Workbooks by Author
Author | Count |
---|---|
DNIF | 413 |
community | 129 |
Total | 542 |
Workbooks by Directory
Directory | Count |
---|---|
/Basic Security Monitoring/Network Traffic Analysis | 25 |
/Basic Security Monitoring/Authentication Attacks | 8 |
/Basic Security Monitoring/Threat Alerts | 7 |
/Basic Security Monitoring/Configuration Monitoring | 1 |
/Investigate/User | 5 |
/Investigate/Host | 7 |
/Investigate/Object | 4 |
/Cloud Security/Amazon Web Services | 13 |
/Cloud Security/Azure | 31 |
/Advanced Threat Detection/Windows Process Monitoring | 131 |
/Advanced Threat Detection/IAM Monitoring | 3 |
/Advanced Threat Detection/Network Traffic Analysis | 24 |
/Advanced Threat Detection/Windows Audit Monitoring | 2 |
/Advanced Threat Detection/Webserver Exploits | 13 |
/Advanced Threat Detection/Windows Registry Monitoring | 5 |
/Advanced Threat Detection/Email Monitoring | 1 |
/Advanced Threat Detection/DNS Monitoring | 6 |
/Advanced Threat Detection/Threat Monitoring | 2 |
/Advanced Threat Detection/Linux Process Monitoring | 36 |
/Advanced Threat Detection/Documents Monitoring | 4 |
/Advanced Threat Detection/Proxy Monitoring | 31 |
/Advanced Threat Detection/Windows Network Monitoring | 1 |
/Visualization/OFFICE Monitoring | 13 |
/Visualization/IAM Monitoring | 6 |
/Visualization/NTA Monitoring | 17 |
/Visualization/Firewall Monitoring | 13 |
/Visualization/Threat Alerts Monitoring | 9 |
/Visualization/Cloud Monitoring | 16 |
/Visualization/Signal Monitoring | 8 |
/Visualization/Authentication Monitoring | 8 |
/Reports/FIREWALL | 29 |
/Compliance/Common/Monthly | 6 |
/Compliance/Common/Weekly | 8 |
/Compliance/Common/Daily | 6 |
/Compliance/SOX/Monthly | 1 |
/Compliance/SOX/Daily | 1 |
/Compliance/HIPAA/Monthly | 4 |
/Compliance/HIPAA/Weekly | 4 |
/Compliance/HIPAA/Daily | 4 |
/Compliance/FISMA/Monthly | 4 |
/Compliance/FISMA/Weekly | 3 |
/Compliance/FISMA/Daily | 7 |
/Compliance/PCI/Monthly | 5 |
/Compliance/PCI/Weekly | 5 |
/Compliance/PCI/Daily | 5 |
Total | 542 |
/Basic Security Monitoring/Network Traffic Analysis
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
RPC from the Internet | DNIF | Initial Access | Exploit Public-Facing Application | 5 | Low |
RDP from the Internet | DNIF | Lateral Movement | Remote Services | 5 | Low |
SSH from the Internet | DNIF | Initial Access | Exploit Public-Facing Application | 5 | Low |
Outlier FTP connection patterns by a user | DNIF | Lateral Movement | Lateral Tool Transfer | 4 | Medium |
High Denied Traffic Within Short Span Of Time | DNIF | Impact | Network Denial of Service | 8 | High |
SMTP to the Internet | DNIF | Exfiltration | Exfiltration Over Alternative Protocol | 5 | Low |
VNC from the Internet | DNIF | Initial Access | Exploit Public-Facing Application | 5 | Low |
FTP Activity to the Internet | DNIF | Exfiltration | Exfiltration Over Alternative Protocol | 5 | Low |
SMTP on Port 26 TCP | DNIF | Exfiltration | Exfiltration Over Alternative Protocol | 5 | Low |
TCP Port 8000 Activity to the Internet | DNIF | Command and Control | Commonly Used Port | 5 | Low |
PPTP Activity | DNIF | Command and Control | Commonly Used Port | 5 | Low |
IPSEC NAT Traversal Port Activity | DNIF | Command and Control | Commonly Used Port | 5 | Low |
IRC Protocol Activity to the Internet | DNIF | Exfiltration | Exfiltration Over Alternative Protocol | 5 | Low |
Telnet Port Activity | DNIF | Lateral Movement | Remote Services | 5 | Low |
Detect Outbound SMB Traffic | DNIF | Command and Control | Protocol Tunneling | 5 | Low |
Suspicious Remote Desktop Network Activity | DNIF | Lateral Movement | Remote Services | 5 | Low |
Clients Connecting to Multiple DNS Servers | DNIF | Exfiltration | Exfiltration Over Alternative Protocol | 3 | Low |
Distributed DOS Attack | DNIF | Impact | Network Denial of Service | 8 | High |
Proxy Port Activity to the Internet | DNIF | Command and Control | Commonly Used Port | 5 | Low |
Protocol or Port Mismatch | DNIF | Command and Control | Non-Standard Port | 5 | Low |
Detect Large Outbound ICMP Packets | DNIF | Command and Control | Non-Application Layer Protocol | 5 | Low |
Anomalous DNS Bytes Observed From Same Source | DNIF | Impact | Network Denial of Service | 6 | Medium |
Cryptocurrency mining network communication | DNIF | Impact | Resource Hijacking | 3 | Medium |
RDP to the Internet | DNIF | Exfiltration | Exfiltration Over Alternative Protocol | 5 | Low |
Tor Activity to the Internet | DNIF | Command and Control | Proxy | 5 | Low |
/Basic Security Monitoring/Authentication Attacks
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
User Connected to Large Number of Systems | DNIF | Persistence | Valid Accounts | 6 | Medium |
User Created and Deleted in Short Time | DNIF | Persistence | Account Manipulation | 7 | High |
Brute Force Access | DNIF | Credential Access | Brute Force | 5 | High |
Abnormal VPN Login Attempts for a User | DNIF | Initial Access | External Remote Services | 7 | High |
Slow Bruteforce Attack | DNIF | Credential Access | Brute Force | 5 | Medium |
Concurrent Logins from multiple Sources | DNIF | Initial Access | Valid Accounts | 5 | Low |
Logins to Same System from Multiple Sources | DNIF | Initial Access | Valid Accounts | 7 | High |
Abnormal SSH Login Attempts for a User | DNIF | Initial Access | External Remote Services | 7 | High |
/Basic Security Monitoring/Threat Alerts
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Threat Detected on Web | DNIF | Unclassified | Unclassified | 5 | Medium |
Threat Detected on Authentication | DNIF | Credential Access | Brute Force | 7 | Medium |
Threat Detected on Host - File | DNIF | Execution | User Execution | 5 | Medium |
Threat Detected on Host - URL | DNIF | Execution | User Execution | 5 | Medium |
Threat Detected on Network | DNIF | Unclassified | Unclassified | 5 | Medium |
Threat Detected on IAM | DNIF | Persistence | Account Manipulation | 7 | Medium |
Threat Detected on Email | DNIF | Initial Access | Phishing | 5 | Medium |
/Basic Security Monitoring/Configuration Monitoring
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Failed Config Changes by Same User | DNIF | Defense Evasion | Impair Defenses | 6 | Medium |
/Investigate/User
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Recent Login Failures | DNIF | | | | |
Systems Accessed by User | DNIF | | | | |
Source Countries for User | DNIF | | | | |
Recent Logins | DNIF | | | | |
Accounts Created by User | DNIF | | | | |
/Investigate/Host
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Recent Login Failures | DNIF | | | | |
Traffic Volume to IP | DNIF | | | | |
Host accessed by Users | DNIF | | | | |
Sources talking to IP | DNIF | | | | |
Traffic Volume from IP | DNIF | | | | |
Recent Threats on Host | DNIF | | | | |
Login Failures from IP | DNIF | | | | |
/Investigate/Object
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Domain accessed by Users | DNIF | | | | |
File Hash seen on Hosts | DNIF | | | | |
URL accessed by Users | DNIF | | | | |
Executable seen on Hosts | DNIF | | | | |
/Cloud Security/Amazon Web Services
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
AWS GuardDuty Important Change | community | Defense Evasion | Impair Defenses | 5 | Low |
Changes made to AWS CloudTrail logs | DNIF | Defense Evasion | Indicator Removal on Host | 5 | Medium |
AWS RDS Master Password Change | community | Exfiltration | Automated Exfiltration | 5 | Low |
AWS IAM Backdoor Users Keys | community | Persistence | Account Manipulation | 5 | Low |
AWS Config Disabling Channel Recorder | community | Defense Evasion | Impair Defenses | 5 | Low |
Restore Public AWS RDS Instance | community | Exfiltration | Automated Exfiltration | 5 | Low |
Monitor AWS Credential abuse or hijacking | DNIF | Discovery | Account Discovery | 5 | Medium |
AWS EC2 Download Userdata | community | Exfiltration | Automated Exfiltration | 5 | Medium |
AWS EC2 VM Export Failure | community | Exfiltration | Transfer Data to Cloud Account | 5 | Low |
AWS EC2 Startup Shell Script Change | community | Execution | Command and Scripting Interpreter | 5 | Medium |
AWS CloudTrail Important Change | community | Defense Evasion | Impair Defenses | 5 | Medium |
AWS Root Credentials | community | Defense Evasion | Valid Accounts | 5 | Medium |
Changes to internet facing AWS RDS Database instances | DNIF | Persistence | Account Manipulation | 5 | Medium |
/Cloud Security/Azure
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Azure Event Hub Deletion | DNIF | Defense Evasion | Impair Defenses | 5 | Low |
Azure Diagnostic Settings Deletion | DNIF | Defense Evasion | Impair Defenses | 5 | Low |
Security Rule has been Created or Updated | DNIF | Defense Evasion | Impair Defenses | 5 | Low |
Azure Privilege Identity Management Role Modified | DNIF | Persistence | Valid Accounts | 5 | Low |
Azure Automation Account Created | DNIF | Persistence | Valid Accounts | 5 | Low |
Azure Key Vault Modified | DNIF | Credential Access | Unsecured Credentials | 5 | Low |
Azure Automation Runbook Deleted | DNIF | Impact | Unclassified | 5 | Low |
Network Security Group was Deleted | DNIF | Defense Evasion | Impair Defenses | 5 | Low |
Azure Automation Webhook Created | DNIF | Persistence | Unclassified | 5 | Low |
Azure Blob Container Access Level Modification | DNIF | Discovery | Exploit Public-Facing Application | 5 | Low |
Azure Command Execution on Virtual Machine | DNIF | Execution | Command and Scripting Interpreter | 5 | Low |
Network Security Group has been Created or Updated | DNIF | Persistence | Valid Accounts | 5 | Low |
Azure Application Credential Modification | DNIF | Defense Evasion | Use Alternate Authentication Material | 5 | Low |
Virtual Network Subnet Deleted | DNIF | Impact | Data Destruction | 5 | Low |
Possible Consent Grant Attack via Azure-Registered Application | DNIF | Credential Access | Steal Application Access Token | 5 | Low |
Azure Service Principal Addition | DNIF | Defense Evasion | Use Alternate Authentication Material | 5 | Low |
Azure Resource Group Deletion | DNIF | Impact | Data Destruction | 5 | Low |
Azure Firewall Policy Deletion | DNIF | Defense Evasion | Impair Defenses | 5 | Low |
Azure Storage Account Key Regenerated | DNIF | Credential Access | Steal Application Access Token | 5 | Low |
Local Network Gateway Deleted | DNIF | Impact | Data Destruction | 5 | Low |
User Added as Owner for Azure Application | DNIF | Persistence | Account Manipulation | 5 | Low |
Azure Network Watcher Deletion | DNIF | Defense Evasion | Impair Defenses | 5 | Low |
User Added as Owner for Azure Service Principal | DNIF | Persistence | Account Manipulation | 5 | Low |
Azure Automation Runbook Created or Modified | DNIF | Persistence | Unclassified | 5 | Low |
Multi-Factor Authentication Disabled for an Azure User | DNIF | Persistence | Account Manipulation | 5 | Low |
Virtual Network Peering Deleted | DNIF | Impact | Data Destruction | 5 | Low |
Azure Conditional Access Policy Modified | DNIF | Persistence | Account Manipulation | 5 | Low |
Virtual Network Deleted | DNIF | Defense Evasion | Impair Defenses | 5 | Low |
Virtual Network Gateway Connection Deleted | DNIF | Impact | Data Destruction | 5 | Low |
Security Rule was Deleted | DNIF | Defense Evasion | Impair Defenses | 5 | Low |
Azure Event Hub Authorization Rule Created or Updated | DNIF | Collection | Data from Cloud Storage Object | 5 | Low |
/Advanced Threat Detection/Windows Process Monitoring
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Renamed SysInternals Debug View | community | Defense Evasion | Masquerading | 5 | Low |
Suspicious Csc.exe Source File Folder | community | Execution | User Execution | 5 | Low |
DTRACK Process Creation | community | Execution | User Execution | 5 | Low |
Suspicious Csc exe Source File Folder | community | Execution | User Execution | 5 | Medium |
ZOHO Dctask64 Process Injection | community | Defense Evasion | Process Injection | 5 | Low |
Suspicious Process Start Locations | community | Defense Evasion | Masquerading | 5 | Medium |
Renamed SysInternals Debug View | community | Defense Evasion | Masquerading | 5 | Low |
Devtoolslauncherexe Executes Specified Binary | community | Defense Evasion | Signed Binary Proxy Execution | 5 | Medium |
Detect PsExec With accepteula Flag | DNIF | Execution | System Services | 5 | Low |
Suspicious Outbound RDP Connections | community | Lateral Movement | Remote Services | 5 | Medium |
Deleting Shadow Copies | DNIF | Impact | Inhibit System Recovery | 8 | High |
Suspicious wevtutil Usage | DNIF | Defense Evasion | Indicator Removal on Host | 5 | Low |
Ping Hex IP | community | Defense Evasion | Obfuscated Files or Information | 3 | Medium |
Malicious PowerShell Process - Connect To Internet With Hidden Window | DNIF | Execution | Command and Scripting Interpreter | 5 | Medium |
WMI Modules Loaded | community | Execution | Windows Management Instrumentation | 5 | Medium |
Certutil Encode | community | Defense Evasion | Obfuscated Files or Information | 5 | Low |
RedMimicry Winnti Playbook Execute | community | Defense Evasion | Signed Binary Proxy Execution | 5 | Low |
PowerShell Encoded Character Syntax | community | Defense Evasion | Obfuscated Files or Information | 5 | Medium |
Screen Capture using Scripting Interpreter | DNIF | Collection | Screen Capture | 5 | Medium |
Possible Applocker Bypass | community | Defense Evasion | Signed Binary Proxy Execution | 5 | Low |
Remote Process Instantiation via WMI | DNIF | Execution | Windows Management Instrumentation | 5 | Low |
Modification of Boot Configuration | community | Impact | Inhibit System Recovery | 5 | Medium |
Lazarus Session Highjacker | community | Defense Evasion | Masquerading | 5 | Low |
DNS Tunnel Technique from MuddyWater | community | Command and Control | Application Layer Protocol | 5 | Low |
Process Execution via WMI | DNIF | Execution | Windows Management Instrumentation | 5 | Low |
Fireball Archer Install | community | Defense Evasion | Signed Binary Proxy Execution | 5 | Medium |
VBA DLL Loaded Via Microsoft Word | community | Execution | User Execution | 5 | Medium |
Remote Access Software Usage with Powershell | DNIF | Command and Control | Remote Access Software | 5 | Medium |
Windows Security Account Manager Stopped | DNIF | Impact | Service Stop | 5 | Low |
Net exe Execution | community | Lateral Movement | Remote Services | 6 | Medium |
SMOKEDHAM Backdoor | DNIF | Initial Access | Supply Chain Compromise | 4 | Low |
Processes launching netsh | DNIF | Defense Evasion | Impair Defenses | 5 | Low |
Bypass UAC via Fodhelper exe | community | Privilege Escalation | Abuse Elevation Control Mechanism | 5 | Medium |
Suspicious Rundll32 Activity | community | Defense Evasion | Masquerading | 6 | Medium |
Modify Registry To Store Logon Credentials | DNIF | Defense Evasion | Modify Registry | 5 | Medium |
Hiding Files And Directories With Attrib exe | DNIF | Defense Evasion | Hide Artifacts | 5 | Low |
System Information Discovery Detection | DNIF | Discovery | System Information Discovery | 5 | Low |
USN Journal Deletion | DNIF | Defense Evasion | Indicator Removal on Host | 5 | Low |
Detect mshta exe running scripts in command-line arguments | DNIF | Defense Evasion | Signed Binary Proxy Execution | 5 | Medium |
Advanced IP Scanner | community | Discovery | Network Service Scanning | 5 | Medium |
Windows Network Enumeration | community | Discovery | Remote System Discovery | 5 | Low |
Suspicious Esentutl Use | community | Defense Evasion | Signed Binary Proxy Execution | 5 | Low |
In-memory PowerShell | community | Execution | Command and Scripting Interpreter | 5 | Low |
Stop Windows Service | community | Impact | Service Stop | 5 | Low |
Schtasks scheduling job on remote system | DNIF | Privilege Escalation | Scheduled Task/Job | 5 | Low |
Audio Capture via PowerShell | community | Collection | Audio Capture | 5 | Medium |
Impacket Lateralization Detection | community | Lateral Movement | Remote Services | 5 | Low |
Trickbot Malware Recon Activity | community | Discovery | Domain Trust Discovery | 5 | Low |
Child Processes of Spoolsv exe | DNIF | Privilege Escalation | Exploitation for Privilege Escalation | 5 | Medium |
Reconnaissance Activity with Net Command | community | Discovery | System Information Discovery | 5 | Low |
Mimikatz Detection LSASS Access | community | Credential Access | OS Credential Dumping | 5 | Medium |
WMI Persistence - Command Line Event Consumer | community | Privilege Escalation | Event Triggered Execution | 5 | Medium |
Suspicious Use of CSharp Interactive Console | community | Defense Evasion | Trusted Developer Utilities Proxy Execution | 5 | Low |
Squirrel Lolbin | community | Defense Evasion | Signed Binary Proxy Execution | 5 | Low |
Suspicious XOR Encoded PowerShell Command Line | community | Execution | Command and Scripting Interpreter | 5 | Low |
CLR DLL Loaded Via Office Applications | community | Execution | User Execution | 5 | Medium |
Shadow Copies Deletion Using Operating Systems Utilities | community | Impact | Inhibit System Recovery | 5 | Medium |
Command Line Execution with Suspicious URL and AppData Strings | community | Execution | Command and Scripting Interpreter | 5 | Medium |
Enumeration of Local Shares | DNIF | Discovery | Network Share Discovery | 3 | Low |
Tap Installer Execution | community | Exfiltration | Exfiltration Over Alternative Protocol | 3 | Medium |
RDP Over Reverse SSH Tunnel | community | Lateral Movement | Remote Services | 5 | Low |
Load of dbghelp or dbgcore DLL from Suspicious Process | community | Credential Access | OS Credential Dumping | 5 | Medium |
Script Execution via WMI | DNIF | Execution | Windows Management Instrumentation | 5 | Low |
Executable Masquerading as a Document | DNIF | Defense Evasion | Masquerading | 5 | Low |
Suspicious Commandline Escape | community | Defense Evasion | Deobfuscate/Decode Files or Information | 5 | Low |
Suspicious Program Location Process Starts | community | Defense Evasion | Masquerading | 4 | Medium |
Windows Management Instrumentation DLL Loaded Via Microsoft Word | community | Execution | Windows Management Instrumentation | 5 | Medium |
Domain Trust Discovery | community | Discovery | Domain Trust Discovery | 5 | Low |
Active Directory Parsing DLL Loaded Via Office Applications | community | Execution | User Execution | 5 | Medium |
Malicious PowerShell Process - Execution Policy Bypass | DNIF | Execution | Command and Scripting Interpreter | 5 | Low |
Sc exe Manipulating Windows Services | DNIF | Persistence | Create or Modify System Process | 5 | Low |
Unload Sysmon Filter Driver | DNIF | Defense Evasion | Impair Defenses | 5 | Low |
Detect Use of cmd exe to Launch Script Interpreters | DNIF | Execution | Command and Scripting Interpreter | 5 | Low |
Suspicious Eventlog Clear or Configuration Using Wevtutil | community | Defense Evasion | Indicator Removal on Host | 5 | Medium |
Enumeration using SMB and Powershell | DNIF | Discovery | Network Share Discovery | 5 | Medium |
Executables Started in Suspicious Folder | community | Defense Evasion | Masquerading | 5 | Medium |
Activity Related to NTDS Domain Hash Retrieval | community | Credential Access | OS Credential Dumping | 5 | Medium |
Suspicious writes to System Volume Information | DNIF | Defense Evasion | Masquerading | 5 | Low |
Detection Of Malicious Automated Collection | DNIF | Collection | Automated Collection | 5 | Medium |
Windows hosts file modification | DNIF | Discovery | Remote System Discovery | 5 | Low |
Ryuk Ransomware Files Detected | DNIF | Impact | Data Encrypted for Impact | 5 | Low |
PowerShell DownloadFile | community | Command and Control | Ingress Tool Transfer | 5 | Low |
Process Dump via Comsvcs DLL | community | Credential Access | OS Credential Dumping | 6 | Medium |
Netsh Program Allowed with Suspicious Location | community | Defense Evasion | Impair Defenses | 4 | Medium |
Harvesting of Wifi Credentials Using netsh exe | community | Credential Access | Network Sniffing | 5 | Medium |
Suspicious LNK file launching a process | DNIF | Initial Access | Phishing | 5 | Medium |
Suspicious Double Extension | community | Initial Access | Phishing | 5 | Low |
Dump LSASS via comsvcs DLL | DNIF | Credential Access | OS Credential Dumping | 5 | Medium |
Renamed PowerShell | community | Defense Evasion | Masquerading | 5 | Medium |
Malicious PowerShell Process - Encoded Command | DNIF | Execution | Command and Scripting Interpreter | 6 | Low |
Create local admin accounts using net exe | DNIF | Persistence | Create Account: Local Account | 10 | High |
Microsoft Office Product Spawning Windows Shell | community | Execution | User Execution | 5 | Low |
XSL Script Processing | community | Defense Evasion | XSL Script Processing | 5 | Medium |
Possible App Whitelisting Bypass via WinDbg CDB as a Shellcode Runner | community | Defense Evasion | Trusted Developer Utilities Proxy Execution | 5 | Low |
Schtasks used for forcing a reboot | DNIF | Execution | Scheduled Task/Job | 5 | Low |
Suspicious AdFind Execution | community | Discovery | Domain Trust Discovery | 5 | Medium |
DTRACK Process Creation | community | Persistence | Create or Modify System Process | 5 | Low |
Possible Compromised PasswordState Software | DNIF | Initial Access | Supply Chain Compromise | 5 | Medium |
Create or delete windows shares using net exe | DNIF | Execution | Command and Scripting Interpreter | 5 | Low |
Judgement Panda Exfil Activity | community | Collection | Archive Collected Data | 5 | Low |
WMI Backdoor Exchange Transport Agent | community | Privilege Escalation | Event Triggered Execution | 5 | Low |
Reg exe Manipulating Windows Services Registry Keys | DNIF | Persistence | Hijack Execution Flow | 5 | Low |
DNS RCE CVE-2020-1350 | community | Execution | System Services | 5 | Medium |
Koadic Execution | community | Execution | Command and Scripting Interpreter | 5 | Low |
Svchost DLL Search Order Hijack | community | Persistence | Hijack Execution Flow | 5 | Low |
Creation of Shadow Copy with wmic and powershell | DNIF | Impact | Inhibit System Recovery | 8 | High |
Explorer Root Flag Process Tree Break | community | Defense Evasion | Masquerading | 5 | Medium |
Detect Outlook exe writing a zip file | DNIF | Initial Access | Phishing | 5 | Medium |
In Browser Crypto Mining | DNIF | Impact | Resource Hijacking | 5 | Medium |
File with Samsam Ransomware Extension | DNIF | Impact | Data Encrypted for Impact | 5 | Low |
Rundll32 Internet Connection | community | Defense Evasion | Signed Binary Proxy Execution | 5 | Low |
Batch File Write to System32 | DNIF | Execution | User Execution | 5 | Medium |
Registry Keys for Creating SHIM Databases | DNIF | Persistence | Event Triggered Execution | 5 | Low |
Creation of Shadow Copy using ntdsutil or vssadmin | DNIF | Impact | Inhibit System Recovery | 8 | High |
Unsigned Image Loaded Into LSASS Process | community | Credential Access | OS Credential Dumping | 5 | Low |
Create Remote Thread into LSASS | DNIF | Credential Access | OS Credential Dumping: LSASS Memory | 7 | Medium |
Possible Process Hollowing Image Loading | community | Persistence | Hijack Execution Flow | 5 | Low |
dotNET DLL Loaded Via Office Applications | community | Execution | User Execution | 5 | Medium |
Copying Sensitive Files with Credential Data | community | Credential Access | OS Credential Dumping | 5 | Medium |
Grabbing Sensitive Hives via Reg Utility | community | Credential Access | OS Credential Dumping | 5 | Medium |
Fax Service DLL Search Order Hijack | community | Persistence | Hijack Execution Flow | 5 | Medium |
Suspicious Rundll32 Activity | community | Defense Evasion | Masquerading | 6 | Medium |
Enumeration of Remote Shares | DNIF | Discovery | Network Share Discovery | 3 | Low |
Suspicious writes to Windows Recycle Bin | DNIF | Defense Evasion | Masquerading | 5 | Low |
Suspicious Debugger Registration Cmdline | community | Privilege Escalation | Event Triggered Execution | 5 | Low |
Remote PowerShell Session | community | Execution | Command and Scripting Interpreter | 6 | Medium |
PowerShell Execution | community | Execution | Command and Scripting Interpreter | 5 | Low |
Remote Email collection detection via Powershell | DNIF | Collection | Email Collection | 5 | Medium |
ZxShell Malware | community | Defense Evasion | Signed Binary Proxy Execution | 5 | Low |
Active Directory Kerberos DLL Loaded Via Office Applications | community | Execution | User Execution | 5 | Medium |
Detect Credential Dumping through LSASS access | DNIF | Credential Access | OS Credential Dumping | 10 | High |
/Advanced Threat Detection/IAM Monitoring
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Account Deletion Anomaly | DNIF | | | | |
Same User Enabled And Disabled In A Short Time | DNIF | Persistence | Account Manipulation | 7 | High |
Account Creation Anomaly | DNIF | Persistence | Create Account | 5 | Low |
/Advanced Threat Detection/Network Traffic Analysis
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Publicly Accessible RDP Service | DNIF | Initial Access | External Remote Services | 6 | Medium |
Multiple Compressed Files sent over HTTP with abnormal requests | DNIF | Collection | Archive Collected Data | 6 | Medium |
Credential access detected from DCE-RPC | DNIF | Credential Access | Exploitation for Credential Access | 6 | Medium |
Kerberos Network Traffic RC4 Ticket Encryption | DNIF | Credential Access | Steal or Forge Kerberos Tickets | 6 | Medium |
DCE-RPC Group Discovery | DNIF | Discovery | Permission Groups Discovery | 5 | Medium |
DCE-RPC Account Discovery detection | DNIF | Discovery | Account Discovery | 5 | Medium |
Executable from Webdav | DNIF | Command and Control | Ingress Tool Transfer | 6 | Medium |
External SMB Communication detected | DNIF | Exfiltration | Exfiltration Over Alternative Protocol | 3 | Low |
Outlier Pattern Detected on Data Transfers | DNIF | Exfiltration | Exfiltration Over Alternative Protocol | 6 | Medium |
SMB Connections to Admin Shares | DNIF | Exfiltration | Exfiltration Over Alternative Protocol | 7 | High |
Suspicious PsExec Execution | DNIF | Lateral Movement | Remote Services | 6 | Medium |
DCE-RPC Network Discovery Detection | DNIF | Discovery | Network Sniffing | 5 | Medium |
Port scanning detection | DNIF | Discovery | Network Service Scanning | 6 | Medium |
Executable Download Directly From IP | DNIF | Execution | User Execution | 6 | Medium |
Remote Task Creation via ATSVC Named Pipe | DNIF | Persistence | Scheduled Task/Job | 5 | Medium |
Transferring Files with Credential Data via Network Shares | DNIF | Credential Access | OS Credential Dumping | 7 | High |
Possible Impacket SecretDump Remote Activity | DNIF | Credential Access | OS Credential Dumping | 6 | Medium |
FTP Bruteforcing | DNIF | Credential Access | Brute Force | 6 | Medium |
WebDav Put Request | DNIF | Exfiltration | Exfiltration Over Alternative Protocol | 6 | Medium |
Suspicious Access to Sensitive File Extensions | DNIF | Collection | Data from Local System | 6 | Medium |
Detection of Expired Certificates | DNIF | Unclassified | Unclassified | 6 | Medium |
DCE-RPC Domain Discovery detection | DNIF | Discovery | Domain Trust Discovery | 5 | Medium |
Domain User Enumeration Network Recon | DNIF | Discovery | Account Discovery | 4 | Medium |
Potential Exfiltration of Compressed Files | DNIF | Collection | Data from Local System | 6 | Medium |
/Advanced Threat Detection/Windows Audit Monitoring
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Suspicious Network Shares Accessed from SrcIP | DNIF | Collection | Data from Network Shared Drive | 5 | Medium |
Suspicious Network Shares Accessed by User | DNIF | Collection | Data from Network Shared Drive | 6 | Medium |
/Advanced Threat Detection/Webserver Exploits
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Multiple Suspicious Resp Codes Caused by Single Client | community | Initial Access | Exploit Public-Facing Application | 5 | Low |
CVE-2020-0688 Exchange Exploitation via Web Log | community | Initial Access | Exploit Public-Facing Application | 5 | Low |
Citrix Netscaler Attack CVE-2019-19781 | community | Initial Access | Exploit Public-Facing Application | 5 | Low |
Valid Request Forbidden | DNIF | Unclassified | Unclassified | 6 | Medium |
SQL Query Injection in UserAgent OR URL | DNIF | Initial Access | Exploit Public-Facing Application | 7 | High |
Oracle WebLogic Exploit | community | Persistence | Server Software Component | 5 | Low |
Citrix ADS Exploitation CVE-2020-8193 CVE-2020-8195 | community | Initial Access | Exploit Public-Facing Application | 5 | Low |
Pulse Secure Attack CVE-2019-11510 | community | Initial Access | Exploit Public-Facing Application | 5 | Low |
CVE-2020-0688 Exploitation Attempt | community | Initial Access | Exploit Public-Facing Application | 5 | Low |
Confluence Exploitation CVE-2019-3398 | community | Initial Access | Exploit Public-Facing Application | 5 | Low |
Unusual URL Redirection | DNIF | Execution | User Execution | 7 | High |
CVE-2020-5902 F5 BIG-IP Exploitation Attempt | community | Initial Access | Exploit Public-Facing Application | 5 | Low |
Script Injection Detected In UserAgent | DNIF | Initial Access | Exploit Public-Facing Application | 8 | High |
/Advanced Threat Detection/Windows Registry Monitoring
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Registry Keys Used For Persistence | DNIF | Persistence | Boot or Logon Autostart Execution | 5 | Low |
Suspicious MS Office Registry Modifications | DNIF | Defense Evasion | Modify Registry | 2 | Low |
Disabling Remote User Account Control | DNIF | Privilege Escalation | Abuse Elevation Control Mechanism | 5 | Low |
Suspicious Reg Modified on a System | DNIF | Defense Evasion | Modify Registry | 5 | Medium |
Suspicious Changes to File Associations | DNIF | Persistence | Event Triggered Execution | 5 | Low |
/Advanced Threat Detection/Email Monitoring
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Outlier Pattern Detected for Outbound Emails | DNIF | Exfiltration | Exfiltration Over Web Service | 4 | Medium |
/Advanced Threat Detection/DNS Monitoring
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Cobalt Strike DNS Beaconing | community | Command and Control | Application Layer Protocol | 5 | Low |
Telegram Bot API Request | community | Command and Control | Web Service | 5 | Low |
Wannacry Killswitch Domain | community | Command and Control | Application Layer Protocol | 5 | Low |
High DNS requests From Same Source | DNIF | Impact | Network Denial of Service | 8 | High |
DNS NXDOMAIN Flood | DNIF | Impact | Network Denial of Service | 5 | Medium |
Suspicious DNS Query with B64 Encoded String | community | Command and Control | Application Layer Protocol | 5 | Low |
/Advanced Threat Detection/Threat Monitoring
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Multiple Threat Detected From Same Source | DNIF | Unclassified | Unclassified | 8 | High |
Same Threat Detected on Multiple Hosts | DNIF | Unclassified | Unclassified | 8 | High |
/Advanced Threat Detection/Linux Process Monitoring
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Hping Process Activity | DNIF | Discovery | System Information Discovery | 4 | Low |
Netcat Network Activity | DNIF | Discovery | System Network Connections Discovery | 5 | Low |
Setuid Bit Set via chmod | DNIF | Privilege Escalation | Abuse Elevation Control Mechanism | 5 | Low |
Virtual Machine Fingerprinting | DNIF | Discovery | System Information Discovery | 5 | Low |
Persistence via Kernel Module Modification | DNIF | Persistence | Kernel Modules and Extensions | 5 | Low |
Network Sniffing via Tcpdump | DNIF | Credential Access | Network Sniffing | 5 | Low |
Enumeration of Kernel Modules | DNIF | Discovery | System Information Discovery | 5 | Low |
Base64 Encoding-Decoding Activity | DNIF | Defense Evasion | Obfuscated Files or Information | 5 | Low |
Attempt to Disable IPTables or Firewall | DNIF | Defense Evasion | Disabling Security Tools | 5 | Low |
Attempt to Disable Syslog Service | DNIF | Defense Evasion | Disabling Security Tools | 5 | Low |
Interactive Terminal Spawned via Python | DNIF | Execution | Command and Scripting Interpreter | 5 | Low |
Unusual Process Execution - Temp | DNIF | Defense Evasion | Masquerading | 5 | Low |
File Deletion via Shred | DNIF | Defense Evasion | File Deletion | 5 | Low |
Hex Encoding-Decoding Activity | DNIF | Defense Evasion | Obfuscated Files or Information | 5 | Low |
System Log File Deletion | DNIF | Defense Evasion | Indicator Removal on Host | 5 | Low |
Sudoers File Modification | DNIF | Privilege Escalation | Abuse Elevation Control Mechanism | 5 | Low |
Creation of Hidden Files and Directories | DNIF | Defense Evasion | Hidden Files and Directories | 5 | Low |
Strace Process Activity | DNIF | Privilege Escalation | Exploitation for Privilege Escalation | 3 | Low |
Setgid Bit Set via chmod | DNIF | Privilege Escalation | Abuse Elevation Control Mechanism | 3 | Low |
Kernel Module Removal | DNIF | Defense Evasion | Kernel Modules and Extensions | 5 | Low |
Timestomping using Touch Command | DNIF | Defense Evasion | Timestomp | 5 | Low |
Connection to External Network via Telnet | DNIF | Lateral Movement | Remote Services | 5 | Low |
Interactive Terminal Spawned via Perl | DNIF | Execution | Command and Scripting Interpreter | 5 | Low |
Nping Process Activity | DNIF | Discovery | System Network Connections Discovery | 3 | Low |
Deletion of Bash Command Line History | DNIF | Defense Evasion | Clear Command History | 5 | Low |
Potential Disabling of SELinux | DNIF | Defense Evasion | Disabling Security Tools | 5 | Low |
User Discovery via Whoami | DNIF | Discovery | System Owner/User Discovery | 5 | Low |
Connection to Internal Network via Telnet | DNIF | Lateral Movement | Remote Services | 5 | Low |
Base64 Encoding or Decoding Activity | DNIF | Defense Evasion | Obfuscated Files or Information | 5 | Low |
Nmap Process Activity | DNIF | Discovery | System Network Connections Discovery | 3 | Low |
Socat Process Activity | DNIF | Persistence | Event Triggered Execution | 5 | Low |
Base16 or Base32 Encoding or Decoding Activity | DNIF | Defense Evasion | Obfuscated Files or Information | 5 | Low |
File Permission Modification in Writable Directory | DNIF | Defense Evasion | File and Directory Permissions Modification | 5 | Low |
Potential DNS Tunneling via Iodine | DNIF | Command and Control | Application Layer Protocol | 5 | Low |
Potential Shell via Web Server | DNIF | Persistence | Web Shell | 5 | Low |
Mknod Process Activity | DNIF | Privilege Escalation | Process Injection | 5 | Low |
/Advanced Threat Detection/Documents Monitoring
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Suspicious File Download Activity by IP | DNIF | Exfiltration | Exfiltration Over Web Service | 5 | Medium |
Suspicious File Access Activity by User | DNIF | Discovery | File and Directory Discovery | 5 | Medium |
Suspicious File Delete Activity by User | DNIF | Impact | Data Destruction | 5 | Medium |
Suspicious File Download Activity by User | DNIF | Exfiltration | Exfiltration Over Web Service | 5 | Medium |
/Advanced Threat Detection/Proxy Monitoring
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
APT40 Dropbox Tool User Agent | community | Exfiltration | Exfiltration Over Alternative Protocol | 5 | Low |
Windows WebDAV User Agent | community | Command and Control | Application Layer Protocol | 5 | Low |
Malware User Agent | community | Command and Control | Application Layer Protocol | 5 | Low |
Empire UserAgent URI Combo | community | Command and Control | Application Layer Protocol | 5 | Low |
Empty User Agent | community | Command and Control | Application Layer Protocol | 5 | Low |
Windows PowerShell User Agent | community | Command and Control | Application Layer Protocol | 5 | Low |
CobaltStrike Malleable (OCSP) Profile | community | Command and Control | Application Layer Protocol | 5 | Low |
Download from Suspicious TLD | community | Execution | User Execution | 5 | Low |
iOS Implant URL Pattern | community | Credential Access | Unsecured Credentials | 5 | Low |
Suspicious User Agent | community | Command and Control | Application Layer Protocol | 5 | Low |
Download from Suspicious Dyndns Hosts | community | Command and Control | Dynamic Resolution | 5 | Low |
PwnDrp Access | community | Command and Control | Web Service | 5 | Low |
APT User Agent | community | Command and Control | Application Layer Protocol | 5 | Low |
Telegram API Access | community | Command and Control | Web Service | 5 | Low |
Possible FIN7 DGA Command and Control Behavior | DNIF | Command and Control | Application Layer Protocol | 5 | Low |
CobaltStrike Malleable OneDrive Browsing Traffic Profile | community | Command and Control | Application Layer Protocol | 5 | Low |
Crypto Miner User Agent | community | Command and Control | Application Layer Protocol | 5 | Low |
Hack Tool User Agent | community | Credential Access | Brute Force | 5 | Low |
Download EXE from Suspicious TLD | community | Execution | User Execution | 5 | Low |
Bitsadmin to Uncommon TLD | community | Defense Evasion | BITS Jobs | 5 | Low |
Turla ComRAT | community | Command and Control | Application Layer Protocol | 5 | Low |
Solarwinds backdoor C2 host name detected | DNIF | Initial Access | Supply Chain Compromise | 3 | Low |
Halfbaked Command and Control Beacon | DNIF | Command and Control | Application Layer Protocol | 5 | Low |
Ingress Tool Transfer | DNIF | Command and Control | Ingress Tool Transfer | 5 | Low |
Excessive Failed URL Access From A Single Source | DNIF | Execution | User Execution | 4 | Medium |
Flash Player Update from Suspicious Location | community | Defense Evasion | Masquerading | 5 | Low |
Raw Paste Service Access | community | Command and Control | Web Service | 5 | Low |
Chafer Malware URL Pattern | community | Command and Control | Application Layer Protocol | 5 | Low |
Exploit Framework User Agent | community | Command and Control | Application Layer Protocol | 5 | Low |
CobaltStrike Malleable Amazon Browsing Traffic Profile | community | Command and Control | Application Layer Protocol | 5 | Low |
Public IP Reconnaissance Activity | DNIF | Discovery | System Network Configuration Discovery | 5 | Low |
/Advanced Threat Detection/Windows Network Monitoring
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Data writes from SMB shares | DNIF | Collection | Data from Network Shared Drive | 6 | Medium |
/Visualization/OFFICE Monitoring
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Mailbox Permission Changes | DNIF | ||||
Office Email Activity Timeline | DNIF | ||||
Multiple Account password reset detected by the same user | DNIF | ||||
Top Senders | DNIF | ||||
Executable File Uploaded OR Downloaded | DNIF | ||||
Inbox Rule Changes | DNIF | ||||
Top Users For IAM Activity | DNIF | ||||
Policy Added And Deleted | DNIF | ||||
Delegated Permission Grant To User | DNIF | ||||
Top Threat Detected In Office | DNIF | ||||
Top users Modifying files | DNIF | ||||
Top Recipients | DNIF | ||||
Office Authentication By Source Country | DNIF | ||||
/Visualization/IAM Monitoring
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Top Systems | DNIF | ||||
Top Users Creating Accounts | DNIF | ||||
Account Modification Activity | DNIF | ||||
IAM Activity | DNIF | ||||
Accounts Creation Activity | DNIF | ||||
Account Deletion Activity | DNIF | ||||
/Visualization/NTA Monitoring
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
MySQL Arguments | DNIF | ||||
Traffic Destination by Country | DNIF | ||||
TLS protocol version | DNIF | ||||
Top NTA Signals | DNIF | ||||
Connection activity | DNIF | ||||
DNS Destination Ports | DNIF | ||||
Top DNS Query | DNIF | ||||
Top Network Transport | DNIF | ||||
Data Transfer Activity | DNIF | ||||
Top Ports Accessed | DNIF | ||||
SSL Activity By Country Over Last Week | DNIF | ||||
Top Http Hosts | DNIF | ||||
FTP Activity | DNIF | ||||
Traffic Sources by Country | DNIF | ||||
Top 10 Applications | DNIF | ||||
Top Files accessed | DNIF | ||||
File MIME Type | DNIF | ||||
/Visualization/Firewall Monitoring
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Allowed Traffic by App | DNIF | ||||
Traffic Destinations by Country | DNIF | ||||
FTP Port Activity by Time | DNIF | ||||
RDP Destinations | DNIF | ||||
RDP Sources | DNIF | ||||
Top Destination Ports | DNIF | ||||
Total Outbound Traffic | DNIF | ||||
Total Inbound Traffic | DNIF | ||||
Blocked Traffic by Port | DNIF | ||||
FTP Destinations | DNIF | ||||
FTP Sources | DNIF | ||||
Traffic Sources by Country | DNIF | ||||
RDP WMI Port Activity by Time | DNIF | ||||
/Visualization/Threat Alerts Monitoring
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Top Systems Affected | DNIF | ||||
Top Web Threats | DNIF | ||||
Top Network Threats | DNIF | ||||
Alerts by SourceName | DNIF | ||||
Alerts by SourceType | DNIF | ||||
Top Threats | DNIF | ||||
Top Email Threats | DNIF | ||||
Top Host Threats | DNIF | ||||
Threats by Time | DNIF | ||||
/Visualization/Cloud Monitoring
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Top AWS Failed Login Attempts | DNIF | ||||
Network Gateway Changes | DNIF | ||||
Unique Traffic Sources | DNIF | ||||
Top Eventsource Distribution | DNIF | ||||
S3 Bucket Policy changes | DNIF | ||||
Top AWS Signals | DNIF | ||||
Multiple Failed API Requests From Different Source IPs | DNIF | ||||
Cloudtrail Activity | DNIF | ||||
AWS Regions | DNIF | ||||
Network And Security Activity Timeline | DNIF | ||||
Critical EC2 Instance Has Been Stopped OR Terminated | DNIF | ||||
Detected A Successful Login To AWS Console From Different Geographies | DNIF | ||||
Key Pair Management configuration changes | DNIF | ||||
Top Security Group Configuration changes | DNIF | ||||
Created And Deleted Network And Security Events | DNIF | ||||
VPC Configuration Changes | DNIF | ||||
/Visualization/Signal Monitoring
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Top Suspects Hosts | DNIF | ||||
Total Signal Count - Weekly | DNIF | ||||
Top Hit Targets | DNIF | ||||
High Severity Signals | DNIF | ||||
Signal Stream Wise Distribution | DNIF | ||||
Detection Technique and Tactic | DNIF | ||||
Top Signals | DNIF | ||||
Signal Weekly Activity | DNIF | ||||
/Visualization/Authentication Monitoring
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Top Users | DNIF | ||||
Authentication: Passed v Failed | DNIF | ||||
Top System for Authentication Failures | DNIF | ||||
Top Systems for Authentication Activity | DNIF | ||||
Authentication Activity from Source | DNIF | ||||
Authentication Failures by Source Country | DNIF | ||||
Net Failed Logins | DNIF | ||||
Authentication Activity | DNIF | ||||
/Reports/FIREWALL
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Top Configuration Changes On Firewall | DNIF | ||||
Top Threat Sources | DNIF | ||||
Traffic Sources by Country | DNIF | ||||
Firewall Threats Trend | DNIF | ||||
All Destination Ports | DNIF | ||||
Blocked Traffic By Port | DNIF | ||||
Firewall Authentication: Passed v Failed | DNIF | ||||
SSH From Internet | DNIF | ||||
Threat Detected On Firewall | DNIF | ||||
Communication Observed From An Unusual Geo Location Source | DNIF | ||||
Top Common Firewall Events | DNIF | ||||
Top Targeted IPs | DNIF | ||||
Tor Activity To The Internet | DNIF | ||||
Non Https Url Accessed | DNIF | ||||
Unsuccessful Logins Summary | DNIF | ||||
Allowed Traffic by App | DNIF | ||||
Denied Traffic | DNIF | ||||
Data Egress From Top Source | DNIF | ||||
Data Ingress from Top Sources | DNIF | ||||
Inbound Traffic | DNIF | ||||
Traffic Destinations by Country | DNIF | ||||
Outbound SMB Traffic Detected | DNIF | ||||
Top IAM Activity On Firewall | DNIF | ||||
Top Threat Destinations | DNIF | ||||
Unsuccessful Remote Login Attempts | DNIF | ||||
FTP Activity to the Internet | DNIF | ||||
Top Talkers | DNIF | ||||
Top Users | DNIF | ||||
Outbound Traffic | DNIF | ||||
/Compliance/Common/Monthly
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Top Virus Sources Monthly | DNIF | ||||
Top Targeted IPs Monthly | DNIF | ||||
Top Virus Destinations Monthly | DNIF | ||||
Unsuccessful Mail Logins Monthly | DNIF | ||||
Unsuccessful Web Service Logins Monthly | DNIF | ||||
Remote Access Activity Monthly | DNIF | ||||
/Compliance/Common/Weekly
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Unsuccessful SSH Logins Weekly | DNIF | ||||
Unsuccessful Logins Summary Weekly | DNIF | ||||
Top Virus Sources Weekly | DNIF | ||||
Top Virus Destinations Weekly | DNIF | ||||
Unsuccessful Web Services Logins Weekly | DNIF | ||||
Unsuccessful Mail Logins Weekly | DNIF | ||||
Top Targeted IPs Weekly | DNIF | ||||
Successful Login Attempts Weekly | DNIF | ||||
/Compliance/Common/Daily
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Unsuccessful Mail Logins Daily | DNIF | ||||
Top Users by Remote Access Activity Daily | DNIF | ||||
Top Virus Sources Daily | DNIF | ||||
Top Targeted IPs Daily | DNIF | ||||
Unsuccessful Web Services Logins Daily | DNIF | ||||
Top Virus Destinations Daily | DNIF | ||||
/Compliance/SOX/Monthly
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Top Users for Remote Access Activity Monthly | DNIF | ||||
/Compliance/SOX/Daily
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Top Users for Remote Access Activity Daily | DNIF | ||||
/Compliance/HIPAA/Monthly
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Top Virus Sources And Destinations Monthly | DNIF | ||||
Outbound Traffic Monthly | DNIF | ||||
Denied Traffic Monthly | DNIF | ||||
Inbound Traffic Monthly | DNIF | ||||
/Compliance/HIPAA/Weekly
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Denied Traffic Weekly | DNIF | ||||
Top Virus Sources And Destinations Weekly | DNIF | ||||
Inbound Traffic Weekly | DNIF | ||||
Outbound Traffic Weekly | DNIF | ||||
/Compliance/HIPAA/Daily
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Top Virus Sources And Destinations Daily | DNIF | ||||
Outbound Traffic Daily | DNIF | ||||
Inbound Traffic Daily | DNIF | ||||
Denied Traffic Daily | DNIF | ||||
/Compliance/FISMA/Monthly
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Unsuccessful TELNET Logins Monthly | DNIF | ||||
Unsuccessful Logins Summary Monthly | DNIF | ||||
Successful Login Attempts Monthly | DNIF | ||||
Unsuccessful SSH Logins Monthly | DNIF | ||||
/Compliance/FISMA/Weekly
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Successful Logins Weekly | DNIF | ||||
Unsuccessful Logins Weekly | DNIF | ||||
Unsuccessful TELNET Logins Weekly | DNIF | ||||
/Compliance/FISMA/Daily
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
Unsuccessful Logins Daily | DNIF | ||||
Successful Logins Daily | DNIF | ||||
Remote Access Activity Summary Daily | DNIF | ||||
Unsuccessful SSH Logins Daily | DNIF | ||||
Unsuccessful Logins Summary Daily | DNIF | ||||
Unsuccessful Telnet Logins Daily | DNIF | ||||
Successful Login Attempts Daily | DNIF | ||||
/Compliance/PCI/Monthly
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
PCI 5-2 Top Malware Activity Monthly | DNIF | ||||
PCI 1-2-1b - Inbound Traffic Monthly | DNIF | ||||
PCI 1-2-1b - Outbound Traffic Monthly | DNIF | ||||
PCI 8-1 - User Account Changes Monthly | DNIF | ||||
PCI 10-2 - User Accounts Additions Monthly | DNIF | ||||
/Compliance/PCI/Weekly
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
PCI 1-2-1b - Inbound Traffic Weekly | DNIF | ||||
PCI 8-1 - User Account Changes Weekly | DNIF | ||||
PCI 10-2 - User Accounts Additions Weekly | DNIF | ||||
PCI 1-2-1b - Outbound Traffic Weekly | DNIF | ||||
PCI 5-2 Top Malware Activity Weekly | DNIF | ||||
/Compliance/PCI/Daily
Workbook | Author | Tactic | Technique | Severity | Confidence |
---|---|---|---|---|---|
PCI 1-2-1b - Inbound Traffic Daily | DNIF | ||||
PCI 1-2-1 Outbound Traffic Daily | DNIF | ||||
PCI 5-2 Top Malware Activity Daily | DNIF | ||||
PCI 10-2 - User Accounts Additions Daily | DNIF | ||||
PCI 8-1 - User Account Changes Daily | DNIF | ||||