Product: Weblogin
Use-Case: Malware
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 23 | 7 | 10 | 1 | 0 |
| Event Type | Rules | Models |
|---|---|---|
| web-activity-allowed | T1071 - Application Layer Protocol ↳ WEB-UU-Reputation: User attempted access to a url with bad reputation ↳ WEB-UD-Reputation-F: First access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UD-Reputation-A: Abnormal access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UD-Reputation-N: Common access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-F: First access to this internet IP address which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-A: Abnormal access to this IP address which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-N: Common access to this IP address which has been identified as risky by a reputation feed. ↳ WEB-UD-ALERT-A: Abnormal security alert accessing this malicious domain for user ↳ WEB-UD-ALERT-N: Common security alert on this malicious domain for user ↳ WEB-URank-F: First web activity to this low ranked web domain ↳ WEB-URank-A: Abnormal web activity to this low ranked web domain ↳ A-WEB-DGA: Asset has accessed a domain that has been identified as DGA ↳ A-WEB-Reputation-URL: Asset attempted access to a url with bad reputation ↳ A-WEB-Reputation-Domain: Asset attempted access to a domain with bad reputation ↳ A-WEB-Reputation-IP: Asset attempted to connect to IP address with bad reputation ↳ A-WEB-IOC: Indicator of Compromise (IOC) found in asset's web activity ↳ A-WEB-ALERT: Asset attempted access to a domain with malicious reputation ↳ A-WEB-IP-Country-F: Asset has directly browsed to an IP address in a country never before accessed ↳ A-WEB-IP-Country-A: Abnormal direct access to an IP address by the asset belonging to an abnormal country for the asset to access T1071.001 - Application Layer Protocol: Web Protocols ↳ WEB-UU-Reputation: User attempted access to a url with bad reputation ↳ WEB-UD-Reputation-F: First access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UD-Reputation-A: Abnormal access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UD-Reputation-N: Common access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-F: First access to this internet IP address which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-A: Abnormal access to this IP address which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-N: Common access to this IP address which has been identified as risky by a reputation feed. ↳ WEB-UD-ALERT-A: Abnormal security alert accessing this malicious domain for user ↳ WEB-UD-ALERT-N: Common security alert on this malicious domain for user ↳ WEB-URank-F: First web activity to this low ranked web domain ↳ WEB-URank-A: Abnormal web activity to this low ranked web domain ↳ A-WEB-DGA: Asset has accessed a domain that has been identified as DGA ↳ A-WEB-Reputation-URL: Asset attempted access to a url with bad reputation ↳ A-WEB-Reputation-Domain: Asset attempted access to a domain with bad reputation ↳ A-WEB-Reputation-IP: Asset attempted to connect to IP address with bad reputation ↳ A-WEB-IOC: Indicator of Compromise (IOC) found in asset's web activity ↳ A-WEB-ALERT: Asset attempted access to a domain with malicious reputation ↳ A-WEB-IP-Country-F: Asset has directly browsed to an IP address in a country never before accessed ↳ A-WEB-IP-Country-A: Abnormal direct access to an IP address by the asset belonging to an abnormal country for the asset to access T1568 - Dynamic Resolution ↳ WEB-UD-DGA-A: Abnormal access to this domain which has been identified as DGA ↳ WEB-UD-DGA-N: Common access to this domain which has been identified as DGA ↳ A-WEB-DGA: Asset has accessed a domain that has been identified as DGA T1568.002 - Dynamic Resolution: Domain Generation Algorithms ↳ WEB-UD-DGA-A: Abnormal access to this domain which has been identified as DGA ↳ WEB-UD-DGA-N: Common access to this domain which has been identified as DGA ↳ A-WEB-DGA: Asset has accessed a domain that has been identified as DGA T1190 - Exploit Public Fasing Application ↳ WEB-Mime-Types-Org-F: First occurence of this mime type for organization T1189 - Drive-by Compromise ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1204 - User Execution ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1204.001 - T1204.001 ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1566 - Phishing ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1566.002 - Phishing: Spearphishing Link ↳ WEB-URank-Binary: Executable download from first low ranked web domain |
• A-WEB-IP: IPs an asset has directly browsed to • WEB-Mime-Types-Org: MIME types in the organization • WEB-URank: Web activity to low ranked domains for the user • WEB-UD-ALERT: Top malicious web domain accessed by the user • WEB-UI-Reputation: Top ip addresses flagged by a reputation service that have been accessed by the user • WEB-UD-Reputation: Top web domain flagged by a reputation service that have been accessed by the user • WEB-UD-DGA: Top web domains per user that seem to be DGA generated during web activity |