Potential Signals of An Active Threat - mccright/FCCSCybersecurityInput GitHub Wiki
What Are Some Events You Can Analyze?
Account Authenticated To Critical Asset: A new user authenticates to a restricted asset.
Account Authenticated To Critical Asset From New Source: A permitted user authenticates to a restricted asset from a new source asset.
Account Authenticates With New Asset: A permitted user is authenticating to an application from a new source asset.
Account Created: An account was created on a 'monitored' or 'flagged' asset.
Account Enabled: A previously-disabled user account is re-enabled by an identity using an administrator role.
Account Leak: A user's credentials may have been leaked to the public domain.
Account Password Reset: A user resets the password for an account (special emphasis on 'monitored' or 'flagged' accounts, out-of-norm times/locations/endpoints, etc.)
Account Privilege Escalated: An identity using administrator permissions assigns higher level of privileges to the account (special emphasis on 'monitored' or 'flagged' accounts, out-of-norm times/locations/endpoints, etc.).
Account Received Suspicious Link: A user receives an email containing a link flagged by 'threat feeds' or another trusted source of threat information.
Account Visits Suspicious Link: A user accesses a link URL identified as a threat by your 'threat feeds' or another trusted source of threat information.
Malware Alert: A malware-identification system generates an alert.
Asset Connects To Network Honeypot: There was an attempt to interact with a network honeypot -- or some level of 'successful' interaction.
Attacker Behavior Analytics: A detection model in your intrusion detection system fired -- alerting you for follow-up analysis and correlation with threat intelligence inputs.
Authentication Attempt From Disabled Account: A disabled user attempts to authenticate and/or directly access an asset.
Brute Force Attack Against Domain Account: One or more sources/assets have unsuccessfully attempted to authenticate using a domain account too many times within a given time threshold.
Brute Force Attack Against Local Account: One or more sources/assets have unsuccessfully attempted to authenticate using a local account too many times within a given time threshold.
Brute Force From Unknown Source: One or more unknown/unauthorized sources/assets failed to authenticate using a local account too many times within a given time threshold.
Domain Admin Added: A user has been added to a privileged domain group.
Local Admin Added: A user has been added to a privileged local group on an asset.
First Ingress Authentication From Country: A user logged onto the network/system for the first time from a given country.
First Time Admin Action: An identity using administrator rights was employed for the first time in this domain or on this asset.
Harvested Credentials: Multiple accounts are attempting to authenticate to a single, unusual location.
Ingress From Disabled Account: A disabled user logs onto the network or a monitored cloud service.
Ingress From Non Expiring Account: An account with a password that never expires accesses the network from an external location.
Ingress From Service Account: A service account accesses the network from an external location.
Lateral Movement Domain Credentials: A domain account attempts to access several new assets in a short period of time.
Lateral Movement Local Credentials: A local account attempts to access several assets in a short period of time.
Log Deletion: A user deletes event logs on an asset.
Log Deletion By Local Account: A local account deletes event logs on an asset.
Malicious Hash On An Asset: A flagged process hash starts running on an asset for the first time.
Multiple Country Authentications: A user accesses the network from several different countries within a short period of time.
Multiple Organization Authentications: A user accesses the network from multiple external organizations too quickly.
Network Access For Threat: A user accesses a domain or IP address tagged in the Threats section.
New Local User Primary Asset: A new local user account was added to the primary asset of a domain user.
New Mobile Device: A user accesses the network from a new mobile device.
Password Set To Never Expire: A password of an account has been set to never expire.
Protocol Poison: Misuse of a network protocol is detected.
Flow Volume Change: The volume pattern of any given data communications flow changes relative to 'historical' flows.
Flow Payload Change: The data 'payload' characteristics of any given data communications flow change relative to 'historical' flows.
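As an added example (not part of this wiki page or of any product it describes), the Python sketch below shows how three of the signals above reduce to one sliding-window count over authentication events: Brute Force Attack Against Domain/Local Account, Lateral Movement, and Harvested Credentials. The event records, their field layout, and the thresholds are constructed assumptions; a real deployment would feed the detector from its SIEM or log pipeline.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication events, not from any real system:
# (timestamp, account, source asset, destination asset, success)
EVENTS = [
    ("2024-01-01T10:00:00", "alice", "ws1", "fs01", False),
    ("2024-01-01T10:00:05", "alice", "ws1", "fs01", False),
    ("2024-01-01T10:00:09", "alice", "ws1", "fs01", False),
    ("2024-01-01T10:05:00", "bob", "ws2", "srv01", True),
    ("2024-01-01T10:05:30", "bob", "ws2", "srv02", True),
    ("2024-01-01T10:06:00", "bob", "ws2", "srv03", True),
    ("2024-01-01T11:00:00", "carol", "ws3", "vpn-gw", True),
    ("2024-01-01T11:00:10", "dave", "ws4", "vpn-gw", True),
    ("2024-01-01T11:00:20", "erin", "ws5", "vpn-gw", True),
    ("2024-01-01T12:30:00", "erin", "ws5", "srv01", True),  # far outside any window
]
TEN_MIN = timedelta(minutes=10)

def windowed_detect(events, key, value, threshold, window, keep=lambda e: True):
    """Group kept events by key(e); within `window` count events (value=None) or
    distinct value(e); report each key the first time the count hits threshold."""
    recent = defaultdict(deque)          # key -> deque of (timestamp, value)
    alerts = []
    for e in sorted(events, key=lambda e: e[0]):
        if not keep(e):
            continue
        ts, k = datetime.fromisoformat(e[0]), key(e)
        q = recent[k]
        q.append((ts, value(e) if value else None))
        while ts - q[0][0] > window:     # evict entries older than the window
            q.popleft()
        count = len({v for _, v in q}) if value else len(q)
        if count >= threshold and k not in alerts:
            alerts.append(k)
    return alerts

def brute_force_accounts(events, threshold=3, window=TEN_MIN):
    # Brute Force Against Domain/Local Account: repeated failed logons per account.
    return windowed_detect(events, lambda e: e[1], None, threshold, window,
                           keep=lambda e: not e[4])

def lateral_movement_accounts(events, threshold=3, window=TEN_MIN):
    # Lateral Movement: one account reaching several distinct assets quickly.
    return windowed_detect(events, lambda e: e[1], lambda e: e[3], threshold,
                           window, keep=lambda e: e[4])

def harvested_credential_targets(events, threshold=3, window=TEN_MIN):
    # Harvested Credentials: many distinct accounts hitting one destination.
    return windowed_detect(events, lambda e: e[3], lambda e: e[1], threshold, window)
```

The 'unusual location' and 'new asset' qualifiers used by several signals above need a baseline of historical activity per account and asset, which this sketch does not model; thresholds and windows are tuning knobs, not recommended values.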