Product: TrapX
Use-Case: Compromised Credentials
Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
---|---|---|---|---|
21 | 9 | 3 | 1 | 0 |
Event Type: network-alert

MITRE ATT&CK TTP | Technique |
---|---|
T1027 | Obfuscated Files or Information |
T1027.005 | Obfuscated Files or Information: Indicator Removal from Tools |
T1190 | Exploit Public-Facing Application |

Rule | Description | MITRE ATT&CK TTPs |
---|---|---|
A-IDS-OLA-F | First network alert on asset with no previous alerts for organization | T1027, T1027.005 |
A-IDS-OLA-A | Abnormal network alert for asset for organization | T1027, T1027.005 |
A-IDS-ZLA-F | First network alert on asset with no previous alerts for zone | T1027, T1027.005 |
A-IDS-ZLA-A | Abnormal network alert for asset for zone | T1027, T1027.005 |
A-IDS-OLZ-F | First network alert for zone in the organization | T1027, T1027.005 |
A-IDS-OLZ-A | Abnormal network alert for zone in the organization | T1027, T1027.005 |
A-IDS-OdPort-F | First network alert on port for organization | T1027, T1027.005 |
A-IDS-OdPort-A | Abnormal network alert on port for organization | T1027, T1027.005 |
A-IDS-HdPort-F | First network alert on port for asset | T1027, T1027.005 |
A-IDS-HdPort-A | Abnormal network alert on port for asset | T1027, T1027.005 |
A-IDS-dZdPort-F | First network alert on port for zone | T1027, T1027.005 |
A-IDS-dZdPort-A | Abnormal network alert on port for zone | T1027, T1027.005 |
A-IDS-LZAN-F | First network alert (by name) for zone | T1027, T1027.005 |
A-IDS-LZAN-A | Abnormal network alert (by name) for zone | T1027, T1027.005 |
A-IDS-OAN-F | First network alert (by name) for organization | T1027, T1027.005 |
A-IDS-OAN-A | Abnormal network alert (by name) for organization | T1027, T1027.005 |
A-IDS-SERVER | First or abnormal network alert in server zone | T1027, T1027.005 |
A-ALERT-Other | Alert on asset | T1027, T1027.005 |
A-ALERT-Critical | Security alert on a critical asset | T1027, T1027.005 |
A-ALERT-Log4j | Alert associated with exploitation or post-exploitation activity as seen with the Log4j vulnerability | T1027, T1027.005 |
A-Log4j-Vul-Alert | Alert for the CVE-2021-44228 vulnerability on the asset | T1190 |

Model | Description |
---|---|
A-AL-ZT-SERVER | Server zones based on number of servers |
A-IDS-OAN | Network alert names triggered in the organization |
A-IDS-LZAN | Network alert names triggered in zone |
A-IDS-dZdPort | Destination ports on which network alerts have triggered in zone |
A-IDS-HdPort | Destination ports on which network alerts have triggered for the asset |
A-IDS-OdPort | Destination ports on which network alerts have triggered in the organization |
A-IDS-OLZ | Zones in which network alerts are triggered in the organization |
A-IDS-ZLA | Assets that triggered network alerts in the zone |
A-IDS-OLA | Assets that triggered network alerts in the organization |
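The A-IDS-* rules come in First (-F) and Abnormal (-A) pairs over the listed models, each of which records which values (asset, zone, destination port, alert name) have triggered alerts within a context (organization, zone, asset), and A-IDS-SERVER layers a server-zone check from A-AL-ZT-SERVER on top. The Python below is an added illustration of that first/abnormal pattern over constructed alerts; it is not TrapX or Exabeam code and does not reproduce their scoring. The pairing of each model with a context/value field, the 5% abnormal cutoff, the 20-event minimum history, the three-server threshold for server zones, and every alert and inventory entry are assumptions made for the example.

```python
"""Simplified first/abnormal scoring for network alerts.

Added illustration in the spirit of the A-IDS-* rules and models; not TrapX or
Exabeam code. Model semantics, thresholds and sample data are assumptions.
"""
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Set

# Rule prefix -> (context field, value field). Assumed reading of each model:
# e.g. A-IDS-HdPort tracks, per asset, which destination ports raised alerts.
MODELS = {
    "A-IDS-OLA":     ("org",   "asset"),
    "A-IDS-ZLA":     ("zone",  "asset"),
    "A-IDS-OLZ":     ("org",   "zone"),
    "A-IDS-OdPort":  ("org",   "dst_port"),
    "A-IDS-HdPort":  ("asset", "dst_port"),
    "A-IDS-dZdPort": ("zone",  "dst_port"),
    "A-IDS-LZAN":    ("zone",  "alert_name"),
    "A-IDS-OAN":     ("org",   "alert_name"),
}
ABNORMAL_RATIO = 0.05     # assumed: value in < 5% of the context's alerts is "abnormal"
MIN_CONTEXT_EVENTS = 20   # assumed: no "abnormal" verdicts until a context has this much history


class AlertModels:
    """One histogram per model: context value -> Counter of observed values."""

    def __init__(self) -> None:
        self.hist: Dict[str, Dict[str, Counter]] = {m: defaultdict(Counter) for m in MODELS}

    def train(self, alert: dict) -> None:
        for model, (ctx, val) in MODELS.items():
            self.hist[model][alert[ctx]][alert[val]] += 1

    def evaluate(self, alert: dict, server_zones: Set[str]) -> List[str]:
        """Return the rule names the alert triggers against the current histograms."""
        triggered: List[str] = []
        for model, (ctx, val) in MODELS.items():
            counter = self.hist[model][alert[ctx]]
            total = sum(counter.values())
            if total == 0:
                # The context itself is new (e.g. a never-seen asset); the coarser
                # model (A-IDS-OLA for a new asset) reports that, so stay quiet here.
                continue
            seen = counter[alert[val]]
            if seen == 0:
                triggered.append(f"{model}-F")
            elif total >= MIN_CONTEXT_EVENTS and seen / total < ABNORMAL_RATIO:
                triggered.append(f"{model}-A")
        if triggered and alert["zone"] in server_zones:
            triggered.append("A-IDS-SERVER")  # first or abnormal alert in a server zone
        return triggered


def server_zones(inventory: Dict[str, tuple], min_servers: int = 3) -> Set[str]:
    """A-AL-ZT-SERVER stand-in: zones with at least min_servers server assets (threshold assumed)."""
    per_zone = Counter(zone for zone, role in inventory.values() if role == "server")
    return {zone for zone, n in per_zone.items() if n >= min_servers}


def _mk(asset: str, zone: str, port: int, name: str, n: int) -> List[dict]:
    return [{"org": "acme", "asset": asset, "zone": zone, "dst_port": port, "alert_name": name}] * n


# Constructed sample inventory and alert history; none of it is real TrapX output.
INVENTORY = {
    "web01": ("dmz", "server"), "web02": ("dmz", "server"),
    "app01": ("servers", "server"), "db01": ("servers", "server"), "db02": ("servers", "server"),
    "ws-bob": ("corp", "workstation"), "ws-alice": ("corp", "workstation"),
}
TRAINING = (
    _mk("web01", "dmz", 443, "ET SCAN Nmap -sS", 30)
    + _mk("web02", "dmz", 80, "ET SCAN Nmap -sS", 20)
    + _mk("ws-bob", "corp", 445, "ET POLICY SMB Share Enumeration", 10)
    + _mk("web01", "dmz", 443, "ET WEB_SERVER Possible SQLi", 2)
)
NEW_ALERTS = [
    _mk("web01", "dmz", 443, "ET SCAN Nmap -sS", 1)[0],                    # baseline, nothing new
    _mk("db01", "servers", 1433, "ET SCAN Nmap -sS", 1)[0],                # new asset, zone and port
    _mk("db01", "servers", 1433, "ET SCAN Nmap -sS", 1)[0],                # same again: now "abnormal"
    _mk("web01", "dmz", 443, "ET WEB_SERVER Possible SQLi", 1)[0],         # rare alert name
    _mk("ws-bob", "corp", 3389, "ET POLICY SMB Share Enumeration", 1)[0],  # new port for the asset
]


def score_stream(training: Iterable[dict], alerts: Iterable[dict], inventory: Dict[str, tuple]) -> List[List[str]]:
    """Train on history, then evaluate each new alert and fold it into the models."""
    models = AlertModels()
    for a in training:
        models.train(a)
    zones = server_zones(inventory)
    verdicts = []
    for a in alerts:
        verdicts.append(models.evaluate(a, zones))
        models.train(a)
    return verdicts


if __name__ == "__main__":
    for alert, rules in zip(NEW_ALERTS, score_stream(TRAINING, NEW_ALERTS, INVENTORY)):
        print(alert["asset"], alert["dst_port"], alert["alert_name"], "->", rules or "no rule")
```

Two behaviours worth noticing when tuning rules like these: the second db01 alert flips from -F to -A because the model now holds exactly one observation of it, which is why production scoring adds confidence and aging on top of raw frequency; and the MIN_CONTEXT_EVENTS gate is what keeps the thinly populated corp zone from producing -A verdicts while still allowing its -F ones.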