Vendor: Microsoft
June 14, 2023
Product: Azure
Use-Case: Compromised Credentials
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 217 | 87 | 22 | 12 | 12 |
| Event Type | Rules (grouped by MITRE ATT&CK TTP) | Models |
|---|---|---|
| app-activity | T1078 - Valid Accounts ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries ↳ APP-UApp-F: First login or activity within an application for user ↳ APP-UApp-A: Abnormal login or activity within an application for user ↳ APP-AppU-F: First login to an application for a user with no history ↳ APP-F-SA-NC: New service account access to application ↳ APP-AppG-F: First login to an application for group ↳ APP-GApp-A: Abnormal login to an application for group ↳ APP-UTi: Abnormal user activity time ↳ APP-UAg-F: First user agent string for user ↳ APP-UAg-2: Second new user agent string for user ↳ APP-UAg-3: More than two new user agents used by the user in the same session ↳ APP-UOs-F: First os/browser combination for user ↳ APP-UsH-F: First source asset for user in application ↳ APP-UsH-A: Abnormal source asset for user in application ↳ APP-UOb-F: First access to application object for user ↳ APP-UOb-A: Abnormal access to application object for user ↳ APP-UappA-F: First application activity for user ↳ APP-UappA-A: Abnormal application activity for user ↳ APP-GappA-F: First application activity for peer group ↳ APP-GappA-A: Abnormal application activity for peer group ↳ APP-AA-F: First application activity in the organization ↳ APP-AA-A: Abnormal activity in application for the organization ↳ APP-UId-F: First use of client Id for user ↳ APP-IdU-F: Reuse of client Id ↳ APP-UMime-F: First mime type for user ↳ APP-UMime-A: Abnormal mime type for user ↳ APP-GMime-F: First mime type for peer group ↳ APP-GMime-A: Abnormal mime type for peer group ↳ APP-OMime-F: First mime type for organization ↳ APP-OMime-A: Abnormal mime type for organization ↳ APP-AppSz-F: First application access from network zone ↳ APP-AT-PRIV: Non-privileged user performing privileged application activity ↳ APP-AppED-F: New Email-domain found in application T1133 - External Remote Services ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries | • APP-AppED: Email-domains per application • APP-AT-PRIV: Privileged application activities • APP-AppSz: Source zones per application • APP-OMime: Mime types for organization • APP-GMime: Mime types per peer group • APP-UMime: Mime types per user • APP-IdU: User per Client Id • APP-UId: Client Id per User • APP-AA: Activity per application • APP-GappA: Application activity per peer group • APP-UappA: Application activity per user • APP-UOb: Application objects per user • APP-UsH: User's machines accessing applications • APP-UOs-New: OS and Browser from user agent • APP-UAg: User Agent Strings • APP-UTi: Application activity time for user • APP-GApp: Group Logons to Applications • APP-AppG: Groups per Application • APP-AppU: User Logons to Applications • APP-UApp: Applications per User • UA-OC: Countries for organization • UA-GC: Countries for peer groups • UA-UC: Countries for user activity • UA-UI-new: ISP of users during application activity |
| app-login | T1190 - Exploit Public-Facing Application ↳ A-APP-Log4j-String: There was an attempt via app activity to exploit the CVE-2021-44228 vulnerability on this asset. ↳ A-App-Log4j-String-2: There was an attempt via app activity to exploit the CVE-2021-44228 vulnerability using known keywords on the asset. ↳ APP-Log4j-String-2: There was an attempt via app activity to exploit the CVE-2021-44228 vulnerability using known keywords. T1078 - Valid Accounts ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries ↳ APP-UApp-F: First login or activity within an application for user ↳ APP-UApp-A: Abnormal login or activity within an application for user ↳ APP-AppU-F: First login to an application for a user with no history ↳ APP-F-SA-NC: New service account access to application ↳ APP-AppG-F: First login to an application for group ↳ APP-GApp-A: Abnormal login to an application for group ↳ APP-UTi: Abnormal user activity time ↳ APP-UAg-F: First user agent string for user ↳ APP-UAg-2: Second new user agent string for user ↳ APP-UAg-3: More than two new user agents used by the user in the same session ↳ APP-UOs-F: First os/browser combination for user ↳ APP-UsH-F: First source asset for user in application ↳ APP-UsH-A: Abnormal source asset for user in application ↳ APP-UId-F: First use of client Id for user ↳ APP-IdU-F: Reuse of client Id ↳ APP-AppSz-F: First application access from network zone ↳ APP-AppED-F: New Email-domain found in application T1133 - External Remote Services ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries | • APP-AppED: Email-domains per application • APP-AppSz: Source zones per application • APP-IdU: User per Client Id • APP-UId: Client Id per User • APP-UsH: User's machines accessing applications • APP-UOs-New: OS and Browser from user agent • APP-UAg: User Agent Strings • APP-UTi: Application activity time for user • APP-GApp: Group Logons to Applications • APP-AppG: Groups per Application • APP-AppU: User Logons to Applications • APP-UApp: Applications per User • UA-OC: Countries for organization • UA-GC: Countries for peer groups • UA-UC: Countries for user activity • UA-UI-new: ISP of users during application activity |
| authentication-successful | T1078 - Valid Accounts ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries T1133 - External Remote Services ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries | • UA-OC: Countries for organization • UA-GC: Countries for peer groups • UA-UC: Countries for user activity • UA-UI-new: ISP of users during application activity |
| database-query | T1213 - Data from Information Repositories ↳ DB-DbU-F: First access to database for user ↳ DB-DbU-A: Abnormal access to database for user ↳ DB-DbG-F: First access to database for peer group ↳ DB-DbG-A: Abnormal access to database for peer group ↳ DB-UDbZ-F: First database activity from source zone per user, database ↳ DB-UDbZ-A: Abnormal database activity from source zone per user, database ↳ DB-UDbH-F: First database activity from host per user, database ↳ DB-UDbH-A: Abnormal database activity from host per user, database ↳ DB-UDbI-F: First database activity from IP per user, database ↳ DB-UDbI-A: Abnormal database activity from IP per user, database ↳ DB-UDbO-F: First database operation for user, database ↳ DB-UDbO-A: Abnormal database operation for user, database ↳ DB-GDbO-F: First database operation for peer group, database ↳ DB-GDbO-A: Abnormal database operation for peer group, database ↳ DB-DbZO-F: First database operation from source zone for database ↳ DB-DbZO-A: Abnormal database operation from source zone for database ↳ DB-UDbR: Abnormal database query response size for user, database ↳ DB-DbZR: Abnormal database query response size for source zone, database | • DB-DbZR: Response size of database queries per zone, database • DB-UDbR: Response size of database queries per user, database • DB-DbZO: Database operations per database, source zone • DB-GDbO: Database operations per peer group, database • DB-UDbO: Database operations per user, database • DB-UDbI: Database activity from source IP per user, database • DB-UDbH: Database activity from host per user, database • DB-UDbZ: Database activity from source zone per user, database • DB-DbG: Peer groups per database • DB-DbU: Users per database |
| failed-app-login | T1078 - Valid Accounts ↳ APP-F-FL: Failed login to application | |
| file-delete | T1083 - File and Directory Discovery ↳ FA-UA-UI-F: First file activity from ISP ↳ FA-UA-UC-F: First file activity from country for user ↳ FA-UA-UC-A: Abnormal file activity from country for user ↳ FA-UA-GC-F: First file activity from country for group ↳ FA-UA-GC-A: Abnormal file activity from country for group ↳ FA-UA-OC-F: First file activity from country for organization ↳ FA-UA-OC-A: Abnormal file activity from country for organization ↳ FA-UTi: Abnormal user file activity time ↳ FA-UH-F: First file access from asset for user ↳ FA-UH-A: Abnormal file access from asset for user ↳ FA-OZ-F: First file access from network zone for organization ↳ FA-OZ-A: Abnormal file access from network zone for organization ↳ FA-UZ-F: First file access from network zone for user ↳ FA-UZ-A: Abnormal file access from network zone for user ↳ FA-UA-F: First file access activity for user ↳ FA-UA-A: Abnormal file access activity for user ↳ FA-OU-F: First access to source code files for user in the organization ↳ FA-OU-A: Abnormal access to source code files for user in the organization ↳ FA-OG-F: First access to source code files for user in the peer group ↳ FA-OG-A: Abnormal access to source code files for user in the peer group ↳ FA-UD-F: First file server access for user ↳ FA-UD-A: Abnormal file server access for user ↳ FA-GD-F: First file server access for group ↳ FA-GD-A: Abnormal file server access for group | • FA-GD: File server access per group • FA-UD: File server access per user • FA-OG: Users accessing source code files in the peer group • FA-OU: Users accessing source code files in the organization • FA-UA: File access activities for user • FA-UZ: File accesses from network zone for user • FA-OZ: File accesses from network zone for organization • FA-UH: User file access source host • FA-UTi: File activity time for user • FA-UA-OC: Countries for organization file activities • FA-UA-GC: Countries for peer groups file activities • FA-UA-UC: Countries for user file activity • FA-UA-UI-new: ISP of users during file activity |
| file-read | T1003.001 - OS Credential Dumping: LSASS Memory ↳ A-FA-LSASS: Possible Mimikatz attack on this asset by a user process ↳ FA-LSASS: Possible Mimikatz attack by a user process T1083 - File and Directory Discovery ↳ FA-UA-UI-F: First file activity from ISP ↳ FA-UA-UC-F: First file activity from country for user ↳ FA-UA-UC-A: Abnormal file activity from country for user ↳ FA-UA-GC-F: First file activity from country for group ↳ FA-UA-GC-A: Abnormal file activity from country for group ↳ FA-UA-OC-F: First file activity from country for organization ↳ FA-UA-OC-A: Abnormal file activity from country for organization ↳ FA-UTi: Abnormal user file activity time ↳ FA-UH-F: First file access from asset for user ↳ FA-UH-A: Abnormal file access from asset for user ↳ FA-OZ-F: First file access from network zone for organization ↳ FA-OZ-A: Abnormal file access from network zone for organization ↳ FA-UZ-F: First file access from network zone for user ↳ FA-UZ-A: Abnormal file access from network zone for user ↳ FA-UA-F: First file access activity for user ↳ FA-UA-A: Abnormal file access activity for user ↳ FA-OU-F: First access to source code files for user in the organization ↳ FA-OU-A: Abnormal access to source code files for user in the organization ↳ FA-OG-F: First access to source code files for user in the peer group ↳ FA-OG-A: Abnormal access to source code files for user in the peer group ↳ FA-UD-F: First file server access for user ↳ FA-UD-A: Abnormal file server access for user ↳ FA-GD-F: First file server access for group ↳ FA-GD-A: Abnormal file server access for group T1003.003 - OS Credential Dumping: NTDS ↳ A-NTDS-Access-F: The NTDS database was accessed from a new location on this asset. ↳ A-NTDS-Access-A: The NTDS database was accessed from a non default location on this asset. ↳ A-NTDS-Access: The NTDS database was accessed from a non default location without 'ntds.dit' in the file path on this asset. | • FA-GD: File server access per group • FA-UD: File server access per user • FA-OG: Users accessing source code files in the peer group • FA-OU: Users accessing source code files in the organization • FA-UA: File access activities for user • FA-UZ: File accesses from network zone for user • FA-OZ: File accesses from network zone for organization • FA-UH: User file access source host • FA-UTi: File activity time for user • FA-UA-OC: Countries for organization file activities • FA-UA-GC: Countries for peer groups file activities • FA-UA-UC: Countries for user file activity • FA-UA-UI-new: ISP of users during file activity • A-NTDS-Access: Models the amount of accesses to paths that are related to NTDS |
| file-write | T1083 - File and Directory Discovery ↳ FA-UA-UI-F: First file activity from ISP ↳ FA-UA-UC-F: First file activity from country for user ↳ FA-UA-UC-A: Abnormal file activity from country for user ↳ FA-UA-GC-F: First file activity from country for group ↳ FA-UA-GC-A: Abnormal file activity from country for group ↳ FA-UA-OC-F: First file activity from country for organization ↳ FA-UA-OC-A: Abnormal file activity from country for organization ↳ FA-UTi: Abnormal user file activity time ↳ FA-UH-F: First file access from asset for user ↳ FA-UH-A: Abnormal file access from asset for user ↳ FA-OZ-F: First file access from network zone for organization ↳ FA-OZ-A: Abnormal file access from network zone for organization ↳ FA-UZ-F: First file access from network zone for user ↳ FA-UZ-A: Abnormal file access from network zone for user ↳ FA-UA-F: First file access activity for user ↳ FA-UA-A: Abnormal file access activity for user ↳ FA-OU-F: First access to source code files for user in the organization ↳ FA-OU-A: Abnormal access to source code files for user in the organization ↳ FA-OG-F: First access to source code files for user in the peer group ↳ FA-OG-A: Abnormal access to source code files for user in the peer group ↳ FA-UD-F: First file server access for user ↳ FA-UD-A: Abnormal file server access for user ↳ FA-GD-F: First file server access for group ↳ FA-GD-A: Abnormal file server access for group T1003.003 - OS Credential Dumping: NTDS ↳ A-NTDS-Access-F: The NTDS database was accessed from a new location on this asset. ↳ A-NTDS-Access-A: The NTDS database was accessed from a non default location on this asset. ↳ A-NTDS-Access: The NTDS database was accessed from a non default location without 'ntds.dit' in the file path on this asset. ↳ A-NTDS-Shadow-Copy1: The NTDS database changed location to a shadowcopy using 'ntds.dit' and 'harddiskvolumeshadowcopy' in the file path on this asset. ↳ A-NTDS-Shadow-Copy2: The NTDS database changed location to a shadowcopy using 'harddiskvolumeshadowcopy' in the file path on this asset. T1003.002 - OS Credential Dumping: Security Account Manager ↳ A-ATP-Tool-FGDump: Malicious exe/dll. ↳ A-ATP-Tool-PSTGDump: Malicious pstgdump.exe was run from a temp folder on this asset. | • FA-GD: File server access per group • FA-UD: File server access per user • FA-OG: Users accessing source code files in the peer group • FA-OU: Users accessing source code files in the organization • FA-UA: File access activities for user • FA-UZ: File accesses from network zone for user • FA-OZ: File accesses from network zone for organization • FA-UH: User file access source host • FA-UTi: File activity time for user • FA-UA-OC: Countries for organization file activities • FA-UA-GC: Countries for peer groups file activities • FA-UA-UC: Countries for user file activity • FA-UA-UI-new: ISP of users during file activity • A-NTDS-Access: Models the amount of accesses to paths that are related to NTDS |
| network-alert | T1190 - Exploit Public-Facing Application ↳ A-Log4j-Vul-Alert: Alert for the CVE-2021-44228 vulnerability on the asset. ↳ Log4j-Vul-Alert: Alert for the CVE-2021-44228 vulnerability T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools ↳ A-ALERT-Other: Alert on asset ↳ A-ALERT-Critical: Security Alert on a critical asset ↳ A-ALERT-Log4j: Alert associated with an exploitation or post exploitation as seen with Log4j Vulnerability was detected. ↳ A-IDS-OLA-F: First network alert on asset with no previous alerts for organization ↳ A-IDS-OLA-A: Abnormal network alert for asset for organization ↳ A-IDS-ZLA-F: First network alert on asset with no previous alerts for zone ↳ A-IDS-ZLA-A: Abnormal network alert for asset for zone ↳ A-IDS-OLZ-F: First network alert for zone in the organization ↳ A-IDS-OLZ-A: Abnormal network alert for zone in the organization ↳ A-IDS-OdPort-F: First network alert on port for organization ↳ A-IDS-OdPort-A: Abnormal network alert on port for organization ↳ A-IDS-HdPort-F: First network alert on port for asset ↳ A-IDS-HdPort-A: Abnormal network alert on port for asset ↳ A-IDS-dZdPort-F: First network alert on port for zone ↳ A-IDS-dZdPort-A: Abnormal network alert on port for zone ↳ A-IDS-LZAN-F: First network alert (by name) for zone ↳ A-IDS-LZAN-A: Abnormal network alert (by name) for zone ↳ A-IDS-OAN-F: First network alert (by name) for organization ↳ A-IDS-OAN-A: Abnormal network alert (by name) for organization ↳ A-IDS-SERVER: First or Abnormal network alert in server zone | • A-AL-ZT-SERVER: Server zones based on number of servers • A-IDS-OAN: Network alert names triggered in the organization • A-IDS-LZAN: Network alert names triggered in zone • A-IDS-dZdPort: Destination ports on which network alerts have triggered in zone • A-IDS-HdPort: Destination ports on which network alerts have triggered for the asset • A-IDS-OdPort: Destination ports on which network alerts have triggered in the organization • A-IDS-OLZ: Zones in which network alerts are triggered in the organization • A-IDS-ZLA: Assets that triggered network alerts in the zone • A-IDS-OLA: Assets that triggered network alerts in the organization |
| process-created | T1003.002 - OS Credential Dumping: Security Account Manager ↳ A-GRAB-REG-HIVES: Grabbing Sensitive Hives via Reg Utility on this asset ↳ GRAB-REG-HIVES: Grabbing Sensitive Hives via Reg Utility ↳ ATP-PWDump: Malicious exe was run which is a part of credential dumping tool T1003.001 - OS Credential Dumping: LSASS Memory ↳ A-CreateMiniDump-Hacktool: CreateMiniDump Hacktool detected on this asset. ↳ A-LSASS-Mem-Dump: LSASS Memory Dumping detected on this asset ↳ A-Proc-Dump-Comsvcs: Process Dump via Rundll32 and Comsvcs.dll detected on this asset ↳ A-Sus-Procdump: Suspicious Use of Procdump on this asset. ↳ A-Procdump-Comsvcs-DLL: Process Dump via Comsvcs DLL on this asset ↳ A-PC-Rundll-LsassDump: Rundll32 was run with minidump via commandline on this asset. ↳ A-PC-Procdump-LsassDump: Procdump was executed with lsass dump command line parameters on this asset. ↳ CreateMiniDump-Hacktool: CreateMiniDump Hacktool ↳ LSASS-Mem-Dump: LSASS Memory Dumping ↳ Proc-Dump-Comsvcs: Process Dump via Rundll32 and Comsvcs.dll ↳ Sus-Procdump: Suspicious Use of Procdump ↳ Procdump-Comsvcs-DLL: Process Dump via Comsvcs DLL ↳ PC-Rundll-LsassDump: Rundll32 was run with minidump via commandline ↳ PC-Procdump-LsassDump: Procdump was executed with lsass dump command line parameters. T1218.011 - Signed Binary Proxy Execution: Rundll32 ↳ A-Procdump-Comsvcs-DLL: Process Dump via Comsvcs DLL on this asset ↳ A-PC-Rundll-LsassDump: Rundll32 was run with minidump via commandline on this asset. ↳ Procdump-Comsvcs-DLL: Process Dump via Comsvcs DLL ↳ PC-Rundll-LsassDump: Rundll32 was run with minidump via commandline T1040 - Network Sniffing ↳ A-NSniff-Cred: Potential network sniffing was observed on this asset. ↳ A-EPA-SNIFF: Network sniffing tool has been found running on this asset ↳ A-EPA-OH-SNIFF-F: First time this asset has had an execution of a network sniffing tool ↳ A-EPA-OH-SNIFF-A: Abnormal asset running network sniffing tool ↳ A-EPA-OZ-SNIFF-F: First zone on which network sniffing tool was run ↳ A-EPA-OZ-SNIFF-A: Abnormal zone on which network sniffing tool was run ↳ EPA-SNIFF: Network sniffing tool has been run by this user ↳ EPA-OU-SNIFF-F: First time this user has run a network sniffing tool ↳ EPA-OU-SNIFF-A: Abnormal user has run a network sniffing tool ↳ EPA-OG-SNIFF-F: First time this peer group has run a network sniffing tool ↳ EPA-OG-SNIFF-A: Abnormal peer group running a network sniffing tool ↳ EPA-OH-SNIFF-F: First time this host has run a network sniffing tool ↳ EPA-OH-SNIFF-A: Abnormal host running a network sniffing tool ↳ EPA-OZ-SNIFF-F: First time a network sniffing tool was run in this network zone ↳ EPA-OZ-SNIFF-A: Abnormal network zone on which network sniffing tool was run ↳ NSniff-Cred: Potential network sniffing was observed T1003 - OS Credential Dumping ↳ A-CP-Sensitive-Files: Copying sensitive files with credential data on this asset ↳ A-ShadowCP-SymLink: Shadow Copies Access via Symlink on this asset ↳ A-ShadowCP-OSUtilities: Shadow Copies Creation Using Operating Systems Utilities on this asset ↳ Mimikatz-process: A highly dangerous attacker tool, Mimikatz, has been used ↳ CP-Sensitive-Files: Copying sensitive files with credential data ↳ ShadowCP-SymLink: Shadow Copies Access via Symlink ↳ ShadowCP-OSUtilities: Shadow Copies Creation Using Operating Systems Utilities ↳ Cmdkey-Cred-Recon: Cmdkey Cached Credentials Recon T1003.003 - OS Credential Dumping: NTDS ↳ AD-Diagnostic-Tool: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe) T1555 - Credentials from Password Stores ↳ A-SecX-Tool-Exec: SecurityXploded Tool execution detected on this asset ↳ SecX-Tool-Exec: SecurityXploded Tool execution detected T1016 - System Network Configuration Discovery ↳ WINCMD-Route: 'Route' program used ↳ WINCMD-Netsh: 'Netsh' program used TA0002 - Execution ↳ EPA-UH-Pen-F: Known pentest tool used T1003.005 - OS Credential Dumping: Cached Domain Credentials ↳ A-Cmdkey-Cred-Recon: Cmdkey Cached Credentials Recon on this asset | • EPA-OZ-SNIFF: Network Zones on which network sniffing tools are run • EPA-OH-SNIFF: Hosts that have been found to be running network sniffing tools • EPA-OG-SNIFF: Peer groups that are running network sniffing tools • EPA-OU-SNIFF: Users that are running network sniffing tools • EPA-UH-Pen: Malicious tools used by user |
| remote-logon | T1078 - Valid Accounts ↳ A-AL-DhU-F: First user per asset ↳ A-AL-DhU-A: Abnormal user per asset ↳ AL-UT-F: Logon to New Asset Type ↳ AL-UT-A: Logon to Abnormal asset type ↳ AL-F-F-CS: First logon to a critical system for user ↳ AL-F-A-CS: Abnormal logon to a critical system for user ↳ AL-UH-CS-NC: Logon to a critical system for a user with no information ↳ AL-OU-F-CS: First logon to a critical system that user has not previously accessed ↳ RL-UH-F: First remote logon to asset ↳ RL-UH-A: Abnormal remote logon to asset ↳ AL-UZ-F: First logon to network zone ↳ AL-UZ-A: Abnormal logon to network zone ↳ RL-GH-F: First remote logon to asset for group ↳ UA-UI-F: First activity from ISP ↳ RL-GH-A-new: Abnormal remote logon to asset for group by new user ↳ AL-GZ-F-new: First logon to network zone for new user of group ↳ AL-GZ-A-new: Abnormal logon to network zone for group of new user ↳ RL-HU-F-new: Remote logon to private asset for new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries T1133 - External Remote Services ↳ UA-UI-F: First activity from ISP ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries T1021 - Remote Services ↳ RL-UZ-F-DC: First logon to a Domain Controller from zone for user ↳ RL-OZ-F-DC: First logon to a Domain Controller from zone for organization ↳ RL-OZ-A-DC: Abnormal logon to a Domain Controller from zone for organization ↳ RL-UH-F: First remote logon to asset ↳ RL-UH-A: Abnormal remote logon to asset ↳ RL-GH-F: First remote logon to asset for group ↳ RL-GH-A-new: Abnormal remote logon to asset for group by new user ↳ RL-HU-F-new: Remote logon to private asset for new user T1550 - Use Alternate Authentication Material ↳ RLA-UAPackage-F: First time usage of Windows authentication package ↳ RLA-UAPackage-A: Abnormal usage of Windows authentication package T1078.002 - Valid Accounts: Domain Accounts ↳ SL-UH-I: Interactive logon using a service account ↳ SL-UH-A: Abnormal access from asset for a service account ↳ AL-F-F-DC-G: First logon to a Domain Controller for peer group ↳ AL-F-A-DC-G: Abnormal logon to a Domain Controller for Peer Group ↳ AL-UH-F-DC: First logon to this Domain Controller for user ↳ AL-UH-A-DC: Abnormal logon to a Domain Controller that user has not accessed often previously ↳ AL-UH-DC-NC: Logon to a Domain Controller for user with no information ↳ RL-UZ-F-DC: First logon to a Domain Controller from zone for user ↳ RL-OZ-F-DC: First logon to a Domain Controller from zone for organization ↳ RL-OZ-A-DC: Abnormal logon to a Domain Controller from zone for organization T1550.003 - Use Alternate Authentication Material: Pass the Ticket ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected T1558 - Steal or Forge Kerberos Tickets ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected T1078.003 - Valid Accounts: Local Accounts ↳ AL-HLocU-F: First local user logon to this asset ↳ AL-HLocU-A: Abnormal local user logon to this asset | • RL-HU: Remote logon users • AL-GZ: Network zones accessed by this peer group • RL-GH-A: Assets accessed remotely by this peer group • RLA-UAPackage: Windows authentication packages used when connecting to remote hosts • UA-UI-new: ISP of users during application activity • RL-UH: Remote logons • RL-OZ-DC: Source zones in the organization during domain controller access • RL-UZ-DC: Source zones per user logging into domain controller • RA-UH: Assets accessed by this user remotely • AL-UH-DC: Logons to Domain Controllers • AL-OU-CS: Logon to critical servers • AL-UT: Types of hosts • AL-UsH: Source hosts per User • IL-UH-SA: Interactive logon hosts for service accounts • NKL-HU: Users logging into this host remotely • A-AL-DhU: Users per Host |
| security-alert | T1078 - Valid Accounts ↳ A-SA-AN-ALERT-F: First security alert name on the asset ↳ A-SA-AN-ALERT-A: Abnormal security alert name on the asset ↳ A-SA-ON-ALERT-F: First security alert (by name) in the organization ↳ A-SA-ON-ALERT-A: Abnormal security alert (by name) in the organization ↳ A-SA-ZN-ALERT-F: First security alert (by name) in the zone ↳ A-SA-ZN-ALERT-A: Abnormal security alert (by name) in the zone ↳ A-SA-HN-ALERT-F: First security alert (by name) in the asset ↳ A-SA-HN-ALERT-A: Abnormal security alert (by name) in the asset ↳ A-SA-OA-ALERT-F: First security alert for this asset for organization ↳ A-SA-OA-ALERT-A: Abnormal asset triggering security alert for organization ↳ SA-OU-ALERT-F: First security alert triggered for this user in the organization ↳ SA-OU-ALERT-A: Abnormal user triggering security alert in the organization ↳ SA-OG-ALERT-F: First security alert triggered for peer group in the organization ↳ SA-OG-ALERT-A: Abnormal peer group triggering security alert in the organization ↳ SA-UA-F: First security alert name for user ↳ SA-UA-A: Abnormal security alert name for user ↳ SA-GA-F: First security alert name in the peer group ↳ SA-GA-A: Abnormal security alert name in the peer group ↳ SA-OA-F: First security alert name in the organization ↳ SA-OA-A: Abnormal security alert name in the organization T1190 - Exploit Public-Facing Application ↳ A-Log4j-Vul-Alert: Alert for the CVE-2021-44228 vulnerability on the asset. ↳ Log4j-Vul-Alert: Alert for the CVE-2021-44228 vulnerability T1133 - External Remote Services ↳ ALERT-VPN: Security Alert on asset accessed by this user during VPN session T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools ↳ A-ALERT-Critical: Security Alert on a critical asset ↳ A-ALERT-Log4j: Alert associated with an exploitation or post exploitation as seen with Log4j Vulnerability was detected. | • SA-OA: Security alert names in the organization • SA-GA: Security alert names in the peer group • SA-UA: Security alert names for user • SA-OG-ALERT: Peer groups triggering security alerts in the organization • SA-OU-ALERT: Users triggering security alerts in the organization • A-SA-OA-ALERT: Assets triggering security alerts in the organization • A-SA-HN-ALERT: Security alert names triggered by the asset • A-SA-ZN-ALERT: Security alert names triggered in the zone • A-SA-ON-ALERT: Security alert names triggered in the organization • A-SA-AN-ALERT: Security alert names on asset |