Vendor: Cisco
June 14, 2023
Product: AnyConnect
Use-Case: Account Manipulation

| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 7 | 7 | 2 | 1 | 1 |

| Event Type | Rules | Models |
|---|---|---|
| vpn-logout | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions<br>↳ EM-InB-Perm-A: Abnormal number of mailbox permission given by user.<br><br>T1484 - Group Policy Modification<br>↳ FDS-Count: Abnormal number of failed directory service events in the organization<br>↳ FDS-GCount: Abnormal number of failed directory service events in the peer group<br>↳ FDS-UCount: Abnormal number of failed directory service events in the user<br>↳ DS-Count: Abnormal number of directory service events in the organization<br>↳ DS-GCount: Abnormal number of directory service events in the peer group<br>↳ DS-UCount: Abnormal number of directory service events in the user | • EM-InB-Perm: Models the number of mailbox permissions given by this user.<br>• DS-UCount: Count of directory service activity events in the user<br>• DS-GCount: Count of directory service activity events in the peer group<br>• DS-Count: Count of directory service activity events in the organization<br>• FDS-UCount: Count of failed directory service activity events in the user<br>• FDS-GCount: Count of failed directory service activity events in the peer group<br>• FDS-Count: Count of failed directory service activity events in the organization |