Rules by Product and Use Case
December 5, 2023
Use-Case: Abnormal Authentication & Access
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 47 | 23 | 7 | 21 | 21 |
| Event Type | Rules (grouped by MITRE ATT&CK TTP) | Models |
|---|---|---|
| account-creation | T1078 - Valid Accounts ↳ DORMANT-USER: Dormant User ↳ NEW-USER-F: User with no event history | |
| account-disabled | T1078 - Valid Accounts ↳ DORMANT-USER: Dormant User ↳ AE-UA-F: First activity type for user | • AE-UA: All activity for users |
| account-enabled | T1078 - Valid Accounts ↳ DORMANT-USER: Dormant User ↳ AE-UA-F: First activity type for user | • AE-UA: All activity for users |
| account-password-change | T1078 - Valid Accounts ↳ DORMANT-USER: Dormant User ↳ AE-UA-F: First activity type for user | • AE-UA: All activity for users |
| account-password-reset | T1078 - Valid Accounts ↳ DORMANT-USER: Dormant User ↳ AE-UA-F: First activity type for user | • AE-UA: All activity for users |
| account-switch | T1078 - Valid Accounts ↳ DORMANT-USER: Dormant User ↳ AE-UA-F: First activity type for user | • AE-UA: All activity for users |
| account-unlocked | T1078 - Valid Accounts ↳ AE-UA-F: First activity type for user | • AE-UA: All activity for users |
| app-activity | T1078 - Valid Accounts ↳ DORMANT-USER: Dormant User ↳ AE-UA-F: First activity type for user ↳ UA-GC-F: First activity from country for group ↳ UA-GC-A: Abnormal activity from country for group ↳ UA-OC-F: First activity from country for organization ↳ UA-OC-A: Abnormal activity from country for organization ↳ NEW-USER-F: User with no event history ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user T1133 - External Remote Services ↳ UA-UC-F: First activity from country for user ↳ UA-UC-A: Abnormal activity from country for user ↳ UA-GC-F: First activity from country for group ↳ UA-GC-A: Abnormal activity from country for group ↳ UA-OC-F: First activity from country for organization ↳ UA-OC-A: Abnormal activity from country for organization ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user | • UA-OC: Countries for organization • UA-GC: Countries for peer groups • UA-UC: Countries for user activity • AE-UA: All activity for users |
| app-login | T1078 - Valid Accounts ↳ DORMANT-USER: Dormant User ↳ AE-UA-F: First activity type for user ↳ UA-GC-F: First activity from country for group ↳ UA-GC-A: Abnormal activity from country for group ↳ UA-OC-F: First activity from country for organization ↳ UA-OC-A: Abnormal activity from country for organization ↳ NEW-USER-F: User with no event history ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user T1133 - External Remote Services ↳ UA-UC-F: First activity from country for user ↳ UA-UC-A: Abnormal activity from country for user ↳ UA-GC-F: First activity from country for group ↳ UA-GC-A: Abnormal activity from country for group ↳ UA-OC-F: First activity from country for organization ↳ UA-OC-A: Abnormal activity from country for organization ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user | • UA-OC: Countries for organization • UA-GC: Countries for peer groups • UA-UC: Countries for user activity • AE-UA: All activity for users |
| audit-log-clear | T1078 - Valid Accounts ↳ AE-UA-F: First activity type for user | • AE-UA: All activity for users |
| authentication-failed | T1133 - External Remote Services ↳ FA-UC-F: Failed activity from a country from which there was no prior successful activity ↳ FA-GC-F: First Failed activity in session from country in which group has never had a successful activity ↳ FA-OC-F: First Failed activity in session from country in which organization has never had a successful activity | • UA-OC: Countries for organization • UA-GC: Countries for peer groups • UA-UC: Countries for user activity |
| authentication-successful | T1078 - Valid Accounts ↳ DORMANT-USER: Dormant User ↳ AE-UA-F: First activity type for user ↳ UA-GC-F: First activity from country for group ↳ UA-GC-A: Abnormal activity from country for group ↳ UA-OC-F: First activity from country for organization ↳ UA-OC-A: Abnormal activity from country for organization ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user T1133 - External Remote Services ↳ UA-UC-F: First activity from country for user ↳ UA-UC-A: Abnormal activity from country for user ↳ UA-GC-F: First activity from country for group ↳ UA-GC-A: Abnormal activity from country for group ↳ UA-OC-F: First activity from country for organization ↳ UA-OC-A: Abnormal activity from country for organization ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user | • UA-OC: Countries for organization • UA-GC: Countries for peer groups • UA-UC: Countries for user activity • AE-UA: All activity for users |
| failed-app-login | T1133 - External Remote Services ↳ FA-UC-F: Failed activity from a country from which there was no prior successful activity ↳ FA-GC-F: First Failed activity in session from country in which group has never had a successful activity ↳ FA-OC-F: First Failed activity in session from country in which organization has never had a successful activity | • UA-OC: Countries for organization • UA-GC: Countries for peer groups • UA-UC: Countries for user activity |
| failed-logon | T1110 - Brute Force ↳ SEQ-UH-09: Abnormal time of the week for a failed logon for user ↳ SEQ-UH-10: Failed logons had multiple reasons T1078 - Valid Accounts ↳ SEQ-UH-03: Failed logon to a top failed logon asset by user ↳ SEQ-UH-06: Abnormal failed logon to asset by user ↳ SEQ-UH-07: Failed logon to an asset that user has not previously accessed | • FL-UH: All Failed Logons per user • FL-OH: All Failed Logons in the organization |
| failed-vpn-login | T1133 - External Remote Services ↳ FA-UC-F: Failed activity from a country from which there was no prior successful activity ↳ FA-GC-F: First Failed activity in session from country in which group has never had a successful activity ↳ FA-OC-F: First Failed activity in session from country in which organization has never had a successful activity | • UA-OC: Countries for organization • UA-GC: Countries for peer groups • UA-UC: Countries for user activity |
| member-removed | T1078 - Valid Accounts ↳ DORMANT-USER: Dormant User ↳ AE-UA-F: First activity type for user | • AE-UA: All activity for users |
| print-activity | T1078 - Valid Accounts ↳ DORMANT-USER: Dormant User | |
| privileged-access | T1078 - Valid Accounts ↳ AE-UA-F: First activity type for user | • AE-UA: All activity for users |
| remote-logon | T1078 - Valid Accounts ↳ DORMANT-USER: Dormant User ↳ AE-UA-F: First activity type for user ↳ AL-UT-F: Logon to New Asset Type ↳ AL-UT-A: Logon to Abnormal asset type ↳ AL-F-F-CS: First logon to a critical system for user ↳ AL-F-A-CS: Abnormal logon to a critical system for user ↳ AL-UH-CS-NC: Logon to a critical system for a user with no information ↳ AL-OU-F-CS: First logon to a critical system that user has not previously accessed ↳ RL-UH-F: First remote logon to asset ↳ RL-UH-A: Abnormal remote logon to asset ↳ AL-UZ-F: First logon to network zone ↳ AL-UZ-A: Abnormal logon to network zone ↳ UA-GC-F: First activity from country for group ↳ UA-GC-A: Abnormal activity from country for group ↳ UA-OC-F: First activity from country for organization ↳ UA-OC-A: Abnormal activity from country for organization ↳ AL-F-MultiWs: Multiple workstations in a single session ↳ NEW-USER-F: User with no event history ↳ RL-GH-A-new: Abnormal remote logon to asset for group by new user ↳ RL-GH-F-new: First remote logon to asset for group by new user ↳ AL-GZ-F-new: First logon to network zone for new user of group ↳ AL-GZ-A-new: Abnormal logon to network zone for group of new user ↳ RL-HU-F-new: Remote logon to private asset for new user ↳ PA-IT-NoPA: IT presence without badge access T1021 - Remote Services ↳ RL-UZ-F-DC: First logon to a Domain Controller from zone for user ↳ RL-UH-F: First remote logon to asset ↳ RL-UH-A: Abnormal remote logon to asset ↳ RL-GH-A-new: Abnormal remote logon to asset for group by new user ↳ RL-GH-F-new: First remote logon to asset for group by new user ↳ RL-HU-F-new: Remote logon to private asset for new user T1133 - External Remote Services ↳ UA-UC-F: First activity from country for user ↳ UA-UC-A: Abnormal activity from country for user ↳ UA-GC-F: First activity from country for group ↳ UA-GC-A: Abnormal activity from country for group ↳ UA-OC-F: First activity from country for organization ↳ UA-OC-A: Abnormal activity from country for organization T1078.002 - T1078.002 ↳ RL-UZ-F-DC: First logon to a Domain Controller from zone for user T1078.003 - Valid Accounts: Local Accounts ↳ AL-HLocU-F: First local user logon to this asset ↳ AL-HLocU-A: Abnormal local user logon to this asset | • PA-OU: Badge access by users in the organization • RL-HU: Remote logon users • AL-GZ: Network zones accessed by this peer group • RL-GH-A: Assets accessed remotely by this peer group • UA-OC: Countries for organization • UA-GC: Countries for peer groups • UA-UC: Countries for user activity • RL-UH: Remote logons • RL-UZ-DC: Source zones per user logging into domain controller • AL-OU-CS: Logon to critical servers • RA-UH: Assets accessed by this user remotely • AL-UT: Types of hosts • AE-UA: All activity for users • NKL-HU: Users logging into this host remotely |
| vpn-login | T1133 - External Remote Services ↳ UA-UC-F: First activity from country for user ↳ UA-UC-A: Abnormal activity from country for user ↳ UA-GC-F: First activity from country for group ↳ UA-GC-A: Abnormal activity from country for group ↳ UA-OC-F: First activity from country for organization ↳ UA-OC-A: Abnormal activity from country for organization ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ PA-VPN-01: VPN login after badge access T1078 - Valid Accounts ↳ DORMANT-USER: Dormant User ↳ AE-UA-F: First activity type for user ↳ UA-GC-F: First activity from country for group ↳ UA-GC-A: Abnormal activity from country for group ↳ UA-OC-F: First activity from country for organization ↳ UA-OC-A: Abnormal activity from country for organization ↳ NEW-USER-F: User with no event history ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user | • PA-VPN-01: Users who vpn-in after badge access • UA-OC: Countries for organization • UA-GC: Countries for peer groups • UA-UC: Countries for user activity • AE-UA: All activity for users |
| web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-UUa-OS-F: First web activity using this operating system for this user ↳ WEB-UUa-MobileBrowser-F: First activity using this mobile web browser/app for this user to a new domain ↳ WEB-OsUa-MobileBrowser-F: First activity using this mobile web browser for this mobile operating system ↳ WEB-UT-TOW-A: Abnormal day for this user to access the web via the organization ↳ WEB-UZ-F: First web activity for this user in this zone ↳ WEB-GZ-F: First web activity from this zone for the peer group | • WEB-GZ: Network zones where users in the peer group perform web activity • WEB-UZ: Network zones from which a user performs web activity • WEB-UT-TOW: Web activity time for user • WEB-OsUa-MobileBrowser-New: Top mobile apps/web browsers being used in the organization for this type of device • WEB-UUa-MobileBrowser-New: Top mobile apps/web browsers being used by user • WEB-UUa-OS-New: Top operating systems being used to connect to the web for user |
| web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-UT-TOW-A: Abnormal day for this user to access the web via the organization ↳ WEB-UZ-F: First web activity for this user in this zone ↳ WEB-GZ-F: First web activity from this zone for the peer group | • WEB-GZ: Network zones where users in the peer group perform web activity • WEB-UZ: Network zones from which a user performs web activity • WEB-UT-TOW: Web activity time for user |