Vendor: Cisco
June 14, 2023 · View on GitHub
Product: ISE
Use-Case: Account Manipulation
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 10 | 7 | 2 | 2 | 2 |
| Event Type | Rules | Models |
|---|---|---|
| app-activity | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions ↳ EM-InB-Ex: A user has been given mailbox permissions for an executive user ↳ EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own ↳ EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions | • EM-InB-Perm-N: Models users who give mailbox permissions |
| vpn-logout | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions ↳ EM-InB-Perm-A: Abnormal number of mailbox permission given by user. T1484 - Group Policy Modification ↳ FDS-Count: Abnormal number of failed directory service events in the organization ↳ FDS-GCount: Abnormal number of failed directory service events in the peer group ↳ FDS-UCount: Abnormal number of failed directory service events in the user ↳ DS-Count: Abnormal number of directory service events in the organization ↳ DS-GCount: Abnormal number of directory service events in the peer group ↳ DS-UCount: Abnormal number of directory service events in the user | • EM-InB-Perm: Models the number of mailbox permissions given by this user. • DS-UCount: Count of directory service activity events in the user • DS-GCount: Count of directory service activity events in the peer group • DS-Count: Count of directory service activity events in the organization • FDS-UCount: Count of failed directory service activity events in the user • FDS-GCount: Count of failed directory service activity events in the peer group • FDS-Count: Count of failed directory service activity events in the organization |