Product: macOS
Use-Case: Privileged Activity
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 11 | 5 | 2 | 1 | 1 |
| Event Type | Rules | Models |
|---|---|---|
| local-logon | T1078 - Valid Accounts ↳ AL-F-F-CS: First logon to a critical system for user ↳ AL-F-A-CS: Abnormal logon to a critical system for user ↳ AL-UH-CS-NC: Logon to a critical system for a user with no information ↳ AL-OU-F-CS: First logon to a critical system that user has not previously accessed ↳ AL-HT-PRIV: Non-Privileged logon to privileged asset ↳ AL-HT-EXEC-new: New user logon to executive asset T1078.002 - T1078.002 ↳ AL-F-F-DC-G: First logon to a Domain Controller for peer group ↳ AL-F-A-DC-G: Abnormal logon to a Domain Controller for Peer Group ↳ AL-UH-F-DC: First logon to this Domain Controller for user ↳ AL-UH-A-DC: Abnormal logon to a Domain Controller that user has not accessed often previously ↳ AL-UH-DC-NC: Logon to a Domain Controller for user with no information |
• AL-HT-EXEC: Executive Assets • AL-HT-PRIV: Privilege Users Assets • RA-UH: Assets accessed by this user remotely • AL-UH-DC: Logons to Domain Controllers • AL-OU-CS: Logon to critical servers |