Product: Auth0
Use-Case: Malware
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 30 | 9 | 16 | 5 | 11 |
| Event Type | Rules | Models |
|---|---|---|
| app-login | T1078 - Valid Accounts ↳ Auth-Blacklist-Shost: User authentication or login from a known blacklisted IP |
|
| authentication-successful | T1078 - Valid Accounts ↳ Auth-Blacklist-Shost: User authentication or login from a known blacklisted IP |
|
| failed-logon | T1210 - Exploitation of Remote Services ↳ A-Suspicious-Bluekeep1: The account AAAAAAA failed to logon on this asset. |
|
| remote-logon | TA0002 - TA0002 ↳ DEF-TEMP-DIRECTORY-F: First time process has been executed from a temporary directory by this user ↳ DEF-TEMP-DIRECTORY-A: Abnormal process has been executed from a temporary directory by this user ↳ A-EPA-TEMP-DIRECTORY-F: First execution of this process from a temporary directory on this asset ↳ A-EPA-TEMP-DIRECTORY-A: Abnormal execution of this process from a temporary directory T1078 - Valid Accounts ↳ Auth-Blacklist-Shost: User authentication or login from a known blacklisted IP T1550 - Use Alternate Authentication Material ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected T1550.003 - Use Alternate Authentication Material: Pass the Ticket ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected T1558 - Steal or Forge Kerberos Tickets ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected |
• A-EPA-UP-TEMP: Processes executed from TEMP directories on this asset • AE-UP-TEMP: Process executable TEMP directories for this user during a session |
| web-activity-allowed | T1071 - Application Layer Protocol ↳ WEB-UU-Reputation: User attempted access to a url with bad reputation ↳ WEB-UD-Reputation-F: First access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UD-Reputation-A: Abnormal access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UD-Reputation-N: Common access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-F: First access to this internet IP address which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-A: Abnormal access to this IP address which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-N: Common access to this IP address which has been identified as risky by a reputation feed. ↳ WEB-UD-ALERT-A: Abnormal security alert accessing this malicious domain for user ↳ WEB-UD-ALERT-N: Common security alert on this malicious domain for user ↳ WEB-URank-F: First web activity to this low ranked web domain ↳ WEB-URank-A: Abnormal web activity to this low ranked web domain ↳ A-WEB-DGA: Asset has accessed a domain that has been identified as DGA ↳ A-WEB-Reputation-URL: Asset attempted access to a url with bad reputation ↳ A-WEB-Reputation-Domain: Asset attempted access to a domain with bad reputation ↳ A-WEB-Reputation-IP: Asset attempted to connect to IP address with bad reputation ↳ A-WEB-IOC: Indicator of Compromise (IOC) found in asset's web activity ↳ A-WEB-ALERT: Asset attempted access to a domain with malicious reputation ↳ A-WEB-IP-Country-F: Asset has directly browsed to an IP address in a country never before accessed ↳ A-WEB-IP-Country-A: Abnormal direct access to an IP address by the asset belonging to an abnormal country for the asset to access T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-UU-Reputation: User attempted access to a url with bad reputation ↳ WEB-UD-Reputation-F: First access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UD-Reputation-A: Abnormal access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UD-Reputation-N: Common access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-F: First access to this internet IP address which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-A: Abnormal access to this IP address which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-N: Common access to this IP address which has been identified as risky by a reputation feed. ↳ WEB-UD-ALERT-A: Abnormal security alert accessing this malicious domain for user ↳ WEB-UD-ALERT-N: Common security alert on this malicious domain for user ↳ WEB-URank-F: First web activity to this low ranked web domain ↳ WEB-URank-A: Abnormal web activity to this low ranked web domain ↳ A-WEB-DGA: Asset has accessed a domain that has been identified as DGA ↳ A-WEB-Reputation-URL: Asset attempted access to a url with bad reputation ↳ A-WEB-Reputation-Domain: Asset attempted access to a domain with bad reputation ↳ A-WEB-Reputation-IP: Asset attempted to connect to IP address with bad reputation ↳ A-WEB-IOC: Indicator of Compromise (IOC) found in asset's web activity ↳ A-WEB-ALERT: Asset attempted access to a domain with malicious reputation ↳ A-WEB-IP-Country-F: Asset has directly browsed to an IP address in a country never before accessed ↳ A-WEB-IP-Country-A: Abnormal direct access to an IP address by the asset belonging to an abnormal country for the asset to access T1568 - Dynamic Resolution ↳ WEB-UD-DGA-A: Abnormal access to this domain which has been identified as DGA ↳ WEB-UD-DGA-N: Common access to this domain which has been identified as DGA ↳ A-WEB-DGA: Asset has accessed a domain that has been identified as DGA T1568.002 - Dynamic Resolution: Domain Generation Algorithms ↳ WEB-UD-DGA-A: Abnormal access to this domain which has been identified as DGA ↳ WEB-UD-DGA-N: Common access to this domain which has been identified as DGA ↳ A-WEB-DGA: Asset has accessed a domain that has been identified as DGA T1190 - Exploit Public Fasing Application ↳ WEB-Mime-Types-Org-F: First occurence of this mime type for organization T1189 - Drive-by Compromise ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1204 - User Execution ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1204.001 - T1204.001 ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1566 - Phishing ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1566.002 - Phishing: Spearphishing Link ↳ WEB-URank-Binary: Executable download from first low ranked web domain |
• A-WEB-IP: IPs an asset has directly browsed to • WEB-Mime-Types-Org: MIME types in the organization • WEB-URank: Web activity to low ranked domains for the user • WEB-UD-ALERT: Top malicious web domain accessed by the user • WEB-UI-Reputation: Top ip addresses flagged by a reputation service that have been accessed by the user • WEB-UD-Reputation: Top web domain flagged by a reputation service that have been accessed by the user • WEB-UD-DGA: Top web domains per user that seem to be DGA generated during web activity |