Product: Guardium
Use-Case: Data Access
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 36 | 19 | 1 | 3 | 9 |
| Event Type | Rules | Models |
|---|---|---|
| database-alert | T1213 - Data from Information Repositories ↳ DB-UN-ALERT-F: First database alert name for user ↳ DB-UN-ALERT-A: Abnormal database alert name for user ↳ DB-GN-ALERT-F: First database alert name in the peer group ↳ DB-GN-ALERT-A: Abnormal database alert name in the peer group ↳ DB-OU-ALERT-F: First database alert triggered for this user in the organization ↳ DB-OU-ALERT-A: Abnormal user triggering database alert in the organization ↳ DB-OG-ALERT-F: First database alert triggered for peer group in the organization ↳ DB-OG-ALERT-A: Abnormal peer group triggering database alert in the organization ↳ DB-DbU-F: First access to database for user ↳ DB-DbU-A: Abnormal access to database for user ↳ DB-DbG-F: First access to database for peer group ↳ DB-DbG-A: Abnormal access to database for peer group ↳ DB-UDbZ-F: First database activity from source zone per user, database ↳ DB-UDbZ-A: Abnormal database activity from source zone per user, database ↳ DB-UDbH-F: First database activity from host per user, database ↳ DB-UDbH-A: Abnormal database activity from host per user, database ↳ DB-UDbI-F: First database activity from IP per user, database ↳ DB-UDbI-A: Abnormal database activity from IP per user, database ↳ DB-UDbR: Abnormal database query response size for user, database ↳ DB-DbZR: Abnormal database query response size for source zone, database ↳ A-DB-AN-ALERT-F: First database alert name on the asset ↳ A-DB-AN-ALERT-A: Abnormal database alert name on the asset ↳ A-DB-ON-ALERT-F: First database alert (by name) in the organization ↳ A-DB-ON-ALERT-A: Abnormal database alert (by name) in the organization ↳ A-DB-ZN-ALERT-A: Abnormal database alert (by name) in the zone ↳ A-DB-ZN-ALERT-F: First database alert (by name) in the zone ↳ A-DB-OA-ALERT-F: First database alert triggered for asset in the organization ↳ A-DB-OA-ALERT-A: Abnormal asset triggering database alert in the organization ↳ A-DB-ZA-ALERT-F: First database alert triggered for asset inb the zone ↳ A-DB-ZA-ALERT-A: Abnormal asset triggering database alert for zone |
• A-DB-ZA-ALERT: Assets triggering database alerts in the zone • A-DB-OA-ALERT: Assets triggering database alerts in the organization • A-DB-ZN-ALERT: Database alert names triggered in the zone • A-DB-ON-ALERT: Database alert names triggered in the organization • A-DB-AN-ALERT: Database alert names on asset • DB-DbZR: Response size of database queries per zone, database • DB-UDbR: Response size of database queries per user, database • DB-UDbI: Database activity from source IP per user, database • DB-UDbH: Database activity from host per user, database • DB-UDbZ: Database activity from source zone per user, database • DB-DbG: Peer groups per database • DB-DbU: Users per database • DB-OG-ALERT: Peer groups triggering database alerts in the organization • DB-OU-ALERT: Users triggering database alerts in the organization • DB-GN-ALERT: Database alert names in the peer group • DB-UN-ALERT: Database alert names for user |
| database-login | T1213 - Data from Information Repositories ↳ DB-DbU-F: First access to database for user ↳ DB-DbU-A: Abnormal access to database for user ↳ DB-DbG-F: First access to database for peer group ↳ DB-DbG-A: Abnormal access to database for peer group ↳ DB-UDbZ-F: First database activity from source zone per user, database ↳ DB-UDbZ-A: Abnormal database activity from source zone per user, database ↳ DB-UDbH-F: First database activity from host per user, database ↳ DB-UDbH-A: Abnormal database activity from host per user, database ↳ DB-UDbI-F: First database activity from IP per user, database ↳ DB-UDbI-A: Abnormal database activity from IP per user, database |
• DB-UDbI: Database activity from source IP per user, database • DB-UDbH: Database activity from host per user, database • DB-UDbZ: Database activity from source zone per user, database • DB-DbG: Peer groups per database • DB-DbU: Users per database |
| database-query | T1213 - Data from Information Repositories ↳ DB-DbU-F: First access to database for user ↳ DB-DbU-A: Abnormal access to database for user ↳ DB-DbG-F: First access to database for peer group ↳ DB-DbG-A: Abnormal access to database for peer group ↳ DB-UDbZ-F: First database activity from source zone per user, database ↳ DB-UDbZ-A: Abnormal database activity from source zone per user, database ↳ DB-UDbH-F: First database activity from host per user, database ↳ DB-UDbH-A: Abnormal database activity from host per user, database ↳ DB-UDbI-F: First database activity from IP per user, database ↳ DB-UDbI-A: Abnormal database activity from IP per user, database ↳ DB-UDbO-F: First database operation for user, database ↳ DB-UDbO-A: Abnormal database operation for user, database ↳ DB-GDbO-F: First database operation for peer group, database ↳ DB-GDbO-A: Abnormal database operation for peer group, database ↳ DB-DbZO-F: First database operation from source zone for database ↳ DB-DbZO-A: Abnormal database operation from source zone for database ↳ DB-UDbR: Abnormal database query response size for user, database ↳ DB-DbZR: Abnormal database query response size for source zone, database |
• DB-DbZR: Response size of database queries per zone, database • DB-UDbR: Response size of database queries per user, database • DB-DbZO: Database operations per database, source zone • DB-GDbO: Database operations per peer group, database • DB-UDbO: Database operations per user, database • DB-UDbI: Database activity from source IP per user, database • DB-UDbH: Database activity from host per user, database • DB-UDbZ: Database activity from source zone per user, database • DB-DbG: Peer groups per database • DB-DbU: Users per database |