Copyright 2016
The information transmitted in this document is intended only for the addressee and may contain
confidential and/or privileged material. Any interception, review, retransmission, dissemination or other use
of or taking of any action upon this information by persons or entities other than the intended recipient is
prohibited by law and may subject them to criminal or civil liability.
Proprietary and Confidential Information shall include, but not be limited to, performance, sales, financial,
contractual and special marketing information, ideas, technical data and concepts originated by the disclosing
party, its subsidiaries and/or affiliates, not previously published or otherwise disclosed to the general public,
not previously available without restriction to the receiving party or others, nor normally furnished to others
without compensation, and which the disclosing party desires to protect against unrestricted disclosure or
competitive use, and which is furnished pursuant to this document and appropriately identified as being
proprietary when furnished.
Copyright 2016 Splunk, Inc. All rights reserved. The Splunk logo is a registered trademark of Splunk. All
other products and company names mentioned herein are trademarks or registered trademarks of their
respective owners.
Version Control
SECURITY PROGRAM REVIEW
Client Name
None
Client Contact
Document Issue No
2.1
Author(s)
Ryan Faircloth
Delivery Date
Data Classification
Proprietary
Splunk, Inc.
250 Brannan Street, 2nd Floor
San Francisco, CA 94107
+1.415.568.4200 (Main)
+1.415.869.3906 (Fax)
www.splunk.com
Preparation
Identify essential and beneficial staff per session based on the agenda that follows
Secure meeting space
Minimize meeting location changes, as this is disruptive to progress and contributes to no-shows
Adequate seating for attendees
One, preferably two, projectors/screens
Guest Wi-Fi
Whiteboards
Splunk will provide a WebEx session, use digital whiteboards, and record the session unless the customer objects. The recording
is used to review and enrich notes as needed to prepare deliverables and is not required if the customer is uncomfortable with it.
Collect supporting documentation electronically
All applicable internal policies and supporting standards such as
Information Resource Classification
Information Retention and Destruction
Infrastructure logging and configuration
Database Logging and Configuration
Application Logging and Configuration
Inventory of standards with requirements for logging and monitoring applicable to your business
Internal audit/self-assessment for applicable security standards such as PCI/SOX/HIPAA, including current draft reports
External audit/self-assessment for applicable security standards such as PCI/SOX/HIPAA
Identify the following project roles and schedule their attendance
Project Manager
Senior Business Analyst
Senior Technical Analyst/Architect
Senior Security Analyst
Test Lead
Executive Sponsor
Executive Stakeholders or immediate deputies
Compliance Analysts
Internal Assessors
Review tabled items from prior sessions; interview stakeholders identified in prior sessions but not yet planned
Review Session 14:00 - 16:00
Review items captured
Re-sort priorities based on later learning
1.1.4.4 DS002DNS-ET01Query
1.1.4.4.1 DS002DNS-ET01QueryRequest
1.1.4.4.2 DS002DNS-ET01QueryResponse
1.1.4.5 DS003Authentication-ET01Success
1.1.4.6 DS003Authentication-ET02Failure
1.1.4.6.1 DS003Authentication-ET02FailureBadFactor
1.1.4.6.2 DS003Authentication-ET02FailureError
1.1.4.6.3 DS003Authentication-ET02FailureUnknownAccount
1.1.4.7 DS004EndPointAntiMalware-ET01SigDetected
1.1.4.8 DS004EndPointAntiMalware-ET02UpdatedSig
1.1.4.9 DS004EndPointAntiMalware-ET03UpdatedEng
1.1.4.10 DS005WebProxyRequest-ET01Requested
1.1.4.10.1 DS005WebProxyRequest-ET01RequestedWebAppAware
1.1.4.11 DS005WebProxyRequest-ET02Connect
1.1.4.12 DS006UserActivity-ET01List
1.1.4.13 DS006UserActivity-ET02Read
1.1.4.14 DS006UserActivity-ET03Create
1.1.4.15 DS006UserActivity-ET04Update
1.1.4.16 DS006UserActivity-ET05Delete
1.1.4.17 DS006UserActivity-ET06Search
1.1.4.18 DS006UserActivity-ET07ExecuteAs
1.1.4.19 DS007AuditTrail-ET01Clear
1.1.4.20 DS007AuditTrail-ET02Alter
1.1.4.21 DS007AuditTrail-ET03TimeSync
1.1.4.22 DS008HRMasterData-ET01Joined
1.1.4.23 DS008HRMasterData-ET02SeperationNotice
1.1.4.24 DS008HRMasterData-ET03SeperationImmediate
1.1.4.25 DS009EndPointIntel-ET01ObjectChange
1.1.4.26 DS009EndPointIntel-ET01ProcessLaunch
1.1.4.27 DS010NetworkCommunication-ET01Traffic
1.1.4.27.1 DS010NetworkCommunication-ET01TrafficAppAware
1.1.4.28 DS010NetworkCommunication-ET02State
1.1.4.29 DS011MalwareDetonation-ET01Detection
1.1.4.30 DS012NetworkIntrusionDetection-ET01SigDetection
1.1.4.31 DS013TicketManagement-ET01
1.1.4.32 DS014WebServer-ET01Access
1.1.4.33 DS015ConfigurationManagement-ET01General
1.1.4.34 DS016DataLossPrevention-ET01Violation
1.1.4.35 DS017PhysicalSecurity-ET01Access
1.1.4.36 DS018VulnerabilityDetection-ET01SigDetected
1.1.4.37 DS019PatchManagement-Applied
1.1.4.38 DS019PatchManagement-Eligable
1.1.4.39 DS019PatchManagement-Failed
1.1.4.40 DS020HostIntrustionDetection-ET01SigDetected
1.1.4.41 DS021Telephony-ET01CDR
1.1.4.42 DS022Performance-ET01General
1.1.4.43 DS023CrashReporting-ET01General
1.1.4.44 DS024ApplicationServer-ET01General
1.1.5 Technology Provider View
1.1.5.1 PT001-Microsoft-Exchange
1.1.5.2 PT002-Splunk-Stream
1.1.5.2.1 PT002-Splunk-Stream-DHCP
1.1.5.2.2 PT002-Splunk-Stream-DNS
1.1.5.2.3 PT002-Splunk-Stream-SMTP
1.1.5.3 PT003-ExtraHop
1.1.5.3.1 PT003-ExtraHop-DNS
1.1.5.3.2 PT003-ExtraHop-SMTP
1.1.5.4 PT004-McAfee Web Gateway
1.1.5.5 PT005-Microsoft-Windows
1.1.5.6 PT006-PaloAlto Firewall
1.1.5.7 PT008-Snort
1.1.5.8 PT009-SourceFire
1.1.5.9 PT010-Websense
1.1.5.10 PT011-Bluecoat
1.1.5.11 PT012-Splunk-InternalLogging
1.1.5.12 PT013-ISCBIND-DNS
1.1.5.13 PT014-PhysicalAccessControl
1.1.5.14 PT015-Linux-Deb/RH
1.1.5.15 PT016-Cisco-ASA/PIX/FWSM
1.1.5.16 PT017-Trend-TippingPoint
1.1.6 Enrichment Data View
1.1.6.1 DE001AssetInformation
Introduction
Target Audience
The repository has a number of well-defined target audiences; as the repository evolves, each group should be better served.
Account Team - Utilizing key terms from customer dialog identify value proposition based on customer experiences
Sales Engineering - Cross reference Core, Premium, Third party, and services solutions to support customer objectives
Professional Services Managers - Better estimate project scope utilizing objective-based planning, with the ability to plan the schedule
based on prior experiences
Professional Services Consultant - Better understand what was agreed to and implementation requirements
Scope
Presently the scope of the repository is focused on addressing motivating problems experienced by leaders in the Information Security and
Compliance markets.
How to Navigate
Reactive
Use of the repository allows the user to work alongside the customer, typically analysts, managers, and architects, to demonstrate value that is
currently being realized or can be realized based on available data sources. Careful consideration should be given to how the narratives are
presented: the amount of information can be overwhelming.
Using the left-hand navigation menu or a shortcut below, begin with one of the following "views"
Supporting Data View - Supporting data represents the types of data utilized to support a solution, eventually achieving a business objective.
These data types can be consumed equally by use case narratives regardless of the underlying technology. In some cases we recognize
that not all technology sources are equal and further define specific "events" and critical fields that must be provided to successfully
implement a narrative. This approach allows the user to head off implementation failure when a given combination cannot achieve
success.
Technology Provider View - Technology Providers roughly equate to Splunk Technology Add-ons. When working with preexisting
technology implementations, the user can utilize this view to determine what use cases may be possible in a customer environment.
Proactive
Use of the repository allows the user to work alongside the customer, typically executive leaders and senior leaders, to identify the opportunities
within the organization where the greatest value gains can be realized for the smallest opportunity costs. When used in this way the account team
can begin documenting the motivating problems, ideal solution narratives (use cases), and perceived value early in the relationship. These
artifacts can easily be used by the account team, customer success, and professional services to assist the customer in staying on track to value
delivery and recognition of product value. This approach is summarized as objective-led solution development.
Using the left-hand navigation menu or a shortcut below, begin with one of the following "views"
Motivating Problem Type View - Motivating problems are broad business needs; generally these are targeted at the level of conversation
expected with executive leaders and senior leaders in a given organization. Our goal is to assist in defining the
problem to be addressed in such a way as to be clearly understood by all parties involved. These defined problems can become natural
Adoption
The first section of each use case contains a brief descriptive narrative element, followed by adoption phase descriptors. Three types of adoption
phase descriptors are used:
narrative. These reasons typically motivate customers in specific circumstances to adopt a use case narrative,
though we may not expect adoption by other customers in similar verticals or maturity stages.
APC-Essential An essential use case narrative when filtered by a Motivating problem describes a solution
implemented almost by default. These use cases have qualities such as easy implementation, immediate
high value return, or compliance satisfaction as justification for early adoption.
APC-Mature A Mature use case narrative when filtered by a Motivating problem describes a solution used to
expand value from existing data sources or to justify the addition of data sources.
APC-Maturing A Maturing use case narrative when filtered by a Motivating problem describes a solution
which will present a high value to the customer; however, customer maturity, implementation requirements,
data sources, or complexity would likely cause delays.
APC-Superceded A Superceded use case narrative has been replaced with one or more improved
narratives. The excerpt of the Superceded narrative should be updated to include a direct link to the replacement narratives.
APC-Undetermined Adoption phase has yet to be assigned
industry. These narratives have not yet been widely adopted and represent an opportunity to provide value
not presently obtained from current solutions within the organization.
API-Dated Narratives described as dated have little emotional appeal and may no longer provide
value when implemented. For customers with legacy needs it may be appropriate to recommend some use
cases from this category.
API-Distinctive Narratives described as distinctive represent utilization of unique capabilities of the Splunk
platform. While it may be possible to implement these narratives without Splunk, factors such
as specialized skill or complexity make implementation impractical.
API-Expected Narratives described as expected could also be described as "must do" and "should do". Adequate
adoption in the industry allows the narrative to justify its own implementation with little convincing of stakeholders
required.
API-Known Narratives described as known would have recognition in the industry. These narratives may still
be controversial but have been presented adequately as to not be considered foreign concepts.
API-Socializing Narratives described as socializing are currently being presented at
conferences, spoken about in blogs or other venues, and have not yet made an impression of value on the
industry community.
Qualification
The second section of each use case contains attributes intended to assist the user and customer in evaluating the use case in consideration of
the customer environment, skill sets available and work load generated.
Severity
Severity of any notable event generated (automatically or manually) as a result of discoveries made
utilizing this use case.
SV1 - Low Low severity issues will frequently be trumped by higher priority issues and external workload. In
most organizations low priority issues frequently age out without review.
SV2 - Medium Medium severity items must be addressed within the organization's service level agreement;
however, such events may not be an organizational priority. For example, "it will get dealt with, but I may go to
lunch or an unrelated meeting before I actually address it."
SV3 - High High severity notable events will interrupt work for immediate attention. Evaluation of a high severity
event may result in a formal incident and/or escalation. For example, "I will skip meetings and lunch and other
interruptions during the workday to deal with this; however, while I will stay late, I will not come in during the
night or skip my child's recital because of it."
SV4 - Critical Critical severity items require immediate and constant attention until resolved. For example: "I
will work nights and weekends and Christmas morning if necessary to resolve this."
Rate of Detection
Rate of Detection is a non-scientific estimate of the number of occurrences of a specified event.
RATED0-Rare Rare events will occur less than once per day on average.
RATED1-Common Common events may occur a few times per day in a typical environment. It is generally
expected that common events will not overwhelm the operations team.
RATED2-Frequent Frequent events are expected to occur often in a typical environment; this type of event may
overwhelm an operations team without careful tuning and mitigations.
RATED9-Undetermined Adequate information has not yet been presented to determine this value
FIDELITY
The fidelity of a narrative describes the ratio of signal (valid/positive) to noise (invalid/false positive)
anticipated based on field experience.
FIDELITY-High This indicates a relatively high signal to noise ratio, and therefore a lower likelihood of false
System Load
System load estimates the noticeable impact of the narrative on system performance.
LOAD-Excessive Excessive impact to the system performance. Careful consideration should be made before
adoption of this use case such as limiting the scope to essential systems or users.
LOAD-High High impact to the system performance. Narratives are expected to require a noticeable amount
of time to execute.
LOAD-Low Low estimated impact to the system performance.
LOAD-Moderate Moderate estimated impact to the system performance, unlikely to create a perceptible
impact for interactive users, may contribute to the latency of scheduled searches.
LOAD-Undetermined Adequate information has not yet been presented to determine this value
Analyst Load
Relative level of load or work effort involved in resolving the notable event
AnalystLoad-Automation Requires no outside information for triage and can be automated to resolution in
many environments. When automation is not available these narratives are considered low.
AnalystLoad-High Requires a large amount of time/effort to triage the notable event.
AnalystLoad-Low Requires a small amount of time/effort to triage the notable event.
AnalystLoad-Moderate Requires a moderate amount of time/effort to triage the notable event; triage is
seldom expected to extend beyond the current shift.
AnalystLoad-Undetermined Adequate information has not yet been presented to determine this value
Implementation Skill
Relative level of skill necessary to implement the use case.
SKILLI-Customer
SKILLI-PS-General
SKILLI-PS-SecurtityEnabled
SKILLI-PS-SecurtitySpecialist
SKILLI-Undetermined Adequate information has not yet been presented to determine this value
Measurement
Each narrative describes appropriate key performance indicators and recommends an appropriate review cadence. Each implementing customer
should utilize the metrics to monitor the effectiveness of each narrative in light of the organization's operational objectives.
Artifacts
Each narrative describes the components of an implemented solution or provides details on the content packages for implementation.
Adoption Motivations
Adoption motivations group together the impetus which drives a potential customer to seek out and/or be open to considering
our solution. Here are a few example motivations:
New functionality required by mandate (compliance requirement, executive directive, etc.)
New functionality requested due to one or more pain points have been identified that need to be alleviated
Existing functionality parity required due to a forced replacement (e.g., the existing system is EOL and its functionality must be replaced)
This view will assist the user in determining which use cases should be considered during the adoption phase
Apr 07, 2016
PRT01-Compliance
High-level compliance problems, regardless of the specific regulation or standard applied, tend to be addressed with very similar use case
narratives. Within the compliance problem type, individual common regulations will be addressed.
UC0006 Windows security event log purged (Narrative and Use Case Center)
Manually clearing the security event log on a Windows system is a violation of policy and could indicate an
attempt to cover malicious actions. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV1AbuseofAccess DS007AuditTrailET01Clear
DE001AssetInformation Adoption ...
Apr 08, 2016
UC0046 Endpoint failure to sync time (Narrative and Use Case Center)
Failure to synchronize time will impact the usefulness of security log data from the endpoint, and potentially
prevent valid authentication. Exclude virtual machine guests as their time is synchronized with the virtual host.
Problem Types Addressed Risk Addressed Event Data Sources ...
Apr 25, 2016
UC0030 Endpoint uncleaned malware detection (Narrative and Use Case Center)
... Contributing Events Search datamodel Malware MalwareAttacks search search
MalwareAttacks.dest="$dest$" Compliance YES Container App DAESSSecKitEndpointProtection Related
articles Related articles appear here ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case
Center)
Any attempted communication through the firewall not previously granted by ingress/egress policies could
indicate either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions
(bypassing the firewall). Legacy Command and Control (a.k.a. C&C or C2 ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0074 Network Intrusion Internal Network (Narrative and Use Case Center)
... IDSAttacks.category,IDSAttacks.signature `dropdmobjectname("IDSAttacks")` Note alternative
implementation with XS should be considered Compliance YES Container
App SecKitDAESSNetworkProtection
https://securitykit.atlassian.net/wiki/display/GD/SecKitDAESSNetworkProtection Windows 65m@m to 5m@m
...
May 09, 2016
Labels: prt05-tacticalthreat-ransomeware
Maturing
Use case narratives tagged APC-Maturing under PRT01-Compliance (the search returned 10 results):
UCESS016 Default Account Activity Detected (Narrative and Use Case Center)
Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default
passwords and are therefore commonly targeted by attackers using brute force attack tools. Looking across a
realtime window of /5 minutes, return lastTime, tag ...
Aug 14, 2016
UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center)
Detects authentication requests that transmit the password over the network as cleartext
(unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original
raw, tags and count grouped by the application and destination (host, IP, name ...
Aug 14, 2016
UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center)
primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and
associates identity and asset information with each. Looking back over the past 24 hours, return values of the
function and their distinct count grouped by destination (host ...
Aug 14, 2016
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host based logs such as firewall or host intrusion detection for each asset with a governance category
verify communication (accept or reject) has occurred with origination from one or more authorized vulnerability
scanners, Problem Types Addressed Risk Addressed ...
Jul 12, 2016
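The UC0091 check described above, worked through as an added example. This is not code from the original page or from the Splunk content packs it describes (the narrative's own implementation is Splunk searches); it is a stand-alone Python rendering of the same logic. The asset table, the authorized scanner addresses, the seven-day review window, the key=value log format and the firewall log lines are all constructed for the example:

```python
"""
Added example (not from the original document): UC0091, "Validate
Execution of Vulnerability Scan". For every asset that carries a
governance category, confirm from firewall logs that an authorized
vulnerability scanner has communicated with it (accept OR reject, as
the narrative says) inside the review window. Everything below is
constructed sample data; the key=value line format is an assumption.
"""
from datetime import datetime, timedelta

# Constructed: addresses of the scanners the organization authorizes.
AUTHORIZED_SCANNERS = {"10.0.9.10", "10.0.9.11"}

# Constructed slice of DE001AssetInformation: ip -> governance category.
# None means no category, so the asset is out of scope for this check.
ASSETS = {
    "10.10.3.4": "pci",
    "10.10.3.9": "pci",
    "10.30.1.5": "sox",
    "10.40.2.2": None,
}

# Constructed DS010NetworkCommunication-ET01Traffic lines from a firewall.
SAMPLE_FW = [
    "2016-07-11T02:00:01Z action=accept src=10.0.9.10 dest=10.10.3.4 dest_port=443",
    "2016-07-11T02:00:02Z action=reject src=10.0.9.10 dest=10.10.3.9 dest_port=22",
    "2016-07-11T02:00:03Z action=accept src=198.51.100.7 dest=10.30.1.5 dest_port=443",
    "2016-07-01T02:00:03Z action=accept src=10.0.9.11 dest=10.30.1.5 dest_port=443",
]

# The point in time the review is run at (constructed).
REVIEW_TIME = datetime(2016, 7, 12)


def parse_fw(line: str) -> dict:
    """Parse one constructed 'TIMESTAMP k=v k=v ...' firewall line."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["_time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def unscanned_assets(lines, assets, scanners, now, window=timedelta(days=7)):
    """Return {asset_ip: category} for governed assets that no authorized
    scanner contacted inside the window. A rejected connection still
    proves the scanner ran; traffic from an unlisted source proves nothing
    about scanning and is ignored."""
    cutoff = now - window
    contacted = set()
    for line in lines:
        ev = parse_fw(line)
        if ev["src"] in scanners and ev["_time"] >= cutoff:
            contacted.add(ev["dest"])
    return {ip: cat for ip, cat in assets.items()
            if cat is not None and ip not in contacted}


def run_review():
    """Apply the check to the constructed data set."""
    return unscanned_assets(SAMPLE_FW, ASSETS, AUTHORIZED_SCANNERS, REVIEW_TIME)


if __name__ == "__main__":
    for ip, category in run_review().items():
        print(f"no authorized scan of {ip} ({category}) in window")
```

Two caveats a practitioner should carry into the Splunk implementation: the check proves only that a scanner reached the host, not that the scan covered every port or completed, and the authorized scanner list must itself be maintained in enrichment data (DE001AssetInformation), otherwise a rogue host probing the CDE would be mistaken for compliance evidence.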
UC0094 Insecure authentication method detected (Narrative and Use Case Center)
each authentication technology in the network identify the values of authentication events that positively ensure
that secure authentication is in use. Alert per authentication technology where a successful event occurs
without the required indicators Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016
UC0090 User account cross enclave access (Narrative and Use Case Center)
Detection of logon with the same account to a production and a non-production environment. If an account (not a
user) has logged into more than one environment, access management controls have failed and must be
remediated Problem Types Addressed Risk Addressed Event Data ...
Jun 24, 2016
UC0040 Use of Shared Secret for or by automated process with risky attributes (Narrative and Use Case
Center)
Usage (checkout) by an automated process such as software installation of a shared secret or service account
where the source of the retrieval is new or outside of the change window. Problem Types Addressed Risk
Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity
RV1AbuseofAccess RV2Access ...
Apr 11, 2016
PRT01Compliance-PCI
Guidance for implementation of logging and monitoring for business-as-usual compliance with PCI DSS 3.2
Guidance
1.1.1
In support of testing procedure 1.1.1.b, maintain online and searchable logs and records for all change activity
1.1.4
In support of testing procedure 1.1.4.c, maintain online and searchable logs for all DS010NetworkCommunication-ET01Traffic
from any dvc (device) designated as cardholder, border, or internet.
1.1.6
In support of 1.1.6.a build upon the work effort invested in 1.1.4 Implement the following monitoring controls:
UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall rule
In support of 1.1.6.c build upon work effort invested in 1.1.4 Implement the following monitoring controls:
UC0082 Communication with enclave by default rule
1.2.1
In support of 1.2.1.c implement the following monitoring controls to ensure continual compliance
UC0084 Monitor Execution of Triage Activity
1.2.3
In support of 1.2.3b build upon the work effort of 1.1.6 and ensure that existing processes treat the wifi network
as an enclave.
1.3.1
1.4
In support of 1.4.b Ensure data collection for DS010NetworkCommunication-ET02State from all devices in scope
2.1
In support of 2.1.a Ensure data collection for DS003Authentication-ET01Success from all in scope systems. Ensure all PIM
systems are correctly identified in DE001AssetInformation and ensure all default accounts have been correctly listed in
DE002IdentityInformation prior to implementation of
UC0007 Account logon successful method outside of policy
2.2.1
In support of 2.2.1.a Ensure data collection for dynamic primary function identification is in place to support the complete
definition of DE001AssetInformation
UC0086 Detect Multiple Primary Functions
2.2.5
2.4
Implement a reliable dynamic asset identification solution DE001AssetInformation with the following attributes
Appropriate Values for pci_domain by cidr
All hosts within the CDE are identified with static IP address
All firewalls and interfaces containing the CDE are identified
Collect data from the following sources
DS010NetworkCommunication-ET01Traffic
DS003Authentication-ET01Success (Machine account)
DS015ConfigurationManagement-ET01General
3.1
Implement clear logging and collection for each application component responsible for deletion of online CHD. Generate a
customer specific use case for the absence of successful reports in the job execution window
3.2
3.4.1
If disk/share encryption is used implement data collection for the specific provider supporting the following data types
DS003Authentication-ET01Success
DS006UserActivity-ET02Read
DS006UserActivity-ET06Search
3.5.1
Implement customer specific use case alerting when a key is read, imported or assigned to a specific encrypted resource,
for review by the key administrator
3.5.2
Implement customer specific use case alerting when a key is accessed by a human; manually review the access with the
key administrator
4.1
In support of 4.1.c ensure data collection for DS010NetworkCommunication-ET01TrafficAppAware is in place for all CDE
network segments and implement
RP001 New web application or network protocol detected
4.2
In support of 4.2.a ensure data collection for DS016DataLossPrevention-ET01Violation is in place and implement customer
specific use case for alerting on actual or attempted transmission of CHD via email chat FTP or removable media
5.1
In support of 5.1 ensure data collection for DS004EndPointAntiMalware-ET02UpdatedSig is in place, ensure
requires_antivirus is set for all applicable records in DE001AssetInformation, and implement the following use cases.
5.2
In support of 5.2.b 5.2.c and 5.2.d implement the following use cases
UCESS024 High Number of Hosts Not Updating Malware Signatures
UC0087 Malware signature not updated by SLA for compliance asset
6.4.1
In support of 6.4.1.b define an enclave for each CDE/lifecycle such that production and non production systems can be
identified
UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall rule
6.4.2
In support of 6.4.2 define an enclave for each CDE/lifecycle such that production and non production systems can be
identified
UC0090 User account cross enclave access
6.4.3
In support of 6.4.3 identify ranges or fixed sets of PAN ranges that may be utilized in the non production life cycle and
create a set of periodic scripts to assess that no data exists outside of the fixed range. Log the results for compliance
reporting.
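As an added example (not part of this guidance), the periodic 6.4.3 check written in Python: candidate PANs in exported records are Luhn-validated, compared against the approved non-production ranges, and the result is emitted as key=value lines for a compliance index. The approved ranges, the sample records and the log line format are constructed assumptions.

```python
"""Periodic check that only approved (non-production) PAN ranges appear in a
non-production data store, in support of PCI DSS 6.4.3.

Added example, not part of the original guidance. The approved test ranges,
the sample records and the log line format are constructed for illustration.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Sequence

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Approved ranges for the non-production lifecycle, as (prefix, length).
# Constructed for this example; a real deployment lists the ranges it has
# authorised for test data.
APPROVED_RANGES = (("411111", 16), ("555555", 16))


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the first six and last four digits when writing a PAN to a log."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def in_approved_range(digits: str) -> bool:
    """True if the PAN falls in one of the ranges authorised for non-production."""
    return any(digits.startswith(p) and len(digits) == n for p, n in APPROVED_RANGES)


@dataclass
class Finding:
    record_no: int
    masked_pan: str
    approved: bool


def scan_records(records: Iterable[str]) -> List[Finding]:
    """Find Luhn-valid PANs in each record and classify them against the ranges."""
    findings: List[Finding] = []
    for record_no, line in enumerate(records, start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            if not luhn_valid(digits):
                continue  # reference numbers etc. that merely look like PANs
            findings.append(Finding(record_no, mask(digits), in_approved_range(digits)))
    return findings


def compliance_log_lines(findings: Sequence[Finding]) -> List[str]:
    """Key=value lines for the compliance index; out-of-range hits are violations."""
    out = []
    for f in findings:
        status = "approved_test_range" if f.approved else "VIOLATION_pan_outside_approved_range"
        out.append(f"control=pci_6.4.3 record={f.record_no} pan={f.masked_pan} status={status}")
    return out


# Constructed sample export from a non-production customer table.
SAMPLE_RECORDS = [
    "id=1 name=Test User card=4111 1111 1111 1111",        # approved test range
    "id=2 name=Test User card=5555555555554444",           # approved test range
    "id=3 name=Copied Row card=4012-8888-8888-1881",       # Luhn-valid, outside ranges
    "id=4 name=Phone phone=5551234567 ref=1234567890123",  # fails Luhn, ignored
]

if __name__ == "__main__":
    for line in compliance_log_lines(scan_records(SAMPLE_RECORDS)):
        print(line)
```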
6.4.4
While not conclusive for all environments the implementation of control 6.4.3 may assist in ongoing evidence of compliance.
6.4.5.x
6.4.6
6.5.x
6.6
Capture and retain logs from automated software installation and testing processes to provide evidence of
compliance with the execution of testing against common weaknesses.
Capture and retain applicable logs from defect tracking systems to evidence that issues were reported and reviewed
without modification prior to release of software to production
Using an external vulnerability scanner not granted unfiltered access, scan the public facing networks.
UCESS010 Anomalous New Listening Port
UC0091 Validate Execution of Vulnerability Scan
Periodically validate the implementation of the load balancer and web application firewall.
UC0092 Exception to Approved Flow for Web Applications
6.7
7.x
8.1
In support of this section all authentication success and failure events must be captured for all components of the
application infrastructure.
8.1.1
In support of continued monitoring of compliance with 8.1.1 implement the following use cases:
UC0039 Use of Shared Secret for access to critical or sensitive system
UC0088 User account sharing detection by source device ownership
8.1.2
8.1.3
Support continued compliance and verification through implementation of the following use case
UCESS005 Activity from Expired User Identity
8.1.4
Support continued compliance and verification through implementation of the following use case
UC0008 Activity on previously inactive account
UC0093 Previously active account has not accessed enclave/lifecycle
8.1.5
8.1.6
8.1.7
8.1.8
8.2
Implement an appropriate site specific compliance report to identify that all successful logins to a production enclave use
one of the approved authentication factors for that enclave/component.
8.2.1
Support continued compliance and verification through implementation of the following use case
UC0094 Insecure authentication method detected
8.2.2
8.2.3
8.2.4
8.2.5
8.2.6
8.3.x
Support continued compliance and verification through implementation of the following use case
UC0007 Account logon successful method outside of policy
8.4
Support continued compliance and verification through implementation of the following use case
8.5
Support continued compliance and verification through implementation of the following use case
UC0039 Use of Shared Secret for access to critical or sensitive system
UC0040 Use of Shared Secret for or by automated process with risky attributes
8.6
8.7
8.8
9.1
Support continued compliance and verification through implementation of the following use case
UC0045 Local authentication server
Review resulting events in consideration of approved physical access activity, change, incident, problem and virtual remote
console logs such as virtual infrastructure and KVM.
9.1.1
See 9.1
9.1.2
9.1.3
9.2
9.3
9.4
9.5
9.6
9.7
9.8
9.9
10.1
10.2
See below
10.2.1
10.2.2
10.2.3
10.2.4
10.2.5
Implement collection and retention of the following log sources as applied to authentication mechanisms such as directory
servers, two factor authentication systems, single sign on systems, and local authentication controls
DS006UserActivity-ET03Create
DS006UserActivity-ET04Update
DS006UserActivity-ET05Delete
10.2.6
Implement collection and retention of the following log sources as applied to the service and configuration utilized in
auditing
DS006UserActivity-ET04Update
Note: include service start, stop, and alter for configuration controlling the audit process such as syslog, group
policy, Windows registry, and database triggers
DS007AuditTrail-ET01Clear
DS007AuditTrail-ET02Alter
10.2.7
Implement collection and retention of the following log sources as applied to the service and configuration utilized in
auditing
10.3
Verify compliance of data sources identified with minimum requirements of the objective
10.4
10.5
10.5.1
Implement streaming collection of all log sources. Avoid batch collection activities and build adequate defensive and
detective controls to ensure audit processes are not tampered with when batch collection is in use.
Implement access controls as is appropriate to limit access to audit trail data in Splunk
Implement routine trim of original audit trails such that no audit data is retained on source systems beyond a
reasonable amount allowing recovery in the event of streaming collection failure
10.5.2
10.5.3
Implement Splunk Archiver function with a write only external service such as Amazon S3 to ensure data is archived to a
system under separate control.
10.5.4
Implementation of log collection for all web application server infrastructure logs especially the following:
DS002DNS-ET01QueryResponse
DS003Authentication-ET01Success
DS003Authentication-ET02Failure
DS004EndPointAntiMalware-ET01SigDetected
DS004EndPointAntiMalware-ET03UpdatedEng
DS005WebProxyRequest-ET01Requested
DS006UserActivity
DS007AuditTrail
DS009EndPointIntel-ET01ProcessLaunch
DS010NetworkCommunication-ET01Traffic
DS014WebServer-ET01Access
DS015ConfigurationManagement-ET01General
DS018VulnerabilityDetection
DS019PatchManagement
DS020HostIntrustionDetection-ET01SigDetected
10.5.5
Implementation of log collection for all web application server infrastructure logs especially the following:
DS020HostIntrustionDetection-ET01SigDetected
10.6.1
Implementation of a robust set of correlation searches to monitor each security technology in the enterprise
Management should review the PCI dashboards daily to ensure that notable events have been triaged and are being
resolved in accordance with company policy
10.6.2
Expansion of monitoring beyond the immediate PCI scope to ensure attackers are kept more than one degree away from all
PCI systems.
Management should review critical dashboards daily, such as the following, and act on the trends highlighted:
Enterprise Security Security Posture
Incident Review
10.6.3
Notable events determined to indicate suspicious activities should be identified as a formal incident and handled according
to industry accepted practices.
10.7
Ensure all in scope event data is retained online and searchable for a minimum of 3 months.
Ensure adequate search hardware is available or can be provisioned (cloud) to recall and search data up to 1 full year, OR
ensure at least 1 full year for all data sources is available.
Ensure that log infrastructure cannot be subject to denial of service attack by external actors: identify points
where external actors can generate sufficient log traffic to cause early purge or failure of logging infrastructure, and
identify methods of mitigating this risk.
10.8
Identify methods of detecting and alerting failure of critical control systems to produce events
10.9
11.1
11.2
11.3
11.4
11.5
Implement collection of the following data sources, identify appropriate technology specific use cases for the environment.
DS009EndPointIntel
DS020HostIntrustionDetection-ET01SigDetected
11.6
12
12.5
Adopt a formal methodology aligned with enterprise risk assessment to identify risks and the detective controls to be implemented
and monitored by appropriate sensor/detection technology, with correlation in a single security event and information
management system
Supporting Documentation
PCI Data Security Standard (PCI-DSS)
PRT02Compliance-NercCIP
Currently, there are 16 critical infrastructure sectors that compose the assets, systems, and networks, whether physical or virtual, so vital to the
United States that their incapacitation or destruction would have significant implications nationwide, with potential impacts to national economic
security, public health or safety, etc.
Requirement | Details | Guidance
CIP-002-3 R2 (Cyber Security: Critical Cyber Asset Identification) | The responsible entity shall develop a list of its identified critical assets determined through an annual application of the risk-based assessment methodology as required by this standard. List shall be reviewed and updated annually, at minimum. Assets to be considered should include the following: | Enrichment:
R5.1 (Cyber Security: Security Management Controls) | | Access Control: Enrichment:
CIP005-3a R2 (Cyber Security: Electronic Security Perimeter) | | Enrichment:
CIP005-3a R3 (Cyber Security: Electronic Security Perimeter) | | Use Cases:
CIP006-3c R.1.3 (Physical Security of Critical Cyber Assets) | | Enrichment:
CIP007-3a R2 (Cyber Security: System Security Management) | | Enrichment:
CIP007-3a R3 (Cyber Security: System Security Management) | | Enrichment:
CIP007-3a R4 (Cyber Security: System Security Management) | The Responsible Entity shall use anti-virus software and other malicious software (malware) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s). | Enrichment:
CIP007-3a R5 (Cyber Security: System Security Management) | | Account Management: Enrichment:
UCXXXX Abnormal volume of access to CIP data (unstructured and structured data stores)
UCXXXX ARP poisoning detected
UCXXXX Abnormal volume of email from internal user (by bytes)
UCXXXX Abnormal amount of email from internal user (by volume)
PRT04-FFIEC
Information security enables a financial institution to meet its business objectives by implementing business systems with due consideration of
information technology (IT)-related risks to the organization, business and trading partners, technology service providers, and customers.
Organizations meet this goal by striving to accomplish the following objectives (Underlying Models for IT Security, NIST SP 800-33, p. 2).
Availability: The ongoing availability of systems addresses the processes, policies, and controls used to ensure authorized users have
prompt access to information. This objective protects against intentional or accidental attempts to deny legitimate users access to
information or systems.
Scope of monitoring must include all infrastructure involved in banking services in the modern environment
Network Infrastructure operational and change for routers switches firewalls and active protection devices
Network Communication
Network Intrusion Detection
Network Load Balancers and Global Load Balancers
Application Firewalls
Operating System Authentication and Change Audit for server and client operating systems.
Network Authentication (local and virtual)
Database Server
Middleware Application Server
Central Authentication and Authorization
Use of Distributed Authentication (web SSO, SAML, Kerberos)
Two Factor Authentication
DNS Request Logs
Honeypots
Null Routes and Sink Holes
Email communication logs
Integrity of Data or Systems: System and data integrity relate to the processes, policies, and controls used to ensure information has not
been altered in an unauthorized manner and that systems are free from unauthorized manipulation that will compromise accuracy,
completeness, and reliability.
Host Intrusion Detection
Antimalware
Vulnerability Detection (Active and Passive)
IOC detection (scan and result)
Entitlement and Access Management
Infrastructure Management activity and change
Confidentiality of Data or Systems: Confidentiality covers the processes, policies, and controls employed to protect information of
customers and the institution against unauthorized access or use.
Entitlement and Access Management
Data Loss Prevention
Accountability: Clear accountability involves the processes, policies, and controls necessary to trace actions to their source. Accountability
directly supports nonrepudiation, deterrence, intrusion prevention, security monitoring, recovery, and legal admissibility of records.
Logs must be centralized in a secure and reliable manner including such features as log integrity checking, real time collection,
and long term storage
Assurance: Assurance addresses the processes, policies, and controls used to develop confidence that technical and operational security
measures work as intended. Assurance levels are part of the system design and include availability, integrity, confidentiality, and
accountability. Assurance highlights the notion that secure systems provide the intended functionality while preventing undesired actions.
Operating System Hardening System Compliance Scan and Result
Application System Hardening System Compliance Scan and Result
Automated Application Penetration Testing Scan and Result
Vulnerability Scan and Result
PRT02-SecurityVisibility
High level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of systems
in the enterprise and in the cloud.
PRT02-IdentifyPatientZero
PRT02-SecurityVisibilityEndpointMalware
PRT02-SecurityVisibilityExfiltration
PRT02-SecurityVisibilityLateralMovement
PRT02-SecurityVisibilityPhishingAttack
PRT02-SecurityVisibilityPriviledgeUserMonitoring
PRT02-SecurityVisibilityUserActivity
PRT02-SecurityVisibilityZeroDayAttacks
PRT02-SecurityVisiblityWebbait
UCESS061 Vulnerability Scanner Detected (by targets) (Narrative and Use Case Center)
Detects a potential vulnerability scanner by detecting devices that have triggered events against a large
number of unique targets. Vulnerability scanners generally trigger events against a high number of unique
hosts when they are scanning a network for vulnerable hosts. For the past ...
Aug 14, 2016
UCESS060 Vulnerability Scanner Detected (by events) (Narrative and Use Case Center)
Detects a potential vulnerability scanner by detecting devices that have triggered a large number of unique
events. Vulnerability scanners generally trigger a high number of unique events when scanning a host since each
vulnerability check tends to trigger a unique ...
Aug 14, 2016
Maturing
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016
PRT02-IdentifyPatientZero
In response to incursions, identification of patient zero is a critical step. Information gathered in this identification activity can inform the
organization as to the methods of the attackers and assist in the preparation of improved defenses.
Maturing
PRT02-SecurityVisibilityEndpointMalware
High level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of systems
in the enterprise and in the cloud.
Maturing
UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center)
Detects authentication requests that transmit the password over the network as cleartext
(unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original
raw, tags and count grouped by the application and destination (host, IP, name ...
Aug 14, 2016
UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center)
Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute
period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ...
Aug 16, 2016
UCESS006 Anomalous Audit Trail Activity Detected (Narrative and Use Case Center)
Discovers anomalous activity such as the deletion of or clearing of log files. Attackers oftentimes clear the log
files in order to hide their actions, therefore, this may indicate that the system has been compromised. Looking
across a realtime window of /5 minutes, search for action ...
Aug 14, 2016
UCESS037 Inactive Account Activity Detected (Narrative and Use Case Center)
Discovers previously inactive accounts that are now being used. This may be due to an attacker that
successfully gained access to an account that was no longer being used. Execute the inactiveaccountusage
macro and look across the time range of less than 90 days ago and greater ...
Aug 14, 2016
Looking across a realtime window of /5 minutes, run the macro getinterestingprocesses and return processes
where isprohibited is set to true. Run the macros geteventid and mapnotablefields and add the following fields
to the output: origeventid (macro creates hash of indexer, time and raw event ...
Aug 14, 2016
PRT02-SecurityVisibilityExfiltration
High level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of systems
in the enterprise and in the cloud.
Maturing
PRT02-SecurityVisibilityLateralMovement
Indication of movement within an organization's network following the compromise of an initial endpoint.
Maturing
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016
PRT02-SecurityVisibilityPhishingAttack
High level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of systems
in the enterprise and in the cloud.
Maturing
PRT02-SecurityVisibilityPriviledgeUserMonitoring
Users with privileged access to systems or information critical to the business should be monitored with greater scrutiny than users not similarly
entrusted.
Maturing
PRT02-SecurityVisibilityUserActivity
High level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of systems
in the enterprise and in the cloud.
UC0036 Compromised account access testing (Critical/Sensitive Resource) (Narrative and Use Case Center)
Following a successful authentication, an attacker will attempt to determine what resources may be accessed
without causing host intrusion or DLP technologies to detect activity. Commonly the attacker will enumerate
and browse to shares, access email, access web applications, or connect to databases ...
Apr 08, 2016
Maturing
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host based logs such as firewall or host intrusion detection for each asset with a governance category
verify communication (accept or reject) has occurred with origination from one or more authorized vulnerability
scanners, Problem Types Addressed Risk Addressed ...
Jul 12, 2016
UC0090 User account cross enclave access (Narrative and Use Case Center)
Detection of logon with the same account to a production and a non-production environment. If an account (not
user) has logged into more than one, account access management controls have failed and must be
remediated. Problem Types Addressed Risk Addressed Event Data ...
Jun 24, 2016
UC0040 Use of Shared Secret for or by automated process with risky attributes (Narrative and Use Case
Center)
Usage (checkout) by an automated process such as software installation of a shared secret or service account
where the source of the retrieval is new or outside of the change window. Problem Types Addressed Risk
Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity
RV1AbuseofAccess RV2Access ...
Apr 11, 2016
UC0012 Increase risk score of employees once adverse separation is identified or anticipated (Narrative and
Use Case Center)
Increase the risk score of users who have indication of adverse separation. Examples of users with an
indication of adverse separation, include but are not limited to the following: User has entered a remediation
program with human resources User has been identified as included in a reduction ...
Apr 08, 2016
UC0088 User account sharing detection by source device ownership (Narrative and Use Case Center)
Detection of logon device by asset name (may require resolution from IP) when logon user does not match the
owner and the number of unique owned devices is greater than two in the prior 24 hours. Exclude assets
identified as loaner ...
May 16, 2016
UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center)
Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the
source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB
devices ensure the first "xforwardedfor" entry ...
Jun 24, 2016
UC0033 Brute force authentication attempt distributed (Narrative and Use Case Center)
When more than 10 failed authentication attempts for known accounts occur for a single account from more
than 2 IP addresses in 60 minutes. This could indicate an adversary has identified a specific high value account
and is attempting ...
Jun 08, 2016
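The UC0033 threshold logic as an added Python example (not the catalogue's own search): a 60-minute sliding window per known account, alerting when failures exceed 10 and distinct source IPs exceed 2. The event format, the known-account list and the sample events are constructed.

```python
"""Detection logic for UC0033 (distributed brute force): more than 10 failed
authentication attempts against a single known account from more than 2 source
IP addresses within 60 minutes.

Added example, not part of the original catalogue. The event format, the
known-account list and the sample events are constructed for illustration.
"""
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, NamedTuple, Set

WINDOW = timedelta(minutes=60)
MAX_FAILURES = 10   # alert when strictly exceeded
MAX_SOURCES = 2     # alert when strictly exceeded


class AuthFailure(NamedTuple):
    ts: datetime
    user: str
    src_ip: str


class Alert(NamedTuple):
    user: str
    failures: int
    sources: int
    window_end: datetime


def parse_event(line: str) -> AuthFailure:
    """Parse a constructed key=value failure event such as
    '2016-06-08T10:00:00 action=failure user=jdoe src=203.0.113.5'."""
    ts_str, *pairs = line.split()
    kv = dict(p.split("=", 1) for p in pairs)
    if kv.get("action") != "failure":
        raise ValueError("not an authentication failure: " + line)
    return AuthFailure(datetime.fromisoformat(ts_str), kv["user"], kv["src"])


def detect_distributed_brute_force(events: Iterable[AuthFailure],
                                   known_accounts: Set[str]) -> List[Alert]:
    """Sliding 60-minute window per known account; one alert per account, raised
    the first time both thresholds are exceeded. Failures against unknown
    accounts are ignored: username guessing is a different use case."""
    windows: Dict[str, Deque[AuthFailure]] = {}
    alerted: Set[str] = set()
    alerts: List[Alert] = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.user not in known_accounts or ev.user in alerted:
            continue
        w = windows.setdefault(ev.user, deque())
        w.append(ev)
        while w and ev.ts - w[0].ts > WINDOW:
            w.popleft()  # drop failures older than 60 minutes
        sources = {e.src_ip for e in w}
        if len(w) > MAX_FAILURES and len(sources) > MAX_SOURCES:
            alerts.append(Alert(ev.user, len(w), len(sources), ev.ts))
            alerted.add(ev.user)
    return alerts


def constructed_events() -> List[AuthFailure]:
    """Constructed sample: one distributed attack, one single-source attack and
    one slow spray that never fills the window."""
    base = datetime(2016, 6, 8, 10, 0, 0)
    srcs = ["203.0.113.5", "203.0.113.9", "198.51.100.7"]
    evs: List[AuthFailure] = []
    for i in range(12):   # 12 failures from 3 sources inside 24 minutes -> alert
        evs.append(AuthFailure(base + timedelta(minutes=2 * i), "svc_backup", srcs[i % 3]))
    for i in range(12):   # 12 failures from one source -> not distributed, no alert
        evs.append(AuthFailure(base + timedelta(minutes=i), "jdoe", "192.0.2.10"))
    for i in range(15):   # 15 minutes apart: at most 5 in any window, no alert
        evs.append(AuthFailure(base + timedelta(minutes=15 * i), "admin", srcs[i % 3]))
    return evs


if __name__ == "__main__":
    known = {"svc_backup", "jdoe", "admin"}
    for a in detect_distributed_brute_force(constructed_events(), known):
        print(f"UC0033 user={a.user} failures={a.failures} sources={a.sources} at={a.window_end}")
```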
UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)
Identify users gaining access via an unapproved or unknown access control. This could indicate malicious
activity or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access
RV3MaliciousCode RV6Misconfiguration ...
Apr 08, 2016
UC0080 Trusted Individual exceeds authorization in observation of other users (Narrative and Use Case
Center)
Evaluate queries executed by authorized trusted individuals to determine if the user is observing the behavior
of other users for reasons not authorized as part of the user's job function. Problem Types Addressed Risk
Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity
RV1AbuseofAccess ...
Apr 25, 2016
PRT02-SecurityVisibilityZeroDayAttacks
High level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of systems
in the enterprise and in the cloud.
Maturing
PRT02-SecurityVisiblityWebbait
Similar to Phishing attacks using baited web content such as compromised advertising systems and watering hole web sites
Maturing
PRT03-PeerAdoption
Pressure to emulate similar peers based on the objective of security via minimum accepted industry norms. This view will assist the user in
determining which use cases should be considered during the adoption phase
PRT03-PeerAdoption-Phase1-Essentials
PRT03-PeerAdoption-Phase2-Maturing
PRT03-PeerAdoption-Phase3-Mature
PRT03-PeerAdoption-Phase4-Edge
PRT03-PeerAdoption-Phase1-Essentials
Use case narratives adopted during the initial deployment phase of a security operations, monitoring, and response program.
UC0006 Windows security event log purged (Narrative and Use Case Center)
Manually clearing the security event log on a Windows system is a violation of policy and could indicate an attempt
to cover malicious actions. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV1AbuseofAccess DS007AuditTrailET01Clear
DE001AssetInformation Adoption ...
Apr 08, 2016
UC0036 Compromised account access testing (Critical/Sensitive Resource) (Narrative and Use Case Center)
Following a successful authentication, an attacker will attempt to determine what resources may be accessed
without causing host intrusion or DLP technologies to detect activity. Commonly the attacker will enumerate and
browse to shares, access email, access web applications, or connect to databases ...
Apr 08, 2016
UC0002 Detection of prohibited protocol (application) (Narrative and Use Case Center)
A prohibited protocol such as IRC, FTP, or gopher could indicate malicious activity or the implementation of an
insecure system on the network. Consider intranetwork communication and accepted communications from the
internet. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware ...
Apr 08, 2016
UC0037 Network Intrusion External - New Signatures (Narrative and Use Case Center)
External IDS devices reporting an attack using a signature not previously encountered are more likely to be
successful, as new signatures are prompted by newly known attacks in the wild. Problem Types Addressed Risk
Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware OR is this something ...
Apr 08, 2016
UC0046 Endpoint failure to sync time (Narrative and Use Case Center)
Failure to synchronize time will impact the usefulness of security log data from the endpoint, and potentially
prevent valid authentication. Exclude virtual machine guests as their time is synchronized with the virtual host.
Problem Types Addressed Risk Addressed Event Data Sources ...
Apr 25, 2016
UC0003 Server generating email outside of approved usage (Narrative and Use Case Center)
Server operating systems often generate email for routine purposes. Configuration management can be used to
identify which server may generate email and what recipients are permitted. Identify servers receiving email from
the internet without approval Identify ...
Apr 19, 2016
UC0030 Endpoint uncleaned malware detection (Narrative and Use Case Center)
Endpoint with malware detection where anti malware product attempted to and was unable to clean, remove or
quarantine. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance
PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected
DDE007 Signature Special Processing List ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case Center)
Any attempted communication through the firewall not previously granted by ingress/egress policies could indicate
either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions (bypassing
the firewall). Legacy Command and Control (a.k.a. C&C or C2 ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0074 Network Intrusion Internal Network (Narrative and Use Case Center)
IDS/IPS detecting or blocking an attack based on a known signature. Problem Types Addressed Risk Addressed
Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode
DS012NetworkIntrusionDetectionET01SigDetection DE001AssetInformation Adoption Phase Customer Adoption
Phase SME Adoption Phase ...
May 09, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0029 Endpoint new malware detected by signature (Narrative and Use Case Center)
When a new malware variant is detected by endpoint antivirus technology it is possible the configuration or capability
of other controls are deficient. Review the sequence of events leading to the infection to determine if additional
preventive measures can be put in place. Problem Types Addressed Risk ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
PRT03-PeerAdoption-Phase2-Maturing
Use case narratives adopted during the second deployment phase of a security operations, monitoring, and response program.
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host based logs such as firewall or host intrusion detection for each asset with a governance category verify
communication (accept or reject) has occurred with origination from one or more authorized vulnerability scanners,
Problem Types Addressed Risk Addressed ...
Jul 12, 2016
UC0094 Insecure authentication method detected (Narrative and Use Case Center)
For each authentication technology in the network, identify the values of authentication events that positively ensure
that secure authentication is in use. Alert per authentication technology where a successful event occurs without
the required indicators. Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016
UC0090 User account cross enclave access (Narrative and Use Case Center)
Detection of logon with the same account to a production and a non-production environment. If an account (not a
user) has logged into more than one environment, access management controls have failed and must be remediated.
Problem Types Addressed Risk Addressed Event Data ...
Jun 24, 2016
UC0040 Use of Shared Secret for or by automated process with risky attributes (Narrative and Use Case Center)
Usage (checkout) by an automated process such as software installation of a shared secret or service account
where the source of the retrieval is new or outside of the change window. Problem Types Addressed Risk
Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity
RV1AbuseofAccess RV2Access ...
Apr 11, 2016
UC0012 Increase risk score of employees once adverse separation is identified or anticipated (Narrative and Use Case Center)
Increase the risk score of users who have indication of adverse separation. Examples of users with an indication of
adverse separation, include but are not limited to the following: User has entered a remediation program with
human resources User has been identified as included in a reduction ...
Apr 08, 2016
UC0082 Communication with enclave by default rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of
the organization or an actual/attempted compromise. Communication filtered by the default rule implies no explicit
permission for communication has been granted and should be reviewed. Consider ingress ...
Apr 27, 2016
UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center)
Using network communication fingerprinting, detect distinct primary functions such as SQL, HTTP and DNS by
destination asset. Alert if more than one primary function is present, excluding administrative protocols (RDP, SSH, iDRAC).
Problem Types Addressed Risk Addressed ...
Apr 28, 2016
UC0031 Non human account starting processes not associated with the purpose of the account (Narrative and
Use Case Center)
Accounts designated for use by services and batch processes should start a limited set of child processes. Creation
of new child processes other than the process name defined in the service or batch definition may indicate
compromise. Problem Types Addressed ...
Apr 08, 2016
UC0088 User account sharing detection by source device ownership (Narrative and Use Case Center)
Detection of logon device by asset name (may require resolution from IP) when logon user does not match the
owner and the number of unique owned devices is greater than two in the prior 24 hours. Exclude assets identified
as loaner ...
May 16, 2016
UC0093 Previously active account has not accessed enclave/lifecycle (Narrative and Use Case Center)
Identify accounts no longer in use with access to high/critical or enclave systems and remove access when no
longer required. Implement a tracking list of accounts and the accessed enclave or business service identifier,
maintain the last accessed time and alert when the last ...
Jun 24, 2016
UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall
rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of
the organization or an actual/attempted compromise. Maintain a dynamic list of firewall rule names by dvc; alert when
a rule is named in an allowed communication where the reviewed ...
Apr 27, 2016
UC0077 Detection of Risky Referral Domains (Narrative and Use Case Center)
Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the
following sequences occurs: New domain in http referrer field; First occurrence of domain as sender domain is less
than 48 ...
Jun 24, 2016
Labels: creative
UC0085 Alert per host where web application logs indicate a source IP not classified as WAF (Narrative and Use
Case Center)
Communication to any web application server without filtering by a network web application firewall indicates a
security misconfiguration. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS014WebServerET01Access DDE001 Asset
Information ...
Apr 27, 2016
UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center)
Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the
source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices,
ensure the first "xforwardedfor" entry ...
Jun 24, 2016
UC0084 Monitor Execution of Triage Activity (Narrative and Use Case Center)
Define and maintain eventtypes for unsuppressed notable events, separately identifying the review workflow and the
triage SLA required. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS013TicketManagementET01 TBD Adoption
Phase ...
Apr 27, 2016
UC0033 Brute force authentication attempt distributed (Narrative and Use Case Center)
When more than 10 failed authentication attempts for known accounts occur for a single account from more than 2
IP addresses in 60 minutes. This could indicate an adversary has identified a specific high value account and is
attempting ...
Jun 08, 2016
UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)
Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity
or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode
RV6Misconfiguration ...
Apr 08, 2016
UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center)
Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may
indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed Event
Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe ...
Apr 08, 2016
UC0025 Endpoint Multiple devices in 48 hours in the same site (Narrative and Use Case Center)
Multiple infected devices in the same site could indicate a successful watering hole attack. Monitor for more than
5% of the hosts in a site. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected
DE001AssetInformation ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center)
Endpoints communicating with an excessive number of unique destination ports could indicate malicious code
probing for vulnerabilities. Certain server applications will arrange for communication on a high-numbered port with
the client, such as FTP in passive mode and RPC on Windows Server. Utilize category ...
Apr 08, 2016
UC0026 Endpoint Multiple devices in 48 hours in the same subnet (Narrative and Use Case Center)
Multiple infected devices in the same subnet could indicate lateral movement of an adversary or a possible worm.
Monitor for more than 5% of the host addresses on a subnet as it is not readily possible to know how many hosts
are active on a subnet. Problem Types Addressed ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0080 Trusted Individual exceeds authorization in observation of other users (Narrative and Use Case Center)
Evaluate queries executed by authorized trusted individuals to determine if the user is observing the behavior of
other users for reasons not authorized as part of the user's job function. Problem Types Addressed Risk
Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity
RV1AbuseofAccess ...
Apr 25, 2016
UC0042 SSH Authentication using unknown key (Narrative and Use Case Center)
The public key utilized for authentication is recorded in the SSHD authentication log. Detection of a new key should be
investigated to determine the owner of the key and validate authorization to access the resource. Problem Types
Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance ...
Apr 11, 2016
UC0044 Network authentication using password auth (Narrative and Use Case Center)
Even using SSH encryption, allowing password authentication to Linux/Unix systems over the network increases
the attack surface and the possible impact of a compromised account. Investigate and resolve all instances of
network authentication utilizing password. Problem Types Addressed ...
Apr 11, 2016
UC0032 Brute force authentication attempt (Narrative and Use Case Center)
When more than 10 failed authentication attempts for known accounts occur from a single endpoint. Problem Types
Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access
DS003AuthenticationET02Failure DE001AssetInformation DE002IdentityInformation Adoption Phase Customer ...
Apr 08, 2016
UC0017 Unauthorized access or risky use of NHA (Narrative and Use Case Center)
Detect the use of a Windows account designated by the organization as a non human account (NHA) outside of
the normal usage of such an account: login where the interactive indicator is set; login where the caller computer
is a workstation or terminal server. Problem Types Addressed Risk ...
Apr 08, 2016
UC0013 Monitor change for high value groups (Narrative and Use Case Center)
Detection of change for groups used to control access for sensitive, regulated, or critical infrastructure systems.
Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity
RV2Access DS006UserActivityET04Update DE002IdentityInformation Identity category terminated Identity
category reductioninforce ...
Apr 08, 2016
UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit (Narrative and
Use Case Center)
Multiple infected devices in the same organizational unit could indicate a successful spear phishing attack. Monitor
for more than 5% of the hosts in an organizational unit. Problem Types Addressed Risk Addressed Event Data
Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0089 Detection of Communication with Algorithmically Generated Domain (Narrative and Use Case Center)
Using an algorithm, determine whether the text of the registration domain is likely to be generated by a computer, excluding
known cloud hosting domains, Alexa TOP 1M domains and domains with long established communication with
the organization. Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016
Labels: prt05-tacticalthreat-ransomeware, creative
UC0001 Detection of new/prohibited web application (Narrative and Use Case Center)
A prohibited web application such as Box or a game on the Facebook platform can be detected and filtered by
modern web proxy solutions and next generation firewalls. Allowed prohibited applications or new application
instances should be reviewed to ensure proper use. Problem Types ...
Apr 08, 2016
UC0014 Monitor use attempts of human accounts once primary account is expired, disabled or deleted (Narrative and Use Case Center)
A human user may own multiple accounts. When the primary account of the human is expired, disabled, or deleted,
we should expect no further activity from any other account owned by the user. Problem Types Addressed Risk
Addressed Event ...
Apr 08, 2016
UC0019 User authenticated to routine business systems while on extended absence (Narrative and Use Case Center)
A user on leave, vacation, sabbatical, or other types of leave should not access business systems. This could
indicate malicious activity by the employee or a compromised account. Problem Types Addressed Risk Addressed
Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access
DS003AuthenticationET01Success ...
Apr 08, 2016
UC0038 Excessive use of Shared Secrets (Narrative and Use Case Center)
Usage of greater than X number of unique shared/secret credentials or more than 1 standard deviation from peers
Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance
PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access DS006UserActivityET07ExecuteAs ...
Apr 11, 2016
UC0008 Activity on previously inactive account (Narrative and Use Case Center)
Excluding computer accounts in active directory, an account with new activity that has not been active in the
previous thirty days is suspicious. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode DS003AuthenticationET01Success
DE002IdentityInformation Adoption ...
Apr 08, 2016
UC0039 Use of Shared Secret for access to critical or sensitive system (Narrative and Use Case Center)
Use of a secret/shared secret account for access to such a system rather than accountable credentials could
indicate an attempt to avoid detection. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access
DS006UserActivityET07ExecuteAs ...
Apr 11, 2016
UC0047 Communication with newly seen domain (Narrative and Use Case Center)
Newly seen domains may indicate interaction with risky or malicious servers. Identification of new domains via
web proxy logs without other IOCs allows the analyst/threat hunter to explore the relevant data and potentially
identify weaknesses or risky ...
Jul 20, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0018 Unauthorized access SSO brute force (Narrative and Use Case Center)
Single IP address attempting authentication of more than two valid users within ten minutes where one or more
unique accounts is successful, and one or more accounts is not successful against an approved SSO System.
Problem Types Addressed ...
Apr 08, 2016
UC0072 Detection of unauthorized use of DNS resolution for WPAD (Narrative and Use Case Center)
Detection of an endpoint utilizing DNS as a method of proxying by querying for wpad.registrationdomain. Search
for NXDOMAIN replies to A/AAAA queries for wpad (bare host) and wpad. where the domain portion is not a
company owned domain. Problem Types Addressed Risk Addressed Event ...
Apr 25, 2016
UC0081 Communication with unestablished domain (Narrative and Use Case Center)
Egress communication with a newly seen, newly registered, or registration date unknown domain may indicate the
presence of malicious code. Assets communicating with external services excluding Alexa TOP 1M whose
reputation score exceeds acceptable norms will be flagged ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0009 Authenticated communication from a risky source network (Narrative and Use Case Center)
Internet facing authentication system has allowed authenticated access from a risky source network. Always
consider the following sources risky: anonymizing services such as VPN providers and proxy systems; threat list
identification of IP; B2B communications; dial ...
Apr 08, 2016
UC0007 Account logon successful method outside of policy (Narrative and Use Case Center)
Logon event properties could indicate account misuse in violation of policy OR an indication of compromise, by
comparing the identified purpose of the account to the context of the logon to determine if the account is
authorized for such usage. Accounts provisioned for human access should NOT be identified as logging on as a
network or batch ...
Jun 24, 2016
Labels: creative
UC0028 Endpoint Multiple infections over short time (Narrative and Use Case Center)
Multiple infections detected on the same endpoint in a short period of time could indicate the presence of an
undetected loader malware component (APT). Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode
DS004EndPointAntiMalwareET01SigDetected DE001AssetInformation DDE007 ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0005 System modification to insecure state (Narrative and Use Case Center)
Authorized or unauthorized users may attempt to modify the system such that hardened configuration policies are
removed or security monitoring tools are disabled. Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV1AbuseofAccess
RV6Misconfiguration DS TBD ...
Apr 08, 2016
UC0021 Communication outbound to regions without business relationship (Narrative and Use Case Center)
Outbound communication with servers hosted in regions where the organization does not expect to have
employees, customers, or suppliers. Exclude authorized DNS servers communicating on a standard DNS port;
exclude destination DNS servers on the ICANN root list; exclude authorized ...
Apr 08, 2016
UC0079 Use of accountable privileged identity to access new or rare sensitive resource (Narrative and Use Case
Center)
Use of an identity identified as privileged to access a system for the first time within a rolling time period will trigger
a notable event for review of access reason. Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT01Compliance PRT02SecurityVisibilityPriviledgeUserMonitoring RV1AbuseofAccess ...
Apr 08, 2016
UC0015 Privileged user accessing more than expected number of machines in period (Narrative and Use Case
Center)
Privileged user authenticates to more than X number of new targets successfully or is denied access to more than
Y targets in the prior Z hours. For example: more than 5 new targets; more than 3 failures; in the last ...
Apr 08, 2016
UC0034 Brute force successful authentication (Narrative and Use Case Center)
A source IP identified by a brute force use case authenticates successfully, OR an account identified by a brute force
use case successfully logs in after failing once from the same source address. Problem Types Addressed Risk
Addressed Event Data ...
Apr 27, 2016
UC0071 Improbably short time between Remote Authentications with IP change (Narrative and Use Case Center)
For employers that allow remote external connectivity, the detection of two or more distinct values of external source IP
address for successful authentications to a remote access solution in a short period of time indicates a likely
compromise of credentials. The short period of time value ...
Apr 25, 2016
UC0004 Excessive number of emails sent from internal user (Narrative and Use Case Center)
Excessive email generation by an authorized user could indicate the presence of malware for the purpose of spam
sending, abusing company resources, or attempting to solve a business problem using a technique not approved
by policy. For this use case, email generated from endpoint networks ...
Apr 08, 2016
UC0016 Successfully authenticated computer accounts accessing network resources (Narrative and Use Case
Center)
Batch, Windows Services, App Pools, and specially constructed Windows shells can access network resources. A
small number of technical solutions will require this type of behavior, however, after excluding a white list of hosts
or shares (such as sysvol or netlogon), such access ...
Apr 08, 2016
UC0011 Improbable distance between logins (Narrative and Use Case Center)
Utilizing source IP address, geolocation data and, where available for company owned mobile devices, GPS data for
mobile devices. Using the Haversine formula, calculate the distance between the successful authenticated
connections. Detect where: Total distance is greater than ...
Apr 08, 2016
UC0035 Compromised account access testing (Narrative and Use Case Center)
Following a successful authentication, an attacker will attempt to determine what resources may be accessed
without causing host intrusion or DLP technologies to detect activity. Commonly the attacker will enumerate and
browse to shares, access email, access web applications, or connect to databases ...
Apr 08, 2016
UC0073 Endpoint detected malware infection from url (Narrative and Use Case Center)
Endpoint antimalware detection event occurred where the malicious content was retrieved from an external URL.
Possible indication of gaps in protection by web proxy, intrusion prevention, or advanced threat prevention. Use
the information available for the event and determine how existing ...
Apr 11, 2016
Labels: prt05-tacticalthreat-ransomeware
PRT03-PeerAdoption-Phase3-Mature
Use case narratives adopted during the third deployment phase of a security operations, monitoring, and response program.
UCESS016 Default Account Activity Detected (Narrative and Use Case Center)
Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default
passwords and are therefore commonly targeted by attackers using brute force attack tools. Looking across a
realtime window of /5 minutes, return lastTime, tag ...
Aug 14, 2016
UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center)
Detects authentication requests that transmit the password over the network as cleartext
(unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original
raw, tags and count grouped by the application and destination (host, IP, name ...
Aug 14, 2016
UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center)
The primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and
associates identity and asset information with each. Looking back over the past 24 hours, return values of the
function and their distinct count grouped by destination (host ...
Aug 14, 2016
UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center)
Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute
period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ...
Aug 16, 2016
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host based logs such as firewall or host intrusion detection for each asset with a governance category
verify communication (accept or reject) has occurred with origination from one or more authorized vulnerability
scanners, Problem Types Addressed Risk Addressed ...
Jul 12, 2016
UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center)
Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared
passwords and potential misuse. Looking across the prior 65 minutes starting 5 minutes ago, search for time,
application, source (host, IP, name) and user ...
Aug 14, 2016
UCESS063 Web Uploads to Non-corporate Sites by Users (Narrative and Use Case Center)
Alerts on high volume web uploads by a user to non-corporate domains. For the past 60 minutes starting 5
minutes after realtime, sum the total number of bytes transferred where the HTTP method is POST or PUT and
the domain is not in the corporate web domain lookup ...
Aug 14, 2016
PRT03-PeerAdoption-Phase4-Edge
Use case narratives adopted based on specific circumstances in the organization. Specific capabilities and complexities will dictate the
appropriate time for adoption of these narratives.
UC0065 Malware detected compliance asset (Narrative and Use Case Center)
Malware detection on an asset designated as compliance, such as PCI, CIP or HIPAA, requires review even
when automatic clean has occurred. Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode
DS004EndPointAntiMalwareET01SigDetected DDE001 ...
Aug 29, 2016
UCESS013 Cleartext Password At Rest Detected (Narrative and Use Case Center)
Detects cleartext passwords being stored at rest (such as in the Unix password file). Looking across a realtime
window of /5 minutes, search for Last Time, Original Raw Event Data, tag and count grouped by
destination(host, IP, name), user ...
Aug 14, 2016
UCESS044 Personally Identifiable Information Detected (Narrative and Use Case Center)
Looking across a realtime window of /5 minutes, find integer sequences and lookup against luhnlikelookup and
output fields pii and piiclean. Lookup iinissuer in the iinlookup table based on the piiclean string and length of
the string. Output event id (macro that creates ...
Aug 14, 2016
UCESS052 Substantial Increase In Port Activity (Narrative and Use Case Center)
Alerts when a statistically significant increase in events on a given port is observed. For the past hour, using all
summary data even if the model has changed, generate a count by destination port and compare that count
against the previous hour and trigger if the destination ...
Aug 14, 2016
UCESS002 Abnormally High Number of Endpoint Changes By User (Narrative and Use Case Center)
Detects an abnormally high number of endpoint changes by user account, as they relate to restarts, audits,
filesystem, user, and registry modifications. For the past 24 hours starting on the hour, using all summary data
even if the model has changed, generate a count ...
Aug 14, 2016
UC0087 Malware signature not updated by SLA for compliance asset (Narrative and Use Case Center)
Malware signature last updated on an asset designated as compliance, such as PCI, CIP or HIPAA, beyond SLA
limits. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance
PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET02UpdatedSig
DDE001 Asset Information https://securitykit.atlassian.net/wiki/display/GD/DDE001AssetInformation ...
Apr 28, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0051 Excessive physical access failures to CIP assets (Narrative and Use Case Center)
A user with continuous physical access failures could be someone searching for a physical vulnerability within the
organization. When this occurs in an area that is protecting CIP assets, it is something that should be followed
up on immediately. Problem Types Addressed Risk Addressed Event Data ...
Apr 27, 2016
UCESS003 Abnormally High Number of HTTP Method Events By Src (Narrative and Use Case Center)
Alerts when a host has an abnormally high number of HTTP requests by http method. For the past 24 hours
starting on the hour, using all summary data even if the model has changed, generate a count of the source of
the network traffic and the HTTP ...
Jul 22, 2016
UCESS010 Anomalous New Listening Port (Narrative and Use Case Center)
Alerts when a series of hosts begins listening on a new port within 24 hours. This may be an indication that the
devices have been compromised or have had new (and potentially vulnerable) software installed. Listening
ports tracker contains destination IP and port ...
Aug 14, 2016
PRT04-ProcessEffectivness
High level security visibility problems speak to a need for a unified system for the collection and analysis of event data from many types of systems
in the enterprise and in the cloud.
PRT04-ProcessEffectivness-HuntPaths
Maturing
UC0047 Communication with newly seen domain (Narrative and Use Case Center)
Newly seen domains may indicate interaction with risky or malicious servers. Identification of new domains
via web proxy logs without other IOCs allows the analyst/threat hunter to explore the relevant data and
potentially identify weaknesses or risky ...
Jul 20, 2016
Labels: prt05-tacticalthreat-ransomeware
PRT04-ProcessEffectivness-HuntPaths
Utilizing searches and automated prompts, the analyst will investigate selected events that are considered low fidelity to identify, using an analytic
process, potential security weaknesses or previously unknown threats.
PRT05-Tactical Threat
In the constantly evolving threat landscape, organizations often must set aside strategic plans and react to specific threats. Tactical threat
motivations support the urgent onboarding of missing critical data sources.
PRT05-TacticalThreat-InsiderThreat
PRT05-TacticalThreat-Ransomeware
PRT05-TacticalThreat-SpearphishingCampaign
PRT05-TacticalThreat-InsiderThreat
Insiders, defined as employees, contractors, partners, or anyone else with AUTHORIZED internal access, often have the knowledge and access
necessary to allow them to bypass security measures to critical systems through legitimate means. The nature of the insider threat is different
from external threats, and therefore requires a different strategy for preventing and addressing them. The following use cases and data sources
are helpful in detecting and mitigating potential insider threat activity.
Domain
Description
Enrichment
Data Sources
Status
Data
Exfiltration
DDE001 Asset
Information
DS001Mail-ET03Send
Adoptable:
ES Product
UC
DDE001 Asset
Information
DS001Mail-ET03Send
Draft
Narrative
DDE002 Identity
Information
Windows Security
Logs
Draft
Narrative
Auditing: File/Directory
Object Access
(EventCodes 4656,
4663)
Data
Exfiltration
Data
Exfiltration
DDE002 Identity
Information
DDE023 CIM Corporate
Email Domains
Malicious
Insider
UCESS060 Vulnerability
Scanner Detected (by events)
DDE001 Asset
Information
IDS/IPS
Adoptable:
ES Product
UC
Malicious
Insider
UCESS061 Vulnerability
Scanner Detected (by targets)
DDE001 Asset
Information
IDS/IPS
Adoptable:
ES Product
UC
Unauthorized
Access
DDE001 Asset
Information
Authentication
Adoptable:
ES Product
UC
DDE001 Asset
Information
Authentication
In
Development
DDE001 Asset
Information
Authentication
Adoptable
Narrative Custom
Web
In
Development
Unauthorized
Access
Unauthorized
Access
DDE002 Identity
Information
DDE002 Identity
Information
DDE002 Identity
Information
DDE002 Identity
Information
Watchlisted Sites
Potential
Threat
(various
categories)
DDE002 Identity
Information
Insider Threat "Content
Pack"
Insider Threat
Content Pack
Correlation Rules
In
Development
PRT05-TacticalThreat-Ransomeware
Ransomware includes multiple broad categories, including denial of service by encryption and extortion by data exfiltration. The following
collection of data sources and use cases highlight strategies found useful in mitigation of this threat.
DS001MAIL
DS002DNS
UC0089 Detection of Communication with Algorithmically Generated Domain (Narrative and Use Case
Center)
Using an algorithm, determine whether the text of the registration domain is likely to be generated by a computer,
excluding known cloud hosting domains, Alexa TOP 1M domains and domains with long established
communication with the organization. Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016
Labels: prt05-tacticalthreat-ransomeware, creative
UC0081 Communication with unestablished domain (Narrative and Use Case Center)
Egress communication with a newly seen, newly registered, or registration date unknown domain may
indicate the presence of malicious code. Assets communicating with external services excluding Alexa
TOP 1M whose reputation score exceeds acceptable norms will be flagged ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware
DS004EndPointAntiMalware
UC0087 Malware signature not updated by SLA for compliance asset (Narrative and Use Case Center)
Malware signature last updated on an asset designated as compliance, such as PCI, CIP or HIPAA, beyond SLA
limits. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance
PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET02UpdatedSig
DDE001 Asset Information https://securitykit.atlassian.net/wiki/display/GD/DDE001AssetInformation ...
Apr 28, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0025 Endpoint Multiple devices in 48 hours in the same site (Narrative and Use Case Center)
Multiple infected devices in the same site could indicate a successful watering hole attack. Monitor for more than
5% of the hosts in a site. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected
DE001AssetInformation ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0026 Endpoint Multiple devices in 48 hours in the same subnet (Narrative and Use Case Center)
Multiple infected devices in the same subnet could indicate lateral movement of an adversary or a possible worm.
Monitor for more than 5% of the host addresses on a subnet as it is not readily possible to know how many hosts
are active on a subnet. Problem Types Addressed ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit (Narrative and Use Case Center)
Multiple infected devices in the same organizational unit could indicate a successful spear phishing attack. Monitor
for more than 5% of the hosts in an organizational unit. Problem Types Addressed Risk Addressed Event Data
Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
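UC0025, UC0026 and UC0027 are one calculation with three groupings: distinct infected hosts in the last 48 hours divided by a denominator, alerting when the share is more than 5%. The only subtle part is the denominator, which UC0026 spells out: for a subnet the count of live hosts is not knowable, so the address space is used instead, which makes the subnet rule deliberately harder to trip than the site and organizational-unit rules. The Python below is an added example for this review, not Splunk content; the asset lookup (standing in for DDE001 Asset Information), the subnet list, the detections and the signature names are constructed.

```python
"""Infected-device concentration by site, subnet and OU (added example)."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=48)
THRESHOLD = 0.05   # "more than 5%" in all three use cases


def build_assets():
    """Constructed DDE001-style asset lookup: ip -> {site, ou}. Forty NYC hosts
    split across two organizational units, twenty LON hosts in one."""
    assets = {}
    for i in range(1, 41):
        assets[f"10.10.0.{i}"] = {"site": "NYC", "ou": "Finance" if i <= 20 else "Engineering"}
    for i in range(1, 21):
        assets[f"10.20.0.{i}"] = {"site": "LON", "ou": "Sales"}
    return assets


ASSETS = build_assets()
SUBNETS = [ipaddress.ip_network("10.10.0.0/26"), ipaddress.ip_network("10.20.0.0/24")]


def subnet_of(ip, subnets):
    addr = ipaddress.ip_address(ip)
    return next((n for n in subnets if addr in n), None)


def evaluate(detections, assets, subnets, now, window=WINDOW, threshold=THRESHOLD):
    """detections: (timestamp, dest_ip, signature) from DS004 ET01SigDetected.
    Collects the distinct infected hosts within `window` of `now` per site
    (UC0025), subnet (UC0026) and owning OU (UC0027) and returns the groups
    whose infected share exceeds `threshold`, as
    (kind, key) -> (infected_hosts, denominator, ratio)."""
    infected = defaultdict(set)
    for ts, ip, _signature in detections:
        if now - ts > window:
            continue
        asset = assets.get(ip)
        if asset:
            infected[("site", asset["site"])].add(ip)
            infected[("ou", asset["ou"])].add(ip)
        net = subnet_of(ip, subnets)
        if net is not None:
            infected[("subnet", str(net))].add(ip)

    # Denominators: inventory counts for site and OU; the address-space size for
    # a subnet, because the number of live hosts on it is not reliably known.
    site_total = defaultdict(int)
    ou_total = defaultdict(int)
    for a in assets.values():
        site_total[a["site"]] += 1
        ou_total[a["ou"]] += 1
    subnet_total = {str(n): n.num_addresses for n in subnets}
    totals = {"site": site_total, "ou": ou_total, "subnet": subnet_total}

    alerts = {}
    for (kind, key), hosts in infected.items():
        denominator = totals[kind][key]
        ratio = len(hosts) / denominator
        if ratio > threshold:
            alerts[(kind, key)] = (len(hosts), denominator, ratio)
    return alerts


# Constructed detections (not real telemetry).
NOW = datetime(2016, 4, 8, 12, 0, tzinfo=timezone.utc)
DETECTIONS = [
    (NOW - timedelta(hours=1), "10.10.0.1", "Trojan.Generic"),
    (NOW - timedelta(hours=5), "10.10.0.2", "Trojan.Generic"),
    (NOW - timedelta(hours=30), "10.10.0.3", "Ransom.Generic"),
    (NOW - timedelta(hours=30), "10.10.0.3", "Ransom.Generic"),   # same host again: counted once
    (NOW - timedelta(days=5), "10.10.0.30", "Adware.Generic"),    # outside the 48 h window
    (NOW - timedelta(hours=2), "10.20.0.5", "Trojan.Generic"),    # LON: exactly 5%, not "more than"
]

if __name__ == "__main__":
    for (kind, key), (n, d, r) in sorted(evaluate(DETECTIONS, ASSETS, SUBNETS, NOW).items()):
        print(f"{kind}={key}: {n}/{d} infected ({r:.1%})")
```

With this data the NYC site (3 of 40) and the Finance OU (3 of 20) alert, while the same three hosts on 10.10.0.0/26 are 3 of 64 addresses and stay under 5%; LON's single infection is exactly 5% and is not reported, which is the behaviour the "more than" wording implies.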
UC0030 Endpoint uncleaned malware detection (Narrative and Use Case Center)
Endpoint with a malware detection where the anti-malware product attempted to and was unable to clean, remove or
quarantine. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance
PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected
DDE007 Signature Special Processing List ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0028 Endpoint Multiple infections over short time (Narrative and Use Case Center)
Multiple infections detected on the same endpoint in a short period of time could indicate the presence of an
undetected loader malware component (APT). Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode
DS004EndPointAntiMalwareET01SigDetected DE001AssetInformation DDE007 ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0029 Endpoint new malware detected by signature (Narrative and Use Case Center)
When a new malware variant is detected by endpoint antivirus technology, it is possible that the configuration or capability
of other controls is deficient. Review the sequence of events leading to the infection to determine whether additional
preventive measures can be put in place. Problem Types Addressed Risk ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0073 Endpoint detected malware infection from url (Narrative and Use Case Center)
Endpoint antimalware detection event occurred where the malicious content was retrieved from an external URL.
Possible indication of gaps in protection by web proxy, intrusion prevention, or advanced threat prevention. Use
the information available for the event and determine how existing ...
UC0047 Communication with newly seen domain (Narrative and Use Case Center)
Newly seen domains may indicate interaction with risky or malicious servers. Identification of new domains via
web proxy logs without other IOCs allows the analyst/threat hunter to explore the relevant data and potentially
identify weaknesses or risky ...
Jul 20, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0081 Communication with unestablished domain (Narrative and Use Case Center)
Egress communication with a newly seen, newly registered, or registration-date-unknown domain may indicate the
presence of malicious code. Assets communicating with external services (excluding the Alexa Top 1M) whose
reputation score exceeds acceptable norms will be flagged ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware
DS010NetworkCommunication
UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case Center)
Any attempted communication through the firewall not previously granted by ingress/egress policies could indicate
either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions (bypassing
the firewall). Legacy Command and Control (a.k.a. C&C or C2 ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
DS012NetworkIntrusionDetection-ET01SigDetection
UC0074 Network Intrusion Internal Network (Narrative and Use Case Center)
IDS/IPS detecting or blocking an attack based on a known signature. Problem Types Addressed Risk Addressed
Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode
DS012NetworkIntrusionDetectionET01SigDetection DE001AssetInformation Adoption Phase Customer Adoption
Phase SME Adoption Phase ...
May 09, 2016
Labels: prt05-tacticalthreat-ransomeware
PRT05-TacticalThreat-SpearphishingCampaign
PRT06-SecureConfigurationMgmt
High-level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of systems
in the enterprise and in the cloud.
PRT06-SecureConfigurationMgmtUpdateManagement
PRT06-SecureConfigurationMgmtVulnerability
UCESS061 Vulnerability Scanner Detected (by targets) (Narrative and Use Case Center)
Detects a potential vulnerability scanner by detecting devices that have triggered events against a large
number of unique targets. Vulnerability scanners generally trigger events against a high number of unique
hosts when they are scanning a network for vulnerable hosts. For the past ...
Aug 14, 2016
UCESS060 Vulnerability Scanner Detected (by events) (Narrative and Use Case Center)
Detects a potential vulnerability scanner by detecting devices that have triggered a large number of unique
events. Vulnerability scanners generally trigger a high number of unique events when scanning a host, since each
vulnerability check tends to trigger a unique ...
Aug 14, 2016
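UCESS061 and UCESS060 look at the same IDS signature data along two different axes: a network sweep fires one signature against many destinations, while a host-focused scan fires many different signatures against one destination, so neither rule alone catches both shapes. The Python below is an added example for this review, not Splunk's correlation search content; the thresholds, the one-hour window, the authorized-scanner suppression list and the sample events are constructed assumptions.

```python
"""Vulnerability-scanner detection from IDS signature events (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=1)
TARGET_THRESHOLD = 25      # UCESS061 "large number of unique targets" (assumption)
SIGNATURE_THRESHOLD = 25   # UCESS060 "large number of unique events" (assumption)
# Assumption: the organization's own scanners are known from the asset lookup and
# suppressed here; otherwise every scheduled scan raises both notables.
AUTHORIZED_SCANNERS = {"10.0.0.250"}


def scanner_candidates(events, now, window=WINDOW,
                       target_threshold=TARGET_THRESHOLD,
                       signature_threshold=SIGNATURE_THRESHOLD,
                       authorized=AUTHORIZED_SCANNERS):
    """events: (timestamp, src, dest, signature) from DS012 ET01SigDetection.
    Counts distinct destinations (UCESS061) and distinct signatures (UCESS060)
    per source within the window and returns the sources that reach either
    threshold as src -> {"targets", "signatures", "rules"}."""
    dests = defaultdict(set)
    sigs = defaultdict(set)
    for ts, src, dest, sig in events:
        if now - ts > window or src in authorized:
            continue
        dests[src].add(dest)
        sigs[src].add(sig)
    out = {}
    for src in dests:
        rules = []
        if len(dests[src]) >= target_threshold:
            rules.append("UCESS061 by targets")
        if len(sigs[src]) >= signature_threshold:
            rules.append("UCESS060 by events")
        if rules:
            out[src] = {"targets": len(dests[src]), "signatures": len(sigs[src]), "rules": rules}
    return out


# Constructed IDS events (not real telemetry).
NOW = datetime(2016, 8, 14, 10, 0, tzinfo=timezone.utc)


def _sweep(src, hosts, signature, age=timedelta(0)):
    """One signature fired against many hosts: the network-sweep shape."""
    return [(NOW - age - timedelta(minutes=i % 50), src, f"10.30.1.{i}", signature)
            for i in range(1, hosts + 1)]


SAMPLE_EVENTS = (
    _sweep("10.9.9.9", 40, "ET SCAN Nmap SYN probe")                           # sweep: by targets
    + [(NOW - timedelta(minutes=i), "10.9.9.10", "10.30.2.8", f"WEB check {i}")
       for i in range(30)]                                                     # one host, many checks: by events
    + _sweep("10.0.0.250", 40, "ET SCAN Nmap SYN probe")                        # authorized scanner: suppressed
    + _sweep("10.9.9.11", 40, "ET SCAN Nmap SYN probe", age=timedelta(days=2))  # outside the window
    + [(NOW - timedelta(minutes=5), "10.1.1.5", "10.30.3.1", "ET POLICY outbound"),
       (NOW - timedelta(minutes=6), "10.1.1.5", "10.30.3.1", "ET INFO banner")]  # benign noise
)

if __name__ == "__main__":
    for src, info in scanner_candidates(SAMPLE_EVENTS, NOW).items():
        print(src, info)
```

Keeping both distinct counts per source, rather than a single event count, is what separates the two scan shapes from a noisy but legitimate host that repeats the same couple of signatures against one peer.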
Maturing
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016
PRT06-SecureConfigurationMgmtUpdateManagement
High-level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of systems
in the enterprise and in the cloud.
Maturing
PRT06-SecureConfigurationMgmtVulnerability
High-level security visibility problems speak to the need for a unified system for the collection and analysis of event data from many types of systems
in the enterprise and in the cloud.
Maturing
PRT07-SpecialRequests
A set of curated use case collections based on specific field requests
PRT07-SpecialRequests-Creative
PRT07-SpecialRequests-Creative
A set of curated use case collections based on specific field requests
UC0077 Detection Risky Referral Domains (Narrative and Use Case Center)
Maintain a tracking list of public domain suffixes and data sources "seen", keyed by the epoch of first sighting. Identify where one of the
following sequences occurs: new domain in the HTTP referrer field; first occurrence of the domain as a sender domain is
less than 48 ...
Jun 24, 2016
Labels: creative
UC0007 Account logon successful method outside of policy (Narrative and Use Case Center)
Logon event properties could indicate account misuse in violation of policy or an indication of compromise;
compare the identified purpose of the account to the context of the logon to determine whether the account is
authorized for such usage. Accounts provisioned for human access should NOT be identified as logging on as
a network or batch ...
Jun 24, 2016
Labels: creative
UC0089 Detection of Communication with Algorithmically Generated Domain (Narrative and Use Case Center)
Using an algorithm, determine whether the text of the registered domain is likely to have been generated by a computer, excluding
known cloud hosting domains, Alexa Top 1M domains, and domains with long-established communication with
the organization. Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016
Labels: prt05-tacticalthreat-ransomeware, creative
PRT08-ProductAdoption
Use cases provided by the Splunk Enterprise Security Application are mapped to the Adoption Phase and grouped by Supporting Data Source to
assist the customer and consultant in the selection of use cases for implementation based on the likely readiness of the customer.
PRT08-ProductAdoption-ES
PRT08-ProductAdoption-ES-Essentials
PRT08-ProductAdoption-ES-Mature
PRT08-ProductAdoption-ES-Maturing
PRT08-ProductAdoption-ES
PRT08-ProductAdoption-ES-Essentials
DS010NetworkCommunication
Network communication data is often the last chance available to identify the movement of an attacker within, into or out of the organization's network.
All firewalls protecting systems in the DMZ or on the public internet, segmenting the private network from the public internet, and segmenting the private
network from third-party network peers that are not part of the public internet should be included.
UCESS030 High Volume of Traffic from High or Critical Host Observed (Narrative and Use Case Center)
Alerts when a host of high or critical severity generates a high volume of outbound traffic. This may indicate that
the host has been compromised. For the past 60 minutes starting 5 minutes after realtime, using all summary data
even ...
Apr 26, 2016
DS004EndPointAntiMalware
Endpoint anti-malware logs such as McAfee Antivirus, Symantec Endpoint Protection, or Microsoft Forefront, collected from the central reporting
database. Events including detection, definition update and scheduled scan execution should be indexed.
UCESS025 High Number Of Infected Hosts (Narrative and Use Case Center)
Alerts when a high total number of infected hosts is discovered. For the past 15 days, using all summary data even
if the model has changed, return an estimated distinct count of destination (host, IP, name) where nodename is
MalwareAttacks ...
Aug 14, 2016
UCESS026 High Or Critical Priority Host With Malware Detected (Narrative and Use Case Center)
Alerts when an infection is noted on a host with high or critical priority. Looking across a real-time window of 5
minutes, search for destination priority (assigned in the asset table) of high or critical and return most recently seen
time, original raw log, destination ...
Aug 14, 2016
UCESS027 High or Critical Priority Individual Logging into Infected Machine (Narrative and Use Case Center)
Detects users with a high or critical priority logging into a malware-infected machine. Using all summary data even if
the model has changed, search for user over a 60 minute window starting 5 minutes after realtime where user
priority ...
Aug 14, 2016
the past 24 hours, using all summary data even if the model has changed, generate a distinct count of the system
that was affected by the malware ...
Apr 26, 2016
UCESS024 High Number of Hosts Not Updating Malware Signatures (Narrative and Use Case Center)
Alerts when a high number of hosts not updating malware signatures have been discovered. These hosts should
be evaluated to determine why they are not updating their malware signatures. Execute the malware operations
tracker macro and calculate the timesignatureversion and return results where the day difference between ...
Apr 26, 2016
UCESS036 Host With Old Infection Or Potential Re-Infection (Narrative and Use Case Center)
Alerts when a host with an old infection is discovered (likely a reinfection). For the past 60 minutes starting 5
minutes after realtime, calculate the max time (lastTime) by signature and destination. Perform a lookup against
the malwaretracker and match on destination and signature. If a match ...
Apr 26, 2016
UCESS032 Host With A Recurring Malware Infection (Narrative and Use Case Center)
Alerts when a host has an infection that has been removed and reinfected multiple times over multiple days. For the past
10080 minutes (7 days) starting 5 minutes after realtime, using all summary data even if the model ...
Apr 26, 2016
DS005WebProxyRequest
Web client requests from internal endpoints processed by a proxy server; scope should include all endpoints, including end-user devices and servers.
Guest wifi should not be included unless the guest network is able to access the organization's internal trusted zone.
DS002DNS
Domain name resolution logs covering all internal clients querying for hosts outside of the organization's network should contain in a single event
the source IP, query and response. The scope should be confirmed using the firewall communication logs where the destination port is 53 (DNS).
DS003Authentication
Authentication logs covering all central authentication systems such as Active Directory, ADFS, CyberArk, WebSEAL, and SiteMinder, as well as
all local authentication logs from host operating systems identified as compliance targeted or priority High/Critical.
UCESS011 Brute Force Access Behavior Detected (Narrative and Use Case Center)
Detects an excessive number of failed login attempts along with a successful attempt (this could indicate a successful
brute force attack). Looking across the prior 60 minute period starting 5 minutes ago, search for tags, applications,
count of failures ...
Aug 14, 2016
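UCESS011 and its one-day sibling UCESS012 are the same correlation with different windows: for each successful logon, count that user's failures in the preceding period and alert when the count is excessive. The ordering matters; failures that follow a success are a different signal. The Python below is an added example for this review, not Splunk's correlation search content; the failure threshold, the application names and the sample authentication events are constructed assumptions, and the windows are parameters so one function covers both rules.

```python
"""Brute-force access behaviour: failures followed by a success (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

FAILURE_THRESHOLD = 5                     # assumption; tuned per environment in practice
UCESS011_WINDOW = timedelta(minutes=60)   # "prior 60 minute period"
UCESS012_WINDOW = timedelta(hours=24)     # "over a one day period"


def brute_force_alerts(events, window, threshold=FAILURE_THRESHOLD):
    """events: (timestamp, app, user, src, action) with action 'success' or 'failure'.
    For every successful logon, count the same user's failures in the preceding
    `window` and report a hit when the count reaches `threshold`. Only failures
    that precede the success are correlated with it. Returns one dict per hit,
    including the set of sources the failures came from so the analyst can see
    whether the success came from the same place as the guessing."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[2]].append(ev)
    hits = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        for ts, app, _user, src, action in evs:
            if action != "success":
                continue
            prior = [e for e in evs if e[4] == "failure" and ts - window <= e[0] < ts]
            if len(prior) >= threshold:
                hits.append({
                    "user": user, "app": app, "success_src": src, "success_time": ts,
                    "failures": len(prior),
                    "failure_srcs": sorted({e[3] for e in prior}),
                    "first_failure": prior[0][0],
                })
    return hits


# Constructed authentication events (not real logs).
T0 = datetime(2016, 8, 14, 8, 0, tzinfo=timezone.utc)


def _burst(user, src, start, count, spacing, app="sshd"):
    return [(start + i * spacing, app, user, src, "failure") for i in range(count)]


SAMPLE_EVENTS = (
    # svc_backup: 12 failures in 12 minutes, then a success from the same source -> both rules
    _burst("svc_backup", "203.0.113.7", T0, 12, timedelta(minutes=1))
    + [(T0 + timedelta(minutes=20), "sshd", "svc_backup", "203.0.113.7", "success")]
    # alice: two typos then a success -> below threshold
    + _burst("alice", "10.1.5.20", T0, 2, timedelta(seconds=30))
    + [(T0 + timedelta(minutes=1), "sshd", "alice", "10.1.5.20", "success")]
    # bob: eight failures and never a success -> not this use case
    + _burst("bob", "198.51.100.9", T0, 8, timedelta(minutes=2))
    # carol: six failures three hours apart, then a success -> only the one-day rule sees it
    + _burst("carol", "198.51.100.9", T0, 6, timedelta(hours=3), app="vpn")
    + [(T0 + timedelta(hours=16), "vpn", "carol", "198.51.100.9", "success")]
)

if __name__ == "__main__":
    for label, win in (("UCESS011", UCESS011_WINDOW), ("UCESS012", UCESS012_WINDOW)):
        for h in brute_force_alerts(SAMPLE_EVENTS, win):
            print(label, h["user"], h["failures"], "failures before success from", h["success_src"])
```

The slow guess against carol is the reason the catalog carries both windows: one failure per hour never reaches a 60-minute threshold, but six in a day followed by a success does.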
UCESS005 Activity from Expired User Identity (Narrative and Use Case Center)
Alerts when an event is discovered from a user associated with an identity that is now expired (that is, the end date of
the identity has passed). Looking across a real-time window of 5 minutes, search for Last Time, Original Raw
Event Data, user ...
Aug 14, 2016
DS001MAIL
Email logs covering all inbound and outbound mail systems, permitting identification of the internal authenticated user (or host, where
authentication is not used) that caused an email to be sent or that received a specific email. The scope should be confirmed by using firewall
communication logs where the destination port is 25.
UCESS031 Host Sending Excessive Email (Narrative and Use Case Center)
Alerts when a host not designated as an email server sends excessive email to one or more target hosts. For the
past 60 minutes starting 5 minutes after realtime, using all summary data even if the model has changed, calculate
...
May 02, 2016
DS007AuditTrail
Audit trail information from internal endpoints providing logs supporting use cases in this adoption phase should be included in the initial scope.
DS012NetworkIntrusionDetection-ET01SigDetection
Network intrusion detection logs often must be indexed for compliance purposes; all IDS/IPS sensors should be included except those that
monitor unfiltered inbound public internet communications ("unfiltered" meaning the sensor may detect attacks that would be blocked by the border firewall
based on destination port).
Detects a potential vulnerability scanner by detecting devices that have triggered events against a large number of
unique targets. Vulnerability scanners generally trigger events against a high number of unique hosts when they
are scanning a network for vulnerable hosts. For the past ...
Aug 14, 2016
UCESS060 Vulnerability Scanner Detected (by events) (Narrative and Use Case Center)
Detects a potential vulnerability scanner by detecting devices that have triggered a large number of unique events.
Vulnerability scanners generally trigger a high number of unique events when scanning a host, since each
vulnerability check tends to trigger a unique ...
Aug 14, 2016
DS014WebServer-ET01Access
Web server logs from all web servers serving authenticated organization users from the public internet should contain the authenticated user
account, (actual) source IP, reverse proxy IP, site, URL, and port.
DS006UserActivity
User activity related to the creation, modification or deletion of users, groups, access controls and policies should be indexed for all systems
in scope for logging and monitoring within this phase.
PRT08-ProductAdoption-ES-Maturing
DS010NetworkCommunication
Network communication data is often the last chance available to identify the movement of an attacker within, into or out of the organization's network.
All firewalls protecting systems in the DMZ or on the public internet, segmenting the private network from the public internet, and segmenting the private
network from third-party network peers that are not part of the public internet should be included.
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016
UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center)
Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of
new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor
or a system communicating with a botnet). Looking across a real-time window of 5 minutes, return values ...
Aug 14, 2016
DS004EndPointAntiMalware
Endpoint anti-malware logs such as McAfee Antivirus, Symantec Endpoint Protection, or Microsoft Forefront, collected from the central reporting
database. Events including detection, definition update and scheduled scan execution should be indexed.
DS005WebProxyRequest
Web client requests from internal endpoints processed by a proxy server; scope should include all endpoints, including end-user devices and servers.
Guest wifi should not be included unless the guest network is able to access the organization's internal trusted zone.
DS002DNS
Domain name resolution logs covering all internal clients querying for hosts outside of the organization's network should contain in a single event
the source IP, query and response. The scope should be confirmed using the firewall communication logs where the destination port is 53 (DNS).
DS003Authentication
Authentication logs covering all central authentication systems such as Active Directory, ADFS, CyberArk, WebSEAL, and SiteMinder, as well as
all local authentication logs from host operating systems identified as compliance targeted or priority High/Critical.
UCESS016 Default Account Activity Detected (Narrative and Use Case Center)
Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords
and are therefore commonly targeted by attackers using brute force attack tools. Looking across a real-time window
of 5 minutes, return lastTime, tag ...
Aug 14, 2016
UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center)
Detects authentication requests that transmit the password over the network as cleartext (unencrypted). Looking
across a real-time window of 5 minutes, calculate the max time and return time, original raw, tags and count
grouped by the application and destination (host, IP, name ...
Aug 14, 2016
UCESS037 Inactive Account Activity Detected (Narrative and Use Case Center)
Discovers previously inactive accounts that are now being used. This may be due to an attacker that successfully
gained access to an account that was no longer being used. Execute the inactiveaccountusage macro and look
across the time range of less than 90 days ago and greater ...
Aug 14, 2016
UCESS023 Alerts on access attempts that are improbable based on time and geography. (Narrative and Use Case Center)
Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this
could indicate a successful brute force attack). For the past 18 hours starting 5 minutes after realtime, list the
application, user ...
Aug 14, 2016
DS001MAIL
Email logs covering all inbound and outbound mail systems, permitting identification of the internal authenticated user (or host, where
authentication is not used) that caused an email to be sent or that received a specific email. The scope should be confirmed by using firewall
communication logs where the destination port is 25.
DS007AuditTrail
Audit trail information from internal endpoints providing logs supporting use cases in this adoption phase should be included in the initial scope.
UCESS050 Should Timesync Host Not Syncing (Narrative and Use Case Center)
Detects when hosts that are required to synchronize their clocks have failed to do so. Time synchronization is
important because it ensures that the event logs are stamped with the proper time. Additionally, this is required by
some regulatory compliance standards (such as PCI). For the past 30 days ...
Aug 14, 2016
DS012NetworkIntrusionDetection-ET01SigDetection
Network intrusion detection logs often must be indexed for compliance purposes; all IDS/IPS sensors should be included except those that
monitor unfiltered inbound public internet communications ("unfiltered" meaning the sensor may detect attacks that would be blocked by the border firewall
based on destination port).
DS014WebServer-ET01Access
Web server logs from all web servers serving authenticated organization users from the public internet should contain the authenticated user
account, (actual) source IP, reverse proxy IP, site, URL, and port.
DS006UserActivity
User activity related to the creation, modification or deletion of users, groups, access controls and policies should be indexed for all systems
in scope for logging and monitoring within this phase.
UCESS042 New User Account Created On Multiple Hosts (Narrative and Use Case Center)
Useraccountstracker returns destination (host, IP, name), user, firstTime, lastTime and isinteractive. Create
earliestQual based on 24 hours ago, snapped to the top of the hour and latestQual which is now. Return values
where firstTime is greater than or equal to earliestQual ...
Aug 14, 2016
PRT08-ProductAdoption-ES-Mature
DS010NetworkCommunication
Network communication data is often the last chance available to identify the movement of an attacker within, into or out of the organization's network.
All firewalls protecting systems in the DMZ or on the public internet, segmenting the private network from the public internet, and segmenting the private
network from third-party network peers that are not part of the public internet should be included.
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016
UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center)
Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of
new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor
or a system communicating with a botnet). Looking across a real-time window of 5 minutes, return values ...
Aug 14, 2016
DS004EndPointAntiMalware
Endpoint anti-malware logs such as McAfee Antivirus, Symantec Endpoint Protection, or Microsoft Forefront, collected from the central reporting
database. Events including detection, definition update and scheduled scan execution should be indexed.
DS005WebProxyRequest
Web client requests from internal endpoints processed by a proxy server; scope should include all endpoints, including end-user devices and servers.
Guest wifi should not be included unless the guest network is able to access the organization's internal trusted zone.
DS002DNS
Domain name resolution logs covering all internal clients querying for hosts outside of the organization's network should contain in a single event
the source IP, query and response. The scope should be confirmed using the firewall communication logs where the destination port is 53 (DNS).
5 minutes ago, using all summary data even if the model has changed, provide a count where ...
Aug 14, 2016
DS003Authentication
Authentication logs covering all central authentication systems such as Active Directory, ADFS, CyberArk, WebSEAL, and SiteMinder, as well as
all local authentication logs from host operating systems identified as compliance targeted or priority High/Critical.
UCESS016 Default Account Activity Detected (Narrative and Use Case Center)
Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords
and are therefore commonly targeted by attackers using brute force attack tools. Looking across a real-time window
of 5 minutes, return lastTime, tag ...
Aug 14, 2016
UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center)
Detects authentication requests that transmit the password over the network as cleartext (unencrypted). Looking
across a real-time window of 5 minutes, calculate the max time and return time, original raw, tags and count
grouped by the application and destination (host, IP, name ...
Aug 14, 2016
UCESS037 Inactive Account Activity Detected (Narrative and Use Case Center)
Discovers previously inactive accounts that are now being used. This may be due to an attacker that successfully
gained access to an account that was no longer being used. Execute the inactiveaccountusage macro and look
across the time range of less than 90 days ago and greater ...
Aug 14, 2016
UCESS023 Alerts on access attempts that are improbable based on time and geography. (Narrative and Use Case Center)
Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this
could indicate a successful brute force attack). For the past 18 hours starting 5 minutes after realtime, list the
application, user ...
Aug 14, 2016
DS001MAIL
Email logs covering all inbound and outbound mail systems, permitting identification of the internal authenticated user (or host, where
authentication is not used) that caused an email to be sent or that received a specific email. The scope should be confirmed by using firewall
communication logs where the destination port is 25.
DS007AuditTrail
Audit trail information from internal endpoints providing logs supporting use cases in this adoption phase should be included in the initial scope.
UCESS050 Should Timesync Host Not Syncing (Narrative and Use Case Center)
Detects when hosts that are required to synchronize their clocks have failed to do so. Time synchronization is
important because it ensures that the event logs are stamped with the proper time. Additionally, this is required by
some regulatory compliance standards (such as PCI). For the past 30 days ...
Aug 14, 2016
DS012NetworkIntrusionDetection-ET01SigDetection
Network intrusion detection logs often must be indexed for compliance purposes; all IDS/IPS sensors should be included except those that
monitor unfiltered inbound public internet communications ("unfiltered" meaning the sensor may detect attacks that would be blocked by the border firewall
based on destination port).
DS014WebServer-ET01Access
Web server logs from all web servers serving authenticated organization users from the public internet should contain the authenticated user
account, (actual) source IP, reverse proxy IP, site, URL, and port.
DS006UserActivity
User activity related to the creation, modification or deletion of users, groups, access controls and policies should be indexed for all systems
in scope for logging and monitoring within this phase.
UCESS042 New User Account Created On Multiple Hosts (Narrative and Use Case Center)
Useraccountstracker returns destination (host, IP, name), user, firstTime, lastTime and isinteractive. Create
earliestQual based on 24 hours ago, snapped to the top of the hour and latestQual which is now. Return values ...
RV1-AbuseofAccess Abuse of access addresses the risk of authorized or entitled access used in such a way as to cause harm
to the organization
RV2-Access Access addresses the risk of unauthorized access used in such a way as to cause harm to the organization
RV3-MaliciousCode Malicious code addresses the risk of processes used against the organization; these risks include
"malware" as well as authorized software used for malicious intent.
RV4-ScanProbe Risk of activities that could discover a weakness in the organization's systems, controls, or configuration
that could later be used to harm the organization
RV5-DenialofService Risk of denial of service includes such concerns as load-based and destructive change to the
infrastructure.
RV6-Misconfiguration Modification of a system that results in a misconfiguration, defined as insecure or unreliable,
impacting the compliance, security, or availability of the system. Such configuration may increase the likelihood or impact
of other adverse events.
RV1-AbuseofAccess
Abuse of access addresses the risk of authorized or entitled access used in such a way as to cause harm to the organization
UCESS035 Host With Multiple Infections (Narrative and Use Case Center)
Alerts when a host with multiple infections is discovered. For the past 24 hours, using all summary data even if
the model has changed, return a distinct count of signatures and group by destination (host, IP, name). Alert
when the count is greater ...
Aug 14, 2016
UCESS025 High Number Of Infected Hosts (Narrative and Use Case Center)
Alerts when a high total number of infected hosts is discovered. For the past 15 days, using all summary data
even if the model has changed, return an estimated distinct count of destination (host, IP, name) where
nodename is MalwareAttacks ...
Aug 14, 2016
UCESS026 High Or Critical Priority Host With Malware Detected (Narrative and Use Case Center)
Alerts when an infection is noted on a host with high or critical priority. Looking across a real-time window of 5
minutes, search for destination priority (assigned in the asset table) of high or critical and return most recently seen
time, original raw log, destination ...
Aug 14, 2016
UCESS027 High or Critical Priority Individual Logging into Infected Machine (Narrative and Use Case Center)
Detects users with a high or critical priority logging into a malware-infected machine. Using all summary data
even if the model has changed, search for user over a 60 minute window starting 5 minutes after realtime
where user priority ...
Aug 14, 2016
UCESS005 Activity from Expired User Identity (Narrative and Use Case Center)
Alerts when an event is discovered from a user associated with an identity that is now expired (that is, the end
date of the identity has passed). Looking across a real-time window of 5 minutes, search for Last Time,
Original Raw Event Data, user ...
Aug 14, 2016
UCESS012 Brute Force Access Behavior Detected Over One Day (Narrative and Use Case Center)
Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period
(this could indicate a successful brute force attack). Looking across the prior 24 hours starting 1 hour ago,
search for application ...
Aug 14, 2016
UCESS011 Brute Force Access Behavior Detected (Narrative and Use Case Center)
Detects an excessive number of failed login attempts along with a successful attempt (this could indicate a
successful brute force attack). Looking across the prior 60 minute period starting 5 minutes ago, search for tags,
applications, count of failures ...
Aug 14, 2016
UC0006 Windows security event log purged (Narrative and Use Case Center)
Manually clearing the security event log on a Windows system is a violation of policy and could indicate an
attempt to cover malicious actions. Problem Types Addressed: PRT01Compliance, PRT02SecurityVisibilityEndpointMalware.
Risk Addressed: RV1AbuseofAccess. Event Data Sources: DS007AuditTrailET01Clear. Enrichment: DE001AssetInformation.
Adoption ...
Apr 08, 2016
UCESS030 High Volume of Traffic from High or Critical Host Observed (Narrative and Use Case Center)
Alerts when a host of high or critical severity generates a high volume of outbound traffic. This may indicate
that the host has been compromised. For the past 60 minutes starting 5 minutes after realtime, using all
summary data even ...
Apr 26, 2016
Maturing
UCESS016 Default Account Activity Detected (Narrative and Use Case Center)
Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default
passwords and are therefore commonly targeted by attackers using brute force attack tools. Looking across a
realtime window of /5 minutes, return lastTime, tag ...
Aug 14, 2016
UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center)
The primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and
associates identity and asset information with each. Looking back over the past 24 hours, return values of the
function and their distinct count grouped by destination (host ...
Aug 14, 2016
UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center)
Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute
period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ...
Aug 16, 2016
UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center)
Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared
passwords and potential misuse. Looking across the prior 65 minutes starting 5 minutes ago, search for time,
application, source (host, IP, name) and user ...
Aug 14, 2016
UCESS063 Web Uploads to Non-corporate Sites by Users (Narrative and Use Case Center)
Alerts on high volume web uploads by a user to noncorporate domains. For the past 60 minutes starting 5
minutes after realtime, sum the total number of bytes transferred where the HTTP method is POST or PUT and
the domain is not in the corporate web domain lookup ...
Aug 14, 2016
UC0040 Use of Shared Secret for or by automated process with risky attributes (Narrative and Use Case
Center)
Usage (checkout) by an automated process, such as a software installation, of a shared secret or service account
where the source of the retrieval is new or outside of the change window. Problem Types Addressed: PRT01Compliance,
PRT02SecurityVisibilityUserActivity. Risk Addressed: RV1AbuseofAccess, RV2Access ...
Apr 11, 2016
UC0012 Increase risk score of employees once adverse separation is identified or anticipated (Narrative and
Use Case Center)
Increase the risk score of users who have indication of adverse separation. Examples of users with an
indication of adverse separation, include but are not limited to the following: User has entered a remediation
program with human resources User has been identified as included in a reduction ...
Apr 08, 2016
UC0082 Communication with enclave by default rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security
posture of the organization, or an actual or attempted compromise. Communication filtered by the default rule implies
that no explicit permission for the communication has been granted and should be reviewed. Consider ingress ...
Apr 27, 2016
UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center)
Using network communication fingerprinting detect distinct primary functions such as SQL, HTTP, DNS by
destination asset. Alert if more than one primary function is found, excluding administrative protocols (RDP, SSH, iDRAC).
Problem Types Addressed Risk Addressed ...
Apr 28, 2016
UC0088 User account sharing detection by source device ownership (Narrative and Use Case Center)
Detection of logon device by asset name (may require resolution from IP) when logon user does not match the
owner and the number of unique owned devices is greater than two in the prior 24 hours. Exclude assets
identified as loaner ...
May 16, 2016
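The UC0088 logic, as an added worked example. It is not part of the original review and is not Splunk's own correlation search; it is written in Python rather than SPL so that it runs stand-alone over constructed data. The asset table (owner and category fields), the IP-to-asset mapping that stands in for the resolution step the use case mentions, the logon events and the threshold of two devices are all assumptions for illustration. The example applies the conditions in the description in order: resolve the logon source to an asset, compare the logon user with the asset owner, drop loaner assets, and alert when a user has used more than two devices they do not own in the prior 24 hours.

```python
from datetime import datetime, timedelta

# Constructed asset table for the example (assumed fields: owner, category).
# UC0088 excludes assets categorised as loaners, so that category is modelled here.
ASSETS = {
    "wks-101": {"owner": "alice", "category": "workstation"},
    "wks-102": {"owner": "bob", "category": "workstation"},
    "wks-103": {"owner": "carol", "category": "workstation"},
    "wks-104": {"owner": "dave", "category": "workstation"},
    "loan-01": {"owner": "helpdesk", "category": "loaner"},
}

# Constructed IP-to-asset mapping, standing in for the DNS or asset resolution
# the use case says may be required when the logon only carries an IP.
IP_TO_ASSET = {
    "10.1.1.101": "wks-101",
    "10.1.1.102": "wks-102",
    "10.1.1.103": "wks-103",
    "10.1.1.104": "wks-104",
    "10.1.1.200": "loan-01",
}

T0 = datetime(2016, 5, 16, 12, 0, 0)   # "now" for the example

# Constructed logon events: (time, user, source host name or IP).
LOGONS = [
    (T0 - timedelta(hours=30), "eve", "10.1.1.104"),   # older than 24 hours, not counted
    (T0 - timedelta(hours=20), "eve", "wks-101"),
    (T0 - timedelta(hours=10), "eve", "10.1.1.102"),
    (T0 - timedelta(hours=2), "eve", "wks-103"),
    (T0 - timedelta(hours=1), "eve", "10.1.1.200"),    # loaner, excluded
    (T0 - timedelta(hours=5), "bob", "wks-102"),       # owner on their own device
    (T0 - timedelta(hours=4), "bob", "wks-101"),       # a single foreign device
]


def resolve_asset(source, ip_to_asset):
    """Return the asset name for a logon source, resolving IPs through the lookup."""
    return ip_to_asset.get(source, source)


def detect_account_sharing(logons, assets, ip_to_asset, now,
                           window=timedelta(hours=24), min_devices=2):
    """Users who logged on to more than min_devices distinct devices owned by
    someone else inside the window. Unknown and loaner assets are ignored."""
    start = now - window
    foreign = {}
    for ts, user, source in logons:
        if not start <= ts <= now:
            continue
        asset = resolve_asset(source, ip_to_asset)
        info = assets.get(asset)
        if info is None or info["category"] == "loaner":
            continue                       # no owner to compare against
        if info["owner"] == user:
            continue                       # expected: owner using their own device
        foreign.setdefault(user, set()).add(asset)
    return {user: sorted(devices) for user, devices in foreign.items()
            if len(devices) > min_devices}


if __name__ == "__main__":
    print(detect_account_sharing(LOGONS, ASSETS, IP_TO_ASSET, T0))
```

With the constructed data only eve trips the rule (three foreign workstations inside the window; the loaner and the 30-hour-old logon do not count), while bob, who used his own machine and one colleague's, does not.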
RV2-Access
Access addresses the risk of unauthorized access in such a way as to cause harm to the organization.
UC0036 Compromised account access testing (Critical/Sensitive Resource) (Narrative and Use Case Center)
... Following a successful authentication, an attacker will attempt to determine what resources may be accessed
without causing host intrusion or DLP technologies to detect activity. Commonly the attacker ...
Apr 08, 2016
Maturing
UCESS016 Default Account Activity Detected (Narrative and Use Case Center)
Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default
passwords and are therefore commonly targeted by attackers using brute force attack tools. Looking across a
realtime window of /5 minutes, return lastTime, tag ...
Aug 14, 2016
UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center)
Detects authentication requests that transmit the password over the network as cleartext
(unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original
raw, tags and count grouped by the application and destination (host, IP, name ...
Aug 14, 2016
UC0094 Insecure authentication method detected (Narrative and Use Case Center)
For each authentication technology in the network, identify the values of authentication events that positively ensure
that secure authentication is in use. Alert per authentication technology where a successful event occurs
without the required indicators. Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016
UC0040 Use of Shared Secret for or by automated process with risky attributes (Narrative and Use Case
Center)
Usage (checkout) by an automated process, such as a software installation, of a shared secret or service account
where the source of the retrieval is new or outside of the change window. Problem Types Addressed: PRT01Compliance,
PRT02SecurityVisibilityUserActivity. Risk Addressed: RV1AbuseofAccess, RV2Access ...
Apr 11, 2016
UC0012 Increase risk score of employees once adverse separation is identified or anticipated (Narrative and
Use Case Center)
Increase the risk score of users who have indication of adverse separation. Examples of users with an
indication of adverse separation, include but are not limited to the following: User has entered a remediation
program with human resources User has been identified as included in a reduction ...
Apr 08, 2016
UC0093 Previously active account has not accessed enclave/lifecycle (Narrative and Use Case Center)
... Identify accounts no longer in use with access to high/critical or enclave systems and remove access when
no longer required. Implement a tracking list of accounts and the accessed enclave or business service
identifier, maintain the last accessed time and alert when the last access ...
Jun 24, 2016
UC0033 Brute force authentication attempt distributed (Narrative and Use Case Center)
... indicate an adversary has identified a specific high value account and is attempting to gain access. Problem
Types Addressed: PRT02SecurityVisibilityUserActivity ...
Jun 08, 2016
UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)
... RV6Misconfiguration. Event Data Sources: DS003AuthenticationET01Success,
DS010NetworkCommunicationET01TrafficAppAware. Enrichment: DE001AssetInformation (categorization providing
information to identify authorized remote access systems), DE002IdentityInformation (categorization providing
information on which users may access an individual remote access technology). Adoption Phase Customer;
Adoption Phase SME; Adoption ...
Apr 08, 2016
UC0042 SSH Authentication using unknown key (Narrative and Use Case Center)
... Detection of a new key should be investigated to determine the owner of the key and validate authorization
to access the resource. Problem Types Addressed Risk Addressed Event Data Sources Enrichment ...
Apr 11, 2016
RV3-MaliciousCode
Malicious code addresses the risk of processes used against the organization; these risks include "malware" as well as authorized software used
for malicious intent.
UCESS035 Host With Multiple Infections (Narrative and Use Case Center)
Alerts when a host with multiple infections is discovered. For the past 24 hours, using all summary data even if
the model has changed, return a distinct count of signatures and group by destination (host, IP, name). Alert
when the count is greater ...
Aug 14, 2016
UCESS025 High Number Of Infected Hosts (Narrative and Use Case Center)
Alerts when a high total number of infected hosts is discovered. For the past 15 days, using all summary data
even if the model has changed, return an estimated distinct count of destination (host, IP, name) where
nodename is MalwareAttacks ...
Aug 14, 2016
UCESS026 High Or Critical Priority Host With Malware Detected (Narrative and Use Case Center)
Alerts when an infection is noted on a host with high or critical priority. Looking across a realtime window of /5
minutes, search for destination priority (assigned in asset table) of high or critical and return most recently seen
time, original raw log, destination ...
Aug 14, 2016
UCESS027 High or Critical Priority Individual Logging into Infected Machine (Narrative and Use Case Center)
Detects users with a high or critical priority logging into a malware infected machine. Using all summary data
even if the model has changed, search for user over a 60 minute window starting 5 minutes after realtime
where user priority ...
Aug 14, 2016
UCESS005 Activity from Expired User Identity (Narrative and Use Case Center)
Alerts when an event is discovered from a user associated with identity that is now expired (that is, the end
date of the identity has been passed). Looking across a realtime window of /5 minutes, search for Last Time,
Original Raw Event Data, user ...
Aug 14, 2016
UCESS012 Brute Force Access Behavior Detected Over One Day (Narrative and Use Case Center)
Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period
(this could indicate a successful brute force attack). Looking across the prior 24 hours starting 1 hour ago,
search for application ...
Aug 14, 2016
UCESS011 Brute Force Access Behavior Detected (Narrative and Use Case Center)
Detects an excessive number of failed login attempts along with a successful attempt (this could indicate a
successful brute force attack). Looking across the prior 60 minute period starting 5 minutes ago, search for tags,
applications, count of failures ...
Aug 14, 2016
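The UCESS011 and UCESS012 logic (listed under RV1-AbuseofAccess and again here) as one added worked example. This is not the original review's content and not the product's own correlation search; it is Python rather than SPL so that it runs stand-alone, and the events, the failure threshold of six and the two window sizes are constructed for illustration. The search descriptions above evaluate a window that ends some minutes before real time to allow for ingest lag; window_end plays that role here. The product searches count failures and successes per application, source and user within the window; this version adds one refinement, requiring the success to come after the first failure, which removes the common false positive of a user who mistypes their password several times after an already successful logon.

```python
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2016, 8, 14, 12, 0, 0)   # end of the evaluation window


def _auth(minutes_ago, app, src, user, action):
    """Build one constructed authentication event relative to T0."""
    return {"time": T0 - timedelta(minutes=minutes_ago), "app": app,
            "src": src, "user": user, "action": action}


# Constructed authentication events (assumed normalised fields: time, app, src, user, action).
AUTH_EVENTS = (
    # eight failures then a success: the pattern both use cases look for
    [_auth(40 - i, "ssh", "10.0.0.5", "admin", "failure") for i in range(8)]
    + [_auth(30, "ssh", "10.0.0.5", "admin", "success")]
    # three failures and no success: below threshold, no alert
    + [_auth(20 - i, "vpn", "10.0.0.6", "bob", "failure") for i in range(3)]
    # a success followed only by failures: nothing was brute forced, no alert
    + [_auth(50, "web", "10.0.0.7", "carol", "success")]
    + [_auth(45 - i, "web", "10.0.0.7", "carol", "failure") for i in range(7)]
    # the same pattern three hours ago: outside the 60 minute window, inside the 24 hour one
    + [_auth(180 + i, "ssh", "10.0.0.8", "root", "failure") for i in range(10)]
    + [_auth(179, "ssh", "10.0.0.8", "root", "success")]
)


def detect_brute_force(events, window_end, window=timedelta(minutes=60), fail_threshold=6):
    """Per (app, src, user): alert when at least fail_threshold failures fall in the
    window and a success follows the first of them. The threshold is an assumption."""
    start = window_end - window
    groups = defaultdict(list)
    for e in events:
        if start <= e["time"] <= window_end:
            groups[(e["app"], e["src"], e["user"])].append(e)
    alerts = []
    for key in sorted(groups):
        evs = sorted(groups[key], key=lambda e: e["time"])
        failures = [e["time"] for e in evs if e["action"] == "failure"]
        if len(failures) < fail_threshold:
            continue
        successes = [e["time"] for e in evs
                     if e["action"] == "success" and e["time"] > failures[0]]
        if successes:
            app, src, user = key
            alerts.append({"app": app, "src": src, "user": user,
                           "failures": len(failures), "first_success": successes[0]})
    return alerts


if __name__ == "__main__":
    # UCESS011 style (one hour) and UCESS012 style (one day) evaluation of the same events
    print(detect_brute_force(AUTH_EVENTS, T0))
    print(detect_brute_force(AUTH_EVENTS, T0, window=timedelta(hours=24)))
```

Running both windows over the same events shows why the use case exists in two forms: the slow burst against root three hours earlier is invisible to the one-hour rule and caught by the one-day rule.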
UCESS030 High Volume of Traffic from High or Critical Host Observed (Narrative and Use Case Center)
Alerts when a host of high or critical severity generates a high volume of outbound traffic. This may indicate
that the host has been compromised. For the past 60 minutes starting 5 minutes after realtime, using all
summary data even ...
Apr 26, 2016
Maturing
UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center)
Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute
period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ...
Aug 16, 2016
UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center)
Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared
passwords and potential misuse. Looking across the prior 65 minutes starting 5 minutes ago, search for time,
application, source (host, IP, name) and user ...
Aug 14, 2016
UC0031 Non human account starting processes not associated with the purpose of the account (Narrative
and Use Case Center)
Accounts designated for use by services and batch processes should start a limited set of child processes.
Creation of new child processes other than the process name defined in the service or batch definition may
indicate compromise. Problem Types Addressed ...
Apr 08, 2016
UC0077 Detection Risky Referral Domains (Narrative and Use Case Center)
Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the
following sequences occurs: new domain in the HTTP referrer field; first occurrence of domain as sender domain is
less than 48 ...
Jun 24, 2016
Labels: creative
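The tracking-list mechanism UC0077 describes, as an added worked example (not the original review's content and not a Splunk lookup; Python so that it runs stand-alone). The tracker is keyed by data source as well as value because the same first-seen list is what UC0042 (a new SSH key) and UC0037 (a new IDS signature) need; the example shows the referrer case from the use case and generalises only to that extent. The registered-domain reduction is a deliberate simplification, knowing just two multi-label public suffixes; a production version would use the full public suffix list. The proxy events, the 48-hour age limit and the domain names are constructed.

```python
from datetime import datetime, timedelta

# Naive registered-domain reduction. A production tracker would consult the public
# suffix list; for the example only these multi-label suffixes are assumed known.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def registered_domain(host):
    """Reduce a host name to its registered domain (public suffix plus one label)."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


class FirstSeenTracker:
    """Tracking list keyed by (data source, value) holding the first time each value was seen."""

    def __init__(self):
        self.first_seen = {}

    def observe(self, source, value, ts):
        """Record an observation and return the value's age at ts (zero when new)."""
        key = (source, value)
        if key not in self.first_seen or ts < self.first_seen[key]:
            self.first_seen[key] = ts
        return ts - self.first_seen[key]


def seed(tracker, events):
    """Load historical events into the tracker without producing alerts."""
    for ts, _, referrer in events:
        tracker.observe("http_referrer", registered_domain(referrer), ts)


def risky_referrers(events, tracker, max_age=timedelta(hours=48)):
    """Events whose referrer's registered domain was first seen less than max_age ago."""
    flagged = []
    for ts, src_ip, referrer in sorted(events, key=lambda e: e[0]):
        domain = registered_domain(referrer)
        if tracker.observe("http_referrer", domain, ts) < max_age:
            flagged.append((ts, src_ip, domain))
    return flagged


T0 = datetime(2016, 6, 24, 10, 0, 0)

# Constructed proxy events: (time, client ip, HTTP referrer host).
HISTORY = [
    (T0 - timedelta(days=30), "10.2.0.11", "www.example.com"),
    (T0 - timedelta(days=20), "10.2.0.12", "search.co.uk"),
]
EVENTS = [
    (T0, "10.2.0.11", "www.example.com"),                          # known for 30 days
    (T0 + timedelta(minutes=5), "10.2.0.13", "cdn.newsite.net"),   # never seen before
    (T0 + timedelta(hours=1), "10.2.0.14", "newsite.net"),         # same domain, 55 minutes old
    (T0 + timedelta(hours=2), "10.2.0.15", "img.search.co.uk"),    # known for 20 days
]


if __name__ == "__main__":
    tracker = FirstSeenTracker()
    seed(tracker, HISTORY)
    print(risky_referrers(EVENTS, tracker))
```

Note that a domain stays flagged for the whole 48 hours after its first appearance, not just on the first hit; that is the intended behaviour of an age-based rule, and it is why the history must be seeded before the rule runs, otherwise every long-standing domain looks new on day one.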
UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)
Identify users gaining access via an unapproved or unknown access control. This could indicate malicious
activity or an internal control failure. Problem Types Addressed: PRT02SecurityVisibilityEndpointMalware,
PRT02SecurityVisibilityUserActivity. Risk Addressed: RV2Access, RV3MaliciousCode, RV6Misconfiguration ...
Apr 08, 2016
UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center)
Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may
indicate malicious code. Exclude category svcnetworkscanner. Problem Types Addressed Risk Addressed
UC0025 Endpoint Multiple devices in 48 hours in the same site (Narrative and Use Case Center)
Multiple infected devices in the same site could indicate a successful watering hole attack. Monitor for more
than 5% of the hosts in a site. Problem Types Addressed: PRT02SecurityVisibilityEndpointMalware. Risk Addressed:
RV3MaliciousCode. Event Data Sources: DS004EndPointAntiMalwareET01SigDetected. Enrichment: DE001AssetInformation ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center)
Endpoints communicating with an excessive number of unique destination ports could indicate malicious code
probing for vulnerabilities. Certain server applications will arrange for communication on a high-numbered port
with the client, such as FTP in passive mode and RPC on Windows servers. Utilize category ...
Apr 08, 2016
UC0026 Endpoint Multiple devices in 48 hours in the same subnet (Narrative and Use Case Center)
Multiple infected devices in the same subnet could indicate lateral movement of an adversary or a possible
worm. Monitor for more than 5% of the host addresses on a subnet, as it is not readily possible to know how
many hosts are active on a subnet. Problem Types Addressed ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
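The UC0026 and UC0025 ratios, as an added worked example. It is not the original review's content and not a Splunk correlation search; Python is used so the logic runs stand-alone. The difference the two use cases draw is modelled directly: per subnet the denominator is the usable address space (the use case notes the live host count is not readily known), per site it is the inventoried asset count. The subnets, the asset inventory, the anti-malware events and the 5% threshold are constructed for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2016, 4, 8, 9, 0, 0)   # "now" for the example

# Constructed subnet inventory. UC0026 measures against the address space because the
# number of live hosts on a subnet is not readily known.
SUBNETS = ["10.20.0.0/24", "10.30.0.64/26"]

# Constructed asset inventory for the site variant (UC0025): ip -> site.
ASSET_SITE = {f"10.20.0.{i}": "HQ" for i in range(1, 21)}                # 20 assets at HQ
ASSET_SITE.update({f"10.30.0.{i}": "Branch" for i in range(65, 105)})    # 40 assets at Branch

# Constructed anti-malware signature detections: (time, destination ip, signature).
AV_EVENTS = [
    (T0 - timedelta(hours=1), "10.20.0.5", "Trojan.Dropper"),
    (T0 - timedelta(hours=2), "10.20.0.9", "Trojan.Dropper"),
    (T0 - timedelta(hours=2), "10.20.0.9", "Ransom.Locker"),    # same host, second signature
    (T0 - timedelta(hours=3), "10.30.0.70", "Ransom.Locker"),
    (T0 - timedelta(hours=4), "10.30.0.71", "Ransom.Locker"),
    (T0 - timedelta(hours=5), "10.30.0.72", "Ransom.Locker"),
    (T0 - timedelta(hours=6), "10.30.0.73", "Ransom.Locker"),
    (T0 - timedelta(hours=60), "10.30.0.90", "Ransom.Locker"),  # older than 48 hours, ignored
]


def infected_hosts(events, now, window=timedelta(hours=48)):
    """Distinct infected addresses seen inside the window."""
    return {ipaddress.ip_address(ip) for ts, ip, _ in events if now - window <= ts <= now}


def share_by_subnet(events, subnets, now, threshold=0.05, **kwargs):
    """Subnets where infected hosts exceed threshold of the usable address space (UC0026)."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    per_net = defaultdict(set)
    for addr in infected_hosts(events, now, **kwargs):
        for net in nets:
            if addr in net:
                per_net[net].add(addr)
                break
    alerts = {}
    for net, hosts in per_net.items():
        usable = max(net.num_addresses - 2, 1)      # drop network and broadcast addresses
        share = len(hosts) / usable
        if share > threshold:
            alerts[str(net)] = (len(hosts), round(share, 3))
    return alerts


def share_by_site(events, asset_site, now, threshold=0.05, **kwargs):
    """Sites where infected hosts exceed threshold of the inventoried assets (UC0025)."""
    totals = defaultdict(int)
    for site in asset_site.values():
        totals[site] += 1
    per_site = defaultdict(set)
    for addr in infected_hosts(events, now, **kwargs):
        site = asset_site.get(str(addr))
        if site is not None:
            per_site[site].add(addr)
    return {site: (len(hosts), round(len(hosts) / totals[site], 3))
            for site, hosts in per_site.items() if len(hosts) / totals[site] > threshold}


if __name__ == "__main__":
    print(share_by_subnet(AV_EVENTS, SUBNETS, T0))
    print(share_by_site(AV_EVENTS, ASSET_SITE, T0))
```

Four infected hosts are 6.5% of a /26 but under 1% of a /24, so only the small subnet alerts by address space, while both sites alert once the denominator is the real asset count; which rule fires first depends on how densely each subnet is populated, which is the trade-off the two use cases express.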
RV4-ScanProbe
Risk of activities that could discover a weakness in the organization's systems, controls, or configuration that could later be used to harm the
organization.
UCESS061 Vulnerability Scanner Detected (by targets) (Narrative and Use Case Center)
Detects a potential vulnerability scanner by detecting devices that have triggered events against a large
number of unique targets. Vulnerability scanners generally trigger events against a high number of unique
hosts when they are scanning a network for vulnerable hosts.For the past ...
Aug 14, 2016
UCESS060 Vulnerability Scanner Detected (by events) (Narrative and Use Case Center)
Detects a potential vulnerability scanner by detecting devices that have triggered a large number of unique
events. Vulnerability scanners generally trigger a high number of unique events when scanning a host since each
vulnerability check tends to trigger a unique ...
Aug 14, 2016
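The two scanner detections above (by targets, UCESS061; by events, UCESS060) as one added worked example, not the original review's content and not the product's searches; Python so that it runs stand-alone. The IDS events, the thresholds of 25 distinct targets and 25 distinct signatures, and the authorised-scanner set (the same categorisation UC0091 relies on, used here to suppress the organisation's own scanner) are assumptions for the example.

```python
from collections import defaultdict

# Assumed lookup of authorised scanners, the same asset categorisation UC0091 relies on.
AUTHORIZED_SCANNERS = {"10.7.7.7"}

# Constructed IDS events: (source, destination, signature).
IDS_EVENTS = (
    [("10.9.9.9", f"10.1.0.{i}", f"sig-{i % 3}") for i in range(1, 31)]   # 30 targets, 3 signatures
    + [("10.8.8.8", "10.1.0.50", f"sig-{i}") for i in range(30)]           # 1 target, 30 signatures
    + [("10.7.7.7", f"10.1.0.{i}", f"sig-{i}") for i in range(1, 51)]      # the authorised scanner
    + [("10.6.6.6", "10.1.0.60", "sig-1")] * 500                           # loud, but one target and one signature
)


def detect_scanners(events, authorized=frozenset(), target_threshold=25, event_threshold=25):
    """Sources that hit at least target_threshold distinct targets (UCESS061) or raised at
    least event_threshold distinct signatures (UCESS060). Thresholds are assumptions."""
    targets = defaultdict(set)
    signatures = defaultdict(set)
    for src, dest, sig in events:
        targets[src].add(dest)
        signatures[src].add(sig)
    alerts = {}
    for src in targets:
        if src in authorized:
            continue                                   # expected scanning, see UC0091
        reasons = []
        if len(targets[src]) >= target_threshold:
            reasons.append("by_targets")
        if len(signatures[src]) >= event_threshold:
            reasons.append("by_events")
        if reasons:
            alerts[src] = {"targets": len(targets[src]),
                           "signatures": len(signatures[src]), "reasons": reasons}
    return alerts


if __name__ == "__main__":
    print(detect_scanners(IDS_EVENTS, AUTHORIZED_SCANNERS))
```

The source that raises 500 copies of one signature against one host never alerts: both rules count distinct values, not volume, which is what separates a scanner from a noisy but legitimate client.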
UC0002 Detection of prohibited protocol (application) (Narrative and Use Case Center)
A prohibited protocol such as IRC, FTP, or Gopher could indicate malicious activity or the implementation of an
insecure system on the network. Consider intra-network communication and accepted communications from the
internet. Problem Types Addressed: PRT02SecurityVisibilityEndpointMalware ...
Apr 08, 2016
UC0037 Network Intrusion External - New Signatures (Narrative and Use Case Center)
External IDS devices reporting an attack using a signature not previously encountered are more likely to be
successful, as new signatures are prompted by newly known attacks in the wild. Problem Types Addressed:
PRT02SecurityVisibilityEndpointMalware OR is this something ...
Apr 08, 2016
UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case
Center)
Any attempted communication through the firewall not previously granted by ingress/egress policies could
indicate either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions
(bypassing the firewall). Legacy Command and Control (a.k.a. C&C or C2 ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
Maturing
UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center)
Detects authentication requests that transmit the password over the network as cleartext
(unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original
raw, tags and count grouped by the application and destination (host, IP, name ...
Aug 14, 2016
UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center)
Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute
period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ...
Aug 16, 2016
UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center)
Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may
indicate malicious code. Exclude category svcnetworkscanner. Problem Types Addressed:
PRT02SecurityVisibilityEndpointMalware. Risk Addressed: RV3MaliciousCode, RV4ScanProbe ...
Apr 08, 2016
UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center)
Endpoints communicating with an excessive number of unique destination ports could indicate malicious code
probing for vulnerabilities. Certain server applications will arrange for communication on a high-numbered port
with the client, such as FTP in passive mode and RPC on Windows servers. Utilize category ...
Apr 08, 2016
UC0001 Detection of new/prohibited web application (Narrative and Use Case Center)
A prohibited web application such as Box or a game on the Facebook platform can be detected and filtered by
modern web proxy solutions and next generation firewalls. Allowed prohibited applications or new application
instances should be reviewed to ensure proper use. Problem Types ...
Apr 08, 2016
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016
UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center)
Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation
of new software (potentially unapproved) or a successful compromise of a host (such as the presence of a
backdoor or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return
values ...
Aug 14, 2016
RV5-DenialofService
Risk of denial of service includes such concerns as load based and destructive change to the infrastructure.
Maturing
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016
RV6-Misconfiguration
Modification of a system that results in a misconfiguration, defined as one that is insecure or unreliable and impacts the compliance, security, or availability of
the system. Such a configuration may increase the likelihood or impact of other adverse events.
UC0046 Endpoint failure to sync time (Narrative and Use Case Center)
Failure to synchronize time will impact the usefulness of security log data from the endpoint, and potentially
prevent valid authentication. Exclude virtual machine guests as their time is synchronized with the virtual host.
Problem Types Addressed Risk Addressed Event Data Sources ...
Apr 25, 2016
UC0003 Server generating email outside of approved usage (Narrative and Use Case Center)
Server operating systems often generate email for routine purposes. Configuration management can be used
to identify which server may generate email and what recipients are permitted. Identify servers receiving email
from the internet without approval. Identify ...
Apr 19, 2016
UCESS022 Expected Host Not Reporting (Narrative and Use Case Center)
Discovers hosts that are no longer reporting events but should be submitting log events. This rule is used to
monitor hosts that you know should be providing a constant stream of logs in order to determine why the host
has failed to provide log data.Every 15 ...
Aug 14, 2016
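UCESS022 and UC0093 (under RV2-Access) are the same shape of rule: a tracking list of last observed activity, a per-entry allowance for silence, and an alert when the allowance is exceeded or the entry has never been observed. The following added worked example covers both; it is not the original review's content and not a Splunk lookup or search, and is Python so that it runs stand-alone. The host list, the enclave account list, the allowed intervals and the last-seen times are constructed.

```python
from datetime import datetime, timedelta

T0 = datetime(2016, 8, 14, 12, 0, 0)   # "now" for the example

# Constructed expectations: key -> longest acceptable silence. Log sources that should
# report continuously (UCESS022) and accounts holding enclave access (UC0093).
EXPECTED_HOSTS = {
    "fw-edge-01": timedelta(minutes=15),
    "dc-01": timedelta(minutes=15),
    "hr-app-01": timedelta(hours=1),
}
ENCLAVE_ACCOUNTS = {
    ("svc_backup", "pci-enclave"): timedelta(days=30),
    ("alice", "pci-enclave"): timedelta(days=30),
    ("bob", "pci-enclave"): timedelta(days=30),
}

# Constructed tracking lists of last observed activity, as a scheduled search would maintain them.
HOST_LAST_SEEN = {
    "fw-edge-01": T0 - timedelta(minutes=3),
    "dc-01": T0 - timedelta(minutes=40),
    # hr-app-01 has never reported
}
ACCOUNT_LAST_SEEN = {
    ("svc_backup", "pci-enclave"): T0 - timedelta(days=2),
    ("alice", "pci-enclave"): T0 - timedelta(days=45),
    # bob has never accessed the enclave
}


def update_last_seen(last_seen, observations):
    """Fold new observations (key, time) into the tracking list, keeping the latest time."""
    for key, ts in observations:
        if key not in last_seen or ts > last_seen[key]:
            last_seen[key] = ts
    return last_seen


def stale_entries(expected, last_seen, now):
    """Expected keys whose last observation is older than allowed, or which were never seen.
    Returns key -> silence duration, with None for entries never observed."""
    stale = {}
    for key, max_silence in expected.items():
        seen = last_seen.get(key)
        if seen is None:
            stale[key] = None
        elif now - seen > max_silence:
            stale[key] = now - seen
    return stale


if __name__ == "__main__":
    print(stale_entries(EXPECTED_HOSTS, HOST_LAST_SEEN, T0))
    print(stale_entries(ENCLAVE_ACCOUNTS, ACCOUNT_LAST_SEEN, T0))
```

The never-seen case is reported separately from the stale case on purpose: for a log source it usually means onboarding was never finished, and for an enclave account it means access was granted and never used, which UC0093 treats as grounds for removal.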
Maturing
UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center)
Detects authentication requests that transmit the password over the network as cleartext
(unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original
raw, tags and count grouped by the application and destination (host, IP, name ...
Aug 14, 2016
UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center)
The primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and
associates identity and asset information with each. Looking back over the past 24 hours, return values of the
function and their distinct count grouped by destination (host ...
Aug 14, 2016
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host based logs such as firewall or host intrusion detection, for each asset with a governance category
verify that communication (accept or reject) has occurred originating from one or more authorized vulnerability
scanners. Problem Types Addressed Risk Addressed ...
Jul 12, 2016
UC0094 Insecure authentication method detected (Narrative and Use Case Center)
For each authentication technology in the network, identify the values of authentication events that positively ensure
that secure authentication is in use. Alert per authentication technology where a successful event occurs
without the required indicators. Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016
UC0090 User account cross enclave access (Narrative and Use Case Center)
Detection of logon with the same account to a production and a non-production environment. If an account (not a
user) has logged into more than one environment, account access management controls have failed and must be
remediated. Problem Types Addressed Risk Addressed Event Data ...
Jun 24, 2016
UC0082 Communication with enclave by default rule (Narrative and Use Case Center)
... Communication from an enclave network may indicate a misconfiguration that could weaken the security
posture of the organization, or an actual or attempted compromise. Communication filtered ...
Apr 27, 2016
UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center)
Using network communication fingerprinting detect distinct primary functions such as SQL, HTTP, DNS by
destination asset. Alert if more than one primary function is found, excluding administrative protocols (RDP, SSH, iDRAC).
Problem Types Addressed Risk Addressed ...
Apr 28, 2016
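UCESS039 and UC0086 (both listed under RV1-AbuseofAccess and again here) describe the same decision from two data sources: the host tracker in one case and network fingerprinting in the other. The following added worked example implements the network form; it is not the original review's content, not the primaryfunctionstracker macro and not a Splunk search, and is Python so that it runs stand-alone. The mapping from app-aware traffic labels to functions, the flow records, and the requirement of at least three flows before a function counts (so that a single probe of the kind UC0023 looks for does not become a fingerprint) are assumptions for the example; the administrative exclusions are the ones UC0086 names.

```python
from collections import defaultdict

# Assumed mapping from app-aware traffic labels to primary functions; a real
# deployment derives this from its own application or port lookups.
APP_FUNCTION = {
    "http": "http", "ssl": "http",
    "dns": "dns",
    "mysql": "sql", "mssql": "sql",
    "ssh": "ssh", "ms-rdp": "rdp", "idrac": "idrac",
}
# Administrative protocols excluded by UC0086.
ADMIN_FUNCTIONS = {"ssh", "rdp", "idrac"}

# Constructed app-aware flow records for the last 24 hours: (destination asset, app).
FLOWS = (
    [("db-01", "mysql")] * 40 + [("db-01", "ssh")] * 5        # database plus admin access: fine
    + [("web-01", "http")] * 200 + [("web-01", "dns")] * 12    # web server also answering DNS
    + [("web-01", "mysql")]                                    # a single probe, not a function
    + [("ns-01", "dns")] * 300 + [("ns-01", "ms-rdp")] * 3     # DNS plus admin access: fine
)


def primary_functions(flows, app_function=APP_FUNCTION, min_flows=3):
    """Distinct non-administrative functions per destination. A function counts
    only once it has min_flows flows, so a lone probe is not a fingerprint."""
    counts = defaultdict(lambda: defaultdict(int))
    for dest, app in flows:
        func = app_function.get(app)
        if func is None or func in ADMIN_FUNCTIONS:
            continue                                   # unknown or administrative: ignored
        counts[dest][func] += 1
    return {dest: sorted(f for f, n in funcs.items() if n >= min_flows)
            for dest, funcs in counts.items()}


def detect_multiple_functions(flows, **kwargs):
    """Destinations serving more than one primary function."""
    return {dest: funcs for dest, funcs in primary_functions(flows, **kwargs).items()
            if len(funcs) > 1}


if __name__ == "__main__":
    print(detect_multiple_functions(FLOWS))
```

Lowering min_flows to 1 makes web-01 appear to run SQL as well on the strength of one connection, which is the false positive the flow minimum is there to prevent.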
databases and logs are some of the most important business records. Email messages and activity logs can be required
to maintain compliance with an organization's information security, retention, and regulatory compliance processes, and
may be subpoenaed or legally held as part of civil or criminal investigations.
DS002DNS The domain name system (DNS) is the Internet's phone book, providing a mapping between system or
network resource names and IP addresses. DNS has a hierarchical name space that typically includes three levels: a
top-level domain (TLD) such as .com, .edu or .gov; a second-level domain such as "google" or "Whitehouse;" and a
system level such as "www" or "mail." DNS nameservers operate in this hierarchy either by acting as authoritative sources
for particular domains, such as a company or governme
DS003Authentication Authentication systems establish the identity of an actor using one or more secret values, e.g. a
password and a one-time PIN. The authentication system typically issues a new secret, e.g. a Kerberos ticket or a web
cookie, which can be presented to applications to permit access to a secured resource.
DS004EndPointAntiMalware The weakest link in corporate security is the individual, and antivirus is one way to protect
people from performing inadvertently harmful actions. Whether it is clicking on an untrustworthy web link, downloading
malicious software or opening a booby-trapped document (often one sent to them by an unsuspecting colleague),
antivirus can often prevent, mitigate or reverse the damage.
DS005WebProxyRequest Web proxies and some next generation firewalls may act in transparent or explicit mode,
communicating with HTTP(S) servers on behalf of a client. Using a number of related technologies, the request and response
can be permitted or blocked based on the user's role, the site or resource category, or an attack indicator. Data logged in the events
can potentially be used in detective correlation.
DS006UserActivity User activity within the organization's environment, such as create, read (display), update, delete and
search events, must include critical data such as action, result, app, and a locator URI allowing normalized search on the
targets of activity.
DS007AuditTrail Audit trail events represent a special class of events which can be triggered based on automated or
user interaction with systems and indicate a condition has occurred where the integrity of the source is suspect at a point
in time.
DS008HRMasterData Master Data system for Human Resources may publish an event indicating critical changes
impacting people in an organization. Human Resources records include the entire employee lifecycle including
recruitment, selection, hiring, job position and classification, promotion, salary, and bonuses, performance and ratings,
disciplinary actions, training and certifications, and separation or retirement. For hourly employees, HR data often
includes time and attendance records. HR systems often feed payr
DS009EndPointIntel In this context, endpoint refers to the security client software or agent installed on a client device that
logs security-related activity not otherwise generated by the host operating system from the client OS, login, logout,
shutdown events and various applications such as the browser (Explorer, Edge), mail client (Outlook) and Office
applications. Endpoints also log their configuration and various security parameters (certificates, local anti-malware
signatures, etc.), all of which is useful
DS010NetworkCommunication Network communication data is a record of communication between two systems, commonly
over IP version 4 or IP version 6. Network communication can be recorded by a number of technologies including
host operating systems, firewalls, switches, routers, deep packet inspection, and intrusion detection systems.
DS011MalwareDetonation Malware detonation systems, also known as sandboxing systems, execute potentially
malicious code in a clean environment for the purpose of collecting events related to its actions. Using automated and
manual analysis, indicators can be determined which can inform additional breach detection and prevention capability.
DS012NetworkIntrusionDetection IDS and IPS are complementary, parallel security systems that supplement firewalls:
IDS by exposing successful network and server attacks that penetrate a firewall, and IPS by providing more
advanced defenses against sophisticated attacks. IDS is typically placed at the
network edge, just inside a perimeter firewall, although some organizations also put a system outside the firewall to
provide greater intelligence about all attacks. Likewise, IPS is typic
DS013TicketManagement Ticket management from tracking systems responsible for the security, and operational health
of the environment(s) provides a rich resource for evaluating the effectiveness of the security program, as well as the
detective, and preventive controls in place.
DS014WebServer Web server logs allow attribution of activity to a specific source ip and user when authenticated. The
logs are detailed records of every transaction: every time a browser requests a web page, Apache logs details include
items such as the time, remote IP address, browser type and page requested. Web Servers also log various error
conditions such as a request for a missing file, attempts to access a file without appropriate permissions or problems with
extension modules. Web Server logs are criti
DS015ConfigurationManagement Configuration management solutions such as VMware vCenter, MAAS, Puppet, Chef,
System Center Configuration Manager, and System Center Virtual Machine Manager. Events generated by these systems
can provide valuable input to security investigations by recording who applied which changes to which
systems. Additional information such as the base image utilized and birth and death timestamps provides data useful to
identify windows of vulnerability.
DS016DataLossPrevention Data loss prevention solutions can identify human and automated activities as they interact
with restricted information creating an audit trail of attempted actions and the systems response such as allow or block.
DS017PhysicalSecurity Most organizations use automated systems to secure physical access to facilities. Historically,
these have been simple magnetic stripes affixed to employee badges; however, locations with stringent security
requirements may use some form of biometric reader or digital key. Regardless of the technology, the systems compare
an individual's identity with a database and activate doors when the user is authorized to enter a particular location. As
digital systems, badge readers record information su
DS018VulnerabilityDetection An effective way to find security holes is to examine one's infrastructure from the attacker's
point of view. Vulnerability scans probe an organization's network for known software defects that provide entry points for
external agents. The scans yield data about open ports and IP addresses that can be used by malicious agents to gain
entry to a particular system or entire network. Systems often keep network services running by default, even when they
aren't required for a particular server. The
DS019PatchManagement Keeping operating systems and applications updated with the latest bug fixes and security
patches is an essential task that can prevent unplanned downtime, random application crashes and security breaches.
Although commercial apps and OSs often have embedded patching software, some organizations use independent patch
management software to consolidate patch management and ensure the consistent application of patches across their
software fleet and to build patch jobs for custom, internal applic
DS020HostIntrustionDetection Host-based intrusion detection events provide signature-based detection of changes that
could weaken the security posture of the host, based on changes to entire files or to specific configuration items. Such
data can be very valuable in identifying when critical changes have occurred in the environment.
DS021Telephony Real-time business communications no longer are limited to voice calls provided by Plain Old
Telephone Service (POTS); instead, voice, video, text messaging and web conferences are IP applications delivered over
existing enterprise networks. Unlike traditional client-server or web applications, telephony and other communications
applications have strict requirements on network quality of service, latency and packet loss, making service quality and
reliability much more sensitive to network condi
DS022Performance Measures of system activity such as CPU load, memory and disk usage, and I/O traffic are the IT
equivalent of EKGs to a doctor: the vital signs that show system health. Recording these measures provides a record of
system activity over time that shows normal, baseline levels and unusual events. By registering myriad system
parameters, performance logs also can highlight mismatches between system capacity and application requirements,
such as a database using all available system memory and frequ
DS023CrashReporting Crash reports, including summaries of dumps, exceptions, and hangs, can indicate attempts to
exploit processes with malicious code, or significant programming errors that may allow future exploitation or failure
of business services.
DS024ApplicationServer Application server logs, covering the business application itself, middleware such as Tomcat,
and runtime logs such as those of the Java runtime, contain a wealth of information created when users and systems
interact. Anomalies in these logs can indicate potential failures or compromise attempts.
Provider Types
Provider types link the identified use cases to vendor and customer technologies that are believed, or have been field
validated, to support them.
DS001MAIL
Introduction
Email remains the primary form of formal communication in most organizations. As such, mail server databases and logs are some of the most
important business records. Email messages and activity logs can be required to maintain compliance with an organization's information security,
retention, and regulatory compliance processes, and may be subpoenaed or legally held as part of civil or criminal investigations.
Security Value
Continuous Monitoring - Monitoring email server logs with analytic concepts such as new, rare and extreme values over fields
including sender, recipient, IP and domain increasingly identifies actors and potential victims of email-based attacks
Forensic Investigation
Utilize email log events in combination with other events to identify potential actors involved in targeted activity
Utilize email log events to identify additional possible victims of email-based attacks
Utilize email log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
Utilize email logs to support discovery and defense of legal claims.
Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.
UCESS031 Host Sending Excessive Email (Narrative and Use Case Center)
Alerts when a host not designated as an email server sends excessive email to one or more target hosts. For the
past 60 minutes starting 5 minutes after realtime, using all summary data even if the model has changed, calculate
...
May 02, 2016
UC0003 Server generating email outside of approved usage (Narrative and Use Case Center)
Server operating systems often generate email for routine purposes. Configuration management can be used to
identify which servers may generate email and which recipients are permitted. Identify servers receiving email from
the internet without approval Identify ...
Apr 19, 2016
Maturing
Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS001MAIL-*".
UC0077 Detection Risky Referral Domains (Narrative and Use Case Center)
Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the
following sequences occurs: new domain in HTTP referrer field; first occurrence of domain as sender domain is less
than 48 ...
Jun 24, 2016
Labels: creative
UC0004 Excessive number of emails sent from internal user (Narrative and Use Case Center)
Excessive email generation by an authorized user could indicate the presence of malware for the purpose of spam
sending, abusing company resources, or attempting to solve a business problem using a technique not approved
by policy. For this use case, email generated from endpoint networks ...
Apr 08, 2016
Mature
Found 2 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS001MAIL-*".
UC0077 Detection Risky Referral Domains (Narrative and Use Case Center)
Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the
following sequences occurs: new domain in HTTP referrer field; first occurrence of domain as sender domain is less
than 48 ...
Jun 24, 2016
Labels: creative
UC0004 Excessive number of emails sent from internal user (Narrative and Use Case Center)
Excessive email generation by an authorized user could indicate the presence of malware for the purpose of spam
sending, abusing company resources, or attempting to solve a business problem using a technique not approved
by policy. For this use case, email generated from endpoint networks ...
Apr 08, 2016
Providing Technologies
Found 3 search result(s) for title:PT* contentBody:"DS001MAIL".
DS002DNS
The domain name system (DNS) is the Internet's phone book, providing a mapping between system or network resource names and IP
addresses. DNS has a hierarchical name space that typically includes three levels: a top-level domain (TLD) such as .com, .edu or .gov; a
second-level domain such as "google" or "whitehouse"; and a system level such as "www" or "mail". DNS nameservers operate in this hierarchy
either by acting as authoritative sources for particular domains, such as those of a company or government agency, or by acting as caching
servers that store DNS query results for subsequent lookup by users in a specific location or organization; for example, a broadband provider
caching addresses for its customers.
Security Value
Continuous Monitoring
Monitoring using analytic concepts such as new, rare and extreme values over the IP, port and protocol fields increasingly
identifies potential command and control systems
Forensic Investigation
Utilize communication log events in combination with other events to identify potential actors involved in targeted activity
Utilize communication log events to identify additional ingress and egress points
Utilize communication log events to identify pivot points utilized by attackers to move into controlled network segments
Utilize communication log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
Utilize communication logs to support discovery and defense of legal claims.
Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.
UC0089 Detection of Communication with Algorithmically Generated Domain (Narrative and Use Case Center)
Using an algorithm, determine whether the text of the registration domain is likely to have been generated by a
computer, excluding known cloud hosting domains, Alexa top 1M domains and domains with long-established
communication with the organization. Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016
Labels: prt05-tacticalthreat-ransomeware, creative
UC0072 Detection of unauthorized use of DNS resolution for WPAD (Narrative and Use Case Center)
Detection of an endpoint utilizing DNS as a method of proxying by querying for wpad.registrationdomain. Search
for NXDOMAIN replies to A/AAAA queries for wpad (bare host) and qualified wpad. names where the domain portion
is not a company-owned domain. Problem Types Addressed Risk Addressed Event ...
Apr 25, 2016
UC0081 Communication with unestablished domain (Narrative and Use Case Center)
Egress communication with a newly seen, newly registered, or registration-date-unknown domain may indicate the
presence of malicious code. Assets communicating with external services, excluding Alexa top 1M, whose
reputation score exceeds acceptable norms will be flagged ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0089 Detection of Communication with Algorithmically Generated Domain (Narrative and Use Case Center)
Using an algorithm, determine whether the text of the registration domain is likely to have been generated by a
computer, excluding known cloud hosting domains, Alexa top 1M domains and domains with long-established
communication with the organization. Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016
Labels: prt05-tacticalthreat-ransomeware, creative
UC0072 Detection of unauthorized use of DNS resolution for WPAD (Narrative and Use Case Center)
Detection of an endpoint utilizing DNS as a method of proxying by querying for wpad.registrationdomain. Search
for NXDOMAIN replies to A/AAAA queries for wpad (bare host) and qualified wpad. names where the domain portion
is not a company-owned domain. Problem Types Addressed Risk Addressed Event ...
Apr 25, 2016
UC0081 Communication with unestablished domain (Narrative and Use Case Center)
Egress communication with a newly seen, newly registered, or registration-date-unknown domain may indicate the
presence of malicious code. Assets communicating with external services, excluding Alexa top 1M, whose
reputation score exceeds acceptable norms will be flagged ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware
endpoint utilizing DNS as a transmission method for data exfiltration, command and control, or evasion of security
controls can be detected by either a large volume or a high number of unique DNS queries. Problem Types
Addressed Risk Addressed Event Data Sources ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware
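The two DNS use cases summarized above, UC0089 (domains whose registrable label looks machine generated, excluding known cloud hosting, popular and long-established domains) and the DNS transmission use case (a high number of unique queries from one endpoint), worked through in Python. This is an added example, not the page's or Splunk's own search logic: the log line format, the allowlists (stand-ins for the cloud hosting list, the Alexa top 1M list and the "long established communication" set), the entropy and consonant-run heuristic, the two-part public suffix table and the thresholds are all constructed for illustration.

```python
"""Added example: DNS query log review for algorithmically generated
domains (UC0089) and high unique-query volume per endpoint (the DNS
transmission use case). Log format, allowlists, scoring heuristic and
thresholds are constructed for the example; they are not the page's or
Splunk's own searches."""
import math
import re
from collections import Counter, defaultdict

# Constructed allowlists standing in for "known cloud hosting domains",
# the Alexa top-1M list and domains with long-established communication.
KNOWN_CLOUD = {"amazonaws.com", "cloudfront.net", "azurewebsites.net"}
POPULAR = {"example.com", "microsoft.com", "wikipedia.org"}
ESTABLISHED = {"partner-portal.net"}

# Simplified public-suffix handling; a real deployment would use the full list.
TWO_PART_SUFFIXES = {"co.uk", "com.au", "co.jp"}
VOWELS = set("aeiouy")

# Constructed log format: "<timestamp> <src_ip> <qname> <qtype> <rcode>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<rcode>\S+)$")

def registration_domain(qname):
    """Reduce a query name to its registrable domain (simplified suffix rules)."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_PART_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])

def shannon_entropy(s):
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def dga_score(domain):
    """Heuristic 0..1 score of the registrable label: high character entropy,
    a long consonant run, few vowels and digits mixed with letters each add
    to it. Weights and cut-offs are constructed for illustration."""
    label = domain.split(".")[0]
    if len(label) < 6:
        return 0.0
    longest = run = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        longest = max(longest, run)
    letters = [ch for ch in label if ch.isalpha()]
    vowel_ratio = sum(ch in VOWELS for ch in letters) / len(letters) if letters else 0.0
    score = 0.0
    if shannon_entropy(label) > 3.0:
        score += 0.4
    if longest >= 4:
        score += 0.3
    if vowel_ratio < 0.25:
        score += 0.2
    if letters and any(ch.isdigit() for ch in label):
        score += 0.1
    return min(score, 1.0)

def parse(lines):
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if m:
            yield m.groupdict()

def analyze(lines, dga_threshold=0.6, unique_threshold=50):
    """Return suspected DGA registration domains and sources whose count of
    distinct query names exceeds unique_threshold."""
    excluded = KNOWN_CLOUD | POPULAR | ESTABLISHED
    scores = {}
    unique_per_src = defaultdict(set)
    for ev in parse(lines):
        unique_per_src[ev["src"]].add(ev["qname"].lower())
        reg = registration_domain(ev["qname"])
        if reg in excluded or reg in scores:
            continue
        scores[reg] = dga_score(reg)
    return {
        "dga_domains": sorted(d for d, s in scores.items() if s >= dga_threshold),
        "high_volume_sources": {s: len(q) for s, q in unique_per_src.items() if len(q) > unique_threshold},
    }

# Constructed sample: one workstation with mixed lookups, one endpoint pushing
# 60 distinct labels under a single domain (the tunnelling pattern).
SAMPLE_LOG = [
    "2016-06-24T10:00:01Z 10.1.2.3 www.example.com A NOERROR",
    "2016-06-24T10:00:02Z 10.1.2.3 mail.salesforce.com A NOERROR",
    "2016-06-24T10:00:03Z 10.1.2.3 s3.amazonaws.com A NOERROR",
    "2016-06-24T10:00:04Z 10.1.2.3 xkqzvwtpmbrd.com A NXDOMAIN",
    "2016-06-24T10:00:05Z 10.1.2.3 a9f3k2x7q1z4.net AAAA NXDOMAIN",
    "2016-06-24T10:00:06Z 10.1.2.3 vpn.partner-portal.net A NOERROR",
] + [f"2016-06-24T10:01:{i % 60:02d}Z 10.1.2.4 chunk{i:03d}.tunnel-example.net TXT NOERROR"
     for i in range(60)]

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The exclusions run before scoring, so a popular or long-established domain never reaches the heuristic, which is what keeps the false-positive rate tolerable; the volume check is independent of the score, so a tunnelling domain with an ordinary-looking name is still surfaced by its query count.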
Providing Technologies
Found 3 search result(s) for title:PT* contentBody:"DS002DNS".
DS003Authentication
Authentication systems establish the identity of an actor using one or more secret values, e.g. a password and a one-time PIN. The
authentication system typically issues a new secret, e.g. a Kerberos token or web cookie, which can be presented to applications to
permit access to a secured resource.
Enterprise Directory is a central system containing information about accounts such as name, phone, public certificates, email addresses,
and group membership. Common enterprise directories such as Microsoft Active Directory, Tivoli Directory Server or Oracle Directory
Server are widely distributed systems across multiple geographies and may involve thousands of servers.
Application Authentication logs are a subset of application telemetry focused on user identity and login attempts.
Network access (or admission, if you are a Cisco customer) control is a form of client/endpoint security that uses a locally installed
software agent to pre-authorize connections to a protected network. NAC screens client devices for contamination by known malware and
adherence to security policies such as running an approved OS with the most recent patches. Clients failing NAC screens are rerouted to
an isolated quarantine network until any detected problems are corrected.
Network appliances, including switches, routers, firewalls, proxies and performance monitoring tools, have access to read and modify
significant amounts of enterprise data, and unauthorized modification of them could weaken the security posture of the organization.
Switches are network intersections, places where packets move from one network segment to another. In their purest form, switches
work within a particular IP subnet and can't route Layer 3 packets on to another network. Modern data center designs typically use a
two-tier switch hierarchy: top-of-rack (ToR) switches connecting servers and storage arrays at the edge and aggregation or spine
switches connecting to the network core. Although Ethernet switches are far more widespread, some organizations also use Fibre
Channel or InfiniBand for storage area networks or HPC interconnects, each of which has its own type of switch.
Network proxies are used in several ways in IT infrastructure: as Web application accelerators and intelligent traffic direction,
application-level firewalls and content filters. By acting as a transparent, 'bump-in-the-wire' intermediary, proxies see the entire Layer 7
network protocol stack, which allows them to implement application-specific traffic management and security policies.
Hosting platforms, including on-premises physical systems such as Cisco UCS and HP Insight, virtual systems such as VMware, and
cloud providers such as AWS, Azure, and DigitalOcean, contain significant critical infrastructure.
Online and backup storage systems contain all enterprise raw data. While logical access is otherwise monitored, the ability of an
actor to clone and read data directly from storage is frequently unmonitored.
Midrange and mainframe systems such as IBM System z, HP NonStop Server (Tandem), IBM System i, VAX, and Stratus are often
overlooked.
Security Value
Continuous Monitoring
Monitoring using analytic concepts such as new, rare and extreme values over the IP and source host fields increasingly identifies
actors and potential victims of account takeover attacks
Monitoring for evidence of password guessing in single-factor authentication schemes.
Forensic Investigation
Utilize authentication log events in combination with other events to identify potential actors involved in targeted activity
Utilize authentication log events to identify additional ingress and egress points
Utilize authentication log events to identify pivot points utilized by attackers to move into controlled network segments
Utilize authentication log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
Utilize communication logs to support discovery and defense of legal claims.
Adoption Phase
APC-Essential
All central authentication solutions
All authentication points for systems of elevated risk such as those with confidential information or identified as critical
All border authentication points such as:
Webmail
VPN
Single sign on
Employee external portal
APC-Maturing
All servers
All network devices
All network authentication
APC-Mature
All endpoint local authentication
Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.
Essentials
Found 6 search result(s) for title:UC* contentBody:"APC-Essential" contentBody:"DS003Authentication".
UCESS012 Brute Force Access Behavior Detected Over One Day (Narrative and Use Case Center)
Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this
could indicate a successful brute force attack). Looking across the prior 24 hours starting 1 hour ago, search for
application ...
Aug 14, 2016
UCESS011 Brute Force Access Behavior Detected (Narrative and Use Case Center)
Detects an excessive number of failed login attempts along with a successful attempt (this could indicate a successful
brute force attack). Looking across the prior 60 minute period starting 5 minutes ago, search for tags, applications,
count of failures ...
Aug 14, 2016
UCESS005 Activity from Expired User Identity (Narrative and Use Case Center)
Alerts when an event is discovered from a user associated with identity that is now expired (that is, the end date of
the identity has been passed). Looking across a realtime window of /5 minutes, search for Last Time, Original Raw
Event Data, user ...
Aug 14, 2016
UC0036 Compromised account access testing (Critical/Sensitive Resource) (Narrative and Use Case Center)
Following a successful authentication, an attacker will attempt to determine what resources may be accessed
without causing host intrusion or DLP technologies to detect activity. Commonly the attacker will enumerate and
browse to shares, access email, access web applications, or connect to databases ...
Apr 08, 2016
UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center)
Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared
passwords and potential misuse. Looking across the prior 65 minutes starting 5 minutes ago, search for time,
application, source (host, IP, name) and user ...
Aug 14, 2016
UC0014 Monitor use attempts of human accounts once primary account is expired disabled or deleted (Narrative and Use Case Center)
human user may own multiple accounts. When the primary account of the human is expired, disabled, or deleted,
we should expect no further activity from any other account owned by the user. Problem Types Addressed Risk
Addressed Event ...
Apr 08, 2016
UCESS016 Default Account Activity Detected (Narrative and Use Case Center)
Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords
and are therefore commonly targeted by attackers using brute force attack tools. Looking across a realtime window
of /5 minutes, return lastTime, tag ...
Aug 14, 2016
UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center)
Detects authentication requests that transmit the password over the network as cleartext (unencrypted). Looking
across a realtime window of /5 minutes, calculate the max time and return time, original raw, tags and count
grouped by the application and destination (host, IP, name ...
Aug 14, 2016
UC0094 Insecure authentication method detected (Narrative and Use Case Center)
each authentication technology in the network identify the values of authentication events that positively ensure
that secure authentication is in use. Alert per authentication technology where a successful event occurs without
the required indicators Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016
UC0090 User account cross enclave access (Narrative and Use Case Center)
Detection of logon with the same account to a production and a non-production environment. If an account (not
user) has logged into more than one, account access management controls have failed and must be remediated
Problem Types Addressed Risk Addressed Event Data ...
Jun 24, 2016
UC0018 Unauthorized access SSO brute force (Narrative and Use Case Center)
Single IP address attempting authentication of more than two valid users within ten minutes where one or more
unique accounts is successful, and one or more accounts is not successful against an approved SSO System.
Problem Types Addressed ...
Apr 08, 2016
UC0034 Brute force successful authentication (Narrative and Use Case Center)
source IP identified by a brute force use case authenticates successfully OR an account identified by a brute force
use case successfully logs in after failing once from the same source address. Problem Types Addressed Risk
Addressed Event Data ...
Apr 27, 2016
UC0093 Previously active account has not accessed enclave/lifecycle (Narrative and Use Case Center)
Identify accounts no longer in use with access to high/critical or enclave systems and remove access when no
longer required. Implement a tracking list of accounts and the accessed enclave or business service identifier,
maintain the last accessed time and alert when the last ...
Jun 24, 2016
UC0033 Brute force authentication attempt distributed (Narrative and Use Case Center)
When more than 10 failed authentication attempts for known accounts occur for a single account from more than 2
IP addresses in 60 minutes. This could indicate an adversary has identified a specific high value account and is
attempting ...
Jun 08, 2016
UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)
Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity
or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
UC0042 SSH Authentication using unknown key (Narrative and Use Case Center)
public key utilized for authentication is recorded in the SSHD authentication log. Detection of a new key should be
investigated to determine the owner of the key and validate authorization to access the resource. Problem Types
Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance ...
Apr 11, 2016
UC0044 Network authentication using password auth (Narrative and Use Case Center)
Even using SSH encryption, allowing password authentication to Linux/Unix systems over the network increases
the attack surface and the possible impact of a compromised account. Investigate and resolve all instances of
network authentication utilizing password. Problem Types Addressed ...
Apr 11, 2016
UC0032 Brute force authentication attempt (Narrative and Use Case Center)
When more than 10 failed authentication attempts for known accounts occur from single endpoint Problem Types
Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access
DS003AuthenticationET02Failure DE001AssetInformation DE002IdentityInformation Adoption Phase Customer ...
Apr 08, 2016
UC0017 Unauthorized access or risky use of NHA (Narrative and Use Case Center)
Detect the use of a Windows account designated by the organization as a non human account (NHA) outside of
the normal usage of such an account. Login where the interactive indicator is set Login where the caller computer
is a workstation or terminal server Problem Types Addressed Risk ...
Apr 08, 2016
UC0019 User authenticated to routine business systems while on extended absence (Narrative and Use Case Center)
user on leave, vacation, sabbatical, or other types of leave should not access business systems. This could
indicate malicious activity by the employee or a compromised account. Problem Types Addressed Risk Addressed
Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access
DS003AuthenticationET01Success ...
Apr 08, 2016
UC0008 Activity on previously inactive account (Narrative and Use Case Center)
Excluding computer accounts in active directory, an account with new activity that has not been active in the
previous thirty days is suspicious. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode DS003AuthenticationET01Success
DE002IdentityInformation Adoption ...
Apr 08, 2016
UCESS037 Inactive Account Activity Detected (Narrative and Use Case Center)
Discovers previously inactive accounts that are now being used. This may be due to an attacker that successfully
gained access to an account that was no longer being used. Execute the inactiveaccountusage macro and look
across the time range of less than 90 days ago and greater ...
Aug 14, 2016
UCESS023 Alerts on access attempts that are improbable based on time and geography. (Narrative and Use Case Center)
Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this
could indicate a successful brute force attack). For the past 18 hours starting 5 minutes after realtime, list the
application, user ...
Aug 14, 2016
UC0009 Authenticated communication from a risky source network (Narrative and Use Case Center)
Internet facing authentication system has allowed authenticated access from a risky source network. Always
Anonymizing services such as VPN providers, Proxy systems Threat list identification of IP B2B communications
consider the following sources risky Dial ...
Apr 08, 2016
UC0007 Account logon successful method outside of policy (Narrative and Use Case Center)
logon event properties could indicate account misuse in violation of policy OR as an indication of compromise by
comparing the identified purpose of the account to the context of the logon to determine if the account is
authorized for such usage. Accounts provisioned for human access should NOT be identified as logging on as a
network or batch ...
Jun 24, 2016
Labels: creative
UC0079 Use of accountable privileged identity to access new or rare sensitive resource (Narrative and Use Case
Center)
Use of an identity identified as privileged to access a system for the first time within a rolling time period will trigger
a notable event for review of access reason. Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT01Compliance PRT02SecurityVisibilityPriviledgeUserMonitoring RV1AbuseofAccess ...
Apr 08, 2016
UC0015 Privileged user accessing more than expected number of machines in period (Narrative and Use Case
Center)
Privileged user authenticates to more than X number of new targets successfully or is denied access to more than
Y targets in the prior Z hours. For example: More than 5 new targets More than 3 failures In the last ...
Apr 08, 2016
UC0071 Improbably short time between Remote Authentications with IP change (Narrative and Use Case Center)
employers that allow remote external connectivity the detection of two or more distinct values of external source IP
address for successful authentications to a remote access solution in a short period of time indicates a likely
compromise of credentials. The short period of time value ...
Apr 25, 2016
UC0016 Successfully authenticated computer accounts accessing network resources (Narrative and Use Case
Center)
Batch, Windows Services, App Pools, and specially constructed Windows shells can access network resources. A
small number of technical solutions will require this type of behavior, however, after excluding a white list of hosts
or shares (such as sysvol or netlogon), such access ...
Apr 08, 2016
UC0011 Improbable distance between logins (Narrative and Use Case Center)
Utilizing source IP address, geolocation data, and where available for company owned mobile devices, GPS for
mobile devices. Using the Haversine algorithm, calculate the distance between the authenticated successful
connections. Detect where: Total distance is greater than ...
Apr 08, 2016
UC0035 Compromised account access testing (Narrative and Use Case Center)
Following a successful authentication, an attacker will attempt to determine what resources may be accessed
without causing host intrusion or DLP technologies to detect activity. Commonly the attacker will enumerate and
browse to shares, access email, access web applications, or connect to databases ...
Apr 08, 2016
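UC0011 (improbable distance between logins, using the Haversine formula) and UC0071 (a change of external source IP between remote authentications in an improbably short time) worked through in Python. This is an added example and not part of the use case library above: it assumes successful remote-access events carry a source IP that a GeoIP lookup can place on the globe; the lookup table, the login events, the event tuple layout and the 900 km/h speed threshold are all constructed for the example.

```python
"""Added example: improbable travel between successful remote logins
(UC0011 with the Haversine formula; UC0071 for the IP-change case).
The GeoIP table, the login events and the speed threshold are constructed
for the example and are not the page's or Splunk's own."""
import math
from collections import defaultdict
from datetime import datetime, timezone

EARTH_RADIUS_KM = 6371.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points in decimal degrees."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

# Constructed stand-in for a GeoIP lookup: source IP -> (latitude, longitude)
GEOIP = {
    "203.0.113.10": (37.7749, -122.4194),  # San Francisco
    "203.0.113.11": (37.3382, -121.8863),  # San Jose
    "198.51.100.20": (40.7128, -74.0060),  # New York
    "192.0.2.30": (51.5074, -0.1278),      # London
}

# Constructed remote-access authentication events: (timestamp, user, src_ip, action)
LOGIN_EVENTS = [
    ("2016-04-08T08:00:00Z", "alice", "203.0.113.10", "success"),
    ("2016-04-08T08:45:00Z", "alice", "203.0.113.11", "success"),  # ~68 km in 45 min: plausible
    ("2016-04-08T09:00:00Z", "bob", "198.51.100.20", "success"),
    ("2016-04-08T10:30:00Z", "bob", "192.0.2.30", "success"),      # ~5570 km in 90 min: not plausible
    ("2016-04-08T10:31:00Z", "carol", "192.0.2.30", "failure"),    # failures imply no travel
    ("2016-04-08T10:35:00Z", "carol", "192.0.2.30", "success"),
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def improbable_travel(events, geoip=GEOIP, max_speed_kmh=900.0):
    """Flag consecutive successful logins of one user from different sources
    whose implied speed exceeds max_speed_kmh (constructed threshold, roughly
    airliner speed). Two logins at the same instant from different places are
    reported with kmh=None rather than an infinite speed."""
    by_user = defaultdict(list)
    for ts, user, ip, action in events:
        if action == "success" and ip in geoip:   # unplaceable IPs are skipped
            by_user[user].append((parse_ts(ts), ip))
    findings = []
    for user, logins in by_user.items():
        logins.sort()
        for (t1, ip1), (t2, ip2) in zip(logins, logins[1:]):
            if ip1 == ip2:
                continue   # same source: no travel implied
            km = haversine_km(*geoip[ip1], *geoip[ip2])
            hours = (t2 - t1).total_seconds() / 3600
            kmh = km / hours if hours > 0 else math.inf
            if kmh > max_speed_kmh:
                findings.append({"user": user, "from": ip1, "to": ip2,
                                 "km": round(km, 1), "hours": round(hours, 2),
                                 "kmh": None if math.isinf(kmh) else round(kmh)})
    return findings

if __name__ == "__main__":
    for f in improbable_travel(LOGIN_EVENTS):
        print(f)
```

Only successes are compared, since a failed attempt from a distant address says nothing about where the legitimate user is, and consecutive logins from the same address are skipped so that a long session with periodic re-authentication does not generate noise.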
Mature
Found 31 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS003Authentication".
UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center)
Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared
passwords and potential misuse. Looking across the prior 65 minutes starting 5 minutes ago, search for time,
application, source (host, IP, name) and user ...
Aug 14, 2016
UC0014 Monitor use attempts of human accounts once primary account is expired disabled or deleted (Narrative and Use Case Center)
human user may own multiple accounts. When the primary account of the human is expired, disabled, or deleted,
we should expect no further activity from any other account owned by the user. Problem Types Addressed Risk
Addressed Event ...
Apr 08, 2016
UCESS016 Default Account Activity Detected (Narrative and Use Case Center)
Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default passwords
and are therefore commonly targeted by attackers using brute force attack tools. Looking across a realtime window
of /5 minutes, return lastTime, tag ...
Aug 14, 2016
UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center)
Detects authentication requests that transmit the password over the network as cleartext (unencrypted). Looking
across a realtime window of /5 minutes, calculate the max time and return time, original raw, tags and count
grouped by the application and destination (host, IP, name ...
Aug 14, 2016
UC0094 Insecure authentication method detected (Narrative and Use Case Center)
each authentication technology in the network identify the values of authentication events that positively ensure
that secure authentication is in use. Alert per authentication technology where a successful event occurs without
the required indicators Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016
UC0090 User account cross enclave access (Narrative and Use Case Center)
Detection of logon with the same account to a production and a non-production environment. If an account (not
user) has logged into more than one, account access management controls have failed and must be remediated
Problem Types Addressed Risk Addressed Event Data ...
Jun 24, 2016
UC0018 Unauthorized access SSO brute force (Narrative and Use Case Center)
Single IP address attempting authentication of more than two valid users within ten minutes where one or more
unique accounts is successful, and one or more accounts is not successful against an approved SSO System.
Problem Types Addressed ...
Apr 08, 2016
UC0034 Brute force successful authentication (Narrative and Use Case Center)
source IP identified by a brute force use case authenticates successfully OR an account identified by a brute force
use case successfully logs in after failing once from the same source address. Problem Types Addressed Risk
Addressed Event Data ...
Apr 27, 2016
UC0093 Previously active account has not accessed enclave/lifecycle (Narrative and Use Case Center)
Identify accounts no longer in use with access to high/critical or enclave systems and remove access when no
longer required. Implement a tracking list of accounts and the accessed enclave or business service identifier,
maintain the last accessed time and alert when the last ...
Jun 24, 2016
UC0033 Brute force authentication attempt distributed (Narrative and Use Case Center)
When more than 10 failed authentication attempts for known accounts occur for a single account from more than 2
IP addresses in 60 minutes. This could indicate an adversary has identified a specific high value account and is
attempting ...
Jun 08, 2016
UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)
Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity
or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode
RV6Misconfiguration ...
Apr 08, 2016
UC0042 SSH Authentication using unknown key (Narrative and Use Case Center)
public key utilized for authentication is recorded in the SSHD authentication log. Detection of a new key should be
investigated to determine the owner of the key and validate authorization to access the resource. Problem Types
Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance ...
Apr 11, 2016
UC0044 Network authentication using password auth (Narrative and Use Case Center)
Even using SSH encryption, allowing password authentication to Linux/Unix systems over the network increases
the attack surface and the possible impact of a compromised account. Investigate and resolve all instances of
network authentication utilizing password. Problem Types Addressed ...
Apr 11, 2016
UC0032 Brute force authentication attempt (Narrative and Use Case Center)
When more than 10 failed authentication attempts for known accounts occur from a single endpoint Problem Types
Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access
DS003AuthenticationET02Failure DE001AssetInformation DE002IdentityInformation Adoption Phase Customer ...
Apr 08, 2016
UC0017 Unauthorized access or risky use of NHA (Narrative and Use Case Center)
Detect the use of a Windows account designated by the organization as a non human account (NHA) outside of
the normal usage of such an account: login where the interactive indicator is set; login where the caller computer
is a workstation or terminal server. Problem Types Addressed Risk ...
Apr 08, 2016
UC0019 User authenticated to routine business systems while on extended absence (Narrative and Use Case
Center)
user on leave, vacation, sabbatical, or other types of leave should not access business systems. This could
indicate malicious activity by the employee or a compromised account. Problem Types Addressed Risk Addressed
Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access
DS003AuthenticationET01Success ...
Apr 08, 2016
UC0008 Activity on previously inactive account (Narrative and Use Case Center)
Excluding computer accounts in active directory, an account with new activity that has not been active in the
previous thirty days is suspicious. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode DS003AuthenticationET01Success
UCESS037 Inactive Account Activity Detected (Narrative and Use Case Center)
Discovers previously inactive accounts that are now being used. This may be due to an attacker that successfully
gained access to an account that was no longer being used. Execute the inactiveaccountusage macro and look
across the time range of less than 90 days ago and greater ...
Aug 14, 2016
UCESS023 Alerts on access attempts that are improbable based on time and geography. (Narrative and Use
Case Center)
Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this
could indicate a successful brute force attack). For the past 18 hours starting 5 minutes after realtime, list the
application, user ...
Aug 14, 2016
UC0009 Authenticated communication from a risky source network (Narrative and Use Case Center)
Internet facing authentication system has allowed authenticated access from a risky source network. Always
consider the following sources risky: anonymizing services such as VPN providers and proxy systems; threat list
identification of the IP; B2B communications; dial ...
Apr 08, 2016
UC0007 Account logon successful method outside of policy (Narrative and Use Case Center)
logon event properties could indicate account misuse in violation of policy OR as an indication of compromise by
comparing the identified purpose of the account to the context of the logon to determine if the account is
authorized for such usage. Accounts provisioned for human access should NOT be identified as logging on as a
network or batch ...
Jun 24, 2016
Labels: creative
UC0079 Use of accountable privileged identity to access new or rare sensitive resource (Narrative and Use Case
Center)
Use of an identity identified as privileged to access a system for the first time within a rolling time period will trigger
a notable event for review of access reason. Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT01Compliance PRT02SecurityVisibilityPriviledgeUserMonitoring RV1AbuseofAccess ...
Apr 08, 2016
UC0015 Privileged user accessing more than expected number of machines in period (Narrative and Use Case
Center)
Privileged user authenticates to more than X number of new targets successfully or is denied access to more than
Y targets in the prior Z hours. For example: more than 5 new targets; more than 3 failures; in the last ...
Apr 08, 2016
UC0071 Improbably short time between Remote Authentications with IP change (Narrative and Use Case Center)
employers that allow remote external connectivity the detection of two or more distinct values of external source IP
address for successful authentications to a remote access solution in a short period of time indicates a likely
compromise of credentials. The short period of time value ...
Apr 25, 2016
UC0016 Successfully authenticated computer accounts accessing network resources (Narrative and Use Case
Center)
Batch, Windows Services, App Pools, and specially constructed Windows shells can access network resources. A
small number of technical solutions will require this type of behavior, however, after excluding a white list of hosts
or shares (such as sysvol or netlogon), such access ...
Apr 08, 2016
UC0011 Improbable distance between logins (Narrative and Use Case Center)
Utilizing source IP address, geolocation data, and where available for company owned mobile devices, GPS for
mobile devices. Using the Haversine algorithm, calculate the distance between the authenticated successful
connections. Detect where: Total distance is greater than ...
Apr 08, 2016
UC0035 Compromised account access testing (Narrative and Use Case Center)
Following a successful authentication, an attacker will attempt to determine what resources may be accessed
without causing host intrusion or DLP technologies to detect activity. Commonly the attacker will enumerate and
browse to shares, access email, access web applications, or connect to databases ...
Apr 08, 2016
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS003Authentication" NOT contentBody:"DS003Authentication-*".
DS004EndPointAntiMalware
The weakest link in corporate security is the individual, and antivirus is one way to protect individuals from performing inadvertently harmful actions.
Whether it is clicking on an untrustworthy web link, downloading malicious software or opening a booby-trapped document (often one sent to them
by an unsuspecting colleague), antivirus can often prevent, mitigate or reverse the damage.
Security Value
Continuous Monitoring
Monitoring for detection of malicious code using signatures to maintain a clean environment and react to newly identified
weaknesses as exploited by attackers
Forensic Investigation
Identification of point of origin and potentially involved hosts in targeted and untargeted attacks
Legal compliance
Utilize communication logs to support discovery and defense of legal claims.
Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.
UCESS035 Host With Multiple Infections (Narrative and Use Case Center)
Alerts when a host with multiple infections is discovered. For the past 24 hours, using all summary data even if the
model has changed, return a distinct count of signatures and group by destination (host, IP, name). Alert when the
count is greater ...
Aug 14, 2016
UCESS025 High Number Of Infected Hosts (Narrative and Use Case Center)
Alerts when a high total number of infected hosts is discovered. For the past 15 days, using all summary data even
if the model has changed, return an estimated distinct count of destination (host, IP, name) where nodename is
MalwareAttacks ...
Aug 14, 2016
UCESS026 High Or Critical Priority Host With Malware Detected (Narrative and Use Case Center)
Alerts when an infection is noted on a host with high or critical priority. Looking across a realtime window of /5
minutes, search for destination priority (assigned in asset table) of high or critical and return most recently seen
time, original raw log, destination ...
Aug 14, 2016
UCESS027 High or Critical Priority Individual Logging into Infected Machine (Narrative and Use Case Center)
Detects users with a high or critical priority logging into a malware infected machine. Using all summary data even if
the model has changed, search for user over a 60 minute window starting 5 minutes after realtime where user
priority ...
Aug 14, 2016
UCESS024 High Number of Hosts Not Updating Malware Signatures (Narrative and Use Case Center)
Alerts when a high number of hosts not updating malware signatures have been discovered. These hosts should
be evaluated to determine why they are not updating their malware signatures. Execute the malware operations
tracker macro and calculate the timesignatureversion and return results that the day difference between ...
Apr 26, 2016
UCESS036 Host With Old Infection Or Potential Re-Infection (Narrative and Use Case Center)
Alerts when a host with an old infection is discovered (likely a reinfection). For the past 60 minutes starting 5
minutes after realtime, calculate the max time (lastTime) by signature and destination. Perform a lookup against
the malwaretracker and match on destination and signature. If a match ...
Apr 26, 2016
UCESS032 Host With A Recurring Malware Infection (Narrative and Use Case Center)
Alerts when a host has an infection that has been removed and reinfected multiple times over multiple days. For the past
10080 minutes (7 days) starting 5 minutes after realtime, using all summary data even if the model ...
Apr 26, 2016
UC0030 Endpoint uncleaned malware detection (Narrative and Use Case Center)
Endpoint with malware detection where anti malware product attempted to and was unable to clean, remove or
quarantine. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance
PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected
DDE007 Signature Special Processing List ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0029 Endpoint new malware detected by signature (Narrative and Use Case Center)
When a new malware variant is detected by endpoint antivirus technology it is possible the configuration or capability
of other controls is deficient. Review the sequence of events leading to the infection to determine if additional
preventive measures can be put in place. Problem Types Addressed Risk ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
Maturing
Found 6 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS004EndPointAntiMalware".
UC0088 User account sharing detection by source device ownership (Narrative and Use Case Center)
Detection of logon device by asset name (may require resolution from IP) when logon user does not match the
owner and the number of unique owned devices is greater than two in the prior 24 hours. Exclude assets identified
as loaner ...
May 16, 2016
UC0025 Endpoint Multiple devices in 48 hours in the same site (Narrative and Use Case Center)
Multiple infected devices in the same site could indicate a successful watering hole attack. Monitor for more than
5% of the hosts in a site. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected
DE001AssetInformation ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0026 Endpoint Multiple devices in 48 hours in the same subnet (Narrative and Use Case Center)
Multiple infected devices in the same subnet could indicate lateral movement of an adversary or a possible worm.
Monitor for more than 5% of the host addresses on a subnet as it is not readily possible to know how many hosts
are active on a subnet. Problem Types Addressed ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit (Narrative and
Use Case Center)
Multiple infected devices in the same organizational unit could indicate a successful spear phishing attack. Monitor
for more than 5% of the hosts in an organizational unit. Problem Types Addressed Risk Addressed Event Data
UC0028 Endpoint Multiple infections over short time (Narrative and Use Case Center)
Multiple infections detected on the same endpoint in a short period of time could indicate the presence of an
undetected loader malware component (apt). Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode
DS004EndPointAntiMalwareET01SigDetected DE001AssetInformation DDE007 ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0073 Endpoint detected malware infection from url (Narrative and Use Case Center)
Endpoint antimalware detection event occurred where the malicious content was retrieved from an external URL.
Possible indication of gaps in protection by web proxy, intrusion prevention, or advanced threat prevention. Use
the information available for the event and determine how existing ...
Apr 11, 2016
Labels: prt05-tacticalthreat-ransomeware
Mature
Found 6 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS004EndPointAntiMalware".
UC0088 User account sharing detection by source device ownership (Narrative and Use Case Center)
Detection of logon device by asset name (may require resolution from IP) when logon user does not match the
owner and the number of unique owned devices is greater than two in the prior 24 hours. Exclude assets identified
as loaner ...
May 16, 2016
UC0025 Endpoint Multiple devices in 48 hours in the same site (Narrative and Use Case Center)
Multiple infected devices in the same site could indicate a successful watering hole attack. Monitor for more than
5% of the hosts in a site. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected
DE001AssetInformation ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0026 Endpoint Multiple devices in 48 hours in the same subnet (Narrative and Use Case Center)
Multiple infected devices in the same subnet could indicate lateral movement of an adversary or a possible worm.
Monitor for more than 5% of the host addresses on a subnet as it is not readily possible to know how many hosts
are active on a subnet. Problem Types Addressed ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit (Narrative and
Use Case Center)
Multiple infected devices in the same organizational unit could indicate a successful spear phishing attack. Monitor
for more than 5% of the hosts in an organizational unit. Problem Types Addressed Risk Addressed Event Data
Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0028 Endpoint Multiple infections over short time (Narrative and Use Case Center)
Multiple infections detected on the same endpoint in a short period of time could indicate the presence of an
undetected loader malware component (apt). Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode
DS004EndPointAntiMalwareET01SigDetected DE001AssetInformation DDE007 ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0073 Endpoint detected malware infection from url (Narrative and Use Case Center)
Endpoint antimalware detection event occurred where the malicious content was retrieved from an external URL.
Possible indication of gaps in protection by web proxy, intrusion prevention, or advanced threat prevention. Use
the information available for the event and determine how existing ...
Apr 11, 2016
Labels: prt05-tacticalthreat-ransomeware
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS004EndPointAntiMalware".
DS005WebProxyRequest
Web proxies and some next generation firewalls may act in transparent or explicit mode, communicating with web servers on behalf of a client.
Using a number of related technologies the request and response can be permitted or blocked based on the user's role, the site or resource category, or an
attack indicator. Data logged in the events can potentially be used in detective correlation.
Security Value
Continuous Monitoring
Monitoring logs using analytic concepts such as new, rare, and extreme values over fields including sender, recipient, IP, and domain
to identify actors and potential victims of web-based attacks
Monitor user agent strings in relation to websites and categories for potential indication of malware command and control.
Monitor user agent strings and change in requests for a resource for potential indication of data exfiltration
Forensic Investigation
Utilize log events in combination with other events to identify potential actors involved in targeted activity
Utilize log events to identify additional possible victims of related attacks
Utilize log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.
UCESS063 Web Uploads to Non-corporate Sites by Users (Narrative and Use Case Center)
Alerts on high volume web uploads by a user to noncorporate domains. For the past 60 minutes starting 5 minutes
after realtime, sum the total number of bytes transferred where the HTTP method is POST or PUT and the domain
is not in the corporate web domain lookup ...
Aug 14, 2016
UC0001 Detection of new/prohibited web application (Narrative and Use Case Center)
A prohibited web application such as Box or a game on the Facebook platform can be detected and filtered by
modern web proxy solutions and next generation firewalls. Allowed prohibited applications or new application
instances should be reviewed to ensure proper use. Problem Types ...
Apr 08, 2016
UC0047 Communication with newly seen domain (Narrative and Use Case Center)
Newly seen domains may indicate interaction with risky or malicious servers. Identification of new domains via
web proxy logs without other IOCs allows the analyst/threat hunter to explore the relevant data and potentially
identify weaknesses or risky ...
Jul 20, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0081 Communication with unestablished domain (Narrative and Use Case Center)
Egress communication with a newly seen, newly registered, or registration date unknown domain may indicate the
presence of malicious code. Assets communicating with external services excluding Alexa TOP 1M whose
reputation score exceeds acceptable norms will be flagged ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware
Mature
Found 4 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS005WebProxyRequest".
UCESS063 Web Uploads to Non-corporate Sites by Users (Narrative and Use Case Center)
Alerts on high volume web uploads by a user to noncorporate domains. For the past 60 minutes starting 5 minutes
after realtime, sum the total number of bytes transferred where the HTTP method is POST or PUT and the domain
is not in the corporate web domain lookup ...
Aug 14, 2016
UC0001 Detection of new/prohibited web application (Narrative and Use Case Center)
A prohibited web application such as Box or a game on the Facebook platform can be detected and filtered by
modern web proxy solutions and next generation firewalls. Allowed prohibited applications or new application
instances should be reviewed to ensure proper use. Problem Types ...
Apr 08, 2016
UC0047 Communication with newly seen domain (Narrative and Use Case Center)
Newly seen domains may indicate interaction with risky or malicious servers. Identification of new domains via
web proxy logs without other IOCs allows the analyst/threat hunter to explore the relevant data and potentially
identify weaknesses or risky ...
Jul 20, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0081 Communication with unestablished domain (Narrative and Use Case Center)
Egress communication with a newly seen, newly registered, or registration date unknown domain may indicate the
presence of malicious code. Assets communicating with external services excluding Alexa TOP 1M whose
reputation score exceeds acceptable norms will be flagged ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware
Providing Technologies
Found 6 search result(s) for title:PT* contentBody:"DS005WebProxyRequest".
DS010NetworkCommunicationET01TrafficAppAware providertype
Apr 06, 2016
Labels: provider-type
DS006UserActivity
User activity within the organization environment, such as create, read (display), update, delete, and search events, must include critical data such as
action, result, app, and a locator URI allowing normalized search on the targets of activity.
Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.
UC0040 Use of Shared Secret for or by automated process with risky attributes (Narrative and Use Case Center)
Usage (checkout) by an automated process such as software installation of a shared secret or service account
where the source of the retrieval is new or outside of the change window. Problem Types Addressed Risk
Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity
RV1AbuseofAccess RV2Access ...
Apr 11, 2016
UC0080 Trusted Individual exceeds authorization in observation of other users (Narrative and Use Case Center)
Evaluate queries executed by authorized trusted individuals to determine if the user is observing the behavior of
other users for reasons not authorized as part of the user's job function. Problem Types Addressed Risk
Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity
RV1AbuseofAccess ...
Apr 25, 2016
UC0013 Monitor change for high value groups (Narrative and Use Case Center)
Detection of change for groups used to control access for sensitive, regulated, or critical infrastructure systems.
Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity
RV2Access DS006UserActivityET04Update DE002IdentityInformation Identity category terminated Identity
category reductioninforce ...
Apr 08, 2016
UC0038 Excessive use of Shared Secrets (Narrative and Use Case Center)
Usage of greater than X number of unique shared/secret credentials or more than 1 standard deviation from peers
Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance
PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access DS006UserActivityET07ExecuteAs ...
Apr 11, 2016
UC0039 Use of Shared Secret for access to critical or sensitive system (Narrative and Use Case Center)
Use of a secret/shared secret account for access to such a system rather than accountable credentials could
indicate an attempt to avoid detection. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance PRT02SecurityVisibilityUserActivity RV1AbuseofAccess RV2Access
DS006UserActivityET07ExecuteAs ...
Apr 11, 2016
UCESS042 New User Account Created On Multiple Hosts (Narrative and Use Case Center)
Useraccountstracker returns destination (host, IP, name), user, firstTime, lastTime and isinteractive. Create
earliestQual based on 24 hours ago, snapped to the top of the hour and latestQual which is now. Return values
where firstTime is greater than or equal to earliestQual ...
Aug 14, 2016
Providing Technologies
Found 1 search result(s) for title:PT* contentBody:"DS006UserActivity".
DS007AuditTrail
Audit trail events represent a special class of events which can be triggered based on automated or user interaction with systems and indicate a
condition has occurred where the integrity of the source is suspect at a point in time.
Security Value
Continuous Monitoring - Identification of conditions which may impact the trustworthiness of a log source
Forensic Investigation - Identification of point in time where trust in the log source may be suspect
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Utilize logs to establish a time sequence
Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.
UC0006 Windows security event log purged (Narrative and Use Case Center)
Manually clearing the security event log on a Windows system is a violation of policy and could indicate an attempt
to cover malicious actions. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV1AbuseofAccess DS007AuditTrailET01Clear
DE001AssetInformation Adoption ...
Apr 08, 2016
UC0046 Endpoint failure to sync time (Narrative and Use Case Center)
Failure to synchronize time will impact the usefulness of security log data from the endpoint, and potentially
prevent valid authentication. Exclude virtual machine guests as their time is synchronized with the virtual host.
Problem Types Addressed Risk Addressed Event Data Sources ...
Apr 25, 2016
UCESS022 Expected Host Not Reporting (Narrative and Use Case Center)
... Types Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware
RV6Misconfiguration DS007AuditTrail DE001AssetInformation Adoption Phase Customer Adoption Phase SME
Adoption Phase Industry ...
Aug 14, 2016
Maturing
Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS007AuditTrail-*".
UCESS006 Anomalous Audit Trail Activity Detected (Narrative and Use Case Center)
Discovers anomalous activity such as the deletion of or clearing of log files. Attackers oftentimes clear the log files
in order to hide their actions, therefore, this may indicate that the system has been compromised. Looking across a
realtime window of /5 minutes, search for action ...
Aug 14, 2016
UCESS050 Should Timesync Host Not Syncing (Narrative and Use Case Center)
Detects when hosts that are required to synchronize their clocks have failed to do so. Time synchronization is
important because it ensures that the event logs are stamped with the proper time. Additionally, this is required by
some regulatory compliance standards (such as PCI). For the past 30 days ...
Aug 14, 2016
Mature
UCESS006 Anomalous Audit Trail Activity Detected (Narrative and Use Case Center)
Discovers anomalous activity such as the deletion of or clearing of log files. Attackers oftentimes clear the log files
in order to hide their actions, therefore, this may indicate that the system has been compromised. Looking across a
realtime window of /5 minutes, search for action ...
Aug 14, 2016
UCESS050 Should Timesync Host Not Syncing (Narrative and Use Case Center)
Detects when hosts that are required to synchronize their clocks have failed to do so. Time synchronization is
important because it ensures that the event logs are stamped with the proper time. Additionally, this is required by
some regulatory compliance standards (such as PCI). For the past 30 days ...
Aug 14, 2016
Providing Technologies
Found 1 search result(s) for title:PT* contentBody:"DS007AuditTrail".
DS008HRMasterData
Master Data system for Human Resources may publish an event indicating critical changes impacting people in an organization. Human
Resources records include the entire employee lifecycle including recruitment, selection, hiring, job position and classification, promotion, salary,
and bonuses, performance and ratings, disciplinary actions, training and certifications, and separation or retirement. For hourly employees, HR
data often includes time and attendance records. HR systems often feed payroll and finance systems for processing salary and benefits. HR
records provide the definitive source of employee information for identity management systems and enterprise directories, making them an
important source for authentication and authorization data. Although HR data traditionally has been textual, it increasingly includes images and
biometric information such as an employee's portrait, fingerprints, and iris scans.
Security Value
Continuous Monitoring - Identification of events which could increase the risk of a user
Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.
Maturing
Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS008HRMasterData-*".
UC0012 Increase risk score of employees once adverse separation is identified or anticipated (Narrative and Use
Case Center)
Increase the risk score of users who have indication of adverse separation. Examples of users with an indication of
adverse separation, include but are not limited to the following: User has entered a remediation program with
human resources User has been identified as included in a reduction ...
Apr 08, 2016
UC0019 User authenticated to routine business systems while on extended absence (Narrative and Use Case
Center)
... Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access
DS003AuthenticationET01Success DS008HRMasterData DE001AssetInformation DE002IdentityInformation
Adoption Phase Customer Adoption Phase SME Adoption Phase ...
Apr 08, 2016
Mature
Found 2 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS008HRMasterData-*".
UC0012 Increase risk score of employees once adverse separation is identified or anticipated (Narrative and Use
Case Center)
Increase the risk score of users who have indication of adverse separation. Examples of users with an indication of
adverse separation, include but are not limited to the following: User has entered a remediation program with
human resources User has been identified as included in a reduction ...
Apr 08, 2016
UC0019 User authenticated to routine business systems while on extended absence (Narrative and Use Case
Center)
... Addressed Risk Addressed Event Data Sources Enrichment PRT02SecurityVisibilityUserActivity RV2Access
DS003AuthenticationET01Success DS008HRMasterData DE001AssetInformation DE002IdentityInformation
Adoption Phase Customer Adoption Phase SME Adoption Phase ...
Apr 08, 2016
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS008HRMasterData".
DS009EndPointIntel
In this context, endpoint refers to the security client software or agent installed on a client device that logs security-related activity not otherwise
generated by the host operating system: client OS login, logout and shutdown events, and the activity of applications such as the browser
(Explorer, Edge), mail client (Outlook) and Office applications. Endpoints also log their configuration and various security parameters (certificates,
local anti-malware signatures, etc.), all of which is useful in post hoc forensic security incident analysis. Sources of endpoint data vary in their
coverage; consider Microsoft EMET, Microsoft Sysmon, Tripwire, Bit9, SolidCore, or McAfee HIDS as examples.
Security Value
Continuous Monitoring - Monitoring logs using analytic concepts such as new, rare and extreme values over fields including sender, recipient, IP
and domain to identify actors and potential victims of email-based attacks
Forensic Investigation
Utilize email log events in combination with other events to identify potential actors involved in targeted activity
Utilize email log events to identify additional possible victims of email-based attacks
Utilize email log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
Utilize email logs to support discovery and defense of legal claims.
Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.
UC0031 Non human account starting processes not associated with the purpose of the account (Narrative and
Use Case Center)
Accounts designated for use by services and batch process should start a limited set of child processes. Creation
of new child processes other than the process name defined in the service or batch definition may indicate
compromise. Problem Types Addressed ...
Apr 08, 2016
UC0031 Non human account starting processes not associated with the purpose of the account (Narrative and
Use Case Center)
Accounts designated for use by services and batch process should start a limited set of child processes. Creation
of new child processes other than the process name defined in the service or batch definition may indicate
compromise. Problem Types Addressed ...
Apr 08, 2016
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS009EndPointIntel".
DS010NetworkCommunication
Network communication data is a record of communication between two systems, commonly using TCP/IP version 4 or version 6. Network
communication can be recorded by a number of technologies including host operating systems, firewalls, switches, routers, deep packet
inspection, and intrusion detection systems.
Firewalls demarcate zones of different security policy. By controlling the flow of network traffic, firewalls act as gatekeepers collecting
valuable data that might not be captured in other locations due to the firewall's unique position as the gatekeeper to network traffic.
Firewalls also execute security policy and thus may break applications using unusual or unauthorized network protocols.
Deep Packet Inspection (DPI) is a fundamental technique used by firewalls to inspect the headers and the payload of network packets
before passing them down the network, subject to security rules. DPI provides information about the source and destination of the packet,
the protocol, other IP and TCP/UDP header information, and the actual data.
Virtual private networks (VPNs) are a way of building a secure extension of a private network over an insecure, public one. VPNs can be
established either between networks, routing all traffic between two sites, or between a client device and a network. Network-to-network
VPNs typically are created using strong credentials such as certificates on each end of the connection. Client-to-network VPNs rely on
user authentication, which can be as simple as a username and password. VPNs use network tunneling
IDS and IPS are complementary, parallel security systems that supplement firewalls: IDS by exposing successful network and server
attacks that penetrate a firewall, and IPS by providing more advanced defenses against sophisticated attacks. IDS is typically placed at
the network edge, just inside a perimeter firewall, although some organizations also put a system outside the firewall to provide greater
intelligence about all attacks. Likewise, IPS is typically placed at the network perimeter, although it also may be used in layers at other
points inside the network or on individual servers. IPS usually works by dropping packets, resetting network connections and blacklisting
specific IP addresses or ranges. Though this type of source can provide this data, it is rarely implemented at scale due to performance and
placement constraints in the enterprise network.
Switches are network intersections, places where packets move from one network segment to another. In their purest form, switches
work within a particular IP subnet and can't route Layer 3 packets on to another network. Modern data center designs typically use a
two-tier switch hierarchy: top-of-rack (ToR) switches connecting servers and storage arrays at the edge, and aggregation or spine
switches connecting to the network core. Although Ethernet switches are far more widespread, some organizations also use Fibre
Channel or InfiniBand for storage area networks or HPC interconnects, each of which has its own type of switch.
Routers are devices responsible for ensuring that traffic goes to the right network segment. Unlike switches that operate at Layer 2,
routers work at Layer 3, directing traffic based on TCP/IP address and protocol (port number). Routers are responsible for particular
Layer 3 address spaces and manage traffic using information in routing tables and configured policies. Routers exchange information and
update their forwarding tables using dynamic routing protocols.
NetFlow is a network monitoring protocol, originally developed by Cisco but now supported by most equipment vendors, that provides a
detailed record of network traffic organized by packet flow. A flow is defined as a set of IP packets sharing a set of five to seven
attributes, namely IP source and destination address, source and destination port, Layer 3 protocol type, class of service (CoS) and
router or switch interface (physical port). Flow records can be exported and aggregated to show traffic movement, statistics, and historical
trends.
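To make the flow definition above concrete, the following Python is an added example (not Splunk's code and not part of the original document) that groups constructed packet records by the NetFlow attributes listed in the paragraph, aggregates them into flow records, and then applies two of the analytic checks this data source is listed as supporting further down (an endpoint talking to an excessive number of unique hosts, UC0022, and to an excessive number of unique destination ports, UC0023), including the exclusion of an authorized scanner as UC0022 suggests. The packet records, addresses, thresholds and the scanner exclusion set are all constructed for illustration.

```python
"""Flow-key aggregation over NetFlow-style packet records and two simple
fan-out detections per source address.  Constructed example, not Splunk code."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# The flow key is the attribute set NetFlow groups packets by: source and
# destination address, source and destination port, Layer 3 protocol,
# class of service, and the input interface.
FlowKey = Tuple[str, str, int, int, str, int, int]


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str   # "tcp" or "udp"
    cos: int     # class of service
    iface: int   # ingress interface index on the exporting device
    octets: int  # packet size in bytes


def flow_key(p: Packet) -> FlowKey:
    return (p.src, p.dst, p.sport, p.dport, p.proto, p.cos, p.iface)


def aggregate_flows(packets: Iterable[Packet]) -> Dict[FlowKey, Dict[str, int]]:
    """Collapse packets sharing a flow key into one flow record with counters."""
    flows: Dict[FlowKey, Dict[str, int]] = defaultdict(lambda: {"packets": 0, "octets": 0})
    for p in packets:
        rec = flows[flow_key(p)]
        rec["packets"] += 1
        rec["octets"] += p.octets
    return dict(flows)


def fan_out(flows: Dict[FlowKey, Dict[str, int]],
            exclude: Set[str] = frozenset()) -> Dict[str, Tuple[int, int]]:
    """Per source address: (distinct destination hosts, distinct destination ports).
    Sources in `exclude` (e.g. authorized scanners) are skipped."""
    hosts: Dict[str, Set[str]] = defaultdict(set)
    ports: Dict[str, Set[int]] = defaultdict(set)
    for (src, dst, _sport, dport, _proto, _cos, _iface) in flows:
        if src in exclude:
            continue
        hosts[src].add(dst)
        ports[src].add(dport)
    return {s: (len(hosts[s]), len(ports[s])) for s in hosts}


def detect(flows: Dict[FlowKey, Dict[str, int]], max_hosts: int = 10,
           max_ports: int = 10, exclude: Set[str] = frozenset()) -> List[Tuple[str, str, int]]:
    """Flag sources whose fan-out exceeds the (constructed) thresholds."""
    findings = []
    for src, (n_hosts, n_ports) in fan_out(flows, exclude).items():
        if n_hosts > max_hosts:
            findings.append((src, "excessive_unique_hosts", n_hosts))
        if n_ports > max_ports:
            findings.append((src, "excessive_unique_ports", n_ports))
    return sorted(findings)


def sample_packets() -> List[Packet]:
    """Constructed traffic: a normal workstation, an authorized scanner,
    a host sweeping one port across many hosts, and a host probing many ports."""
    pk: List[Packet] = []
    for i in range(3):                      # workstation: 3 servers over HTTPS
        for _ in range(5):                  # 5 packets each -> same flow key
            pk.append(Packet("10.0.1.10", f"10.0.2.{i + 1}", 50000 + i, 443, "tcp", 0, 1, 1500))
    for i in range(50):                     # authorized scanner (category svcnetworkscanner)
        pk.append(Packet("10.0.0.9", f"10.0.3.{i + 1}", 40000 + i, 22, "tcp", 0, 1, 60))
    for i in range(20):                     # one port, many hosts
        pk.append(Packet("10.0.5.7", f"10.0.4.{i + 1}", 41000 + i, 445, "tcp", 0, 2, 60))
    for port in range(1, 31):               # one host, many ports
        pk.append(Packet("10.0.5.8", "10.0.4.99", 42000 + port, port, "tcp", 0, 2, 60))
    return pk


if __name__ == "__main__":
    flows = aggregate_flows(sample_packets())
    for finding in detect(flows, exclude={"10.0.0.9"}):
        print(finding)
```

The aggregation step is what an exporter does before records reach the SIEM; the detection step is what the UC0022/UC0023 searches express over those records, with `exclude` standing in for the `svcnetworkscanner` category filter so that authorized scanners do not generate findings.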
Security Value
Continuous Monitoring
Monitoring using analytic concepts such as new, rare and extreme values over IP, port and protocol fields to identify actors and
potential victims of network-based attacks
Monitoring for blocked communication activity by intermediate defensive systems such as firewalls and intrusion detection
systems
Forensic Investigation
Utilize communication log events in combination with other events to identify potential actors involved in targeted activity
Utilize communication log events to identify additional ingress and egress points
Utilize communication log events to identify pivot points utilized by attackers to move into controlled network segments
Utilize communication log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
Utilize communication logs to support discovery and defense of legal claims.
Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.
UCESS030 High Volume of Traffic from High or Critical Host Observed (Narrative and Use Case Center)
Alerts when a host of high or critical severity generates a high volume of outbound traffic. This may indicate that
the host has been compromised. For the past 60 minutes starting 5 minutes after realtime, using all summary data
even ...
Apr 26, 2016
UC0002 Detection of prohibited protocol (application) (Narrative and Use Case Center)
prohibited protocol such as IRC, FTP, or gopher could indicate malicious activity or the implementation of an
insecure system on the network. Consider intranetwork communication and accepted communications from the
internet Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware ...
Apr 08, 2016
UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case Center)
Any attempted communication through the firewall not previously granted by ingress/egress policies could indicate
either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions (bypassing
the firewall). Legacy Command and Control (a.k.a. C&C or C2 ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
Maturing
Found 12 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS010NetworkCommunication-*".
UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center)
primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and
associates identity and asset information with each. Looking back over the past 24 hours, return values of the
function and their distinct count grouped by destination (host ...
Aug 14, 2016
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host based logs such as firewall or host intrusion detection for each asset with a governance category verify
communication (accept or reject) has occurred with origination from one or more authorized vulnerability scanners,
Problem Types Addressed Risk Addressed ...
Jul 12, 2016
UC0082 Communication with enclave by default rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of
the organization or actual/attempted compromise. Communication filtered by the default rule implies no explicit
permission for communication has been granted and should be reviewed. Consider ingress ...
Apr 27, 2016
UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center)
Using network communication fingerprinting detect distinct primary functions such as SQL, HTTP, DNS by
destination asset. Alert if more than one primary function excluding administrative protocols (RDP,SSH, iDrac).
Problem Types Addressed Risk Addressed ...
Apr 28, 2016
UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall
rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of
the organization or actual/attempted compromise. Maintain a dynamic list of firewall rule names by dvc; alert when
a rule is named in an allowed communication where the reviewed ...
Apr 27, 2016
UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center)
Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the
source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices
ensure the first "xforwardedfor" entry ...
Jun 24, 2016
UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)
Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity
or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode
RV6Misconfiguration ...
Apr 08, 2016
UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center)
Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may
indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed Event
Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe ...
Apr 08, 2016
UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center)
Endpoints communicating with an excessive number of unique destination ports could indicate malicious code
probing for vulnerabilities. Certain server applications will arrange for communication on a high number port with
the client such as ftp in passive mode and RPC on windows server. Utilize category ...
Apr 08, 2016
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016
UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center)
Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of
new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor
or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return values ...
Aug 14, 2016
Mature
Found 12 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS010NetworkCommunication-*".
UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center)
primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and
associates identity and asset information with each. Looking back over the past 24 hours, return values of the
function and their distinct count grouped by destination (host ...
Aug 14, 2016
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host based logs such as firewall or host intrusion detection for each asset with a governance category verify
communication (accept or reject) has occurred with origination from one or more authorized vulnerability scanners,
Problem Types Addressed Risk Addressed ...
Jul 12, 2016
UC0082 Communication with enclave by default rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of
the organization or actual/attempted compromise. Communication filtered by the default rule implies no explicit
permission for communication has been granted and should be reviewed. Consider ingress ...
Apr 27, 2016
UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center)
Using network communication fingerprinting detect distinct primary functions such as SQL, HTTP, DNS by
destination asset. Alert if more than one primary function excluding administrative protocols (RDP,SSH, iDrac).
Problem Types Addressed Risk Addressed ...
Apr 28, 2016
UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall
rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of
the organization or actual/attempted compromise. Maintain a dynamic list of firewall rule names by dvc; alert when
a rule is named in an allowed communication where the reviewed ...
Apr 27, 2016
UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center)
Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the
source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices
ensure the first "xforwardedfor" entry ...
Jun 24, 2016
UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)
Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity
or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode
RV6Misconfiguration ...
Apr 08, 2016
UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center)
Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may
indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed Event
Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe ...
Apr 08, 2016
UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center)
Endpoints communicating with an excessive number of unique destination ports could indicate malicious code
probing for vulnerabilities. Certain server applications will arrange for communication on a high number port with
the client such as ftp in passive mode and RPC on windows server. Utilize category ...
Apr 08, 2016
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016
UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center)
Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of
new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor
or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return values ...
Aug 14, 2016
Providing Technologies
DS011MalwareDetonation
Malware detonation systems, also known as sandboxing systems, execute potentially malicious code in a clean environment for the purpose of
collecting events related to its actions. Using automated and manual analysis, indicators can be determined which can inform additional breach
detection and prevention capability.
Security Value
Continuous Monitoring - Monitoring email server logs using analytic concepts such as new, rare and extreme values over fields including sender,
recipient, IP and domain to identify actors and potential victims of email-based attacks
Forensic Investigation - Logs can be utilized to determine if actions from a user/host may indicate control by a third party
Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.
Providing Technologies
Found 4 search result(s) for title:PT* contentBody:"DS010NetworkCommunication".
DS012NetworkIntrusionDetection
What is Intrusion Detection/Prevention? IDS and IPS are complementary, parallel security systems that supplement firewalls: IDS by exposing
successful network and server attacks that penetrate a firewall, and IPS by providing more advanced defenses against sophisticated attacks. IDS
is typically placed at the network edge, just inside a perimeter firewall, although some organizations also put a system outside the firewall to
provide greater intelligence about all attacks. Likewise, IPS is typically placed at the network perimeter, although it also may be used in layers at
other points inside the network or on individual servers. IPS usually works by dropping packets, resetting network connections and blacklisting
specific IP addresses or ranges.
Security Value
Continuous Monitoring - Monitoring logs using analytic concepts such as new, rare and extreme values over fields including IP and signature
to identify actors and potential victims of network vulnerability-based attacks
Forensic Investigation
Identify compromised or potentially compromised hosts based on exploitation data
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.
UCESS061 Vulnerability Scanner Detected (by targets) (Narrative and Use Case Center)
Detects a potential vulnerability scanner by detecting devices that have triggered events against a large number of
unique targets. Vulnerability scanners generally trigger events against a high number of unique hosts when they
are scanning a network for vulnerable hosts. For the past ...
Aug 14, 2016
UCESS060 Vulnerability Scanner Detected (by events) (Narrative and Use Case Center)
Detects a potential vulnerability scanner by detecting devices that have triggered a large number of unique events.
Vulnerability scanners generally trigger a high number of unique events when scanning a host, since each
vulnerability check tends to trigger a unique ...
Aug 14, 2016
UC0074 Network Intrusion Internal Network (Narrative and Use Case Center)
IDS/IPS detecting or blocking an attack based on a known signature. Problem Types Addressed Risk Addressed
Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode
DS012NetworkIntrusionDetectionET01SigDetection DE001AssetInformation Adoption Phase Customer Adoption
Phase SME Adoption Phase ...
May 09, 2016
Labels: prt05-tacticalthreat-ransomeware
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS012NetworkIntrusionDetection-*".
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS012NetworkIntrusionDetection-*".
Providing Technologies
DS013TicketManagement
Ticket management from tracking systems responsible for the security and operational health of the environment(s) provides a rich resource for
evaluating the effectiveness of the security program, as well as of the detective and preventive controls in place.
Security Value
Continuous Monitoring - Monitoring the effective execution of triage and remediation activities.
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Establish a timeline of what was known, when and by whom
Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.
Maturing
Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS013TicketManagement-*".
UC0084 Monitor Execution of Triage Activity (Narrative and Use Case Center)
Define and maintain event types for unsuppressed notable events, separately identifying the review workflow and
the triage SLA required. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS013TicketManagementET01 TBD Adoption
Phase ...
Apr 27, 2016
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS013TicketManagement".
DS014WebServer
Web server logs allow attribution of activity to a specific source IP and, when authenticated, to a user. The logs are detailed records of every
transaction: every time a browser requests a web page, Apache log details include items such as the time, remote IP address, browser type and
page requested. Web Servers also log various error conditions such as a request for a missing file, attempts to access a file without appropriate
permissions or problems with extension modules. Web Server logs are critical in debugging both web application and server problems but are
also used to generate traffic statistics, track user behavior and flag security attacks such as attempted unauthorized entry or DDoS.
Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.
Security Value
Continuous Monitoring - Monitoring server logs using analytic concepts such as new, rare and extreme values over fields including site, resource and IP
to identify actors and potential victims of attacks
Monitoring server logs using analytic concepts to identify potential DoS attacks by an increasing number of requests for sites or a
specific resource
Forensic Investigation
Utilize log events in conjunction with other events to identify potential actors involved in targeted activity
Utilize log events to identify scope of exploitation
Utilize log events to identify scope of time for an incident
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Maturing
Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS014WebServer-*".
UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center)
Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute
period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ...
Aug 16, 2016
UC0077 Detection Risky Referral Domains (Narrative and Use Case Center)
Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the
following sequence occurs New domain in http referrer field First occurrence of domain as sender domain is less
than 48 ...
Jun 24, 2016
Labels: creative
UC0085 Alert per host where web application logs indicate a source IP not classified as WAF (Narrative and Use
Case Center)
Communication to any web application server without filtering by a network web application firewall indicates a
security misconfiguration. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS014WebServerET01Access DDE001 Asset
Information ...
Apr 27, 2016
Mature
Found 3 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS014WebServer-*".
UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center)
Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute
period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ...
Aug 16, 2016
UC0077 Detection Risky Referral Domains (Narrative and Use Case Center)
Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the
following sequence occurs New domain in http referrer field First occurrence of domain as sender domain is less
than 48 ...
Jun 24, 2016
Labels: creative
UC0085 Alert per host where web application logs indicate a source IP not classified as WAF (Narrative and Use
Case Center)
Communication to any web application server without filtering by a network web application firewall indicates a
security misconfiguration. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS014WebServerET01Access DDE001 Asset
Information ...
Apr 27, 2016
Providing Technologies
Found 1 search result(s) for title:PT* contentBody:"DS014WebServer".
DS015ConfigurationManagement
Configuration management solutions such as VMware vCenter, MAAS, Puppet, Chef, System Center Configuration Manager and System Center
Virtual Machine Manager. Events generated by these systems can support security investigations by providing information about who applied
what changes to which systems. Additional information such as the base image utilized and birth and death timestamps provides data
useful to identify windows of vulnerability.
Security Value
Continuous Monitoring - Monitoring of privileged user activity such as change outside of windows, access to sensitive configuration
values or modification to critical controls
Forensic Investigation
Establish a time line of activities of a privileged user
Establish when controls were placed or removed on a specific host
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.
Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS015ConfigurationManagement*".
Providing Technologies
Found 1 search result(s) for title:PT* contentBody:"DS014WebServer" NOT contentBody:"DS015ConfigurationManagement-*".
DS016DataLossPrevention
Data loss prevention solutions can identify human and automated activities as they interact with restricted information creating an audit trail of
attempted actions and the systems response such as allow or block.
Security Value
Continuous Monitoring - Monitoring alerts indicating policy violation or attempted policy violation to prompt immediate action by security monitoring.
Monitoring alerts indicating excessive interaction with restricted information as possible indication of compromise
Forensic Investigation
Utilize events in conjunction with other events to identify potential actors involved in targeted activity
Utilize events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Utilize logs to support documentation of compliance
Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS016DataLossPrevention-*".
Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS016DataLossPrevention-*".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS016DataLossPrevention".
DS017PhysicalSecurity
Most organizations use automated systems to secure physical access to facilities. Historically, these have been simple magnetic strips affixed to
employee badges; however, locations with stringent security requirements may use some form of a biometric reader or digital key. Regardless of
the technology, the systems compare an individual's identity with a database and activate doors when the user is authorized to enter a particular
location. As digital systems, badge readers record information such as user ID, date and time of entry and perhaps a photo for each access
attempt. Motion and sensor indicators may also be useful in extreme situations where physical access is limited tightly.
Security Value
Forensic Investigation
Utilize log events to place a badge (single factor) or person (two-factor bio/pin) in a specific location
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS017PhysicalSecurity-*".
Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS017PhysicalSecurity-*".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS017PhysicalSecurity".
DS018VulnerabilityDetection
An effective way to find security holes is to examine one's infrastructure from the attacker's point of view. Vulnerability scans probe an
organization's network for known software defects that provide entry points for external agents. The scans yield data about open ports and IP
addresses that could be used by malicious agents to gain entry to a particular system or an entire network. Systems often keep network services
running by default, even when they aren't required for a particular server. These running but orphaned (that is, unmonitored) services are a common
means of external attack, since they may not be patched with the latest OS security updates. Broad-scale vulnerability scans can reveal security
holes that could be leveraged to access an entire enterprise network.
Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS018VulnerabilityDetection-*".
Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS018VulnerabilityDetection-*".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS018VulnerabilityDetection".
DS019PatchManagement
Keeping operating systems and applications updated with the latest bug fixes and security patches is an essential task that can prevent
unplanned downtime, random application crashes and security breaches. Although commercial apps and OSs often have embedded patching
software, some organizations use independent patch management software to consolidate patch management and ensure the consistent
application of patches across their software fleet and to build patch jobs for custom, internal applications. Patch management software keeps a
patch inventory using a database of available updates and can match these against an organization's installed software. Other features include
patch scheduling, post-install testing and validation and documentation of required system configurations and patching procedures.
Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS019PatchManagement-*".
Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS019PatchManagement-*".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS019PatchManagement".
DS020HostIntrustionDetection
Host-based Intrusion Detection events provide signature-based detection of changes that could weaken the security posture of the host, based on
changes to entire files or to specific configuration. Such data can be very valuable in identifying when critical changes have occurred in the
environment.
Security Value
Continuous Monitoring - Monitoring of alerts generated to ensure the SOC triages events in a timely manner
Forensic Investigation
Utilize log events in conjunction with other events to identify potential actors involved in targeted activity
Utilize log events to identify additional possible victims of email-based attacks
Utilize log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.
Maturing
Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS020HostIntrustionDetection-*".
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host-based logs such as firewall or host intrusion detection, for each asset with a governance category verify
that communication (accept or reject) has occurred originating from one or more authorized vulnerability scanners.
Problem Types Addressed Risk Addressed ...
Jul 12, 2016
UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center)
Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the
source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices,
ensure the first "xforwardedfor" entry ...
Jun 24, 2016
Mature
Found 2 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS020HostIntrustionDetection-*".
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host-based logs such as firewall or host intrusion detection, for each asset with a governance category verify
that communication (accept or reject) has occurred originating from one or more authorized vulnerability scanners.
Problem Types Addressed Risk Addressed ...
Jul 12, 2016
UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center)
Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the
source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices,
ensure the first "xforwardedfor" entry ...
Jun 24, 2016
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS020HostIntrustionDetection".
DS021Telephony
Real-time business communications are no longer limited to voice calls provided by Plain Old Telephone Service (POTS); instead, voice, video,
text messaging and web conferences are IP applications delivered over existing enterprise networks. Unlike traditional client-server or web
applications, telephony and other communications applications have strict requirements on network quality of service, latency and packet loss,
making service quality and reliability much more sensitive to network conditions and server responsiveness. Traditional POTS has conditioned
people to expect immediate dial tone when picking up the phone and be intolerant of noise, echo or other problems that can plague IP telephony;
as such, the systems and supporting infrastructure require careful monitoring and management to assure quality and reliability. Voice over IP
protocol refers to several methods for transmitting real-time audio (and now video) information over an IP-based data network. Unlike traditional
phone systems using dedicated, point-to-point circuits, VoIP applications use packet-based networks to carry real-time audio streams that are
interspersed with other Ethernet data traffic. Since TCP packets may be delivered out of order due to data loss and retransmission, VoIP includes
features to buffer and reassemble a stream. Similarly, VoIP packets are usually tagged with quality of service (QoS) headers to prioritize their
delivery through the network.
Security Value
Forensic Investigation
Utilize log events in conjunction with other events to identify potential actors involved in targeted activity
Utilize log events to identify additional possible victims of social engineering attacks
Utilize log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS021Telephony-*".
Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS021Telephony-*".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS021Telephony".
DS022Performance
Measures of system activity such as CPU load, memory and disk usage, and I/O traffic are the IT equivalent of EKGs to a doctor: the vital signs
that show system health. Recording these measures provides a record of system activity over time that shows normal, baseline levels and
unusual events. By registering myriad system parameters, performance logs also can highlight mismatches between system capacity and
application requirements, such as a database using all available system memory and frequently swapping to disk. Application performance
management (APM) software provides end-to-end measurement of complex, multitier applications to provide performance metrics from an end
user's perspective. APM logs also provide event traces and diagnostic data that can assist developers in identifying performance bottlenecks or
error conditions. The data from APM software provides both a baseline of typical application performance and a record of anomalous behavior or
performance degradation. Carefully monitoring APM logs can provide early warning to application problems and allow IT and developers to
remediate issues before users experience significant degradation or disruption. APM logs also are required to perform post-hoc forensic analysis
of complex application problems that may involve subtle interactions between multiple machines and/or network devices.
Security Value
Continuous Monitoring
Monitor system resources for increased utilization or exhaustion as possible indication of denial of service attack
Monitor system resources for increased utilization or exhaustion as possible indication of brute force attack.
Forensic Investigation
Utilize log events in conjunction with other events to identify potential actors involved in targeted activity
Utilize log events to identify additional possible victims of social engineering attacks
Utilize log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS022Performance-*".
Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS022Performance-*".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS022Performance".
DS023CrashReporting
Crash reports, including summaries of dumps, exceptions and hangs, can indicate attempts at exploitation of processes by malicious code or
significant programming errors allowing possible future exploitation or failure of business services.
Security Value
Continuous Monitoring
Monitor and triage occurrences as possible indication of attack
Forensic Investigation
Utilize log events in conjunction with other events to identify potential actors involved in targeted activity
Utilize log events to identify additional possible victims of social engineering attacks
Utilize log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS023CrashReporting-*".
Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS023CrashReporting-*".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS023CrashReporting".
DS024ApplicationServer
Application server logs, covering the actual business application, middleware such as Tomcat, and runtime logs such as those of the Java runtime, contain
a wealth of information created when users and systems interact. Anomalies in the logs can indicate potential failures or compromise attempts.
Security Value
Continuous Monitoring
Develop implementation specific monitoring to alert security operations to potential issues created by external interaction
Forensic Investigation
Utilize log events in conjunction with other events to identify potential actors involved in targeted activity
Utilize log events to identify additional possible victims of social engineering attacks
Utilize log events to establish a timeline of who, when and what when investigating internal activity
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Event Types
Event Types are generic types of records typically available within the data source with known reproducible use cases. The list of event types is
subject to expansion and clarification over time.
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS024ApplicationServer-*".
Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS024ApplicationServer-*".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS024ApplicationServer".
DS001Mail-ET01Access
An event indicates a specific message has been accessed by a user from a specific source system
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS001MAIL-ET01Send".
Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS001MAIL-ET01Send".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS001MAIL-ET01Send".
DS001Mail-ET02Receive
An event indicates a message has been received by one or more users.
UC0077 Detection Risky Referral Domains (Narrative and Use Case Center)
Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the
following sequence occurs New domain in http referrer field First occurrence of domain as sender domain is less
than 48 ...
Jun 24, 2016
Labels: creative
Mature
Found 1 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS001MAIL-ET02Receive".
UC0077 Detection Risky Referral Domains (Narrative and Use Case Center)
Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the
following sequence occurs New domain in http referrer field First occurrence of domain as sender domain is less
than 48 ...
Jun 24, 2016
Labels: creative
Providing Technologies
Found 1 search result(s) for title:PT* contentBody:"DS001MAIL-ET02Receive".
DS001Mail-ET03Send
Indicates an authorized user or system has sent a message to one or more recipients.
UCESS031 Host Sending Excessive Email (Narrative and Use Case Center)
Alerts when a host not designated as an email server sends excessive email to one or more target hosts. For
the past 60 minutes starting 5 minutes after realtime, using all summary data even if the model has changed,
calculate ...
May 02, 2016
UC0003 Server generating email outside of approved usage (Narrative and Use Case Center)
Server operating systems often generate email for routine purposes. Configuration management can be used
to identify which server may generate email and what recipients are permitted. Identify servers receiving email
from the internet without approval Identify ...
Apr 19, 2016
Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS001MAIL-ET03Send".
UC0004 Excessive number of emails sent from internal user (Narrative and Use Case Center)
Excessive email generation by an authorized user could indicate the presence of malware for the purpose of
spam sending, abusing company resources, or attempting to solve a business problem using a technique not
approved by policy. For this use case, email generated from endpoint networks ...
Apr 08, 2016
Providing Technologies
Found 1 search result(s) for title:PT* contentBody:"DS001MAIL-ET03Send".
DS002DNS-ET01Query
DNS request and response reassembled into a single event
Maturing
Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS002DNS-ET01Query".
UC0089 Detection of Communication with Algorithmically Generated Domain (Narrative and Use Case Center)
Using an algorithm, determine whether the text of the registration domain is likely to have been generated by a computer, excluding
known cloud hosting domains, Alexa TOP 1M domains and domains with long-established communication with
the organization. Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016
Labels: prt05-tacticalthreat-ransomeware, creative
Providing Technologies
Found 2 search result(s) for title:PT* contentBody:"DS002DNS-ET01Query".
providertype
Apr 25, 2016
Labels: provider-type
DS002DNS-ET01QueryRequest
DNS Request from a client, response reassembly is not required
Maturing
UC0072 Detection of unauthorized using DNS resolution for WPAD (Narrative and Use Case Center)
Detection of an endpoint utilizing DNS as a method of proxying by querying for wpad.registrationdomain.
Search for NXDOMAIN replies to A/AAAA queries for wpad (bare host) and wpad. where the domain
portion is not a company-owned domain. Problem Types Addressed Risk Addressed Event ...
Apr 25, 2016
UC0081 Communication with unestablished domain (Narrative and Use Case Center)
Egress communication with a newly seen, newly registered, or registration date unknown domain may indicate
the presence of malicious code. Assets communicating with external services excluding Alexa TOP 1M whose
reputation score exceeds acceptable norms will be flagged ...
Apr 25, 2016
Labels: prt05-tacticalthreat-ransomeware
Providing Technologies
Found 3 search result(s) for title:PT* contentBody:"DS002DNS-ET01QueryRequest".
DS002DNS-ET01QueryResponse
Reassembled request response as a single event containing the original client ip
Maturing
Providing Technologies
Found 3 search result(s) for title:PT* contentBody:"DS002DNS-ET01QueryResponse".
DS003Authentication-ET01Success
Indicates the authentication system validated the factors provided
UCESS005 Activity from Expired User Identity (Narrative and Use Case Center)
Alerts when an event is discovered from a user associated with an identity that is now expired (that is, the end
date of the identity has passed). Looking across a realtime window of /5 minutes, search for Last Time,
Original Raw Event Data, user ...
Aug 14, 2016
UCESS012 Brute Force Access Behavior Detected Over One Day (Narrative and Use Case Center)
Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period
(this could indicate a successful brute force attack). Looking across the prior 24 hours starting 1 hour ago,
search for application ...
Aug 14, 2016
UCESS011 Brute Force Access Behavior Detected (Narrative and Use Case Center)
Detects an excessive number of failed login attempts along with a successful attempt (this could indicate a
successful brute force attack). Looking across the prior 60 minute period starting 5 minutes ago, search for tags,
applications, count of failures ...
Aug 14, 2016
Maturing
Found 10 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS003Authentication-ET01Success".
UCESS016 Default Account Activity Detected (Narrative and Use Case Center)
Discovers use of default accounts (such as admin, administrator, etc.). Default accounts have default
passwords and are therefore commonly targeted by attackers using brute force attack tools. Looking across a
realtime window of /5 minutes, return lastTime, tag ...
Aug 14, 2016
UCESS038 Insecure Or Cleartext Authentication Detected (Narrative and Use Case Center)
Detects authentication requests that transmit the password over the network as cleartext
(unencrypted). Looking across a realtime window of /5 minutes, calculate the max time and return time, original
raw, tags and count grouped by the application and destination (host, IP, name ...
Aug 14, 2016
UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center)
Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared
passwords and potential misuse. Looking across the prior 65 minutes starting 5 minutes ago, search for time,
application, source (host, IP, name) and user ...
Aug 14, 2016
UC0094 Insecure authentication method detected (Narrative and Use Case Center)
each authentication technology in the network identify the values of authentication events that positively ensure
that secure authentication is in use. Alert per authentication technology where a successful event occurs
without the required indicators Problem Types Addressed Risk Addressed Event ...
Jun 24, 2016
UC0090 User account cross enclave access (Narrative and Use Case Center)
Detection of logon with the same account to a production and a non production environment. If an account (not
user) has logged into more than one environment, access management controls have failed and must be
remediated Problem Types Addressed Risk Addressed Event Data ...
Jun 24, 2016
UC0093 Previously active account has not accessed enclave/lifecycle (Narrative and Use Case Center)
Identify accounts no longer in use with access to high/critical or enclave systems and remove access when no
longer required. Implement a tracking list of accounts and the accessed enclave or business service identifier,
maintain the last accessed time and alert when the last ...
Jun 24, 2016
UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)
Identify users gaining access via an unapproved or unknown access control. This could indicate malicious
activity or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access
RV3MaliciousCode RV6Misconfiguration ...
Apr 08, 2016
UC0042 SSH Authentication using unknown key (Narrative and Use Case Center)
public key utilized for authentication is recorded in the SSHD authentication log. Detection of a new key should
be investigated to determine the owner of the key and validate authorization to access the resource. Problem
Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance ...
Apr 11, 2016
Providing Technologies
Found 2 search result(s) for title:PT* contentBody:"DS003Authentication-ET01Success".
DS003Authentication-ET02Failure
The authentication system did not approve the attempt based on invalid factors
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS003Authentication-ET02Failure" NOT
contentBody:"DS003Authentication-ET02Failure*".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS003Authentication-ET02Failure" NOT
contentBody:"DS003Authentication-ET02Failure*".
DS003Authentication-ET02FailureBadFactor
Indicates the authentication system determined the factors provided were invalid
UCESS012 Brute Force Access Behavior Detected Over One Day (Narrative and Use Case Center)
Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period
(this could indicate a successful brute force attack). Looking across the prior 24 hours starting 1 hour ago,
search for application ...
Aug 14, 2016
UCESS011 Brute Force Access Behavior Detected (Narrative and Use Case Center)
Detects excessive number of failed login attempts along with a successful attempt (this could indicate a
successful brute force attack). Looking across the prior 60 minute period starting 5 minutes ago, search for tags,
applications, count of failures ...
Aug 14, 2016
Maturing
UCESS015 Concurrent Login Attempts Detected (Narrative and Use Case Center)
Alerts on concurrent access attempts to an app from different hosts. These are good indicators of shared
passwords and potential misuse. Looking across the prior 65 minutes starting 5 minutes ago, search for time,
application, source (host, IP, name) and user ...
Aug 14, 2016
Providing Technologies
Found 1 search result(s) for title:PT* contentBody:"DS003Authentication-ET02FailureBadFactor".
DS003Authentication-ET02FailureError
Indicates the authentication system encountered an error and was unable to authenticate the user.
Maturing
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS003Authentication-ET02FailureError".
DS003Authentication-ET02FailureUnknownAccount
Indicates the authentication system was unable to locate the account; factors were not evaluated
Maturing
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS003Authentication-ET02FailureUnknownAccount".
DS004EndPointAntiMalware-ET01SigDetected
Endpoint product detection based on a signature or specified heuristics class
UCESS035 Host With Multiple Infections (Narrative and Use Case Center)
Alerts when a host with multiple infections is discovered. For the past 24 hours, using all summary data even if
the model has changed, return a distinct count of signatures and group by destination (host, IP, name). Alert
when the count is greater ...
Aug 14, 2016
UCESS025 High Number Of Infected Hosts (Narrative and Use Case Center)
Alerts when a high total number of infected hosts is discovered. For the past 15 days, using all summary data
even if the model has changed, return an estimated distinct count of destination (host, IP, name) where
nodename is MalwareAttacks ...
Aug 14, 2016
UCESS026 High Or Critical Priority Host With Malware Detected (Narrative and Use Case Center)
Alerts when an infection is noted on a host with high or critical priority. Looking across a realtime window of /5
minutes, search for destination priority (assigned in asset table) of high or critical and return most recently seen
time, original raw log, destination ...
Aug 14, 2016
UCESS027 High or Critical Priority Individual Logging into Infected Machine (Narrative and Use Case Center)
Detects users with a high or critical priority logging into a malware infected machine. Using all summary data
even if the model has changed, search for user over a 60 minute window starting 5 minutes after realtime
where user priority ...
Aug 14, 2016
UCESS024 High Number of Hosts Not Updating Malware Signatures (Narrative and Use Case Center)
Alerts when a high number of hosts not updating malware signatures have been discovered. These hosts
should be evaluated to determine why they are not updating their malware signatures. Execute the malware
operations tracker macro and calculate the timesignatureversion and return results that the day difference
between ...
Apr 26, 2016
UCESS036 Host With Old Infection Or Potential Re-Infection (Narrative and Use Case Center)
Alerts when a host with an old infection is discovered (likely a reinfection). For the past 60 minutes starting 5
minutes after realtime, calculate the max time (lastTime) by signature and destination. Perform a lookup
against the malwaretracker and match on destination and signature. If a match ...
Apr 26, 2016
UCESS032 Host With A Recurring Malware Infection (Narrative and Use Case Center)
Alerts when a host has an infection that has been removed and reinfected multiple times over multiple days. For the
past 10080 minutes (7 days) starting 5 minutes after realtime, using all summary data even if the model ...
Apr 26, 2016
UC0030 Endpoint uncleaned malware detection (Narrative and Use Case Center)
Endpoint with malware detection where anti malware product attempted to and was unable to clean, remove or
quarantine. Problem Types Addressed Risk Addressed Event Data Sources Enrichment PRT01Compliance
PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected
DDE007 Signature Special Processing List ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0029 Endpoint new malware detected by signature (Narrative and Use Case Center)
When a new malware variant is detected by endpoint antivirus technology it is possible the configuration or
capability of other controls is deficient. Review the sequence of events leading to the infection to determine if
additional preventive measures can be put in place. Problem Types Addressed Risk ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
Maturing
Found 5 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS004EndPointAntiMalware-ET01SigDetected".
UC0025 Endpoint Multiple devices in 48 hours in the same site (Narrative and Use Case Center)
Multiple infected devices in the same site could indicate a successful watering hole attack. Monitor for more
than 5% of the hosts in a site. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode DS004EndPointAntiMalwareET01SigDetected
DE001AssetInformation ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0026 Endpoint Multiple devices in 48 hours in the same subnet (Narrative and Use Case Center)
Multiple infected devices in the same subnet could indicate lateral movement of an adversary or a possible
worm. Monitor for more than 5% of the host addresses on a subnet as it is not readily possible to know how
many hosts are active on a subnet. Problem Types Addressed ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit (Narrative and
Use Case Center)
Multiple infected devices in the same organizational unit could indicate a successful spear phishing attack.
Monitor for more than 5% of the hosts in an organizational unit. Problem Types Addressed Risk Addressed
Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0028 Endpoint Multiple infections over short time (Narrative and Use Case Center)
Multiple infections detected on the same endpoint in a short period of time could indicate the presence of an
undetected loader malware component (apt). Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode
DS004EndPointAntiMalwareET01SigDetected DE001AssetInformation DDE007 ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
UC0073 Endpoint detected malware infection from url (Narrative and Use Case Center)
Endpoint antimalware detection event occurred where the malicious content was retrieved from an external
URL. Possible indication of gaps in protection by web proxy, intrusion prevention, or advanced threat
prevention. Use the information available for the event and determine how existing ...
Apr 11, 2016
Labels: prt05-tacticalthreat-ransomeware
Providing Technologies
DS004EndPointAntiMalware-ET02UpdatedSig
Update occurrence for the signature data used by the anti malware engine; in a multiple engine/database relationship, the database updated should be specified
Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS004EndPointAntiMalware-ET02UpdatedSig".
UC0088 User account sharing detection by source device ownership (Narrative and Use Case Center)
Detection of logon device by asset name (may require resolution from IP) when logon user does not match the
owner and the number of unique owned devices is greater than two in the prior 24 hours. Exclude assets
identified as loaner ...
May 16, 2016
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS006EndPointAntiMalware-ET02UpdatedSig".
DS004EndPointAntiMalware-ET03UpdatedEng
Update occurrence for the engine used by the anti malware product; in a multiple engine/database relationship, the engine updated should be specified
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS004EndPointAntiMalware-ET03UpdatedEng".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS004EndPointAntiMalware-ET03UpdatedEng".
DS005WebProxyRequest-ET01Requested
Traditional HTTP request from a client
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS005WebClientRequest-ET01Requested".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS005WebClientRequest-ET01Requested".
DS005WebProxyRequest-ET01RequestedWebAppAware
Indicates a traditional web application request with additional context provided by the generating system detecting the "application" implied by the
request such as Facebook/Farmville or Teamviewer
Maturing
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS001MAIL-ET01RequestedWebAppAware".
DS005WebProxyRequest-ET02Connect
Connect (tunnel) request from an HTTP client
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS005WebClientRequest-ET02Connect".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS005WebClientRequest-ET02Connect".
DS006UserActivity-ET01List
User activity listing the contents of a container
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET01List".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET01List".
DS006UserActivity-ET02Read
User activity reading the contents of an object
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET02Read".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET02Read".
DS006UserActivity-ET03Create
User activity creating a new object
Maturing
Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET03Create".
UCESS042 New User Account Created On Multiple Hosts (Narrative and Use Case Center)
Useraccountstracker returns destination (host, IP, name), user, firstTime, lastTime and isinteractive. Create
earliestQual based on 24 hours ago, snapped to the top of the hour and latestQual which is now. Return
values where firstTime is greater than or equal to earliestQual ...
Aug 14, 2016
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET03Create".
DS006UserActivity-ET04Update
User activity updating an object
Maturing
Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET04Update".
UC0013 Monitor change for high value groups (Narrative and Use Case Center)
Detection of change for groups used to control access for sensitive, regulated, or critical infrastructure systems.
Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityUserActivity RV2Access DS006UserActivityET04Update DE002IdentityInformation
Identity category terminated Identity category reductioninforce ...
Apr 08, 2016
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET04Update".
DS006UserActivity-ET05Delete
User activity deleting an object
Maturing
Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET05Delete".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET05Delete".
DS006UserActivity-ET06Search
User activity searching for additional content
Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET06Search".
UC0080 Trusted Individual exceeds authorization in observation of other users (Narrative and Use Case
Center)
Evaluate queries executed by authorized trusted individuals to determine if the user is observing the behavior
of other users for reasons not authorized as part of the user's job function. Problem Types Addressed Risk
Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity
RV1AbuseofAccess ...
Apr 25, 2016
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET06Search".
DS006UserActivity-ET07ExecuteAs
User activity searching for additional content
Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS006UserActivity-ET06Search".
UC0080 Trusted Individual exceeds authorization in observation of other users (Narrative and Use Case
Center)
Evaluate queries executed by authorized trusted individuals to determine if the user is observing the behavior
of other users for reasons not authorized as part of the user's job function. Problem Types Addressed Risk
Addressed Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityUserActivity
RV1AbuseofAccess ...
Apr 25, 2016
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS006UserActivity-ET06Search".
DS007AuditTrail-ET01Clear
Events such as Clear, Delete, Purge or Rotate should record the controlling user, target of the action and result
UC0006 Windows security event log purged (Narrative and Use Case Center)
Manually clearing the security event log on a windows system is a violation of policy and could indicate an
attempt to cover malicious actions. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV1AbuseofAccess DS007AuditTrailET01Clear
DE001AssetInformation Adoption ...
Apr 08, 2016
Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS007AuditTrail-ET01Clear".
UCESS006 Anomalous Audit Trail Activity Detected (Narrative and Use Case Center)
Discovers anomalous activity such as the deletion of or clearing of log files. Attackers oftentimes clear the log
files in order to hide their actions, therefore, this may indicate that the system has been compromised. Looking
across a realtime window of /5 minutes, search for action ...
Aug 14, 2016
Providing Technologies
Found 1 search result(s) for title:PT* contentBody:"DS007AuditTrail-ET01Clear".
DS007AuditTrail-ET02Alter
Where possible, identify the acting user and the current and new log retention parameters
Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS007AuditTrail-ET02Alter".
UCESS006 Anomalous Audit Trail Activity Detected (Narrative and Use Case Center)
Discovers anomalous activity such as the deletion of or clearing of log files. Attackers oftentimes clear the log
files in order to hide their actions, therefore, this may indicate that the system has been compromised. Looking
across a realtime window of /5 minutes, search for action ...
Aug 14, 2016
Providing Technologies
Found 1 search result(s) for title:PT* contentBody:"DS007AuditTrail-ET02Alter".
DS007AuditTrail-ET03TimeSync
Where possible identify the acting user; where no result is included, success must be assumed due to limitations of common time sync software
Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS007AuditTrail-ET02Alter".
UCESS006 Anomalous Audit Trail Activity Detected (Narrative and Use Case Center)
Discovers anomalous activity such as the deletion of or clearing of log files. Attackers oftentimes clear the log
files in order to hide their actions, therefore, this may indicate that the system has been compromised. Looking
across a realtime window of /5 minutes, search for action ...
Aug 14, 2016
Providing Technologies
Found 1 search result(s) for title:PT* contentBody:"DS007AuditTrail-ET02Alter".
DS008HRMasterData-ET01Joined
Information regarding a new person in the organization
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS008HRMasterData-ET01Joined".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS008HRMasterData-ET01Joined".
DS008HRMasterData-ET02SeperationNotice
Advanced notice of separation for a human in the organization
Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS008HRMasterData-ET02SeperationNotice".
UC0012 Increase risk score of employees once adverse separation is identified or anticipated (Narrative and
Use Case Center)
Increase the risk score of users who have indication of adverse separation. Examples of users with an
indication of adverse separation include but are not limited to the following: user has entered a remediation
program with human resources; user has been identified as included in a reduction ...
Apr 08, 2016
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS008HRMasterData-ET02SeperationNotice".
DS008HRMasterData-ET03SeperationImmediate
Final notice of separation for a human in the organization
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS008HRMasterData-ET03SeperationImmediate".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS008HRMasterData-ET03SeperationImmediate".
DS009EndPointIntel-ET01ObjectChange
Change to an object such as file, registry, service or configuration
Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS009EndPointIntel-ET01ObjectChange".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS009EndPointIntel-ET01ObjectChange".
DS009EndPointIntel-ET01ProcessLaunch
Endpoint product record of process launch
Maturing
Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS009EndPointIntel-ET01ProcessLaunch".
UC0031 Non human account starting processes not associated with the purpose of the account (Narrative
and Use Case Center)
Accounts designated for use by services and batch processes should start a limited set of child processes.
Creation of new child processes other than the process name defined in the service or batch definition may
indicate compromise. Problem Types Addressed ...
Apr 08, 2016
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS004EndPointAntiMalware-ET01SigDetected".
DS010NetworkCommunication-ET01Traffic
Communication event including a result (allowed/denied) logged at the time the connection is created
UCESS030 High Volume of Traffic from High or Critical Host Observed (Narrative and Use Case Center)
Alerts when a host of high or critical severity generates a high volume of outbound traffic. This may indicate
that the host has been compromised. For the past 60 minutes starting 5 minutes after realtime, using all
summary data even ...
Apr 26, 2016
UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case
Center)
Any attempted communication through the firewall not previously granted by ingress/egress policies could
indicate either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions
(bypassing the firewall). Legacy Command and Control (a.k.a. C&C or C2 ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
Maturing
Found 9 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS010NetworkCommunication-ET01Traffic".
UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center)
primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and
associates identity and asset information with each. Looking back over the past 24 hours, return values of the
function and their distinct count grouped by destination (host ...
Aug 14, 2016
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host based logs such as firewall or host intrusion detection for each asset with a governance category
verify communication (accept or reject) has occurred with origination from one or more authorized vulnerability
scanners. Problem Types Addressed Risk Addressed ...
Jul 12, 2016
UC0082 Communication with enclave by default rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security
posture of the organization or actual/attempted compromise. Communication filtered by the default rule implies
no explicit permission for communication has been granted and should be reviewed. Consider ingress ...
Apr 27, 2016
UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall
rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security
posture of the organization or actual/attempted compromise. Maintain a dynamic list of firewall rule names by
dvc; alert when a rule is named in an allowed communication where the reviewed ...
Apr 27, 2016
UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center)
Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the
source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB
devices ensure the first "xforwardedfor" entry ...
Jun 24, 2016
UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center)
Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may
indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed
Event Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe
...
Apr 08, 2016
UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center)
Endpoints communicating with an excessive number of unique destination ports could indicate malicious code
probing for vulnerabilities. Certain server applications will arrange for communication on a high-numbered port
with the client such as ftp in passive mode and RPC on windows server. Utilize category ...
Apr 08, 2016
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016
UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center)
Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation
of new software (potentially unapproved) or a successful compromise of a host (such as the presence of a
backdoor or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return
values ...
Aug 14, 2016
Providing Technologies
Found 1 search result(s) for title:PT* contentBody:"DS010NetworkCommunication-ET01Traffic".
DS010NetworkCommunication-ET01TrafficAppAware
Communication event including a result (allowed/denied) logged at the time the connection is created
UC0002 Detection of prohibited protocol (application) (Narrative and Use Case Center)
prohibited protocol such as IRC, FTP, or gopher could indicate malicious activity or the implementation of an
insecure system on the network. Consider intranetwork communication and accepted communications from the
internet Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware ...
Apr 08, 2016
Maturing
UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center)
Using network communication fingerprinting detect distinct primary functions such as SQL, HTTP, DNS by
destination asset. Alert if more than one primary function excluding administrative protocols (RDP, SSH, iDRAC).
Problem Types Addressed Risk Addressed ...
Apr 28, 2016
UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)
Identify users gaining access via an unapproved or unknown access control. This could indicate malicious
activity or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources
Enrichment PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access
RV3MaliciousCode RV6Misconfiguration ...
Apr 08, 2016
Providing Technologies
Found 3 search result(s) for title:PT* contentBody:"DS010NetworkCommunication-ET01TrafficAppAware".
DS010NetworkCommunication-ET02State
Event indicating the state of the firewall has changed (start/stop block/noblock)
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS010NetworkCommunication-ET02State".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS010NetworkCommunication-ET02State".
DS011MalwareDetonation-ET01Detection
Malware detonation systems, also known as sandboxing systems, execute potentially malicious code in a clean environment for the purpose of
collecting events related to its actions. Using automated and manual analysis, indicators can be determined which can inform additional breach
detection and prevention capability
Security Value
Continuous Monitoring - Monitoring email server logs using analytic concepts such as new, rare and extreme values over fields including sender,
recipient, IP and domain increasingly identifies actors and potential victims of email based attacks
Forensic Investigation - Logs can be utilized to determine if actions from a user/host may indicate control by a third party
Event Types
UCESS030 High Volume of Traffic from High or Critical Host Observed (Narrative and Use Case Center)
Alerts when a host of high or critical severity generates a high volume of outbound traffic. This may indicate that
the host has been compromised. For the past 60 minutes starting 5 minutes after realtime, using all summary data
even ...
Apr 26, 2016
UC0002 Detection of prohibited protocol (application) (Narrative and Use Case Center)
prohibited protocol such as IRC, FTP, or gopher could indicate malicious activity or the implementation of an
insecure system on the network. Consider intranetwork communication and accepted communications from the
internet Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware ...
Apr 08, 2016
UC0020 Attempted communication through external firewall not explicitly granted (Narrative and Use Case Center)
Any attempted communication through the firewall not previously granted by ingress/egress policies could indicate
either a misconfiguration (causing systems behind the firewall to be vulnerable) or malicious actions (bypassing
the firewall). Legacy Command and Control (a.k.a. C&C or C2 ...
Apr 08, 2016
Labels: prt05-tacticalthreat-ransomeware
Maturing
Found 12 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS010NetworkCommunication-*".
UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center)
primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and
associates identity and asset information with each. Looking back over the past 24 hours, return values of the
function and their distinct count grouped by destination (host ...
Aug 14, 2016
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host-based logs such as firewall or host intrusion detection, for each asset with a governance category verify that
communication (accept or reject) has occurred originating from one or more authorized vulnerability scanners.
Problem Types Addressed Risk Addressed ...
Jul 12, 2016
UC0082 Communication with enclave by default rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of
the organization or actual/attempted compromise. Communication filtered by the default rule implies no explicit
permission for communication has been granted and should be reviewed. Consider ingress ...
Apr 27, 2016
UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center)
Using network communication fingerprinting, detect distinct primary functions such as SQL, HTTP, DNS by
destination asset. Alert if more than one primary function is present, excluding administrative protocols (RDP, SSH, iDRAC).
Problem Types Addressed Risk Addressed ...
Apr 28, 2016
UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall
rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of
the organization or actual/attempted compromise. Maintain a dynamic list of firewall rule names by dvc; alert when
a rule is named in an allowed communication where the reviewed ...
Apr 27, 2016
UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center)
Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the
source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices
ensure the first "xforwardedfor" entry ...
Jun 24, 2016
UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)
Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity
or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode
RV6Misconfiguration ...
Apr 08, 2016
UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center)
Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may
indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed Event
Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe ...
Apr 08, 2016
UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center)
Endpoints communicating with an excessive number of unique destination ports could indicate malicious code
probing for vulnerabilities. Certain server applications will arrange for communication on a high-numbered port with
the client, such as FTP in passive mode and RPC on Windows Server. Utilize category ...
Apr 08, 2016
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016
UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center)
Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of
new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor
or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return values ...
Aug 14, 2016
Mature
Found 12 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS010NetworkCommunication-*".
UCESS039 Multiple Primary Functions Detected (Narrative and Use Case Center)
primaryfunctionstracker macro gathers all local processes, services and listening ports from their trackers and
associates identity and asset information with each. Looking back over the past 24 hours, return values of the
function and their distinct count grouped by destination (host ...
Aug 14, 2016
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host-based logs such as firewall or host intrusion detection, for each asset with a governance category verify that
communication (accept or reject) has occurred originating from one or more authorized vulnerability scanners.
Problem Types Addressed Risk Addressed ...
Jul 12, 2016
UC0082 Communication with enclave by default rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of
the organization or actual/attempted compromise. Communication filtered by the default rule implies no explicit
permission for communication has been granted and should be reviewed. Consider ingress ...
Apr 27, 2016
UC0086 Detect Multiple Primary Functions (Narrative and Use Case Center)
Using network communication fingerprinting, detect distinct primary functions such as SQL, HTTP, DNS by
destination asset. Alert if more than one primary function is present, excluding administrative protocols (RDP, SSH, iDRAC).
Problem Types Addressed Risk Addressed ...
Apr 28, 2016
UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall
rule (Narrative and Use Case Center)
Communication from an enclave network may indicate a misconfiguration that could weaken the security posture of
the organization or actual/attempted compromise. Maintain a dynamic list of firewall rule names by dvc; alert when
a rule is named in an allowed communication where the reviewed ...
Apr 27, 2016
UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center)
Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the
source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices
ensure the first "xforwardedfor" entry ...
Jun 24, 2016
UC0010 Detect unauthorized use of remote access technologies (Narrative and Use Case Center)
Identify users gaining access via an unapproved or unknown access control. This could indicate malicious activity
or an internal control failure. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT02SecurityVisibilityEndpointMalware PRT02SecurityVisibilityUserActivity RV2Access RV3MaliciousCode
RV6Misconfiguration ...
Apr 08, 2016
UC0022 Endpoint communicating with an excessive number of unique hosts (Narrative and Use Case Center)
Endpoints attempting to communicate with an excessive number of unique hosts over a given time period may
indicate malicious code. Exclude category svcnetworkscanner Problem Types Addressed Risk Addressed Event
Data Sources Enrichment PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode RV4ScanProbe ...
Apr 08, 2016
of accepted SSHv1 sessions indicate a misconfigured system. Attempted and denied sessions indicate system
probing or scanning. Problem Types Addressed Risk ...
Apr 11, 2016
UC0023 Endpoint communicating with an excessive number of unique ports (Narrative and Use Case Center)
Endpoints communicating with an excessive number of unique destination ports could indicate malicious code
probing for vulnerabilities. Certain server applications will arrange for communication on a high-numbered port with
the client, such as FTP in passive mode and RPC on Windows Server. Utilize category ...
Apr 08, 2016
UCESS059 Unusual Volume of Network Activity (Narrative and Use Case Center)
Detects unusual network traffic that may be indicative of a DoS attack as indicated by a high number of unique
sources or a high volume of firewall packets. For the past 30 minutes starting 5 minutes after realtime, using all
summary data even ...
Aug 14, 2016
UCESS056 Unapproved Port Activity Detected (Narrative and Use Case Center)
Detects the use of ports that are not approved. Unapproved port detection is useful for detecting the installation of
new software (potentially unapproved) or a successful compromise of a host (such as the presence of a backdoor
or a system communicating with a botnet). Looking across a realtime window of /5 minutes, return values ...
Aug 14, 2016
Providing Technologies
Found 4 search result(s) for title:PT* contentBody:"DS010NetworkCommunication".
DS012NetworkIntrusionDetection-ET01SigDetection
What is Intrusion Detection/Prevention? IDS and IPS are complementary, parallel security systems that supplement firewalls: IDS by exposing
successful network and server attacks that penetrate a firewall, and IPS by providing more advanced defenses against sophisticated attacks. IDS
is typically placed at the network edge, just inside a perimeter firewall, although some organizations also put a system outside the firewall to
provide greater intelligence about all attacks. Likewise, IPS is typically placed at the network perimeter, although it may also be used in layers at
other points inside the network or on individual servers. IPS usually works by dropping packets, resetting network connections and blacklisting
specific IP addresses or ranges.
Security Value
Continuous Monitoring - Monitoring logs using analytic concepts such as new, rare, and extreme values over fields including IP and signature
to increasingly identify actors and potential victims of network vulnerability-based attacks
Forensic Investigation
Identify compromised or potentially compromised hosts based on exploitation data
Legal compliance
Utilize email logs to support discovery and defense of legal claims.
Event Types
UCESS061 Vulnerability Scanner Detected (by targets) (Narrative and Use Case Center)
Detects a potential vulnerability scanner by detecting devices that have triggered events against a large number of
unique targets. Vulnerability scanners generally trigger events against a high number of unique hosts when they
are scanning a network for vulnerable hosts. For the past ...
Aug 14, 2016
UCESS060 Vulnerability Scanner Detected (by events) (Narrative and Use Case Center)
Detects a potential vulnerability scanner by detecting devices that have triggered a large number of unique events.
Vulnerability scanners generally trigger a high number of unique events when scanning a host since each
vulnerability check tends to trigger a unique ...
Aug 14, 2016
UC0074 Network Intrusion Internal Network (Narrative and Use Case Center)
IDS/IPS detecting or blocking an attack based on a known signature. Problem Types Addressed Risk Addressed
Event Data Sources Enrichment PRT01Compliance PRT02SecurityVisibilityEndpointMalware RV3MaliciousCode
DS012NetworkIntrusionDetectionET01SigDetection DE001AssetInformation Adoption Phase Customer Adoption
Phase SME Adoption Phase ...
May 09, 2016
Labels: prt05-tacticalthreat-ransomeware
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS012NetworkIntrusionDetection-*".
Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS012NetworkIntrusionDetection-*".
Providing Technologies
Found 2 search result(s) for title:PT* contentBody:"DS012NetworkIntrusionDetection".
DS013TicketManagement-ET01
Ticket management from tracking systems responsible for the security and operational health of the environment(s) provides a rich resource for
evaluating the effectiveness of the security program, as well as of the detective and preventive controls in place.
Security Value
Continuous Monitoring - Monitoring the effective execution of triage and remediation activities.
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Establish a timeline of what was known, when and by whom
Event Types
Maturing
Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS013TicketManagement-*".
UC0084 Monitor Execution of Triage Activity (Narrative and Use Case Center)
Define and maintain eventtypes for unsuppressed notable events, separately identifying the review workflow and the
triage SLA required. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS013TicketManagementET01 TBD Adoption
Phase ...
Apr 27, 2016
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS013TicketManagement".
DS014WebServer-ET01Access
Web server logs allow attribution of activity to a specific source IP and, when authenticated, to a user. The logs are detailed records of every
transaction: every time a browser requests a web page, Apache logs details such as the time, remote IP address, browser type and
page requested. Web servers also log various error conditions such as a request for a missing file, attempts to access a file without appropriate
permissions, or problems with extension modules. Web server logs are critical in debugging both web application and server problems, but are
also used to generate traffic statistics, track user behavior and flag security attacks such as attempted unauthorized entry or DDoS.
Security Value
Continuous Monitoring
Monitoring server logs using analytic concepts such as new, rare, and extreme values over fields including site, resource, and IP to increasingly
identify actors and potential victims of attacks
Monitoring server logs using analytic concepts to identify potential DoS attacks by an increasing number of requests for sites or a
specific resource
Forensic Investigation
Utilize log events in contribution of other events to identify potential actors involved in targeted activity
Utilize log events to identify scope of exploitation
Utilize log events to identify scope of time for an incident
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Event Types
Maturing
Found 3 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS014WebServer-*".
UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center)
Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute
period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ...
Aug 16, 2016
UC0077 Detection Risky Referral Domains (Narrative and Use Case Center)
Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the
following sequences occurs: new domain in HTTP referrer field; first occurrence of domain as sender domain is less
than 48 ...
Jun 24, 2016
Labels: creative
UC0085 Alert per host where web application logs indicate a source IP not classified as WAF (Narrative and Use
Case Center)
Communication to any web application server without filtering by a network web application firewall indicates a
security misconfiguration. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS014WebServerET01Access DDE001 Asset
Information ...
Apr 27, 2016
Mature
Found 3 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS014WebServer-*".
UCESS021 Excessive HTTP Failure Responses (Narrative and Use Case Center)
Alerts when a host generates a lot of HTTP failures in a short span of time. Looking across the prior 60 minute
period starting 5 minutes ago, using all summary data even if the model has changed, provide a count ...
UC0077 Detection Risky Referral Domains (Narrative and Use Case Center)
Maintain a tracking list of public domain suffix and data source "seen" by first epoch. Identify where one of the
following sequences occurs: new domain in HTTP referrer field; first occurrence of domain as sender domain is less
than 48 ...
Jun 24, 2016
Labels: creative
UC0085 Alert per host where web application logs indicate a source IP not classified as WAF (Narrative and Use
Case Center)
Communication to any web application server without filtering by a network web application firewall indicates a
security misconfiguration. Problem Types Addressed Risk Addressed Event Data Sources Enrichment
PRT01Compliance RV1AbuseofAccess RV6Misconfiguration DS014WebServerET01Access DDE001 Asset
Information ...
Apr 27, 2016
Providing Technologies
Found 1 search result(s) for title:PT* contentBody:"DS014WebServer".
DS015ConfigurationManagement-ET01General
Configuration management solutions such as VMware vCenter, MAAS, Puppet, Chef, System Center Configuration Manager, and System Center
Virtual Machine Manager generate events that can provide valuable support to security investigations by recording who applied which
changes to which systems. Additional information such as the base image utilized and birth and death timestamps provides data
useful for identifying windows of vulnerability.
Security Value
Continuous Monitoring - Monitoring of privileged user activity such as change outside of windows, access to sensitive configuration
values or modification to critical controls
Forensic Investigation
Establish a time line of activities of a privileged user
Establish when controls were placed or removed on a specific host
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Event Types
Maturing
Found 1 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS015ConfigurationManagement*".
Providing Technologies
Found 1 search result(s) for title:PT* contentBody:"DS014WebServer" NOT contentBody:"DS015ConfigurationManagement-*".
DS016DataLossPrevention-ET01Violation
Data loss prevention solutions can identify human and automated activities as they interact with restricted information creating an audit trail of
attempted actions and the systems response such as allow or block.
Security Value
Continuous Monitoring
Monitoring alerts indicating policy violation or attempted policy violation to prompt immediate action by security monitoring.
Monitoring alerts indicating excessive interaction with restricted information as a possible indication of compromise
Forensic Investigation
Utilize events in contribution of other events to identify potential actors involved in targeted activity
Utilize events to establish a time line of who, when and what when investigating internal activity
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Utilize logs to support documentation of compliance
Event Types
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS016DataLossPrevention-*".
Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS016DataLossPrevention-*".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS016DataLossPrevention".
DS017PhysicalSecurity-ET01Access
Most organizations use automated systems to secure physical access to facilities. Historically, these have been simple magnetic stripes affixed to
employee badges; however, locations with stringent security requirements may use some form of biometric reader or digital key. Regardless of
the technology, the systems compare an individual's identity with a database and activate doors when the user is authorized to enter a particular
location. As digital systems, badge readers record information such as user ID, date and time of entry and perhaps a photo for each access
attempt. Motion and sensor indicators may also be useful in extreme situations where physical access is limited tightly.
Security Value
Forensic Investigation
Utilize log events to place a badge (single factor) or person (two factor bio/pin) in a specific location
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Event Types
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS017PhysicalSecurity-*".
Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS017PhysicalSecurity-*".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS017PhysicalSecurity".
DS018VulnerabilityDetection-ET01SigDetected
Vulnerability detected based on a signature or a specified heuristics class
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS018VulnerabilityDetection-ET01SigDetected".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS018VulnerabilityDetection-ET01SigDetected".
DS019PatchManagement-Applied
DS019PatchManagement-Eligable
DS019PatchManagement-Failed
DS020HostIntrustionDetection-ET01SigDetected
Host-based Intrusion Detection events provide signature based detection of changes that could weaken the security posture of the host based on
changes to entire files or specific configuration. Such data can be very valuable in identifying when critical changes have occurred in the
environment.
Security Value
Continuous Monitoring - Monitoring of alerts generated to ensure the SOC triages events in a timely manner
Forensic Investigation
Utilize log events in contribution of other events to identify potential actors involved in targeted activity
Utilize log events to identify additional possible victims of email-based attacks
Utilize log events to establish a time line of who, when and what when investigating internal activity
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Event Types
Maturing
Found 2 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS020HostIntrustionDetection-*".
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host-based logs such as firewall or host intrusion detection, for each asset with a governance category verify that
communication (accept or reject) has occurred originating from one or more authorized vulnerability scanners.
Problem Types Addressed Risk Addressed ...
Jul 12, 2016
UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center)
Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the
source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices
ensure the first "xforwardedfor" entry ...
Jun 24, 2016
Mature
Found 2 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS020HostIntrustionDetection-*".
UC0091 Validate Execution of Vulnerability Scan (Narrative and Use Case Center)
Using host-based logs such as firewall or host intrusion detection, for each asset with a governance category verify that
communication (accept or reject) has occurred originating from one or more authorized vulnerability scanners.
Problem Types Addressed Risk Addressed ...
Jul 12, 2016
UC0092 Exception to Approved Flow for Web Applications (Narrative and Use Case Center)
Using web application access logs for assets deemed high/critical or with the governance attribute, ensure the
source IP address is one of the approved NLB or WAF devices. If WAF devices are placed in front of NLB devices
ensure the first "xforwardedfor" entry ...
Jun 24, 2016
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS020HostIntrustionDetection".
DS021Telephony-ET01CDR
Real-time business communications no longer are limited to voice calls provided by Plain Old Telephone Service (POTS); instead, voice, video,
text messaging and web conferences are IP applications delivered over existing enterprise networks. Unlike traditional client-server or web
applications, telephony and other communications applications have strict requirements on network quality of service, latency and packet loss,
making service quality and reliability much more sensitive to network conditions and server responsiveness. Traditional POTS has conditioned
people to expect immediate dial tone when picking up the phone and be intolerant of noise, echo or other problems that can plague IP telephony;
as such, the systems and supporting infrastructure require careful monitoring and management to assure quality and reliability. Voice over IP
protocol refers to several methods for transmitting real-time audio (and now video) information over an IP-based data network. Unlike traditional
phone systems using dedicated, point-to-point circuits, VoIP applications use packet-based networks to carry real-time audio streams that are
interspersed with other Ethernet data traffic. Since TCP packets may be delivered out of order due to data loss and retransmission, VoIP includes
features to buffer and reassemble a stream. Similarly, VoIP packets are usually tagged with quality of service (QoS) headers to prioritize their
delivery through the network.
Security Value
Forensic Investigation
Utilize log events in contribution of other events to identify potential actors involved in targeted activity
Utilize log events to identify additional possible victims of social engineering attacks
Utilize log events to establish a time line of who, when and what when investigating internal activity
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Event Types
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS021Telephony-*".
Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS021Telephony-*".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS021Telephony".
DS022Performance-ET01General
Measures of system activity such as CPU load, memory and disk usage, and I/O traffic are the IT equivalent of EKGs to a doctor: the vital signs
that show system health. Recording these measures provides a record of system activity over time that shows normal, baseline levels and
unusual events. By registering myriad system parameters, performance logs also can highlight mismatches between system capacity and
application requirements, such as a database using all available system memory and frequently swapping to disk. Application performance
management (APM) software provides end-to-end measurement of complex, multitier applications to provide performance metrics from an end
user's perspective. APM logs also provide event traces and diagnostic data that can assist developers in identifying performance bottlenecks or
error conditions. The data from APM software provides both a baseline of typical application performance and record of anomalous behavior or
performance degradation. Carefully monitoring APM logs can provide early warning to application problems and allow IT and developers to
remediate issues before users experience significant degradation or disruption. APM logs also are required to perform post-hoc forensic analysis
of complex application problems that may involve subtle interactions between multiple machines and/or network devices.
Security Value
Continuous Monitoring
Monitor system resources for increased utilization or exhaustion as a possible indication of a denial of service attack
Monitor system resources for increased utilization or exhaustion as a possible indication of a brute force attack.
Forensic Investigation
Utilize log events in contribution of other events to identify potential actors involved in targeted activity
Utilize log events to identify additional possible victims of social engineering attacks
Utilize log events to establish a time line of who, when and what when investigating internal activity
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Event Types
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS022Performance-*".
Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS022Performance-*".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS022Performance".
DS023CrashReporting-ET01General
Crash reports, including summaries of dumps, exceptions, and hangs, can indicate attempts at exploitation of processes by malicious code or
significant programming errors allowing possible future exploitation or failure of business services.
Security Value
Continuous Monitoring
Monitor and triage occurrences as a possible indication of attack
Forensic Investigation
Utilize log events in contribution of other events to identify potential actors involved in targeted activity
Utilize log events to identify additional possible victims of social engineering attacks
Utilize log events to establish a time line of who, when and what when investigating internal activity
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Event Types
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS023CrashReporting-*".
Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS023CrashReporting-*".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS023CrashReporting".
DS024ApplicationServer-ET01General
Application server logs, covering the actual business application, middleware such as Tomcat, and runtime logs such as those of the Java runtime, contain
a wealth of information created as users and systems interact. Anomalies in the logs can indicate potential failures or compromise attempts.
Security Value
Continuous Monitoring
Develop implementation specific monitoring to alert security operations to potential issues created by external interaction
Forensic Investigation
Utilize log events in contribution of other events to identify potential actors involved in targeted activity
Utilize log events to identify additional possible victims of social engineering attacks
Utilize log events to establish a time line of who, when and what when investigating internal activity
Legal compliance
Utilize logs to support discovery and defense of legal claims.
Event Types
Maturing
Found 0 search result(s) for title:UC* contentBody:"APC-Maturing" contentBody:"DS024ApplicationServer-*".
Mature
Found 0 search result(s) for title:UC* contentBody:"APC-Mature" contentBody:"DS024ApplicationServer-*".
Providing Technologies
Found 0 search result(s) for title:PT* contentBody:"DS024ApplicationServer".
PT001-Microsoft-Exchange
The Microsoft Exchange collaboration platform is a significant information resource to many organizations. Because it represents both an information
storage solution and a channel of communication useful in various attacks, access monitoring is imperative.
Provides
DS001MAIL
DS001Mail-ET01Access
DS001MAIL-ET02Receive
DS001Mail-ET03Send
DS003Authentication
Authentication occurs for:
Administrative action
Active Sync
Exchange Web Services
Outlook Web Access
RPC (Deprecated)
Key Facts
Impact to index/license
Educated estimate (option 1): 3k * nm * nu = Total K per day (average over at least 7 days, dropping the lowest 2)
nm = number of emails sent (recommend 40)
nu = weighted number of users
Educated estimate (option 2): 3k * actual message count = Total K per day (average over at least 7 days, dropping the lowest 2)
Based on log files
total size of message tracking log file over 7 days from all exchange servers
total size of iis logs over 7 days from all exchange servers
Day 0 Impact, Customers frequently have no or poor retention policy in place on the monitored files. This can result in a
large historical load impacting or exceeding the license utilization for that day. If implementing over multiple days prepare
with a license reset key.
LOAD-Low additional impact to mail and web data models in general is minimal inclusion will motivate additional search activity
increasing utilization on IT Ops and Security search heads.
Work Estimates
Splunk Core Resource <2 hours
Change Control Process 3-4 hours
Meetings 1-2
Opposition: Low
Skills: SKILLI-Customer
[serverClass:seckit_all_2_msexchange2013_cas_0]
whitelist.0 = ^-
[serverClass:seckit_all_2_msexchange2013_1]
whitelist.0 = ^-
[serverClass:seckit_all_2_msexchange2013_cas_1]
whitelist.0 = ^-
[serverClass:seckit_all_2_msexchange2013_mailbox_1]
whitelist.0 = ^-
PT002-Splunk-Stream
Splunk App for Stream is a scalable and easy-to-configure software solution that captures real-time streaming wire data from anywhere in your
datacenter or from any public Cloud infrastructure.
Provides
PT002-Splunk-Stream-DHCP
PT002-Splunk-Stream-DNS
PT002-Splunk-Stream-SMTP
Key Facts
Impact to index/license - Variable based on collection configuration; see child pages
LOAD-Low - Variable based on collection configuration; see child pages
Work Estimates
Splunk Core Resource <2 hours
Change Control Process 3-4 hours
Meetings 1-2
TAP
Dedicated deployment requires the addition of a capture server and availability of a TAP on the desired network.
Coexistence deployment is possible with common open source IDS solutions such as Bro, Suricata, and Snort.
HOST
Deployment on hosts such as common DNS and DHCP servers may only require deployment via the Splunk Deployment Server.
Opposition: Low
Skills: SKILLI-Customer
PT002-Splunk-Stream-DHCP
PT002-Splunk-Stream-DNS
Provides
DS002DNS-ET01Query
DS002DNS-ET01QueryResponse
DS002DNS-ET01QueryRequest
PT002-Splunk-Stream-SMTP
Provides
DS001MAIL
PT003-ExtraHop
PT003-ExtraHop-DNS
Provides
DS002DNS-ET01Query
DS002DNS-ET01QueryResponse
DS002DNS-ET01QueryRequest
PT003-ExtraHop-SMTP
Provides
DS001MAIL
PT005-Microsoft-Windows
Provides
DS003Authentication Authentication occurs for
User Authentication
Computer Authentication
DS007AuditTrail
DS007AuditTrail-ET01Clear
DS007AuditTrail-ET02Alter
Key Facts
Impact to index/license
Based on log files
total size of change in oswin* indexes over 7 days
Day 0 Impact: customers frequently have no or poor retention policy in place on the monitored files, and very large Windows
event logs to support problem resolution when no central solution exists. This can result in a large historical load impacting
or exceeding the license utilization for that day. If implementing over multiple days, prepare with a license reset key.
LOAD-Low: additional impact to the mail and web data models is minimal in general; inclusion will motivate additional search activity,
increasing utilization on IT Ops and Security search heads.
Work Estimates
Splunk Core Resource <4 hours
Change Control Process 3-4 hours (Possibly require multiple iterations)
Meetings 1-2
Opposition: Low
Skills: SKILLI-Customer
[serverClass:seckit_all_2_os_windows_dc]
whitelist.0 = ^-
[serverClass:seckit_all_2_os_windows_dc_admon_sync]
whitelist.0 = ^-
Wait until "sync" events are no longer streaming into index=appmsad (expect 30-90 min).
Replace the SecKit_all_deploymentserver_2_oswin/local/serverclass.conf entry above as follows, including 2-6 Active Directory
servers per domain:
[serverClass:seckit_all_2_os_windows_dc_admon]
machineTypesFilter = windows-*
whitelist.0 = ^-
PT006-PaloAlto Firewall
Provides
DS003Authentication
DS005WebProxyRequest-ET01RequestedWebAppAware
DS010NetworkCommunication-ET01TrafficAppAware
PT008-Snort
Provides
DS005WebProxyRequest-ET01RequestedWebAppAware
DS010NetworkCommunication-ET01TrafficAppAware
PT009-SourceFire
Provides
DS005WebProxyRequest-ET01RequestedWebAppAware
DS010NetworkCommunication-ET01TrafficAppAware
PT010-Websense
Provides
DS003Authentication
DS005WebProxyRequest
PT011-Bluecoat
Provides
DS003Authentication
DS005WebProxyRequest
PT012-Splunk-InternalLogging
The Splunk Enterprise Application includes extensive internal logging covering performance and usage.
Provides
DS003Authentication
DS003Authentication-ET01Success
DS003Authentication-ET02Failure
DS006UserActivity
Key Facts
Impact to index/license
None
LOAD-Low
Work Estimates
None
Meetings None
Opposition: Low
Skills: SKILLI-Customer
PT013-ISCBIND-DNS
Provides
DS002DNS-ET01QueryResponse
DS002DNS-ET01QueryRequest
PT014-PhysicalAccessControl
PT015-Linux-Deb/RH
Provides
DS003Authentication Authentication occurs for
User Authentication
Key Facts
Impact to index/license
Based on log files
average size of change in osnix* indexes over 7 days
Day 0 Impact: customers frequently have no or poor retention policy in place on the monitored files, and very large Windows
event logs to support problem resolution when no central solution exists. This can result in a large historical load impacting
or exceeding the license utilization for that day. If implementing over multiple days, prepare with a license reset key.
LOAD-Low: additional impact to authentication data models.
Work Estimates. Note: this presumes no deviation from the OS default configuration of the syslog service.
Splunk Core Resource <4 hours
Change Control Process 3-4 hours (Possibly require multiple iterations)
Meetings 1-2
Opposition: Low
Skills: SKILLI-Customer
Data Acquisition Procedure: supported versions of RedHat and Debian based OSes
Bitbucket Link https://bitbucket.org/rfaircloth-splunk/securitykit/src/8304061fc8c6f4a87f3a26adf51710f58b8fd375/base/ds/?at=maste
Nix Deployment Servers and Cluster Masters
Deploy the following apps from base/ds/deployment-servers
Splunk_TA_nix
TA-linux_auditd
SA-LinuxAuditd
Index app (one of)
SecKit_splunk_index_1_splunk_vol
SecKit_splunk_index_1_splunk_home
Splunk_TA_nix_SecKit_0_all_inputs
Splunk_TA_nix_SecKit_1_all_inputs
Stage the following apps to deployment-apps
Splunk_TA_nix
TA-linux_auditd
SA-LinuxAuditd
Index app (one of)
SecKit_splunk_index_1_splunk_vol
SecKit_splunk_index_1_splunk_home
Splunk_TA_nix_SecKit_0_all_inputs
Splunk_TA_nix_SecKit_1_all_inputs
PT016-Cisco-ASA/PIX/FWSM
The Cisco ASA is a multi-function firewall, VPN, and reverse proxy device.
Provides
DS003Authentication-ET01Success
DS003Authentication-ET02Failure
DS003Authentication-ET02FailureBadFactor
DS010NetworkCommunication-ET01Traffic
DS012NetworkIntrusionDetection-ET01SigDetection
DS014WebServer-ET01Access
Key Facts
Impact to index/license
Educated estimate: 3k * nm * nu = Total K per day (average over at least 7 days, dropping the lowest 2)
nm = number of emails sent (recommend 40)
nu = weighted number of users
Educated estimate, option 2: 3k * actual message count = Total K per day (average over at least 7 days, dropping the lowest 2)
Based on log files
total size of message tracking log file over 7 days from devices where local log collection is enabled
Day 0 Impact: none; no prior logs can be collected.
LOAD-Low: additional impact to the mail and web data models is minimal in general; inclusion will motivate additional search activity,
increasing utilization on IT Ops and Security search heads.
Work Estimates
Splunk Core Resource <2 hours
Change Control Process 3-4 hours
Meetings 1-2
Opposition: Low
Skills: SKILLI-Customer
Step-by-step guide
1. Deploy TA
   a. Deployment Server
      i. Unzip Splunk_TA_cisco-asa.zip to $SPLUNK_HOME/etc/deployment-apps
      ii. Create Splunk_TA_cisco-asa/local/props.conf
      iii. Update
   b. Cluster Master(s)
      i. Apply Cluster Bundle
2. Deploy Syslog inputs.conf
3. Deploy syslog-ng configuration
4. Deploy VIP
5. Configure the ASA
   a.
      logging enable
      logging host interface_name ip_address tcp 514
      logging permit-hostdown
      logging trap 6
      logging buffered 6
      logging facility 20
PT017-Trend-TippingPoint
The Trend Micro TippingPoint IPS product.
Provides
DS012NetworkIntrusionDetection-ET01SigDetection
Key Facts
Impact to index/license
Based on log files
total size of message tracking log file over 7 days from devices where local log collection is enabled
Day 0 Impact: none; no prior logs can be collected.
LOAD-Low: additional impact to the mail and web data models is minimal in general; inclusion will motivate additional search activity,
increasing utilization on IT Ops and Security search heads.
Work Estimates
Splunk Core Resource <2 hours
Change Control Process 3-4 hours
Meetings 1-2
Opposition: Low
Skills: SKILLI-Customer
Provider Types
Provider types are linkages to vendor and customer technologies which are believed or have been field validated to support the use cases
identified.
DE001AssetInformation
Creating or having access to a robust asset inventory is a foundational activity because it is critical for a security team to know what it is defending
before there can be any hope of securing it. Indeed, many attackers succeed because they have a deeper understanding of the target
environment than the teams who are tasked with defending them thus increasing their attack surface. The Assets and Identities framework in
Splunk Enterprise Security provides a simple yet very useful way to store asset data and correlate it with activity observed across the
environment. An asset for the purpose of security monitoring is an authorized presence on the internal network which may be identified as a
source or destination network address by IP address, MAC address, hostname, or fully qualified domain name.
Prioritization
The same type of events on two different systems may not deserve the same level of attention; a medium severity event against a desktop
machine is less urgent than the same issue against an externally facing web server that processes credit card information. Asset management
allows an urgency to be computed based on the priority of hosts and assigns higher urgency to high priority assets.
Categorization
Asset management allows information about the assets to be added to events. For example, identity management can look up the source of an
event and find the location of the asset, indicate whether the source is subject to PCI compliance or identify the owner.
Normalization
Asset management allows hosts to be normalized and determine whether two events relate to the same host. For example, two events may use
different information to refer to the host; one event may use an IP address and another event may use a DNS name. Identity management can
determine that both of the events are for the same host by recognizing that the IP address and DNS name are for the same host.
Field            Example
ip               2.0.0.0/8, 1.2.3.4, 192.168.15.9-192.169.15.27
mac              00:25:bc:42:f4:60, 00:25:bc:42:f4:60-00:25:bc:42:f4:6F
nt_host          ACME-0005
dns              acme-0005.corp1.acmetech.com
owner
priority
lat              41.040855
long             28.986183
city             Chicago
country          USA
bunit            emea
category         server
pci_domain       trust, trust|wireless, trust|cardholder, trust|dmz, untrust (note: this value is the default when left blank)
is_expected
should_timesync
should_update
requires_av
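Added example (not part of this document or of Splunk Enterprise Security): a small Python matcher over constructed asset records that shows the three uses described above, resolving an IP address, MAC, nt_host or dns name to one asset record, applying the untrust default for a blank pci_domain, and deriving an urgency from event severity and asset priority. The urgency rule and the sample records are assumptions made for this example, not the ES lookup's own logic.

```python
import ipaddress
import re

# Constructed sample records using the asset lookup fields above (not a customer's data).
ASSETS = [
    {"ip": "1.2.3.4", "nt_host": "ACME-0005", "dns": "acme-0005.corp1.acmetech.com",
     "priority": "high", "category": "server", "pci_domain": "trust|cardholder"},
    {"ip": "192.168.15.9-192.168.15.27", "priority": "low", "category": "desktop",
     "pci_domain": ""},
    {"mac": "00:25:bc:42:f4:60-00:25:bc:42:f4:6F", "priority": "medium",
     "category": "printer", "pci_domain": "trust|wireless"},
    {"ip": "2.0.0.0/8", "priority": "unknown", "category": "external", "pci_domain": ""},
]

LEVELS = ["unknown", "low", "medium", "high", "critical"]


def ip_in_spec(spec, addr):
    """True if addr falls inside a CIDR block, a lo-hi range, or equals a single address.
    Raises ValueError when addr is not an IP address at all."""
    ip = ipaddress.ip_address(addr)
    if "/" in spec:
        return ip in ipaddress.ip_network(spec, strict=False)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo.version == ip.version and lo <= ip <= hi
    return ip == ipaddress.ip_address(spec.strip())


def _mac_int(mac):
    """MAC string (any separators) to an integer; ValueError if it is not 12 hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError("not a MAC address: %r" % mac)
    return int(digits, 16)


def mac_in_spec(spec, mac):
    """True if mac equals a single MAC or falls inside a lo-hi MAC range (colon form assumed)."""
    if spec.count("-") == 1:
        lo, hi = (_mac_int(p) for p in spec.split("-"))
        return lo <= _mac_int(mac) <= hi
    return _mac_int(spec) == _mac_int(mac)


def find_asset(assets, value):
    """Normalization: resolve any identifier (IP, MAC, nt_host or dns name) to its record."""
    v = value.strip().lower()
    for asset in assets:
        for spec in filter(None, (s.strip() for s in asset.get("ip", "").split(","))):
            try:
                if ip_in_spec(spec, v):
                    return asset
            except ValueError:
                break  # v is not an IP address; no ip spec of this asset can match it
        for spec in filter(None, (s.strip() for s in asset.get("mac", "").split(","))):
            try:
                if mac_in_spec(spec, v):
                    return asset
            except ValueError:
                break  # v is not a MAC address
        if v and v in (asset.get("nt_host", "").lower(), asset.get("dns", "").lower()):
            return asset
    return None


def same_host(assets, ident_a, ident_b):
    """Two events naming a host differently (e.g. IP vs DNS name) refer to the same asset."""
    rec_a, rec_b = find_asset(assets, ident_a), find_asset(assets, ident_b)
    return rec_a is not None and rec_a is rec_b


def pci_domain(asset):
    """Blank pci_domain means untrust, the documented default."""
    return asset.get("pci_domain") or "untrust"


def urgency(severity, asset):
    """Prioritization: combine event severity with the asset's priority. Simplified rule
    assumed for this example (not the ES urgency table): take the higher of the two
    levels and raise it one step when both are at least medium."""
    sev = LEVELS.index(severity) if severity in LEVELS else 0
    pri_name = (asset or {}).get("priority", "unknown")
    pri = LEVELS.index(pri_name) if pri_name in LEVELS else 0
    level = max(sev, pri)
    if min(sev, pri) >= LEVELS.index("medium"):
        level = min(level + 1, len(LEVELS) - 1)
    return LEVELS[level]


if __name__ == "__main__":
    web = find_asset(ASSETS, "acme-0005.corp1.acmetech.com")
    desk = find_asset(ASSETS, "192.168.15.20")
    print(same_host(ASSETS, "1.2.3.4", "ACME-0005"))        # True
    print(urgency("medium", desk), urgency("medium", web))    # medium critical
    print(pci_domain(desk), pci_domain(web))                  # untrust trust|cardholder
```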
DE002IdentityInformation
An identity (for the purpose of security monitoring) is an authorized or previously authorized presence on the network which may be identified as a
source or destination account. Multiple records are grouped together by account to identify one human identity or nonhuman application.
Prioritization
The same type of events on two different systems may not deserve the same level of attention; a medium severity event against a marketing user
is less urgent than the same issue against an assistant to the CEO. Identity management allows an urgency to be computed based on the priority
of identities.
Categorization
Identity management allows information about the identities to be added to events. For example, categories such as executive, legal, pic, or hr can
inform the analyst of the types of information at risk should the user's access be used maliciously.
Normalization
Identity management allows accounts to be normalized; regardless of the account name or format used in a specific log, the identity will be
available for evaluation in the rule or by the analyst.
The following table describes the fields:
Column          Examples
identity (key)
prefix
nick
first           Gordon
last            Trisler
suffix
email           accounting@acmetech.com, gntrisler@acmetech.com
phone           +1 (800)555-8924
phone2          +1 (800)555-7152
managedBy       lietzow.tim, a.koskitim
priority
bunit           emea, americas
category
watchlist
startDate
endDate
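Added example (not from this document or from Splunk ES): Python that normalizes the account forms different logs use (DOMAIN\user, user@realm, mixed case), resolves them against constructed identity records built from the fields above, and flags logons by unknown, inactive or watchlisted identities. Joining the identity key's account forms with "|" and the sample records are assumptions made for this example.

```python
# Constructed identity records using the identity lookup fields above (not customer data).
# The identity key lists every account form a person is known by; joining those forms
# with "|" is an assumption made for this example.
IDENTITIES = [
    {"identity": "gntrisler|ACME\\gntrisler|gntrisler@acmetech.com|gordon.trisler",
     "first": "Gordon", "last": "Trisler", "email": "gntrisler@acmetech.com",
     "managedBy": "lietzow.tim", "priority": "high", "bunit": "americas",
     "category": "executive", "watchlist": "", "startDate": "2014-01-06", "endDate": ""},
    {"identity": "a.koskitim|ACME\\a.koskitim|akoski@acmetech.com",
     "first": "Tim", "last": "Koski", "email": "akoski@acmetech.com",
     "managedBy": "lietzow.tim", "priority": "low", "bunit": "emea",
     "category": "hr", "watchlist": "true", "startDate": "2015-09-14",
     "endDate": "2016-03-31"},
]


def normalize_account(raw):
    """Reduce the account forms found in different logs (DOMAIN\\user, user@realm,
    mixed case, surrounding blanks) to one lower-case short name."""
    acct = raw.strip().lower()
    if "\\" in acct:
        acct = acct.rsplit("\\", 1)[1]   # DOMAIN\user -> user
    if "@" in acct:
        acct = acct.split("@", 1)[0]     # user@realm -> user
    return acct


def build_index(identities):
    """Map every normalized account form to the identity record that owns it.
    Stripping the domain can merge distinct accounts, so a collision is an error."""
    index = {}
    for record in identities:
        for form in record["identity"].split("|"):
            key = normalize_account(form)
            if key in index and index[key] is not record:
                raise ValueError("account form %r claimed by two identities" % key)
            index[key] = record
    return index


def resolve(index, raw_account):
    """Normalization: the same identity comes back whatever form the log used."""
    return index.get(normalize_account(raw_account))


def is_active(record, on_date):
    """Active on on_date (ISO yyyy-mm-dd) when startDate has passed and endDate is
    blank or still in the future. ISO dates compare correctly as strings."""
    started = not record.get("startDate") or record["startDate"] <= on_date
    ended = bool(record.get("endDate")) and record["endDate"] < on_date
    return started and not ended


def review_logins(index, accounts, on_date):
    """Flag logon accounts that resolve to no known identity, to an identity that is
    not active on on_date, or to one on the watchlist."""
    flagged = []
    for account in accounts:
        record = resolve(index, account)
        if record is None:
            flagged.append((account, "unknown identity"))
        elif not is_active(record, on_date):
            flagged.append((account, "identity not active"))
        elif record.get("watchlist"):
            flagged.append((account, "on watchlist"))
    return flagged


if __name__ == "__main__":
    idx = build_index(IDENTITIES)
    # Constructed logon accounts as three different log formats would report them.
    for hit in review_logins(idx, ["ACME\\gntrisler", "akoski@acmetech.com", "svc_backup"],
                             "2016-05-02"):
        print(hit)
```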
Adoption Narratives
UC0001 Detection of new/prohibited web application A prohibited web application such as Box or a game on the Facebook
platform can be detected and filtered by modern web proxy solutions and next generation firewalls. Allowed prohibited
applications or New application instances should be reviewed to ensure proper use.
UC0002 Detection of prohibited protocol (application) A prohibited protocol such as IRC, FTP, or gopher could indicate
malicious activity or the implementation of an insecure system on the network. Consider intranetwork communication and
accepted communications from the internet.
UC0003 Server generating email outside of approved usage Server operating systems often generate email for routine
purposes. Configuration management can be used to identify which server may generate email and what recipients are
permitted.
UC0004 Excessive number of emails sent from internal user Excessive email generation by an authorized user could indicate
the presence of malware for the purpose of spam sending, abusing company resources, or attempting to solve a business
problem using a technique not approved by policy. For this use case, email generated from endpoint networks and
operating systems should be considered. Servers often can impersonate users for the purpose of email transmission;
when this is allowed in an environment, these could generate false positives.
UC0005 System modification to insecure state Authorized or unauthorized users may attempt to modify the system such that
hardened configuration policies are removed or security monitoring tools are disabled.
UC0006 Windows security event log purged Manually clearing the security event log on a windows system is a violation of
policy and could indicate an attempt to cover malicious actions.
UC0007 Account logon successful method outside of policy The logon event properties could indicate account misuse in
violation of policy OR as an indication of compromise by comparing the identified purpose of the account to the context of
the logon to determine if the account is authorized for such usage.
UC0008 Activity on previously inactive account Excluding computer accounts in active directory, an account with new activity
that has not been active in the previous thirty days is suspicious.
UC0009 Authenticated communication from a risky source network An Internet facing authentication system has allowed
authenticated access from a risky source network.
UC0010 Detect unauthorized use of remote access technologies Identify users gaining access via an unapproved or unknown
access control. This could indicate malicious activity or an internal control failure.
UC0011 Improbable distance between logins Utilizing source IP address geolocation data and, where available for
company owned mobile devices, GPS location, use the Haversine algorithm to calculate the distance between successive
successful authenticated connections.
UC0012 Increase risk score of employees once adverse separation is identified or anticipated Increase the risk score of users
who have indication of adverse separation.
UC0013 Monitor change for high value groups Detection of change for groups used to control access for sensitive,
regulated, or critical infrastructure systems.
UC0014 Monitor use attempts of human accounts once primary account is expired disabled or deleted A human user may own
multiple accounts. When the primary account of the human is expired, disabled, or deleted, we should expect no further
activity from any other account owned by the user.
UC0015 Privileged user accessing more than expected number of machines in period Privileged user authenticates to more than
X number of new targets successfully or is denied access to more than Y targets in the prior Z hours.
UC0016 Successfully authenticated computer accounts accessing network resources Batch, Windows Services, App Pools, and
specially constructed Windows shells can access network resources. A small number of technical solutions will require
this type of behavior, however, after excluding a white list of hosts or shares (such as sysvol or netlogon), such access
attempts (success or fail) could indicate the presence of malware or attempts to elevate access. Exclude infrastructure file
servers.
UC0017 Unauthorized access or risky use of NHA Detect the use of a Windows account designated by the organization as a
non human account (NHA) outside of the normal usage of such an account.
UC0018 Unauthorized access SSO brute force Single IP address attempting authentication of more than two valid users
within ten minutes where one or more unique accounts is successful, and one or more accounts is not successful against
an approved SSO System.
UC0019 User authenticated to routine business systems while on extended absence A user on leave, vacation, sabbatical, or
other types of leave should not access business systems. This could indicate malicious activity by the employee or a
compromised account.
UC0020 Attempted communication through external firewall not explicitly granted Any attempted communication through the
firewall not previously granted by ingress/egress policies could indicate either a misconfiguration (causing systems behind
the firewall to be vulnerable) or malicious actions (bypassing the firewall).
UC0021 Communication outbound to regions without business relationship Outbound communication with servers hosted in
regions where the organization does not expect to have employees, customers, or suppliers.
UC0022 Endpoint communicating with an excessive number of unique hosts Endpoints attempting to communicate with an
excessive number of unique hosts over a given time period may indicate malicious code. Exclude category
svc_network_scanner
UC0023 Endpoint communicating with an excessive number of unique ports Endpoints communicating with an excessive
number of unique destination ports could indicate malicious code probing for vulnerabilities. Certain server applications
will arrange for communication on a high number port with the client such as ftp in passive mode and RPC on windows
server. Utilize category wl_hv_open_client_ports
UC0024 Endpoint communicating with external service identified on a threat list. Superseded by UCESS053 Threat Activity
Detected
UC0025 Endpoint Multiple devices in 48 hours in the same site Multiple infected devices in the same site could indicate a
successful watering hole attack. Monitor for more than 5% of the hosts in a site.
UC0026 Endpoint Multiple devices in 48 hours in the same subnet Multiple infected devices in the same subnet could indicate
lateral movement of an adversary or a possible worm. Monitor for more than 5% of the host addresses on a subnet as it is
not readily possible to know how many hosts are active on a subnet.
UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit Multiple infected devices in the
same organizational unit could indicate a successful spear phishing attack. Monitor for more than 5% of the hosts in an
organizational unit.
UC0028 Endpoint Multiple infections over short time Multiple infections detected on the same endpoint in a short period of
time could indicate the presence of an undetected loader malware component (apt).
UC0029 Endpoint new malware detected by signature When a new malware variant is detected by endpoint antivirus
technology it is possible the configuration or capability of other controls are deficient. Review the sequence of events
leading to the infection to determine if additional preventive measures can be put in place.
UC0030 Endpoint uncleaned malware detection Endpoint with malware detection where anti malware product attempted to
and was unable to clean, remove or quarantine.
UC0031 Non human account starting processes not associated with the purpose of the account Accounts designated for use by
services and batch process should start a limited set of child processes. Creation of new child processes other than the
process name defined in the service or batch definition may indicate compromise.
UC0032 Brute force authentication attempt When more than 10 failed authentication attempts for known accounts occur
from a single endpoint.
UC0033 Brute force authentication attempt distributed When more than 10 failed authentication attempts for known accounts
occur for a single account from more than 2 IP addresses in 60 minutes. This could indicate an adversary has identified a
specific high value account and is attempting to gain access.
UC0034 Brute force successful authentication If a source IP identified by a brute force use case authenticates successfully
OR an account identified by a brute force use case successfully logs in after failing once from the same source address.
UC0035 Compromised account access testing Following a successful authentication, an attacker will attempt to determine
what resources may be accessed without causing host intrusion or DLP technologies to detect activity. Commonly the
attacker will enumerate and browse to shares, access email, access web applications, or connect to databases yet
perform minimal or no activity.
UC0036 Compromised account access testing (Critical/Sensitive Resource) Following a successful authentication, an attacker
will attempt to determine what resources may be accessed without causing host intrusion or DLP technologies to detect
activity. Commonly the attacker will enumerate and browse to shares, access email, access web applications, or connect
to databases yet not perform any or minimal activity. Critical and Sensitive systems during routine use should not log
access denied events.
UC0037 Network Intrusion External - New Signatures External IDS devices reporting an attack using a signature not
previously encountered are more likely to be successful, as new signatures are prompted by newly known attacks in the wild.
UC0038 Excessive use of Shared Secrets Usage of greater than X number of unique shared/secret credentials or more
than 1 standard deviation from peers
UC0039 Use of Shared Secret for access to critical or sensitive system Use of a secret/shared secret account for access to
such a system rather than accountable credentials could indicate an attempt to avoid detection.
UC0040 Use of Shared Secret for or by automated process with risky attributes Usage (checkout) by an automated process
such as software installation of a shared secret or service account where the source of the retrieval is new or outside of
the change window.
UC0041 SSH v1 detected Authentication using insecure protocol SSH v1 detected. The legacy SSH protocol is inherently
insecure; accepted SSHv1 sessions indicate a misconfigured system. Attempted and denied sessions
indicate system probing or scanning.
UC0042 SSH Authentication using unknown key The public key utilized for authentication is recorded in the SSHD
authentication log. Detection of a new key should be investigated to determine the owner of the key and validate
authorization to access the resource.
UC0043 Direct Authentication to NHA Direct authentication via SSH or console session to a non human account indicates a
violation of security policy by recording the password of a non human account for later use or by association of a SSH key
to a non human account.
UC0044 Network authentication using password auth Even using SSH encryption, allowing password authentication to
Linux/Unix systems over the network increases the attack surface and the possible impact of a compromised account.
Investigate and resolve all instances of network authentication utilizing password.
UC0045 Local authentication server Following provisioning, nix servers seldom require local administration. Investigate any
use of local authentication as it may indicate an attempt to compromise the host via KVM or virtual console.
UC0046 Endpoint failure to sync time Failure to synchronize time will impact the usefulness of security log data from the
endpoint, and potentially prevent valid authentication.
UC0047 Communication with newly seen domain Newly seen domains may indicate interaction with risky or malicious
servers. Identification of new domains via web proxy logs without other IOCs allows the analyst/threat hunter to explore
the relevant data and potentially identify weaknesses or risky behavior that would otherwise go unidentified. The daily number
of new domains will be substantial in a typical organization; the search will select a subset of those for triage.
UC0049 Detection of DNS Tunnel Endpoint utilizing DNS as a method of transmission for data exfiltration, command and
control, or evasion of security controls. Detected by large total size of DNS traffic OR large number of unique queries.
UC0051 Excessive physical access failures to CIP assets A user with continuous physical access failures could be someone
searching for a physical vulnerability within the organization. When this occurs in an area that is protecting CIP assets, it
is something that should be followed up on immediately.
UC0052 Non-CIP user attempts to access CIP asset CIP assets require special protections; therefore, users that have not
been vetted for CIP access, or should have had their access removed, should not have access. System owners should
be notified immediately should a non-CIP user attempt to access a CIP asset.
UC0065 Malware detected compliance asset Malware detection on an asset designated as compliance, such as PCI, CIP or
HIPAA, requires review even when automatic clean has occurred.
UC0071 Improbably short time between Remote Authentications with IP change For employers that allow remote external
connectivity the detection of two or more distinct values of external source IP address for successful authentications to a
remote access solution in a short period of time indicates a likely compromise of credentials.
UC0072 Detection of unauthorized using DNS resolution for WPAD Detection of an endpoint utilizing DNS as a method of
proxy discovery by querying for wpad.registrationdomain. Search for NXDOMAIN replies to A/AAAA queries for wpad (bare
host) and wpad.* where the domain portion is not a company owned domain.
UC0073 Endpoint detected malware infection from url Endpoint antimalware detection event occurred where the malicious
content was retrieved from an external URL. Possible indication of gaps in protection by web proxy, intrusion prevention,
or advanced threat prevention. Use the information available for the event and determine how existing prevention controls
can be modified to prevent future infections.
UC0074 Network Intrusion Internal Network IDS/IPS detecting or blocking an attack based on a known signature.
UC0075 Network Malware Detection Internal malware detection system such as FireEye devices reporting an attack.
UC0076 Excessive DNS Failures An endpoint utilizing DNS as a transmission method for data exfiltration, command and
control, or evasion of security controls can be detected by either a large volume or high number of unique DNS queries.
UC0077 Detection Risky Referral Domains Maintain a tracking list of public domain suffix and data source "seen" by first
epoch. Identify where one of the following sequences occurs
UC0079 Use of accountable privileged identity to access new or rare sensitive resource Use of an identity identified as privileged
to access a system for the first time within a rolling time period will trigger a notable event for review of access reason.
UC0080 Trusted Individual exceeds authorization in observation of other users Evaluate queries executed by authorized trusted
individuals to determine if the user is observing the behavior of other users for reasons not authorized as part of the user's
job function.
UC0081 Communication with unestablished domain Egress communication with a newly seen, newly registered, or
registration date unknown domain may indicate the presence of malicious code. Assets communicating with external
services excluding Alexa TOP 1M whose reputation score exceeds acceptable norms will be flagged.
UC0082 Communication with enclave by default rule Communication from an enclave network may indicate a misconfiguration
that could weaken the security posture of the organization or actual/attempted compromise. Communication filtered by
the default rule implies no explicit permission for communication has been granted and should be reviewed. Consider
ingress communication allowed by the default rule, and egress communication allowed or blocked.
UC0083 Communication from or to an enclave network permitted by previously unknown or modified firewall rule Communication
from an enclave network may indicate a misconfiguration that could weaken the security posture of the organization or
actual/attempted compromise. Maintain a dynamic list of firewall rule names by dvc; alert when a rule is named in an
allowed communication where the reviewed time is null or prior to the last known modification time.
UC0084 Monitor Execution of Triage Activity Define and maintain eventtypes for unsuppressed notable events separately
identifying review work flow, and triage SLA required.
UC0085 Alert per host where web application logs indicate a source IP not classified as WAF Communication to any web
application server without filtering by a network web application firewall indicates a security misconfiguration.
UC0086 Detect Multiple Primary Functions Using network communication fingerprinting detect distinct primary functions
such as SQL, HTTP, DNS by destination asset. Alert if more than one primary function excluding administrative protocols
(RDP,SSH, iDrac).
UC0087 Malware signature not updated by SLA for compliance asset Malware signature last updated on an asset designated as
compliance, such as PCI, CIP or HIPAA, beyond SLA limits.
UC0088 User account sharing detection by source device ownership Detection of logon device by asset name (may require
resolution from IP) when logon user does not match the owner and the number of unique owned devices is greater than
two in the prior 24 hours. Exclude assets identified as loaner, and public or shared.
UC0089 Detection of Communication with Algorithmically Generated Domain Using an algorithm, determine whether the text of the
registration domain is likely to be generated by a computer, excluding known cloud hosting domains, Alexa TOP 1M
domains and domains with long established communication with the organization.
UC0090 User account cross enclave access Detection of logon with the same account to a production and a non production
environment. If an account (not user) has logged into more than one environment, access management controls have failed
and must be remediated.
UC0091 Validate Execution of Vulnerability Scan Using host based logs such as firewall or host intrusion detection, for each
asset with a governance category verify communication (accept or reject) has occurred with origination from one or more
authorized vulnerability scanners.
UC0092 Exception to Approved Flow for Web Applications Using web application access logs for assets deemed high/critical
or with the governance attribute, ensure the source IP address is one of the approved NLB or WAF devices. If WAF
devices are placed in front of NLB devices, ensure the first "x-forwarded-for" entry is the address of the WAF.
UC0093 Previously active account has not accessed enclave/lifecycle Identify accounts no longer in use with access to
high/critical or enclave systems and remove access when no longer required. Implement a tracking list of accounts and
the accessed enclave or business service identifier, maintain the last accessed time and alert when the last access time is
more than 90 days from current date.
UC0094 Insecure authentication method detected For each authentication technology in the network identify the values of
authentication events that positively ensure that secure authentication is in use. Alert per authentication technology where
a successful event occurs without the required indicators
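The following is an added worked example of the UC0088 logic (account sharing by source device ownership), not code from the original document or from Splunk. It uses a constructed asset table standing in for the DE001AssetInformation lookup and constructed logon events; device names, owners and the `detect_account_sharing` function are hypothetical. It applies the 24 hour window, the "more than two foreign devices" threshold and the loaner/public/shared exclusions, and separately reports devices that could not be resolved against the inventory, since those are enrichment gaps rather than detections.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory (hypothetical devices and owners) standing in for the
# DE001AssetInformation lookup: an owner plus the category used for the exclusions.
ASSETS = {
    "WS-1001": {"owner": "alice", "category": "workstation"},
    "WS-1002": {"owner": "bob", "category": "workstation"},
    "WS-1003": {"owner": "carol", "category": "workstation"},
    "WS-1004": {"owner": "dave", "category": "workstation"},
    "LN-0001": {"owner": "helpdesk", "category": "loaner"},
    "KIOSK-01": {"owner": "facilities", "category": "shared"},
}
EXCLUDED_CATEGORIES = {"loaner", "public", "shared"}

# Constructed logon events as (timestamp, user, device). In a real deployment the
# device name may first have to be resolved from the source IP address.
LOGONS = [
    ("2016-03-01T08:00:00", "alice", "WS-1001"),   # her own device
    ("2016-03-01T09:00:00", "alice", "WS-1002"),
    ("2016-03-01T10:30:00", "alice", "WS-1003"),
    ("2016-03-01T11:00:00", "alice", "WS-1004"),
    ("2016-03-01T12:00:00", "alice", "LN-0001"),   # loaner: excluded
    ("2016-02-25T12:00:00", "alice", "WS-1003"),   # outside the 24 h window
    ("2016-03-01T08:00:00", "bob", "WS-1002"),     # his own device
    ("2016-03-01T09:00:00", "bob", "WS-1001"),
    ("2016-03-01T10:00:00", "bob", "KIOSK-01"),    # shared: excluded
    ("2016-03-01T12:30:00", "bob", "10.0.0.99"),   # IP never resolved to an asset
]


def detect_account_sharing(logons, assets, now_iso, window_hours=24, threshold=2):
    """Return (alerts, unresolved).

    alerts maps each user who logged on to more than `threshold` distinct devices
    owned by someone else inside the window to the sorted list of those devices;
    unresolved lists device identifiers absent from the asset inventory.
    """
    now = datetime.fromisoformat(now_iso)
    cutoff = now - timedelta(hours=window_hours)
    foreign = defaultdict(set)
    unresolved = set()
    for ts, user, device in logons:
        when = datetime.fromisoformat(ts)
        if not cutoff <= when <= now:
            continue
        asset = assets.get(device)
        if asset is None:
            # No owner known: cannot judge the logon, so surface it as an inventory gap.
            unresolved.add(device)
            continue
        if asset["category"] in EXCLUDED_CATEGORIES:
            continue
        if asset["owner"] != user:
            foreign[user].add(device)
    alerts = {u: sorted(d) for u, d in foreign.items() if len(d) > threshold}
    return alerts, sorted(unresolved)


if __name__ == "__main__":
    print(detect_account_sharing(LOGONS, ASSETS, "2016-03-01T13:00:00"))
```

With the constructed data, alice is reported (three foreign workstations inside the window, the loaner ignored) while bob is not (one foreign workstation, the kiosk ignored), and the unresolved IP is returned for inventory follow-up.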
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV1-AbuseofAccess
DS005WebProxyRequest-ET01RequestedWebAppAware
RV4-ScanProbe
APC-Maturing
APS-ProposedField
API-Accepted
Initial Severity: SV2 - Medium
Occurrence: RATED1-Common
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Related articles
Enrichment
DE001AssetInformation
DE002IdentityInformation
DDE005 Prohibited Network Protocol/Application List
DDE006 Acceptable Network Protocol/Application List
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV1-AbuseofAccess
DS010NetworkCommunication-ET01TrafficAppAware
RV4-ScanProbe
APC-Essential
APS-ProposedField
API-Expected
Initial Severity: SV2 - Medium
Occurrence: RATED1-Common
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Related articles
Enrichment
DE001AssetInformation
DDE005 Prohibited Network Protocol/Application List
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV3-MaliciousCode
RV6-Misconfiguration
DS001Mail-ET03Send
Enrichment
APC-Essential
APS-ProposedField
API-Accepted
Initial Severity: SV3 - High
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtityEnabled
Related articles
DE001AssetInformation
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV1-AbuseofAccess
DS001Mail-ET03Send
PRT02-SecurityVisibilityUserActivity
RV3-MaliciousCode
APC-Maturing
APS-Accepted
API-Accepted
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Enrichment
DE001AssetInformation
CAT-svc:mailgw Exclude from detection
DE002IdentityInformation
CAT-nha Exclude from detection
CAT-svc:mail Exclude from detection
Context Gen
Email sent count by account in 10 min
Using this context, create a notable event when the number of emails sent is sharply increasing over two consecutive 10 min blocks
Related articles
Risk Addressed
PRT01-Compliance
RV1-AbuseofAccess
RV6-Misconfiguration
PRT02-SecurityVisibilityEndpointMalware
APC-Mature
APS-ProposedField
API-Known
Initial Severity: SV4 - Critical
Occurrence: RATED0-Rare
Fidelity: TBD
System Load: TBD
Analyst Load: TBD
Implementation Skill: TBD
Related articles
Enrichment
DE001AssetInformation
DDE012 Service State by platform
DDE013 Critical Policy Objects
Risk Addressed
PRT01-Compliance
RV1-AbuseofAccess
DS007AuditTrail-ET01Clear
PRT02-SecurityVisibilityEndpointMalware
APC-Essential
APS-RFC
API-Expected
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtityEnabled
Related articles
Enrichment
DE001AssetInformation
Risk Addressed
PRT01-Compliance
RV1-AbuseofAccess
DS003Authentication-ET01Success
PRT02-SecurityVisibilityUserActivity
RV2-Access
RV3-MaliciousCode
APC-Mature
APS-TBD
API-TBD
Initial Severity: SV3 - High
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtitySpecialist
Enrichment
DE001AssetInformation
DE002IdentityInformation
Category indicating an exception list of accounts to exclude from this search
Response
1. RP010 Contain potentially compromised account
2. RP012 Contain potentially compromised non human account
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend time to resolve
Metrics Review
1. Review time to resolve trends
2. Review exception list to determine if entries may be invalid and remove as required.
Artifacts
TBD
Related articles
Risk Addressed
PRT02-SecurityVisibilityUserActivity
RV2-Access
DS003Authentication-ET01Success
Enrichment
DE002IdentityInformation
RV3-MaliciousCode
APC-Mature
APS-RFC
API-Distinctive
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtityEnabled
Related articles
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV2-Access
DS003Authentication-ET01Success
RV3-MaliciousCode
Enrichment
DE002IdentityInformation
DDE003 Public Network attributes
DDE004 Threat List
VPN logs
email server logs
instant messaging logs
file transfer servers
APC-Mature
APS-RFC
API-Distinctive
Initial Severity: SV2 - Medium
Occurrence: RATED1-Common
Fidelity: FIDELITY-Low
System Load: LOAD-High
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtitySpecialist
Response RP003 Authentication on Internet facing system with potentially compromised account
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend Reporting by account type (employee vs customer vs business)
2. Trend Reporting by result of investigation
3. Trend Reporting of call center impact (customer)
Metrics Review
1. Review thresholds and monitoring statistics quarterly to determine whether the tolerances should be modified relative to risk acceptance
Artifacts
TBD
Related articles
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV2-Access
DS003Authentication-ET01Success
PRT02-SecurityVisibilityUserActivity
RV3-MaliciousCode
DS010NetworkCommunication-ET01TrafficAppAware
RV6-Misconfiguration
APC-Mature
APS-RFC
API-Known
Initial Severity: SV4 - Critical
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-SecurtityEnabled
Related articles
Enrichment
DE001AssetInformation: categorization providing information to identify authorized remote access systems
DE002IdentityInformation: categorization providing information on which users may access an individual remote access technology
Risk Addressed
PRT02-SecurityVisibilityUserActivity
RV2-Access
DS003Authentication-ET01Success
network authentication only
APC-Maturing
APS-Accepted
API-Distinctive
Initial Severity: SV3 - High
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-High
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtitySpecialist
Enrichment
DDE TBD (Customer)
Can manage account
Can admin users
DE002IdentityInformation (Employee)
Related articles
UC0012 Increase risk score of employees once adverse separation is identified or anticipated
Increase the risk score of users who have an indication of adverse separation. Examples of users with an indication of adverse separation
include but are not limited to the following:
User has entered a remediation program with human resources
User has been identified as included in a reduction in force
User has announced voluntary separation
User has been identified in a reorganization program
Problem Types Addressed
Risk Addressed
PRT02-SecurityVisibilityUserActivity
RV1-AbuseofAccess
DS008HRMasterData-ET02SeperationNotice
RV2-Access
APC-Mature
APS-Proposed
API-TBD
Initial Severity: SV - TBD
Occurrence: RATED0-Rare
Fidelity: TBD
System Load: TBD
Analyst Load: TBD
Implementation Skill: TBD
Response RP TBD
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD
Related articles
Enrichment
N/A
Risk Addressed
PRT02-SecurityVisibilityUserActivity
RV2-Access
DS006UserActivity-ET04Update
Enrichment
APC-Maturing
APS-Accepted
API-Known
Initial Severity: SV4 - Critical
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Low
System Load: LOAD-High
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-SecurtitySpecialist
Related articles
DE002IdentityInformation
Identity category terminated
Identity category reduction_in_force
Identity category org_change
Identity termination date (including future)
Identity category access_admin
DDE0016 List of risky groups.
UC0014 Monitor use attempts of human accounts once primary account is expired disabled or deleted
A human user may own multiple accounts. When the primary account of the human is expired, disabled, or deleted, we should expect no
further activity from any other account owned by the user.
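An added worked example of the UC0014 check, not taken from the original document or from Splunk: a constructed identity table (standing in for DE002IdentityInformation) ties several accounts to one human and marks which is primary, and constructed authentication events (both successes and failures, matching the two data sources listed for this use case) are screened for any non-primary account whose owner's primary account is expired, disabled or deleted. Account names, hosts and the `orphaned_account_activity` function are hypothetical.

```python
INACTIVE_STATES = {"expired", "disabled", "deleted"}

# Constructed identity records (hypothetical accounts): every account maps to the
# human who owns it, and exactly one account per human is the primary one.
IDENTITIES = {
    "jsmith":     {"human": "H001", "primary": True,  "status": "disabled"},
    "jsmith-adm": {"human": "H001", "primary": False, "status": "active"},
    "svc-backup": {"human": "H001", "primary": False, "status": "active"},
    "mlee":       {"human": "H002", "primary": True,  "status": "active"},
    "mlee-adm":   {"human": "H002", "primary": False, "status": "active"},
}

# Constructed authentication events; failures matter as much as successes here,
# because an attempt with a secondary account is itself the signal.
AUTH_EVENTS = [
    {"user": "jsmith-adm",  "action": "success", "dest": "srv-db01"},
    {"user": "svc-backup",  "action": "failure", "dest": "srv-fs02"},
    {"user": "mlee-adm",    "action": "success", "dest": "srv-db01"},
    {"user": "jsmith",      "action": "failure", "dest": "vpn01"},
    {"user": "contractor7", "action": "success", "dest": "srv-web01"},
]


def humans_with_inactive_primary(identities):
    """Set of human identifiers whose primary account is no longer active."""
    return {rec["human"] for rec in identities.values()
            if rec["primary"] and rec["status"] in INACTIVE_STATES}


def orphaned_account_activity(events, identities):
    """Return (hits, unknown_users).

    hits lists (user, action, dest) for activity by a secondary account whose
    owner's primary account is inactive. The inactive primary's own attempts are
    not included: they belong to the ordinary disabled-account logon check.
    unknown_users lists accounts missing from the identity table, which is an
    enrichment gap rather than a detection.
    """
    flagged = humans_with_inactive_primary(identities)
    hits, unknown = [], set()
    for ev in events:
        rec = identities.get(ev["user"])
        if rec is None:
            unknown.add(ev["user"])
            continue
        if rec["human"] in flagged and not rec["primary"]:
            hits.append((ev["user"], ev["action"], ev["dest"]))
    return hits, sorted(unknown)


if __name__ == "__main__":
    print(orphaned_account_activity(AUTH_EVENTS, IDENTITIES))
```

With the constructed data both of H001's remaining accounts are reported (one success, one failure) while H002's accounts are not, and the account absent from the identity table is returned separately so the lookup can be completed.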
Problem Types Addressed
Risk Addressed
PRT02-SecurityVisibilityUserActivity
RV2-Access
DS003Authentication-ET01Success
Enrichment
DE002IdentityInformation
DS003AUTHENTICATION-ET02Failure
APC-Maturing
APS-Accepted
API-Known
Initial Severity: SV4 - Critical
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-SecurtityEnabled
Related articles
UC0015 Privileged user accessing more than expected number of machines in period
A privileged user authenticates successfully to more than X new targets, or is denied access to more than Y targets, in the prior Z
hours. For example:
More than 5 new targets
More than 3 failures
In the last 4 hours
Problem Types Addressed
Risk Addressed
PRT02-SecurityVisibilityUserActivity
RV2-Access
DS003Authentication-ET01Success
APC-Maturing
APS-Accepted
API-Known
Initial Severity: SV4 - Critical
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Low
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtitySpecialist
Enrichment
DE002IdentityInformation
DDT002 Logon Tracker
Detection Activities
1. Search Logic
index=wineventlog user_priority=critical Source_Workstation=* | stats dc(Source_Workstation) as systemcount values(Source_Workstation) as systems by user | where systemcount>5
2. Drilldown
| datamodel Authentication Authentication search | search Authentication.user=$user$
Related articles
Risk Addressed
PRT02-SecurityVisibilityUserActivity
RV2-Access
DS003Authentication-ET01Success
APC-Maturing
APS-RFC
API-Known
Initial Severity: SV4 - Critical
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-General
Response
Determine appropriate response based on information available in the event.
1. RP007 Potentially Unauthorized change detected on endpoint
2. RP009 Unauthorized (actual or attempted) access by employees or contractors
3. RP011 Unwanted/Unauthorized Code detected on endpoint
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend positive vs false positive rate
2. Trend time to resolve
Metrics Review
1. Review thresholds and adjust for risk tolerance
Artifacts
TBD
Related articles
Enrichment
DE001AssetInformation
DE002IdentityInformation
DDE015 Share Access exclusion list
Risk Addressed
PRT02-SecurityVisibilityUserActivity
RV2-Access
DS003Authentication-ET01Success
Enrichment
DE001AssetInformation
DE002IdentityInformation
APC-Mature
APS-Proposed
API-Accepted
Initial Severity: SV4 - Critical
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtitySpecialist
Related articles
Risk Addressed
PRT02-SecurityVisibilityUserActivity
RV2-Access
DS003Authentication-ET01Success
SSO Systems, Active Directory, Customer SSO
DS003Authentication-ET02Failure
Enrichment
Customer
Can manipulate accounts
Can admin users
Employee
Privileged
APC-Mature
APS-Proposed
API-Expected
Initial Severity: SV4 - Critical
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtityEnabled
<note on "Urgency">
Urgency:
Customer
No fraud = Low
Fraud = High
Employee
Privileged user = High
All others = Low
</note>
Related articles
Risk Addressed
PRT02-SecurityVisibilityUserActivity
RV2-Access
DS003Authentication-ET01Success
Enrichment
DE001AssetInformation
DE002IdentityInformation
DS008HRMasterData
APC-Mature
APS-Proposed
API-Accepted
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-SecurtitySpecialist
Related articles
Risk Addressed
PRT01-Compliance
RV3-MaliciousCode
DS010NetworkCommunication-ET01Traffic
PRT02-SecurityVisibilityEndpointMalware
RV4-ScanProbe
APC-Essential
APS-Proposed
API-Expected
Initial Severity: SV3 - High
Occurrence: RATED2-Frequent
Fidelity: FIDELITY-Moderate
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtityEnabled
Related articles
Enrichment
DE001AssetInformation
DDE005 Prohibited Network Protocol/Application List
DDE006 Acceptable Network Protocol/Application List
Risk Addressed
PRT01-Compliance
RV3-MaliciousCode
PRT02-SecurityVisibilityEndpointMalware
APC-Maturing
APS-Proposed
API-Known
Initial Severity: SV1 - Low
Occurrence: RATED1-Common
Fidelity: FIDELITY-High
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtityEnabled
Enrichment
DE001AssetInformation
DDE010 Alexa TOP 1 million sites
DDE011 External Known systems list
DDE021 Commercially maintained Geo IP Database
Related articles
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV3-MaliciousCode
DS010NetworkCommunication-ET01Traffic
RV4-ScanProbe
APC-Maturing
APS-Proposed
API-Expected
Initial Severity: SV3 - High
Occurrence: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Related articles
Enrichment
DE001AssetInformation
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV3-MaliciousCode
DS010NetworkCommunication-ET01Traffic
RV4-ScanProbe
APC-Maturing
APS-Proposed
API-Known
Initial Severity: SV3 - High
Occurrence: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Related articles
Enrichment
DE001AssetInformation
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV3-MaliciousCode
DS001Mail-ET02Receive
Enrichment
DE001AssetInformation
DDE010 Alexa TOP 1 million sites
DS002DNS-ET01Query
DS002DNS-ET01QueryResponse
DS002DNS-ET01QueryRequest
DS005WebProxyRequest
DS010NetworkCommunication-ET01Traffic
APC-Superceded
APS-Obsolete
API-Known
Initial Severity: SV3 - High
Occurrence: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-High
Analyst Load: AnalystLoad-High
Implementation Skill: SKILLI-PS-SecurtityEnabled
Related articles
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV3-MaliciousCode
DS004EndPointAntiMalware-ET01SigDetected
APC-Mature
APS-Proposed
API-Known
Initial Severity: SV2 - Medium
Occurrence: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-SecurtitySpecialist
Related articles
Enrichment
DE001AssetInformation
DDE007 Signature Special Processing List
DDE008 Network CIDR Details
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV3-MaliciousCode
DS004EndPointAntiMalware-ET01SigDetected
APC-Mature
APS-Proposed
API-Known
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Low
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-SecurtityEnabled
Related articles
Enrichment
DE001AssetInformation
DDE007 Signature Special Processing List
DDE008 Network CIDR Details
UC0027 Endpoint Multiple devices in 48 hours owned by users in the same organizational unit
Multiple infected devices in the same organizational unit could indicate a successful spear phishing attack. Monitor for more than 5% of the
hosts in an organizational unit.
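An added worked example of the UC0027 ratio check, not code from the original document or from Splunk: infections from constructed anti-malware signature events are grouped by the organizational unit of the affected host (a constructed inventory stands in for DE001AssetInformation), de-duplicated per host, restricted to a 48 hour window, and compared with the number of hosts in that unit against the 5% threshold. Host names, unit names, signature names and the `ou_infection_ratios` function are hypothetical.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed asset inventory (hypothetical hosts): host -> organizational unit.
# finance has 10 hosts, engineering has 40.
ASSETS_BY_OU = {f"fin-{i:02d}": "finance" for i in range(10)}
ASSETS_BY_OU.update({f"eng-{i:02d}": "engineering" for i in range(40)})

# Constructed anti-malware signature detections: (timestamp, host, signature).
INFECTIONS = [
    ("2016-03-02T08:00:00", "fin-01", "Trojan.Generic"),
    ("2016-03-02T08:30:00", "fin-01", "Trojan.Generic"),   # same host again: counted once
    ("2016-03-02T09:15:00", "fin-04", "Trojan.Generic"),
    ("2016-03-02T10:00:00", "eng-07", "PUA.Toolbar"),
    ("2016-02-20T10:00:00", "fin-08", "Trojan.Generic"),   # outside the 48 h window
    ("2016-03-02T11:00:00", "lab-99", "Trojan.Generic"),   # host not in inventory
]


def ou_infection_ratios(infections, assets, now_iso, window_hours=48, threshold=0.05):
    """Return (alerts, unknown_hosts).

    alerts maps each organizational unit whose share of infected hosts inside the
    window exceeds `threshold` to the counts behind that ratio; unknown_hosts lists
    infected hosts missing from the inventory, which must be fixed for the ratio
    to be trustworthy.
    """
    now = datetime.fromisoformat(now_iso)
    cutoff = now - timedelta(hours=window_hours)
    infected = defaultdict(set)
    unknown_hosts = set()
    for ts, host, _signature in infections:
        when = datetime.fromisoformat(ts)
        if not cutoff <= when <= now:
            continue
        ou = assets.get(host)
        if ou is None:
            unknown_hosts.add(host)
            continue
        infected[ou].add(host)           # a set, so repeat detections on one host count once
    hosts_per_ou = Counter(assets.values())
    alerts = {}
    for ou, hosts in infected.items():
        ratio = len(hosts) / hosts_per_ou[ou]
        if ratio > threshold:
            alerts[ou] = {"infected": len(hosts), "total": hosts_per_ou[ou], "ratio": ratio}
    return alerts, sorted(unknown_hosts)


if __name__ == "__main__":
    print(ou_infection_ratios(INFECTIONS, ASSETS_BY_OU, "2016-03-02T12:00:00"))
```

On the constructed data finance is reported (2 of 10 hosts, 20%) and engineering is not (1 of 40, 2.5%); the repeat detection on fin-01 and the stale fin-08 event do not inflate the count, and the uninventoried host is returned for follow-up.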
Problem Types Addressed
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV3-MaliciousCode
DS004EndPointAntiMalware-ET01SigDetected
APC-Mature
APS-Proposed
API-Known
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Related articles
Enrichment
DE001AssetInformation
DDE007 Signature Special Processing List
DDE008 Network CIDR Details
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV3-MaliciousCode
DS004EndPointAntiMalware-ET01SigDetected
APC-Mature
APS-Proposed
API-Socializing
Initial Severity: SV2 - Medium
Occurrence: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-SecurtityEnabled
Enrichment
DE001AssetInformation
DDE007 Signature Special Processing List
Detection Activities
Rule Name - UC0027-S01-V001 Multiple infections for host
Notable Title - UC0027-S01 $gov$ Multiple infections ($count$) occurred on $dest$
Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0027
Search Logic
Related articles
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV3-MaliciousCode
DS004EndPointAntiMalware-ET01SigDetected
APC-Essential
APS-Accepted
API-Distinctive
Initial Severity: SV3 - High
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-General
Enrichment
DDE007 Signature Special Processing List
DDT001 Signature Tracker
Response
RP005 Malicious Code detected on endpoint
Open an investigation to determine the method of infection and possible preventive measures
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
Rule Name - UC0029-S01-V001 New malware signature detected
Notable Title - UC0029-S01 $gov$ First detection for $signature$ occurred on $dest$ user $user$
Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0029
Search Logic
Compliance YES
Rabbit hole
+/- 60 min web activity by fqdn
Did this infection occur from materials accessed on the internet?
Did this infection lead to additional activity based on a remote access tool?
+/- 60 min emails accessed
Did this infection occur from materials accessed via email?
Did this infection lead to additional email activity (ie to spread the infection)?
+/- 60 min new processes started
If not email/web origin, did this malware get added by an automated process on the machine (lateral movement)?
Did this malware (whatever this infection was) also unpack and install more stuff?
Container App DA-ESS-SecKit-EndpointProtection
Related articles
Risk Addressed
PRT01-Compliance
RV3-MaliciousCode
DS004EndPointAntiMalware-ET01SigDetected
PRT02-SecurityVisibilityEndpointMalware
APC-Essential
APS-Proposed
API-Expected
Initial Severity: SV2 - Medium
Occurrence: RATED2-Frequent
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-High
Implementation Skill: SKILLI-PS-General
Enrichment
DDE007 Signature Special Processing List
DDT001 Signature Tracker
Related articles
UC0031 Non human account starting processes not associated with the purpose of the account
Accounts designated for use by services and batch processes should start a limited set of child processes. Creation of new child processes
other than the process name defined in the service or batch definition may indicate compromise.
Problem Types Addressed
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV3-MaliciousCode
DS009EndPointIntel-ET01ProcessLaunch
APC-Maturing
APS-Proposed
API-Known
Initial Severity: SV4 - Critical
Occurrence: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-High
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtitySpecialist
Related articles
Enrichment
DDE014 Service Account process name/hash
Risk Addressed
PRT02-SecurityVisibilityUserActivity
RV2-Access
DS003Authentication-ET02Failure
APC-Maturing
APS-Proposed
API-Expected
Initial Severity: SV1 - Low
Occurrence: RATED1-Common
Fidelity: FIDELITY-Low
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Enrichment
DE001AssetInformation
DE002IdentityInformation
Response (internal source IP): RP009 Unauthorized (actual or attempted) access by employees or contractors
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend false positive vs positive
Metrics Review
1. Review trending to determine whether the threshold should be changed
Artifacts
Related articles
Risk Addressed
PRT02-SecurityVisibilityUserActivity
RV2-Access
DS003Authentication-ET02Failure
APC-Mature
APS-Proposed
API-Expected
Initial Severity: SV1 - Low
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Enrichment
DE001AssetInformation
DE002IdentityInformation
Response (internal source IP): RP009 Unauthorized (actual or attempted) access by employees or contractors
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend false positive vs positive
Metrics Review
1. Review trending to determine whether the threshold should be changed
Artifacts
Related articles
Risk Addressed
PRT02-SecurityVisibilityUserActivity
RV2-Access
DS003Authentication-ET01Success
DS003Authentication-ET02Failure
APC-Maturing
APS-Proposed
API-Known
Initial Severity: SV4 - Critical
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Enrichment
DE001AssetInformation
DE002IdentityInformation
Assets
Identities
Brute force watchlist
Related articles
Risk Addressed
PRT02-SecurityVisibilityUserActivity
RV2-Access
DS003Authentication-ET01Success
Enrichment
DE002IdentityInformation
Session Start,
Session End,
Share access
APC-Maturing
APS-Proposed
API-Known
Initial Severity: SV3 - High
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-High
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtitySpecialist
Related articles
Risk Addressed
PRT02-SecurityVisibilityUserActivity
RV2-Access
DS003Authentication-ET02Failure
Enrichment
APC-Essential
APS-Proposed
API-Expected
Initial Severity: SV4 - Critical
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-High
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtitySpecialist
DE001AssetInformation
DE002IdentityInformation
Related articles
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV3-MaliciousCode
RV4-ScanProbe
Enrichment
DE001AssetInformation
(IDS or equivalent)
APC-Essential
APS-Proposed
API-Expected
Initial Severity: SV3 - High
Occurrence: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response RP004 Network intrusion system (IDS/IPS, WAF, DAM, etc) observes attack without blocking
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD
Related articles
Risk Addressed
PRT01-Compliance
RV1-AbuseofAccess
DS006UserActivity-ET07ExecuteAs
PRT02-SecurityVisibilityUserActivity
RV2-Access
APC-Mature
APS-Proposed
API-Socializing
Initial Severity: SV4 - Critical
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtityEnabled
Enrichment
DE002IdentityInformation
Related articles
Risk Addressed
PRT01-Compliance
RV1-AbuseofAccess
DS006UserActivity-ET07ExecuteAs
PRT02-SecurityVisibilityUserActivity
RV2-Access
APC-Mature
APS-Proposed
API-Socializing
Initial Severity: SV4 - Critical
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Moderate
Analyst Load: LOAD-Moderate
Implementation Skill: SKILLI-PS-SecurtityEnabled
Enrichment
DE002IdentityInformation
Related articles
UC0040 Use of Shared Secret for or by automated process with risky attributes
Usage (checkout) by an automated process such as software installation of a shared secret or service account where the source of the
retrieval is new or outside of the change window.
Problem Types Addressed
Risk Addressed
PRT01-Compliance
RV1-AbuseofAccess
DS006UserActivity-ET07ExecuteAs
PRT02-SecurityVisibilityUserActivity
RV2-Access
APC-Mature
APS-Proposed
API-Socializing
Initial Severity: SV4 - Critical
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtitySpecialist
Related articles
Enrichment
DE002IdentityInformation
Risk Addressed
PRT01-Compliance
RV4-ScanProbe
DS003Authentication-ET01Success
PRT02-SecurityVisibilityEndpointMalware
RV6-Misconfiguration
DS010NetworkCommunication-ET01TrafficAppAware
APC-Maturing
APS-Proposed
API-Dated
Initial Severity: SV3 - High
Occurrence: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response:
RP008 Unauthorized service detected on an endpoint
RP002 Endpoint generating suspicious network activity
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend closed false positive
2. Trend time to close
Metrics Review
1. Evaluate white list for additional removal based on risk tolerance.
Artifacts
TBD
Related articles
Enrichment
DE001AssetInformation
Risk Addressed
PRT01-Compliance
RV1-AbuseofAccess
DS003Authentication-ET01Success
PRT02-SecurityVisibilityUserActivity
RV2-Access
APC-Mature
APS-Proposed
API-Known
Initial Severity: SV3 - High
Occurrence: RATED1-Common
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-General
Response:
RP015 New SSH Private key
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend closed false positive
2. Trend time to close
Metrics Review
1. Evaluate white list for additional removal based on risk tolerance.
Artifacts
TBD
Related articles
Enrichment
DE002IdentityInformation
Risk Addressed
PRT01-Compliance
RV1-AbuseofAccess
DS003Authentication-ET01Success
PRT02-SecurityVisibilityEndpointMalware
RV2-Access
PRT02-SecurityVisibilityUserActivity
RV6-Misconfiguration
PRT02-SecurityVisibilityPriviledgeUserMonitoring
APC-Essential
APS-Proposed
API-Expected
Initial Severity: SV4 - Critical
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtitySpecialist
Related articles
Enrichment
DE002IdentityInformation
Risk Addressed
Enrichment
PRT01-Compliance
RV2-Access
DS003Authentication-ET01Success
DE002IdentityInformation
RV6-Misconfiguration
APC-Mature
APS-Proposed
API-Known
Initial Severity: SV3 - High
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
<note>
rare in a tuned environment after the migration
</note>
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtityEnabled
Response:
RP010 Contain potentially compromised account
RP007 Potentially Unauthorized change detected on endpoint
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend closed false positive
2. Trend time to close
Metrics Review
1. Evaluate white list for additional removal based on risk tolerance.
Artifacts
TBD
Related articles
Risk Addressed
PRT01-Compliance
RV1-AbuseofAccess
DS003Authentication-ET01Success
PRT02-SecurityVisibilityEndpointMalware
RV2-Access
PRT02-SecurityVisibilityUserActivity
APC-Maturing
APS-Proposed
API-Known
Initial Severity: SV4 - Critical
Occurrence: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtityEnabled
Related articles
Enrichment
DE002IdentityInformation
Risk Addressed
PRT01-Compliance
RV6-Misconfiguration
DS007AuditTrail-ET03TimeSync
PRT02-SecurityVisibilityEndpointMalware
APC-Essential
APS-Proposed
API-Expected
Initial Severity: SV2 - Medium
Occurrence: RATED1-Common
Fidelity: FIDELITY-High
System Load: TBD
Analyst Load: TBD
Implementation Skill: TBD
Related articles
Enrichment
DE001AssetInformation
Risk Addressed
PRT02-IdentifyPatientZero
RV3-MaliciousCode
DS005WebProxyRequest-ET01Requested
PRT04-ProcessEffectivness-HuntPaths
APC-Maturing
APS-Accepted
API-Distinctive
Initial Severity: SV1 - Low
Occurrence: RATED2-Frequent
Fidelity: FIDELITY-Low
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Enrichment
DDE001 Asset Information
DDE010 Alexa TOP 1 million sites
DDT004 New Domain Tracker
Implementation Details
Effectiveness Monitoring
Metrics Captured
Count notables generated
Count resolution
Metrics Review
1. Review monthly the threshold score at which false positive resolutions were noted, to determine whether the tolerance should be adjusted
Artifacts
Detection Activities
Related articles
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV3-MaliciousCode
DS002DNS-ET01Query
APC-Maturing
APS-Accepted
API-Distinctive
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Enrichment
DE001AssetInformation
CAT-svc:dnsresolver
CAT-svc:mailgw
CAT-svc:webproxy
DDE017 Legitimate DNS command and control domains
DDE010 Alexa TOP 1 million sites
Related articles
Risk Addressed
Enrichment
PRT01-Compliance
RV2-Access
PT014-PhysicalAccessControl
TBD
PRT02-SecurityVisibilityUserActivity
APC-Edge
APS-Proposed
API-Known
Initial Severity: SV4 - Critical
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: TBD
Analyst Load: TBD
Implementation Skill: TBD
Response
Investigate identity - add to watchlist for successful authentication
<note>
This needs to be merged with OR added to a new Response Plan pertaining to Physical access responses
</note>
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trending vs False positives
Metrics Review
1. Review legitimate badge access attempts/failures (security officers, vulnerability assessments, etc.); add them to the false positive database
Artifacts
TBD
Related articles
Risk Addressed
PRT01-Compliance
RV2-Access
DS003Authentication-ET01Success
PRT02-SecurityVisibilityUserActivity
RV6-Misconfiguration
DS003Authentication-ET02Failure
APC-Edge
APS-Proposed
API-Known
Initial Severity: SV3 - High
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: TBD
Analyst Load: TBD
Implementation Skill: TBD
Enrichment
DE001AssetInformation
CAT-gov:CIP
DDE002 Identity Information
CAT-gov:CIP
Response
Alert and Investigate cause of identity access attempt
document disposition (examples below)
administrative process error - user access incorrectly removed after a review cycle due to inactivity; the user needs to go through the process to be added back to the list
employee training error - a new employee without CIP access mistakenly tried to connect before completing the CIP training and vetting process; the user needs to complete the process to get on the list
suspicious / malicious behavior - unjustified actions (including no explanation); the incident response team is to investigate the asset, identify the actors, follow up with management / HR / legal actions, and file the relevant compliance paperwork
<note>
This needs to be merged with OR added to a new Response Plan pertaining to electronic access responses
</note>
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD
Related articles
Risk Addressed
PRT01-Compliance
RV3-MaliciousCode
DS004EndPointAntiMalware-ET01SigDetected
PRT02-SecurityVisibilityEndpointMalware
APC-Edge
APS-Proposed
API-Expected
Initial Severity
Occurrence/Fidelity
Fidelity
SV4 - Critical
RATED0-Rare
FIDELITY-High
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Moderate
SKILLI-PS-SecurtityEnabled
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD
Related articles
Enrichment
DDE001 Asset Information
CAT-gov
Risk Addressed
PRT02-SecurityVisibilityUserActivity
RV2-Access
DS003Authentication-ET01Success
Enrichment
DE001AssetInformation
SRC IP not found in the asset information
DE002IdentityInformation
Employee
Customer
Can manage account
Can admin users
APC-Maturing
APS-Proposed
API-Known
Initial Severity
Occurrence/Fidelity
Fidelity
RATED0-Rare
FIDELITY-Moderate
well tuned
RATED1-Common
poorly tuned
System Load
Analyst Load
LOAD-Moderate
AnalystLoad-High
Implementation Skill
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Trend Reporting by account type (employee vs customer)
2. Trend Reporting by result of investigation
3. Trend Reporting of call center impact (customer)
Metrics Review
1. Review thresholds and monitoring statistics quarterly to determine if the tolerances should be modified relative to risk acceptance
Artifacts
TBD
Related articles
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV3-MaliciousCode
DS002DNS-ET01QueryRequest
APC-Maturing
APS-Accepted
API-Distinctive
Initial Severity
Occurrence
Fidelity
SV2 - Medium
RATED0-Rare
FIDELITY-High
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Automation
SKILLI-Customer
Enrichment
DDE001 Asset Information
CAT-svc:dnsresolver
CAT-svc:mailgw
CAT-svc:webproxy
DDE017 Legitimate DNS command and control domains
Implementation Details
Effectiveness Monitoring
Metrics Captured
Count notables generated
Count resolution
Metrics Review
1. N/A
Artifacts
Detection Activities
Rule Name - UC0072-S01-V001 Potential unauthorized device detected by wpad resolution
Notable Title - UC0072-S01 $gov$-$src_ip$ Unauthorized device detected by wpad resolution
Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0072
Search Logic - TBD
Compliance YES
Container App DA-ESS-SecKit-NetworkProtection
Related articles
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV3-MaliciousCode
DS004EndPointAntiMalware-ET01SigDetected
RV6-Misconfiguration
APC-Maturing
APS-Proposed
API-Known
Initial Severity
Occurrence/Fidelity
Fidelity
SV3 - High
RATED1-Common
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
TBD
TBD
TBD
Enrichment
DE001AssetInformation
DDE007 Signature Special Processing List
Detection Activities
Rule Name - UC0073-S01-V001 Endpoint malware infection from url
Dependency
Notable Title - UC0073-S01 Endpoint malware infection from $domain$
Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0073
Search Logic
Related articles
Risk Addressed
PRT01-Compliance
RV3-MaliciousCode
DS012NetworkIntrusionDetection-ET01SigDetection
Enrichment
DE001AssetInformation
PRT02-SecurityVisibilityEndpointMalware
APC-Essential
APS-Proposed
API-Expected
Initial Severity
Occurrence/Fidelity
Fidelity
SV3 - High
RATED1-Common
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Moderate
SKILLI-Customer
Response RP004 Network intrusion system (IDS/IPS, WAF, DAM, etc) observes attack without blocking
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
Detection Activities
Rule Name - UC0074-S01-V001 Network Intrusion Internal Network
Notable Title - UC0074-S01 $gov$-$src$ Network Intrusion Internal Network $signature$
Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0074
Search Logic
Related articles
Risk Addressed
PRT01-Compliance
RV3-MaliciousCode
DS011MalwareDetonation-ET01Detection
Enrichment
DE001AssetInformation
PRT02-SecurityVisibilityEndpointMalware
APC-Essential
APS-Proposed
API-Expected
Initial Severity
Occurrence/Fidelity
Fidelity
SV3 - High
RATED1-Common
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
LOAD-Low
TBD
TBD
Response RP004 Network intrusion system (IDS/IPS, WAF, DAM, etc) observes attack without blocking
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
Detection Activities
Rule Name - UC0075-S01-V001 FireEye detection unblocked
Notable Title - UC0075-S01 $gov$-$src$ Fire Eye APT detection $signature$
Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0075
Search Logic
eventtype=fe
action=notified
NOT "169.250.0.1"
| table src dvc_ip dest product signature severity impact ext_ref
| `get_asset(src)`
Compliance YES
Container App SecKit-DA-ESS-NetworkProtection
Window -65m@m to now
Cron */2 * * * *
Related articles
Risk Addressed
PRT01-Compliance
RV1-AbuseofAccess
DS002DNS-ET01Query
PRT02-SecurityVisibilityUserActivity
RV3-MaliciousCode
Enrichment
APC-Maturing
APS-Proposed
API-Distinctive
Initial Severity
Occurrence/Fidelity
Fidelity
SV2 - Medium
RATED0-Rare
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Low
SKILLI-Customer
DE001AssetInformation
CAT-svc:dnsresolver
CAT-svc:mailgw
CAT-svc:webproxy
DDE017 Legitimate DNS command and control domains
DDE010 Alexa TOP 1 million sites
DDE019 CIM Corporate Web Domains
Implementation Details
Effectiveness Monitoring
Metrics Captured
Count notables generated
Count resolution
Indicator value
Metrics Review
Per Quarter review indicator values impacting false positive resolutions and determine if thresholds should be adjusted
Artifacts
Detection Activities
Rule Name - UC0076-S01-V001 Excessive DNS Failures
Notable Title - UC0076-S01 $gov$-$asset_name$ Excessive DNS Failures $count$
Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0076
Search Logic
Drilldown
Compliance YES
Container App DA-ESS-SecKit-NetworkProtection
Related articles
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV3-MaliciousCode
DS001Mail-ET02Receive
Enrichment
DS014WebServer-ET01Access
APC-Mature
APS-Proposed
API-Distinctive
Initial Severity
Occurrence/Fidelity
Fidelity
SV2 - Medium
RATED1-Common
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
AnalystLoad-Low
SKILLI-PS-SecurtitySpecialist
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
Detection Activities
Rule Name - UC0072-S01-V001 Potential unauthorized device detected by wpad resolution
Notable Title - UC0072-S01 $gov$-$src_ip$ Unauthorized device detected by wpad resolution
Notable Description - See above + https://securitykit.atlassian.net/wiki/dosearchsite.action?queryString=UC0072
Search Logic - TBD
Compliance YES
Container App DA-ESS-SecKit-NetworkProtection
Related articles
UC0079 Use of accountable privileged identity to access new or rare sensitive resource
Use of an identity identified as privileged to access a system for the first time within a rolling time period will trigger a notable event for review of the access reason.
Problem Types Addressed
Risk Addressed
PRT01-Compliance
RV1-AbuseofAccess
DS003Authentication-ET01Success
PRT02-SecurityVisibilityPriviledgeUserMonitoring
APC-Mature
APS-Proposed
API-Distinctive
Initial Severity
Occurrence/Fidelity
Fidelity
SV2 - Medium
RATED1-Common
FIDELITY-High
System Load
Analyst Load
Implementation Skill
LOAD-High
TBD
TBD
Enrichment
DE001AssetInformation
CAT-gov_identifier
DE002IdentityInformation
CAT-privileged
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. Time to investigate
2. Time to close
3. Number of reportable incidents
Metrics Review
1. Review thresholds determine if adjustments to reduce thresholds should be made
Artifacts
Dependencies
DDT002 Logon Tracker
Correlation Search
"New/Rare Login"
| inputlookup logon_tracker
| `get_asset(dest_dns)`
| `get_identity(user_nick)`
| search user_category="privileged"
| where _time > relative_time(now(), "-24h") OR isnotnull(mvfind(dest_category, "^gov:"))
Suppress by dest_dns,user_nick time 86400
Dashboard
Conditions
nick
time
Display
Distinct hosts
Distinct gov categories involved (word cloud)
Time chart of access count and dc(dest_dns)
Map of access sources geo coded
Reporting
Daily produce report by managed_by
Roll up of users and systems accessed
Roll up of critical changes by user
Time of day by user
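The "New/Rare Login" correlation logic above, re-implemented as an added example (not code from the page or from Splunk) over a constructed logon tracker so the rule and its suppression can be reasoned about offline. Assumptions not stated on the page: the tracker holds one row per (user_nick, dest_dns) pair with the epoch time it was first seen, "first time within a rolling time period" means first seen in the last 24 hours, an in-scope destination has a dest_category value starting with "gov:", and the asset and identity tables are constructed stand-ins for `get_asset` / `get_identity`.

```python
from dataclasses import dataclass

ROLLING_WINDOW_S = 24 * 3600   # assumption: "rolling time period" = 24 hours
SUPPRESS_S = 86400             # "Suppress by dest_dns,user_nick time 86400"

# Constructed enrichment tables standing in for `get_asset` / `get_identity`.
ASSETS = {
    "hist01.corp.example": {"dest_category": ["gov:CIP", "svc:scada"]},
    "wiki01.corp.example": {"dest_category": ["svc:web"]},
}
IDENTITIES = {
    "rfair": {"user_category": ["privileged"]},
    "jdoe": {"user_category": ["employee"]},
}


@dataclass
class TrackerRow:
    """One logon_tracker row: a (user, destination) pair and when it was first seen."""
    user_nick: str
    dest_dns: str
    first_seen: int  # epoch seconds


def is_gov_dest(asset):
    """Equivalent of isnotnull(mvfind(dest_category, "^gov:"))."""
    return any(c.startswith("gov:") for c in asset.get("dest_category", []))


def is_privileged(identity):
    """Equivalent of search user_category="privileged"."""
    return "privileged" in identity.get("user_category", [])


class NewRareLoginRule:
    def __init__(self, assets=ASSETS, identities=IDENTITIES):
        self.assets = assets
        self.identities = identities
        self._last_notable = {}  # (dest_dns, user_nick) -> epoch of last notable

    def evaluate(self, rows, now):
        """Run one scheduled pass over tracker rows; return the notables it raises."""
        notables = []
        for row in rows:
            if not is_privileged(self.identities.get(row.user_nick, {})):
                continue
            asset = self.assets.get(row.dest_dns, {})
            new_pair = now - row.first_seen < ROLLING_WINDOW_S
            gov_dest = is_gov_dest(asset)
            if not (new_pair or gov_dest):
                continue
            key = (row.dest_dns, row.user_nick)
            last = self._last_notable.get(key)
            if last is not None and now - last < SUPPRESS_S:
                continue  # suppressed: same pair already raised within 86400 s
            self._last_notable[key] = now
            notables.append({
                "user_nick": row.user_nick,
                "dest_dns": row.dest_dns,
                "reason": "new pair" if new_pair else "gov destination",
            })
        return notables


if __name__ == "__main__":
    now = 1_700_000_000
    rows = [
        TrackerRow("rfair", "hist01.corp.example", now - 3600),        # new AND gov
        TrackerRow("rfair", "wiki01.corp.example", now - 10 * 86400),  # old, non-gov
        TrackerRow("jdoe", "hist01.corp.example", now - 100),          # not privileged
    ]
    rule = NewRareLoginRule()
    for notable in rule.evaluate(rows, now):
        print(notable)
```

Note that a privileged user's access to a gov-categorised asset re-qualifies on every run, so the 86400 s suppression is what keeps the notable from repeating each schedule.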
Related articles
Risk Addressed
PRT01-Compliance
RV1-AbuseofAccess
DS006UserActivity-ET06Search
PRT02-SecurityVisibilityUserActivity
APC-Mature
APS-Proposed
API-Distinctive
Initial Severity
Occurrence/Fidelity
Fidelity
SV2 - Medium
RATED0-Rare
FIDELITY-High
System Load
Analyst Load
Implementation Skill
LOAD-Low
TBD
TBD
Response TBD
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD
Related articles
Enrichment
DE002IdentityInformation
Actor Title
List values for user_category requiring review when observed
List of eventtypes on access logs requiring review
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV3-MaliciousCode
DS002DNS-ET01QueryRequest
DS005WebProxyRequest-ET01Requested
APC-Maturing
APS-Accepted
API-Distinctive
Initial Severity
Occurrence
Fidelity
SV2 - Medium
RATED0-Rare
FIDELITY-High
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Moderate
SKILLI-PS-SecurtitySpecialist
Enrichment
DDE001 Asset Information
CAT-svc:dnsresolver
CAT-svc:mailgw
CAT-svc:webproxy
DDE017 Legitimate DNS command and control domains
DDE010 Alexa TOP 1 million sites
DDE022 Domain Reputation Score Provider
DDT004 New Domain Tracker
Implementation Details
Effectiveness Monitoring
Metrics Captured
Count notables generated
Count resolution
Metrics Review
1. Monthly review threshold score where false positive resolution was noted to determine if tolerance should be adjusted
Artifacts
Detection Activities
Related articles
Risk Addressed
PRT01-Compliance
RV1-AbuseofAccess
DS010NetworkCommunication-ET01Traffic
Enrichment
DDE001 Asset Information
RV6-Misconfiguration
APC-Maturing
APS-Accepted
API-Distinctive
Initial Severity
Occurrence
Fidelity
SV3 - High
RATED0-Rare
FIDELITY-High
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Moderate
SKILLI-PS-SecurtitySpecialist
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
Count notables generated
Count resolution
Metrics Review
1. Monthly review threshold score where false positive resolution was noted to determine if tolerance should be adjusted
Artifacts
Detection Activities
Related articles
Risk Addressed
PRT01-Compliance
RV1-AbuseofAccess
DS010NetworkCommunication-ET01Traffic
Enrichment
DDE001 Asset Information
RV6-Misconfiguration
APC-Maturing
APS-Accepted
API-Distinctive
Initial Severity
Occurrence
Fidelity
SV3 - High
RATED0-Rare
FIDELITY-High
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Moderate
SKILLI-PS-SecurtitySpecialist
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
Count notables generated
Count resolution
Metrics Review
1. Monthly review threshold score where false positive resolution was noted to determine if tolerance should be adjusted
Artifacts
Detection Activities
Related articles
Risk Addressed
PRT01-Compliance
RV1-AbuseofAccess
DS013TicketManagement-ET01
Enrichment
TBD
RV6-Misconfiguration
APC-Mature
APS-Accepted
API-Distinctive
Initial Severity
Occurrence
Fidelity
SV3 - High
RATED0-Rare
FIDELITY-High
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Moderate
SKILLI-PS-SecurtitySpecialist
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
Count notables generated
Count resolution
Metrics Review
1. Monthly review threshold score where false positive resolution was noted to determine if tolerance should be adjusted
Artifacts
Detection Activities
Related articles
UC0085 Alert per host where web application logs indicate a source IP not classified as WAF
Communication to any web application server without filtering by a network web application firewall indicates a security misconfiguration.
Problem Types Addressed
Risk Addressed
PRT01-Compliance
RV1-AbuseofAccess
DS014WebServer-ET01Access
Enrichment
DDE001 Asset Information
CAT-svc:waf
RV6-Misconfiguration
APC-Maturing
APS-Accepted
API-Distinctive
Initial Severity
Occurrence
Fidelity
SV4 - Critical
RATED0-Rare
FIDELITY-High
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Moderate
SKILLI-PS-SecurtitySpecialist
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
Count notables generated
Count resolution
Metrics Review
1. Monthly review threshold score where false positive resolution was noted to determine if tolerance should be adjusted
Artifacts
Detection Activities
Related articles
Risk Addressed
PRT01-Compliance
RV1-AbuseofAccess
DS010NetworkCommunication-ET01TrafficAppAware
RV6-Misconfiguration
APC-Maturing
APS-Accepted
API-Distinctive
Initial Severity
Occurrence
Fidelity
SV4 - Critical
RATED0-Rare
FIDELITY-High
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Moderate
SKILLI-PS-SecurtitySpecialist
Enrichment
DDE001 Asset Information
List of accepted administrative functions
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
Count notables generated
Count resolution
Metrics Review
1. Monthly review threshold score where false positive resolution was noted to determine if tolerance should be adjusted
Artifacts
Detection Activities
Related articles
Risk Addressed
PRT01-Compliance
RV3-MaliciousCode
DS004EndPointAntiMalware-ET02UpdatedSig
PRT02-SecurityVisibilityEndpointMalware
APC-Edge
APS-Proposed
API-Expected
Initial Severity
Occurrence/Fidelity
Fidelity
SV4 - Critical
RATED0-Rare
FIDELITY-High
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Low
SKILLI-Customer
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD
Related articles
Enrichment
DDE001 Asset Information
CAT-gov
Risk Addressed
PRT01-Compliance
RV1-AbuseofAccess
DS004EndPointAntiMalware-ET02UpdatedSig
PRT02-SecurityVisibilityUserActivity
APC-Maturing
APS-Proposed
API-Expected
Initial Severity
Occurrence/Fidelity
Fidelity
SV3 - High
RATED0-Rare
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Low
SKILLI-Customer
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD
Related articles
Enrichment
DDE001 Asset Information
CAT-gov
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV3-MaliciousCode
DS002DNS-ET01Query
APC-Maturing
APS-Accepted
API-Distinctive
Initial Severity
Occurrence/Fidelity
Fidelity
SV2 - Medium
RATED0-Rare
FIDELITY-High
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Low
SKILLI-Customer
Enrichment
DE001AssetInformation
CAT-svc:dnsresolver
CAT-svc:mailgw
CAT-svc:webproxy
DDE017 Legitimate DNS command and control domains
DDE010 Alexa TOP 1 million sites
Related articles
Risk Addressed
PRT01-Compliance
RV6-Misconfiguration
DS003Authentication-ET01Success
PRT02-SecurityVisibilityUserActivity
APC-Maturing
APS-Proposed
API-Expected
Initial Severity
Occurrence/Fidelity
Fidelity
SV3 - High
RATED0-Rare
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Low
SKILLI-Customer
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD
Related articles
Enrichment
DDE001 Asset Information
net_enclave:value
Risk Addressed
PRT01-Compliance
RV6-Misconfiguration
DS010NetworkCommunication-ET01Traffic
PRT02-SecurityVisibilityUserActivity
DS020HostIntrustionDetection-ET01SigDetected
APC-Maturing
APS-Proposed
API-Expected
Initial Severity
Occurrence/Fidelity
Fidelity
SV3 - High
RATED0-Rare
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Low
SKILLI-Customer
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD
Related articles
Enrichment
DDE001 Asset Information
CAT-gov
CAT-svc:scanvuln
Risk Addressed
PRT01-Compliance
RV6-Misconfiguration
DS010NetworkCommunication-ET01Traffic
PRT02-SecurityVisibilityUserActivity
DS020HostIntrustionDetection-ET01SigDetected
APC-Maturing
APS-Proposed
API-Expected
Initial Severity
Occurrence/Fidelity
Fidelity
SV3 - High
RATED0-Rare
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Low
SKILLI-Customer
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD
Related articles
Enrichment
DDE001 Asset Information
CAT-gov
CAT-svc:waf
CAT-svc:nlb
Risk Addressed
PRT01-Compliance
RV2-Access
DS003Authentication-ET01Success
PRT02-SecurityVisibilityPriviledgeUserMonitoring
RV6-Misconfiguration
APC-Maturing
APS-Proposed
API-Expected
Initial Severity
Occurrence/Fidelity
Fidelity
SV3 - High
RATED0-Rare
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Low
SKILLI-Customer
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD
Related articles
Enrichment
DDE001 Asset Information
CAT-gov
Risk Addressed
PRT01-Compliance
RV2-Access
DS003Authentication-ET01Success
Enrichment
RV6-Misconfiguration
APC-Maturing
APS-Proposed
API-Distinctive
Initial Severity
Occurrence/Fidelity
Fidelity
SV3 - High
RATED0-Rare
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Low
SKILLI-PS-SecurtitySpecialist
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
1. N/A
Metrics Review
1. N/A
Artifacts
TBD
Related articles
none
Risk Addressed
Enrichment
PRT02-SecurityVisibilityEndpointMalware
RV1-AbuseofAccess
DS009EndPointIntel
DE001AssetInformation
RV3-MaliciousCode
DS009EndPointIntel-ET01ObjectChange
DE002IdentityInformation
APC-Edge
APS-Productized
API-Known
Initial Severity
Occurrence/Fidelity
Fidelity
SV1 - Low
RATED2-Frequent
FIDELITY-Low
System Load
Analyst Load
Implementation Skill
LOAD-High
AnalystLoad-High
SKILLI-PS-SecurtitySpecialist
Artifacts
Correlation Search - Abnormally High Number of Endpoint Changes By User
Risk Addressed
Enrichment
PRT02-SecurityVisibilityEndpoint
RV1-AbuseofAccess
DS005WebClientRequest-ET01Requested
RV3-MaliciousCode
RV4-ScanProbe
APC-Edge
APS-Productized
API-Accepted
Initial Severity
Occurrence/Fidelity
Fidelity
SV2 - Medium
RATED0-Rare
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
LOAD-Moderate
AnalystLoad-Moderate
SKILLI-Customer
Artifacts
Correlation Search - Concurrent Login Attempts Detected
Risk Addressed
Enrichment
PRT01-Compliance
RV1-AbuseofAccess
DS006UserActivity-ET05Delete
RV2-Access
APC-Mature
APS-Proposed
API-Accepted
Initial Severity
Occurrence/Fidelity
Fidelity
SV2 - Medium
RATED1-Common
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Moderate
SKILLI-Customer
Risk Addressed
Enrichment
PRT02-SecurityVisibilityEndpointMalware
RV1-AbuseofAccess
DS003Authentication-ET01Success
DE002IdentityInformation
RV3-MaliciousCode
APC-Essential
APS-Productized
API-Accepted
Initial Severity
Occurrence/Fidelity
Fidelity
SV1 - Low
RATED0-Rare
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Low
SKILLI-PS-SecurtitySpecialist
Risk Addressed
Enrichment
PRT01-Compliance
RV1-AbuseofAccess
DS007AuditTrail-ET01Clear
PRT02-SecurityVisibilityEndpoint
RV2-Access
DS007AuditTrail-ET02Alter
RV3-MaliciousCode
APC-Maturing
APS-Proposed
API-Accepted
Initial Severity
Occurrence/Fidelity
Fidelity
SV2 - Medium
RATED0-Rare
FIDELITY-High
System Load
Analyst Load
Implementation Skill
LOAD-Moderate
AnalystLoad-Moderate
SKILLI-Customer
Risk Addressed
Enrichment
PRT01-Compliance
RV3-MaliciousCode
DS009EndPointIntel-ET01ProcessLaunch
PRT02-SecurityVisibilityEndpoint
RV4-ScanProbe
APC-Edge
APS-Accepted
API-Accepted
Initial Severity
Occurrence/Fidelity
Fidelity
SV2 - Medium
RATED0-Rare
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
LOAD-Moderate
AnalystLoad-Moderate
SKILLI-PS-General
Risk Addressed
Enrichment
RV3-MaliciousCode
DS009EndPointIntel
RV6-Misconfiguration
DS009EndPointIntel-ET01ServiceChange
APC-Mature
APS-Proposed
API-Socializing
Initial Severity
Occurrence/Fidelity
Fidelity
SV2 - Medium
RATED0-Rare
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
LOAD-Undetermined
AnalystLoad-Moderate
SKILLI-PS-SecurtityEnabled
Risk Addressed
Enrichment
PRT01-Compliance
RV6-Misconfiguration
DS015ConfigurationManagement-ET01General
APC-Mature
APS-Proposed
API-Socializing
Initial Severity
Occurrence/Fidelity
Fidelity
SV2 - Medium
RATED9-Undetermined
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
LOAD-Undetermined
AnalystLoad-Moderate
SKILLI-PS-General
Risk Addressed
Enrichment
PRT01-Compliance
RV3-MaliciousCode
DS010NetworkCommunication
PRT02-SecurityVisibilityEndpoint
RV6-Misconfiguration
APC-Edge
APS-Proposed
API-Accepted
Initial Severity
Occurrence/Fidelity
Fidelity
SV2 - Medium
RATED9-Undetermined
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
LOAD-Moderate
AnalystLoad-Moderate
SKILLI-PS-General
Artifacts
TBD
Risk Addressed
Enrichment
PRT02-SecurityVisibilityEndpointMalware
RV1-AbuseofAccess
DS003Authentication-ET01Success
DE002IdentityInformation
RV3-MaliciousCode
DS003Authentication-ET02FailureBadFactor
APC-Essential
APS-Productized
API-Expected
Initial Severity
Occurrence/Fidelity
Fidelity
SV2 - Medium
RATED1-Common
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
LOAD-High
AnalystLoad-Low
SKILLI-Customer
Risk Addressed
Enrichment
PRT02-SecurityVisibilityEndpointMalware
RV1-AbuseofAccess
DS003Authentication-ET01Success
DE002IdentityInformation
RV3-MaliciousCode
DS003Authentication-ET02FailureBadFactor
APC-Essential
APS-Productized
API-Expected
Initial Severity
Occurrence/Fidelity
Fidelity
SV2 - Medium
RATED1-Common
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Low
SKILLI-Customer
Risk Addressed
Enrichment
PRT01-Compliance
RV1-AbuseofAccess
DS009EndPointIntel
RV2-Access
APC-Edge
APS-Proposed
API-Accepted
Initial Severity
Occurrence/Fidelity
Fidelity
SV3 - High
RATED9-Undetermined
FIDELITY-High
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Moderate
SKILLI-PS-SecurtityEnabled
Risk Addressed
Enrichment
PRT01-Compliance
RV1-AbuseofAccess
DS003Authentication-ET01Success
RV2-Access
APC-Mature
APS-Proposed
API-Accepted
Initial Severity
Occurrence/Fidelity
Fidelity
SV2 - Medium
RATED9-Undetermined
FIDELITY-Undetermined
System Load
Analyst Load
Implementation Skill
LOAD-Low
LOAD-Low
SKILLI-Customer
Risk Addressed
PRT02-SecurityVisibilityPriviledgeUserMonitoring
RV1-AbuseofAccess
DS003Authentication-ET01Success
RV3-MaliciousCode
DS003Authentication-ET02FailureBadFactor
APC-Mature
APS-Productized
API-Known
Initial Severity
Occurrence/Fidelity
Fidelity
SV2 - Medium
RATED1-Common
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Moderate
SKILLI-Customer
Enrichment
DE001AssetInformation
DE002IdentityInformation
DDE021 Commercially maintained Geo IP Database
Risk Addressed
Enrichment
PRT01-Compliance
RV1-AbuseofAccess
DS003Authentication-ET01Success
RV2-Access
APC-Maturing
APS-Proposed
API-Accepted
Initial Severity
Occurrence/Fidelity
Fidelity
SV2 - Medium
RATED1-Common
FIDELITY-High
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Moderate
SKILLI-Undetermined
Risk Addressed
Enrichment
PRT01-Compliance
RV1-AbuseofAccess
DS009EndPointIntel
RV2-Access
APC-Edge
APS-Proposed
API-Accepted
Initial Severity
Occurrence/Fidelity
Fidelity
SV2 - Medium
RATED9-Undetermined
FIDELITY-Undetermined
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Moderate
SKILLI-PS-SecurtityEnabled
Risk Addressed
PRT01-Compliance
RV1-AbuseofAccess
DS002DNS-ET01QueryResponse
PRT02-SecurityVisibilityUserActivity
RV3-MaliciousCode
APC-Maturing
APS-Proposed
API-Accepted
Initial Severity
Occurrence/Fidelity
Fidelity
SV2 - Medium
RATED0-Rare
FIDELITY-High
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Moderate
SKILLI-PS-SecurtityEnabled
Enrichment
DDE001 Asset Information
CAT-svc:dnsresolver
CAT-svc:mailgw
CAT-svc:webproxy
DDE017 Legitimate DNS command and control domains
DDE010 Alexa TOP 1 million sites
DDE019 CIM Corporate Web Domains
Risk Addressed
PRT01-Compliance
RV1-AbuseofAccess
DS002DNS-ET01QueryRequest
PRT02-SecurityVisibilityUserActivity
RV3-MaliciousCode
APC-Maturing
APS-Proposed
API-Distinctive
Initial Severity
Occurrence/Fidelity
Fidelity
SV2 - Medium
RATED0-Rare
FIDELITY-High
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Moderate
SKILLI-PS-SecurtityEnabled
Enrichment
DDE001 Asset Information
CAT-svc:dnsresolver
CAT-svc:mailgw
CAT-svc:webproxy
DDE017 Legitimate DNS command and control domains
DDE010 Alexa TOP 1 million sites
DDE019 CIM Corporate Web Domains
Risk Addressed
PRT02-SecurityVisibilityPriviledgeUserMonitoring
RV1-AbuseofAccess
DS003Authentication-ET01Success
RV3-MaliciousCode
DS003Authentication-ET02FailureBadFactor
APC-Maturing
APS-Productized
API-Expected
Initial Severity
Occurrence/Fidelity
Fidelity
SV2 - Medium
RATED1-Common
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Undetermined
SKILLI-Customer
Enrichment
DDE001 Asset Information
DDE002 Identity Information
Risk Addressed
Enrichment
PRT02-SecurityVisibilityEndpoint
RV1-AbuseofAccess
DS014WebServer-ET01Access
RV3-MaliciousCode
RV4-ScanProbe
APC-Mature
APS-Proposed
API-Socializing
Initial Severity
Occurrence/Fidelity
Fidelity
SV2 - Medium
RATED0-Rare
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
LOAD-Moderate
AnalystLoad-Low
SKILLI-Customer
Risk Addressed
Enrichment
PRT02-SecurityVisibilityEndpointMalware
RV6-Misconfiguration
DS007AuditTrail
DE001AssetInformation
APC-Essential
APS-Productized
API-Expected
Initial Severity
Occurrence/Fidelity
Fidelity
SV2 - Medium
RATED1-Common
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Automation
SKILLI-Customer
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
Metrics Review
Artifacts
Correlation Search - Expected Host Not Reporting
UCESS023 Alerts on access attempts that are improbable based on time and geography.
Detects an excessive number of failed login attempts, along with a successful attempt, over a one day period (this could indicate a successful brute force attack). For the past 18 hours starting 5 minutes after realtime, list the application, user business unit and group by user, source (host, IP, name) and time with a time span of 1 second. Generate a distinct count of source by user, and return if the count is greater than 1. Sort the output by time. Execute the macro get_asset based on the source to collect the values from the asset list that map to the source and perform an IP lookup on the source. Gather latitude, longitude and city and populate them from the event or the asset. Take the last two events with the same user where the source does not match, calculate the distance, time difference and speed between them, and return values where the speed is greater than 500.
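The improbable access calculation described above, as an added example (not code from the page or from Splunk) run over constructed authentication events. Assumptions not stated on the page: coordinates come from a constructed asset/IP lookup table, distances are in miles, and the 500 threshold is miles per hour (the page gives no unit).

```python
import math
from collections import defaultdict

SPEED_THRESHOLD = 500.0   # assumption: mph (unit not given on the page)
EARTH_RADIUS_MI = 3958.8

# Constructed geolocation table standing in for the asset list / IP lookup.
GEO = {
    "10.1.1.5": {"lat": 37.77, "lon": -122.42, "city": "San Francisco"},
    "10.2.2.9": {"lat": 40.71, "lon": -74.01, "city": "New York"},
    "10.3.3.3": {"lat": 37.80, "lon": -122.27, "city": "Oakland"},
}


def haversine_miles(lat1, lon1, lat2, lon2):
    """Great-circle distance in miles between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_MI * math.asin(math.sqrt(a))


def improbable_access(events, geo=GEO, threshold=SPEED_THRESHOLD):
    """events: dicts with user, src, action and _time (epoch seconds).
    Returns one notable per user whose last two successful logins from
    different sources imply travel faster than threshold."""
    by_user = defaultdict(list)
    for e in events:
        if e.get("action") == "success":       # successful attempts only
            by_user[e["user"]].append(e)
    notables = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["_time"])
        if len({e["src"] for e in evs}) < 2:   # dc(src) by user must exceed 1
            continue
        last = evs[-1]
        # most recent earlier event whose source does not match the last one
        prev = next((e for e in reversed(evs[:-1]) if e["src"] != last["src"]), None)
        if prev is None:
            continue
        g1, g2 = geo.get(prev["src"]), geo.get(last["src"])
        if g1 is None or g2 is None:
            continue  # no coordinates for one side: distance cannot be computed
        distance = haversine_miles(g1["lat"], g1["lon"], g2["lat"], g2["lon"])
        hours = (last["_time"] - prev["_time"]) / 3600.0
        # logins in the same second from two places: treat speed as infinite
        speed = distance / hours if hours > 0 else math.inf
        if speed > threshold:
            notables.append({"user": user, "from": g1["city"], "to": g2["city"],
                             "distance_mi": round(distance, 1),
                             "hours": round(hours, 2), "speed_mph": round(speed, 1)})
    return notables


# Constructed sample: alice "travels" San Francisco -> New York in one hour.
SAMPLE_EVENTS = [
    {"user": "alice", "src": "10.1.1.5", "action": "success", "_time": 0},
    {"user": "alice", "src": "10.2.2.9", "action": "success", "_time": 3600},
    {"user": "bob", "src": "10.1.1.5", "action": "success", "_time": 0},
    {"user": "bob", "src": "10.3.3.3", "action": "success", "_time": 1800},
    {"user": "carol", "src": "10.1.1.5", "action": "failure", "_time": 0},
    {"user": "carol", "src": "10.2.2.9", "action": "failure", "_time": 10},
]

if __name__ == "__main__":
    for notable in improbable_access(SAMPLE_EVENTS):
        print(notable)
```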
Problem Types Addressed
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV1-AbuseofAccess
DS003Authentication-ET01Success
RV3-MaliciousCode
APC-Mature
APS-Productized
API-Expected
Initial Severity
Occurrence/Fidelity
Fidelity
SV2 - Medium
RATED1-Common
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Moderate
SKILLI-Customer
Enrichment
DE002IdentityInformation
DDE021 Commercially maintained Geo IP Database
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV1-AbuseofAccess
DS004EndPointAntiMalware-ET01SigDetected
RV3-MaliciousCode
APC-Essential
APS-Productized
API-Expected
Initial Severity
Occurrence/Fidelity
Fidelity
SV2 - Medium
RATED0-Rare
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Moderate
SKILLI-Customer
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
Metrics Review
Artifacts
Correlation Search - High Number of Hosts Not Updating Malware Signatures
Enrichment
DE001AssetInformation
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV1-AbuseofAccess
DS004EndPointAntiMalware-ET01SigDetected
RV3-MaliciousCode
APC-Essential
APS-Productized
API-Expected
Initial Severity
Occurrence/Fidelity
Fidelity
SV3 - High
RATED0-Rare
FIDELITY-Moderate
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Moderate
SKILLI-Customer
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
Metrics Review
Artifacts
Correlation Search - High Number Of Infected Hosts
Enrichment
DE001AssetInformation
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV1-AbuseofAccess
DS004EndPointAntiMalware-ET01SigDetected
RV3-MaliciousCode
APC-Essential
APS-Productized
API-Expected
Initial Severity
Occurrence/Fidelity
Fidelity
SV3 - High
RATED0-Rare
FIDELITY-High
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Moderate
SKILLI-Customer
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
Metrics Review
Artifacts
Correlation Search - High Or Critical Priority Host With Malware Detected
Enrichment
DE001AssetInformation
Risk Addressed
PRT02-SecurityVisibilityEndpointMalware
RV1-AbuseofAccess
DS004EndPointAntiMalware-ET01SigDetected
RV3-MaliciousCode
APC-Essential
APS-Productized
API-Expected
Initial Severity
Occurrence/Fidelity
Fidelity
SV3 - High
RATED0-Rare
FIDELITY-High
System Load
Analyst Load
Implementation Skill
LOAD-Low
AnalystLoad-Moderate
SKILLI-Customer
Response
Implementation Details
Effectiveness Monitoring
Metrics Captured
Metrics Review
Artifacts
Correlation Search - High or Critical Priority Individual Logging into Infected Machine
Enrichment: DE002IdentityInformation
Risk Addressed: PRT01-Compliance, RV3-MaliciousCode, DS009EndPointIntel-ET01ProcessLaunch, PRT02-SecurityVisibilityEndpoint, RV6-Misconfiguration, APC-Maturing, APS-Proposed, API-Accepted
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer

Risk Addressed: PRT02-SecurityVisibilityEndpointMalware, RV1-AbuseofAccess, DS010NetworkCommunication-ET01Traffic, RV3-MaliciousCode, APC-Essential, APS-Productized, API-Expected
Initial Severity: SV3 - High
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Low
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response:
Implementation Details:
Effectiveness Monitoring:
Metrics Captured:
Metrics Review:
Artifacts:

Correlation Search - High or Critical Priority Individual Logging into Infected Machine
Enrichment: DE001AssetInformation
Risk Addressed: PRT02-SecurityVisibilityEndpointMalware, RV1-AbuseofAccess, DS001Mail-ET03Send, RV3-MaliciousCode, APC-Essential, APS-Productized, API-Expected
Initial Severity: SV3 - High
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response:
Implementation Details:
Effectiveness Monitoring:
Metrics Captured:
Metrics Review:
Artifacts:

Correlation Search - Host Sending Excessive Email
Enrichment: DE001AssetInformation
Risk Addressed: PRT02-SecurityVisibilityEndpointMalware, RV1-AbuseofAccess, DS004EndPointAntiMalware-ET01SigDetected, RV3-MaliciousCode, APC-Essential, APS-Productized, API-Expected
Initial Severity: SV3 - High
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response:
Implementation Details:
Effectiveness Monitoring:
Metrics Captured:
Metrics Review:
Artifacts:

Correlation Search - Host With A Recurring Malware Infection
Enrichment: DE001AssetInformation
Risk Addressed: PRT01-Compliance, RV4-ScanProbe, DS010NetworkCommunication-ET01Traffic, PRT02-SecurityVisibilityEndpoint, APC-Edge, APS-Proposed, API-Accepted
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-High
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer

Enrichment:
Risk Addressed: PRT01-Compliance, RV4-ScanProbe, DS009EndPointIntel-ET01ObjectChange, PRT02-SecurityVisibilityEndpoint, RV6-Misconfiguration, APC-Edge, APS-Proposed, API-Accepted
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer

Risk Addressed: PRT02-SecurityVisibilityEndpointMalware, RV1-AbuseofAccess, DS004EndPointAntiMalware-ET01SigDetected, RV3-MaliciousCode, APC-Essential, APS-Productized, API-Expected
Initial Severity: SV3 - High
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response:
Implementation Details:
Effectiveness Monitoring:
Metrics Captured:
Metrics Review:
Artifacts:

Correlation Search - Host With Multiple Infections
Enrichment: DE001AssetInformation
Risk Addressed: PRT02-SecurityVisibilityEndpointMalware, RV1-AbuseofAccess, DS004EndPointAntiMalware-ET01SigDetected, RV3-MaliciousCode, APC-Essential, APS-Productized, API-Expected
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer

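The endpoint-malware searches catalogued above (High Number Of Infected Hosts, High Or Critical Priority Host With Malware Detected, Host With A Recurring Malware Infection, Host With Multiple Infections) are described here only by risk code, data source and load; the script below is an added illustration of what each would compute over a DS004EndPointAntiMalware-ET01SigDetected style feed. It is not Splunk's own correlation-search logic or SPL. The event records, the asset-priority lookup standing in for DE001AssetInformation, the thresholds and the seven-day window are all constructed assumptions. The recurring-infection check counts distinct calendar days per host and signature, so a burst of same-day repeats of one detection does not fire on its own.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample anti-malware detection events in the shape of a
# DS004EndPointAntiMalware-ET01SigDetected feed (not real product output).
SAMPLE_EVENTS = [
    {"_time": "2016-03-01T08:00:00", "dest": "ws-101", "signature": "Trojan.Gen", "action": "blocked"},
    {"_time": "2016-03-01T09:30:00", "dest": "ws-101", "signature": "Adware.Foo", "action": "blocked"},
    {"_time": "2016-03-02T10:00:00", "dest": "ws-101", "signature": "Trojan.Gen", "action": "blocked"},
    {"_time": "2016-03-01T11:00:00", "dest": "ws-202", "signature": "Worm.Bar", "action": "allowed"},
    {"_time": "2016-03-03T11:00:00", "dest": "ws-202", "signature": "Worm.Bar", "action": "allowed"},
    {"_time": "2016-03-02T12:00:00", "dest": "srv-db1", "signature": "Trojan.Gen", "action": "blocked"},
    {"_time": "2016-03-02T13:00:00", "dest": "ws-303", "signature": "PUA.Baz", "action": "blocked"},
    {"_time": "2016-03-02T13:05:00", "dest": "ws-303", "signature": "PUA.Baz", "action": "blocked"},
]

# Constructed asset-priority lookup standing in for DE001AssetInformation.
ASSET_PRIORITY = {"srv-db1": "critical", "ws-101": "medium", "ws-202": "low", "ws-303": "high"}


def parse_events(raw):
    """Convert ISO timestamps to datetime; silently drop records that do not parse."""
    parsed = []
    for ev in raw:
        try:
            parsed.append({**ev, "_time": datetime.fromisoformat(ev["_time"])})
        except (KeyError, ValueError):
            continue
    return parsed


def in_window(events, end, days):
    """Keep only events inside the trailing window [end - days, end]."""
    start = end - timedelta(days=days)
    return [ev for ev in events if start <= ev["_time"] <= end]


def hosts_with_multiple_infections(events, min_signatures=2):
    """Host With Multiple Infections: distinct signatures per host at or above threshold."""
    sigs = defaultdict(set)
    for ev in events:
        sigs[ev["dest"]].add(ev["signature"])
    return {dest: sorted(s) for dest, s in sigs.items() if len(s) >= min_signatures}


def hosts_with_recurring_infection(events, min_days=2):
    """Host With A Recurring Malware Infection: same host and signature seen on separate days."""
    days = defaultdict(set)
    for ev in events:
        days[(ev["dest"], ev["signature"])].add(ev["_time"].date())
    return {key: len(d) for key, d in days.items() if len(d) >= min_days}


def high_number_of_infected_hosts(events, threshold=3):
    """High Number Of Infected Hosts: distinct hosts with any detection versus a threshold."""
    hosts = {ev["dest"] for ev in events}
    return len(hosts), len(hosts) > threshold


def priority_hosts_with_malware(events, assets, levels=("high", "critical")):
    """High Or Critical Priority Host With Malware Detected: join detections to asset priority."""
    return {ev["dest"]: assets[ev["dest"]] for ev in events if assets.get(ev["dest"]) in levels}


def run_all(raw=SAMPLE_EVENTS, assets=ASSET_PRIORITY, end=datetime(2016, 3, 3, 23, 59, 59), days=7):
    """Run the four checks over one window and return their results together."""
    events = in_window(parse_events(raw), end, days)
    count, alert = high_number_of_infected_hosts(events)
    return {
        "multiple_infections": hosts_with_multiple_infections(events),
        "recurring_infections": hosts_with_recurring_infection(events),
        "infected_host_count": count,
        "high_number_of_infected_hosts": alert,
        "priority_hosts_with_malware": priority_hosts_with_malware(events, assets),
    }


if __name__ == "__main__":
    for name, value in run_all().items():
        print(f"{name}: {value}")
```

Shrinking the window to one day drops the recurring-infection result, which is the trade-off the fidelity and occurrence ratings on these cards encode: a short window keeps analyst load down but misses slow re-infection cycles.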
Enrichment: DE001AssetInformation
Risk Addressed: PRT01-Compliance, RV1-AbuseofAccess, DS003Authentication-ET01Success, PRT02-SecurityVisibilityEndpoint, APC-Maturing, APS-Proposed, API-Accepted
Initial Severity: SV2 - Medium
Occurrence: RATED9-Undetermined
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer

Enrichment:
Risk Addressed: PRT01-Compliance, RV2-Access, DS003Authentication-ET01Success, PRT02-SecurityVisibilityEndpoint, RV4-ScanProbe, RV6-Misconfiguration, APC-Mature, APS-Proposed, API-Known
Initial Severity: SV2 - Medium
Occurrence: RATED9-Undetermined
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer

Enrichment:
Risk Addressed: PRT01-Compliance, RV1-AbuseofAccess, DS010NetworkCommunication-ET01Traffic, RV6-Misconfiguration, APC-Mature, APS-Accepted, API-Distinctive
Initial Severity: SV4 - Critical
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtitySpecialist

Enrichment:
Risk Addressed: PRT01-Compliance, RV1-AbuseofAccess, DS006UserActivity-ET04Update, PRT02-SecurityVisibilityEndpoint, RV4-ScanProbe, APC-Maturing, APS-Accepted, API-Accepted
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer

Enrichment:
Risk Addressed: PRT02-SecurityVisibility, RV2-Access, DS015ConfigurationManagement, RV3-MaliciousCode, RV4-ScanProbe, APC-Edge, APS-Accepted, API-Accepted
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer

Enrichment:
Risk Addressed: PRT01-Compliance, RV1-AbuseofAccess, DS006UserActivity-ET03Create, RV2-Access, APC-Maturing, APS-Proposed, API-Accepted
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer

Risk Addressed: PRT02-SecurityVisibilityEndpointMalware, RV1-AbuseofAccess, DS004EndPointAntiMalware-ET01SigDetected, RV3-MaliciousCode, APC-Essential, APS-Productized, API-Expected
Initial Severity: SV3 - High
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer

Enrichment: DE001AssetInformation
Risk Addressed: PRT01-Compliance, RV1-AbuseofAccess, ALL, PRT01Compliance-PCI, RV2-Access, PRT04-FFIEC, APC-Edge, APS-Accepted, API-Distinctive
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Excessive
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response:
Implementation Details:
Effectiveness Monitoring:
Metrics Captured: 1. Track all instances of unencrypted PII on endpoints
Metrics Review: 1. If PII is found unencrypted, open an investigation
Artifacts: TBD

Risk Addressed: PRT01-Compliance, RV6-Misconfiguration, DS006UserActivity-ET06Search, APC-Essential, APS-Productized, API-Expected
Initial Severity: SV3 - High
Occurrence: RATED0-Rare
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response:
Implementation Details:
Effectiveness Monitoring:
Metrics Captured:
Metrics Review:
Artifacts:

Correlation Search - Potential Gap in Data
Enrichment: DE002IdentityInformation
Risk Addressed: PRT01-Compliance, RV1-AbuseofAccess, DS009EndPointIntel-ET01ProcessLaunch, PRT02-SecurityVisibilityEndpoint, RV3-MaliciousCode, APC-Maturing, APS-Accepted, API-Accepted
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Undetermined
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-SecurtityEnabled

Enrichment:
Risk Addressed: PRT01-Compliance, RV1-AbuseofAccess, DS009EndPointIntel-ET01ObjectChange, PRT02-SecurityVisibilityEndpoint, RV3-MaliciousCode, APC-Maturing, APS-Proposed, API-Accepted
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtityEnabled

Enrichment:
Risk Addressed: PRT01-Compliance, RV3-MaliciousCode, ALL, PRT02-SecurityVisibilityEndpoint, RV4-ScanProbe, PRT02-SecurityVisibilityZeroDayAttacks, RV5-DenialofService, APC-Edge, APS-Accepted, API-Accepted
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Undetermined
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-PS-SecurtityEnabled

Enrichment:
Risk Addressed: PRT01-Compliance, RV1-AbuseofAccess, DS006UserActivity-ET03Create, PRT02-SecurityVisibilityUserActivity, RV2-Access, DS006UserActivity-ET05Delete, APC-Mature, APS-Proposed, API-Accepted
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer

Enrichment:
Risk Addressed: PRT06-SecureConfigurationMgmtUpdateManagement, RV6-Misconfiguration, DS007AuditTrail-ET03TimeSync, APC-Maturing, APS-Proposed, API-Accepted
Initial Severity: SV2 - Medium
Occurrence: RATED1-Common
Fidelity: FIDELITY-High
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer

Enrichment:
Risk Addressed: PRT02-SecurityVisibilityEndpointMalware, RV1-AbuseofAccess, DS013TicketManagement-ET01, PRT06-SecureConfigurationMgmtUpdateManagement, RV3-MaliciousCode, RV6-Misconfiguration, APC-Maturing, APS-Proposed, API-Accepted
Initial Severity: SV2 - Medium
Occurrence: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer

Enrichment:
Risk Addressed: PRT01-Compliance, RV1-AbuseofAccess, DS010NetworkCommunication-ET01Traffic, PRT02-SecurityVisibilityEndpoint, RV3-MaliciousCode, RV4-ScanProbe, DDE006 Acceptable Network Protocol/Application List, APC-Edge, APS-Proposed, API-Accepted
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer

Risk Addressed: PRT02-SecurityVisibilityEndpointMalware, RV1-AbuseofAccess, DS001Mail-ET03Send, RV3-MaliciousCode, DS001Mail-ET02Receive, RV4-ScanProbe, DS002DNS-ET01Query, DS003Authentication-ET01Success, DS005WebProxyRequest-ET01Requested, DS009EndPointIntel-ET01ProcessLaunch, DS010NetworkCommunication-ET01Traffic, DS011MalwareDetonation-ET01Detection, APC-Essential, APS-Productized, API-Expected
Initial Severity: SV1 - Low
Occurrence: RATED2-Frequent
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-SecurtitySpecialist
Response:
Implementation Details:
Effectiveness Monitoring:
Metrics Captured:
Metrics Review:
Artifacts:

Correlation Search - Threat Activity Detected
Enrichment: DE001AssetInformation, DE002IdentityInformation
Risk Addressed: PRT01-Compliance, RV3-MaliciousCode, DS010NetworkCommunication-ET01Traffic, PRT02-SecurityVisibilityEndpointMalware, RV4-ScanProbe, APC-Mature, APS-Proposed, API-Accepted
Initial Severity: SV3 - High
Occurrence: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer

Enrichment:
Risk Addressed: PRT06-SecureConfigurationMgmt, RV4-ScanProbe, DS010NetworkCommunication, RV5-DenialofService, RV6-Misconfiguration, APC-Edge, APS-Proposed, API-Accepted
Initial Severity: SV2 - Medium
Occurrence: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response:
Implementation Details:
Effectiveness Monitoring:
Metrics Captured: 1. Track and trend the true positive versus false positive rate
Metrics Review: 1. Review the prohibited protocol list and determine whether new protocols should be added
Artifacts: TBD

Enrichment:
Risk Addressed: PRT01-Compliance, RV6-Misconfiguration, DS013TicketManagement-ET01, APC-Mature, APS-Proposed, API-Accepted
Initial Severity: SV2 - Medium
Occurrence: RATED1-Common
Fidelity: FIDELITY-Low
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer
Response:
Implementation Details:
Effectiveness Monitoring:
Metrics Captured: 1. Track and trend the true positive versus false positive rate
Metrics Review: 1. Review the prohibited protocol list and determine whether new protocols should be added
Artifacts: TBD

Enrichment:
Risk Addressed: PRT02-SecurityVisibility, RV4-ScanProbe, DS010NetworkCommunication-ET01Traffic, PRT02-SecurityVisibilityLateralMovement, RV5-DenialofService, DDE008 Network CIDR Details, APC-Maturing, APS-Accepted, API-Accepted
Initial Severity: SV2 - Medium
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Moderate
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer

Risk Addressed: PRT02-SecurityVisibility, RV4-ScanProbe, APC-Essential, APS-Productized, API-Expected
Initial Severity: SV1 - Low
Occurrence: RATED0-Rare
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response:
Implementation Details:
Effectiveness Monitoring:
Metrics Captured:
Metrics Review:
Artifacts:

Correlation Search - Vulnerability Scanner Detected (by events)
Enrichment: DE001AssetInformation, DE002IdentityInformation
Risk Addressed: PRT02-SecurityVisibility, RV4-ScanProbe, DS012NetworkIntrusionDetection-ET01SigDetection, APC-Essential, APS-Productized, API-Expected
Initial Severity: SV1 - Low
Occurrence: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-Customer
Response:
Implementation Details:
Effectiveness Monitoring:
Metrics Captured:
Metrics Review:
Artifacts:

Correlation Search - Vulnerability Scanner Detected (by targets)
Enrichment: DE001AssetInformation, DE002IdentityInformation
Risk Addressed: PRT01-Compliance, RV3-MaliciousCode, APC-Edge, APS-Rejected, API-Accepted
Initial Severity: SV3 - High
Occurrence: RATED9-Undetermined
Fidelity: FIDELITY-Undetermined
System Load: LOAD-High
Analyst Load: AnalystLoad-Low
Implementation Skill: SKILLI-PS-SecurtitySpecialist

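The two scanner searches above differ only in what is counted per source: distinct intrusion-detection signatures (by events) or distinct targets (by targets). The script below is an added illustration of both over a constructed DS012NetworkIntrusionDetection-ET01SigDetection style alert feed; it is not the product's own correlation search. The alert records, the thresholds and the authorized-scanner set (a constructed stand-in for an asset lookup) are assumptions. Suppressing sanctioned scanners before raising a notable is the usual first lever on the true positive versus false positive rate that the metrics on these cards ask to track, so the example carries that step as well.

```python
from collections import defaultdict


def _alerts(src, dests, signatures):
    """Build one constructed IDS alert per (dest, signature) pair for a source."""
    return [{"src": src, "dest": d, "signature": s} for d in dests for s in signatures]


# Constructed NIDS signature-detection records (not real sensor output).
SAMPLE_ALERTS = (
    # host sweep: one signature against 25 distinct targets
    _alerts("10.0.0.5", [f"10.1.0.{i}" for i in range(10, 35)], ["ET SCAN Nmap Scripting Engine User-Agent"])
    # web-application scan: 30 distinct signatures against a single target
    + _alerts("10.0.0.9", ["10.1.0.20"], [f"SERVER-WEBAPP probe {i}" for i in range(30)])
    # sanctioned vulnerability scanner sweeping 30 targets
    + _alerts("10.9.9.9", [f"10.1.0.{i}" for i in range(40, 70)], ["ET SCAN Nessus User-Agent"])
    # a single alert, not scanner behaviour
    + _alerts("10.0.0.77", ["10.1.0.40"], ["ET POLICY Suspicious inbound connection"])
)

# Constructed stand-in for an asset lookup that marks authorized scanners.
AUTHORIZED_SCANNERS = {"10.9.9.9"}


def scanner_by_events(alerts, min_signatures=25):
    """By events: sources that triggered at least min_signatures distinct signatures."""
    sigs = defaultdict(set)
    for a in alerts:
        sigs[a["src"]].add(a["signature"])
    return {src: len(s) for src, s in sigs.items() if len(s) >= min_signatures}


def scanner_by_targets(alerts, min_targets=25):
    """By targets: sources that touched at least min_targets distinct destinations."""
    dests = defaultdict(set)
    for a in alerts:
        dests[a["src"]].add(a["dest"])
    return {src: len(d) for src, d in dests.items() if len(d) >= min_targets}


def notable_scanners(alerts, authorized, min_signatures=25, min_targets=25):
    """Union of both detections, split into notable sources and suppressed authorized ones."""
    by_events = scanner_by_events(alerts, min_signatures)
    by_targets = scanner_by_targets(alerts, min_targets)
    candidates = set(by_events) | set(by_targets)
    return {
        "by_events": by_events,
        "by_targets": by_targets,
        "notable": sorted(c for c in candidates if c not in authorized),
        "suppressed_authorized": sorted(c for c in candidates if c in authorized),
    }


if __name__ == "__main__":
    for key, value in notable_scanners(SAMPLE_ALERTS, AUTHORIZED_SCANNERS).items():
        print(f"{key}: {value}")
```

The single-target web-application scan is invisible to the by-targets search and the host sweep is invisible to the by-events search, which is why the catalogue carries both; the suppressed list should be reviewed as its own metric, since an attacker who compromises a sanctioned scanner inherits its exemption.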
Enrichments Required: DE002IdentityInformation
Risk Addressed: PRT02-SecurityVisibilityPriviledgeUserMonitoring, RV1-AbuseofAccess, DS005WebProxyRequest-ET01Requested, APC-Mature, APS-Productized, API-Accepted
Initial Severity: SV2 - Medium
Occurrence: RATED1-Common
Fidelity: FIDELITY-Moderate
System Load: LOAD-Low
Analyst Load: AnalystLoad-Moderate
Implementation Skill: SKILLI-Customer

The repository will be segmented into domains aligning with those defined within Splunk Enterprise Security.
Access - Use cases related to the use of access, authorized or unauthorized activity which may identify a threat to the organization.
Endpoint - Use cases related to the use or modification of an endpoint device in such a way that may be a threat to the organization.
Network - Use cases utilizing data from network communications to identify a threat to the organization.
User/Identity - Use cases using information about an asset or identity to assign the priority, risk level, impact, and categorization for the object to better inform analysts with context when reviewing notable events.
access
asa
cim-authentication
cim-network-communication
cim-network-session
cisco
creative
data-definition
data-source
data-source-event
ha
kb-detect
kb-detect-network
kb-how-to-article
kb-troubleshooting-article
loadbalancer
nlb
provider-type
prt05-tacticalthreat-ransomeware
response
risk-abuse
sev-critical
superceded
syslog
syslog-ng
ucd-access