Product: Cisco ISE
Use-Case: Account Switch
| Rules | Models | MITRE TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 6 | 5 | 2 | 9 | 9 |
| Event Type | Rules | Models |
|---|---|---|
| remote-logon | T1078 - Valid Accounts ↳ AS-PV-UHWoPC: Access to Password Vault managed asset with no password checkout for user ↳ DC18-new: Account switch by new user |
• AS-PV-OA: Password retrieval based accounts |
| vpn-logout | T1003 - OS Credential Dumping ↳ AS-PV-USCOUNT-A: Abnormal number of password safes used by user ↳ AS-PV-OSize-A: Abnormal number of password retrievals in the organization ↳ AS-PV-GSize-A: Abnormal number of password retrievals in the peer group ↳ AS-PV-USize-A: Abnormal number of password retrievals in the user |
• AS-PV-USize: Count of password retrievals in a session for the user • AS-PV-GSize: Count of password retrievals in a session for the peer group • AS-PV-OSize: Count of password retrievals in a session for the organization • AS-PV-USCOUNT: Count of safe values accessed in a session |