the list.
1. Open the LogRhythm Console and click List Manager on the main toolbar.
2. Use the Name or List ID column filter to find the list you want.
3. To open the List Properties window, double-click the list.
4. Click on the List Items tab, and then click Add Item.
5. Use the Add Item dialog to add items to the list individually, or click Import to import a text file or clipboard
contents.
6. Click Apply and then click OK.
To identify which lists need to be configured in the environment, see the List matrix.

Configure Individual AI Engine Rules


This module contains a collection of AI Engine Rules. Some rules require additional configuration to ensure that they
will work properly. For configuration steps, see the AI Engine Rule matrix.

Enable AI Engine Rules


1. Open the LogRhythm Console and click Deployment Manager on the main toolbar.
2. Click the AI Engine tab.
3. Filter in the Rule Group column for Core Threat Detection to find AI Engine rules tied to this module.
4. Select the Action check box of each rule you want to configure.
5. Right-click the AI Engine Rule Manager, click Actions, click Batch Enable Alarms, and then click Enable
Alarms.
6. If the Restart column displays “Needed” for a rule, you must restart the AI Engine service to load the new rules.
Click Restart AI Engine Servers at the top of the window. (This action only restarts the necessary services, not
the appliance itself.)

You must select the AI Engine instance in the View field to see the Restart column.

To view tuning and configuration notes for a rule, right-click the rule, click Properties, and then click the Information
tab.
Your LogRhythm Professional Services Engineer can also provide assistance with tuning AI Engine Rules for your
environment.

Enable AI Engine Rule Alarming


By default, alarming is initially turned off for all AI Engine Rules. Even without alarms, events are generated when the
rule is enabled and its criteria are satisfied. These events are displayed in the Web Console Dashboard and they can be
seen by running an Investigation or Tail against the Platform Manager.


Before enabling Alarming, review these events and tune rules as necessary to meet an acceptable level of false
positives. Refer to the Core Threat Detection Module User Guide for information about tuning individual AI Engine Rules.
When finished tuning, enable alarming on the rules to bring events to the alarm layer, providing visibility to the
monitoring team and allowing for notification and SmartResponse.
1. Open the LogRhythm Console and click Deployment Manager.
2. Click the AI Engine tab.
3. Filter in the Rule Group column for Network Threat Detection to find AI Engine rules tied to this module.
The value in the Alarm Status column indicates whether alarm is enabled for a rule.
4. Select the Action check box of each rule you want to configure.
5. Right-click the grid, click Actions, click Batch Enable Alarms, and then click Enable Alarms.

Alarm settings are located on the Settings tab of the Alarm Properties dialog box.


Core Threat Detection Module User Guide

The Core Threat Detection Module is a collection of AI Engine rules designed to detect unusual or malicious activity that
is occurring on an organization’s network. This guide is for LogRhythm administrators who are responsible for the
security of their organization’s infrastructure. Other security suite documentation can be used when upgraded to more
advanced rule sets. LogRhythm publications and Support contact information are available on the LogRhythm Support
Portal, and additional information can be found in the LogRhythm Community.

The Core Threat Detection Module contains licensed content that is available only to registered customers
with a valid maintenance contract.

Prerequisites
This guide assumes the following:
• The Core Threat Detection Module has been imported and the AI Engine rules you want are enabled following
the steps in the Core Threat Detection Module Deployment Guide.
• Appropriate log sources, such as LogRhythm System Monitor Agents, Windows Security Events, Firewalls,
Intrusion Detection Systems, Anti Virus, and others have been configured to work with LogRhythm.
• In order to identify internal and external sources for directional traffic, the network entity structure has been
configured.
• The LogRhythm Lists referenced by rules in this suite have been configured to the organization’s environment.

How to Use This Guide


This guide is meant to be used as a day-to-day reference for the Core Threat Detection Module content. All the content
included in this module is listed here along with a detailed explanation, suggested response, and configuration and
tuning notes.
• Suppression Period. The Suppression Period defines how much time must pass before the same AI Engine rule
can be triggered again for the same set of criteria.
• Environmental Dependence Factor. EDF is a high level quantification of how much effort is required in
configuration and tuning for an AI Engine rule to perform as expected. This setting has no impact on processing.
• False Positive Probability. FPP is a factor determining how likely it is that an event represents a real risk, as
follows:
• 0: The event represents a real risk less than 1 time out of 10.
• 1: The event represents a real risk 1 time out of 10.
• 9: The event represents a real risk 9 times out of 10.
This guide is divided into the following sections:
• Core Threat Detection User Guide—AI Engine Rules
• Core Threat Detection User Guide—Reports

Core Threat Detection User Guide—AI Engine Rules

Compromise: Distributed Brute Force


Gaining access to an internal account is often the first step in a malicious actor's efforts to pilfer an organization.
Because software frequently uses default logins and many users have inadequate passwords, this is an extraordinarily
effective method (change your default passwords!!). This rule detects a successful brute force authentication from an
external source -- it first tracks multiple failed authentication attempts from different external hosts against the same
host and account, and then connects that with a following successful authentication.

AIE Rule ID: 3


Attack Lifecycle: Initial Compromise

Rule Description
A successful brute force authentication -- multiple failed authentication attempts from different external hosts to
the same host using the same origin login, followed by an authentication success.
Common Event: AIE: Compromise: Distributed Brute Force
Classification: Compromise
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 1

Log Sources (minimum)


AD/LDAP

Log Sources (recommended)


AD/LDAP, Host

Actions
This rule fires when the attacker was able to compromise at least one account. In this case, it is vital to quickly
contain the compromise by disconnecting infected hosts, disabling the compromised account, and blocking the
attacker's access -- organizations should have an incident response plan for a compromise. Also, after stopping
the active attack, forensics will need to be conducted to ensure that an implant isn't hidden in the network, that
information wasn't stolen, and that no other accounts were compromised.

Use Case
An attacker knows a login ID to a specific host and repeatedly attempts to authenticate using various passwords
from different origin hosts in an attempt to mask the password guessing activity, and eventually successfully
authenticates.

Recon: Failed Distributed Account Probe


Gaining access to an internal account is often the first step in a malicious actor's efforts to pilfer an organization.
Because software frequently uses default logins and many users have inadequate passwords, this is an extraordinarily
effective method (change your default passwords!!). This rule detects an unsuccessful account probe from an external
source with the idea that an attacker knows a username and password but not a host that the account has access to -- it
first tracks multiple failed authentication attempts from the same account but not the same impacted host. It looks for
5 or more failed authentications against different impacted hosts. If an authentication success is not seen within 15
minutes, the rule will fire.

AIE Rule ID: 9


Attack Lifecycle: Recon

Rule Description
The same external account unsuccessfully attempts to authenticate to multiple hosts within a short period of
time.
Common Event: AIE: Recon: Failed Distributed Account Probe
Classification: Reconnaissance
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 1

Log Sources (minimum)


AD/LDAP

Log Sources (recommended)


AD/LDAP, Host

Actions
Responses to 'failure' alarms should include hardening the potential victim host and account and blocking the
attacker. It is also useful to determine if the attack is a determined effort to compromise the network or just a
passing probe. Perform follow-up investigations for additional logs generated by the attacker and victim.
Remember that a failure alarm may mean that the attacker was still successful in other attempts.

Use Case
A malicious individual finds a "sticky note" with a user name and password. The attacker then attempts to use
these credentials on several different hosts, with no successful authentication observed.

Lateral: External Attack then Account Creation


By itself, a single attack event can easily be a false positive or an inconsequential probe, and most large organizations
can expect a significant number of these events every day. However, if that attack event is followed by a second,
security-related event on the same host, such as a new account being created, it should be a major cause for concern.
This is an indicator that the attack was successful, and that the malicious actor has begun moving deeper into their
attack cycle.

AIE Rule ID: 17


Attack Lifecycle: Lateral Movement

Rule Description
Attack or compromise event from an external source followed by an account creation on the same host.
Common Event: AIE: Lateral: External Attack then Acct Creation
Classification: Compromise
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 1

Log Sources (minimum)


IDS/IPS

Log Sources (recommended)


IDS/IPS

Actions
The cost and recovery time of a compromise grows exponentially with each stage of the attack cycle, so it is
imperative to stop the attack as early as possible. These rules indicate that the attacker has moved past the initial
stages and is consolidating their beachhead. After the attack is stopped, it is very important to do a full sweep of
the network for other signs of continued infection.

Use Case
A savvy hacker successfully attacked a machine to gain access. Once inside the exploited machine, the hacker
created an account for future access and exploitation.

Attainment: Log Cleared


By itself, a single attack event can easily be a false positive or an inconsequential probe, and most large organizations
can expect a significant number of these events every day. However, if that attack event is followed by a second,
security-related event on the same host, such as a log being erased, it should be a major cause for concern. This is an
indicator that the attack was successful, and that the malicious actor has begun moving deeper into their attack cycle.

AIE Rule ID: 19


Attack Lifecycle: Target Attainment

Rule Description
A compromise event from an external source followed by the audit log being cleared on the same compromised
host.
Common Event: AIE: Attainment: Log Cleared
Classification: Security : Compromise
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 3

Log Sources (minimum)


Host Security Logs/AV/IDS/IPS

Log Sources (recommended)


NextGen Firewall

List
Not applicable

Actions
Run investigations for the impacted host and user that performed the activity. Check what process cleared the
audit log and make sure it is legitimate.

Use Case
An attacker compromises a host and clears the audit log to cover their tracks.

Lateral: Privilege Escalation after Attack


By itself, a single attack event can easily be a false positive or an inconsequential probe, and most large organizations
can expect a significant number of these events every day. However, if that attack event is followed by a second,
security-related event on the same host, such as an account gaining new rights on the target, it should be a major cause
for concern. This is an indicator that the attack was successful, and that the malicious actor has begun moving deeper
into their attack cycle.

AIE Rule ID: 29


Attack Lifecycle: Lateral Movement

Rule Description
Compromised host event followed by a new account created or account modified on the same host.
Common Event: AIE: Lateral: Privilege Escalation after Attack
Classification: Compromise
Suppression Period: 1
Environmental Dependence Factor: 2
False Positive Probability: 1

Log Sources (minimum)


IDS/Security/AD/LDAP

Log Sources (recommended)


IDS/Security/AD/LDAP

Actions
The cost and recovery time of a compromise grows exponentially with each stage of the attack cycle, so it is
imperative to stop the attack as early as possible. These rules indicate that the attacker has moved past the initial
stages and is consolidating their beachhead. After the attack is stopped, it is very important to do a full sweep of
the network for other signs of continued infection.

Use Case
An IDS has detected some sort of hacking activity from an external host. Later, the same external host is seen
successfully authenticating with an internal host, indicating a successful network penetration.

Lateral: Internal Attack then Account Creation


Attacks that originate from inside the network are particularly troubling -- an attacker who has solidified their foothold
on an infected machine is spreading laterally through the organization's network. This rule will track attacks from a
malicious actor against other hosts within the network that are followed by a second security event. If a new account is
created on a target host, the malicious actor has successfully begun to move laterally throughout the network.

AIE Rule ID: 52


Attack Lifecycle: Lateral Movement

Rule Description
Attack or compromise event from an internal host followed by an account creation on the victim host.
Common Event: AIE: Lateral: Internal Attack then Acct Creation
Classification: Compromise
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 4

Log Sources (minimum)


IDS/Security/AD/LDAP

Log Sources (recommended)


IDS/Security/AD/LDAP

Actions
Because the attack has already progressed to an advanced stage, it is imperative to stem the damage and stop the
attack as early as possible. These rules indicate that the attacker has moved past the initial stages, is spreading
throughout the network, and likely has already begun to pillage. After the attack is stopped, use the logs from the
alarm to help with a full sweep of the network for other signs of continued infection.

Use Case
A system is successfully attacked, and the attacker then creates a new account on the system in order to maintain
access.

Compromise: Malware Outbreak


Several malware events emanating from different hosts within the organization may be an indication that malware has
begun to spread throughout the network. It may also mean those hosts are falling victim to an external zero-day exploit
or other similar, external security event. In any case, an outbreak is more threatening than an isolated infection and
should be treated accordingly.

AIE Rule ID: 72


Attack Lifecycle: Initial Compromise

Rule Description
Multiple observed malware detections or failed malware detections within a given period on different impacted
hosts, grouped by Common Event and Threat Name.
Common Event: AIE: Compromise: Malware Outbreak
Classification: Compromise
Suppression Period: 2
Environmental Dependence Factor: 1
False Positive Probability: 3

Log Sources (minimum)


AV/IDS/IPS

Log Sources (recommended)


NextGen Firewall

List
Not applicable

Actions
Not applicable

Use Case
Not applicable

C2: Outbound IRC


IRC ports have been associated with botnet communication channels. If more than 3 different external hosts are
communicating with internal ones, this might be a sign of a peer botnet.

AIE Rule ID: 79


Attack Lifecycle: C2

Rule Description
An internal host seen communicating using IRC ports.
Common Event: AIE: C2: Malware: Outbound IRC
Classification: Suspicious
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 7

Log Sources (minimum)


Firewall or Network Flow Data (internal/egress)

Log Sources (recommended)


LogRhythm Network Monitor, Next Gen Firewall (internal/egress)

Actions
Investigate the Origin IP if it is a known host and service; quarantine it or remove it from the network if it is
unknown. Block the Impacted and Origin IPs inbound and outbound on the perimeter firewall. Determine whether the
Origin IP was compromised and remediate as necessary; otherwise, add the Impacted IP to a Watch List to determine
whether the attack was successful.

Use Case
An internal host has been compromised and is now part of a botnet, typically controlled via IRC.

Lateral: Internal Recon then Account Creation


A malicious actor with access to an internal host will be in an ideal position for laterally moving to other hosts within the
network. This can be detected when an internal host begins to scan other hosts for vulnerable ports. If it was able to
create an account on a victim host, the attack was obviously successful.

AIE Rule ID: 86


Attack Lifecycle: Lateral Movement

Rule Description
Internal reconnaissance event followed by an account creation on the same target host, indicating a possible
compromise.
Common Event: AIE: Lateral: Internal Recon then Account Creation

Classification: Compromise

Suppression Period: 1

Environmental Dependence Factor: 1

False Positive Probability: 1

Log Sources (minimum)


IDS/Sec Evt, AD, LDAP

Log Sources (recommended)


Host

Actions
Since an internal host is already compromised, follow incident response procedures. Investigate the attacking
host to see if it was able to access any additional hosts. Investigate the created account to see what actions it was
able to take.

Use Case
An attacker scans a machine for open ports. The IDS then misses the actual attack, but shortly after the scan is
detected a new account is created on the target machine, indicating some sort of attempt to maintain access.

Recon: Excessive HTTP Errors


As an attacker probes web applications for vulnerabilities, the web servers may generate dozens or hundreds of HTTP
errors. This rule looks for an origin host logging 20 or more unique HTTP errors in 2 minutes. In addition to preemptively
detecting potential attacks, tracking HTTP errors can also find broken links and other problems with web servers
affecting normal use.

AIE Rule ID: 89


Attack Lifecycle: Recon

Rule Description
Excessive HTTP Error Codes seen on the same Impacted Host, originating from the same Origin Host, indicating
some sort of automated scanning activity.
Common Event: AIE: Recon: Excessive HTTP Errors
Classification: Reconnaissance
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 4

Log Sources (minimum)


Web Server

Log Sources (recommended)


Web Server

Actions
Investigate the Origin IP if it is a known host; quarantine unknown hosts to a Remediation VLAN and block the Origin IP
inbound and outbound on the perimeter firewall. Determine what the attacker was looking for, to aid in evaluating
whether the compromise was successful. Determine whether the Impacted IP host and application are known; quarantine
them if a compromise is found, or add them to a Watch List for further compromise assessment.

Use Case
An attacker has written a script that attempts to access various default phpmyadmin access directories on a given
website. The attacker is running the script against a web server.

Recon: Metasploit Activity Observed


Metasploit has a default port for launching attacks. This rule will detect use of the default port originating from within
the organization's network.

AIE Rule ID: 111


Attack Lifecycle: Recon

Rule Description
Observed traffic on port 4444, the default port for most Metasploit attack vectors.
Common Event: AIE: Recon: Metasploit Activity Observed
Classification: Reconnaissance
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 5

Log Sources (minimum)


Firewall or Network Flow Data (internal)

Log Sources (recommended)


LogRhythm Network Monitor, Next Gen Firewall (internal)

Actions
Investigate the Origin IP; if it is a known host, it should be added to the Vulnerability Scanner List. Quarantine
unknown hosts to a Remediation VLAN and block the Origin IP inbound and outbound on the perimeter firewall.
Determine whether the Impacted IP host and application are known; quarantine them if a compromise is found, or add
them to a Watch List for further compromise assessment.

Use Case
An attacker is using Metasploit to launch an attack without changing the default port.

Compromise: Inbound RDP/VNC


RDP connections without a VPN are a security risk, and thus it is useful to identify when the protocol is used.

AIE Rule ID: 473


Attack Lifecycle: Initial Compromise

Rule Description
Remote Desktop Protocol (RDP) or VNC connection from an external to internal host.
Common Event: AIE: Compromise: Inbound RDP/VNC
Classification: Suspicious

Suppression Period: 1

Environmental Dependence Factor: 1

False Positive Probability: 3

Log Sources (minimum)


Firewall or Network Flow Data (perimeter)

Log Sources (recommended)


LogRhythm Network Monitor, Next Gen Firewall (perimeter)

Actions
Investigate the Origin IP and Origin Application if they are known; quarantine unknown hosts to a Remediation VLAN
and block the Origin IP inbound and outbound on the perimeter firewall. Determine whether the Impacted IP host,
application, and reputation are known; if not, block the Impacted IP inbound and outbound on the perimeter firewall,
or add it to a Watch List for further assessment.

Use Case
Valuable in detecting compromised hosts and network/policy abuse.

C2: Excessive Outbound Firewall Denies


A spike in firewall denies can indicate any number of issues, from malware beaconing from infected machines, to users
running non-standard services, to accidental blocking of updates. This rule alerts security analysts to begin
investigating this suspicious behavior.

AIE Rule ID: 475


Attack Lifecycle: C2

Rule Description
Excessive number (400) of network denied events from an internal host within 5 minutes.
Common Event: AIE: C2: Excessive Outbound Firewall Denies
Classification: Suspicious
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 5

Log Sources (minimum)


Firewall or Network Flow Data (perimeter)

Log Sources (recommended)


LogRhythm Network Monitor, Next Gen Firewall (perimeter)

Actions
Investigate the Origin IP and Origin Application if they are known; quarantine unknown hosts to a Remediation VLAN
and block the Origin IP inbound and outbound on the perimeter firewall. Determine whether the Impacted IP host,
application, and reputation are known; if not, block the Impacted IP inbound and outbound on the perimeter firewall,
or add it to a Watch List for further assessment.

Use Case
An internal compromised host is attempting communication via blocked protocol.

Lateral: Password Modified by Admin


Tracking administrator actions is useful for both auditing potential privilege abuse and for security monitoring. This
rule will alarm when a user account (defined in your LogRhythm list "Privileged users") changes the password of
another user.

AIE Rule ID: 510


Attack Lifecycle: Lateral Movement

Rule Description
Privileged user changes the password of another account.
Common Event: AIE: Lateral: Password Modified by Admin
Classification: Suspicious

Suppression Period: 1
Environmental Dependence Factor: 2
False Positive Probability: 8

Log Sources (minimum)


AD/LDAP

Log Sources (recommended)


Host

Actions
Verify the change control procedure has been followed and that this user's password was reset according to
standards and guidelines.

Use Case
A privileged user changes the password of another user.

Lateral: Admin Password Modified


Tracking administrator actions is useful for both auditing potential privilege abuse and for security monitoring. This
rule will alarm when a user account (defined in your LogRhythm list "Privileged users") has its password modified by
another user.

AIE Rule ID: 511


Attack Lifecycle: Lateral Movement

Rule Description
User changes the password of a different privileged user account.
Common Event: AIE: Lateral: Admin Password Modified
Classification: Suspicious

Suppression Period: 1

Environmental Dependence Factor: 2

False Positive Probability: 3

Log Sources (minimum)


AD/LDAP

Log Sources (recommended)


Host

List
Privilege Users (-2091)

Actions
Verify the admin was aware of the password change. Also verify that the change control procedure has been followed
and that this user's password was reset according to standards and guidelines.

Use Case
A user's password has been changed by a privileged user.

Recon: Multiple Lockouts


Account lockouts are a fairly normal occurrence -- a user may forget their password or type it incorrectly several times.
However, if the same account is having multiple lockouts per hour, then it may be a sign of brute force authentication
attempts.

AIE Rule ID: 546


Attack Lifecycle: Recon

Rule Description
An account is locked out 2 or more times per hour.
Common Event: AIE: Recon: Multiple Lockouts
Classification: Suspicious
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 5

Log Sources (minimum)


AD/LDAP

Log Sources (recommended)


Host

Actions
Accounts under attack should be temporarily disabled while under investigation. Attack sources should be
blocked via firewall or other security devices.

Use Case
In large companies it sometimes can be daunting and tedious to sift through the "noise" of potential operational
events of interest. This alarm alerts when accounts are locked out 2 or more times in an hour instead of every time
an account is locked out.

Compromise: Attack then Outbound Connection


Attack events that are followed by an external connection might be a sign of a malicious implant beaconing back to a
control server.

AIE Rule ID: 711


Attack Lifecycle: C2

Rule Description
An observed external attack or compromise followed by data leaving the system and going to the attacker.
Common Event: AIE: C2: Attack then Outbound Connection
Classification: Attack
Suppression Period: 24
Environmental Dependence Factor: 1
False Positive Probability: 5

Log Sources (minimum)


IDS/IPS and Firewall or Network Flow Data

Log Sources (recommended)


LogRhythm Network Monitor, Next Gen Firewall

Actions
Investigate the Origin IP and Origin Application if they are known; quarantine unknown hosts to a Remediation VLAN
and block the Origin IP inbound and outbound on the perimeter firewall. Determine whether the Impacted IP host,
application, and reputation are known; if not, block the Impacted IP inbound and outbound on the perimeter firewall,
or add it to a Watch List for further assessment.

Use Case
An attacker is looking for sensitive financial information. The attacker successfully compromises a host and is able
to copy the information to the attacker's host.

Corruption: Audit Disabled by Admin


After achieving privilege escalation, a malicious actor will attempt to hide their tracks. This means removing data from
logs, hiding malicious files, and disabling audits. Fortunately, LogRhythm collects logs in real time, meaning that
these events can be tracked.

AIE Rule ID: 713


Attack Lifecycle: Exfiltration, Corruption

Rule Description
Login by an administrator followed by disabling of an audit process.
Common Event: AIE: Corruption: Audit Disabled by Admin
Classification: Compromise
Suppression Period: 8
Environmental Dependence Factor: 3
False Positive Probability: 1

Log Sources (minimum)


AD/LDAP, Host Logs

Log Sources (recommended)


AD/LDAP, Host Logs

List
Privilege Users (-2091)

Actions
If audits are being disabled, it is highly likely that malicious activity is taking place. Immediately launch
LogRhythm investigations on the Log Source where this is occurring.

Use Case
A disgruntled administrator plans on malicious activity and disables auditing beforehand to ensure the activity
isn't logged.

Configuration
An include filter where Origin Login = list of privileged user ids must be entered into RB1.

Lateral: Locally Created and Used


Local accounts can sometimes be used as an effective method for avoiding security restrictions and detection. This rule
looks for a user creating a local account followed by the same user logging into that account.

AIE Rule ID: 715


Attack Lifecycle: Lateral Movement

Rule Description
An account is created on a host and then used shortly thereafter on the same host.
Common Event: AIE: Lateral: Locally Created and Used

Classification: Compromise

Suppression Period: 1

Environmental Dependence Factor: 1

False Positive Probability: 5

Log Sources (minimum)


Host Security Logs

Log Sources (recommended)


Single Sign On Logs

List
Not applicable

Actions
Not applicable

Use Case
Not applicable

Exfil: Lateral Movement then Exfil


Attacks that originate from inside the network are particularly troubling -- an attacker who has solidified their foothold
on an infected machine is spreading laterally through the organization's network. This rule will track attacks from a
malicious actor against other hosts within the network that are followed by a second security event. If a large amount
of traffic leaves the target host, the malicious actor has successfully begun to exfiltrate data from the target.

AIE Rule ID: 716


Attack Lifecycle: Exfil

Rule Description
Attack or compromise event from an internal host followed by data leaving the victim host.
Common Event: AIE: Exfil: Lateral Movement then Exfil
Classification: Compromise
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 5

Log Sources (minimum)


Host Security Logs/AV/IDS/IPS

Log Sources (recommended)


NextGen Firewall

List
Not applicable

Actions
Not applicable

Use Case
Not applicable

C2: Port Misuse: 53


In order to hide command and control communication among legitimate traffic, malicious implants may use standard
protocol ports even if their covert channels don't conform to protocol standards. Because LogRhythm Network Monitor
can accurately identify protocols without relying solely on port, it is able to detect port misuse by such malware.

AIE Rule ID: 739


Attack Lifecycle: C2

Rule Description
Traffic not using DNS over the common DNS port (53).
Common Event: AIE: C2: Port Misuse: 53
Classification: Suspicious
Suppression Period: 1
Environmental Dependence Factor: 2
False Positive Probability: 6

Log Sources (minimum)


LogRhythm Network Monitor

Log Sources (recommended)


LogRhythm Network Monitor

Actions
Investigate the Origin IP and Origin Application if they are known; quarantine unknown hosts to a Remediation VLAN
and block the Origin IP inbound and outbound on the perimeter firewall. Determine whether the Impacted IP host,
application, and reputation are known; if not, block the Impacted IP inbound and outbound on the perimeter firewall,
or add it to a Watch List for further assessment.

Use Case
Detection of local hosts tunneling traffic over port 53. This would typically be a violation of network policy and a
security risk.
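The rule depends on classifying traffic by what the bytes look like rather than by the port they arrive on. The following is an added example written for this guide (it is not LogRhythm Network Monitor's classifier) of the minimal kind of shape check that separates a real DNS message on UDP/53 from something else riding the port: header length, opcode and reserved bits, and a well-formed question section. The sample payloads are constructed, and only UDP framing is handled (DNS over TCP carries a two-byte length prefix first).

```python
"""Added example: a minimal DNS-shape check for UDP payloads seen on port 53,
the kind of protocol identification (rather than port-based classification)
that the Port Misuse rule above relies on. Written for this guide; it is not
LogRhythm Network Monitor's classifier. All sample payloads are constructed."""
import struct

def _parse_name(buf: bytes, pos: int):
    """Walk DNS labels starting at pos. Returns the offset after the name, or
    None if the labels are malformed (too long, truncated, oversized name)."""
    total = 0
    while True:
        if pos >= len(buf):
            return None
        length = buf[pos]
        if length == 0:
            return pos + 1
        if (length & 0xC0) == 0xC0:          # compression pointer: 2 bytes, ends the name
            return pos + 2 if pos + 1 < len(buf) else None
        if length > 63:                      # RFC 1035: a label is at most 63 octets
            return None
        total += length + 1
        if total > 255:                      # and a whole name at most 255
            return None
        pos += 1 + length

def looks_like_dns(payload: bytes):
    """Return (True, 'ok') if payload parses as a DNS message, else (False, reason)."""
    if len(payload) < 12:
        return False, "shorter than DNS header"
    _, flags, qd, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    opcode = (flags >> 11) & 0xF
    if opcode > 2:                           # only QUERY, IQUERY, STATUS are assigned here
        return False, f"reserved opcode {opcode}"
    if flags & 0x0040:                       # Z bit must be zero
        return False, "Z bit set"
    if qd == 0 and (flags & 0x8000) == 0:    # a query with no question is not a lookup
        return False, "query with no question"
    pos = 12
    for _ in range(qd):
        pos = _parse_name(payload, pos)
        if pos is None or pos + 4 > len(payload):
            return False, "malformed question section"
        _qtype, qclass = struct.unpack("!HH", payload[pos:pos + 4])
        if qclass not in (1, 3, 4, 254, 255):  # IN, CH, HS, NONE, ANY
            return False, f"unknown QCLASS {qclass}"
        pos += 4
    return True, "ok"

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard recursive A query for name (constructed sample traffic)."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)

# Constructed port-53 payloads: one genuine lookup and two non-DNS blobs.
SAMPLES = {
    "dns_query": build_query("www.example.com"),
    "http_on_53": b"GET /update HTTP/1.1\r\nHost: 203.0.113.5\r\n\r\n",
    "ssh_banner_on_53": b"SSH-2.0-OpenSSH_7.4\r\n",
}

def classify_port53(samples=SAMPLES):
    """Map each sample name to 'dns' or 'port misuse'."""
    return {k: ("dns" if looks_like_dns(v)[0] else "port misuse") for k, v in samples.items()}

if __name__ == "__main__":
    for name, verdict in classify_port53().items():
        print(f"{name}: {verdict} ({looks_like_dns(SAMPLES[name])[1]})")
```

A check this shallow will still accept a covert channel that takes care to look like DNS (valid header and question, payload hidden in the name labels), so a production classifier also watches name entropy, query volume and response sizes; the point of the example is only that the decision is made on the message, not the port number.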

Exfiltration: Large Outbound Transfer


Most hosts in an organization will be data sinks, meaning that they should receive much more data than they send. For
the most part, it will be rare for a typical host to upload 1GB of data in a single 30-minute-long session. If a host
does so, this might be a sign of data exfiltration.

AIE Rule ID: 742


Attack Lifecycle: Exfiltration

Rule Description
A single host is seen sending a large amount of data out of the network within the same 30-minute-long session.
Common Event: AIE: Exfiltration: Large Outbound Transfer
Classification: Suspicious
Suppression Period: 1
Environmental Dependence Factor: 2
False Positive Probability: 2

Log Sources (minimum)


Firewall or Network Flow Data

Log Sources (recommended)


LogRhythm Network Monitor, Next Gen Firewall

Actions
Investigate the Origin IP and Origin Application if they are known; quarantine unknown hosts to a Remediation VLAN
and block the Origin IP inbound and outbound on the perimeter firewall. Determine whether the Impacted IP host,
application, and reputation are known; if not, block the Impacted IP inbound and outbound on the perimeter firewall,
or add it to a Watch List for further assessment.

Use Case
A disgruntled employee is exfiltrating Intellectual Property out of the network.

Recon: Excessive Inbound Firewall Denies


A spike of inbound firewall denies can indicate any number of issues -- external scans, improper port use, or even
malware command and control.

AIE Rule ID: 744


Attack Lifecycle: Recon

Rule Description
For this rule we look for an excessive number (400) of network denied events from a host within 5 minutes.
Common Event: AIE: Recon: Excessive Inbound Firewall Denies
Classification: Reconnaissance
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 9

Log Sources (minimum)


Firewall or Network Flow Data (perimeter)

Log Sources (recommended)


LogRhythm Network Monitor, Next Gen Firewall (perimeter)

Actions
Investigate the Origin IP and Origin Application if they are known; quarantine unknown hosts to a Remediation VLAN
and block the Origin IP inbound and outbound on the perimeter firewall. Determine whether the Impacted IP host,
application, and reputation are known; if not, block the Impacted IP inbound and outbound on the perimeter firewall,
or add it to a Watch List for further assessment.

Use Case
An external compromised host is attempting communication via a blocked protocol.

Compromise: Repeated Attacks Against Host


This AI Engine rule looks for 10 or more attack, malware, or other security activity logs in a short time span. Such
redundancy reduces the chance of being bogged down by one-off false positives. Using the Vendor Message ID field as
the Group By value will focus on devices like IDSs that assign signature values.

AIE Rule ID: 770


Attack Lifecycle: Initial Compromise

Rule Description
The same security event is detected on the same host multiple times within a short window.
Common Event: AIE: Compromise: Repeated Attacks Against Host
Classification: Attack
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 5

Log Sources (minimum)


IDS/IPS

Log Sources (recommended)


Next Gen Firewall

Actions
Investigate the Origin IP and Origin Application if they are known; quarantine unknown hosts to a Remediation VLAN
and block the Origin IP inbound and outbound on the perimeter firewall. Determine whether the Impacted IP host,
application, and reputation are known; if not, block the Impacted IP inbound and outbound on the perimeter firewall,
or add it to a Watch List for further assessment.

Use Case
A Snort IDS deployment is firing repeatedly because an infected host is attempting to spread on the network.
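The two count-based rules above (400 denies from one origin within 5 minutes; 10 or more security events grouped by impacted host and Vendor Message ID) share one detection pattern: a sliding time window per group-by key, a threshold, and a suppression period that stops the same group alarming repeatedly. The Python below is an added example written for readers of this guide; it is not LogRhythm code and does not use LogRhythm's event schema. The event field names, the 10-minute window for Repeated Attacks, the 60-minute suppression period and all sample events are assumptions constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

RECON_DENIES = "AIE: Recon: Excessive Inbound Firewall Denies"
REPEATED_ATTACKS = "AIE: Compromise: Repeated Attacks Against Host"


class WindowedThreshold:
    """Fire once when at least `threshold` matching events sharing a group-by
    key fall inside `window`, then stay quiet for that key for `suppression`."""

    def __init__(self, name, match, key_fields, threshold, window, suppression):
        self.name, self.match, self.key_fields = name, match, key_fields
        self.threshold, self.window, self.suppression = threshold, window, suppression
        self._times = defaultdict(deque)   # group key -> timestamps still inside the window
        self._quiet_until = {}             # group key -> end of its suppression period
        self.alarms = []

    def feed(self, ev):
        if not self.match(ev):
            return
        key = tuple(ev[f] for f in self.key_fields)
        q = self._times[key]
        q.append(ev["time"])
        while ev["time"] - q[0] > self.window:   # drop timestamps that fell out of the window
            q.popleft()
        if len(q) < self.threshold:
            return
        if ev["time"] >= self._quiet_until.get(key, ev["time"]):
            self.alarms.append({"rule": self.name, "group": key,
                                "count": len(q), "time": ev["time"]})
            self._quiet_until[key] = ev["time"] + self.suppression
        q.clear()   # start counting afresh whether we alarmed or were suppressed


def build_rules():
    # Threshold and window for the denies rule come from the guide; the 10-minute
    # window for Repeated Attacks and the 60-minute suppression are assumptions.
    return [
        WindowedThreshold(RECON_DENIES, lambda e: e["class"] == "Network Deny",
                          ("origin_ip",), 400, timedelta(minutes=5), timedelta(minutes=60)),
        WindowedThreshold(REPEATED_ATTACKS, lambda e: e["class"] in {"Attack", "Malware", "Suspicious"},
                          ("impacted_ip", "vendor_msg_id"), 10, timedelta(minutes=10), timedelta(minutes=60)),
    ]


def run_rules(events):
    """Replay events in time order through fresh rule instances; return every alarm raised."""
    rules = build_rules()
    for ev in sorted(events, key=lambda e: e["time"]):
        for rule in rules:
            rule.feed(ev)
    return [a for rule in rules for a in rule.alarms]


# ---- constructed sample data; not taken from any real log source ----
T0 = datetime(2019, 12, 11, 9, 0, 0)


def burst(n, spacing, template):
    return [dict(template, time=T0 + i * spacing) for i in range(n)]


DENY = {"class": "Network Deny", "impacted_ip": "10.0.0.5", "vendor_msg_id": None}
IDS = {"class": "Attack", "origin_ip": "203.0.113.7", "vendor_msg_id": "1:1000001"}

SAMPLE_EVENTS = (
    burst(400, timedelta(milliseconds=500), dict(DENY, origin_ip="203.0.113.7"))   # 400 denies in 200 s: fires
    + burst(400, timedelta(seconds=1), dict(DENY, origin_ip="198.51.100.9"))       # never 400 inside 5 min: quiet
    + burst(10, timedelta(seconds=6), dict(IDS, impacted_ip="10.0.0.22"))          # same signature x10: fires
    + burst(9, timedelta(seconds=6), dict(IDS, impacted_ip="10.0.0.23"))           # one short of threshold: quiet
)


def suppression_demo():
    """Replay the first burst 10 minutes later: the second threshold crossing lands
    inside the suppression period, so only one alarm is raised for that origin."""
    first = SAMPLE_EVENTS[:400]
    replay = [dict(e, time=e["time"] + timedelta(minutes=10)) for e in first]
    return len(run_rules(first + replay))


if __name__ == "__main__":
    for alarm in run_rules(SAMPLE_EVENTS):
        print(alarm["rule"], alarm["group"], alarm["count"])
    print("alarms with replayed burst:", suppression_demo())
```

The scanner and the repeated IDS signature each raise one alarm; the host sending one deny per second never has 400 inside any 5-minute window, and the nine-event burst stays below threshold. Because the rule fires on the event that crosses the threshold, the alarm time is the last event, not the first, so an investigation should widen its window backwards from the alarm.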

C2: External DNS Server Used


For security reasons, an organization might require all DNS requests to go through its own DNS servers. A host that
circumvents those servers might be infected with malware or might simply be misconfigured.

AIE Rule ID: 776


Attack Lifecycle: C2

Rule Description
Internal hosts using an external DNS server.
Common Event: AIE: C2: External DNS Server Used
Classification: Suspicious
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 4

Log Sources (minimum)


Firewall or Network Flow Data

Log Sources (recommended)


LogRhythm Network Monitor, Next Gen Firewall

Actions
Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN,
block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application
and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown
or add to Watch List for further assessment.

Use Case
A network host infected with malware is resolving names through an external DNS server outside the organization's control, for example one the attacker operates.
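With flow data this rule comes down to an allow-list check on the destination of port-53 traffic from internal hosts, plus two exclusions that otherwise generate noise: the organization's own resolvers forwarding queries upstream, and queries arriving from outside. The Python below is an added example, not LogRhythm code; the resolver addresses, internal ranges, flow record format and every flow line are constructed for the example.

```python
import ipaddress

# Assumed policy (not from the guide): the resolvers internal hosts may query directly.
APPROVED_RESOLVERS = {ipaddress.ip_address("10.0.0.53"), ipaddress.ip_address("10.0.1.53")}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse one constructed 'key=value' flow record into typed fields."""
    kv = dict(part.split("=", 1) for part in line.split())
    return {"ts": kv["ts"], "src": ipaddress.ip_address(kv["src"]),
            "dst": ipaddress.ip_address(kv["dst"]), "proto": kv["proto"], "dport": int(kv["dport"])}


def external_dns_use(flows):
    """Flows in which an internal host sends DNS to a server outside the organization."""
    hits = []
    for f in flows:
        if f["dport"] != 53 or f["proto"] not in ("udp", "tcp"):
            continue                      # not DNS by port; DoH/DoT are invisible to this rule
        if not is_internal(f["src"]):
            continue                      # inbound queries are a different rule's concern
        if f["src"] in APPROVED_RESOLVERS:
            continue                      # our own resolvers legitimately forward upstream
        if f["dst"] in APPROVED_RESOLVERS or is_internal(f["dst"]):
            continue                      # approved, or at least an internal server
        hits.append(f)
    return hits


def by_origin(hits):
    """Summarize hits as origin host -> sorted list of external servers queried."""
    summary = {}
    for h in hits:
        summary.setdefault(str(h["src"]), set()).add(str(h["dst"]))
    return {src: sorted(dsts) for src, dsts in summary.items()}


# Constructed sample flow records; not real traffic.
SAMPLE_FLOW_LINES = """\
ts=2019-12-11T09:00:01Z src=10.0.5.17 dst=10.0.0.53 proto=udp dport=53
ts=2019-12-11T09:00:02Z src=10.0.5.17 dst=8.8.8.8 proto=udp dport=53
ts=2019-12-11T09:00:03Z src=10.0.0.53 dst=8.8.8.8 proto=udp dport=53
ts=2019-12-11T09:00:04Z src=10.0.5.17 dst=203.0.113.10 proto=tcp dport=443
ts=2019-12-11T09:00:05Z src=198.51.100.4 dst=10.0.0.53 proto=udp dport=53
ts=2019-12-11T09:00:06Z src=10.0.7.9 dst=203.0.113.53 proto=tcp dport=53
ts=2019-12-11T09:00:07Z src=10.0.7.9 dst=203.0.113.53 proto=udp dport=53
""".splitlines()


def run_sample():
    return by_origin(external_dns_use(parse_flow(line) for line in SAMPLE_FLOW_LINES))


if __name__ == "__main__":
    for src, servers in run_sample().items():
        print(src, "->", ", ".join(servers))
```

Only the workstation querying 8.8.8.8 and the host using 203.0.113.53 are reported; the approved resolver's own upstream query and the inbound query from 198.51.100.4 are excluded. DNS over HTTPS (port 443) or DNS over TLS (port 853) will not match a port-53 rule at all; that traffic needs application-layer identification, such as from a network monitor, before this logic can see it.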

Compromise: Malware Not Cleaned


In some cases, a malware removal tool will quarantine or delete malware, only for it to reappear from memory or
another hiding place. This rule finds instances where a malware cleaning event is followed by a malware detection
event on the same host.

AIE Rule ID: 783


Attack Lifecycle: Initial Compromise

Rule Description
A malware removal event from a host is followed immediately (within 1 hour) by another malware event on the same
host. This indicates that the malware was not completely removed.
Common Event: AIE: Compromise: Malware Not Cleaned
Classification: Malware
Suppression Period: 1
Environmental Dependence Factor: 1
False Positive Probability: 5

Log Sources (minimum)


Host Security Logs/Host Application Logs/AV/IDS/IPS

Log Sources (recommended)


Next Gen Firewall

Actions
Not applicable

Use Case
Not applicable

Progression: to Initial Compromise


Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity
categorized as Reconnaissance and Planning is followed by Initial Compromise with the same user or host.
AIE Rule ID: 1003
Attack Lifecycle: Progression

Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed
activity categorized as Reconnaissance and Planning is followed by Initial Compromise with the same user or host.
Common Event: AIE: Progression: to Initial Compromise
Classification: Attack
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1

Log Sources (minimum)


Not applicable

Log Sources (recommended)


Not applicable

Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a
Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events
which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User
or Host specified to look for related activity.

Use Case
Not applicable
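Rule 783 above and the Progression rules are both sequence correlations: an opening event, then a closing event on the same entity inside a time window. The Python below is an added example, not LogRhythm code, that implements one correlator and instantiates it for both: a quarantine or removal followed within 1 hour by another malware event on the same host, and an earlier-stage AIE event followed by a given lifecycle stage on the same host. The stage ordering, the 24-hour progression window, the event field names and every sample event are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# The guide names these stages; the rank order is our reading of the lifecycle.
STAGE_RANK = {
    "Reconnaissance and Planning": 0,
    "Initial Compromise": 1,
    "Command and Control": 2,
    "Lateral Movement": 3,
    "Target Attainment": 4,
    "Exfiltration, Corruption, Disruption": 5,
}


class SequenceRule:
    """Fire when an event accepted by `first` is followed, within `window` and with
    the same `key_field` value, by an event accepted by `then(first_event, event)`."""

    def __init__(self, name, key_field, first, then, window):
        self.name, self.key_field, self.first, self.then, self.window = name, key_field, first, then, window
        self._pending = {}   # key -> most recent opening event still inside the window
        self.alarms = []

    def feed(self, ev):
        key = ev.get(self.key_field)
        if key is None:
            return
        prior = self._pending.get(key)
        if prior is not None:
            if ev["time"] - prior["time"] > self.window:
                del self._pending[key]                     # too old to pair with anything now
            elif self.then(prior, ev):
                self.alarms.append({"rule": self.name, "key": key, "first": prior, "then": ev})
                del self._pending[key]
        if self.first(ev):
            self._pending[key] = ev                         # newest opener wins


def malware_not_cleaned(window=timedelta(hours=1)):
    # Rule 783: quarantine/removal, then any further malware event on the same host.
    return SequenceRule("AIE: Compromise: Malware Not Cleaned", "host",
                        first=lambda e: e.get("class") == "Malware" and e.get("action") in ("quarantined", "removed"),
                        then=lambda p, e: e.get("class") == "Malware",
                        window=window)


def progression_rules(key_field="host", window=timedelta(hours=24)):
    # One rule per target stage: any lower-ranked stage, then that stage, same entity.
    # The 24-hour window is an assumption; the guide states none.
    rules = []
    for stage, rank in STAGE_RANK.items():
        if rank == 0:
            continue
        rules.append(SequenceRule(
            f"AIE: Progression: to {stage}", key_field,
            first=lambda e, r=rank: e.get("stage") is not None and STAGE_RANK[e["stage"]] < r,
            then=lambda p, e, s=stage: e.get("stage") == s,
            window=window))
    return rules


def run(events, rules):
    for ev in sorted(events, key=lambda e: e["time"]):
        for rule in rules:
            rule.feed(ev)
    return [a for rule in rules for a in rule.alarms]


# Constructed sample data: raw AV events carry class/action, AIE feedback events carry stage.
T = datetime(2019, 12, 11, 10, 0, 0)
SAMPLE_EVENTS = [
    {"time": T, "host": "ws-042", "class": "Malware", "action": "quarantined"},
    {"time": T + timedelta(minutes=20), "host": "ws-042", "class": "Malware", "action": "detected"},  # 783 fires
    {"time": T, "host": "ws-077", "class": "Malware", "action": "removed"},
    {"time": T + timedelta(hours=3), "host": "ws-077", "class": "Malware", "action": "detected"},     # outside 1 h
    {"time": T, "host": "ws-042", "stage": "Reconnaissance and Planning"},
    {"time": T + timedelta(minutes=30), "host": "ws-042", "stage": "Initial Compromise"},             # to IC fires
    {"time": T + timedelta(minutes=45), "host": "ws-042", "stage": "Command and Control"},            # to C2 fires
    {"time": T + timedelta(minutes=50), "host": "ws-099", "stage": "Command and Control"},            # no earlier stage
]


def run_sample():
    return run(SAMPLE_EVENTS, [malware_not_cleaned()] + progression_rules())


if __name__ == "__main__":
    for alarm in run_sample():
        print(alarm["rule"], alarm["key"], alarm["first"].get("stage", alarm["first"].get("action")))
```

The correlator keeps only the newest opener per entity, which is what progression needs (the alarm should name the stage immediately before) but means a second removal event on a host restarts the one-hour clock. Each alarm carries both events, so the drill-down described under Actions can start from the pair rather than from the closing event alone.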

Progression: to Command and Control


Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity
categorized as Reconnaissance and Planning or Initial Compromise is followed by Command and Control with the same
user or host.
AIE Rule ID: 1004
Attack Lifecycle: Progression

Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed
activity categorized as Reconnaissance and Planning or Initial Compromise is followed by Command and Control
with the same user or host.
Common Event: AIE: Progression: to Command and Control
Classification: Attack
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1

Log Sources (minimum)


Not applicable

Log Sources (recommended)


Not applicable

Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a
Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events
which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User
or Host specified to look for related activity.

Use Case
Not applicable

Progression: to Lateral Movement


Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity
categorized as an earlier stage is followed by Lateral Movement with the same user or host.
AIE Rule ID: 1005
Attack Lifecycle: Progression

Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed
activity categorized as an earlier stage is followed by Lateral Movement with the same user or host.
Common Event: AIE: Progression: to Lateral Movement
Classification: Attack
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1

Log Sources (minimum)


Not applicable

Log Sources (recommended)


Not applicable

Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a
Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events
which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User
or Host specified to look for related activity.

Use Case
Not applicable

Progression: to Target Attainment


Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity
categorized as any earlier stage is followed by Target Attainment with the same user or host.
AIE Rule ID: 1006

Attack Lifecycle: Progression

Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed
activity categorized as any earlier stage is followed by Target Attainment with the same user or host.
Common Event: AIE: Progression: to Target Attainment
Classification: Compromise
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1

Log Sources (minimum)


Not applicable

Log Sources (recommended)


Not applicable

Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a
Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events
which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User
or Host specified to look for related activity.

Use Case
Not applicable

Progression: to Exfiltration, Corruption, Disruption


Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity
categorized as any earlier stage is followed by Exfiltration, Corruption, Disruption with the same user or host.
AIE Rule ID: 1007
Attack Lifecycle: Progression

Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed
activity categorized as any earlier stage is followed by Exfiltration, Corruption, Disruption with the same user or
host.
Common Event: AIE: Progression: to Exfil, Corruption, Disruption

Classification: Compromise
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1

Log Sources (minimum)


Not applicable

Log Sources (recommended)


Not applicable

Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a
Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events
which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User
or Host specified to look for related activity.

Use Case
Not applicable

Progression: to Initial Compromise


Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity
categorized as Reconnaissance and Planning is followed by Initial Compromise with the same user or host.
AIE Rule ID: 1008
Attack Lifecycle: Progression

Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed
activity categorized as Reconnaissance and Planning is followed by Initial Compromise with the same user or host.
Common Event: AIE: Progression: to Initial Compromise
Classification: Attack

Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1

Log Sources (minimum)


Not applicable

Log Sources (recommended)


Not applicable

Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a
Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events
which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User
or Host specified to look for related activity.

Use Case
Not applicable

Progression: to Command and Control


Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity
categorized as Reconnaissance and Planning or Initial Compromise is followed by Command and Control with the same
user or host.
AIE Rule ID: 1009
Attack Lifecycle: Progression

Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed
activity categorized as Reconnaissance and Planning or Initial Compromise is followed by Command and Control
with the same user or host.
Common Event: AIE: Progression: to Command and Control
Classification: Attack
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1

Log Sources (minimum)


Not applicable

Log Sources (recommended)


Not applicable

Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a
Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events
which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User
or Host specified to look for related activity.

Use Case
Not applicable

Progression: to Lateral Movement


Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity
categorized as an earlier stage is followed by Lateral Movement with the same user or host.
AIE Rule ID: 1010
Attack Lifecycle: Progression

Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed
activity categorized as an earlier stage is followed by Lateral Movement with the same user or host.
Common Event: AIE: Progression: to Lateral Movement
Classification: Attack
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1

Log Sources (minimum)


Not applicable

Log Sources (recommended)


Not applicable

Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a
Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events
which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User
or Host specified to look for related activity.

Use Case
Not applicable

Progression: to Target Attainment


Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity
categorized as any earlier stage is followed by Target Attainment with the same user or host.
AIE Rule ID: 1011
Attack Lifecycle: Progression

Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed
activity categorized as any earlier stage is followed by Target Attainment with the same user or host.
Common Event: AIE: Progression: to Target Attainment
Classification: Compromise
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1

Log Sources (minimum)


Not applicable

Log Sources (recommended)


Not applicable

Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a
Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events
which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User
or Host specified to look for related activity.

Use Case
Not applicable

Progression: to Exfiltration, Corruption, Disruption


Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity
categorized as any earlier stage is followed by Exfiltration, Corruption, Disruption with the same user or host.
AIE Rule ID: 1012
Attack Lifecycle: Progression

Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed
activity categorized as any earlier stage is followed by Exfiltration, Corruption, Disruption with the same user or
host.
Common Event: AIE: Progression: to Exfiltration, Corruption, Disruption
Classification: Compromise
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1

Log Sources (minimum)


Not applicable

Log Sources (recommended)


Not applicable

Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a
Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events
which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User
or Host specified to look for related activity.

Use Case
Not applicable

Progression: to Initial Compromise


Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity
categorized as Reconnaissance and Planning is followed by Initial Compromise with the same user or host.
AIE Rule ID: 1013

Attack Lifecycle: Progression

Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed
activity categorized as Reconnaissance and Planning is followed by Initial Compromise with the same user or host.
Common Event: AIE: Progression: to Initial Compromise
Classification: Attack
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1

Log Sources (minimum)


Not applicable

Log Sources (recommended)


Not applicable

Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a
Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events
which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User
or Host specified to look for related activity.

Use Case
Not applicable

Progression: to Command and Control


Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity
categorized as Reconnaissance and Planning or Initial Compromise is followed by Command and Control with the same
user or host.
AIE Rule ID: 1014
Attack Lifecycle: Progression

Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed
activity categorized as Reconnaissance and Planning or Initial Compromise is followed by Command and Control
with the same user or host.
Common Event: AIE: Progression: to Command and Control

Classification: Attack
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1

Log Sources (minimum)


Not applicable

Log Sources (recommended)


Not applicable

Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a
Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events
which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User
or Host specified to look for related activity.

Use Case
Not applicable

Progression: to Lateral Movement


Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity
categorized as an earlier stage is followed by Lateral Movement with the same user or host.
AIE Rule ID: 1015
Attack Lifecycle: Progression

Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed
activity categorized as an earlier stage is followed by Lateral Movement with the same user or host.
Common Event: AIE: Progression: to Lateral Movement
Classification: Attack
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1

Log Sources (minimum)


Not applicable

Log Sources (recommended)


Not applicable

Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a
Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events
which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User
or Host specified to look for related activity.

Use Case
Not applicable

Progression: to Target Attainment


Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity
categorized as any earlier stage is followed by Target Attainment with the same user or host.
AIE Rule ID: 1016
Attack Lifecycle: Progression

Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed
activity categorized as any earlier stage is followed by Target Attainment with the same user or host.
Common Event: AIE: Progression: to Target Attainment
Classification: Compromise
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1

Log Sources (minimum)


Not applicable

Log Sources (recommended)


Not applicable

Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a
Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events
which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User
or Host specified to look for related activity.

Use Case
Not applicable

Progression: to Exfiltration, Corruption, Disruption


Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed activity
categorized as any earlier stage is followed by Exfiltration, Corruption, Disruption with the same user or host.
AIE Rule ID: 1017
Attack Lifecycle: Progression

Rule Description
Progression rules monitor for activity moving through the attack lifecycle. This alarm will fire when observed
activity categorized as any earlier stage is followed by Exfiltration, Corruption, Disruption with the same user or
host.
Common Event: AIE: Progression: to Exfil, Corruption, Disruption
Classification: Compromise
Suppression Period: 1
Environmental Dependence Factor: 3
False Positive Probability: 1

Log Sources (minimum)


Not applicable

Log Sources (recommended)


Not applicable

Actions
This rule looks for AIE Feedback events which move through the Attack Lifecycle stages. There will always be a
Host (Impacted), Host (Origin), or User (Origin) in common. Drilling down on this alarm will return the AIE events
which triggered it. Drill down on those events to return the underlying log data. Run an investigation for the User
or Host specified to look for related activity.

Use Case
Not applicable

Compromise: Obsolete SSL/TLS Version


Older versions of SSL/TLS have known vulnerabilities that attackers may exploit. Visibility into devices still using
these versions helps organizations identify systems that need to be upgraded.
AIE Rule ID: 1180
Attack Lifecycle: Initial Compromise

Rule Description
SSL/TLS Vulnerable Versions Detected.
Common Event: AIE: Compromise: Obsolete SSL/TLS Version
Classification: Suspicious
Suppression Period: 1
Environmental Dependence Factor: 2
False Positive Probability: 3

Log Sources (minimum)


Firewall or Network Flow Data

Log Sources (recommended)


LogRhythm Network Monitor, Next Gen Firewall

Actions
Investigate the Origin IP and Origin Application if it’s known, quarantine unknown hosts to a Remediation VLAN,
block the Origin IP from inbound and outbound on perimeter Firewall. Determine if Impacted IP Host, Application
and reputation are known, block the Impacted IP from inbound and outbound on perimeter Firewall if unknown
or add to Watch List for further assessment.

Use Case
Older versions of SSL/TLS are exposed to man-in-the-middle (MITM) attacks in which encrypted data can be read by
unintended recipients. Many web servers and browsers are configured to fall back to an older, most likely vulnerable,
version of SSL/TLS if they cannot negotiate at the recommended version, and an attacker in the path can force that
fallback by interfering with the initial handshake. Clients that implement TLS_FALLBACK_SCSV (RFC 7507) signal the
downgraded retry so that a server supporting newer versions can reject it.
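Flagging an obsolete version means reading what the ServerHello actually selects, not just its version field: a TLS 1.3 server writes 0x0303 (TLS 1.2) into the legacy version field and carries the real selection in the supported_versions extension. The Python below is an added example, not LogRhythm or Network Monitor code. Which versions count as obsolete is a policy choice made for the example (everything before TLS 1.2), and the ServerHello records are constructed, not captured.

```python
import struct

# Versions treated as obsolete here: a policy choice for the example, not from the guide.
OBSOLETE = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1"}
VERSION_NAMES = {**OBSOLETE, 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
HANDSHAKE, SERVER_HELLO, EXT_SUPPORTED_VERSIONS = 0x16, 0x02, 43


def negotiated_version(record: bytes) -> int:
    """Return the version a ServerHello actually selects.

    A TLS 1.3 server puts 0x0303 in the legacy version field and the real choice in
    the supported_versions extension, so that extension takes precedence when present.
    Only the SSL 3.0+ record layout is parsed; SSL 2.0 uses a different framing."""
    content_type, _record_version, record_len = struct.unpack("!BHH", record[:5])
    if content_type != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + record_len]
    if body[0] != SERVER_HELLO:
        raise ValueError("not a ServerHello")
    hello = body[4:4 + int.from_bytes(body[1:4], "big")]
    version = int.from_bytes(hello[0:2], "big")
    pos = 2 + 32                                   # legacy_version, random
    pos += 1 + hello[pos]                          # session_id (length-prefixed)
    pos += 2 + 1                                   # cipher_suite, compression_method
    if pos >= len(hello):
        return version                             # no extensions block at all
    end = pos + 2 + int.from_bytes(hello[pos:pos + 2], "big")
    pos += 2
    while pos + 4 <= end:
        ext_type = int.from_bytes(hello[pos:pos + 2], "big")
        ext_len = int.from_bytes(hello[pos + 2:pos + 4], "big")
        if ext_type == EXT_SUPPORTED_VERSIONS and ext_len == 2:
            return int.from_bytes(hello[pos + 4:pos + 6], "big")
        pos += 4 + ext_len
    return version


def classify(record: bytes):
    """(human-readable version, is_obsolete) for one ServerHello record."""
    v = negotiated_version(record)
    return VERSION_NAMES.get(v, f"unknown 0x{v:04x}"), v in OBSOLETE


def build_server_hello(legacy_version, selected_version=None):
    """Constructed ServerHello bytes for the samples below (random and session id zeroed)."""
    hello = struct.pack("!H", legacy_version) + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    if selected_version is not None:
        ext = struct.pack("!HHH", EXT_SUPPORTED_VERSIONS, 2, selected_version)
        hello += struct.pack("!H", len(ext)) + ext
    body = bytes([SERVER_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return struct.pack("!BHH", HANDSHAKE, legacy_version, len(body)) + body


# Constructed sessions, labelled; a sensor would key these by client and server address.
SAMPLE_SESSIONS = {
    "legacy-app:443": build_server_hello(0x0301),
    "old-vpn:443": build_server_hello(0x0300),
    "web:443": build_server_hello(0x0303),
    "api:443": build_server_hello(0x0303, selected_version=0x0304),
}


def obsolete_sessions(sessions):
    """Labels of sessions negotiated with an obsolete version, with the version name."""
    return {label: classify(rec)[0] for label, rec in sessions.items() if classify(rec)[1]}


if __name__ == "__main__":
    for label, rec in SAMPLE_SESSIONS.items():
        print(label, *classify(rec))
```

The negotiated version is visible in the clear even though the session payload is encrypted, so a network sensor can apply this without keys. The alarm is most useful when it records both peers, since either the server or the client may be the one insisting on the old version.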

Core Threat Detection User Guide—Reports


This section includes the Reports that are included in the Core Threat Detection Module.

Account Management Activity


Summarizes all account management activity.
Report ID: 1014

Minimum Log Sources


Active Directory or LDAP

Recommended Log Sources


Host Logs

Top Attackers Summary


Summarizes top attackers by Origin Host.
Report ID: 1015

Minimum Log Sources


Any Security Log Source

Recommended Log Sources


• Antivirus
• Intrusion Detection System
• Vulnerability Scanner
• LogRhythm Network Monitor
• Next Generation Firewall
