
Supporting Event Type View

In document Splunk Use Case Library 2016-09-29 (Page 169-200)

DS001Mail-ET01Access

Event indicates a specific message has been accessed by a user from a specific source system

Consuming Use Cases

Essentials

Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS001MAIL-ET01Send".

Maturing

Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS001MAIL-ET01Send".

Mature

Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS001MAIL-ET01Send".

Providing Technologies

Found 0 search result(s) for title:PT* contentBody:"DS001MAIL-ET01Send".

Note that all four searches for this event type query DS001MAIL-ET01Send rather than DS001Mail-ET01Access, so the zero counts do not show whether anything consumes or provides the Access event; PT001-Microsoft-Exchange lists DS001MailET01Access among the event types it provides.

DS001Mail-ET02Receive

Indicates a message has been received by one or more users.

Consuming Use Cases

Essentials

Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS001MAIL-ET02Receive".

UCESS053 Threat Activity Detected (Narrative and Use Case Center)

... past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ...

Sep 17, 2016

Labels: prt05-tacticalthreat-ransomeware

Maturing

Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS001MAIL-ET02Receive".

UC0077 Detection Risky Referral Domains (Narrative and Use Case Center)

Maintain a tracking list of public domain suffixes and data sources "seen" by first epoch. Identify where one of the following sequences occurs: a new domain appears in the HTTP referrer field; the first occurrence of a domain as sender domain is less than 48 ...

Jun 24, 2016 Labels: creative

Mature

Found 1 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS001MAIL-ET02Receive".

UC0077 Detection Risky Referral Domains (Narrative and Use Case Center)

Maintain a tracking list of public domain suffixes and data sources "seen" by first epoch. Identify where one of the following sequences occurs: a new domain appears in the HTTP referrer field; the first occurrence of a domain as sender domain is less than 48 ...

Jun 24, 2016 Labels: creative

Providing Technologies

Found 1 search result(s) for title:PT* contentBody:"DS001MAIL-ET02Receive".

PT001-Microsoft-Exchange (Narrative and Use Case Center)

... solution and channel of communication useful in various attacks, access monitoring is imperative. Provides DS001MAIL (DS001MailET01Access, DS001MAILET02Receive, DS001MailET03Send) and DS003Authentication (authentication occurs for administrative action, ActiveSync ...)

Apr 01, 2016 Labels: provider-type

DS001Mail-ET03Send

Indicates an authorized user or system has sent a message to one or more recipients.

Consuming Use Cases

Essentials

Found 3 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS001Mail-ET03Send".

UCESS053 Threat Activity Detected (Narrative and Use Case Center)

... past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ...

Sep 17, 2016

Labels: prt05-tacticalthreat-ransomeware

UCESS031 Host Sending Excessive Email (Narrative and Use Case Center)

Alerts when a host not designated as an email server sends excessive email to one or more target hosts. For the past 60 minutes starting 5 minutes after realtime, using all summary data even if the model has changed, calculate ...

May 02, 2016

UC0003 Server generating email outside of approved usage (Narrative and Use Case Center)

Server operating systems often generate email for routine purposes. Configuration management can be used to identify which servers may generate email and which recipients are permitted. Identify servers receiving email from the internet without approval. Identify ...

Apr 19, 2016

Maturing

Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS001MAIL-ET03Send".

UC0004 Excessive number of emails sent from internal user (Narrative and Use Case Center)

Excessive email generation by an authorized user could indicate the presence of malware for the purpose of spam sending, abuse of company resources, or an attempt to solve a business problem using a technique not approved by policy. For this use case, email generated from endpoint networks ...

Apr 08, 2016
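The three sending use cases above (UCESS031, UC0003, UC0004) are threshold and policy checks over DS001Mail-ET03Send events. The following is an added example, not code from the library, whose use cases are Splunk searches: it runs the same logic in Python over a constructed batch of send events for one window. The event field names (src, sender, recipients, dest), the designated relay, the endpoint network range and the approved server-to-recipient list are assumptions standing in for the asset and configuration-management data the use cases rely on.

```python
import ipaddress
from collections import defaultdict

# Assumptions standing in for asset/configuration data the use cases depend on.
MAIL_SERVERS = {"10.0.0.25"}                                 # hosts designated as email servers (UCESS031)
ENDPOINT_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]   # user workstation ranges (UC0004)
APPROVED_SERVER_MAIL = {                                     # server -> recipients it may mail (UC0003)
    "10.0.5.40": {"ops@corp.example"},
    "10.0.5.41": {"alerts@corp.example"},
}


def _msgs(src, sender, recipients, dest, n):
    """Build n identical constructed DS001Mail-ET03Send style events."""
    return [{"src": src, "sender": sender, "recipients": recipients, "dest": dest}
            for _ in range(n)]


# Constructed sample: one 60-minute window of send events.
SAMPLE_EVENTS = (
    _msgs("10.0.0.25", "noreply@corp.example", ["customer@example.net"], "mx.example.net", 50)  # relay
    + _msgs("10.0.5.40", "root@db01.corp.example", ["ops@corp.example"], "10.0.0.25", 3)        # approved
    + _msgs("10.0.5.40", "root@db01.corp.example", ["drop@external.example"], "10.0.0.25", 1)   # not approved
    + _msgs("10.0.5.41", "cron@app01.corp.example", ["alerts@corp.example"], "10.0.0.25", 25)   # approved, noisy
    + [{"src": "10.10.3.7", "sender": "mallory@corp.example",                                 # endpoint spamming
        "recipients": [f"victim{i}@example.org"], "dest": f"mx{i % 3}.example.org"}
       for i in range(30)]
)


def is_endpoint(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ENDPOINT_NETWORKS)


def analyze_mail(events, host_threshold=20, user_threshold=20):
    """Apply UCESS031, UC0003 and UC0004 to one window of send events."""
    per_host = defaultdict(lambda: {"count": 0, "dests": set()})
    per_user = defaultdict(int)
    unapproved = []
    for ev in events:
        src = ev["src"]
        if src in MAIL_SERVERS:
            continue  # designated relays are expected to send in volume
        bucket = per_host[src]
        bucket["count"] += 1
        bucket["dests"].add(ev["dest"])
        if is_endpoint(src):
            # UC0004: volume per authorized user, endpoint networks only
            per_user[ev["sender"]] += 1
        else:
            # UC0003: a server may only mail recipients approved in configuration management
            allowed = APPROVED_SERVER_MAIL.get(src, set())
            for rcpt in ev["recipients"]:
                pair = (src, rcpt)
                if rcpt not in allowed and pair not in unapproved:
                    unapproved.append(pair)
    # UCESS031: any host that is not a designated mail server and is over the per-window threshold
    excessive_hosts = [(src, b["count"], sorted(b["dests"]))
                       for src, b in per_host.items() if b["count"] >= host_threshold]
    excessive_users = [(user, n) for user, n in per_user.items() if n >= user_threshold]
    return {"excessive_hosts": excessive_hosts,
            "unapproved_server_mail": unapproved,
            "excessive_users": excessive_users}


if __name__ == "__main__":
    for name, hits in analyze_mail(SAMPLE_EVENTS).items():
        print(name)
        for hit in hits:
            print("  ", hit)
```

The relay exclusion is what keeps the legitimate mail server out of UCESS031; without an accurate list of designated servers the host check is pure noise. Note that a server mailing only approved recipients (10.0.5.41 here) still trips the host-volume check when it becomes chatty, and the endpoint spammer is reported both per host and per user, which is the intended overlap between UCESS031 and UC0004.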

Providing Technologies

Found 1 search result(s) for title:PT* contentBody:"DS001MAIL-ET03Send".

PT001-Microsoft-Exchange (Narrative and Use Case Center)

... solution and channel of communication useful in various attacks, access monitoring is imperative. Provides DS001MAIL (DS001MailET01Access, DS001MAILET02Receive, DS001MailET03Send) and DS003Authentication (authentication occurs for administrative action, ActiveSync ...)

Apr 01, 2016 Labels: provider-type

DS002DNS-ET01Query

DNS request and response reassembled into a single event

DS002DNS-ET01QueryRequest — DNS Request from a client, response reassembly is not required

DS002DNS-ET01QueryResponse — Reassembled request response as a single event containing the original client ip

Consuming Use Cases

Essentials

Found 1 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS002DNS-ET01Query".

UCESS053 Threat Activity Detected (Narrative and Use Case Center)

... past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ...

Sep 17, 2016

Labels: prt05-tacticalthreat-ransomeware

Maturing

Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS002DNS-ET01Query".

UC0089 Detection of Communication with Algorithmically Generated Domain (Narrative and Use Case Center)

Using an algorithm, determine whether the text of the registration domain is likely to have been generated by a computer, excluding known cloud hosting domains, Alexa Top 1M domains and domains with long-established communication with the organization. Problem Types Addressed Risk Addressed Event ...

Jun 24, 2016

Labels: prt05-tacticalthreat-ransomeware creative

UC0076 Excessive DNS Failures (Narrative and Use Case Center)

... an endpoint utilizing DNS as a transmission method for data exfiltration, command and control, or evasion of security controls can be detected by either a large volume or a high number of unique DNS queries. Problem Types Addressed Risk Addressed Event Data Sources ...

Apr 25, 2016

Labels: prt05-tacticalthreat-ransomeware

UC0049 Detection of DNS Tunnel (Narrative and Use Case Center)

An endpoint utilizing DNS as a method of transmission for data exfiltration, command and control, or evasion of security controls. Detected by a large total size of DNS traffic OR a large number of unique queries. Problem Types Addressed Risk Addressed Event Data Sources ...

Apr 25, 2016

Labels: prt05-tacticalthreat-ransomeware

Providing Technologies

Found 2 search result(s) for title:PT* contentBody:"DS002DNS-ET01Query".

PT002-Splunk-Stream-DNS (Narrative and Use Case Center)

Provides DS002DNSET01Query DS002DNSET01QueryResponse DS002DNSET01QueryRequest

Apr 25, 2016 Labels: provider-type

PT003-ExtraHop-DNS (Narrative and Use Case Center)

Provides DS002DNSET01Query DS002DNSET01QueryResponse DS002DNSET01QueryRequest

Apr 25, 2016 Labels: provider-type

DS002DNS-ET01QueryRequest

DNS Request from a client, response reassembly is not required

Consuming Use Cases

Essentials

Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS002DNS-ET01QueryRequest".

Maturing

Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS002DNS-ET01QueryRequest".

UCESS019 Excessive DNS Queries (Narrative and Use Case Center)

Alerts when a host starts sending excessive DNS queries. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count where the message ...

Aug 14, 2016

UC0072 Detection of unauthorized using DNS resolution for WPAD (Narrative and Use Case Center)

Detection of an endpoint utilizing DNS as a method of proxying by querying for wpad.registrationdomain. Search for NXDOMAIN replies to A/AAAA queries for wpad (bare host) and wpad.<domain> where the domain portion is not a company-owned domain. Problem Types Addressed Risk Addressed Event ...

Apr 25, 2016

UC0081 Communication with unestablished domain (Narrative and Use Case Center)

Egress communication with a newly seen, newly registered, or registration-date-unknown domain may indicate the presence of malicious code. Assets communicating with external services, excluding Alexa Top 1M, whose reputation score exceeds acceptable norms will be flagged ...

Apr 25, 2016

Labels: prt05-tacticalthreat-ransomeware

Providing Technologies

Found 3 search result(s) for title:PT* contentBody:"DS002DNS-ET01QueryRequest".

PT013-ISCBIND-DNS (Narrative and Use Case Center)

Provides DS002DNSET01QueryResponse DS002DNSET01QueryRequest

Apr 25, 2016 Labels: provider-type

PT002-Splunk-Stream-DNS (Narrative and Use Case Center)

Provides DS002DNSET01Query DS002DNSET01QueryResponse DS002DNSET01QueryRequest

Apr 25, 2016 Labels: provider-type

PT003-ExtraHop-DNS (Narrative and Use Case Center)

Provides DS002DNSET01Query DS002DNSET01QueryResponse DS002DNSET01QueryRequest

Apr 25, 2016 Labels: provider-type

DS002DNS-ET01QueryResponse

Reassembled request response as a single event containing the original client ip

Consuming Use Cases

Essentials

Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS002DNS-ET01QueryResponse".

Maturing

Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS002DNS-ET01QueryResponse".

UCESS018 Excessive DNS Failures (Narrative and Use Case Center)

Alerts when a host receives many DNS failures in a short span. Looking across the prior 60 minute period starting 5 minutes ago, using all summary data even if the model has changed, provide a count where ...

Aug 14, 2016
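The DNS use cases in the three DS002DNS sections (UC0049 and UC0076, large volume or many unique queries; UCESS019 and UCESS018, excessive queries and failures per host; UC0072, WPAD lookups outside company zones) all operate on the per-client request/response events described above. The following is an added example, not code from the library: it implements those checks in Python over a constructed window of reassembled DS002DNS-ET01QueryResponse style events. The field names, thresholds and company-owned zone list are assumptions, and the registered-domain extraction is deliberately naive; a production version would use the public suffix list, as UC0077 describes.

```python
from collections import defaultdict

COMPANY_DOMAINS = {"corp.example"}   # assumption: zones the organisation owns (UC0072 exclusion)

# Constructed sample: one window of reassembled query/response events, each carrying the
# original client IP, query name, record type, response code and on-the-wire size.
SAMPLE_EVENTS = (
    # 10.0.0.5: many unique, long subdomains under one domain -> tunnel pattern (UC0049 / UC0076)
    [{"src": "10.0.0.5", "query": f"{i:032x}.t.evil.example", "qtype": "TXT",
      "rcode": "NOERROR", "bytes": 300} for i in range(12)]
    # 10.0.0.6: ordinary lookups, including a wpad lookup inside a company-owned zone
    + [{"src": "10.0.0.6", "query": "www.corp.example", "qtype": "A", "rcode": "NOERROR", "bytes": 80},
       {"src": "10.0.0.6", "query": "wpad.corp.example", "qtype": "A", "rcode": "NXDOMAIN", "bytes": 60}]
    # 10.0.0.7: burst of failed lookups (UCESS018)
    + [{"src": "10.0.0.7", "query": f"host{i}.internal.invalid", "qtype": "A",
        "rcode": "NXDOMAIN", "bytes": 70} for i in range(6)]
    # 10.0.0.8 / 10.0.0.9: WPAD lookups outside company zones, qualified and bare (UC0072)
    + [{"src": "10.0.0.8", "query": "wpad.coffeeshop.example", "qtype": "AAAA", "rcode": "NXDOMAIN", "bytes": 60},
       {"src": "10.0.0.9", "query": "wpad", "qtype": "A", "rcode": "NXDOMAIN", "bytes": 40}]
)


def registered_domain(qname):
    """Naive registration-domain extraction: the last two labels. A real deployment
    should use the public suffix list instead (co.uk and similar break this)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def analyze_dns(events, unique_threshold=10, bytes_threshold=2000, failure_threshold=5):
    """Apply the tunnel, excessive-failure and rogue-WPAD checks to one window of events."""
    per_pair = defaultdict(lambda: {"unique": set(), "bytes": 0})   # (client, registered domain)
    failures = defaultdict(int)                                      # client -> NXDOMAIN count
    wpad = []
    for ev in events:
        qname = ev["query"].rstrip(".").lower()
        domain = registered_domain(qname)
        bucket = per_pair[(ev["src"], domain)]
        bucket["unique"].add(qname)
        bucket["bytes"] += ev["bytes"]
        if ev["rcode"] != "NXDOMAIN":
            continue
        failures[ev["src"]] += 1
        # UC0072: NXDOMAIN for A/AAAA lookups of wpad or wpad.<domain> outside company-owned zones
        is_wpad = qname == "wpad" or qname.startswith("wpad.")
        if is_wpad and ev["qtype"] in ("A", "AAAA") and domain not in COMPANY_DOMAINS:
            wpad.append((ev["src"], qname))
    # UC0049 / UC0076: per client and domain, many unique names OR a large total size
    tunnel = [{"src": src, "domain": domain, "unique": len(b["unique"]), "bytes": b["bytes"]}
              for (src, domain), b in per_pair.items()
              if len(b["unique"]) >= unique_threshold or b["bytes"] >= bytes_threshold]
    # UCESS018: clients with many failed lookups in the window
    excessive_failures = [src for src, n in failures.items() if n >= failure_threshold]
    return {"tunnel": tunnel, "excessive_failures": excessive_failures, "wpad": wpad}


if __name__ == "__main__":
    for name, hits in analyze_dns(SAMPLE_EVENTS).items():
        print(name, hits)
```

Grouping the unique-name count by (client, registered domain) rather than by client alone is what separates a tunnel, where every query is a fresh label under one domain, from a busy but ordinary host that resolves many unrelated names. The thresholds here are only illustrative; the library's searches fix the window (the prior 60 minutes starting 5 minutes ago) and the caller of this function is expected to have selected that window already.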

Providing Technologies

Found 3 search result(s) for title:PT* contentBody:"DS002DNS-ET01QueryResponse".

PT013-ISCBIND-DNS (Narrative and Use Case Center)

Provides DS002DNSET01QueryResponse DS002DNSET01QueryRequest

Apr 25, 2016 Labels: provider-type

PT002-Splunk-Stream-DNS (Narrative and Use Case Center)

Provides DS002DNSET01Query DS002DNSET01QueryResponse DS002DNSET01QueryRequest

Apr 25, 2016 Labels: provider-type

PT003-ExtraHop-DNS (Narrative and Use Case Center)

Provides DS002DNSET01Query DS002DNSET01QueryResponse DS002DNSET01QueryRequest

Apr 25, 2016 Labels: provider-type

DS003Authentication-ET01Success

Indicates the authentication system validated the factors provided

Consuming Use Cases

Essentials

Found 5 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS003Authentication-ET01Success".

UCESS053 Threat Activity Detected (Narrative and Use Case Center)

... past 60 minutes starting 5 minutes after realtime, deduplicate the threat match field and value, generate the eventid and return raw, origsource (Saved Search), src, dest and all threat intel data model fields. Depending on the match ...

Sep 17, 2016

Labels: prt05-tacticalthreat-ransomeware

UCESS005 Activity from Expired User Identity (Narrative and Use Case Center)

Alerts when an event is discovered from a user associated with an identity that is now expired (that is, the end date of the identity has passed). Looking across a realtime window of /5 minutes, search for Last Time, Original Raw Event Data, user ...

Aug 14, 2016

UCESS012 Brute Force Access Behavior Detected Over One Day (Narrative and Use Case Center)

Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this could indicate a successful brute force attack). Looking across the prior 24 hours starting 1 hour ago, search for application ...

Aug 14, 2016

UCESS011 Brute Force Access Behavior Detected (Narrative and Use Case Center)

Detects an excessive number of failed login attempts along with a successful attempt (this could indicate a successful brute force attack). Looking across the prior 60 minute period starting 5 minutes ago, search for tags, applications, count of failures ...

Aug 14, 2016

UC0043 Direct Authentication to NHA (Narrative and Use Case Center)

Direct authentication via SSH or console session to a non-human account indicates a violation of security policy, either by recording the password of a non-human account for later use or by associating an SSH key with a non-human account. Problem Types Addressed Risk ...

Apr 11, 2016

Maturing

Found 10 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS003Authentication-ET01Success".

UCESS016 Default Account Activity Detected (Narrative and Use Case Center)

Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords and are therefore commonly targeted by attackers using brute force attack tools. Looking across a realtime window of /5 minutes, return lastTime, tag ...

Aug 14, 2016

UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center)

Detects authentication requests that transmit the password over the network as cleartext (unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original raw, tags and count grouped by the application and destination (host, IP, name ...

Aug 14, 2016

UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center)

Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared passwords and potential misuse. Looking across the prior 65 minutes starting 5 minutes ago, search for time, application, source (host, IP, name) and user ...

Aug 14, 2016

UC0094 Insecure authentication method detected (Narrative and Use Case Center)

... For each authentication technology in the network, identify the values of authentication events that positively ensure that secure authentication is in use. Alert per authentication technology where a successful event occurs without the required indicators. Problem Types Addressed Risk Addressed Event ...

Jun 24, 2016

UC0090 User account cross enclave access (Narrative and Use Case Center)

Detection of logon with the same account to a production and a non-production environment. If an account (not a user) has logged into more than one enclave, access management controls have failed and must be remediated. Problem Types Addressed Risk Addressed Event Data ...

Jun 24, 2016

UC0093 Previously active account has not accessed enclave/lifecycle (Narrative and Use Case Center)

Identify accounts no longer in use with access to high/critical or enclave systems and remove access when no longer required. Implement a tracking list of accounts and the accessed enclave or business service identifier, maintain the last accessed time and alert when the last ...

Jun 24, 2016

UC0045 Local authentication server (Narrative and Use Case Center)

Following provisioning, *nix servers seldom require local administration. Investigate any use of local authentication as it may indicate an attempt to compromise the host via KVM or virtual console. Problem Types Addressed Risk Addressed Event Data Sources ...

Apr 11, 2016

UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)

Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode RV6Misconfiguration ...

Apr 08, 2016

UC0041 SSH v1 detected (Narrative and Use Case Center)

Authentication using the insecure protocol SSH v1 detected. The legacy SSH protocol is inherently insecure; accepted SSHv1 sessions indicate a misconfigured system. Attempted and denied sessions indicate system probing or scanning. Problem Types Addressed Risk ...

Apr 11, 2016

UC0042 SSH Authentication using unknown key (Narrative and Use Case Center)

... The public key utilized for authentication is recorded in the SSHD authentication log. Detection of a new key should be investigated to determine the owner of the key and validate authorization to access the resource. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance ...

Apr 11, 2016

Providing Technologies

Found 2 search result(s) for title:PT* contentBody:"DS003Authentication-ET01Success".

PT012-Splunk-InternalLogging (Narrative and Use Case Center)

... Enterprise Application includes extensive internal logging covering performance and usage. Provides DS003Authentication (DS003AuthenticationET01Success, DS003AuthenticationET02Failure) and DS006UserActivity. Key Facts: Impact to index/license: None. LOAD: Low ...

Apr 01, 2016 Labels: provider-type

PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center)

Cisco ASA is a multi-function firewall, VPN and reverse proxy device. Provides DS003AuthenticationET01Success DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection DS014WebServerET01Access. Key Facts: Impact to index/license: Educated 3k nm nu = Total K per Day (average ...

Jul 25, 2016 Labels: provider-type

DS003Authentication-ET02Failure

The authentication system did not approve the attempt, based on invalid factors.

Consuming Use Cases

Essentials

Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS003Authentication-ET02Failure" NOT contentBody:"DS003Authentication-ET02Failure*".

Maturing

Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS003Authentication-ET02Failure" NOT contentBody:"DS003Authentication-ET02Failure*".

Providing Technologies

Found 0 search result(s) for title:PT* contentBody:"DS003Authentication-ET02Failure" NOT contentBody:"DS003Authentication-ET02Failure*".

These three searches exclude every page that matches the wildcard form of their own term, so they can never return anything and the zero counts say nothing about the failure event. Its consumers appear under the ET02FailureBadFactor subtype below, and both PT012-Splunk-InternalLogging and PT016-Cisco-ASA/PIX/FWSM list DS003AuthenticationET02Failure among the event types they provide.

DS003Authentication-ET02FailureBadFactor

Indicates the authentication system determined the factors provided were invalid

Consuming Use Cases

Essentials

Found 2 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS003Authentication-ET02FailureBadFactor".

UCESS012 Brute Force Access Behavior Detected Over One Day (Narrative and Use Case Center)

Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this could indicate a successful brute force attack). Looking across the prior 24 hours starting 1 hour ago, search for application ...

Aug 14, 2016

UCESS011 Brute Force Access Behavior Detected (Narrative and Use Case Center)

Detects an excessive number of failed login attempts along with a successful attempt (this could indicate a successful brute force attack). Looking across the prior 60 minute period starting 5 minutes ago, search for tags, applications, count of failures ...

Aug 14, 2016

Maturing

Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS003Authentication-ET02FailureBadFactor".

UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center)

Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared passwords and potential misuse. Looking across the prior 65 minutes starting 5 minutes ago, search for time, application, source (host, IP, name) and user ...

Aug 14, 2016

UCESS020 Excessive Failed Logins (Narrative and Use Case Center)

Detects an excessive number of failed login attempts (this is likely a brute force attack). For the past 1 hour starting 5 minutes after realtime, search for failure in the tag field and return values of app and Source IP, tags, distinct user ...

Aug 14, 2016
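UCESS011, UCESS012 and UCESS020 (many failures, with or without a following success), UCESS015 (one account succeeding from several hosts) and UCESS016 (default account names) are all count and sequence checks over the DS003Authentication success and failure events of this section. The following is an added example, not code from the library: it runs those checks in Python over a constructed window of events. The field names, the default-account list and the thresholds are assumptions. It deliberately counts unknown-account failures together with bad-factor failures: the library attaches the brute-force use cases to ET02FailureBadFactor and lists no consumer for ET02FailureUnknownAccount, so guessing against usernames that do not exist would otherwise go uncounted.

```python
from collections import defaultdict

DEFAULT_ACCOUNTS = {"admin", "administrator", "root", "guest", "test"}  # assumption (UCESS016)


def _attempt(ts, user, src, app, action, reason=None):
    """One constructed DS003Authentication style event; ts is seconds into the window."""
    return {"ts": ts, "user": user, "src": src, "app": app, "action": action, "reason": reason}


# Constructed sample: one 60-minute window of authentication events.
SAMPLE_EVENTS = (
    # 203.0.113.10 tries default and unknown names, then jdoe's password, and gets in
    [_attempt(10 + i, user, "203.0.113.10", "vpn", "failure", "unknown_account")
     for i, user in enumerate(["root", "admin", "test"])]
    + [_attempt(20 + i, "jdoe", "203.0.113.10", "vpn", "failure", "bad_factor") for i in range(3)]
    + [_attempt(30, "jdoe", "203.0.113.10", "vpn", "success")]
    # 198.51.100.7 fails repeatedly against bob and never succeeds
    + [_attempt(100 + i, "bob", "198.51.100.7", "webmail", "failure", "bad_factor") for i in range(8)]
    # alice succeeds from two different hosts inside the window; carol from one
    + [_attempt(150, "alice", "10.1.1.5", "webmail", "success"),
       _attempt(400, "alice", "10.2.2.9", "webmail", "success"),
       _attempt(420, "carol", "10.1.1.6", "webmail", "success")]
)


def analyze_auth(events, failure_threshold=5):
    """Apply the brute-force, concurrent-login and default-account checks to one window."""
    failures = defaultdict(int)          # (src, app) -> failures seen so far, any reason
    brute_force_success = []             # UCESS011 / UCESS012: failures, then a success from the same source
    success_srcs = defaultdict(set)      # user -> hosts with a successful login (UCESS015)
    default_accounts = []                # UCESS016: any activity under a default account name
    for ev in sorted(events, key=lambda e: e["ts"]):   # order matters: the success must follow the failures
        key = (ev["src"], ev["app"])
        if ev["user"] in DEFAULT_ACCOUNTS:
            default_accounts.append((ev["ts"], ev["user"], ev["src"], ev["action"]))
        if ev["action"] == "failure":
            failures[key] += 1           # bad_factor and unknown_account both count
        elif ev["action"] == "success":
            success_srcs[ev["user"]].add(ev["src"])
            if failures[key] >= failure_threshold:
                brute_force_success.append({"src": ev["src"], "app": ev["app"],
                                            "user": ev["user"], "failures": failures[key]})
    brute_keys = {(b["src"], b["app"]) for b in brute_force_success}
    # UCESS020: over threshold with no success from that source (a success was reported above)
    excessive_failures = [(src, app, n) for (src, app), n in failures.items()
                          if n >= failure_threshold and (src, app) not in brute_keys]
    concurrent_logins = [user for user, srcs in success_srcs.items() if len(srcs) >= 2]
    return {"brute_force_success": brute_force_success,
            "excessive_failures": excessive_failures,
            "concurrent_logins": concurrent_logins,
            "default_accounts": default_accounts}


if __name__ == "__main__":
    for name, hits in analyze_auth(SAMPLE_EVENTS).items():
        print(name, hits)
```

The ordering step is the part that separates UCESS011 from UCESS020: a success that precedes the failures is not evidence that the guessing worked, so failures are counted per source and only a later success from that source is reported as a likely compromise. UCESS015 is approximated here as "two or more source hosts with a success for the same user anywhere in the window"; the library's 65-minute window plays the same role, and the 24-hour variant UCESS012 is the same logic run over a larger slice of events.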

Providing Technologies

Found 1 search result(s) for title:PT* contentBody:"DS003Authentication-ET02FailureBadFactor".

PT016-Cisco-ASA/PIX/FWSM (Narrative and Use Case Center)

Cisco ASA is a multi-function firewall, VPN and reverse proxy device. Provides DS003AuthenticationET01Success DS003AuthenticationET02Failure DS003AuthenticationET02FailureBadFactor DS010NetworkCommunicationET01Traffic DS012NetworkIntrusionDetectionET01SigDetection DS014WebServerET01Access. Key Facts: Impact to index/license: Educated 3k nm nu = Total K per Day (average ...

Jul 25, 2016 Labels: provider-type

DS003Authentication-ET02FailureError

Indicates the authentication system encountered an error and was unable to authenticate the user.

Consuming Use Cases

Essentials

Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS003Authentication-ET02FailureError".

Maturing

Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS003Authentication-ET02FailureError".

Providing Technologies

Found 0 search result(s) for title:PT* contentBody:"DS003Authentication-ET02FailureError".

DS003Authentication-ET02FailureUnknownAccount

Indicates the authentication system was unable to locate the account, factors were not evaluated

Consuming Use Cases

Essentials

Found 0 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS003Authentication-ET02FailureUnknownAccount".

Maturing

Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS003Authentication-ET02FailureUnknownAccount".

Providing Technologies

Found 0 search result(s) for title:PT* contentBody:"DS003Authentication-ET02FailureUnknownAccount".

DS004EndPointAntiMalware-ET01SigDetected

Endpoint product detection based on a signature or a specified heuristics class

Consuming Use Cases

Essentials

Found 10 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS004EndPointAntiMalware-ET01SigDetected".

UCESS035 Host With Multiple Infections (Narrative and Use Case Center)

Alerts when a host with multiple infections is discovered. For the past 24 hours, using all summary data even if the model has changed, return a distinct count of signatures and group by destination (host, IP, name). Alert when the count is greater ...

Aug 14, 2016

UCESS025 High Number Of Infected Hosts (Narrative and Use Case Center)

Alerts when a high total number of infected hosts is discovered. For the past 15 days, using all summary data even if the model has changed, return an estimated distinct count of destination (host, IP, name) where nodename is MalwareAttacks ...

Aug 14, 2016

UCESS026 High Or Critical Priority Host With Malware Detected (Narrative and Use Case Center)

Alerts when an infection is noted on a host with high or critical priority. Looking across a realtime window of /5 minutes, search for destination priority (assigned in asset table) of high or critical and return most recently seen time, original raw log, destination ...

Aug 14, 2016

UCESS027 High or Critical Priority Individual Logging into Infected Machine (Narrative and Use Case Center)

Detects users with a high or critical priority logging into a malware infected machine. Using all summary data even if the model has changed, search for user over a 60 minute window starting 5 minutes after realtime where user priority ...

Aug 14, 2016

UCESS043 Outbreak Detected (Narrative and Use Case Center)

Alerts when a potential outbreak is observed based on newly infected systems all exhibiting the same infection. For the past 24 hours, using all summary data even if the model has changed, generate a distinct count of the systems that were affected by the malware ...

Apr 26, 2016

UCESS024 High Number of Hosts Not Updating Malware Signatures (Narrative and Use Case Center)

Alerts when a high number of hosts not updating malware signatures have been discovered. These hosts
