Rules by Product and UseCase
April 15, 2026 · View on GitHub
Vendor: Swift
Product: Swift
Use-Case: Compromised Credentials
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 68 | 37 | 13 | 4 | 1 |
| Event Type | Rules | Models |
|---|---|---|
| app-activity | T1078 - Valid Accounts ↳ APP-UApp-F: First login or activity within an application for user ↳ APP-UApp-A: Abnormal login or activity within an application for user ↳ APP-AppU-F: First login to an application for a user with no history ↳ APP-F-SA-NC: New service account access to application ↳ APP-AppG-F: First login to an application for group ↳ APP-GApp-A: Abnormal login to an application for group ↳ APP-UTi: Abnormal user activity time ↳ APP-UAg-F: First user agent string for user ↳ APP-UAg-2: Second new user agent string for user ↳ APP-UAg-3: More than two new user agents used by the user in the same session ↳ APP-UOs-F: First os/browser combination for user ↳ APP-UsH-F: First source asset for user in application ↳ APP-UsH-A: Abnormal source asset for user in application ↳ APP-UOb-F: First access to application object for user ↳ APP-UOb-A: Abnormal access to application object for user ↳ APP-UappA-F: First application activity for user ↳ APP-UappA-A: Abnormal application activity for user ↳ APP-GappA-F: First application activity for peer group ↳ APP-GappA-A: Abnormal application activity for peer group ↳ APP-AA-F: First application activity in the organization ↳ APP-AA-A: Abnormal activity in application for the organization ↳ APP-UId-F: First use of client Id for user ↳ APP-IdU-F: Reuse of client Id ↳ APP-UMime-F: First mime type for user ↳ APP-UMime-A: Abnormal mime type for user ↳ APP-GMime-F: First mime type for peer group ↳ APP-GMime-A: Abnormal mime type for peer group ↳ APP-OMime-F: First mime type for organization ↳ APP-OMime-A: Abnormal mime type for organization ↳ APP-AppSz-F: First application access from network zone ↳ APP-AT-PRIV: Non-privileged user performing privileged application activity ↳ APP-AppED-F: New Email-domain found in application ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries T1133 - External Remote Services ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries | • UA-OC: Countries for organization • UA-GC: Countries for peer groups • UA-UC: Countries for user activity • UA-UI-new: ISP of users during application activity • APP-AppED: Email-domains per application • APP-AT-PRIV: Privileged application activities • APP-AppSz: Source zones per application • APP-OMime: Mime types for organization • APP-GMime: Mime types per peer group • APP-UMime: Mime types per user • APP-IdU: User per Client Id • APP-UId: Client Id per User • APP-AA: Activity per application • APP-GappA: Application activity per peer group • APP-UappA: Application activity per user • APP-UOb: Application objects per user • APP-UsH: User's machines accessing applications • APP-UOs-New: OS and Browser from user agent • APP-UAg: User Agent Strings • APP-UTi: Application activity time for user • APP-GApp: Group Logons to Applications • APP-AppG: Groups per Application • APP-AppU: User Logons to Applications • APP-UApp: Applications per User |
| app-login | T1190 - Exploit Public Fasing Application ↳ APP-Log4j-String-2: There was an attempt via app activity to exploit the CVE-2021-44228 vulnerability using known keywords. ↳ A-APP-Log4j-String: There was an attempt via app activity to exploit the CVE-2021-44228 vulnerability on this asset. ↳ A-App-Log4j-String-2: There was an attempt via app activity to exploit the CVE-2021-44228 vulnerability using known keywords on the asset. T1078 - Valid Accounts ↳ APP-UApp-F: First login or activity within an application for user ↳ APP-UApp-A: Abnormal login or activity within an application for user ↳ APP-AppU-F: First login to an application for a user with no history ↳ APP-F-SA-NC: New service account access to application ↳ APP-AppG-F: First login to an application for group ↳ APP-GApp-A: Abnormal login to an application for group ↳ APP-UTi: Abnormal user activity time ↳ APP-UAg-F: First user agent string for user ↳ APP-UAg-2: Second new user agent string for user ↳ APP-UAg-3: More than two new user agents used by the user in the same session ↳ APP-UOs-F: First os/browser combination for user ↳ APP-UsH-F: First source asset for user in application ↳ APP-UsH-A: Abnormal source asset for user in application ↳ APP-UId-F: First use of client Id for user ↳ APP-IdU-F: Reuse of client Id ↳ APP-AppSz-F: First application access from network zone ↳ APP-AppED-F: New Email-domain found in application ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries T1133 - External Remote Services ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries | • UA-OC: Countries for organization • UA-GC: Countries for peer groups • UA-UC: Countries for user activity • UA-UI-new: ISP of users during application activity • APP-AppED: Email-domains per application • APP-AppSz: Source zones per application • APP-IdU: User per Client Id • APP-UId: Client Id per User • APP-UsH: User's machines accessing applications • APP-UOs-New: OS and Browser from user agent • APP-UAg: User Agent Strings • APP-UTi: Application activity time for user • APP-GApp: Group Logons to Applications • APP-AppG: Groups per Application • APP-AppU: User Logons to Applications • APP-UApp: Applications per User |
| failed-app-login | T1078 - Valid Accounts ↳ APP-F-FL: Failed login to application | |
| web-activity-denied | T1190 - Exploit Public Fasing Application ↳ A-WEB-Mime-Types-Org-F: First occurence of this mime type on this asset for organization ↳ A-WEB-Base64CommandUserAgent: User agent with encoded commands was detected from this web activity. ↳ A-WEB-Log4j-String-2: There was an attempt via web activity to exploit the CVE-2021-44228 vulnerability using known keywords on the asset. T1071 - Application Layer Protocol ↳ WEB-UD-Reputation-F: First access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UD-Reputation-A: Abnormal access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-F: First access to this internet IP address which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-A: Abnormal access to this IP address which has been identified as risky by a reputation feed. ↳ WEB-UD-ALERT-A: Abnormal security alert accessing this malicious domain for user ↳ WEB-UD-ALERT-N: Common security alert on this malicious domain for user ↳ WEB-UT-TOW-A: Abnormal day for this user to access the web via the organization ↳ WEB-UZ-F: First web activity for this user in this zone ↳ WEB-GZ-F: First web activity from this zone for the peer group ↳ WEB-OZ-F: First web activity from this zone for the organization ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity ↳ WEB-URank-F: First web activity to this low ranked web domain ↳ WEB-URank-A: Abnormal web activity to this low ranked web domain ↳ WEB-IPF-Country-F: User has failed trying to directly browse to an IP address belonging to a country never before accessed ↳ A-WEB-HA-F: First web activity event on asset ↳ A-WEB-DC: Web activity event on a Domain Controller ↳ A-WEBF-IP-Country-F: Asset failed to directly connect to an IP address in a country never before accessed ↳ A-WEBF-IP-Country-A: Abnormal direct access to an IP address by the asset belonging to an abnormal country for the asset to access has failed ↳ A-NETF-HCountry-Outbound-WEB-F: First failed web browsing connection to this country from asset ↳ A-NETF-HCountry-Outbound-WEB-A: Web browsing connection to abnormal country for asset has failed T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-UD-Reputation-F: First access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UD-Reputation-A: Abnormal access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-F: First access to this internet IP address which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-A: Abnormal access to this IP address which has been identified as risky by a reputation feed. ↳ WEB-UD-ALERT-A: Abnormal security alert accessing this malicious domain for user ↳ WEB-UD-ALERT-N: Common security alert on this malicious domain for user ↳ WEB-UT-TOW-A: Abnormal day for this user to access the web via the organization ↳ WEB-UZ-F: First web activity for this user in this zone ↳ WEB-GZ-F: First web activity from this zone for the peer group ↳ WEB-OZ-F: First web activity from this zone for the organization ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity ↳ WEB-URank-F: First web activity to this low ranked web domain ↳ WEB-URank-A: Abnormal web activity to this low ranked web domain ↳ WEB-IPF-Country-F: User has failed trying to directly browse to an IP address belonging to a country never before accessed ↳ A-WEB-HA-F: First web activity event on asset ↳ A-WEB-DC: Web activity event on a Domain Controller ↳ A-WEBF-IP-Country-F: Asset failed to directly connect to an IP address in a country never before accessed ↳ A-WEBF-IP-Country-A: Abnormal direct access to an IP address by the asset belonging to an abnormal country for the asset to access has failed ↳ A-NETF-HCountry-Outbound-WEB-F: First failed web browsing connection to this country from asset ↳ A-NETF-HCountry-Outbound-WEB-A: Web browsing connection to abnormal country for asset has failed T1102 - Web Service ↳ A-WEB-DC: Web activity event on a Domain Controller T1189 - Drive-by Compromise ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1204 - User Execution ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1204.001 - T1204.001 ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1566 - Phishing ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1566.002 - Phishing: Spearphishing Link ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1078 - Valid Accounts ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity T1568 - Dynamic Resolution ↳ WEB-UD-DGA-A: Abnormal access to this domain which has been identified as DGA T1568.002 - Dynamic Resolution: Domain Generation Algorithms ↳ WEB-UD-DGA-A: Abnormal access to this domain which has been identified as DGA | • A-WEB-Mime-Types-Src: Web Activity MIME types for asset in organization • A-NET-HCountry-Outbound: Outbound country per asset • A-WEB-IP: IPs an asset has directly browsed to • A-WEB-HA: Web activity per Host • WEB-URank: Web activity to low ranked domains for the user • WEB-OZ: Network zones where users performs web activity in the organization • WEB-GZ: Network zones where users performs web activity in the peer group • WEB-UZ: Network zones where a user performs web activity from • WEB-UT-TOW: Web activity activity time for user • WEB-UD-ALERT: Top malicious web domain accessed by the user • WEB-UI-Reputation: Top ip addresses flagged by a reputation service that have been accessed by the user • WEB-UD-Reputation: Top web domain flagged by a reputation service that have been accessed by the user • WEB-UD-DGA: Top web domains per user that seem to be DGA generated during web activity |