Product: Watchguard
Use-Case: Malware
Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
---|---|---|---|---|
29 | 7 | 11 | 4 | 7 |
Event Type | Rules | Models |
---|---|---|
network-connection-failed | TA0011 - Command and Control ↳ A-NET-TI-H-Outbound: Outbound connection to a known malicious host ↳ A-NETF-TI-H-Outbound: Outbound failed connection to a known malicious host | |
network-connection-successful | TA0011 - Command and Control ↳ A-NET-TI-H-Outbound: Outbound connection to a known malicious host ↳ A-NET-TI-IP-Inbound: Inbound connection from a known malicious IP ↳ A-NET-TI-H-Inbound: Inbound connection from a known malicious host | |
web-activity-allowed | T1071 - Application Layer Protocol ↳ WEB-UU-Reputation: User attempted access to a URL with bad reputation ↳ WEB-UD-Reputation-F: First access to this web domain which has been identified as risky by a reputation feed ↳ WEB-UD-Reputation-A: Abnormal access to this web domain which has been identified as risky by a reputation feed ↳ WEB-UD-Reputation-N: Common access to this web domain which has been identified as risky by a reputation feed ↳ WEB-UI-Reputation-F: First access to this internet IP address which has been identified as risky by a reputation feed ↳ WEB-UI-Reputation-A: Abnormal access to this IP address which has been identified as risky by a reputation feed ↳ WEB-UI-Reputation-N: Common access to this IP address which has been identified as risky by a reputation feed ↳ WEB-UD-ALERT-A: Abnormal security alert accessing this malicious domain for user ↳ WEB-UD-ALERT-N: Common security alert on this malicious domain for user ↳ WEB-URank-F: First web activity to this low ranked web domain ↳ WEB-URank-A: Abnormal web activity to this low ranked web domain ↳ A-WEB-DGA: Asset has accessed a domain that has been identified as DGA ↳ A-WEB-Reputation-URL: Asset attempted access to a URL with bad reputation ↳ A-WEB-Reputation-Domain: Asset attempted access to a domain with bad reputation ↳ A-WEB-Reputation-IP: Asset attempted to connect to an IP address with bad reputation ↳ A-WEB-IOC: Indicator of Compromise (IOC) found in asset's web activity ↳ A-WEB-ALERT: Asset attempted access to a domain with malicious reputation ↳ A-WEB-IP-Country-F: Asset has directly browsed to an IP address in a country never before accessed ↳ A-WEB-IP-Country-A: Abnormal direct access to an IP address by the asset belonging to an abnormal country for the asset to access; T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-UU-Reputation: User attempted access to a URL with bad reputation ↳ WEB-UD-Reputation-F: First access to this web domain which has been identified as risky by a reputation feed ↳ WEB-UD-Reputation-A: Abnormal access to this web domain which has been identified as risky by a reputation feed ↳ WEB-UD-Reputation-N: Common access to this web domain which has been identified as risky by a reputation feed ↳ WEB-UI-Reputation-F: First access to this internet IP address which has been identified as risky by a reputation feed ↳ WEB-UI-Reputation-A: Abnormal access to this IP address which has been identified as risky by a reputation feed ↳ WEB-UI-Reputation-N: Common access to this IP address which has been identified as risky by a reputation feed ↳ WEB-UD-ALERT-A: Abnormal security alert accessing this malicious domain for user ↳ WEB-UD-ALERT-N: Common security alert on this malicious domain for user ↳ WEB-URank-F: First web activity to this low ranked web domain ↳ WEB-URank-A: Abnormal web activity to this low ranked web domain ↳ A-WEB-DGA: Asset has accessed a domain that has been identified as DGA ↳ A-WEB-Reputation-URL: Asset attempted access to a URL with bad reputation ↳ A-WEB-Reputation-Domain: Asset attempted access to a domain with bad reputation ↳ A-WEB-Reputation-IP: Asset attempted to connect to an IP address with bad reputation ↳ A-WEB-IOC: Indicator of Compromise (IOC) found in asset's web activity ↳ A-WEB-ALERT: Asset attempted access to a domain with malicious reputation ↳ A-WEB-IP-Country-F: Asset has directly browsed to an IP address in a country never before accessed ↳ A-WEB-IP-Country-A: Abnormal direct access to an IP address by the asset belonging to an abnormal country for the asset to access; T1568 - Dynamic Resolution ↳ WEB-UD-DGA-A: Abnormal access to this domain which has been identified as DGA ↳ WEB-UD-DGA-N: Common access to this domain which has been identified as DGA ↳ A-WEB-DGA: Asset has accessed a domain that has been identified as DGA; T1568.002 - Dynamic Resolution: Domain Generation Algorithms ↳ WEB-UD-DGA-A: Abnormal access to this domain which has been identified as DGA ↳ WEB-UD-DGA-N: Common access to this domain which has been identified as DGA ↳ A-WEB-DGA: Asset has accessed a domain that has been identified as DGA; T1190 - Exploit Public-Facing Application ↳ WEB-Mime-Types-Org-F: First occurrence of this MIME type for organization; T1189 - Drive-by Compromise ↳ WEB-URank-Binary: Executable download from first low ranked web domain; T1204 - User Execution ↳ WEB-URank-Binary: Executable download from first low ranked web domain; T1204.001 - User Execution: Malicious Link ↳ WEB-URank-Binary: Executable download from first low ranked web domain; T1566 - Phishing ↳ WEB-URank-Binary: Executable download from first low ranked web domain; T1566.002 - Phishing: Spearphishing Link ↳ WEB-URank-Binary: Executable download from first low ranked web domain | • A-WEB-IP: IPs an asset has directly browsed to • WEB-Mime-Types-Org: MIME types in the organization • WEB-URank: Web activity to low ranked domains for the user • WEB-UD-ALERT: Top malicious web domains accessed by the user • WEB-UI-Reputation: Top IP addresses flagged by a reputation service that have been accessed by the user • WEB-UD-Reputation: Top web domains flagged by a reputation service that have been accessed by the user • WEB-UD-DGA: Top web domains per user that seem to be DGA generated during web activity |
web-activity-denied | T1071 - Application Layer Protocol ↳ WEB-UU-Reputation: User attempted access to a URL with bad reputation ↳ WEB-UD-Reputation-F: First access to this web domain which has been identified as risky by a reputation feed ↳ WEB-UD-Reputation-A: Abnormal access to this web domain which has been identified as risky by a reputation feed ↳ WEB-UD-Reputation-N: Common access to this web domain which has been identified as risky by a reputation feed ↳ WEB-UI-Reputation-F: First access to this internet IP address which has been identified as risky by a reputation feed ↳ WEB-UI-Reputation-A: Abnormal access to this IP address which has been identified as risky by a reputation feed ↳ WEB-UI-Reputation-N: Common access to this IP address which has been identified as risky by a reputation feed ↳ WEB-UD-ALERT-A: Abnormal security alert accessing this malicious domain for user ↳ WEB-UD-ALERT-N: Common security alert on this malicious domain for user ↳ WEB-URank-F: First web activity to this low ranked web domain ↳ WEB-URank-A: Abnormal web activity to this low ranked web domain ↳ A-WEB-DGA: Asset has accessed a domain that has been identified as DGA ↳ A-WEB-Reputation-URL: Asset attempted access to a URL with bad reputation ↳ A-WEB-Reputation-Domain: Asset attempted access to a domain with bad reputation ↳ A-WEB-Reputation-IP: Asset attempted to connect to an IP address with bad reputation ↳ A-WEB-IOC: Indicator of Compromise (IOC) found in asset's web activity ↳ A-WEB-ALERT: Asset attempted access to a domain with malicious reputation ↳ A-WEBF-IP-Country-F: Asset failed to directly connect to an IP address in a country never before accessed ↳ A-WEBF-IP-Country-A: Abnormal direct access to an IP address by the asset belonging to an abnormal country for the asset to access has failed; T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-UU-Reputation: User attempted access to a URL with bad reputation ↳ WEB-UD-Reputation-F: First access to this web domain which has been identified as risky by a reputation feed ↳ WEB-UD-Reputation-A: Abnormal access to this web domain which has been identified as risky by a reputation feed ↳ WEB-UD-Reputation-N: Common access to this web domain which has been identified as risky by a reputation feed ↳ WEB-UI-Reputation-F: First access to this internet IP address which has been identified as risky by a reputation feed ↳ WEB-UI-Reputation-A: Abnormal access to this IP address which has been identified as risky by a reputation feed ↳ WEB-UI-Reputation-N: Common access to this IP address which has been identified as risky by a reputation feed ↳ WEB-UD-ALERT-A: Abnormal security alert accessing this malicious domain for user ↳ WEB-UD-ALERT-N: Common security alert on this malicious domain for user ↳ WEB-URank-F: First web activity to this low ranked web domain ↳ WEB-URank-A: Abnormal web activity to this low ranked web domain ↳ A-WEB-DGA: Asset has accessed a domain that has been identified as DGA ↳ A-WEB-Reputation-URL: Asset attempted access to a URL with bad reputation ↳ A-WEB-Reputation-Domain: Asset attempted access to a domain with bad reputation ↳ A-WEB-Reputation-IP: Asset attempted to connect to an IP address with bad reputation ↳ A-WEB-IOC: Indicator of Compromise (IOC) found in asset's web activity ↳ A-WEB-ALERT: Asset attempted access to a domain with malicious reputation ↳ A-WEBF-IP-Country-F: Asset failed to directly connect to an IP address in a country never before accessed ↳ A-WEBF-IP-Country-A: Abnormal direct access to an IP address by the asset belonging to an abnormal country for the asset to access has failed; T1568 - Dynamic Resolution ↳ WEB-UD-DGA-A: Abnormal access to this domain which has been identified as DGA ↳ WEB-UD-DGA-N: Common access to this domain which has been identified as DGA ↳ A-WEB-DGA: Asset has accessed a domain that has been identified as DGA; T1568.002 - Dynamic Resolution: Domain Generation Algorithms ↳ WEB-UD-DGA-A: Abnormal access to this domain which has been identified as DGA ↳ WEB-UD-DGA-N: Common access to this domain which has been identified as DGA ↳ A-WEB-DGA: Asset has accessed a domain that has been identified as DGA; T1190 - Exploit Public-Facing Application ↳ WEB-Mime-Types-Org-F: First occurrence of this MIME type for organization; T1189 - Drive-by Compromise ↳ WEB-URank-Binary: Executable download from first low ranked web domain; T1204 - User Execution ↳ WEB-URank-Binary: Executable download from first low ranked web domain; T1204.001 - User Execution: Malicious Link ↳ WEB-URank-Binary: Executable download from first low ranked web domain; T1566 - Phishing ↳ WEB-URank-Binary: Executable download from first low ranked web domain; T1566.002 - Phishing: Spearphishing Link ↳ WEB-URank-Binary: Executable download from first low ranked web domain | • A-WEB-IP: IPs an asset has directly browsed to • WEB-Mime-Types-Org: MIME types in the organization • WEB-URank: Web activity to low ranked domains for the user • WEB-UD-ALERT: Top malicious web domains accessed by the user • WEB-UI-Reputation: Top IP addresses flagged by a reputation service that have been accessed by the user • WEB-UD-Reputation: Top web domains flagged by a reputation service that have been accessed by the user • WEB-UD-DGA: Top web domains per user that seem to be DGA generated during web activity |