Vendor: SecureNet

Product: SecureNet

Use-Case: Privilege Abuse

Rules	Models	MITRE ATT&CK® TTPs	Event Types	Parsers
3	2	3	2	2

Event Type	Rules	Models
vpn-login	T1078 - Valid Accounts ↳ SL-UA-F-VPN: First VPN connection for service account T1133 - External Remote Services ↳ SL-UA-F-VPN: First VPN connection for service account
vpn-logout	T1098.002 - Account Manipulation: Exchange Email Delegate Permissions ↳ EM-InB-Perm-A: Abnormal number of mailbox permission given by user. T1078 - Valid Accounts ↳ WPA-UACount: Abnormal number of privilege access events for user	• EM-InB-Perm: Models the number of mailbox permissions given by this user. • WPA-UACount: Count of admin privilege events for user