Product: Sonicwall
Use-Case: Compromised Credentials
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 119 | 58 | 22 | 6 | 12 |
| Event Type | Rules | Models |
|---|---|---|
| failed-vpn-login | T1133 - External Remote Services ↳ SEQ-UH-15: Failed VPN login |
|
| network-alert | T1027 - Obfuscated Files or Information ↳ A-IDS-OLA-F: First network alert on asset with no previous alerts for organization ↳ A-IDS-OLA-A: Abnormal network alert for asset for organization ↳ A-IDS-ZLA-F: First network alert on asset with no previous alerts for zone ↳ A-IDS-ZLA-A: Abnormal network alert for asset for zone ↳ A-IDS-OLZ-F: First network alert for zone in the organization ↳ A-IDS-OLZ-A: Abnormal network alert for zone in the organization ↳ A-IDS-OdPort-F: First network alert on port for organization ↳ A-IDS-OdPort-A: Abnormal network alert on port for organization ↳ A-IDS-HdPort-F: First network alert on port for asset ↳ A-IDS-HdPort-A: Abnormal network alert on port for asset ↳ A-IDS-dZdPort-F: First network alert on port for zone ↳ A-IDS-dZdPort-A: Abnormal network alert on port for zone ↳ A-IDS-LZAN-F: First network alert (by name) for zone ↳ A-IDS-LZAN-A: Abnormal network alert (by name) for zone ↳ A-IDS-OAN-F: First network alert (by name) for organization ↳ A-IDS-OAN-A: Abnormal network alert (by name) for organization ↳ A-IDS-SERVER: First or Abnormal network alert in server zone ↳ A-ALERT-Other: Alert on asset ↳ A-ALERT-Critical: Security Alert on a critical asset ↳ A-ALERT-Log4j: Alert associated with an exploitation or post exploitation as seen with Log4j Vulnerability was detected. T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools ↳ A-IDS-OLA-F: First network alert on asset with no previous alerts for organization ↳ A-IDS-OLA-A: Abnormal network alert for asset for organization ↳ A-IDS-ZLA-F: First network alert on asset with no previous alerts for zone ↳ A-IDS-ZLA-A: Abnormal network alert for asset for zone ↳ A-IDS-OLZ-F: First network alert for zone in the organization ↳ A-IDS-OLZ-A: Abnormal network alert for zone in the organization ↳ A-IDS-OdPort-F: First network alert on port for organization ↳ A-IDS-OdPort-A: Abnormal network alert on port for organization ↳ A-IDS-HdPort-F: First network alert on port for asset ↳ A-IDS-HdPort-A: Abnormal network alert on port for asset ↳ A-IDS-dZdPort-F: First network alert on port for zone ↳ A-IDS-dZdPort-A: Abnormal network alert on port for zone ↳ A-IDS-LZAN-F: First network alert (by name) for zone ↳ A-IDS-LZAN-A: Abnormal network alert (by name) for zone ↳ A-IDS-OAN-F: First network alert (by name) for organization ↳ A-IDS-OAN-A: Abnormal network alert (by name) for organization ↳ A-IDS-SERVER: First or Abnormal network alert in server zone ↳ A-ALERT-Other: Alert on asset ↳ A-ALERT-Critical: Security Alert on a critical asset ↳ A-ALERT-Log4j: Alert associated with an exploitation or post exploitation as seen with Log4j Vulnerability was detected. T1190 - Exploit Public Fasing Application ↳ A-Log4j-Vul-Alert: Alert for the CVE-2021-44228 vulnerability on the asset. |
• A-AL-ZT-SERVER: Server zones based on number of servers • A-IDS-OAN: Network alert names triggered in the organization • A-IDS-LZAN: Network alert names triggered in zone • A-IDS-dZdPort: Destination ports on which network alerts have triggered in zone • A-IDS-HdPort: Destination ports on which network alerts have triggered for the asset • A-IDS-OdPort: Destination ports on which network alerts have triggered in the organization • A-IDS-OLZ: Zones in which network alerts are triggered in the organization • A-IDS-ZLA: Assets that triggered network alerts in the zone • A-IDS-OLA: Assets that triggered network alerts in the organization |
| remote-logon | T1078 - Valid Accounts ↳ AL-HLocU-F: First local user logon to this asset ↳ AL-HLocU-A: Abnormal local user logon to this asset ↳ SL-UH-I: Interactive logon using a service account ↳ SL-UH-A: Abnormal access from asset for a service account ↳ AL-UT-F: Logon to New Asset Type ↳ AL-UT-A: Logon to Abnormal asset type ↳ AL-F-F-CS: First logon to a critical system for user ↳ AL-F-A-CS: Abnormal logon to a critical system for user ↳ AL-UH-CS-NC: Logon to a critical system for a user with no information ↳ AL-OU-F-CS: First logon to a critical system that user has not previously accessed ↳ AL-F-F-DC-G: First logon to a Domain Controller for peer group ↳ AL-F-A-DC-G: Abnormal logon to a Domain Controller for Peer Group ↳ AL-UH-F-DC: First logon to this Domain Controller for user ↳ AL-UH-A-DC: Abnormal logon to a Domain Controller that user has not accessed often previously ↳ AL-UH-DC-NC: Logon to a Domain Controller for user with no information ↳ RL-UZ-F-DC: First logon to a Domain Controller from zone for user ↳ RL-OZ-F-DC: First logon to a Domain Controller from zone for organization ↳ RL-OZ-A-DC: Abnormal logon to a Domain Controller from zone for organization ↳ RL-UH-F: First remote logon to asset ↳ RL-UH-A: Abnormal remote logon to asset ↳ AL-UZ-F: First logon to network zone ↳ AL-UZ-A: Abnormal logon to network zone ↳ RL-GH-F: First remote logon to asset for group ↳ UA-UI-F: First activity from ISP ↳ RL-GH-A-new: Abnormal remote logon to asset for group by new user ↳ AL-GZ-F-new: First logon to network zone for new user of group ↳ AL-GZ-A-new: Abnormal logon to network zone for group of new user ↳ RL-HU-F-new: Remote logon to private asset for new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries ↳ A-AL-DhU-F: First user per asset ↳ A-AL-DhU-A: Abnormal user per asset T1133 - External Remote Services ↳ UA-UI-F: First activity from ISP ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries T1021 - Remote Services ↳ RL-UZ-F-DC: First logon to a Domain Controller from zone for user ↳ RL-OZ-F-DC: First logon to a Domain Controller from zone for organization ↳ RL-OZ-A-DC: Abnormal logon to a Domain Controller from zone for organization ↳ RL-UH-F: First remote logon to asset ↳ RL-UH-A: Abnormal remote logon to asset ↳ RL-GH-F: First remote logon to asset for group ↳ RL-GH-A-new: Abnormal remote logon to asset for group by new user ↳ RL-HU-F-new: Remote logon to private asset for new user T1550 - Use Alternate Authentication Material ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected ↳ RLA-UAPackage-F: First time usage of Windows authentication package ↳ RLA-UAPackage-A: Abnormal usage of Windows authentication package T1078.002 - T1078.002 ↳ SL-UH-I: Interactive logon using a service account ↳ SL-UH-A: Abnormal access from asset for a service account ↳ AL-F-F-DC-G: First logon to a Domain Controller for peer group ↳ AL-F-A-DC-G: Abnormal logon to a Domain Controller for Peer Group ↳ AL-UH-F-DC: First logon to this Domain Controller for user ↳ AL-UH-A-DC: Abnormal logon to a Domain Controller that user has not accessed often previously ↳ AL-UH-DC-NC: Logon to a Domain Controller for user with no information ↳ RL-UZ-F-DC: First logon to a Domain Controller from zone for user ↳ RL-OZ-F-DC: First logon to a Domain Controller from zone for organization ↳ RL-OZ-A-DC: Abnormal logon to a Domain Controller from zone for organization T1550.003 - Use Alternate Authentication Material: Pass the Ticket ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected T1558 - Steal or Forge Kerberos Tickets ↳ EXPERT-PENTEST-DOMAINS: Possible credentials theft attack detected T1078.003 - Valid Accounts: Local Accounts ↳ AL-HLocU-F: First local user logon to this asset ↳ AL-HLocU-A: Abnormal local user logon to this asset |
• A-AL-DhU: Users per Host • RL-HU: Remote logon users • AL-GZ: Network zones accessed by this peer group • RL-GH-A: Assets accessed remotely by this peer group • RLA-UAPackage: Windows authentication packages used when connecting to remote hosts • UA-UI-new: ISP of users during application activity • RL-UH: Remote logons • RL-OZ-DC: Source zones in the organization during domain controller access • RL-UZ-DC: Source zones per user logging into domain controller • RA-UH: Assets accessed by this user remotely • AL-UH-DC: Logons to Domain Controllers • AL-OU-CS: Logon to critical servers • AL-UT: Types of hosts • AL-UsH: Source hosts per User • IL-UH-SA: Interactive logon hosts for service accounts • NKL-HU: Users logging into this host remotely |
| vpn-login | T1133 - External Remote Services ↳ SL-UA-F-VPN: First VPN connection for service account ↳ AE-UA-F-VPN: First VPN connection for user ↳ UA-UI-F: First activity from ISP ↳ VPN-GsH-F: First VPN connection from device for peer group ↳ VPN-GsH-A: Abnormal VPN connection from device for peer group ↳ AE-GA-F-VPN-new: First VPN connection for group of new user ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries ↳ PA-VPN-01: VPN login after badge access T1078 - Valid Accounts ↳ SL-UA-F-VPN: First VPN connection for service account ↳ AE-UA-F-VPN: First VPN connection for user ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries |
• PA-VPN-01: Users who vpn-in after badge access • UA-OC: Countries for organization • UA-GC: Countries for peer groups • UA-UC: Countries for user activity • AE-GA: All activity for peer groups • VPN-GsH: VPN endpoints in this peer group • UA-UI-new: ISP of users during application activity • AE-UA: All activity for users |
| vpn-logout | T1078 - Valid Accounts ↳ APP-UAgC-F: First activity from country and first os/browser/user agent for user in same session ↳ AL-UHcount-S: Abnormal number of logon assets (S) ↳ AL-UHcount-M: Abnormal number of logon assets (M) ↳ AL-UHcount-L: Abnormal number of logon assets (L) ↳ AL-OHcount: Abnormal number of logged on assets compared to the organization ↳ AL-GHcount: Abnormal number of logged on assets compared to group ↳ VPN-End-DUR: Abnormal VPN session duration ↳ DC08d-new: Abnormal number of assets compared to group for a new user ↳ DC14g-new: Abnormal number of accessed assets for group of new user ↳ DC17j-new: Abnormal number of accessed zones for group of a new user T1133 - External Remote Services ↳ VPN-BSum: Abnormal amount of data uploaded during VPN Session ↳ VPN-End-DUR: Abnormal VPN session duration T1110 - Brute Force ↳ APP-UFL-COUNT: Abnormal number of failed application logins for user |
• VPN-End-DUR: VPN session duration • VPN-BSum: Sum of bytes uploaded during VPN • AL-OHcount: Count of assets logon per user in the organization • APP-UFL-COUNT: Count of failed application logins in a session |
| web-activity-allowed | T1190 - Exploit Public Fasing Application ↳ A-WEB-Mime-Types-Org-F: First occurence of this mime type on this asset for organization ↳ A-WEB-Base64CommandUserAgent: User agent with encoded commands was detected from this web activity. ↳ A-WEB-Log4j-String-2: There was an attempt via web activity to exploit the CVE-2021-44228 vulnerability using known keywords on the asset. T1071 - Application Layer Protocol ↳ WEB-UUa-OS-F: First web activity using this operating system for this user ↳ WEB-GUa-OS-F: First web activity using this operating system for the peer group ↳ WEB-OUa-OS-F: First web activity using this operating system for the organization ↳ WEB-UUa-MobileBrowser-F: First activity using this mobile web browser/app for this user to a new domain ↳ WEB-OsUa-MobileBrowser-F: First activity using this mobile web browser for this mobile operating system ↳ WEB-UUa-Browser-F: First activity using this web browser for this user to a new domain ↳ WEB-GUa-Browser-F: First activity using this web browser for the peer group ↳ WEB-OUa-Browser-F: First activity using this web browser for the organization ↳ WEB-UD-Reputation-F: First access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UD-Reputation-A: Abnormal access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-F: First access to this internet IP address which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-A: Abnormal access to this IP address which has been identified as risky by a reputation feed. ↳ WEB-UD-ALERT-A: Abnormal security alert accessing this malicious domain for user ↳ WEB-UD-ALERT-N: Common security alert on this malicious domain for user ↳ WEB-UT-TOW-A: Abnormal day for this user to access the web via the organization ↳ WEB-UZ-F: First web activity for this user in this zone ↳ WEB-GZ-F: First web activity from this zone for the peer group ↳ WEB-OZ-F: First web activity from this zone for the organization ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity ↳ WEB-URank-F: First web activity to this low ranked web domain ↳ WEB-URank-A: Abnormal web activity to this low ranked web domain ↳ WEB-IP-COUNTRY-A: Abnormal direct access to an IP address belonging to an abnormal country for user to access ↳ A-WEB-HA-F: First web activity event on asset ↳ A-WEB-DC: Web activity event on a Domain Controller ↳ A-WEB-IP-Country-F: Asset has directly browsed to an IP address in a country never before accessed ↳ A-WEB-IP-Country-A: Abnormal direct access to an IP address by the asset belonging to an abnormal country for the asset to access ↳ A-NET-HCountry-Outbound-WEB-F: First web connection to this country from asset ↳ A-NET-HCountry-Outbound-WEB-A: Abnormal web browsing communication country for asset ↳ A-NET-OCountry-Outbound-WEB-F: First web browsing connection to this country from organization ↳ A-NET-OCountry-Outbound-WEB-A: Abnormal web browsing connection country for the organization T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-UUa-OS-F: First web activity using this operating system for this user ↳ WEB-GUa-OS-F: First web activity using this operating system for the peer group ↳ WEB-OUa-OS-F: First web activity using this operating system for the organization ↳ WEB-UUa-MobileBrowser-F: First activity using this mobile web browser/app for this user to a new domain ↳ WEB-OsUa-MobileBrowser-F: First activity using this mobile web browser for this mobile operating system ↳ WEB-UUa-Browser-F: First activity using this web browser for this user to a new domain ↳ WEB-GUa-Browser-F: First activity using this web browser for the peer group ↳ WEB-OUa-Browser-F: First activity using this web browser for the organization ↳ WEB-UD-Reputation-F: First access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UD-Reputation-A: Abnormal access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-F: First access to this internet IP address which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-A: Abnormal access to this IP address which has been identified as risky by a reputation feed. ↳ WEB-UD-ALERT-A: Abnormal security alert accessing this malicious domain for user ↳ WEB-UD-ALERT-N: Common security alert on this malicious domain for user ↳ WEB-UT-TOW-A: Abnormal day for this user to access the web via the organization ↳ WEB-UZ-F: First web activity for this user in this zone ↳ WEB-GZ-F: First web activity from this zone for the peer group ↳ WEB-OZ-F: First web activity from this zone for the organization ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity ↳ WEB-URank-F: First web activity to this low ranked web domain ↳ WEB-URank-A: Abnormal web activity to this low ranked web domain ↳ WEB-IP-COUNTRY-A: Abnormal direct access to an IP address belonging to an abnormal country for user to access ↳ A-WEB-HA-F: First web activity event on asset ↳ A-WEB-DC: Web activity event on a Domain Controller ↳ A-WEB-IP-Country-F: Asset has directly browsed to an IP address in a country never before accessed ↳ A-WEB-IP-Country-A: Abnormal direct access to an IP address by the asset belonging to an abnormal country for the asset to access ↳ A-NET-HCountry-Outbound-WEB-F: First web connection to this country from asset ↳ A-NET-HCountry-Outbound-WEB-A: Abnormal web browsing communication country for asset ↳ A-NET-OCountry-Outbound-WEB-F: First web browsing connection to this country from organization ↳ A-NET-OCountry-Outbound-WEB-A: Abnormal web browsing connection country for the organization T1102 - Web Service ↳ A-WEB-DC: Web activity event on a Domain Controller T1189 - Drive-by Compromise ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1204 - User Execution ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1204.001 - T1204.001 ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1566 - Phishing ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1566.002 - Phishing: Spearphishing Link ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1078 - Valid Accounts ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity T1568 - Dynamic Resolution ↳ WEB-UD-DGA-A: Abnormal access to this domain which has been identified as DGA T1568.002 - Dynamic Resolution: Domain Generation Algorithms ↳ WEB-UD-DGA-A: Abnormal access to this domain which has been identified as DGA |
• A-WEB-Mime-Types-Src: Web Activity MIME types for asset in organization • A-NET-OCountry-Outbound: Outbound country per organization • A-NET-HCountry-Outbound: Outbound country per asset • A-WEB-IP: IPs an asset has directly browsed to • A-WEB-HA: Web activity per Host • WEB-URank: Web activity to low ranked domains for the user • WEB-OZ: Network zones where users performs web activity in the organization • WEB-GZ: Network zones where users performs web activity in the peer group • WEB-UZ: Network zones where a user performs web activity from • WEB-UT-TOW: Web activity activity time for user • WEB-UD-ALERT: Top malicious web domain accessed by the user • WEB-UI-Reputation: Top ip addresses flagged by a reputation service that have been accessed by the user • WEB-UD-Reputation: Top web domain flagged by a reputation service that have been accessed by the user • WEB-OUa-Browser-New: Top web browsers being used in this organization • WEB-GUa-Browser-New: Top web browsers being used by peer group • WEB-UUa-Browser-New: Top web browsers being used by user • WEB-OsUa-MobileBrowser-New: Top mobile apps/web browsers being used in the organization for this type of device • WEB-UUa-MobileBrowser-New: Top mobile apps/web browsers being used by user • WEB-OUa-OS-New: Top operating systems being used to connect to the web for organization • WEB-GUa-OS-New: Top operating systems being used to connect to the web for peer group • WEB-UUa-OS-New: Top operating systems being used to connect to the web for user • WEB-UD-DGA: Top web domains per user that seem to be DGA generated during web activity |
| web-activity-denied | T1190 - Exploit Public Fasing Application ↳ A-WEB-Mime-Types-Org-F: First occurence of this mime type on this asset for organization ↳ A-WEB-Base64CommandUserAgent: User agent with encoded commands was detected from this web activity. ↳ A-WEB-Log4j-String-2: There was an attempt via web activity to exploit the CVE-2021-44228 vulnerability using known keywords on the asset. T1071 - Application Layer Protocol ↳ WEB-UD-Reputation-F: First access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UD-Reputation-A: Abnormal access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-F: First access to this internet IP address which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-A: Abnormal access to this IP address which has been identified as risky by a reputation feed. ↳ WEB-UD-ALERT-A: Abnormal security alert accessing this malicious domain for user ↳ WEB-UD-ALERT-N: Common security alert on this malicious domain for user ↳ WEB-UT-TOW-A: Abnormal day for this user to access the web via the organization ↳ WEB-UZ-F: First web activity for this user in this zone ↳ WEB-GZ-F: First web activity from this zone for the peer group ↳ WEB-OZ-F: First web activity from this zone for the organization ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity ↳ WEB-URank-F: First web activity to this low ranked web domain ↳ WEB-URank-A: Abnormal web activity to this low ranked web domain ↳ WEB-IPF-Country-F: User has failed trying to directly browse to an IP address belonging to a country never before accessed ↳ A-WEB-HA-F: First web activity event on asset ↳ A-WEB-DC: Web activity event on a Domain Controller ↳ A-WEBF-IP-Country-F: Asset failed to directly connect to an IP address in a country never before accessed ↳ A-WEBF-IP-Country-A: Abnormal direct access to an IP address by the asset belonging to an abnormal country for the asset to access has failed ↳ A-NETF-HCountry-Outbound-WEB-F: First failed web browsing connection to this country from asset ↳ A-NETF-HCountry-Outbound-WEB-A: Web browsing connection to abnormal country for asset has failed T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-UD-Reputation-F: First access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UD-Reputation-A: Abnormal access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-F: First access to this internet IP address which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-A: Abnormal access to this IP address which has been identified as risky by a reputation feed. ↳ WEB-UD-ALERT-A: Abnormal security alert accessing this malicious domain for user ↳ WEB-UD-ALERT-N: Common security alert on this malicious domain for user ↳ WEB-UT-TOW-A: Abnormal day for this user to access the web via the organization ↳ WEB-UZ-F: First web activity for this user in this zone ↳ WEB-GZ-F: First web activity from this zone for the peer group ↳ WEB-OZ-F: First web activity from this zone for the organization ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity ↳ WEB-URank-F: First web activity to this low ranked web domain ↳ WEB-URank-A: Abnormal web activity to this low ranked web domain ↳ WEB-IPF-Country-F: User has failed trying to directly browse to an IP address belonging to a country never before accessed ↳ A-WEB-HA-F: First web activity event on asset ↳ A-WEB-DC: Web activity event on a Domain Controller ↳ A-WEBF-IP-Country-F: Asset failed to directly connect to an IP address in a country never before accessed ↳ A-WEBF-IP-Country-A: Abnormal direct access to an IP address by the asset belonging to an abnormal country for the asset to access has failed ↳ A-NETF-HCountry-Outbound-WEB-F: First failed web browsing connection to this country from asset ↳ A-NETF-HCountry-Outbound-WEB-A: Web browsing connection to abnormal country for asset has failed T1102 - Web Service ↳ A-WEB-DC: Web activity event on a Domain Controller T1189 - Drive-by Compromise ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1204 - User Execution ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1204.001 - T1204.001 ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1566 - Phishing ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1566.002 - Phishing: Spearphishing Link ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1078 - Valid Accounts ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity T1568 - Dynamic Resolution ↳ WEB-UD-DGA-A: Abnormal access to this domain which has been identified as DGA T1568.002 - Dynamic Resolution: Domain Generation Algorithms ↳ WEB-UD-DGA-A: Abnormal access to this domain which has been identified as DGA |
• A-WEB-Mime-Types-Src: Web Activity MIME types for asset in organization • A-NET-HCountry-Outbound: Outbound country per asset • A-WEB-IP: IPs an asset has directly browsed to • A-WEB-HA: Web activity per Host • WEB-URank: Web activity to low ranked domains for the user • WEB-OZ: Network zones where users performs web activity in the organization • WEB-GZ: Network zones where users performs web activity in the peer group • WEB-UZ: Network zones where a user performs web activity from • WEB-UT-TOW: Web activity activity time for user • WEB-UD-ALERT: Top malicious web domain accessed by the user • WEB-UI-Reputation: Top ip addresses flagged by a reputation service that have been accessed by the user • WEB-UD-Reputation: Top web domain flagged by a reputation service that have been accessed by the user • WEB-UD-DGA: Top web domains per user that seem to be DGA generated during web activity |