Product: BeyondInsight
Use-Case: Data Access
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 31 | 16 | 3 | 5 | 5 |
| Event Type | Rules | Models |
|---|---|---|
| app-activity | T1078 - Valid Accounts ↳ APP-UApp-F: First login or activity within an application for user ↳ APP-UApp-A: Abnormal login or activity within an application for user ↳ APP-AppU-F: First login to an application for a user with no history ↳ APP-AppG-F: First login to an application for group ↳ APP-GApp-A: Abnormal login to an application for group ↳ APP-UOb-F: First access to application object for user ↳ APP-UOb-A: Abnormal access to application object for user ↳ APP-UappA-F: First application activity for user ↳ APP-UappA-A: Abnormal application activity for user ↳ APP-GappA-F: First application activity for peer group ↳ APP-GappA-A: Abnormal application activity for peer group ↳ APP-AA-F: First application activity in the organization ↳ APP-AA-A: Abnormal activity in application for the organization ↳ APP-UMime-F: First mime type for user ↳ APP-UMime-A: Abnormal mime type for user ↳ APP-GMime-F: First mime type for peer group ↳ APP-GMime-A: Abnormal mime type for peer group ↳ APP-OMime-F: First mime type for organization ↳ APP-OMime-A: Abnormal mime type for organization |
• APP-OMime: Mime types for organization • APP-GMime: Mime types per peer group • APP-UMime: Mime types per user • APP-AA: Activity per application • APP-GappA: Application activity per peer group • APP-UappA: Application activity per user • APP-UOb: Application objects per user • APP-GApp: Group Logons to Applications • APP-AppG: Groups per Application • APP-AppU: User Logons to Applications • APP-UApp: Applications per User |
| app-login | T1078 - Valid Accounts ↳ APP-UApp-F: First login or activity within an application for user ↳ APP-UApp-A: Abnormal login or activity within an application for user ↳ APP-AppU-F: First login to an application for a user with no history ↳ APP-AppG-F: First login to an application for group ↳ APP-GApp-A: Abnormal login to an application for group |
• APP-GApp: Group Logons to Applications • APP-AppG: Groups per Application • APP-AppU: User Logons to Applications • APP-UApp: Applications per User |
| database-login | T1213 - Data from Information Repositories ↳ DB-DbU-F: First access to database for user ↳ DB-DbU-A: Abnormal access to database for user ↳ DB-DbG-F: First access to database for peer group ↳ DB-DbG-A: Abnormal access to database for peer group ↳ DB-UDbZ-F: First database activity from source zone per user, database ↳ DB-UDbZ-A: Abnormal database activity from source zone per user, database ↳ DB-UDbH-F: First database activity from host per user, database ↳ DB-UDbH-A: Abnormal database activity from host per user, database ↳ DB-UDbI-F: First database activity from IP per user, database ↳ DB-UDbI-A: Abnormal database activity from IP per user, database |
• DB-UDbI: Database activity from source IP per user, database • DB-UDbH: Database activity from host per user, database • DB-UDbZ: Database activity from source zone per user, database • DB-DbG: Peer groups per database • DB-DbU: Users per database |
| failed-app-login | T1078 - Valid Accounts ↳ APP-F-FL: Failed login to application |
|
| process-created | T1003 - OS Credential Dumping ↳ A-CP-Sensitive-Files: Copying sensitive files with credential data on this asset |