Rules by Product and UseCase

April 15, 2026

Vendor: SecureNet

Product: SecureNet

Use-Case: Privilege Abuse

| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 3 | 2 | 4 | 2 | 0 |

| Event Type | Rules | Models |
|---|---|---|
| vpn-login | T1078 - Valid Accounts<br>SL-UA-F-VPN: First VPN connection for service account<br><br>T1133 - External Remote Services<br>SL-UA-F-VPN: First VPN connection for service account | |
| vpn-logout | T1078 - Valid Accounts<br>WPA-UACount: Abnormal number of privilege access events for user<br><br>T1098 - Account Manipulation<br>EM-InB-Perm-A: Abnormal number of mailbox permission given by user.<br><br>T1098.002 - Account Manipulation: Exchange Email Delegate Permissions<br>EM-InB-Perm-A: Abnormal number of mailbox permission given by user. | WPA-UACount: Count of admin privilege events for user<br>EM-InB-Perm: Models the number of mailbox permissions given by this user. |