Rules by Product and UseCase

April 15, 2026 · View on GitHub

Vendor: BeyondTrust

Product: BeyondTrust

Use-Case: Privileged Activity

RulesModelsMITRE ATT&CK® TTPsActivity TypesParsers
146333
Event TypeRulesModels
app-activityT1078 - Valid Accounts
APP-Account-deactivated: Activity from a de-activated user account
APP-AT-PRIV: Non-privileged user performing privileged application activity		APP-AT-PRIV: Privileged application activities
local-logonT1078 - Valid Accounts
AL-F-F-CS: First logon to a critical system for user
AL-F-A-CS: Abnormal logon to a critical system for user
AL-UH-CS-NC: Logon to a critical system for a user with no information
AL-OU-F-CS: First logon to a critical system that user has not previously accessed
AL-F-F-DC-G: First logon to a Domain Controller for peer group
AL-F-A-DC-G: Abnormal logon to a Domain Controller for Peer Group
AL-UH-F-DC: First logon to this Domain Controller for user
AL-UH-A-DC: Abnormal logon to a Domain Controller that user has not accessed often previously
AL-UH-DC-NC: Logon to a Domain Controller for user with no information
AL-HT-PRIV: Non-Privileged logon to privileged asset
AL-HT-EXEC-new: New user logon to executive asset

T1078.002 - T1078.002
AL-F-F-DC-G: First logon to a Domain Controller for peer group
AL-F-A-DC-G: Abnormal logon to a Domain Controller for Peer Group
AL-UH-F-DC: First logon to this Domain Controller for user
AL-UH-A-DC: Abnormal logon to a Domain Controller that user has not accessed often previously
AL-UH-DC-NC: Logon to a Domain Controller for user with no information		AL-HT-EXEC: Executive Assets
AL-HT-PRIV: Privilege Users Assets
RA-UH: Assets accessed by this user remotely
AL-UH-DC: Logons to Domain Controllers
AL-OU-CS: Logon to critical servers
process-createdT1482 - Domain Trust Discovery
A-Trickbot-Recon: Trickbot malware domain recon activity on this asset