Rules by Product and UseCase

December 5, 2023 · View on GitHub

Vendor:

Product:

Use-Case: Compromised Credentials

RulesModelsMITRE ATT&CK® TTPsActivity TypesParsers
21998281515
Event TypeRulesModels
app-activityT1078 - Valid Accounts
APP-UApp-F: First login or activity within an application for user
APP-UApp-A: Abnormal login or activity within an application for user
APP-AppU-F: First login to an application for a user with no history
APP-F-SA-NC: New service account access to application
APP-AppG-F: First login to an application for group
APP-GApp-A: Abnormal login to an application for group
APP-UTi: Abnormal user activity time
APP-UAg-F: First user agent string for user
APP-UAg-2: Second new user agent string for user
APP-UAg-3: More than two new user agents used by the user in the same session
APP-UOs-F: First os/browser combination for user
APP-UsH-F: First source asset for user in application
APP-UsH-A: Abnormal source asset for user in application
APP-UOb-F: First access to application object for user
APP-UOb-A: Abnormal access to application object for user
APP-UappA-F: First application activity for user
APP-UappA-A: Abnormal application activity for user
APP-GappA-F: First application activity for peer group
APP-GappA-A: Abnormal application activity for peer group
APP-AA-F: First application activity in the organization
APP-AA-A: Abnormal activity in application for the organization
APP-UId-F: First use of client Id for user
APP-IdU-F: Reuse of client Id
APP-UMime-F: First mime type for user
APP-UMime-A: Abnormal mime type for user
APP-GMime-F: First mime type for peer group
APP-GMime-A: Abnormal mime type for peer group
APP-OMime-F: First mime type for organization
APP-OMime-A: Abnormal mime type for organization
APP-AppSz-F: First application access from network zone
APP-AT-PRIV: Non-privileged user performing privileged application activity
APP-AppED-F: New Email-domain found in application
UA-UI-F: First activity from ISP
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user
UA-UC-Suspicious: Activity from suspicious country
UA-UC-Two: Activity from two different countries
UA-UC-Three: Activity from 3 different countries

T1133 - External Remote Services
UA-UI-F: First activity from ISP
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user
UA-UC-Suspicious: Activity from suspicious country
UA-UC-Two: Activity from two different countries
UA-UC-Three: Activity from 3 different countries		UA-OC: Countries for organization
UA-GC: Countries for peer groups
UA-UC: Countries for user activity
UA-UI-new: ISP of users during application activity
APP-AppED: Email-domains per application
APP-AT-PRIV: Privileged application activities
APP-AppSz: Source zones per application
APP-OMime: Mime types for organization
APP-GMime: Mime types per peer group
APP-UMime: Mime types per user
APP-IdU: User per Client Id
APP-UId: Client Id per User
APP-AA: Activity per application
APP-GappA: Application activity per peer group
APP-UappA: Application activity per user
APP-UOb: Application objects per user
APP-UsH: User's machines accessing applications
APP-UOs-New: OS and Browser from user agent
APP-UAg: User Agent Strings
APP-UTi: Application activity time for user
APP-GApp: Group Logons to Applications
APP-AppG: Groups per Application
APP-AppU: User Logons to Applications
APP-UApp: Applications per User
app-loginT1190 - Exploit Public Fasing Application
APP-Log4j-String-2: There was an attempt via app activity to exploit the CVE-2021-44228 vulnerability using known keywords.
A-APP-Log4j-String: There was an attempt via app activity to exploit the CVE-2021-44228 vulnerability on this asset.
A-App-Log4j-String-2: There was an attempt via app activity to exploit the CVE-2021-44228 vulnerability using known keywords on the asset.

T1078 - Valid Accounts
APP-UApp-F: First login or activity within an application for user
APP-UApp-A: Abnormal login or activity within an application for user
APP-AppU-F: First login to an application for a user with no history
APP-F-SA-NC: New service account access to application
APP-AppG-F: First login to an application for group
APP-GApp-A: Abnormal login to an application for group
APP-UTi: Abnormal user activity time
APP-UAg-F: First user agent string for user
APP-UAg-2: Second new user agent string for user
APP-UAg-3: More than two new user agents used by the user in the same session
APP-UOs-F: First os/browser combination for user
APP-UsH-F: First source asset for user in application
APP-UsH-A: Abnormal source asset for user in application
APP-UId-F: First use of client Id for user
APP-IdU-F: Reuse of client Id
APP-AppSz-F: First application access from network zone
APP-AppED-F: New Email-domain found in application
UA-UI-F: First activity from ISP
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user
UA-UC-Suspicious: Activity from suspicious country
UA-UC-Two: Activity from two different countries
UA-UC-Three: Activity from 3 different countries

T1133 - External Remote Services
UA-UI-F: First activity from ISP
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user
UA-UC-Suspicious: Activity from suspicious country
UA-UC-Two: Activity from two different countries
UA-UC-Three: Activity from 3 different countries		UA-OC: Countries for organization
UA-GC: Countries for peer groups
UA-UC: Countries for user activity
UA-UI-new: ISP of users during application activity
APP-AppED: Email-domains per application
APP-AppSz: Source zones per application
APP-IdU: User per Client Id
APP-UId: Client Id per User
APP-UsH: User's machines accessing applications
APP-UOs-New: OS and Browser from user agent
APP-UAg: User Agent Strings
APP-UTi: Application activity time for user
APP-GApp: Group Logons to Applications
APP-AppG: Groups per Application
APP-AppU: User Logons to Applications
APP-UApp: Applications per User
authentication-successfulT1078 - Valid Accounts
UA-UI-F: First activity from ISP
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user
UA-UC-Suspicious: Activity from suspicious country
UA-UC-Two: Activity from two different countries
UA-UC-Three: Activity from 3 different countries

T1133 - External Remote Services
UA-UI-F: First activity from ISP
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user
UA-UC-Suspicious: Activity from suspicious country
UA-UC-Two: Activity from two different countries
UA-UC-Three: Activity from 3 different countries		UA-OC: Countries for organization
UA-GC: Countries for peer groups
UA-UC: Countries for user activity
UA-UI-new: ISP of users during application activity
database-loginT1213 - Data from Information Repositories
DB-DbU-F: First access to database for user
DB-DbU-A: Abnormal access to database for user
DB-DbG-F: First access to database for peer group
DB-DbG-A: Abnormal access to database for peer group
DB-UDbZ-F: First database activity from source zone per user, database
DB-UDbZ-A: Abnormal database activity from source zone per user, database
DB-UDbH-F: First database activity from host per user, database
DB-UDbH-A: Abnormal database activity from host per user, database
DB-UDbI-F: First database activity from IP per user, database
DB-UDbI-A: Abnormal database activity from IP per user, database		DB-UDbI: Database activity from source IP per user, database
DB-UDbH: Database activity from host per user, database
DB-UDbZ: Database activity from source zone per user, database
DB-DbG: Peer groups per database
DB-DbU: Users per database
failed-app-loginT1078 - Valid Accounts
APP-F-FL: Failed login to application
failed-logonT1078 - Valid Accounts
SEQ-UH-04: Failed logon by a service account
SEQ-UH-05: Failed interactive logon by a service account
SEQ-UH-07: Failed logon to an asset that user has not previously accessed		AE-UA: All activity for users
failed-vpn-loginT1133 - External Remote Services
SEQ-UH-15: Failed VPN login
file-deleteT1083 - File and Directory Discovery
FA-UA-UI-F: First file activity from ISP
FA-UA-UC-F: First file activity from country for user
FA-UA-UC-A: Abnormal file activity from country for user
FA-UA-GC-F: First file activity from country for group
FA-UA-GC-A: Abnormal file activity from country for group
FA-UA-OC-F: First file activity from country for organization
FA-UA-OC-A: Abnormal file activity from country for organization
FA-UTi: Abnormal user file activity time
FA-UH-F: First file access from asset for user
FA-UH-A: Abnormal file access from asset for user
FA-OZ-F: First file access from network zone for organization
FA-OZ-A: Abnormal file access from network zone for organization
FA-UZ-F: First file access from network zone for user
FA-UZ-A: Abnormal file access from network zone for user
FA-UA-F: First file access activity for user
FA-UA-A: Abnormal file access activity for user
FA-OU-F: First access to source code files for user in the organization
FA-OU-A: Abnormal access to source code files for user in the organization
FA-OG-F: First access to source code files for user in the peer group
FA-OG-A: Abnormal access to source code files for user in the peer group
FA-UD-F: First file server access for user
FA-UD-A: Abnormal file server access for user
FA-GD-F: First file server access for group
FA-GD-A: Abnormal file server access for group		FA-GD: File server access per group
FA-UD: File server access per user
FA-OG: Users accessing source code files in the peer group
FA-OU: Users accessing source code files in the organization
FA-UA: File access activities for user
FA-UZ: File accesses from network zone for user
FA-OZ: File accesses from network zone for organization
FA-UH: User file access source host
FA-UTi: File activity time for user
FA-UA-OC: Countries for organization file activities
FA-UA-GC: Countries for peer groups file activities
FA-UA-UC: Countries for user file activity
FA-UA-UI-new: ISP of users during file activity
file-readT1003.003 - T1003.003
A-NTDS-Access-F: The NTDS database was accessed from a new location on this asset.
A-NTDS-Access-A: The NTDS database was accessed from a non default location on this asset.
A-NTDS-Access: The NTDS database was accessed from a non default location without 'ntds.dit' in the file path on this asset.

T1003.001 - T1003.001
A-FA-LSASS: Possible Mimikatz attack on this asset by a user process

T1083 - File and Directory Discovery
FA-UA-UI-F: First file activity from ISP
FA-UA-UC-F: First file activity from country for user
FA-UA-UC-A: Abnormal file activity from country for user
FA-UA-GC-F: First file activity from country for group
FA-UA-GC-A: Abnormal file activity from country for group
FA-UA-OC-F: First file activity from country for organization
FA-UA-OC-A: Abnormal file activity from country for organization
FA-UTi: Abnormal user file activity time
FA-UH-F: First file access from asset for user
FA-UH-A: Abnormal file access from asset for user
FA-OZ-F: First file access from network zone for organization
FA-OZ-A: Abnormal file access from network zone for organization
FA-UZ-F: First file access from network zone for user
FA-UZ-A: Abnormal file access from network zone for user
FA-UA-F: First file access activity for user
FA-UA-A: Abnormal file access activity for user
FA-OU-F: First access to source code files for user in the organization
FA-OU-A: Abnormal access to source code files for user in the organization
FA-OG-F: First access to source code files for user in the peer group
FA-OG-A: Abnormal access to source code files for user in the peer group
FA-UD-F: First file server access for user
FA-UD-A: Abnormal file server access for user
FA-GD-F: First file server access for group
FA-GD-A: Abnormal file server access for group		A-NTDS-Access: Models the amount of accesses to paths that are related to NTDS
FA-GD: File server access per group
FA-UD: File server access per user
FA-OG: Users accessing source code files in the peer group
FA-OU: Users accessing source code files in the organization
FA-UA: File access activities for user
FA-UZ: File accesses from network zone for user
FA-OZ: File accesses from network zone for organization
FA-UH: User file access source host
FA-UTi: File activity time for user
FA-UA-OC: Countries for organization file activities
FA-UA-GC: Countries for peer groups file activities
FA-UA-UC: Countries for user file activity
FA-UA-UI-new: ISP of users during file activity
file-writeT1003.003 - T1003.003
A-NTDS-Access-F: The NTDS database was accessed from a new location on this asset.
A-NTDS-Access-A: The NTDS database was accessed from a non default location on this asset.
A-NTDS-Access: The NTDS database was accessed from a non default location without 'ntds.dit' in the file path on this asset.
A-NTDS-Shadow-Copy1: The NTDS database changed location to a shadowcopy using 'ntds.dit' and 'harddiskvolumeshadowcopy' in the file path on this asset.
A-NTDS-Shadow-Copy2: The NTDS database changed location to a shadowcopy using 'harddiskvolumeshadowcopy' in the file path on this asset.

T1003.002 - T1003.002
A-ATP-Tool-FGDump: Malicious exe/dll.
A-ATP-Tool-PSTGDump: Malicious pstgdump.exe was run from a temp folder on this asset.

T1083 - File and Directory Discovery
FA-UA-UI-F: First file activity from ISP
FA-UA-UC-F: First file activity from country for user
FA-UA-UC-A: Abnormal file activity from country for user
FA-UA-GC-F: First file activity from country for group
FA-UA-GC-A: Abnormal file activity from country for group
FA-UA-OC-F: First file activity from country for organization
FA-UA-OC-A: Abnormal file activity from country for organization
FA-UTi: Abnormal user file activity time
FA-UH-F: First file access from asset for user
FA-UH-A: Abnormal file access from asset for user
FA-OZ-F: First file access from network zone for organization
FA-OZ-A: Abnormal file access from network zone for organization
FA-UZ-F: First file access from network zone for user
FA-UZ-A: Abnormal file access from network zone for user
FA-UA-F: First file access activity for user
FA-UA-A: Abnormal file access activity for user
FA-OU-F: First access to source code files for user in the organization
FA-OU-A: Abnormal access to source code files for user in the organization
FA-OG-F: First access to source code files for user in the peer group
FA-OG-A: Abnormal access to source code files for user in the peer group
FA-UD-F: First file server access for user
FA-UD-A: Abnormal file server access for user
FA-GD-F: First file server access for group
FA-GD-A: Abnormal file server access for group		A-NTDS-Access: Models the amount of accesses to paths that are related to NTDS
FA-GD: File server access per group
FA-UD: File server access per user
FA-OG: Users accessing source code files in the peer group
FA-OU: Users accessing source code files in the organization
FA-UA: File access activities for user
FA-UZ: File accesses from network zone for user
FA-OZ: File accesses from network zone for organization
FA-UH: User file access source host
FA-UTi: File activity time for user
FA-UA-OC: Countries for organization file activities
FA-UA-GC: Countries for peer groups file activities
FA-UA-UC: Countries for user file activity
FA-UA-UI-new: ISP of users during file activity
process-createdT1003.001 - T1003.001
A-CreateMiniDump-Hacktool: CreateMiniDump Hacktool detected on this asset.
A-LSASS-Mem-Dump: LSASS Memory Dumping detected on this asset
A-Proc-Dump-Comsvcs: Process Dump via Rundll32 and Comsvcs.dll detected on this asset
A-Sus-Procdump: Suspicious Use of Procdump on this asset.
A-Procdump-Comsvcs-DLL: Process Dump via Comsvcs DLL on this asset
A-PC-Rundll-LsassDump: Rundll32 was run with minidump via commandline on this asset.
A-PC-Procdump-LsassDump: Procdump was executed with lsass dump command line parameters on this asset.

T1218.011 - Signed Binary Proxy Execution: Rundll32
A-Procdump-Comsvcs-DLL: Process Dump via Comsvcs DLL on this asset
A-PC-Rundll-LsassDump: Rundll32 was run with minidump via commandline on this asset.

T1040 - Network Sniffing
EPA-OU-SNIFF-F: First time this user has run a network sniffing tool
EPA-OU-SNIFF-A: Abnormal user has run a network sniffing tool
EPA-OG-SNIFF-F: First time this peer group has run a network sniffing tool
EPA-OG-SNIFF-A: Abnormal peer group running a network sniffing tool
A-NSniff-Cred: Potential network sniffing was observed on this asset.
A-EPA-SNIFF: Network sniffing tool has been found running on this asset
A-EPA-OH-SNIFF-F: First time this asset has had an execution of a network sniffing tool
A-EPA-OH-SNIFF-A: Abnormal asset running network sniffing tool
A-EPA-OZ-SNIFF-F: First zone on which network sniffing tool was run
A-EPA-OZ-SNIFF-A: Abnormal zone on which network sniffing tool was run

T1003.005 - T1003.005
A-Cmdkey-Cred-Recon: Cmdkey Cached Credentials Recon on this asset

T1003 - OS Credential Dumping
Mimikatz-process: A highly dangerous attacker tool, Mimikatz, has been used
A-CP-Sensitive-Files: Copying sensitive files with credential data on this asset
A-ShadowCP-SymLink: Shadow Copies Access via Symlink on this asset
A-ShadowCP-OSUtilities: Shadow Copies Creation Using Operating Systems Utilities on this asset

T1003.002 - T1003.002
ATP-PWDump: Malicious exe was run which is a part of credential dumping tool
A-GRAB-REG-HIVES: Grabbing Sensitive Hives via Reg Utility on this asset

T1555 - Credentials from Password Stores
A-SecX-Tool-Exec: SecurityXploded Tool execution detected on this asset

T1003.003 - T1003.003
AD-Diagnostic-Tool: Invocation of Active Directory Diagnostic Tool (ntdsutil.exe)

T1016 - System Network Configuration Discovery
WINCMD-Route: 'Route' program used
WINCMD-Netsh: 'Netsh' program used

TA0002 - TA0002
EPA-UH-Pen-F: Known pentest tool used		EPA-OZ-SNIFF: Network Zones on which network sniffing tools are run
EPA-OH-SNIFF: Hosts that have been found to be running network sniffing tools
EPA-OG-SNIFF: Peer groups that are running network sniffing tools
EPA-OU-SNIFF: Users that are running network sniffing tools
EPA-UH-Pen: Malicious tools used by user
remote-logonT1078 - Valid Accounts
AL-UT-F: Logon to New Asset Type
AL-UT-A: Logon to Abnormal asset type
AL-F-F-CS: First logon to a critical system for user
AL-F-A-CS: Abnormal logon to a critical system for user
AL-UH-CS-NC: Logon to a critical system for a user with no information
AL-OU-F-CS: First logon to a critical system that user has not previously accessed
RL-UH-F: First remote logon to asset
RL-UH-A: Abnormal remote logon to asset
AL-UZ-F: First logon to network zone
AL-UZ-A: Abnormal logon to network zone
RL-GH-F: First remote logon to asset for group
UA-UI-F: First activity from ISP
RL-GH-A-new: Abnormal remote logon to asset for group by new user
AL-GZ-F-new: First logon to network zone for new user of group
AL-GZ-A-new: Abnormal logon to network zone for group of new user
RL-HU-F-new: Remote logon to private asset for new user
UA-UC-Suspicious: Activity from suspicious country
UA-UC-Two: Activity from two different countries
UA-UC-Three: Activity from 3 different countries
A-AL-DhU-F: First user per asset
A-AL-DhU-A: Abnormal user per asset

T1133 - External Remote Services
UA-UI-F: First activity from ISP
UA-UC-Suspicious: Activity from suspicious country
UA-UC-Two: Activity from two different countries
UA-UC-Three: Activity from 3 different countries

T1021 - Remote Services
RL-UZ-F-DC: First logon to a Domain Controller from zone for user
RL-OZ-F-DC: First logon to a Domain Controller from zone for organization
RL-OZ-A-DC: Abnormal logon to a Domain Controller from zone for organization
RL-UH-F: First remote logon to asset
RL-UH-A: Abnormal remote logon to asset
RL-GH-F: First remote logon to asset for group
RL-GH-A-new: Abnormal remote logon to asset for group by new user
RL-HU-F-new: Remote logon to private asset for new user

T1550 - Use Alternate Authentication Material
RLA-UAPackage-F: First time usage of Windows authentication package
RLA-UAPackage-A: Abnormal usage of Windows authentication package

T1078.002 - T1078.002
SL-UH-I: Interactive logon using a service account
SL-UH-A: Abnormal access from asset for a service account
AL-F-F-DC-G: First logon to a Domain Controller for peer group
AL-F-A-DC-G: Abnormal logon to a Domain Controller for Peer Group
AL-UH-F-DC: First logon to this Domain Controller for user
AL-UH-A-DC: Abnormal logon to a Domain Controller that user has not accessed often previously
AL-UH-DC-NC: Logon to a Domain Controller for user with no information
RL-UZ-F-DC: First logon to a Domain Controller from zone for user
RL-OZ-F-DC: First logon to a Domain Controller from zone for organization
RL-OZ-A-DC: Abnormal logon to a Domain Controller from zone for organization

T1550.003 - Use Alternate Authentication Material: Pass the Ticket
EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected

T1558 - Steal or Forge Kerberos Tickets
EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected

T1078.003 - Valid Accounts: Local Accounts
AL-HLocU-F: First local user logon to this asset
AL-HLocU-A: Abnormal local user logon to this asset		A-AL-DhU: Users per Host
RL-HU: Remote logon users
AL-GZ: Network zones accessed by this peer group
RL-GH-A: Assets accessed remotely by this peer group
RLA-UAPackage: Windows authentication packages used when connecting to remote hosts
UA-UI-new: ISP of users during application activity
RL-UH: Remote logons
RL-OZ-DC: Source zones in the organization during domain controller access
RL-UZ-DC: Source zones per user logging into domain controller
RA-UH: Assets accessed by this user remotely
AL-UH-DC: Logons to Domain Controllers
AL-OU-CS: Logon to critical servers
AL-UT: Types of hosts
AL-UsH: Source hosts per User
IL-UH-SA: Interactive logon hosts for service accounts
NKL-HU: Users logging into this host remotely
security-alertT1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
A-ALERT-Critical: Security Alert on a critical asset
A-ALERT-Log4j: Alert associated with an exploitation or post exploitation as seen with Log4j Vulnerability was detected.

T1190 - Exploit Public Fasing Application
A-Log4j-Vul-Alert: Alert for the CVE-2021-44228 vulnerability on the asset.

T1078 - Valid Accounts
SA-OU-ALERT-F: First security alert triggered for this user in the organization
SA-OU-ALERT-A: Abnormal user triggering security alert in the organization
SA-OG-ALERT-F: First security alert triggered for peer group in the organization
SA-OG-ALERT-A: Abnormal peer group triggering security alert in the organization
SA-UA-F: First security alert name for user
SA-UA-A: Abnormal security alert name for user
SA-GA-F: First security alert name in the peer group
SA-GA-A: Abnormal security alert name in the peer group
SA-OA-F: First security alert name in the organization
A-SA-AN-ALERT-F: First security alert name on the asset
A-SA-AN-ALERT-A: Abnormal security alert name on the asset
A-SA-ON-ALERT-F: First security alert (by name) in the organization
A-SA-ON-ALERT-A: Abnormal security alert (by name) in the organization
A-SA-ZN-ALERT-F: First security alert (by name) in the zone
A-SA-ZN-ALERT-A: Abnormal security alert (by name) in the zone
A-SA-HN-ALERT-F: First security alert (by name) in the asset
A-SA-HN-ALERT-A: Abnormal security alert (by name) in the asset
A-SA-OA-ALERT-F: First security alert for this asset for organization
A-SA-OA-ALERT-A: Abnormal asset triggering security alert for organization

T1133 - External Remote Services
ALERT-VPN: Security Alert on asset accessed by this user during VPN session		A-SA-OA-ALERT: Assets triggering security alerts in the organization
A-SA-HN-ALERT: Security alert names triggered by the asset
A-SA-ZN-ALERT: Security alert names triggered in the zone
A-SA-ON-ALERT: Security alert names triggered in the organization
A-SA-AN-ALERT: Security alert names on asset
SA-GA: Security alert names in the peer group
SA-UA: Security alert names for user
SA-OG-ALERT: Peer groups triggering security alerts in the organization
SA-OU-ALERT: Users triggering security alerts in the organization
vpn-loginT1133 - External Remote Services
SL-UA-F-VPN: First VPN connection for service account
AE-UA-F-VPN: First VPN connection for user
UA-UI-F: First activity from ISP
VPN-GsH-F: First VPN connection from device for peer group
VPN-GsH-A: Abnormal VPN connection from device for peer group
AE-GA-F-VPN-new: First VPN connection for group of new user
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user
UA-UC-Suspicious: Activity from suspicious country
UA-UC-Two: Activity from two different countries
UA-UC-Three: Activity from 3 different countries
PA-VPN-01: VPN login after badge access

T1078 - Valid Accounts
SL-UA-F-VPN: First VPN connection for service account
AE-UA-F-VPN: First VPN connection for user
UA-UI-F: First activity from ISP
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user
UA-UC-Suspicious: Activity from suspicious country
UA-UC-Two: Activity from two different countries
UA-UC-Three: Activity from 3 different countries		PA-VPN-01: Users who vpn-in after badge access
UA-OC: Countries for organization
UA-GC: Countries for peer groups
UA-UC: Countries for user activity
AE-GA: All activity for peer groups
VPN-GsH: VPN endpoints in this peer group
UA-UI-new: ISP of users during application activity
AE-UA: All activity for users
web-activity-allowedT1190 - Exploit Public Fasing Application
A-WEB-Mime-Types-Org-F: First occurence of this mime type on this asset for organization
A-WEB-Base64CommandUserAgent: User agent with encoded commands was detected from this web activity.
A-WEB-Log4j-String-2: There was an attempt via web activity to exploit the CVE-2021-44228 vulnerability using known keywords on the asset.

T1071.001 - Application Layer Protocol: Web Protocols
WEB-UUa-OS-F: First web activity using this operating system for this user
WEB-GUa-OS-F: First web activity using this operating system for the peer group
WEB-OUa-OS-F: First web activity using this operating system for the organization
WEB-UUa-MobileBrowser-F: First activity using this mobile web browser/app for this user to a new domain
WEB-OsUa-MobileBrowser-F: First activity using this mobile web browser for this mobile operating system
WEB-UUa-Browser-F: First activity using this web browser for this user to a new domain
WEB-GUa-Browser-F: First activity using this web browser for the peer group
WEB-OUa-Browser-F: First activity using this web browser for the organization
WEB-UD-Reputation-F: First access to this web domain which has been identified as risky by a reputation feed.
WEB-UD-Reputation-A: Abnormal access to this web domain which has been identified as risky by a reputation feed.
WEB-UI-Reputation-F: First access to this internet IP address which has been identified as risky by a reputation feed.
WEB-UI-Reputation-A: Abnormal access to this IP address which has been identified as risky by a reputation feed.
WEB-UD-ALERT-A: Abnormal security alert accessing this malicious domain for user
WEB-UD-ALERT-N: Common security alert on this malicious domain for user
WEB-UT-TOW-A: Abnormal day for this user to access the web via the organization
WEB-UZ-F: First web activity for this user in this zone
WEB-GZ-F: First web activity from this zone for the peer group
WEB-OZ-F: First web activity from this zone for the organization
WEB-ALERT-EXEC: Security violation by Executive in web activity
WEB-URank-F: First web activity to this low ranked web domain
WEB-URank-A: Abnormal web activity to this low ranked web domain
WEB-IP-COUNTRY-A: Abnormal direct access to an IP address belonging to an abnormal country for user to access
A-WEB-HA-F: First web activity event on asset
A-WEB-DC: Web activity event on a Domain Controller
A-WEB-IP-Country-F: Asset has directly browsed to an IP address in a country never before accessed
A-WEB-IP-Country-A: Abnormal direct access to an IP address by the asset belonging to an abnormal country for the asset to access
A-NET-HCountry-Outbound-WEB-F: First web connection to this country from asset
A-NET-HCountry-Outbound-WEB-A: Abnormal web browsing communication country for asset
A-NET-OCountry-Outbound-WEB-F: First web browsing connection to this country from organization
A-NET-OCountry-Outbound-WEB-A: Abnormal web browsing connection country for the organization

T1102 - Web Service
A-WEB-DC: Web activity event on a Domain Controller

T1189 - Drive-by Compromise
WEB-URank-Binary: Executable download from first low ranked web domain

T1204.001 - T1204.001
WEB-URank-Binary: Executable download from first low ranked web domain

T1566.002 - Phishing: Spearphishing Link
WEB-URank-Binary: Executable download from first low ranked web domain

T1078 - Valid Accounts
WEB-ALERT-EXEC: Security violation by Executive in web activity

T1568.002 - Dynamic Resolution: Domain Generation Algorithms
WEB-UD-DGA-A: Abnormal access to this domain which has been identified as DGA		A-WEB-Mime-Types-Src: Web Activity MIME types for asset in organization
A-NET-OCountry-Outbound: Outbound country per organization
A-NET-HCountry-Outbound: Outbound country per asset
A-WEB-IP: IPs an asset has directly browsed to
A-WEB-HA: Web activity per Host
WEB-URank: Web activity to low ranked domains for the user
WEB-OZ: Network zones where users performs web activity in the organization
WEB-GZ: Network zones where users performs web activity in the peer group
WEB-UZ: Network zones where a user performs web activity from
WEB-UT-TOW: Web activity activity time for user
WEB-UD-ALERT: Top malicious web domain accessed by the user
WEB-UI-Reputation: Top ip addresses flagged by a reputation service that have been accessed by the user
WEB-UD-Reputation: Top web domain flagged by a reputation service that have been accessed by the user
WEB-OUa-Browser-New: Top web browsers being used in this organization
WEB-GUa-Browser-New: Top web browsers being used by peer group
WEB-UUa-Browser-New: Top web browsers being used by user
WEB-OsUa-MobileBrowser-New: Top mobile apps/web browsers being used in the organization for this type of device
WEB-UUa-MobileBrowser-New: Top mobile apps/web browsers being used by user
WEB-OUa-OS-New: Top operating systems being used to connect to the web for organization
WEB-GUa-OS-New: Top operating systems being used to connect to the web for peer group
WEB-UUa-OS-New: Top operating systems being used to connect to the web for user
WEB-UD-DGA: Top web domains per user that seem to be DGA generated during web activity
web-activity-deniedT1190 - Exploit Public Fasing Application
A-WEB-Mime-Types-Org-F: First occurence of this mime type on this asset for organization
A-WEB-Base64CommandUserAgent: User agent with encoded commands was detected from this web activity.
A-WEB-Log4j-String-2: There was an attempt via web activity to exploit the CVE-2021-44228 vulnerability using known keywords on the asset.

T1071.001 - Application Layer Protocol: Web Protocols
WEB-UD-Reputation-F: First access to this web domain which has been identified as risky by a reputation feed.
WEB-UD-Reputation-A: Abnormal access to this web domain which has been identified as risky by a reputation feed.
WEB-UI-Reputation-F: First access to this internet IP address which has been identified as risky by a reputation feed.
WEB-UI-Reputation-A: Abnormal access to this IP address which has been identified as risky by a reputation feed.
WEB-UD-ALERT-A: Abnormal security alert accessing this malicious domain for user
WEB-UD-ALERT-N: Common security alert on this malicious domain for user
WEB-UT-TOW-A: Abnormal day for this user to access the web via the organization
WEB-UZ-F: First web activity for this user in this zone
WEB-GZ-F: First web activity from this zone for the peer group
WEB-OZ-F: First web activity from this zone for the organization
WEB-ALERT-EXEC: Security violation by Executive in web activity
WEB-URank-F: First web activity to this low ranked web domain
WEB-URank-A: Abnormal web activity to this low ranked web domain
WEB-IPF-Country-F: User has failed trying to directly browse to an IP address belonging to a country never before accessed
A-WEB-HA-F: First web activity event on asset
A-WEB-DC: Web activity event on a Domain Controller
A-WEBF-IP-Country-F: Asset failed to directly connect to an IP address in a country never before accessed
A-WEBF-IP-Country-A: Abnormal direct access to an IP address by the asset belonging to an abnormal country for the asset to access has failed
A-NETF-HCountry-Outbound-WEB-F: First failed web browsing connection to this country from asset
A-NETF-HCountry-Outbound-WEB-A: Web browsing connection to abnormal country for asset has failed

T1102 - Web Service
A-WEB-DC: Web activity event on a Domain Controller

T1189 - Drive-by Compromise
WEB-URank-Binary: Executable download from first low ranked web domain

T1204.001 - T1204.001
WEB-URank-Binary: Executable download from first low ranked web domain

T1566.002 - Phishing: Spearphishing Link
WEB-URank-Binary: Executable download from first low ranked web domain

T1078 - Valid Accounts
WEB-ALERT-EXEC: Security violation by Executive in web activity

T1568.002 - Dynamic Resolution: Domain Generation Algorithms
WEB-UD-DGA-A: Abnormal access to this domain which has been identified as DGA		A-WEB-Mime-Types-Src: Web Activity MIME types for asset in organization
A-NET-HCountry-Outbound: Outbound country per asset
A-WEB-IP: IPs an asset has directly browsed to
A-WEB-HA: Web activity per Host
WEB-URank: Web activity to low ranked domains for the user
WEB-OZ: Network zones where users performs web activity in the organization
WEB-GZ: Network zones where users performs web activity in the peer group
WEB-UZ: Network zones where a user performs web activity from
WEB-UT-TOW: Web activity activity time for user
WEB-UD-ALERT: Top malicious web domain accessed by the user
WEB-UI-Reputation: Top ip addresses flagged by a reputation service that have been accessed by the user
WEB-UD-Reputation: Top web domain flagged by a reputation service that have been accessed by the user
WEB-UD-DGA: Top web domains per user that seem to be DGA generated during web activity