Vendor: Microsoft
June 14, 2023
Product: DirectAccess
Use-Case: Compromised Credentials
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 14 | 8 | 2 | 1 | 1 |
| Event Type | MITRE ATT&CK® TTP | Rule |
|---|---|---|
| failed-vpn-login | T1133 - External Remote Services | SEQ-UH-15: Failed VPN login |
| vpn-login | T1133 - External Remote Services | SL-UA-F-VPN: First VPN connection for service account |
| vpn-login | T1133 - External Remote Services | AE-UA-F-VPN: First VPN connection for user |
| vpn-login | T1133 - External Remote Services | UA-UI-F: First activity from ISP |
| vpn-login | T1133 - External Remote Services | VPN-GsH-F: First VPN connection from device for peer group |
| vpn-login | T1133 - External Remote Services | VPN-GsH-A: Abnormal VPN connection from device for peer group |
| vpn-login | T1133 - External Remote Services | AE-GA-F-VPN-new: First VPN connection for group of new user |
| vpn-login | T1133 - External Remote Services | UA-UC-new: Abnormal country for user by new user |
| vpn-login | T1133 - External Remote Services | UA-GC-new: Abnormal country for group by new user |
| vpn-login | T1133 - External Remote Services | UA-OC-new: Abnormal country for organization by new user |
| vpn-login | T1133 - External Remote Services | UA-UC-Suspicious: Activity from suspicious country |
| vpn-login | T1133 - External Remote Services | UA-UC-Two: Activity from two different countries |
| vpn-login | T1133 - External Remote Services | UA-UC-Three: Activity from 3 different countries |
| vpn-login | T1133 - External Remote Services | PA-VPN-01: VPN login after badge access |
| vpn-login | T1078 - Valid Accounts | SL-UA-F-VPN: First VPN connection for service account |
| vpn-login | T1078 - Valid Accounts | AE-UA-F-VPN: First VPN connection for user |
| vpn-login | T1078 - Valid Accounts | UA-UI-F: First activity from ISP |
| vpn-login | T1078 - Valid Accounts | UA-UC-new: Abnormal country for user by new user |
| vpn-login | T1078 - Valid Accounts | UA-GC-new: Abnormal country for group by new user |
| vpn-login | T1078 - Valid Accounts | UA-OC-new: Abnormal country for organization by new user |
| vpn-login | T1078 - Valid Accounts | UA-UC-Suspicious: Activity from suspicious country |
| vpn-login | T1078 - Valid Accounts | UA-UC-Two: Activity from two different countries |
| vpn-login | T1078 - Valid Accounts | UA-UC-Three: Activity from 3 different countries |

| Event Type | Model |
|---|---|
| vpn-login | PA-VPN-01: Users who vpn-in after badge access |
| vpn-login | UA-OC: Countries for organization |
| vpn-login | UA-GC: Countries for peer groups |
| vpn-login | UA-UC: Countries for user activity |
| vpn-login | AE-GA: All activity for peer groups |
| vpn-login | VPN-GsH: VPN endpoints in this peer group |
| vpn-login | UA-UI-new: ISP of users during application activity |
| vpn-login | AE-UA: All activity for users |