Rules by Product and UseCase
April 15, 2026 · View on GitHub
Vendor: FireMon
Product: FireMon
Use-Case: Compromised Credentials
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 7 | 4 | 2 | 1 | 0 |
| Event Type | Rules | Models |
|---|---|---|
| authentication-successful | T1078 - Valid Accounts ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries T1133 - External Remote Services ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries | • UA-OC: Countries for organization • UA-GC: Countries for peer groups • UA-UC: Countries for user activity • UA-UI-new: ISP of users during application activity |