Vendor: Cisco
June 14, 2023 · View on GitHub
Product: ISE
Use-Case: Compromised Credentials
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 99 | 50 | 9 | 7 | 7 |
| Event Type | Rules | Models |
|---|---|---|
| app-activity | T1078 - Valid Accounts ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries ↳ APP-UApp-F: First login or activity within an application for user ↳ APP-UApp-A: Abnormal login or activity within an application for user ↳ APP-AppU-F: First login to an application for a user with no history ↳ APP-F-SA-NC: New service account access to application ↳ APP-AppG-F: First login to an application for group ↳ APP-GApp-A: Abnormal login to an application for group ↳ APP-UTi: Abnormal user activity time ↳ APP-UAg-F: First user agent string for user ↳ APP-UAg-2: Second new user agent string for user ↳ APP-UAg-3: More than two new user agents used by the user in the same session ↳ APP-UOs-F: First os/browser combination for user ↳ APP-UsH-F: First source asset for user in application ↳ APP-UsH-A: Abnormal source asset for user in application ↳ APP-UOb-F: First access to application object for user ↳ APP-UOb-A: Abnormal access to application object for user ↳ APP-UappA-F: First application activity for user ↳ APP-UappA-A: Abnormal application activity for user ↳ APP-GappA-F: First application activity for peer group ↳ APP-GappA-A: Abnormal application activity for peer group ↳ APP-AA-F: First application activity in the organization ↳ APP-AA-A: Abnormal activity in application for the organization ↳ APP-UId-F: First use of client Id for user ↳ APP-IdU-F: Reuse of client Id ↳ APP-UMime-F: First mime type for user ↳ APP-UMime-A: Abnormal mime type for user ↳ APP-GMime-F: First mime type for peer group ↳ APP-GMime-A: Abnormal mime type for peer group ↳ APP-OMime-F: First mime type for organization ↳ APP-OMime-A: Abnormal mime type for organization ↳ APP-AppSz-F: First application access from network zone ↳ APP-AT-PRIV: Non-privileged user performing privileged application activity ↳ APP-AppED-F: New Email-domain found in application T1133 - External Remote Services ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries | • APP-AppED: Email-domains per application • APP-AT-PRIV: Privileged application activities • APP-AppSz: Source zones per application • APP-OMime: Mime types for organization • APP-GMime: Mime types per peer group • APP-UMime: Mime types per user • APP-IdU: User per Client Id • APP-UId: Client Id per User • APP-AA: Activity per application • APP-GappA: Application activity per peer group • APP-UappA: Application activity per user • APP-UOb: Application objects per user • APP-UsH: User's machines accessing applications • APP-UOs-New: OS and Browser from user agent • APP-UAg: User Agent Strings • APP-UTi: Application activity time for user • APP-GApp: Group Logons to Applications • APP-AppG: Groups per Application • APP-AppU: User Logons to Applications • APP-UApp: Applications per User • UA-OC: Countries for organization • UA-GC: Countries for peer groups • UA-UC: Countries for user activity • UA-UI-new: ISP of users during application activity |
| authentication-successful | T1078 - Valid Accounts ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries T1133 - External Remote Services ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries | • UA-OC: Countries for organization • UA-GC: Countries for peer groups • UA-UC: Countries for user activity • UA-UI-new: ISP of users during application activity |
| failed-logon | T1078 - Valid Accounts ↳ SEQ-UH-04: Failed logon by a service account ↳ SEQ-UH-05: Failed interactive logon by a service account ↳ SEQ-UH-07: Failed logon to an asset that user has not previously accessed | • AE-UA: All activity for users |
| failed-vpn-login | T1133 - External Remote Services ↳ SEQ-UH-15: Failed VPN login | |
| nac-logon | T1021 - Remote Services ↳ NAC-OAt-F: First authentication type for organization ↳ NAC-OAt-A: Abnormal authentication type for organization ↳ NAC-GAt-F: First authentication type for peer group ↳ NAC-GAt-A: Abnormal authentication type for peer group ↳ NAC-UAt-F: First authentication type for user ↳ NAC-UAt-A: Abnormal authentication type for user T1078 - Valid Accounts ↳ NAC-UAt-F: First authentication type for user ↳ NAC-UAt-A: Abnormal authentication type for user | • NAC-UAt: Authentication Types for user • NAC-GAt: Authentication Types for peer group • NAC-OAt: Authentication Types for organization |
| remote-logon | T1078 - Valid Accounts ↳ A-AL-DhU-F: First user per asset ↳ A-AL-DhU-A: Abnormal user per asset ↳ AL-UT-F: Logon to New Asset Type ↳ AL-UT-A: Logon to Abnormal asset type ↳ AL-F-F-CS: First logon to a critical system for user ↳ AL-F-A-CS: Abnormal logon to a critical system for user ↳ AL-UH-CS-NC: Logon to a critical system for a user with no information ↳ AL-OU-F-CS: First logon to a critical system that user has not previously accessed ↳ RL-UH-F: First remote logon to asset ↳ RL-UH-A: Abnormal remote logon to asset ↳ AL-UZ-F: First logon to network zone ↳ AL-UZ-A: Abnormal logon to network zone ↳ RL-GH-F: First remote logon to asset for group ↳ UA-UI-F: First activity from ISP ↳ RL-GH-A-new: Abnormal remote logon to asset for group by new user ↳ AL-GZ-F-new: First logon to network zone for new user of group ↳ AL-GZ-A-new: Abnormal logon to network zone for group of new user ↳ RL-HU-F-new: Remote logon to private asset for new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries T1133 - External Remote Services ↳ UA-UI-F: First activity from ISP ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries T1021 - Remote Services ↳ RL-UZ-F-DC: First logon to a Domain Controller from zone for user ↳ RL-OZ-F-DC: First logon to a Domain Controller from zone for organization ↳ RL-OZ-A-DC: Abnormal logon to a Domain Controller from zone for organization ↳ RL-UH-F: First remote logon to asset ↳ RL-UH-A: Abnormal remote logon to asset ↳ RL-GH-F: First remote logon to asset for group ↳ RL-GH-A-new: Abnormal remote logon to asset for group by new user ↳ RL-HU-F-new: Remote logon to private asset for new user T1550 - Use Alternate Authentication Material ↳ RLA-UAPackage-F: First time usage of Windows authentication package ↳ RLA-UAPackage-A: Abnormal usage of Windows authentication package T1078.002 - T1078.002 ↳ SL-UH-I: Interactive logon using a service account ↳ SL-UH-A: Abnormal access from asset for a service account ↳ AL-F-F-DC-G: First logon to a Domain Controller for peer group ↳ AL-F-A-DC-G: Abnormal logon to a Domain Controller for Peer Group ↳ AL-UH-F-DC: First logon to this Domain Controller for user ↳ AL-UH-A-DC: Abnormal logon to a Domain Controller that user has not accessed often previously ↳ AL-UH-DC-NC: Logon to a Domain Controller for user with no information ↳ RL-UZ-F-DC: First logon to a Domain Controller from zone for user ↳ RL-OZ-F-DC: First logon to a Domain Controller from zone for organization ↳ RL-OZ-A-DC: Abnormal logon to a Domain Controller from zone for organization T1550.003 - Use Alternate Authentication Material: Pass the Ticket ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected T1558 - Steal or Forge Kerberos Tickets ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected T1078.003 - Valid Accounts: Local Accounts ↳ AL-HLocU-F: First local user logon to this asset ↳ AL-HLocU-A: Abnormal local user logon to this asset | • RL-HU: Remote logon users • AL-GZ: Network zones accessed by this peer group • RL-GH-A: Assets accessed remotely by this peer group • RLA-UAPackage: Windows authentication packages used when connecting to remote hosts • UA-UI-new: ISP of users during application activity • RL-UH: Remote logons • RL-OZ-DC: Source zones in the organization during domain controller access • RL-UZ-DC: Source zones per user logging into domain controller • RA-UH: Assets accessed by this user remotely • AL-UH-DC: Logons to Domain Controllers • AL-OU-CS: Logon to critical servers • AL-UT: Types of hosts • AL-UsH: Source hosts per User • IL-UH-SA: Interactive logon hosts for service accounts • NKL-HU: Users logging into this host remotely • A-AL-DhU: Users per Host |
| vpn-login | T1133 - External Remote Services ↳ SL-UA-F-VPN: First VPN connection for service account ↳ AE-UA-F-VPN: First VPN connection for user ↳ UA-UI-F: First activity from ISP ↳ VPN-GsH-F: First VPN connection from device for peer group ↳ VPN-GsH-A: Abnormal VPN connection from device for peer group ↳ AE-GA-F-VPN-new: First VPN connection for group of new user ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries ↳ PA-VPN-01: VPN login after badge access T1078 - Valid Accounts ↳ SL-UA-F-VPN: First VPN connection for service account ↳ AE-UA-F-VPN: First VPN connection for user ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries | • PA-VPN-01: Users who vpn-in after badge access • UA-OC: Countries for organization • UA-GC: Countries for peer groups • UA-UC: Countries for user activity • AE-GA: All activity for peer groups • VPN-GsH: VPN endpoints in this peer group • UA-UI-new: ISP of users during application activity • AE-UA: All activity for users |
| vpn-logout | T1110 - Brute Force ↳ APP-UFL-COUNT: Abnormal number of failed application logins for user T1078 - Valid Accounts ↳ AL-UHcount-S: Abnormal number of logon assets (S) ↳ AL-UHcount-M: Abnormal number of logon assets (M) ↳ AL-UHcount-L: Abnormal number of logon assets (L) ↳ AL-OHcount: Abnormal number of logged on assets compared to the organization ↳ AL-GHcount: Abnormal number of logged on assets compared to group ↳ VPN-End-DUR: Abnormal VPN session duration ↳ DC08d-new: Abnormal number of assets compared to group for a new user ↳ DC14g-new: Abnormal number of accessed assets for group of new user ↳ DC17j-new: Abnormal number of accessed zones for group of a new user ↳ APP-UAgC-F: First activity from country and first os/browser/user agent for user in same session T1133 - External Remote Services ↳ VPN-BSum: Abnormal amount of data uploaded during VPN Session ↳ VPN-End-DUR: Abnormal VPN session duration | • APP-UFL-COUNT: Count of failed application logins in a session • VPN-End-DUR: VPN session duration • VPN-BSum: Sum of bytes uploaded during VPN • AL-OHcount: Count of assets logon per user in the organization |