1 | 0.1 | UCIPSPDCI001 | IPS | Cisco | IPS possible unauthorized vulnerability scan | event1 : ( Device Product = Cisco Intrusion Prevention System AND ( Name Contains Exploit [ignore case] OR Category Technique = /Exploit/Vulnerability ) AND Type != Correlation ) # of Matches: 5 Time Frame: 1 min Identical : Attacker Address | Detection of multiple IPS signatures triggered by a single source | Medium | P2 | X | X | |
2 | 0.1 | UCIPSPDCI002 | IPS | Cisco | IPS possible unauthorized host scan | Detection of multiple IPS signatures triggered against a single target | Medium | P2 | X | X | ||
3 | 0.1 | UCIPSPDCI003 | IPS | Cisco | IPS possible exploit of vulnerability | event1 : ( Device Product = Cisco Intrusion Prevention System AND Name Contains Exploit [ignore case] ) # of Matches: 3 Time Frame: 1 min | Detection of Medium/High/Critical signatures triggered on the IPS | Simple | P3 | |||
4 | 0.1 | UCIPSPDCI003 | IPS | Cisco | IPS Successful attack detected | Detection of an IPS signature from a source whose traffic is allowed by both the firewall and the IPS | Complex | P1 | ||||
5 | 0.1 | UCIPSPDSF001 | Sourcefire Management Console eStreamer | SourceFire | Sourcefire IPS possible unauthorized vulnerability scan | Detection of multiple IPS signatures triggered by a single source | Medium | P2 | X | X | ||
6 | 0.1 | UCIPSPDSF002 | Sourcefire Management Console eStreamer | SourceFire | Sourcefire IPS possible unauthorized host scan | Detection of multiple IPS signatures triggered against a single target | Medium | P2 | X | X | ||
7 | 0.1 | UCIPSPDSF003 | Sourcefire Management Console eStreamer | SourceFire | Sourcefire IPS possible exploit of vulnerability | Detection of Medium/High/Critical signatures triggered on the IPS | Simple | P3 | ||||
8 | 0.1 | UCIPSPDSF003 | Sourcefire Management Console eStreamer | SourceFire | Sourcefire IPS Successful attack detected | Detection of an IPS signature from a source whose traffic is allowed by both the firewall and the IPS | Complex | P1 | ||||
9 | 0.1 | UCAVPDSEP001 | Antivirus | Symantec | Antivirus detection of virus outbreak | Detection of multiple hosts being infected by a virus (cleaned/not cleaned) in a short span of time | Medium | P2 | X | |||
10 | 0.1 | UCAVPDSEP002 | Antivirus | Symantec | Antivirus Update Unsuccessful | event1 : ( Message Like %AV Update Unsuccessful% [ignore case] OR Name Like %AV Update Unsuccessful% [ignore case] ) # of Matches: 1 Time Frame: 1 min | Detects any outdated antivirus engine in the network | Simple | P3 | |||
11 | 0.1 | UCAVPDSEP003 | Antivirus | Symantec | Conficker Found | event1 : ( Name Contains conficker [ignore case] AND Type != Correlation ) # of Matches: 1 Time Frame: 1 min | Detection of the Conficker worm on a machine (cleaned/not cleaned) | Simple | P2 | X | ||
12 | 0.1 | UCAVPDSEP004 | Antivirus | Symantec | Infected machines | event1 : ( ( Device Custom String2 = Virus OR Device Custom String2 = Trojan OR Device Custom String2 = Worm ) AND NotInActiveList("Infected machines") AND Device Action != deleted [ignore case] AND Device Product = Endpoint Protection [ignore case] AND Device Custom String1 Is NOT NULL ) # of Matches: 1 Time Frame: 1 min | Detects a possibly infected host in the network that the antivirus did not clean | Simple | P3 | X | ||
13 | 0.1 | UCROPDCIS001 | Router | CISCO | Router configuration changed | ( Device Product = CiscoRouter AND Category Behavior = /Modify/Configuration AND Device Event Class ID = SYS:CONFIG_I ) | Detects any change made to the router configuration | Simple | P3 | |||
14 | 0.1 | UCROPDCIS002 | Router | CISCO | Router Interface Down | ( Device Product = CiscoRouter AND Name = Interface changed state to down [ignore case] ) | Detects a router interface going down or becoming unavailable | Simple | P2 | |||
15 | 0.1 | UCROPDCIS003 | Router | CISCO | Router Power Supply Down | ( Device Product = CiscoRouter AND Message Contains Power supply 2 failure ) | Detects a power supply failure on the router (as written the match string covers only supply 2; widen it to cover every supply) | Simple | P2 | |||
16 | 0.1 | UCFWPDCI001 | Firewall | CISCO ASA | Firewall default admin account usage Detection | ( Device Product = ASA AND Category Behavior = /Authentication/Verify AND ( Target User Name = root OR Target User Name = admin ) ) # of Matches: 1 Time Frame: 2 min | Detection of login activity using a default admin account | Simple | P3 | X | ||
17 | 0.1 | UCFWPDCI002 | Firewall | CISCO ASA | Firewall detection of privileged login attempt using administrator ID has failed | ( Device Product = ASA AND Device Event Class ID Contains 308001 ) # of Matches: 2 Time Frame: 1 min | Detection of failed login from the admin account | Medium | P3 | X | ||
18 | 0.1 | UCFWPDCI003 | Firewall | CISCO ASA | Firewall detection of shutdown reboot and failover | Device Product = ASA AND ( Device Event Class ID Contains 199001 OR Device Event Class ID Contains 199002 OR Device Event Class ID Contains 199005 OR Device Event Class ID Contains 101002 OR Device Event Class ID Contains 101003 OR Device Event Class ID Contains 101004 OR Device Event Class ID Contains 101005 OR Device Event Class ID Contains 103001 OR Device Event Class ID Contains 103003 OR Device Event Class ID Contains 103004 OR Device Event Class ID Contains 102001 OR Device Event Class ID Contains 104001 OR Device Event Class ID Contains 104002 OR Device Event Class ID Contains 105032 OR Device Event Class ID Contains 103005 ) # of Matches: 1 Time Frame: 2 min | Detection of firewall reboot or failover activity | Simple | P3 | |||
19 | 0.1 | UCFWPDCI004 | Firewall | CISCO ASA | Firewall successful connection from blacklisted IPs | ( Device Product = ASA AND InActiveList("threat_feed_master_ip_list") AND Category Outcome = /Success AND Category Behavior = /Access ) # of Matches: 1 Time Frame: 2 min Active list lookup keyed on Source Address against threat_feed_master_ip_list | Detection of allowed traffic from known malicious IPs in the threat feed | Medium | P2 | |||
20 | 0.1 | UCFWPDCI005 | Firewall | CISCO ASA | Firewall successful connection internal source to blacklisted IPs | ( Device Product = ASA AND InActiveList("threat_feed_master_ip_list") AND Category Outcome = /Success AND Category Behavior = /Access ) # of Matches: 1 Time Frame: 2 min Active list lookup keyed on Target Address against threat_feed_master_ip_list | Detection of traffic from the internal network towards known malicious IPs in the threat feed | Medium | P2 | |||
21 | 0.1 | UCFWPDCI006 | Firewall | CISCO ASA | Successful Connection On Trojan Port from external source | Device Product = ASA AND Target Port In (31,41,48,50,59,79,81,99,110,113,119,121,123,133,142,146,170,180,334,420,421,456,513,531,555,559,605,666,667,669,692,777,808,911,999,1000,1001,1010,1011,1012,1015,1016,1020,1024,1026,1042,1045,1049,1050,1054,1080,1081,1082,1083,1090,1095,1097,1098,1099,1170,1200,1201,1207,1212,1234,1243,1245,1255,1256,1269,1313,1338,1349,1434,1492,1524,1600,1777,1807,1966,1969,1981,1999,2000,2001,2023,2080,2115,2140,2155,2234,2255,2283,2300,2339,2345,2565,2583,2600,2716,2773,2801,2989,3000,3024,3127,3128,3129,3150,3456,3459,3700,3791,3801,4000,4092,4242,4321,4444,4567,4590,4950,5000,5001,5002,5010,5011,5025,5031,5032,5321,5343,5400,5401,5402,5512,5550,5555,5556,5557,5569,5637,5638,5742,5760,5882,5888,6000,6006,6272,6346,6400,6666,6667,6669,6670,6711,6712,6713,6723,6771,6776,6838,6883,6912,6939,6969,6970,7000,7001,7215,7300,7301,7306,7307,7308,7424,7597,7777,7789,7983,8787,8988,8989,9000,9325,9400,9872,9873,9874,9875,9876,9878,9989,9999,10067,10085,10086,10101,10167,10520,10528,10607,10666,11000,11050,11051,11223,12076,12223,12345,12346,12349,12361,12362,12623,12624,12631,12754,13000,13010,14500,15092,15104,15858,16484,16660,16772,16969,17166,17300,17449,17499,17777,18753,19864,20000,20001,20002,20023,20034,20203,20331,20432,20433,21544,21554,22222,23005,23023,23032,23432,23456,23476,23477,26274,26681,27374,27444,27573,27665,29104,29891,30001,30003,30029,30100,30101,30102,30103,30133,30303,30947,30999,31335,31336,31337,31338,31339,31666,31785,31788,31789,31790,31791,31792,32001,32100,32418,33270,33333,33577,33777,33911,34324,34444,34555,35555,37651,40412,40421,40422,40423,40426,41666,44444,47262,50505,50766,51966,52317,53001,54283,54320,54321,57341,58339,60000,60068,60411,61348,61466,61603,63485,64101,65000,65432,65534,65535) AND ( Source Zone URI StartsWith /All Zones/ArcSight System/Public Address Space Zones OR Destination Zone URI StartsWith /All Zones/ArcSight System/Public Address Space Zones ) # of Matches: 3 Time Frame: 1 min Identical : Attacker Address, Target Port | Detection of a possible attacker connecting on trojan ports to spread infection. The port list overlaps common legitimate services (for example 110 POP3, 113 ident, 123 NTP, 1080 SOCKS, 3128 proxy, 5000), so tune it per environment to limit false positives | Complex | P2 | X | ||
22 | 0.1 | UCFWPDCI007 | Firewall | CISCO ASA | Connection On Trojan Port from internal host | same as "UCFWPDCI006" only source IP = Internal source subnet | Detection of a possibly infected machine connecting on trojan ports | Complex | P3 | X | ||
23 | 0.1 | UCFWPDCI008 | Firewall | CISCO ASA | Firewall successful traffic on microsoft and netbios ports from external source | ( Device Product = ASA AND Destination Port In (135,137,138,139,445,1433) AND Source Zone URI StartsWith /All Zones/ArcSight System/Public Address Space Zones AND ( Category Outcome = /Success [ignore case] OR Category Outcome = /Failure ) ) # of Matches: 20 Time Frame: 1 min | Detection of traffic on Microsoft ports (445, 1433) and NetBIOS ports (135, 137, 138, 139) observed on the perimeter firewall from an external source | Complex | P2 | X | ||
24 | 0.1 | UCFWPDCI009 | Firewall | CISCO ASA | Firewall traffic on microsoft and netbios ports from internal source | same as "UCFWPDCI008" only source IP = Internal source subnet | Detection of allowed/blocked traffic on Microsoft ports (445, 1433) and NetBIOS ports (135, 137, 138, 139) observed on the perimeter firewall from an internal source | Complex | P2 | X | ||
25 | 0.1 | UCFWPDCI010 | Firewall | CISCO ASA | Firewall successful pass after repetitive blocks from same internet source address | ( Device Product = ASA [ignore case] AND Category Outcome = /Success AND Category Behavior StartsWith /Access AND InActiveList("firewall_repetitive_blocks_source_address") ) # of Matches: 1 Time Frame: 1 min | Detection of allowed traffic from a source that the same firewall earlier denied repeatedly. This could indicate a successful compromise (or an unreviewed rule change). | Complex | P2 | X | ||
26 | 0.1 | UCFWPDCI011 | Firewall | CISCO ASA | Telnet command executed from firewall | ( Device Product = ASA AND Device Action Contains permit [ignore case] AND Destination Port = 23 ) # of Matches: 5 Time Frame: 1 min | Detection of telnet (TCP/23) sessions permitted through the firewall; telnet is cleartext and should be rare or blocked | Simple | P3 | X | ||
27 | 0.1 | UCFWPDCI012 | Firewall | CISCO ASA | Firewall successful connection to blacklisted URLs | ( Device Product = ASA AND Category Behavior StartsWith /Access AND Category Outcome = /Success AND InActiveList("threat_feed_master_url_list") ) # of Matches: 1 Time Frame: 1 min | Detection of allowed traffic towards known malicious URLs | Medium | P2 | X | ||
28 | 0.1 | UCFWPDCI013 | Firewall | CISCO ASA | ASA Host Port Scan | ( Device Product = ASA AND Device Event Class ID = 710005 ) # of Matches: 20 Time Frame: 1 min Identical : Attacker Address, Target Address Unique : Target Port | Detects port scan activity against the same machine on multiple ports | Simple | P3 | X | ||
29 | 0.1 | UCFWPDCI014 | Firewall | CISCO ASA | Accessing URL in Domain Watchlist | Detects traffic towards URLs added to a watchlist based on business policy | Medium | P3 | X | |||
30 | 0.1 | UCFWPDCI015 | Firewall | CISCO ASA | Firewall high number of failed login | Detection of multiple failed logins from user accounts | Simple | P3 | X | X | ||
31 | 0.1 | UCFWPDCI016 | Firewall | CISCO ASA | Port Sweep Activity | ( Device Product = ASA AND Category Behavior StartsWith /Access AND Target Port Is NOT NULL AND Category Outcome = /Failure ) # of Matches: 100 Time Frame: 2 min Identical : event1.Target Port, event1.Attacker Address, event1.Attacker Host Name Unique : event1.Target Address, event1.Target Host Name | Detects port sweep activity against multiple machines on the same port | Simple | P3 | X | ||
32 | 0.1 | UCFWPDCI017 | Firewall | CISCO ASA | Possible Outbound Network Sweep | Detection of network sweep/scan activity from an internal source towards an external zone | Medium | X | ||||
33 | 0.1 | UCFWPDCI018 | Firewall | CISCO ASA | Possible Network Sweep | Detection of a network sweep from the same source against multiple internal targets and ports | Medium | P3 | X | |||
34 | 0.1 | UCFWPDCI019 | Firewall | CISCO ASA | Botnet activity detected | Captures traffic to blacklisted/grey-listed (botnet, trojan, spyware) domains as detected by the firewall | Simple | P2 | X | |||
35 | 0.1 | UCFWPDCI020 | Firewall | CISCO ASA | Firewall critical services failed down | Detects alerts generated on the firewall for mission-critical services such as interfaces, failover cables, etc. | Simple | P2 | ||||
36 | 0.1 | UCFWPDCI021 | Firewall | CISCO ASA | Potential Policy violation IPs | Detects traffic towards IPs restricted by policy | Medium | P3 | X | |||
37 | 0.1 | UCFWPDCI022 | Firewall | CISCO ASA | User Trying to enter privileged mode but failed | Detects authentication failures for a user trying to enter privileged (enable) mode on the firewall. The maximum is three attempts. | Simple | P3 | X | |||
38 | 0.1 | UCFWPDCI022 | Firewall | CISCO ASA | Repetitive Block from Internet | Detection of a high volume of blocked traffic at the firewall from the same source | Simple | P3 | X | |||
39 | 0.1 | UCFWPDJU001 | Firewall | JUNIPER | Host Port Scan | ( Device Product = JUNOS AND Device Event Class ID = RT_FLOW_SESSION_CLOSE ) # of Matches: 20 Time Frame: 1 min Identical : Attacker Address, Target Address Unique : Target Port | Detects port scan activity against the same machine on multiple ports (RT_FLOW_SESSION_CLOSE also covers normal session closes; RT_FLOW_SESSION_DENY is the tighter match for a scan) | Simple | P3 | X | ||
40 | 0.1 | UCFWPDJU002 | Firewall | JUNIPER | High Number of Denied Connections from a Source Host | ( Category Behavior = /Access AND Category Device Group = /Firewall AND Category Object = /Host/Application/Service AND Category Outcome = /Failure AND Type = Base ) # of Matches: 50 Time Frame: 1 min Identical : Attacker Address | Detects an abnormally high volume of denied traffic from the same source | Simple | P3 | |||
41 | 0.1 | UCFWPDJU003 | Firewall | JUNIPER | Port Sweep Activity | event1 : ( Device Vendor = Juniper AND Device Product = JUNOS AND Category Behavior StartsWith /Access AND Target Port Is NOT NULL AND Category Outcome = /Failure ) # of Matches: 100 Time Frame: 2 min Identical : Attacker Address, Target Port Unique : Target Address | Detects port sweep activity against multiple machines on the same port | Simple | P3 | X | ||
42 | 0.1 | UCFWPDJU004 | Firewall | JUNIPER | Successful Connection On Trojan Port from external source | event1 : ( Device Product = JUNOS AND Category Outcome = /Success AND Type = Base AND InActiveList("Battlecat_Trojan_ports") ) # of Matches: 3 Time Frame: 1 min | Detection of a possible attacker connecting on trojan ports to spread infection | Complex | P2 | X | ||
43 | 0.1 | UCFWPDJU005 | Firewall | JUNIPER | Connection On Trojan Port from internal host | same as "UCFWPDJU004" only source IP = Internal source subnet | Detection of a possibly infected machine connecting on trojan ports | Complex | P3 | X | ||
44 | 0.1 | UCFWPDJU006 | Firewall | JUNIPER | Firewall successful traffic on microsoft and netbios ports from external source | event1 : ( Device Product = JUNOS AND Source Zone URI StartsWith /All Zones/ArcSight System/Public Address Space Zones AND Destination Port In (135,137,138,139,445,1433) AND Category Outcome = /Success [ignore case] ) # of Matches: 20 Time Frame: 1 min | Detection of successful traffic on Microsoft ports (445, 1433) and NetBIOS ports (135, 137, 138, 139) observed on the perimeter firewall from an external source | Complex | P2 | X | ||
45 | 0.1 | UCFWPDJU007 | Firewall | JUNIPER | Firewall traffic on microsoft and netbios ports from internal source | event1 : ( Device Product = JUNOS AND Destination Port In (135,137,138,139,445,1433) AND Category Outcome = /Success [ignore case] AND Attacker Zone URI NOT StartsWith /All Zones/ArcSight System/Public Address Space Zones ) # of Matches: 5 Time Frame: 1 min | Detection of allowed traffic on Microsoft ports (445, 1433) and NetBIOS ports (135, 137, 138, 139) observed on the perimeter firewall from an internal source | Complex | P2 | X | ||
46 | 0.1 | UCFWPDJU008 | Firewall | JUNIPER | Default admin account usage Detection | event1 : ( MatchesFilter("customer name") AND Device Vendor = NetScreen AND ( Destination User Name Contains netscreen [ignore case] OR Destination User Name Contains (administrator name) ) ) | Detection of the default admin account being used to log in to the firewall (note that this rule keys on Device Vendor = NetScreen, unlike the other JUNIPER rows, which key on Device Product = JUNOS) | Medium | P3 | X | ||
47 | 0.1 | UCFWPDJU009 | Firewall | JUNIPER | Successful traffic observed from suspicious source | event1 : ( Device Product = JUNOS AND Category Behavior = /Access AND Category Device Group = /Firewall AND Category Outcome = /Success AND ( InActiveList("Host_Port_Scan_1d_delay") OR InActiveList("Port_Sweep_Activity_1d_delay") ) ) # of Matches: 1 Time Frame: 2 min | Detection of a successful connection from a source that the Host Port Scan or Port Sweep rules flagged within the last day (1-day active lists) | Medium | P2 | |||
48 | 0.1 | UCFWPDJU010 | Firewall | JUNIPER | Firewall successful connection internal source to blacklisted IPs | Matching event : ( InActiveList("threat_feed_master_ip_list") AND Category Behavior StartsWith /Access AND Device Product = JUNOS AND Category Outcome = /Success AND Type = Base ) # of Matches: 1 Time Frame: 2 min | Detection of traffic from the internal network towards known malicious IPs in the threat feed | Medium | P2 | |||
49 | 0.1 | UCFWPDPA001 | Firewall | PALO ALTO | Palo-Alto Host Port Scan | event1 : ( Device Product = PAN-OS AND MatchesFilter("ENABLE") AND Device Event Class ID Contains scan [ignore case] AND Name = THREAT ) # of Matches: 5 Time Frame: 2 min | Detects port scan activity against the same machine on multiple ports | Simple | P3 | X | ||
50 | 0.1 | UCFWPDPA002 | Firewall | PALO ALTO | Firewall successful traffic on microsoft and netbios ports from external source | event1 : ( Type = Base AND Destination Port In (135,137,138,139,445,1433) AND Device Product = PAN-OS AND MatchesFilter("Enable_production") AND Source Zone URI StartsWith /All Zones/ArcSight System/Public Address Space Zones AND NotInActiveList("Enable_Palo-Alto_successful_or_unsuccessful_traffic_on_microsoft_and_netbios_ports_delay_8h") AND ( Device Action = allow [ignore case] OR Device Action = alert [ignore case] ) AND Not( Source Address = 10.5.178.42 OR Source Address = 10.1.17.42 ) ) | Detection of successful traffic on Microsoft ports (445, 1433) and NetBIOS ports (135, 137, 138, 139) observed on the perimeter firewall from an external source | Complex | P2 | X | ||
51 | 0.1 | UCFWPDPA003 | Firewall | PALO ALTO | Firewall traffic on microsoft and netbios ports from internal source | same as "UCFWPDPA002" only source IP = Internal source subnet | Detection of allowed/blocked traffic on Microsoft ports (445, 1433) and NetBIOS ports (135, 137, 138, 139) observed on the perimeter firewall from an internal source | Complex | P2 | X | ||
52 | 0.1 | UCFWPDPA004 | Firewall | PALO ALTO | Malicious file download | Detects firewall alerts on malicious content downloaded from the internet | Simple | P2 | ||||
53 | 0.1 | UCFWPDPA005 | Firewall | PALO ALTO | Malware detected in the network | Detection of any malware attempt from an internal source | Simple | P2 | X | |||
54 | 0.1 | UCFWPDPA006 | Firewall | PALO ALTO | Successful connection from blacklisted IPs | same as "UCFWPDCI004" and only source type = Palo-Alto | Detection of allowed traffic from known malicious IPs | Medium | P2 | |||
55 | 0.1 | UCFWPDPA007 | Firewall | PALO ALTO | Successful connection to blacklisted URLs | same as "UCFWPDCI012" and only source type = Palo-Alto | Detection of allowed traffic towards known malicious URLs | Medium | P2 | X | ||
56 | 0.1 | UCFWPDPA008 | Firewall | PALO ALTO | Telnet Command Executed on Firewall | event1 : ( MatchesFilter("Enable_production") AND Destination Port = 23 AND Device Action = allow [ignore case] AND Device Product = PAN-OS [ignore case] ) # of Matches: 1 Time Frame: 2 min | Detection of a successful telnet attempt towards the firewall | Simple | P3 | X | ||
57 | 0.1 | UCFWPDPA009 | Firewall | PALO ALTO | TCP-UDP Flood Detection | Detects alerts generated on the firewall for TCP/UDP flooding | Simple | P2 | ||||
58 | 0.1 | UCFWPDPA010 | Firewall | PALO ALTO | Brute Force Attack Detected | event1 : ( Device Product = PAN-OS AND MatchesFilter("ENABLE") AND Name = THREAT AND Device Event Category Contains Brute [ignore case] ) # of Matches: 5 Time Frame: 2 min | Detection of alerts generated on the firewall for a brute-force attack | Simple | P3 | X | ||
59 | 0.1 | UCFWPDPA011 | Firewall | PALO ALTO | Connection attempts from blacklisted IPs on trojan ports | same as "UCFWPDCI006" only source type is Palo-Alto and Attacker Address InActiveList("threat_feed_master_ip_list") | Detects connection attempts from known malicious IPs on known trojan ports | Medium | P3 | X | ||
60 | 0.1 | UCFWPDPA012 | Firewall | PALO ALTO | Default admin account usage Detection | Detection of the default admin account being used to log in to the firewall | Medium | P3 | X | |||
61 | 0.1 | UCFWPDPA013 | Firewall | PALO ALTO | High Number of Denied Connections from Source Host | Detection of an unusually high volume of denied traffic from a single source | Simple | P3 | ||||
62 | 0.1 | UCFWPDPA014 | Firewall | PALO ALTO | Possible Exploit of Vulnerability | event1 : ( Device Product = PAN-OS AND MatchesFilter("ENABLE") AND Name = THREAT AND Device Event Class ID = vulnerability AND NotInActiveList("Enable_Palo-Alto_Possible_Exploit_of_Vulnerability - 4hr") ) # of Matches: 5 Time Frame: 2 min | Detection of vulnerability exploit attempts between an internal host and an external attacker | Complex | P2 | |||
63 | 0.1 | UCFWPDPA015 | Firewall | PALO ALTO | Successful pass after repetitive block from same source | event1 : ( Device Product = PAN-OS AND Device Action = allow [ignore case] AND InActiveList("firewall_repetitive_blocks_source_address") ) # of Matches: 1 Time Frame: 1 min | Detection of allowed traffic from a source that the same firewall earlier denied repeatedly. This could indicate a successful compromise (or an unreviewed rule change). | Complex | P2 | X | ||
64 | 0.1 | UCFWPDPA016 | Firewall | PALO ALTO | Successful connection internal source to blacklisted IPs | same as "UCFWPDCI005" only source type is Palo-Alto and source IP = Internal IP Subnet | Detection of allowed traffic from the internal network to malicious IPs | Medium | P2 | |||
65 | 0.1 | UCFWPDPA017 | Firewall | PALO ALTO | Successful Connection On Trojan Port from external source | same as "UCFWPDCI006" only source type is Palo-Alto | Detection of a possible attacker connecting on trojan ports to spread infection | Complex | P2 | X | ||
66 | 0.1 | UCFWPDPA018 | Firewall | PALO ALTO | Connection On Trojan Port from internal host | same as "UCFWPDCI007" only source type is Palo-Alto | Detection of a possibly infected machine connecting on trojan ports | Complex | P3 | X | ||
67 | 0.1 | UCFWPDCH001 | Firewall | Check Point | Default admin account usage Detection | Detection of the default admin account being used to log in to the firewall | Medium | P3 | X | |||
68 | 0.1 | UCFWPDCH002 | Firewall | Check Point | High number denied connection | Detection of an unusually high volume of denied traffic from a single source | Simple | P3 | ||||
69 | 0.1 | UCFWPDCH003 | Firewall | Check Point | Network Host Scan | Detects port scan activity against the same machine on multiple ports | Simple | P3 | X | |||
70 | 0.1 | UCFWPDCH004 | Firewall | Check Point | Network Port Scan | Detects port sweep activity against multiple machines on the same port | Simple | P3 | X | |||
71 | 0.1 | UCFWPDCH005 | Firewall | Check Point | Successful connection to blacklisted URLs | same as "UCFWPDCI012" and only source type = Check Point | Detection of allowed traffic towards known malicious URLs | Medium | P2 | X | ||
72 | 0.1 | UCFWPDCH006 | Firewall | Check Point | Traffic on FTP Telnet Ports | Detection of traffic on ports 20, 21 (FTP) and 23 (telnet) | Simple | P3 | X | |||
73 | 0.1 | UCFWPDCH007 | Firewall | Check Point | Successful connection internal source to blacklisted IPs | same as "UCFWPDCI005" and only source type = Check Point | Detection of allowed traffic from the internal network to malicious IPs | Medium | P2 | |||
74 | 0.1 | UCFWPDCH008 | Firewall | Check Point | Unsuccessful connection internal source to blacklisted IPs | same as "UCFWPDCI005" with Category Outcome = /Failure and only source type = Check Point | Detection of blocked traffic from the internal network to malicious IPs | Medium | P3 | |||
75 | 0.1 | UCOSPDWIN001 | Server | Windows | Windows administrator account usage | Device Event Class ID = Microsoft-Windows-Security-Auditing:4624 AND Device Product = Microsoft Windows AND Target User Name = Administrator [ignore case] # of Matches: 1 Time Frame: 2 min | Detection of system activity from the default Administrator account (without the Target User Name condition the rule fires on every successful logon) | Medium | P3 | X | ||
76 | 0.1 | UCOSPDWIN002 | Server | Windows | Windows detection of privileged user activity | Device Product = Microsoft Windows AND Category Behavior = /Modify/Configuration Additional Info: List of privileged Users # of Matches: 1 Time Frame: 2 min | Detects configuration changes made from a privileged user account | Medium | P3 | X | ||
77 | 0.1 | UCOSPDWIN003 | Server | Windows | Windows detection of user login from multiple source within specified time interval | Device Product = Microsoft Windows AND Device Event Class ID = Microsoft-Windows-Security-Auditing:4624 # of Matches: 5 Time Frame: 1 min Identical : Target User Name Unique : Attacker Address | Detection of the same account being used from more than one source within a specific time interval. Could be account sharing or credential theft. | Medium | P3 | X | ||
78 | 0.1 | UCOSPDWIN004 | Server | Windows | Windows group accounts modified by admins | Device Product = Microsoft Windows AND ( Device Event Class ID = Microsoft-Windows-Security-Auditing:4732 OR Device Event Class ID = Microsoft-Windows-Security-Auditing:4733 ) # of Matches: 1 Time Frame: 2 min | Detection of group membership modification (member added to or removed from a security-enabled local group) by an admin | Medium | P3 | X | ||
79 | 0.1 | UCOSPDWIN005 | Server | Windows | Windows modification or deletion of audit logs | Device Product = Microsoft Windows AND Device Event Class ID = Microsoft-Windows-Security-Auditing:1102 # of Matches: 1 Time Frame: 2 min | Detection of the Security/audit log being cleared on the system (event 1102) | Simple | P2 | |||
80 | 0.1 | UCOSPDWIN006 | Server | Windows | Windows multiple failed login from same source address | Device Product = Microsoft Windows AND Device Event Class ID = Microsoft-Windows-Security-Auditing:4625 AND Not( Source Address Is NULL AND Destination User Name EndsWith $ ) # of Matches: 5 Time Frame: 1 min Identical : Source Address, Source Host Name | Detection of multiple failed login attempts for multiple users from the same source IP | Simple | P3 | |||
81 | 0.1 | UCOSPDWIN007 | Server | Windows | Windows multiple failed login from same source user | Device Event Class ID = Microsoft-Windows-Security-Auditing:4625 AND Target User Name Is NOT NULL AND Device Product = Microsoft Windows AND Not( Destination User Name EndsWith $ ) # of Matches: 5 Time Frame: 1 min Identical : Destination User Name | Detection of multiple failed login attempts for a single user | Simple | P3 | |||
82 | 0.1 | UCOSPDWIN008 | Server | Windows | Windows successful bruteforce login | Device Product = Microsoft Windows AND Device Event Class ID = Microsoft-Windows-Security-Auditing:4624 AND ( InActiveList("Windows_Brute_Force_Failed_Attacker") OR InActiveList("Windows_Brute_Force_Failed_User_destination") ) # of Matches: 1 Time Frame: 1 min | Detection of a successful login following a number of failed logins by the same account or from the same source within the list retention period | Complex | P2 | |||
83 | 0.1 | UCOSPDWIN009 | Server | Windows | Windows system shutdown reboot | Device Product = Microsoft Windows AND ( Device Event Class ID = Microsoft-Windows-Security-Auditing:4608 OR Device Event Class ID = Microsoft-Windows-Security-Auditing:4609 ) # of Matches: 1 Time Frame: 1 min | Detection of Windows server startup (4608) or shutdown (4609) | Simple | P3 | |||
84 | 0.1 | UCOSPDWIN010 | Server | Windows | Windows system time changed | Device Event Class ID = Microsoft-Windows-Security-Auditing:4616 AND Device Product = Microsoft Windows # of Matches: 1 Time Frame: 1 min | Detects Windows system time changes not made by a local service or service account (the rule as written has no user filter; add a Destination User Name exclusion for LOCAL SERVICE, SYSTEM and service accounts to match this intent) | Simple | P3 | |||
85 | 0.1 | UCOSPDWIN011 | Server | Windows | Windows user account added or removed from admin groups | Device Product = Microsoft Windows AND Target User Name Contains admin [ignore case] AND ( Device Event Class ID = Microsoft-Windows-Security-Auditing:4732 OR Device Event Class ID = Microsoft-Windows-Security-Auditing:4733 ) # of Matches: 1 Time Frame: 2 min | A user is added to or removed from an admin-level security group on a Windows server. | Simple | P3 | X | ||
86 | 0.1 | UCOSPDWIN012 | Server | Windows | Windows user account created and given admin rights | Device Product = Microsoft Windows AND ( Device Event Class ID = Microsoft-Windows-Security-Auditing:4732 OR Device Event Class ID = Microsoft-Windows-Security-Auditing:4733 ) AND InActiveList("windows_user_account_created") # of Matches: 1 Time Frame: 1 min | A newly created user account (tracked in the active list) is added to a security-enabled (admin) group | Complex | P3 | X | ||
87 | 0.1 | UCOSPDWIN013 | Server | Windows | Windows probable successful attack configuration changes | Detection of configuration changes following a previous successful attack by the same attacker | Complex | P2 | X | |||
88 | 0.1 | UCOSPDWIN014 | Server | Windows | Windows User Account Enabled | Detects a previously disabled Windows user account being enabled | Simple | P3 | X | |||
89 | 0.1 | UCOSPDWIN015 | Server | Windows | Windows configuration changes outside business hours | Detection of configuration changes made on a system outside usual working hours | Complex | P3 | X | |||
90 | 0.1 | UCOSPDWIN016 | Server | Windows | Windows Sensitive file Access | Detects access to sensitive files on a Windows server. A list of sensitive files is to be maintained. | Medium | P3 | ||||
91 | 0.1 | UCOSPDWIN016 | Server | Windows | Windows account lockout policy | Detects user accounts being locked out as a result of multiple failed logins | Simple | P3 | X | |||
92 | 0.2 | UCROPDCIS004 | Router | CISCO | Router login failed from same source | ( Device Product = CiscoRouter AND Name = Login failed) | Dectection of failed login on Router | Simple | P3 | |||
93 | 0.2 | UCIPSPDCI004 | IPS | Cisco | Malicious_code_Propagation | event1 : ( Type != Correlation AND ( Device Product = Cisco Intrusion Prevention System OR Device Product = ASA ) AND ( InActiveList(apacSensitive_URLs") OR Name In (../,"..\\",..%5c,.%2e,.asp::$DATA,.asp.,a%5c.aspx,root.exe?/c+dir,winnt/system32/cmd.exe?/c+dir,..%5c../winnt/system32/cmd.exe?/c+dir,..,"xc1\\x1c../winnt/system32/cmd.exe?/c+dir","..\\xc0/../winnt/system32/cmd.exe?/c+dir","..\\xc0\\xaf../winnt/system32/cmd.exe?/c+dir","..\\xc1\\x9c../winnt/system32/cmd.exe?/c+dir",..%35c../winnt/system32/cmd.exe?/c+dir,..%5c../winnt/system32/cmd.exe?/c+dir,..%2f../winnt/system32/cmd.exe?/c+dir,NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%,javascript:alert,JaVaScRiPt:alert,document.write,javascript:document.write,alert,alert(String.fromCharCode(88,83,83)) ) ) | Detection of malicous code on IPS traffic | Complex | ||||
94 | 0.2 | UCOSPOUNI001 | Server | Unix | unix_successful_bruteforce_attack | Device Vendor = Unix AND Name = Accepted password AND Category Behavior = /Authentication/Verify AND Category Outcome = /Success AND InActiveList("Unix_bruteforce_failed_user_add_to_list") # of Matches: 1 Time Frame: 2 min | Detection of bruteforce login attempts | Medium | P2 | |||
95 | 0.2 | UCOSPOUNI002 | Server | Unix | unix_multiple_failed_login_from_same_user | Device Vendor = Unix AND Destination User Name Is NOT NULL AND Category Behavior = /Authentication/Verify AND Category Outcome = /Failure # of Matches: 5 Time Frame: 1 min Identical : event1.Destination User Name | Detection of failed login from same user | Medium | P3 | |||
96 | 0.2 | UCOSPOUNI003 | Server | Unix | unix_multiple_failed_login_from_same_source_address | Device Vendor = Unix AND Category Behavior = /Authentication/Verify AND Category Outcome = /Failure AND Target User Name Is NOT NULL # of Matches: 5 Time Frame: 1 min Identical : event1.Source Address | Detection of failed logins from the same source IP address | Medium | P3 | |||
97 | 0.2 | UCOSPOUNI004 | Server | Unix | unix_login_with_root_account | ( Device Vendor = Unix AND Name = session opened AND Target User Name = root AND Device Custom String1 != su ) # of Matches: 1 Time Frame: 2 min | Detection of login attempts with the root account | Simple | P3 | |||
98 | 0.2 | UCOSPOUNI005 | Server | Unix | unix_detection_of_user_login_from_multiple_source_within_specified_time_interval | Device Product = Unix AND Category Behavior = /Authentication/Verify AND Category Outcome = /Success # of Matches: 5 Time Frame: 2 min Identical : event1.Destination Address, event1.Destination Host Name event1.Destination Zone Resource, event1.Target User Name Unique : event1.Attacker Address, event1.Attacker Zone Resource | Detection of user login from different source in short interval of time | Complex | P2 | |||
99 | 0.2 | UCOSPOUNI006 | Server | Unix | unix_detection_of_user_failed_login_via_ssh | ( MatchesFilter("ENABLE") ) AND Device Process Name Contains sshd [ignore case] AND Device Product = Unix AND Target User Name Is NOT NULL AND ( Name = authentication failure [ignore case] OR Name = failed password [ignore case] ) # of Matches: 5 Time Frame: 2 min Identical : event1.Target User Name, event1.Target Address event1.Target Zone Resource | Detection of user login from different source in short interval of time | Simple | P3 | ||
100 | 0.2 | UCOSPOUNI007 | Server | Unix | unix_detection_of_privileged_user_activity | ( Device Vendor = Unix AND Category Behavior = /Modify/Configuration AND InActiveList("Unix_privileged_user_account") ) # of Matches: 1 Time Frame: 2 min | Detection of privileged user activity | Simple | P3 | |||
101 | 0.2 | UCPRPOF5001 | Proxy | F5 | Admin Login Failure over Internet | Device Vendor = F5 AND Message Contains authentication failure AND ( Destination User Name Contains admin [ignore case] OR Target User Name Contains root [ignore case] OR Target User Name Contains admin [ignore case] OR Destination User Name Contains root [ignore case] ) | Detection of admin account login over internet | Simple | P2 | |||
102 | 0.2 | UCPRPOF5002 | Proxy | F5 | F5 Node Down | event1 : ( Device Vendor = F5 AND ( Name Contains monitor status down OR Name Contains Server state change green to red ) ) | F5 system is going down | Simple | P3 | |||
103 | 0.2 | UCPRPOF5003 | Proxy | F5 | Multiple login attempts observed from same source address | Device Vendor = F5 AND Device Product = Big IP AND ( Name Contains User logins attempts OR Name Contains Login attempts OR Name Contains Failed to login attempts ) | Detection of a high number of login attempts from the same source | Medium | P3 | |||
104 | 0.2 | UCPRPOF5004 | Proxy | F5 | Multiple login attempts observed from same user | Device Product = Big IP AND Device Vendor = F5 AND ( Name Contains User logins attempts OR Name Contains Login attempts OR Name Contains Failed to login attempts ) | Detection of a high number of login attempts from the same user | Medium | P3 | |||
105 | 0.2 | UCAVPOSOP001 | Antivirus | Sophos Anti-Virus | antivirus_machine_infected_with_virus_and_not_cleaned_by_Sophos | Device Product = Sophos Anti-Virus AND ( Name = Security risk found OR Name = Virus found ) AND NotDevice Action In (cleaned up,blocked,acknowledged,No longer present) | Detection of left alone/not cleaned machine from AV | Medium | P2 | |||
106 | 0.2 | UCEMGPDPF001 | Email gateway | Postfix | smtp_possible_spam_attack | ( Customer Name = POL_CDP AND Device Vendor = Postfix AND Device Product = Email Gateway ) # of Matches: 75 Time Frame: 5 min | Detection of spam email sending | Medium | ||||
107 | 0.3 | UCOSPDWIN016 | Server | Windows | Detection of Run registry value change | Device Event Class ID = Microsoft-Windows-Security-Auditing:4657 AND FileName InActiveList(Registry_List) AND Device Product = Microsoft Windows # of Matches: 1 Time Frame: 2 min Pre-requisite : Active list of Run registry keys | Detection of Run registry value change | Medium | P2 | |||
108 | 0.3 | UCOSPDWIN016 | Server | Windows | Windows Security Log Full | Device Event Class ID = Microsoft-Windows-Security-Auditing:1104 AND Device Product = Microsoft Windows # of Matches: 1 Time Frame: 2 min | Windows Security Log Full | Simple | P3 | |||
109 | 0.3 | UCOSPDWIN016 | Server | Windows | Interactive use of Service Account | (Device Event Class ID = Microsoft-Windows-Security-Auditing:4625 OR Device Event Class ID = Microsoft-Windows-Security-Auditing:4624 ) AND Attacker Username StartsWith Srv AND DeviceCustomNumber1 = 2 AND Device Product = Microsoft Windows # of Matches: 1 Time Frame: 2 min | Interactive use of Service Account | Simple | P3 | |||
110 | 0.3 | UCOSPDWIN016 | Server | Windows | Privilege escalation of local Account | Device Event Class ID = Microsoft-Windows-Security-Auditing:4704 AND AttackerDomain != Domain Name AND Device Product = Microsoft Windows # of Matches: 1 Time Frame: 2 min | Privilege escalation of local Account | Medium | P3 | |||
111 | 0.3 | UCOSPDWIN016 | Server | Windows | Multiple password changes in short period | Device Event Class ID = Microsoft-Windows-Security-Auditing:4723 AND Device Product = Microsoft Windows # of Matches: 3 Time Frame: 2 min Identical : Attacker Username | Multiple password changes in short period | Medium | P3 | |||
112 | 0.3 | UCOSPDWIN016 | Server | Windows | User account created and deleted within short duration | JOIN CONDITION: Event1.TargetUsername = Event2.TargetUsername AND Event1.DeviceReceiptTime < Event2.DeviceReceiptTime Event1 : Device Event Class ID = Microsoft-Windows-Security-Auditing:4720 AND Device Product = Microsoft Windows Event2 : Device Event Class ID = Microsoft-Windows-Security-Auditing:4726 AND Device Product = Microsoft Windows # of Matches: 1 Time Frame: 5 min | User account created and deleted within short duration | Medium | P3 | |||
113 | 0.3 | UCOSPDWIN016 | Server | Windows | Detection of Scheduled task from non-service account | Device Event Class ID = Microsoft-Windows-Security-Auditing:4698 AND Attacker Username NotStartsWith Srv AND Device Product = Microsoft Windows # of Matches: 1 Time Frame: 2 min | Detection of Scheduled task from non-service account | Medium | P2 | |||
114 | 0.3 | UCOSPDWIN016 | Server | Windows | Detection of Local user created | Device Event Class ID = Microsoft-Windows-Security-Auditing:4720 AND TargetNTDomain != DomainName AND Device Product = Microsoft Windows # of Matches: 1 Time Frame: 2 min | Detection of Local user created (from non-admin or unauthorized user) - PCI compliance | Simple | P1/P2 | |||
115 | 0.3 | UCOSPDWIN016 | Server | Windows | Login Activity from Expired /Disabled Account | Device Event Class ID = Microsoft-Windows-Security-Auditing:4625 AND (FlexString1 = 0xC0000072 OR FlexString1 = 0xC0000193) AND Device Product = Microsoft Windows # of Matches: 1 Time Frame: 2 min | Login Activity from Expired /Disabled Account | Simple | P2 | |||
116 | 0.3 | UCAVPDSEP005 | AntiVirus | Symantec | Detection of USB device on machine | Name = usb_registry_access AND Device Product = Critical System Protection # of Matches: 1 Time Frame: 2 min | Detection of USB Devices | Simple | P2 | |||
117 | 0.3 | UCAVPDSEP006 | AntiVirus | Symantec | Detection of attempt to stop scan module on machine | na | NA | Simple | P3 | |||
118 | 0.3 | UCAVPDSEP007 | AntiVirus | Symantec | Detection of multiple Infections on same machine | Device Event Class ID = activelist:103 AND Device Custom Number1 >= 3 AND Name = Infected_Machine_List # of Matches: 1 Time Frame: 2 min Identical : Attacker Address Pre-requisite : List of machines infected in the last month | Detection of recurring AV detection on same machine | Complex | P2 | |||
119 | 0.3 | UCAVPDSEP008 | AntiVirus | Symantec | Detection of Uncleaned action from AV | Device Event Category = Failed Remediation Action AND Device Product = Endpoint Protection # of Matches: 1 Time Frame: 2 min | Detection of Uncleaned action from AV | Simple | P2 | |||
120 | 0.3 | UCAVPDSEP009 | AntiVirus | Symantec | Detection of Aborted scan | ( DeviceEventClassID = Scan Aborted OR DeviceEventClassID = Scan Delayed ) AND Device Product = Endpoint Protection # of Matches: 1 Time Frame: 2 min | Detection of Aborted scan | Simple | P3 | |||
121 | 0.3 | UCAVPDSEP010 | AntiVirus | Symantec | Detection of recurring AV detection on same machine | Device Event Class ID = activelist:103 AND Device Custom Number1 >= 2 AND Name = Infected_Machine_FILE_List # of Matches: 1 Time Frame: 2 min Identical : Attacker Address; File Name Pre-requisite : List of infected machines with virus name from the last month | Multiple occurrences of the same file on the same machine | Complex | P3 | |||
122 | 0.3 | UCIPSPDSF003 | Sourcefire Management Console eStreamer | SourceFire | Exploit Activity from IP with Reconnaissance History | Attacker Address InActiveList( Reconnaissance List ) AND Device Vendor = SourceFire # of Matches: 1 Time Frame: 2 min Pre-requisite : Reconnaissance List with TTL = 14 days | Exploit Activity from IP with Reconnaissance History | Complex | P2 | |||
123 | 0.3 | UCIPSPDSF003 | Sourcefire Management Console eStreamer | SourceFire | Detection of P2P or other non-business application | DeviceCustomNumber1 = SNORTID AND Device Vendor = SourceFire # of Matches: 1 Time Frame: 2 min Individual Snort IDs would be added | Detection of P2P or other non-business application | Simple | P3 | |||
124 | 0.3 | UCIPSPDSF003 | Sourcefire Management Console eStreamer | SourceFire | Detection of Virus/Worm Alert | ( Device Event Category = trojan-activity OR Device Event Category = suspicious-filename-detect ) AND Device Vendor = SourceFire # of Matches: 1 Time Frame: 2 min | Detection of Virus/Worm Alert | Simple | P2 | |||
125 | 0.3 | UCIPSPDSF003 | Sourcefire Management Console eStreamer | SourceFire | Detection of layer 7 DDoS/DoS | ( Device Event Category = denial-of-service OR Device Event Category = attempted-dos ) AND Device Vendor = SourceFire # of Matches: 1 Time Frame: 2 min Individual Snort IDs would be added | Detection of layer 7 DDoS/DoS | Medium | P2 | X | ||
126 | 0.3 | UCIPSPDSF003 | Sourcefire Management Console eStreamer | SourceFire | Detection of Anomalous traffic | na | na | Medium | P3 | |||
127 | 0.3 | UCIPSPDSF003 | Sourcefire Management Console eStreamer | SourceFire | Detection of new/specific Vulnerability | Device Event Category = NEWSNORTID AND Device Vendor = SourceFire # of Matches: 1 Time Frame: 2 min Pre-requisite : Snort ID of the new vulnerability | Detection of new/specific Vulnerability | Medium | P2 | |||
128 | 0.3 | UCFWPDCI022 | Firewall | Cisco ASA | Detection of DDOS attack | " Name= Possible DOS attack AND Type = Correlation # of Matches: 3 Time Frame: 1min " Identical : Target Address ; Distinct : Source address | Detection of DDOS attack (Layer 3 DDOS) | Complex | P2 | X | ||
129 | 0.3 | UCFWPDCI023 | Firewall | Cisco ASA | Possible DOS attack | " Device Product = ASA AND Category Outcome = /Success # of Matches: 999 Time Frame: 15sec " Identical : Attacker Address; Target Address | Possible DOS attack (Child rule for Detection of DDOS attack & DOS attack ) | Complex | P2 | x | ||
130 | 0.3 | UCFWPDCI024 | Firewall | Cisco ASA | Detection of DOS attack | " Name= Possible DOS attack AND Type = Correlation # of Matches: 3 Time Frame: 1min " Identical : Target Address ; Source address | Detection of DOS attack | Complex | P3 | x | ||
131 | 0.3 | UCFWPDCI025 | Firewall | Cisco ASA | Detection of Spike in traffic | " Name = Moving Average Monitor AND Device Event ID = datamonitor:103 AND Device Custom Number1 >= 50 % # of Matches: 1 Time Frame: 2min " Pre-requisite : Moving Average Monitor with a filter on Firewall events of the last hour | Detection of Spike in traffic | Medium | P3 | |||
132 | 0.3 | UCFWPDCI026 | Firewall | Cisco ASA | Outbound Traffic from Server to Internet | " Device Product = ASA AND Category Outcome = /Failure AND Attacker Address INSUBNET 10.0.0.0/8 AND (Target Address NOTINSUBNET 10.0.0.0/8 OR Target Address NOTINSUBNET 172.16.0.0/12 OR Target Address NOTINSUBNET 192.168.0.0/16) # of Matches: 1 Time Frame: 1 min " Identical : Attacker Address; | Outbound Traffic from Server to Internet - Denied outbound traffic | Medium | P2 | |||
133 | 0.3 | UCFWPDCI027 | Firewall | Cisco ASA | Excessive Firewall Denies (Internal reconnaissance) | " Device Product = ASA AND Category Outcome = /Failure AND Attacker Address INSUBNET 10.0.0.0/8 AND (Target Address INSUBNET 10.0.0.0/8 OR Target Address INSUBNET 172.16.0.0/12 OR Target Address INSUBNET 192.168.0.0/16) # of Matches: 20 Time Frame: 1 min " Identical : Attacker Address; Distinct : Target Address | Excessive Firewall Denies (Internal reconnaissance) | Medium | P2 | |||
134 | 0.3 | UCPRPOBLC001 | Proxy | BlueCoat | Connection to Malicious URLs | " Device Product = Proxy SG AND ( Device Custom String 4 = Malicious Sources/Malnets OR Device Custom String 4 = Suspicious ) # of Matches: 1 Time Frame: 2 min " | Connection to Malicious URLs | Medium | P2 | |||
135 | 0.3 | UCPRPOBLC002 | Proxy | BlueCoat | Detection to Proxy Avoidance URLs | " Device Product = Proxy SG AND Device Custom String 4 = Proxy Avoidance # of Matches: 1 Time Frame: 2 min " | Detection to Proxy Avoidance URLs | Medium | P3 | |||
136 | 0.3 | UCPRPOBLC003 | Proxy | BlueCoat | Access to Phishing URLs | " Device Product = Proxy SG AND Device Custom String 4 = Phishing # of Matches: 1 Time Frame: 2 min " | Access to Phishing URLs | Medium | P3 | |||
137 | 0.3 | UCPRPOBLC004 | Proxy | BlueCoat | Access to File Storage URLs | " Device Product = Proxy SG AND Device Custom String 4 = File Storage/Sharing # of Matches: 1 Time Frame: 2 min " | Access to File Storage URLs | Medium | P3 | |||
138 | 0.3 | UCPRPOBLC005 | Proxy | BlueCoat | Detection of access to Uncategorized Site | " Device Product = Proxy SG AND Device Custom String 4 = Uncategorized AND ( Request Method = Get OR Request Method = Post ) # of Matches: 1 Time Frame: 2 min " | Detection of access to Uncategorized Site | Medium | P3 | |||
139 | 0.3 | UCPRPOBLC006 | Proxy | BlueCoat | Detection of BOTNET traffic | " Device Product = Proxy SG AND Device Custom String 4 = Malicious Outbound Data/Botnets # of Matches: 1 Time Frame: 2 min " | Detection of BOTNET traffic | Medium | P2 | |||
140 | 0.3 | UCPRPOBLC007 | Proxy | BlueCoat | Detection of Dynamic DNS traffic | " Device Product = Proxy SG AND Device Custom String 4 = Dynamic DNS Host # of Matches: 1 Time Frame: 2 min " | Detection of Dynamic DNS traffic | Medium | P3 | |||
141 | 0.3 | UCCMPRWBS001 | Websense Content monitoring | Websense | Policy Violation | Log Source group contains Websense Event QID contains 51500002 Event Count : 5 events in 15 minutes | Users who most frequently violate the organization's internet policy | Simple | P3 | |||
142 | 0.3 | UCCMPRWBS002 | Websense Content monitoring | Websense | Spyware Monitoring | Log Source group contains Web sense Payload Contains Threshold exceeded for Permitted Category - Spyware Event Count : 5 events in 15 minutes | Possible infection of spyware in organisation | Medium | P3 | |||
143 | 0.3 | UCCMPRWBS003 | Websense Content monitoring | Websense | Possible Data Leakage | Log Source group contains Web sense Payload Contains Threshold exceeded for Permitted Category - Personal Network Storage and Backup Event Count : 5 events in 15 minutes | Detection of Data Leakage in the network | Medium | P3 | |||
144 | 0.3 | UCFMPRVER001 | File Integrity Monitoring | Verdasys | Sensitive File Deletion | Name = File Delete AND Device Product = Digital Guardian AND Attacker Host Name != NULL # of Matches : 2 Time Frame: 1 min | Detection of Data Leakage in the network | Medium | P3 | |||
145 | 0.3 | UCFMPRVER002 | File Integrity Monitoring | Verdasys | Information Gathering - Print Screen | Name = ADE Print Screen AND Device Product = Digital Guardian AND Attacker Host Name != NULL # of Matches : 2 Time Frame: 1 min | Detection of Data Leakage in the network | Medium | P3 | |||
146 | 0.3 | UCFWPRACS001 | CISCO ACS | Failed Authentication on CISCO ACS | Device Product = "Cisco Secure ACS" AND Name = "Authentication failed" Matches = 3 in Time= 2min | Detection of failed login attempts | Simple | P3 | ||||
147 | 0.3 | UCFWPRACS002 | CISCO ACS | Interface is down | Device Product = "Cisco Secure ACS" AND Name = "Changed state to administratively down" Matches = 1 in Time= 2min | Detection of Interface down | Simple | P3 | ||||
148 | 0.3 | UCFWPRACS003 | CISCO ACS | System failure with fatal error | Device Product = "Cisco Secure ACS" AND Name = "system experienced fatal error" Matches = 1 in Time= 2min | Detection of System failure due to fatal error | Simple | P3 | ||||
157 | 0.4 | UCOFPRAD001 | Office 365 | Azure Active Directory | Suspicious login attempt from non-business location | event1 : ( Device Product = Azure Active Directory AND Name = PasswordLogonInitialAuthUsingPassword AND Attacker Geo Country Name != Non-Business Location AND Type != Correlation ) 1 match in 1 min | login from untrusted locations | Simple | P3 | X | ||
158 | 0.4 | UCOFPRAD002 | Office 365 | Azure Active Directory | Login activity for same account from different geographic locations within short time | event1 : ( Device Product = Azure Active Directory AND Name = PasswordLogonInitialAuthUsingPassword AND Attacker User ID InActiveList("Login Tracking") AND Attacker Geo Country Name NotInActiveList("Login Tracking") AND Type != Correlation ) 1 match in 1 min | Tracking login attempts from two locations in a time period that implies impossible travel | Medium | P3 | X | ||
159 | 0.4 | UCOFPRSP001 | Office 365 | SharePoint Online | Possible modification to Sensitive file/folder | event1 : ( Device Product = SharePoint Online AND Type != Correlation AND File Path = "Path to Sensitive File" AND ( Name = FileCopied OR Name = FileDeleted OR Name = FileModified ) ) 1 match in 1 min | Deletion/Modification of Confidential File | Simple | P3 | |||
160 | 0.4 | UCOFPRSP002 | Office 365 | SharePoint Online | Multiple Files Deletion within short span | event1 : ( Device Product = SharePoint Online AND Type != Correlation AND Name = FileDeleted ) 5 matches in 2 min | Multiple Files Deletion within short span | Simple | P3 | |||