Rules by Product and UseCase
April 15, 2026
Vendor: Claroty
Product: CTD
Use-Case: Compromised Credentials
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 83 | 43 | 5 | 4 | 9 |
| Event Type | Rules | Models |
|---|---|---|
| app-activity | T1078 - Valid Accounts ↳ APP-UApp-F: First login or activity within an application for user ↳ APP-UApp-A: Abnormal login or activity within an application for user ↳ APP-AppU-F: First login to an application for a user with no history ↳ APP-F-SA-NC: New service account access to application ↳ APP-AppG-F: First login to an application for group ↳ APP-GApp-A: Abnormal login to an application for group ↳ APP-UTi: Abnormal user activity time ↳ APP-UAg-F: First user agent string for user ↳ APP-UAg-2: Second new user agent string for user ↳ APP-UAg-3: More than two new user agents used by the user in the same session ↳ APP-UOs-F: First os/browser combination for user ↳ APP-UsH-F: First source asset for user in application ↳ APP-UsH-A: Abnormal source asset for user in application ↳ APP-UOb-F: First access to application object for user ↳ APP-UOb-A: Abnormal access to application object for user ↳ APP-UappA-F: First application activity for user ↳ APP-UappA-A: Abnormal application activity for user ↳ APP-GappA-F: First application activity for peer group ↳ APP-GappA-A: Abnormal application activity for peer group ↳ APP-AA-F: First application activity in the organization ↳ APP-AA-A: Abnormal activity in application for the organization ↳ APP-UId-F: First use of client Id for user ↳ APP-IdU-F: Reuse of client Id ↳ APP-UMime-F: First mime type for user ↳ APP-UMime-A: Abnormal mime type for user ↳ APP-GMime-F: First mime type for peer group ↳ APP-GMime-A: Abnormal mime type for peer group ↳ APP-OMime-F: First mime type for organization ↳ APP-OMime-A: Abnormal mime type for organization ↳ APP-AppSz-F: First application access from network zone ↳ APP-AT-PRIV: Non-privileged user performing privileged application activity ↳ APP-AppED-F: New Email-domain found in application ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries T1133 - External Remote Services ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries | • UA-OC: Countries for organization • UA-GC: Countries for peer groups • UA-UC: Countries for user activity • UA-UI-new: ISP of users during application activity • APP-AppED: Email-domains per application • APP-AT-PRIV: Privileged application activities • APP-AppSz: Source zones per application • APP-OMime: Mime types for organization • APP-GMime: Mime types per peer group • APP-UMime: Mime types per user • APP-IdU: User per Client Id • APP-UId: Client Id per User • APP-AA: Activity per application • APP-GappA: Application activity per peer group • APP-UappA: Application activity per user • APP-UOb: Application objects per user • APP-UsH: User's machines accessing applications • APP-UOs-New: OS and Browser from user agent • APP-UAg: User Agent Strings • APP-UTi: Application activity time for user • APP-GApp: Group Logons to Applications • APP-AppG: Groups per Application • APP-AppU: User Logons to Applications • APP-UApp: Applications per User |
| failed-logon | T1078 - Valid Accounts ↳ SEQ-UH-04: Failed logon by a service account ↳ SEQ-UH-05: Failed interactive logon by a service account ↳ SEQ-UH-07: Failed logon to an asset that user has not previously accessed | • AE-UA: All activity for users |
| network-alert | T1027 - Obfuscated Files or Information ↳ A-IDS-OLA-F: First network alert on asset with no previous alerts for organization ↳ A-IDS-OLA-A: Abnormal network alert for asset for organization ↳ A-IDS-ZLA-F: First network alert on asset with no previous alerts for zone ↳ A-IDS-ZLA-A: Abnormal network alert for asset for zone ↳ A-IDS-OLZ-F: First network alert for zone in the organization ↳ A-IDS-OLZ-A: Abnormal network alert for zone in the organization ↳ A-IDS-OdPort-F: First network alert on port for organization ↳ A-IDS-OdPort-A: Abnormal network alert on port for organization ↳ A-IDS-HdPort-F: First network alert on port for asset ↳ A-IDS-HdPort-A: Abnormal network alert on port for asset ↳ A-IDS-dZdPort-F: First network alert on port for zone ↳ A-IDS-dZdPort-A: Abnormal network alert on port for zone ↳ A-IDS-LZAN-F: First network alert (by name) for zone ↳ A-IDS-LZAN-A: Abnormal network alert (by name) for zone ↳ A-IDS-OAN-F: First network alert (by name) for organization ↳ A-IDS-OAN-A: Abnormal network alert (by name) for organization ↳ A-IDS-SERVER: First or Abnormal network alert in server zone ↳ A-ALERT-Other: Alert on asset ↳ A-ALERT-Critical: Security Alert on a critical asset ↳ A-ALERT-Log4j: Alert associated with exploitation or post-exploitation activity, as seen with the Log4j vulnerability, was detected. T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools ↳ A-IDS-OLA-F: First network alert on asset with no previous alerts for organization ↳ A-IDS-OLA-A: Abnormal network alert for asset for organization ↳ A-IDS-ZLA-F: First network alert on asset with no previous alerts for zone ↳ A-IDS-ZLA-A: Abnormal network alert for asset for zone ↳ A-IDS-OLZ-F: First network alert for zone in the organization ↳ A-IDS-OLZ-A: Abnormal network alert for zone in the organization ↳ A-IDS-OdPort-F: First network alert on port for organization ↳ A-IDS-OdPort-A: Abnormal network alert on port for organization ↳ A-IDS-HdPort-F: First network alert on port for asset ↳ A-IDS-HdPort-A: Abnormal network alert on port for asset ↳ A-IDS-dZdPort-F: First network alert on port for zone ↳ A-IDS-dZdPort-A: Abnormal network alert on port for zone ↳ A-IDS-LZAN-F: First network alert (by name) for zone ↳ A-IDS-LZAN-A: Abnormal network alert (by name) for zone ↳ A-IDS-OAN-F: First network alert (by name) for organization ↳ A-IDS-OAN-A: Abnormal network alert (by name) for organization ↳ A-IDS-SERVER: First or Abnormal network alert in server zone ↳ A-ALERT-Other: Alert on asset ↳ A-ALERT-Critical: Security Alert on a critical asset ↳ A-ALERT-Log4j: Alert associated with exploitation or post-exploitation activity, as seen with the Log4j vulnerability, was detected. T1190 - Exploit Public-Facing Application ↳ A-Log4j-Vul-Alert: Alert for the CVE-2021-44228 vulnerability on the asset. | • A-AL-ZT-SERVER: Server zones based on number of servers • A-IDS-OAN: Network alert names triggered in the organization • A-IDS-LZAN: Network alert names triggered in zone • A-IDS-dZdPort: Destination ports on which network alerts have triggered in zone • A-IDS-HdPort: Destination ports on which network alerts have triggered for the asset • A-IDS-OdPort: Destination ports on which network alerts have triggered in the organization • A-IDS-OLZ: Zones in which network alerts are triggered in the organization • A-IDS-ZLA: Assets that triggered network alerts in the zone • A-IDS-OLA: Assets that triggered network alerts in the organization |
| security-alert | T1027 - Obfuscated Files or Information ↳ A-ALERT-Critical: Security Alert on a critical asset ↳ A-ALERT-Log4j: Alert associated with exploitation or post-exploitation activity, as seen with the Log4j vulnerability, was detected. T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools ↳ A-ALERT-Critical: Security Alert on a critical asset ↳ A-ALERT-Log4j: Alert associated with exploitation or post-exploitation activity, as seen with the Log4j vulnerability, was detected. T1190 - Exploit Public-Facing Application ↳ A-Log4j-Vul-Alert: Alert for the CVE-2021-44228 vulnerability on the asset. T1078 - Valid Accounts ↳ SA-OU-ALERT-F: First security alert triggered for this user in the organization ↳ SA-OU-ALERT-A: Abnormal user triggering security alert in the organization ↳ SA-OG-ALERT-F: First security alert triggered for peer group in the organization ↳ SA-OG-ALERT-A: Abnormal peer group triggering security alert in the organization ↳ SA-UA-F: First security alert name for user ↳ SA-UA-A: Abnormal security alert name for user ↳ SA-GA-F: First security alert name in the peer group ↳ SA-GA-A: Abnormal security alert name in the peer group ↳ SA-OA-F: First security alert name in the organization ↳ A-SA-AN-ALERT-F: First security alert name on the asset ↳ A-SA-AN-ALERT-A: Abnormal security alert name on the asset ↳ A-SA-ON-ALERT-F: First security alert (by name) in the organization ↳ A-SA-ON-ALERT-A: Abnormal security alert (by name) in the organization ↳ A-SA-ZN-ALERT-F: First security alert (by name) in the zone ↳ A-SA-ZN-ALERT-A: Abnormal security alert (by name) in the zone ↳ A-SA-HN-ALERT-F: First security alert (by name) in the asset ↳ A-SA-HN-ALERT-A: Abnormal security alert (by name) in the asset ↳ A-SA-OA-ALERT-F: First security alert for this asset for organization ↳ A-SA-OA-ALERT-A: Abnormal asset triggering security alert for organization T1133 - External Remote Services ↳ ALERT-VPN: Security Alert on asset accessed by this user during VPN session | • A-SA-OA-ALERT: Assets triggering security alerts in the organization • A-SA-HN-ALERT: Security alert names triggered by the asset • A-SA-ZN-ALERT: Security alert names triggered in the zone • A-SA-ON-ALERT: Security alert names triggered in the organization • A-SA-AN-ALERT: Security alert names on asset • SA-GA: Security alert names in the peer group • SA-UA: Security alert names for user • SA-OG-ALERT: Peer groups triggering security alerts in the organization • SA-OU-ALERT: Users triggering security alerts in the organization |