Vendor: Cisco

June 14, 2023 · View on GitHub

Product: Netflow

Use-Case: Lateral Movement

RulesModelsMITRE ATT&CK® TTPsEvent TypesParsers
51211111
Event TypeRulesModels
netflow-connectionT1190 - Exploit Public Fasing Application
A-NET-HCountry-Inbound-F: First inbound connection from this country for asset
A-NET-HCountry-Inbound-A: Abnormal connection from this country for asset
A-NET-ZCountry-Inbound-F: First inbound connection from this country for zone
A-NET-ZCountry-Inbound-A: Abnormal connection from this country for the zone
A-NET-OCountry-Inbound-F: First inbound connection from this country for organization
A-NET-OCountry-Inbound-A: Abnormal connection from this country for the organization
A-NET-Log4j-IP: Asset was accessed by an external IP associated with Log4j exploit

T1071 - Application Layer Protocol
A-NET-ZdH-Inbound-A: Abnormal inbound connection to host for the zone.

TA0011 - TA0011
A-NETFLOW-sHdP-F: First time access of this port by this asset
A-NETFLOW-sHdP-A: Abnormal access to port by this asset
A-NETFLOW-sHdP-Server-F: First/Abnormal access of this port by this server
A-NET-HCountry-Inbound-F: First inbound connection from this country for asset
A-NET-HCountry-Inbound-A: Abnormal connection from this country for asset
A-NET-ZCountry-Inbound-F: First inbound connection from this country for zone
A-NET-ZCountry-Inbound-A: Abnormal connection from this country for the zone
A-NET-OCountry-Inbound-F: First inbound connection from this country for organization
A-NET-OCountry-Inbound-A: Abnormal connection from this country for the organization
A-NET-HCountry-Outbound-F: First outbound connection to this country from asset
A-NET-HCountry-Outbound-A: Abnormal outbound communication country for asset
A-NET-ZCountry-Outbound-F: First outbound connection to this country from zone
A-NET-ZCountry-Outbound-A: Abnormal outbound connection country for the zone
A-NET-OCountry-Outbound-F: First outbound connection to this country from organization
A-NET-OCountry-Outbound-A: Abnormal outbound connection country for the organization
A-NET-TI-H-Outbound: Outbound connection to a known malicious host
A-NET-TI-IP-Inbound: Inbound connection from a known malicious IP
A-NET-TI-H-Inbound: Inbound connection from a known malicious host
A-NET-OsH-Outbound-A: Abnormal outbound connection for asset in the organization
A-NET-ZsH-Outbound-F: First outbound connection for asset for zone
A-NET-ZsH-Outbound-A: Abnormal outbound connection for asset for zone
A-NET-HsH-Outbound-F: First outbound connection for asset
A-NET-HsH-Outbound-A: Abnormal outbound connection for asset
A-NET-OsZ-Outbound-F: First outbound connection from zone for organization
A-NET-OsZ-Outbound-A: Abnormal outbound connection from zone for organization
A-NET-ZsZ-Outbound-F: First outbound connection from zone
A-NET-ZsZ-Outbound-A: Abnormal outbound connection from zone for asset
A-NET-HsZ-Outbound-F: First outbound connection from zone for asset
A-NET-HsZ-Outbound-A: Abnormal outbound connection from zone
A-NET-OdH-Inbound-F: First inbound connection to host for the organization.
A-NET-OdH-Inbound-A: Abnormal inbound connection to host for the organization.
A-NET-ZdH-Inbound-F: First inbound connection to host for the zone.

TA0010 - TA0010
A-NET-HCountry-Outbound-F: First outbound connection to this country from asset
A-NET-HCountry-Outbound-A: Abnormal outbound communication country for asset
A-NET-ZCountry-Outbound-F: First outbound connection to this country from zone
A-NET-ZCountry-Outbound-A: Abnormal outbound connection country for the zone
A-NET-OCountry-Outbound-F: First outbound connection to this country from organization
A-NET-OCountry-Outbound-A: Abnormal outbound connection country for the organization
A-NET-OsH-Outbound-A: Abnormal outbound connection for asset in the organization
A-NET-ZsH-Outbound-F: First outbound connection for asset for zone
A-NET-ZsH-Outbound-A: Abnormal outbound connection for asset for zone
A-NET-HsH-Outbound-F: First outbound connection for asset
A-NET-HsH-Outbound-A: Abnormal outbound connection for asset
A-NET-OsZ-Outbound-F: First outbound connection from zone for organization
A-NET-OsZ-Outbound-A: Abnormal outbound connection from zone for organization
A-NET-ZsZ-Outbound-F: First outbound connection from zone
A-NET-ZsZ-Outbound-A: Abnormal outbound connection from zone for asset
A-NET-HsZ-Outbound-F: First outbound connection from zone for asset
A-NET-HsZ-Outbound-A: Abnormal outbound connection from zone

T1090.003 - Proxy: Multi-hop Proxy
A-NET-TOR-Outbound: Outbound connection to a known TOR IP
A-NET-TOR-Inbound: Inbound connection from a known TOR IP

T1021.001 - Remote Services: Remote Desktop Protocol
A-NETFLOW-RDP-F: Asset receiving RDP connection for the first time

T1046 - Network Service Scanning
A-NETFLOW-OsH-SweepScan-F: First time for asset to access 20 assets in 10 seconds
A-NETFLOW-OsH-PortScan-F: First vertical port scan for organization
A-NETFLOW-OsH-PortScan-A: Abnormal vertical port scan for organization

T1021 - Remote Services
A-RLA-sHdZ-F: First remote access to zone from asset
A-RLA-sHdZ-A: Abnormal remote access to zone from asset
A-RLA-dHsZ-F: First remote access from zone to asset
A-RLA-dHsZ-A: Abnormal remote access from zone to asset
A-NETFLOW-SP-F: Service running on port used by asset
A-NETFLOW-dZdP-LowPort-F: First time access to this port in this zone
A-NETFLOW-dZdP-LowPort-A: Abnormal access to this port in this zone
A-NETFLOW-dZdP-Service-F: First time access to this service in this zone
A-NETFLOW-dZdP-Service-A: Abnormal access to this service in this zone
A-NETFLOW-dHdP-LowPort-F: First time access to this port in this asset
A-NETFLOW-dHdP-LowPort-A: Abnormal access to this port in this asset

T1210 - Exploitation of Remote Services
A-NETFLOW-SP-F: Service running on port used by asset
A-NETFLOW-dZdP-LowPort-F: First time access to this port in this zone
A-NETFLOW-dZdP-LowPort-A: Abnormal access to this port in this zone
A-NETFLOW-dZdP-Service-F: First time access to this service in this zone
A-NETFLOW-dZdP-Service-A: Abnormal access to this service in this zone
A-NETFLOW-dHdP-LowPort-F: First time access to this port in this asset
A-NETFLOW-dHdP-LowPort-A: Abnormal access to this port in this asset

TA0008 - TA0008
A-NETFLOW-sHdP-F: First time access of this port by this asset
A-NETFLOW-sHdP-A: Abnormal access to port by this asset
A-NETFLOW-sHdP-Server-F: First/Abnormal access of this port by this server

T1018 - Remote System Discovery
A-RLA-sHdZ-F: First remote access to zone from asset
A-RLA-sHdZ-A: Abnormal remote access to zone from asset
A-RLA-dHsZ-F: First remote access from zone to asset
A-RLA-dHsZ-A: Abnormal remote access from zone to asset		A-NET-ZdH-Inbound: Hosts receiving inbound communications in the zone
A-NET-OdH-Inbound: Hosts receiving inbound communications in the organization
A-NET-HsZ-Outbound: Outbound communicating zones for the asset
A-NET-ZsZ-Outbound: Outbound communicating zones
A-NET-OsZ-Outbound: Outbound communicating zones in the organization
A-NET-HsH-Outbound: Outbound communicating hosts for the asset
A-NET-ZsH-Outbound: Outbound communicating hosts in the zone
A-NET-OsH-Outbound: Outbound communicating hosts
A-NET-OCountry-Outbound: Outbound country per organization
A-NET-ZCountry-Outbound: Outbound country per zone
A-NET-HCountry-Outbound: Outbound country per asset
A-NET-OCountry-Inbound: Origination country per organization
A-NET-ZCountry-Inbound: Origination country per zone
A-NET-HCountry-Inbound: Inbound country per asset
A-NETFLOW-RDP-DestHost: Asset accessing RDP services.
A-NETFLOW-OsH-Scanners: Assets that access multiple assets within seconds in the organization
A-NETFLOW-dHdP: Destination Ports per asset
A-NETFLOW-dZdP: Destination Ports per zone
A-NETFLOW-sHdP: Ports accessed by this asset
A-RLA-dHsZ: Destination Host to Source zone communication
A-RLA-sHdZ: Source Host to Destination zone communication