Rules by Product and UseCase
April 15, 2026
Vendor: SecureNet
Product: SecureNet
Use-Case: Lateral Movement

| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 8 | 3 | 6 | 2 | 0 |

| Event Type | Rules | Models |
|---|---|---|
| vpn-login | T1090 - Proxy ↳ Auth-Tor-Shost: User authentication or login from a known TOR IP T1090.003 - Proxy: Multi-hop Proxy ↳ Auth-Tor-Shost: User authentication or login from a known TOR IP | |
| vpn-logout | T1558 - Steal or Forge Kerberos Tickets ↳ KL-USnCOUNT-A: Abnormal number of services used to obtain TGTs by user ↳ KL-GSnCOUNT-A: Abnormal number of services used to obtain TGTs by peer group T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting ↳ KL-USnCOUNT-A: Abnormal number of services used to obtain TGTs by user ↳ KL-GSnCOUNT-A: Abnormal number of services used to obtain TGTs by peer group T1021 - Remote Services ↳ RA-UHcount-S: Abnormal number of accessed hosts for user (S) ↳ RA-UHcount-M: Abnormal number of accessed hosts within a session for user (M) ↳ RA-UHcount-L: Abnormal number of accessed hosts for user (L) ↳ RA-OHcount: Abnormal number of accessed hosts within a session for the organization ↳ RA-GHcount: Abnormal number of accessed assets for group T1078 - Valid Accounts ↳ RA-UHcount-S: Abnormal number of accessed hosts for user (S) ↳ RA-UHcount-M: Abnormal number of accessed hosts within a session for user (M) ↳ RA-UHcount-L: Abnormal number of accessed hosts for user (L) ↳ RA-OHcount: Abnormal number of accessed hosts within a session for the organization ↳ RA-GHcount: Abnormal number of accessed assets for group | • KL-GSnCOUNT: Count of services used to obtain kerberos TGTs in a session for peer group • KL-USnCOUNT: Count of services used to obtain kerberos TGTs in a session for user • RA-OHcount: Count of assets access per user in the organization |