Vendor: RSA
June 14, 2023
Product: SecurID
Use-Case: Compromised Credentials
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 19 | 8 | 3 | 2 | 2 |
| Event Type | MITRE ATT&CK® TTP | Rule |
|---|---|---|
| authentication-successful | T1078 - Valid Accounts | UA-UI-F: First activity from ISP |
| authentication-successful | T1078 - Valid Accounts | UA-UC-new: Abnormal country for user by new user |
| authentication-successful | T1078 - Valid Accounts | UA-GC-new: Abnormal country for group by new user |
| authentication-successful | T1078 - Valid Accounts | UA-OC-new: Abnormal country for organization by new user |
| authentication-successful | T1078 - Valid Accounts | UA-UC-Suspicious: Activity from suspicious country |
| authentication-successful | T1078 - Valid Accounts | UA-UC-Two: Activity from two different countries |
| authentication-successful | T1078 - Valid Accounts | UA-UC-Three: Activity from 3 different countries |
| authentication-successful | T1133 - External Remote Services | UA-UI-F: First activity from ISP |
| authentication-successful | T1133 - External Remote Services | UA-UC-new: Abnormal country for user by new user |
| authentication-successful | T1133 - External Remote Services | UA-GC-new: Abnormal country for group by new user |
| authentication-successful | T1133 - External Remote Services | UA-OC-new: Abnormal country for organization by new user |
| authentication-successful | T1133 - External Remote Services | UA-UC-Suspicious: Activity from suspicious country |
| authentication-successful | T1133 - External Remote Services | UA-UC-Two: Activity from two different countries |
| authentication-successful | T1133 - External Remote Services | UA-UC-Three: Activity from 3 different countries |
| vpn-logout | T1110 - Brute Force | APP-UFL-COUNT: Abnormal number of failed application logins for user |
| vpn-logout | T1078 - Valid Accounts | AL-UHcount-S: Abnormal number of logon assets (S) |
| vpn-logout | T1078 - Valid Accounts | AL-UHcount-M: Abnormal number of logon assets (M) |
| vpn-logout | T1078 - Valid Accounts | AL-UHcount-L: Abnormal number of logon assets (L) |
| vpn-logout | T1078 - Valid Accounts | AL-OHcount: Abnormal number of logged on assets compared to the organization |
| vpn-logout | T1078 - Valid Accounts | AL-GHcount: Abnormal number of logged on assets compared to group |
| vpn-logout | T1078 - Valid Accounts | VPN-End-DUR: Abnormal VPN session duration |
| vpn-logout | T1078 - Valid Accounts | DC08d-new: Abnormal number of assets compared to group for a new user |
| vpn-logout | T1078 - Valid Accounts | DC14g-new: Abnormal number of accessed assets for group of new user |
| vpn-logout | T1078 - Valid Accounts | DC17j-new: Abnormal number of accessed zones for group of a new user |
| vpn-logout | T1078 - Valid Accounts | APP-UAgC-F: First activity from country and first os/browser/user agent for user in same session |
| vpn-logout | T1133 - External Remote Services | VPN-BSum: Abnormal amount of data uploaded during VPN session |
| vpn-logout | T1133 - External Remote Services | VPN-End-DUR: Abnormal VPN session duration |

| Event Type | Model |
|---|---|
| authentication-successful | UA-OC: Countries for organization |
| authentication-successful | UA-GC: Countries for peer groups |
| authentication-successful | UA-UC: Countries for user activity |
| authentication-successful | UA-UI-new: ISP of users during application activity |
| vpn-logout | APP-UFL-COUNT: Count of failed application logins in a session |
| vpn-logout | VPN-End-DUR: VPN session duration |
| vpn-logout | VPN-BSum: Sum of bytes uploaded during VPN |
| vpn-logout | AL-OHcount: Count of assets logon per user in the organization |