Vendor: BeyondTrust
June 14, 2023
Product: BeyondInsight
Use-Case: Privileged Activity
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 13 | 8 | 2 | 5 | 5 |
| Event Type | Rules | Models |
|---|---|---|
| account-switch | T1078 - Valid Accounts ↳ AS-UA-F-PRIV: Account switch to a privileged or executive account | |
| app-activity | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account ↳ APP-AT-PRIV: Non-privileged user performing privileged application activity | • APP-AT-PRIV: Privileged application activities |
| app-login | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account | |
| failed-app-login | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account | |
| privileged-access | TA0002 - Execution ↳ WPA-UP-F: First privileged process for user ↳ WPA-UP-A: Abnormal privileged process for user ↳ WPA-GP-F: First privileged process for peer group ↳ WPA-GP-A: Abnormal privileged process for peer group ↳ WPA-PD-F: First directory for privileged process ↳ WPA-PD-A: Abnormal directory for privileged process ↳ WPA-HP-F: First privileged process for host ↳ WPA-HP-A: Abnormal privileged process for host ↳ WPA-OP-F: First privileged process for organization ↳ WPA-OP-A: Abnormal privileged process for organization | • WPA-OP: Processes for organization • WPA-HP: Processes for host • WPA-PD: Directories per process • WPA-GP: Privileged processes for peer group • WPA-GP-All: Processes for peer group • WPA-UP: Privileged processes for user • WPA-UP-All: Processes for user |