SL No | Alert Source | Alert Name | Description | ArcSight Condition | Aggregation | Filter | Day 1 |
1 | Proxy | Bluecoat Configuration change | This rule triggers on a configuration change on the Blue Coat proxy. Verify what was changed, that the change had proper approval, and that it was carried out within the approved change window. | event1 : ( Device Vendor = Blue Coat AND Name StartsWith Config admin AND Device Severity = CONFIGURATION_EVENT ) | Aggregate if at least 1 matching conditions are found within 1 Minutes | NA | |
2 | IPS | IPS High Severity Signature | This rule triggers when a high-severity signature fires on the Cisco IPS. Verify the signature for false positives and check the legitimacy of the source of the traffic to confirm whether an attack is in progress. | event1 : ( MatchesFilter("Cisco IPS") AND Device Severity = high ) | Aggregate if at least 1 matching conditions are found within 2 Minutes | event1 : ( Device Vendor = CISCO AND Device Product = Cisco Intrusion Prevention System ) | |
3 | IPS | rapid SSH connection from the same source to the same destination | This rule triggers when the IPS signature "Multiple Rapid SSH Connections" (event class ID 3653) reports successful rapid SSH connections from the same source to the same destination; the rule aggregates five such signature events from the same attacker address within 2 minutes. | event1 : ( Device Vendor = CISCO AND Device Product = Cisco Intrusion Prevention System AND Name Contains Multiple Rapid SSH Connections AND Category Outcome Contains Success AND Device Event Class ID = 3653 ) | Aggregate if at least 5 matching conditions are found within 2 Minutes AND these event fields are the same (event1.Attacker Zone Resource, event1.Attacker Address) | NA | |
4 | Correlated | FW Allowed Traffic from Suspected Attacker | This rule triggers when a source address is permitted through the firewall while the IPS raises a high-severity alert for the same source address within 30 seconds. Correlating the two identifies traffic that reached the inside despite being flagged by the IPS. | Matching Event: IPSALERT.Source Address = FWEVENT.Source Address IPSALERT : ( MatchesFilter("IPS Alerts") AND Device Severity = high ) FWEVENT : MatchesFilter("ASA Permitted Events") | Aggregate if at least 1 matching conditions are found within 30 Seconds AND these event fields are unique (IPSALERT.Source Address, IPSALERT.Source Zone Resource) | event1 : ( Device Event Category = evAlert AND Device Product = Cisco Intrusion Prevention System ) event1 : ( MatchesFilter("Firewall Events") AND ( Device Event Class ID = 302020 OR Device Event Class ID = 710002 OR Device Event Class ID = 303002 OR Device Event Class ID = 302015 OR Device Event Class ID = 302003 OR Device Event Class ID = 302013 ) ) | |
5 | Tuning | High Number of Denied traffic from same source | This alert triggers when a high volume of denied traffic is observed from the same external source address on the ASA firewall (RFC 1918 sources are excluded by the condition). The threshold of 999 events in 5 seconds is a tuning value; adjust it to the environment's baseline. | event1 : ( Source Address NOT InSubnet 10.0.0.0/8 AND Source Address NOT InSubnet 192.168.0.0/16 AND Source Address NOT Between (172.16.0.0,172.31.255.255) AND MatchesFilter("Firewall Deny Events") ) | Aggregate if at least 999 matching conditions are found within 5 Seconds AND these event fields are the same (event1.Source Address, event1.Source Zone Resource) | event1 : ( MatchesFilter("Firewall Events") AND ( Device Event Class ID = traffic:0 OR Device Event Class ID = 313001 OR Device Event Class ID = 106015 OR Device Event Class ID = 710005 OR Device Event Class ID = 305005 OR Device Event Class ID = 106001 OR Device Event Class ID = 106023 OR Device Event Class ID = 106007 OR Device Event Class ID = 110001 OR Device Event Class ID = 710003 OR Device Event Class ID = 106014 OR Device Event Class ID = 106006 OR Device Event Class ID = 106021 OR Device Event Class ID = 710006 OR Device Event Class ID = 419001 ) ) | |
6 | Correlated | Host Scanning Detected | A host scan is a port scan that targets the same port on many hosts; the source is usually aware of a particular vulnerability and is looking for machines that expose it. The rule fires when one source address reaches 80 or more distinct destination addresses through the firewall within 1 minute. | event1 : MatchesFilter("Firewall Allow Events") | Aggregate if at least 80 matching conditions are found within 1 Minutes AND these event fields are unique (event1.Destination Address, event1.Destination Zone Resource) AND these event fields are the same (event1.Source Address, event1.Source Zone Resource) | event1 : ( MatchesFilter("Firewall Events") AND ( Device Event Class ID = 302020 OR Device Event Class ID = 710002 OR Device Event Class ID = 303002 OR Device Event Class ID = 302015 OR Device Event Class ID = 302003 OR Device Event Class ID = 302013 ) ) | |
7 | Correlated | IPS Allowed Traffic from Suspected Attacker | This rule triggers when a source address is permitted by the IPS but denied by the firewall within 5 seconds. | Matching Event: IPSALERT.Source Address = FWEVENT.Source Address IPSALERT : ( MatchesFilter("IPS Alerts") AND Device Action = Permitted ) FWEVENT : MatchesFilter("Firewall Deny Events") | Aggregate if at least 1 matching conditions are found within 5 Seconds AND these event fields are unique (IPSALERT.Source Address, IPSALERT.Source Zone Resource) | event1 : ( Device Event Category = evAlert AND Device Product = Cisco Intrusion Prevention System ) event1 : ( MatchesFilter("Firewall Events") AND ( Device Event Class ID = traffic:0 OR Device Event Class ID = 313001 OR Device Event Class ID = 106015 OR Device Event Class ID = 710005 OR Device Event Class ID = 305005 OR Device Event Class ID = 106001 OR Device Event Class ID = 106023 OR Device Event Class ID = 106007 OR Device Event Class ID = 110001 OR Device Event Class ID = 710003 OR Device Event Class ID = 106014 OR Device Event Class ID = 106006 OR Device Event Class ID = 106021 OR Device Event Class ID = 710006 OR Device Event Class ID = 419001 ) ) | |
8 | Correlated | Port Scanning Detected | This rule triggers when an attacker scans multiple ports on a host looking for open, vulnerable services: 50 or more distinct destination ports from the same source to the same destination within 1 minute. | event1 : ( MatchesFilter("Firewall Events") AND ( Device Event Class ID = 302020 OR Device Event Class ID = 710002 OR Device Event Class ID = 303002 OR Device Event Class ID = 302015 OR Device Event Class ID = 302003 OR Device Event Class ID = 302013 ) ) | Aggregate if at least 50 matching conditions are found within 1 Minutes AND these event fields are unique (event1.Destination Port) AND these event fields are the same (event1.Destination Address, event1.Destination Zone Resource, event1.Source Address, event1.Source Zone Resource) | event1 : Device Product = ASA | |
9 | Tuning | Probable DDOS Attack detected | This rule triggers when multiple source addresses flood the bandwidth or resources of a targeted system. Such an attack is often the result of many compromised systems (for example a botnet) flooding the target with unwanted traffic. The rule fires when 80 or more distinct sources hit the same destination address and port within 1 minute. | event1 : ( MatchesFilter("Firewall Events") AND ( Device Event Class ID = 302020 OR Device Event Class ID = 710002 OR Device Event Class ID = 303002 OR Device Event Class ID = 302015 OR Device Event Class ID = 302003 OR Device Event Class ID = 302013 ) ) | Aggregate if at least 80 matching conditions are found within 1 Minutes AND these event fields are unique (event1.Source Address, event1.Source Zone Resource) AND these event fields are the same (event1.Destination Address, event1.Destination Zone Resource, event1.Destination Port) | event1 : Device Product = ASA | |
10 | Correlated | Probable DOS Attack detected | This rule triggers when a large number of connection attempts are observed from the same source to the same destination address and port (80 or more within 1 minute). A single busy legitimate client, such as a load balancer or monitoring host, can also match; exclude such sources in the filter. | event1 : ( MatchesFilter("Firewall Events") AND ( Device Event Class ID = 302020 OR Device Event Class ID = 710002 OR Device Event Class ID = 303002 OR Device Event Class ID = 302015 OR Device Event Class ID = 302003 OR Device Event Class ID = 302013 ) ) | Aggregate if at least 80 matching conditions are found within 1 Minutes AND these event fields are the same (event1.Destination Address, event1.Destination Zone Resource, event1.Source Address, event1.Source Zone Resource, event1.Destination Port) | event1 : Device Product = ASA | |
11 | Correlated | Public Systems reaching internal systems | |||||
12 | Correlated | Successful login after repeated failed logins | This rule triggers when multiple failed logins for a non-administrator account are followed by a successful login for the same account within 2 minutes, which may indicate a successful brute-force attack. Verify the source user and its legitimacy. | Matching Event: event1.Destination User Name = Login.Destination User Name event1 : ( Name = Windows - Brute Force Attempt AND Type = Correlation ) Login : MatchesFilter("Windows - Successful Logins (Non Admin)") | Aggregate if at least 1 matching conditions are found within 2 Minutes AND these event fields are the same (event1.Destination User Name) | event1 : ( NotInActiveList("Windows - Administrators") AND Device Product = Microsoft Windows AND Device Vendor = Microsoft AND ( Device Event Class ID = Security:528 OR Device Event Class ID = Microsoft-Windows-Security-Auditing:4624 OR Device Event Class ID = Security:540 ) AND Source User Name Is NOT NULL AND Source User Name != - ) | |
13 | Correlated | Traffic from Suspicious Country Detected | This rule triggers when traffic is observed from a suspicious country (e.g. China, Syria) or from a country with no relevance to the business; the country list is maintained in the "Suspicious Countries" active list. | event1 : ( InActiveList("Suspicious Countries") AND ( MatchesFilter("Firewall Allow Events") OR ( MatchesFilter("IPS Alerts") AND Device Action = Permitted ) ) ) | Aggregate if at least 1 matching conditions are found within 5 Minutes AND these event fields are unique (event1.Source Address, event1.Source Zone Resource) | Active List "Suspicious Countries" event1 : ( MatchesFilter("Firewall Events") AND ( Device Event Class ID = 302020 OR Device Event Class ID = 710002 OR Device Event Class ID = 303002 OR Device Event Class ID = 302015 OR Device Event Class ID = 302003 OR Device Event Class ID = 302013 ) ) event1 : ( Device Event Category = evAlert AND Device Product = Cisco Intrusion Prevention System ) | |
14 | DB | Brute Force Login Attempt | This rule triggers when a source user fails to log in to a database multiple times. Check the authorization and legitimacy of the source user. Note that the aggregation as written requires unique Destination User Names, so five failures spread across five different accounts within a minute fire the rule (password spraying); to catch repeated failures against one account, aggregate on the same Destination User Name instead. | event1 : ( Category Behavior = /Authentication/Verify AND Category Object = /Host/Application/Database AND Category Outcome = /Failure ) | Aggregate if at least 5 matching conditions are found within 1 Minutes AND these event fields are unique (event1.Destination User Name) | NA | |
15 | DB | DB - Commands Executed on the Critical Tables | This rule triggers when a user executes one of the listed DDL/DCL commands (DROP, REVOKE, GRANT, AUDIT, TRUNCATE, CREATE, ALTER, EXECUTE) against a secured, important or critical table. The condition shown is the same as rule 16; the restriction to tables in the "Critical Tables" active list is applied by the filter. | event1 : ( ( Name Contains DROP [ignore case] OR Name Contains REVOKE [ignore case] OR Name Contains GRANT [ignore case] OR Name Contains AUDIT [ignore case] OR Name Contains TRUNCATE [ignore case] OR Name Contains CREATE [ignore case] OR Name Contains ALTER [ignore case] OR Name Contains EXECUTE [ignore case] ) AND ( Device Product = Oracle OR Device Product = SQL Server ) ) | Aggregate if at least 1 matching conditions are found within 10 Seconds | Active List "Critical Tables" | |
16 | DB | DB - Critical Commands executed on DB | This rule triggers when any critical command (e.g. ALTER, DROP) is executed on an Oracle or SQL Server database. Verify the source user and its legitimacy. | event1 : ( ( Name Contains DROP [ignore case] OR Name Contains REVOKE [ignore case] OR Name Contains GRANT [ignore case] OR Name Contains AUDIT [ignore case] OR Name Contains TRUNCATE [ignore case] OR Name Contains CREATE [ignore case] OR Name Contains ALTER [ignore case] OR Name Contains EXECUTE [ignore case] ) AND ( Device Product = Oracle OR Device Product = SQL Server ) ) | Aggregate if at least 1 matching conditions are found within 10 Seconds | NA | |
17 | DB | DB - Multiple Failed Logins followed by Successful Login | The rule name and description refer to multiple failed logins followed by a successful login, which may indicate a successful brute-force attack; verify the source user and its legitimacy. The condition as recorded, however, fires on a critical DB command executed outside the 14:00-23:00 window rather than on a failed/successful login sequence, so the condition and the rule name must be reconciled before deployment. | event1 : ( Nottime Between (14,23) AND MatchesFilter("Critical Commands Executed on DB") ) | Aggregate if at least 1 matching conditions are found within 10 Seconds | event1 : ( ( Name Contains DROP [ignore case] OR Name Contains REVOKE [ignore case] OR Name Contains GRANT [ignore case] OR Name Contains AUDIT [ignore case] OR Name Contains TRUNCATE [ignore case] OR Name Contains CREATE [ignore case] OR Name Contains ALTER [ignore case] OR Name Contains EXECUTE [ignore case] ) AND ( Device Product = Oracle OR Device Product = SQL Server ) ) | |
18 | DB | DB - User Created | This rule triggers when a user is created on a SQL Server database. | event1 : ( Name Contains add DB user [ignore case] AND Device Product = SQL Server ) | Aggregate if at least 1 matching conditions are found within 10 Seconds | NA | |
19 | Firewall | Cisco - ASA Reboot-Startup | This rule triggers when a Cisco ASA restarts or reboots. Check the command that was executed and the legitimacy of the source user. | event1 : ( ( Device Event Class ID = 199001 OR Device Event Class ID = 199005 OR Device Event Class ID = 199002 OR Device Event Class ID = 199006 OR Device Event Class ID = 199007 OR Device Event Class ID = 199009 ) AND MatchesFilter("Firewall Events") ) | Aggregate if at least 1 matching conditions are found within 10 Seconds | event1 : Device Product = ASA | |
20 | Firewall | Cisco - Firewall failed to allocate RAM Memory | This rule triggers when a Cisco ASA fails to allocate system RAM (message 211001). | event1 : ( Device Event Class ID = 211001 AND MatchesFilter("Firewall Events") ) | Aggregate if at least 1 matching conditions are found within 10 Seconds | event1 : Device Product = ASA | |
21 | Firewall | Cisco - High Cpu Utilisation | This rule triggers when the Cisco ASA reports sustained high CPU utilization (message 211003, which reports the CPU percentage measured over a number of seconds). | event1 : ( Device Event Class ID = 211003 AND MatchesFilter("Firewall Events") ) | Aggregate if at least 1 matching conditions are found within 10 Seconds | event1 : Device Product = ASA | |
22 | Firewall | Cisco - Login Failure using SSH or Telnet | This rule triggers on an incorrect or failed login to the security appliance (message 605004). Three attempts are allowed per session, after which the session is terminated. For SSH and Telnet logins the message is generated after the third failed attempt, or when the TCP session is terminated after one or more failed attempts. | event1 : ( Device Event Class ID = 605004 AND MatchesFilter("Firewall Events") ) | Aggregate if at least 1 matching conditions are found within 10 Seconds | event1 : Device Product = ASA | |
23 | UNIX | UNIX - Brute Force Attempt | This rule triggers when a source user fails to log in to a Unix host multiple times (five failures for the same target user within 1 minute). Check the authorization and legitimacy of the source. | event1 : ( Device Product = Unix AND Category Behavior = /Authentication/Verify AND Category Outcome = /Failure AND Category Device Group = /Operating System AND Target User Name Is NOT NULL ) | Aggregate if at least 5 matching conditions are found within 1 Minutes AND these event fields are the same (event1.Destination User Name) | NA | |
24 | UNIX | UNIX - Successful Login after multiple failed Logins | This rule triggers when multiple failed logins are followed by a successful login for the same account, which may indicate a successful brute-force attack; the match condition requires the brute-force correlation event to end before the successful login. Verify the source user and its legitimacy. | Matching Event: ( event1.Destination User Name = Login.Destination User Name AND event1.End Time < Login.End Time ) event1 : ( Name = UNIX - Brute Force Attempt AND Type = Correlation ) Login : MatchesFilter("Successful Login") | Aggregate if at least 1 matching conditions are found within 10 Seconds AND these event fields are the same (event1.Destination User Name) | event1 : ( Category Device Group = /Operating System AND Category Behavior = /Authentication/Verify AND Category Outcome = /Success AND Device Vendor = Unix AND Target User Name Is NOT NULL ) | |
25 | UNIX | UNIX - Syslog Restart | This rule triggers when the syslogd process is restarted on a Unix server. A restart outside a maintenance window interrupts log delivery and should be verified. | event1 : ( Name Contains restart [ignore case] AND Device Process Name = syslogd [ignore case] AND Device Product = unix [ignore case] ) | Aggregate if at least 1 matching conditions are found within 10 Seconds | NA | |
26 | Windows | A directory service object was created | This rule triggers on creation of an AD object (event 5137). Identify the object created and the user who created it. | event1 : ( Device Product = Microsoft Windows AND Device Vendor = Microsoft AND Device Event Class ID = Microsoft-Windows-Security-Auditing:5137 ) | Aggregate if at least 1 matching conditions are found within 2 Minutes | NA | |
27 | Windows | A directory service object was deleted | This rule triggers on deletion of an AD object (event 5141). Identify the object deleted and the user who deleted it. | event1 : ( Device Product = Microsoft Windows AND Device Vendor = Microsoft AND Device Event Class ID = Microsoft-Windows-Security-Auditing:5141 ) | Aggregate if at least 1 matching conditions are found within 2 Minutes | NA | |
28 | Windows | A directory service object was modified | This rule triggers on modification of an AD object (event 5136). The event identifies the object, the user, the attribute modified, the new value of the attribute where applicable, and the operation performed. | event1 : ( Device Vendor = Microsoft AND Device Product = Microsoft Windows AND Device Event Class ID = Microsoft-Windows-Security-Auditing:5136 ) | Aggregate if at least 1 matching conditions are found within 10 Seconds | NA | |
29 | Windows | A directory service object was moved | This rule triggers when an AD object is moved from one OU to another (event 5139). The event identifies the object moved, the user who moved it, and its old and new locations. | event1 : ( Device Product = Microsoft Windows AND Device Vendor = Microsoft AND Device Event Class ID = Microsoft-Windows-Security-Auditing:5139 ) | Aggregate if at least 1 matching conditions are found within 2 Minutes | NA | |
30 | Windows | A directory service object was undeleted | This rule triggers when a directory service object is undeleted (event 5138). | event1 : ( Device Product = Microsoft Windows AND Device Vendor = Microsoft AND Device Event Class ID = Microsoft-Windows-Security-Auditing:5138 ) | Aggregate if at least 1 matching conditions are found within 2 Minutes | NA | |
31 | Windows | High Number of failed logins from the same source | This rule captures failed logins on Windows devices aggregated by source address and host name (five or more within 1 minute). The event details could indicate a brute-force attack; investigate the root cause of the failed logins and validate them. | event1 : ( Source User Name != SYSTEM AND Device Product = Microsoft Windows AND Device Vendor = Microsoft AND ( Device Event Class ID = Security:529 OR Device Event Class ID = Security:530 OR Device Event Class ID = Security:531 OR Device Event Class ID = Security:532 OR Device Event Class ID = Security:533 OR Device Event Class ID = Security:534 OR Device Event Class ID = Security:535 OR Device Event Class ID = Security:536 OR Device Event Class ID = Security:537 OR Device Event Class ID = Security:539 OR Device Event Class ID = Security:681 OR Device Event Class ID = Microsoft-Windows-Security-Auditing:4625 ) AND Source User Name != SYSTEM AND Source User Name != - ) | Aggregate if at least 5 matching conditions are found within 1 Minutes AND these event fields are the same (event1.Source Address, event1.Source Host Name, event1.Source Zone Resource) | NA | |
32 | Windows | High Number of failed logins from the same user | This rule captures failed logins on Windows devices aggregated by source user (five or more within 2 minutes). The event details could indicate a brute-force attack; investigate the root cause of the failed logins and validate them. | event1 : ( Source User Name != SYSTEM AND Device Product = Microsoft Windows AND Device Vendor = Microsoft AND ( Device Event Class ID = Security:529 OR Device Event Class ID = Security:530 OR Device Event Class ID = Security:531 OR Device Event Class ID = Security:532 OR Device Event Class ID = Security:533 OR Device Event Class ID = Security:534 OR Device Event Class ID = Security:535 OR Device Event Class ID = Security:536 OR Device Event Class ID = Security:537 OR Device Event Class ID = Security:539 OR Device Event Class ID = Security:681 OR Device Event Class ID = Microsoft-Windows-Security-Auditing:4625 ) AND Source User Name != SYSTEM AND Source User Name != - ) | Aggregate if at least 5 matching conditions are found within 2 Minutes AND these event fields are the same (event1.Source User Name) | NA | |
33 | Windows | Lockout Policy Changed | This rule triggers when the computer's Security Settings\Account Policy or Account Lockout Policy is modified, either via Local Security Policy or via Group Policy in Active Directory (event 643 / 4739 with a "Lockout Policy" message). | event1 : ( MatchesFilter("Windows Events") AND ( Device Event Class ID = Security:643 [ignore case] OR Device Event Class ID = Microsoft-Windows-Security-Auditing:4739 [ignore case] ) AND Message StartsWith Lockout Policy AND Type = Base AND Category Outcome = /Success ) | Aggregate if at least 1 matching conditions are found within 1 Seconds AND these event fields are the same (event1.Attacker_User, event1.Device Custom String6, event1.Target_HostName, event1.Target_NTDomain, event1.Target Nt Domain, event1.Name, event1.Target Zone Resource, event1.Attacker_NTDomain, event1.Target Host Name) | event1 : Device Product = Microsoft Windows | |
34 | Windows | Login attempts with same account from different source | This rule triggers when failed login attempts for the same account against the same destination arrive from two different source addresses within 10 seconds. | Matching Event: ( Login1.Source Address != Login2.Source Address AND Login1.Destination Address = Login2.Destination Address AND Login1.Destination User Name = Login2.Destination User Name ) Login1 : MatchesFilter("Windows - Failed Logins") Login2 : MatchesFilter("Windows - Failed Logins") | Aggregate if at least 1 matching conditions are found within 10 Seconds AND these event fields are unique (Login1.Destination User Name) | event1 : ( Source User Name != SYSTEM AND Device Product = Microsoft Windows AND Device Vendor = Microsoft AND ( Device Event Class ID = Security:529 OR Device Event Class ID = Security:530 OR Device Event Class ID = Security:531 OR Device Event Class ID = Security:532 OR Device Event Class ID = Security:533 OR Device Event Class ID = Security:534 OR Device Event Class ID = Security:535 OR Device Event Class ID = Security:536 OR Device Event Class ID = Security:537 OR Device Event Class ID = Security:539 OR Device Event Class ID = Security:681 OR Device Event Class ID = Microsoft-Windows-Security-Auditing:4625 ) AND Source User Name != SYSTEM AND Source User Name != - ) | |
35 | Windows | Password Policy Changed | This rule triggers when the computer's Security Settings\Account Policy password policy is modified, either via Local Security Policy or via Group Policy in Active Directory (event 643 / 4739 with a "Password Policy" message). | event1 : ( MatchesFilter("Windows Events") AND ( Device Event Class ID = Security:643 [ignore case] OR Device Event Class ID = Microsoft-Windows-Security-Auditing:4739 [ignore case] ) AND Message StartsWith Password Policy AND Type = Base AND Category Outcome = /Success ) | Aggregate if at least 1 matching conditions are found within 1 Seconds AND these event fields are the same (event1.Attacker_User, event1.Device Custom String6, event1.Target_HostName, event1.Target_NTDomain, event1.Target Nt Domain, event1.Name, event1.Target Zone Resource, event1.Attacker_NTDomain, event1.Target Host Name) | event1 : Device Product = Microsoft Windows | |
36 | Windows | Suspicious Activity - Windows User Account was created and deleted within 1 Hr | This rule triggers when a Windows user account is created and then deleted within 1 hour: the creation is tracked in the active list and the condition matches the deletion (event 630 / 4726). Verify the activity performed by the account while it existed and the source user who created and deleted it. | event1 : ( Device Product = Microsoft Windows AND Device Vendor = Microsoft AND ( Device Event Class ID = Security:630 OR Device Event Class ID Contains 4726 ) ) | Aggregate if at least 1 matching conditions are found within 10 Seconds AND these event fields are the same (event1.Destination User Name) | Active List "Account Created & Deleted within 1 Hour" | |
37 | Windows | Windows - Admin Login Failure | This rule triggers on a failed logon by an account in the "Windows - Administrators" active list, regardless of logon type, user location or account type. Check that the 4625 Device Event Class ID matches the connector's form: elsewhere in this table it is written as Microsoft-Windows-Security-Auditing:4625, and Security:4625 may not match. | event1 : ( Device Product = Microsoft Windows AND ( Device Event Class ID = Security:529 OR Device Event Class ID = Security:4625 ) AND InActiveList("Windows - Administrators") ) | Aggregate if at least 1 matching conditions are found within 10 Seconds | Active List "Windows - Administrators" | |
38 | Windows | Windows - Audit Log Cleared | This rule triggers when the security audit log is cleared (legacy event 517; on newer Windows versions event 1102, which this condition matches only through its Name text). Clearing the audit log is a common anti-forensic step and should be treated as high priority. | event1 : ( Device Vendor = Microsoft AND ( Device Event Class ID = Security:517 OR Name Contains The audit log was cleared ) ) | Aggregate if at least 1 matching conditions are found within 10 Seconds | NA | |
39 | Windows | Windows - Audit Policy change | This rule triggers when the system's audit policy is modified (event 612 / 4719). | event1 : ( Device Product = Microsoft Windows AND ( Device Event Class ID = Security:612 OR Device Event Class ID Contains 4719 ) ) | Aggregate if at least 1 matching conditions are found within 10 Seconds | NA | |
40 | Windows | Windows - Brute Force Attempt | This rule triggers when a source user fails to log in to a device multiple times (five failures for the same target user within 2 minutes); machine accounts (names ending in $) are excluded. Check the authorization and legitimacy. | event1 : ( MatchesFilter("Windows - Failed Logins") AND NOT Destination User Name EndsWith $ ) | Aggregate if at least 5 matching conditions are found within 2 Minutes AND these event fields are the same (event1.Destination User Name) | event1 : ( Source User Name != SYSTEM AND Device Product = Microsoft Windows AND Device Vendor = Microsoft AND ( Device Event Class ID = Security:529 OR Device Event Class ID = Security:530 OR Device Event Class ID = Security:531 OR Device Event Class ID = Security:532 OR Device Event Class ID = Security:533 OR Device Event Class ID = Security:534 OR Device Event Class ID = Security:535 OR Device Event Class ID = Security:536 OR Device Event Class ID = Security:537 OR Device Event Class ID = Security:539 OR Device Event Class ID = Security:681 OR Device Event Class ID = Microsoft-Windows-Security-Auditing:4625 ) AND Source User Name != SYSTEM AND Source User Name != - ) | |
41 | Windows | Windows - Login Failure with unauthorized user | This rule triggers on legacy event 533, a logon failure because the user is not allowed to log on at this computer. Verify the user's legitimacy. Newer Windows versions report this as 4625 with a sub-status code, which this condition does not match. | event1 : ( Device Product = Microsoft Windows AND Device Event Class ID = Security:533 ) | Aggregate if at least 1 matching conditions are found within 10 Seconds | NA | |
42 | Windows | Windows - Shut Down | This rule triggers when a Windows device is shut down or restarted (event 513 / 4609). | event1 : ( Device Product = Microsoft Windows AND Device Vendor = Microsoft AND ( Device Event Class ID = Security:513 OR Device Event Class ID Contains 4609 ) ) | Aggregate if at least 1 matching conditions are found within 10 Seconds | NA | |
43 | Windows | Windows - User Account Created - Update AL | This rule triggers on creation of a user account (event 624 / 4720) and updates the active list. Account creation can indicate privilege escalation or the creation of backdoor accounts; investigate and validate against approved change requests to identify deviations. | event1 : ( Device Product = Microsoft Windows AND Device Vendor = Microsoft AND ( Device Event Class ID = Security:624 OR Device Event Class ID Contains 4720 ) ) | Aggregate if at least 1 matching conditions are found within 10 Seconds AND these event fields are the same (event1.Destination User Name) | NA | |
44 | Windows | Windows - User Account disabled - Update AL | This rule triggers when a user account is disabled (event 629 / 4725) and updates the active list. Investigate and validate against approved change requests to identify deviations. | event1 : ( Device Product = Microsoft Windows AND Device Vendor = Microsoft AND ( Device Event Class ID = Microsoft-Windows-Security-Auditing:4725 OR Device Event Class ID = Security:629 ) ) | Aggregate if at least 1 matching conditions are found within 1 Minutes AND these event fields are the same (event1.Destination User Name) | NA | |
45 | Windows | Windows - User Account enabled - Update AL | This rule triggers when a user account is enabled (legacy event 626) and updates the active list. Unexpected enabling of a dormant account can indicate privilege escalation or a backdoor; investigate and validate against approved change requests to identify deviations. The newer equivalent, event 4722, is not in the condition. | event1 : ( Device Product = Microsoft Windows AND Device Vendor = Microsoft AND Device Event Class ID = Security:626 ) | Aggregate if at least 1 matching conditions are found within 1 Minutes AND these event fields are the same (event1.Destination User Name) | NA | |
46 | IPS | TCP SYN::FIN Packet- From Internal IP | This rule triggers when the Cisco ASA detects both the SYN and FIN flags set in a TCP header and the source is a private (RFC 1918) address. The three private-range tests must be combined with OR; an address cannot lie in all three ranges at once, so ANDing them can never match. | event1 : ( MatchesFilter("Firewall Events") AND Name = TCP SYN/FIN Packet [ignore case] AND Type != Correlation AND ( Source Address InSubnet 10.0.0.0/8 OR Source Address InSubnet 192.168.0.0/16 OR Source Address Between (172.16.0.0,172.31.255.255) ) ) | Aggregate if at least 1 matching conditions are found within 10 Seconds AND these event fields are the same (event1.Destination Address, event1.Destination Zone Resource, event1.Source Address, event1.Source Zone Resource) | event1 : Device Product = ASA | |
47 | Threat Intelligence | Torrentz Traffic | This rule triggers when Snort reports torrent-related traffic (two or more events within 1 minute). | event1 : ( Device Product = Snort [ignore case] AND Name Contains torrent ) | Aggregate if at least 2 matching conditions are found within 1 Minutes | ||
48 | Threat Intelligence | Traffic From Blacklisted IP | This rule detects traffic whose source is a blacklisted IP. It fires when at least 5 events are seen within 2 minutes from the same source to the same destination and port. | event1 : ( MatchesFilter("Firewall Events") AND Type != Correlation AND Category Outcome != /Failure AND InActiveList("BlackListed IP's") ) | Aggregate if at least 5 matching conditions are found within 2 Minutes AND these event fields are the same (event1.Destination Address, event1.Device Host Name, event1.Destination Zone Resource, event1.Source Address, event1.Device Product, event1.Device Zone Resource, event1.Device Address, event1.Device Vendor, event1.Source Zone Resource, event1.Destination Port) | Active List "BlackListed IP's" event1 : Device Product = ASA | |
49 | Threat Intelligence | Traffic To Blacklisted IP | This rule triggers when a SYN packet is initiated from inside the network towards a blacklisted IP (five or more within 2 minutes from the same source to the same destination and port). | event1 : ( MatchesFilter("Firewall Events") AND Type != Correlation AND Device Custom String3 = SYN AND InActiveList("BlackListed IP's") ) | Aggregate if at least 5 matching conditions are found within 2 Minutes AND these event fields are the same (event1.Destination Address, event1.Device Host Name, event1.Destination Zone Resource, event1.Source Address, event1.Device Product, event1.Device Zone Resource, event1.Device Address, event1.Device Vendor, event1.Source Zone Resource, event1.Destination Port) | Active List "BlackListed IP's" event1 : Device Product = ASA | |
50 | UNIX | Unix failed logins | This rule triggers when a source user fails to log in to a Unix device multiple times (three failures for the same target user on the same host within 2 minutes). Check the authorization and legitimacy. | event1 : ( Device Product = unix [ignore case] AND Category Behavior = /Authentication/Verify AND Category Outcome = /Failure AND Destination User Name Is NOT NULL AND Type != Correlation ) | Aggregate if at least 3 matching conditions are found within 2 Minutes AND these event fields are the same (event1.Device Host Name, event1.Destination User Name, event1.Device Zone Resource, event1.Device Address) | ||
51 | Firewall/IPS | External Permitted Traffic on Firewall and high severity on IPS | External (non-RFC 1918) traffic is permitted by the firewall while a high-severity IPS signature fires for the same attacker address within 2 minutes. | Matching Event: ASA.Attacker Address = IPS.Attacker Address ASA : ( Device Product = ASA AND Category Outcome = /Success AND Attacker Address NOT InSubnet 10.0.0.0/8 AND Attacker Address NOT InSubnet 192.168.0.0/16 AND Attacker Address NOT Between (172.16.0.0,172.31.255.255) AND Type != Correlation ) IPS : ( Device Product = Cisco Intrusion Prevention System AND Device Severity = high ) | Aggregate if at least 1 matching conditions are found within 2 Minutes AND these event fields are the same (ASA.Attacker Address) | ||
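The scan and flood rules above (Host Scanning Detected, Port Scanning Detected, Probable DOS Attack detected) all rely on the same ArcSight aggregation primitive: group events whose "same" fields match, count the distinct values of the "unique" fields inside a sliding time window, and fire at a threshold. The following Python is an added example, not part of the original rule table or of ArcSight, that implements that primitive over constructed Cisco ASA 302013 ("Built ... TCP connection") syslog lines and runs the three rules on them. The timestamp layout, host name and connection details in the sample lines are assumptions; the production thresholds (80 / 50 / 80 within 1 minute) are kept as defaults and lowered only for the small sample.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed ASA syslog lines (message 302013 = "Built ... TCP connection"). Assumed layout:
# "<ISO timestamp> <host> %ASA-6-302013: Built inbound TCP connection <id>
#  for outside:<src>/<spt> (<src>/<spt>) to inside:<dst>/<dpt> (<dst>/<dpt>)"
ASA_302013 = re.compile(
    r"^(?P<ts>\S+) \S+ %ASA-\d-302013: Built (?:inbound|outbound) TCP connection \d+ "
    r"for \S+:(?P<src>[\d.]+)/(?P<spt>\d+) \(\S+\) to \S+:(?P<dst>[\d.]+)/(?P<dpt>\d+) \(\S+\)$"
)

def parse_asa_built(line):
    """Return the fields the rules aggregate on, or None if the line is not a 302013 event."""
    m = ASA_302013.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "dst": m["dst"], "dpt": int(m["dpt"])}

def aggregate(events, same, unique, threshold, window):
    """ArcSight-style aggregation: group events whose `same` fields match, count the
    distinct values of the `unique` fields seen inside a sliding `window` (or the raw
    event count when `unique` is empty), and fire once per group when the count reaches
    `threshold`.  Returns a list of (group_key, count) in firing order."""
    buckets = defaultdict(deque)          # group key -> deque of (timestamp, unique key)
    fired, alerts = set(), []
    for e in sorted(events, key=lambda e: e["ts"]):
        key = tuple(e[f] for f in same)
        bucket = buckets[key]
        bucket.append((e["ts"], tuple(e[f] for f in unique)))
        cutoff = e["ts"] - window
        while bucket and bucket[0][0] < cutoff:   # expire events that left the window
            bucket.popleft()
        count = len({u for _, u in bucket}) if unique else len(bucket)
        if count >= threshold and key not in fired:
            fired.add(key)
            alerts.append((key, count))
    return alerts

def _events(lines):
    return [e for e in map(parse_asa_built, lines) if e]

def detect_host_scan(lines, threshold=80, window_s=60):
    """Rule 6: same source, >= threshold distinct destination addresses in the window."""
    return aggregate(_events(lines), ("src",), ("dst",), threshold, timedelta(seconds=window_s))

def detect_port_scan(lines, threshold=50, window_s=60):
    """Rule 8: same source and destination, >= threshold distinct destination ports."""
    return aggregate(_events(lines), ("src", "dst"), ("dpt",), threshold, timedelta(seconds=window_s))

def detect_connection_flood(lines, threshold=80, window_s=60):
    """Rule 10: >= threshold connections from one source to one destination address and port."""
    return aggregate(_events(lines), ("src", "dst", "dpt"), (), threshold, timedelta(seconds=window_s))

def _line(sec, src, dst, dpt, conn=1000):
    ts = (datetime(2024, 1, 10, 12, 0, 0) + timedelta(seconds=sec)).isoformat()
    return (f"{ts} fw01 %ASA-6-302013: Built inbound TCP connection {conn} "
            f"for outside:{src}/40000 ({src}/40000) to inside:{dst}/{dpt} ({dst}/{dpt})")

# Constructed sample: a fast host scan on 445, a fast port scan of one host, a slow host
# scan (one new target every 20 s, so it never has 10 targets inside a 60 s window) and a
# benign client repeatedly connecting to one service, which only the flood rule matches.
SAMPLE_LOGS = (
    [_line(i, "198.51.100.7", f"10.1.1.{i + 1}", 445) for i in range(12)]
    + [_line(i, "203.0.113.9", "10.1.1.20", 1 + i) for i in range(12)]
    + [_line(20 * i, "192.0.2.50", f"10.1.1.{30 + i}", 445) for i in range(12)]
    + [_line(i, "10.2.2.2", "10.1.1.20", 443) for i in range(12)]
)

if __name__ == "__main__":
    # Thresholds lowered to 10 so the small sample fires; production values are 80 / 50 / 80.
    print("host scans :", detect_host_scan(SAMPLE_LOGS, threshold=10))
    print("port scans :", detect_port_scan(SAMPLE_LOGS, threshold=10))
    print("floods     :", detect_connection_flood(SAMPLE_LOGS, threshold=10))
```

The slow-scan source never fires because the window is evaluated per event, which is why the production 1-minute windows miss patient scanners; the flood rule firing on the benign client shows why rule 10 needs an exclusion list for chatty legitimate sources.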