Product: IIS
Use-Case: Malware
| Rules | Models | MITRE TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 30 | 8 | 7 | 2 | 2 |
| Event Type | Rules | Models |
|---|---|---|
| network-connection-failed | T1071 - Application Layer Protocol ↳ A-NET-TI-H-Outbound: Outbound connection to a known malicious host ↳ A-NETF-TI-H-Outbound: Outbound failed connection to a known malicious host |
|
| web-activity-allowed | T1189 - Drive-by Compromise ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1204.001 - T1204.001 ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1566.002 - Phishing: Spearphishing Link ↳ WEB-URank-Binary: Executable download from first low ranked web domain T1071.001 - Application Layer Protocol: Web Protocols ↳ A-WEB-Reputation-URL: Asset attempted access to a url with bad reputation ↳ A-WEB-Reputation-Domain: Asset attempted access to a domain with bad reputation ↳ A-WEB-Reputation-IP: Asset attempted to connect to IP address with bad reputation ↳ A-WEB-IOC: Indicator of Compromise (IOC) found in asset's web activity ↳ A-WEB-ALERT: Asset attempted access to a domain with malicious reputation ↳ A-WEB-IP-Country-F: Asset has directly browsed to an IP address in a country never before accessed ↳ A-WEB-IP-Country-A: Abnormal direct access to an IP address by the asset belonging to an abnormal country for the asset to access ↳ WEB-UUa-Browser-F: First activity using this web browser for this user to a new domain ↳ WEB-UU-Reputation: User attempted access to a url with bad reputation ↳ WEB-UD-Reputation-F: First access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UD-Reputation-A: Abnormal access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UD-Reputation-N: Common access to this web domain which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-F: First access to this internet IP address which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-A: Abnormal access to this IP address which has been identified as risky by a reputation feed. ↳ WEB-UI-Reputation-N: Common access to this IP address which has been identified as risky by a reputation feed. ↳ WEB-IOC: Indicator of Compromise (IOC) found in user's web activity ↳ WEB-UD-ALERT-F: First security alert accessing this malicious domain for user ↳ WEB-UD-ALERT-A: Abnormal security alert accessing this malicious domain for user ↳ WEB-UD-ALERT-N: Common security alert on this malicious domain for user ↳ WEB-OZ-F: First web activity from this zone for the organization ↳ WEB-URank-F: First web activity to this low ranked web domain ↳ WEB-URank-A: Abnormal web activity to this low ranked web domain T1090.003 - Proxy: Multi-hop Proxy ↳ WEB-UU-Tor: User has accessed a URL containing '/tor/server' T1568.002 - Dynamic Resolution: Domain Generation Algorithms ↳ A-WEB-Reputation-URL: Asset attempted access to a url with bad reputation ↳ WEB-UD-DGA-F: First access to this domain which has been identified as DGA ↳ WEB-UD-DGA-A: Abnormal access to this domain which has been identified as DGA ↳ WEB-UD-DGA-N: Common access to this domain which has been identified as DGA T1071 - Application Layer Protocol ↳ A-WEB-UU-Tor: Asset has accessed a URL containing '/tor/server' |
• WEB-URank: Web activity to low ranked domains for the user • WEB-OZ: Network zones where users performs web activity in the organization • WEB-UD-ALERT: Top malicious web domain accessed by the user • WEB-UI-Reputation: Top ip addresses flagged by a reputation service that have been accessed by the user • WEB-UD-Reputation: Top web domain flagged by a reputation service that have been accessed by the user • WEB-UUa-Browser-New: Top web browsers being used by user • WEB-UD-DGA: Top web domains per user that seem to be DGA generated during web activity • A-WEB-IP: IPs an asset has directly browsed to |