Product: Watchguard
Use-Case: Privileged Activity
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 4 | 1 | 4 | 4 | 4 |
| Event Type | Rules | Models |
|---|---|---|
| app-activity | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account ↳ APP-AT-PRIV: Non-privileged user performing privileged application activity |
• APP-AT-PRIV: Privileged application activities |
| app-activity-failed | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account |
|
| web-activity-allowed | T1071 - Application Layer Protocol ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity ↳ A-WEB-DC: Web activity event on a Domain Controller T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity ↳ A-WEB-DC: Web activity event on a Domain Controller T1102 - Web Service ↳ A-WEB-DC: Web activity event on a Domain Controller T1078 - Valid Accounts ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity |
|
| web-activity-denied | T1071 - Application Layer Protocol ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity ↳ A-WEB-DC: Web activity event on a Domain Controller T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity ↳ A-WEB-DC: Web activity event on a Domain Controller T1102 - Web Service ↳ A-WEB-DC: Web activity event on a Domain Controller T1078 - Valid Accounts ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity |