Product: NCP
Use-Case: Compromised Credentials
Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
---|---|---|---|---|
25 | 12 | 3 | 2 | 0 |
Event Type | Rules | Models |
---|---|---|
vpn-login | T1133 - External Remote Services ↳ SL-UA-F-VPN: First VPN connection for service account ↳ AE-UA-F-VPN: First VPN connection for user ↳ UA-UI-F: First activity from ISP ↳ VPN-GsH-F: First VPN connection from device for peer group ↳ VPN-GsH-A: Abnormal VPN connection from device for peer group ↳ AE-GA-F-VPN-new: First VPN connection for group of new user ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries ↳ PA-VPN-01: VPN login after badge access; T1078 - Valid Accounts ↳ SL-UA-F-VPN: First VPN connection for service account ↳ AE-UA-F-VPN: First VPN connection for user ↳ UA-UI-F: First activity from ISP ↳ UA-UC-new: Abnormal country for user by new user ↳ UA-GC-new: Abnormal country for group by new user ↳ UA-OC-new: Abnormal country for organization by new user ↳ UA-UC-Suspicious: Activity from suspicious country ↳ UA-UC-Two: Activity from two different countries ↳ UA-UC-Three: Activity from 3 different countries | • PA-VPN-01: Users who VPN in after badge access • UA-OC: Countries for organization • UA-GC: Countries for peer groups • UA-UC: Countries for user activity • AE-GA: All activity for peer groups • VPN-GsH: VPN endpoints in this peer group • UA-UI-new: ISP of users during application activity • AE-UA: All activity for users |
vpn-logout | T1078 - Valid Accounts ↳ APP-UAgC-F: First activity from country and first OS/browser/user agent for user in same session ↳ AL-UHcount-S: Abnormal number of logon assets (S) ↳ AL-UHcount-M: Abnormal number of logon assets (M) ↳ AL-UHcount-L: Abnormal number of logon assets (L) ↳ AL-OHcount: Abnormal number of logged-on assets compared to the organization ↳ AL-GHcount: Abnormal number of logged-on assets compared to group ↳ VPN-End-DUR: Abnormal VPN session duration ↳ DC08d-new: Abnormal number of assets compared to group for a new user ↳ DC14g-new: Abnormal number of accessed assets for group of new user ↳ DC17j-new: Abnormal number of accessed zones for group of a new user; T1133 - External Remote Services ↳ VPN-BSum: Abnormal amount of data uploaded during VPN session ↳ VPN-End-DUR: Abnormal VPN session duration; T1110 - Brute Force ↳ APP-UFL-COUNT: Abnormal number of failed application logins for user | • VPN-End-DUR: VPN session duration • VPN-BSum: Sum of bytes uploaded during VPN • AL-OHcount: Count of asset logons per user in the organization • APP-UFL-COUNT: Count of failed application logins in a session |