Infrastructure Content Package
Common infrastructure data sources (e.g. Windows Security Events, Syslog, etc.)
A quickstart guide is available on how to enable Data Connectors, Analytics Rules and Workbooks.
Connectors
- Amazon Web Services
- DNS
- Security Events
- Syslog
- Windows Firewall
- Azure Active Directory
Analytics
- Advanced Multistage Attack Detection
- Known Phosphorus group domains/IP
- Known IRIDIUM IP
- Known GALLIUM domains and hashes
- Known Strontium group domains
- Full Admin policy created and then attached to Roles, Users or Groups
- Monitor AWS Credential abuse or hijacking
- Changes to internet facing AWS RDS Database instances
- Anomalous sign-in location by user account and authenticating application
- Suspicious application consent similar to PwnAuth
- Distributed Password cracking attempts in AzureAD
- Sign-ins from IPs that attempt sign-ins to disabled accounts
- Time series anomaly for data size transferred to public internet
- High count of connections by client IP on many ports
- Potential DGA detected
- Rare client observed with high reverse DNS lookup count
- Process execution frequency anomaly
- RDP Nesting
- Security Event log cleared
- Group added to built in domain local or global group
- Powershell Empire cmdlets seen in command line
- User account enabled and disabled within 10 mins
- Rare RDP Connections
- Network endpoint to host executable correlation
- AD account with don't expire password - disabled
- New internet-exposed SSH endpoints
- Anomalous SSH Login Detection
Workbooks
- Security Operations Efficiency
- Azure AD Audit, Activity and Sign-in logs
- AWS Network Activities
- AWS User Activities
- DNS
- Event Analyzer
- Identity & Access
- Insecure Protocols
- Security Status