Product: GravityZone
Use-Case: Privilege Abuse
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 15 | 7 | 3 | 4 | 4 |
| Event Type | Rules | Models |
|---|---|---|
| app-login | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account ↳ APP-F-SA-NC: New service account access to application |
|
| failed-logon | T1078 - Valid Accounts ↳ SEQ-UH-04: Failed logon by a service account ↳ SEQ-UH-05: Failed interactive logon by a service account ↳ SEQ-UH-12: Logon attempt on a disabled account |
• AE-UA: All activity for users |
| local-logon | T1078 - Valid Accounts ↳ AL-F-F-CS: First logon to a critical system for user ↳ AL-F-A-CS: Abnormal logon to a critical system for user ↳ AL-UH-CS-NC: Logon to a critical system for a user with no information ↳ AL-OU-F-CS: First logon to a critical system that user has not previously accessed ↳ AL-HT-PRIV: Non-Privileged logon to privileged asset ↳ AL-HT-EXEC-new: New user logon to executive asset ↳ DC18-new: Account switch by new user T1078.002 - T1078.002 ↳ SL-UH-I: Interactive logon using a service account ↳ SL-UH-A: Abnormal access from asset for a service account |
• AL-HT-EXEC: Executive Assets • AL-HT-PRIV: Privilege Users Assets • AL-OU-CS: Logon to critical servers • RA-UH: Assets accessed by this user remotely • AL-UsH: Source hosts per User • IL-UH-SA: Interactive logon hosts for service accounts |
| web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity T1078 - Valid Accounts ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity |