Product: IBM Sterling B2B Integrator
Use-Case: Abnormal User Activity
| Rules | Models | MITRE TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 23 | 13 | 5 | 2 | 2 |
| Event Type | Rules | Models |
|---|---|---|
| failed-logon | T1078 - Valid Accounts ↳ SEQ-UH-03: Failed logon to a top failed logon asset by user ↳ SEQ-UH-06: Abnormal failed logon to asset by user ↳ SEQ-UH-07: Failed logon to an asset that user has not previously accessed ↳ SEQ-UH-14: Failed logon due to bad credentials T1110 - Brute Force ↳ SEQ-UH-08: Abnormal number of failed logons for this user ↳ SEQ-UH-09: Abnormal time of the week for a failed logon for user ↳ SEQ-UH-10: Failed logons had multiple reasons |
• FL-UH: All Failed Logons per user • FL-OH: All Failed Logons in the organization |
| remote-logon | T1021 - Remote ServicesT1078 - Valid Accounts ↳ A-AL-DhU-A: Abnormal user per asset ↳ RL-UH-sZ-F: First remote logon to asset from new or abnormal source network zone ↳ RL-UH-sZ-A: Abnormal remote logon to asset from new or abnormal source network zone ↳ RLA-UsZ-F: First source network zone for user ↳ RLA-UsZ-A: Abnormal source network zone for user ↳ RLA-dZsZ-F: First inter-zone communication from destination to source ↳ RLA-sZdZ-F: First inter-zone communication from source to destination ↳ RLA-sZdZ-A: Abnormal inter-zone communication ↳ AE-UA-F: First activity type for user ↳ AL-F-MultiWs: Multiple workstations in a single session ↳ NEW-USER-F: User with no event history ↳ RL-HU-F-new: Remote logon to private asset for new user T1078 - Valid AccountsT1133 - External Remote Services ↳ UA-UC-A: Abnormal activity from country for user ↳ UA-GC-F: First activity from country for group ↳ UA-OC-F: First activity from country for organization T1078.003 - Valid Accounts: Local Accounts ↳ AL-HLocU-F: First local user logon to this asset |
• RL-HU: Remote logon users • UA-OC: Countries for organization • UA-GC: Countries for peer groups • UA-UC: Countries for user activity • AE-UA: All activity for users • RLA-sZdZ: Destination zone communication • RLA-dZsZ: Source zone communication • RLA-UsZ: Source zones for user • RL-UH: Remote logons • NKL-HU: Users logging into this host remotely • A-AL-DhU: Users per Host |