Rules by Product and UseCase

Vendor: Osirium

Rules	Models	MITRE ATT&CK® TTPs	Activity Types	Parsers
5	4	1	1	0

Event Type	Rules	Models
app-login	T1078 - Valid Accounts ↳ APP-UApp-F: First login or activity within an application for user ↳ APP-UApp-A: Abnormal login or activity within an application for user ↳ APP-AppU-F: First login to an application for a user with no history ↳ APP-AppG-F: First login to an application for group ↳ APP-GApp-A: Abnormal login to an application for group	• APP-GApp: Group Logons to Applications • APP-AppG: Groups per Application • APP-AppU: User Logons to Applications • APP-UApp: Applications per User