General Rule

| S. No. | Sub Category | Applicable Event Sources | Use Case |
|---|---|---|---|
| 1 | Web Attacks | Web Server | Google Hacking attempts |
| 2 | Web Attacks | Web Server | Web attacks such as URL guessing or man-in-the-middle detected |
| 3 | Web Attacks | Web Server | Server error codes detected in web server logs |
| 4 | Web Attacks | Web Server | Vulnerability scanning using scanners such as Nessus or Qualys |
| 5 | Web Attacks | Web Server | SQL injection attempts |
| 6 | Web Attacks | Web Server | Malware injection attempts on web servers using XSS |
| 7 | Web Attacks | Web Server | Phishing site detection using Referer logs |
| 8 | Web Attacks | Web Server | Script injection attack |
| 9 | Web Attacks | Web Server | Monitoring directory traversal attempts |
| 10 | Web Attacks | Web Server | Web server availability tracking alerts |
| 11 | Web Attacks | Web Server | Suspicious HTTP return codes |
| 12 | Web Attacks | Web Server | Suspicious web methods used |
| | Web Attacks | Web Server | Probable Successful Attack – Probable Redirect Attack |
| 13 | Network Attacks | Network Firewall | Port scan followed by exploit |
| 14 | Network Attacks | Network Firewall | Sudden surge in volume of accepts to a destination |
| 15 | Network Attacks | Network Firewall | Sudden surge in volume of denies to a destination |
| 16 | Network Attacks | Network Firewall | Firewall repetitive block from a source |
| 17 | Network Attacks | Network Firewall | Firewall accept after repetitive blocks |
| 18 | Network Attacks | Network Firewall | DoS attempt detected by firewall |
| 19 | Network Attacks | Network Firewall | IRC botnet infected system |
| 20 | Network Attacks | Network Firewall | DoS attempt on hosts/network/services behind firewall |
| 21 | Network Attacks | Network Firewall | Scanning for multiple ports on a single host |
| 22 | Network Attacks | Network Firewall | Scanning for multiple hosts on single/different ports |
| 23 | Network Attacks | Network Firewall | ICMP traffic spike |
| 24 | Network Attacks | Network Firewall | SYN traffic spike |
| 25 | Network Attacks | Network Firewall | TCP traffic spike |
| 26 | Network Attacks | Network Firewall | UDP traffic spike |
| 27 | Network Attacks | Network Firewall | Confirmed Skype activity |
| 28 | Network Attacks | Network Firewall | Traffic to external NetBIOS ports |
| 29 | Network Attacks | Network Firewall | ZBot P2P command and control |
| 30 | Network Attacks | Network Firewall | Possible DNSChanger infection |
| 31 | Network Attacks | Network Firewall | Multiple firewall accesses from same source to multiple countries |
| 32 | Network Attacks | Network Firewall | Attempt to contact external DNS provider |
| 33 | Network Attacks | Network Firewall | Possible HTTP POST exfiltration attempt |
| 34 | Network Attacks | Network Firewall | Possible FTP data exfiltration attempt |
| 35 | Network Attacks | Network Firewall | RDP successful connection to foreign country |
| 36 | Network Attacks | Network Firewall | SSH successful connection to foreign country |
| 37 | Network Attacks | Network Firewall | Communication to C&C server detected |
| 38 | Network Attacks | Network Firewall | Possible DDoS attack on email gateway |
| 39 | Network Attacks | Network Firewall | Botnet detected in the network |
| 40 | Network Attacks | Network Firewall | Malicious port activity - external to internal - allowed |
| 41 | Network Attacks | Network Firewall | Malicious port activity - internal to external |
| 42 | Network Attacks | Network Firewall | Rogue DNS server traffic |
| 43 | Network Attacks | Network Firewall | RDP successful connection from foreign country |
| 44 | Network Attacks | Network Firewall | Possible uTorrent activity |
| 45 | Network Attacks | Network Firewall | Traffic to/from suspicious geographies |
| 46 | Network Attacks | Network Firewall | FTP zero-byte file upload |
| 47 | Network Attacks | DNS Logs | Single internal machine trying to resolve multiple external IPs |
| 48 | Network Attacks | IDS/IPS | Denial of service attack |
| 49 | Network Attacks | IDS/IPS | P2P traffic detected in the network |
| 50 | Network Attacks | HIPS | Possible SAM service brute force sourced from client |
| 51 | Network Attacks | IDS/IPS | Blackhole Exploit Kit |
| 52 | Network Attacks | IDS/IPS | Trojan.ZeroAccess and rogue TLD |
| 53 | Network Attacks | IDS/IPS | Possible W32.Dasher |
| 54 | Network Attacks | IDS/IPS | Possible Flashback.Trojan |
| 55 | Network Attacks | IDS/IPS | Backdoor activity detected in the network |
| 56 | Network Attacks | IDS/IPS | IP spoof attack detected |
| 57 | Network Attacks | IDS/IPS | Multiple IPS signatures triggered for same target IP |
| 58 | Network Attacks | IDS/IPS | Multiple IPS signatures triggered from same IP |
| 59 | Network Attacks | IDS/IPS | HTTPS tunnel activity detected in the network |
| 60 | Network Attacks | IDS/IPS | Network attacks - man in the middle |
| 61 | Network Attacks | IDS/IPS | SYN flood attack |
| 62 | Network Attacks | IDS/IPS | Network port scan |
| 63 | Network Attacks | Router | High number of denied traffic from particular source IP |
| 64 | Network Attacks | Router | DoS attacks on routers |
| 65 | Network Attacks | Email/SMTP Server | High number of mails to unique internal address with same From: address |
| 66 | Network Attacks | Email/SMTP Server | High number of rejected mails from single From: address |
| 67 | Network Attacks | Network Devices | Brute force network device login |
| 68 | Network Attacks | Wireless | Wireless insecure AP detected |
| 69 | Network Attacks | DHCP | High number of DHCP requests from same MAC address |
| | Network Attacks | Network Firewall, OS | Attack from source having reconnaissance history |
| | Network Attacks | Network Firewall | Possible internal network sweep |
| | Network Attacks | Network Firewall | Possible outbound network sweep |
| | Network Attacks | Network Firewall, OS | Suspicious communication from attacked target |
| | Network Attacks | Network Firewall, OS | Attack from suspicious source |
| | Network Attacks | Network Firewall | Suspicious activity - packet manipulation |
| | Network Attacks | IDS/IPS | High number of IDS alerts for backdoor |
| | Network Attacks | Network Firewall | Firewall – pass after repetitive blocks |
| | Network Attacks | Network Firewall | Firewall – repetitive block – in progress |
| | Network Attacks | Network Firewall | Firewall – host port scan |
| | Network Attacks | Network Firewall | Firewall – application protocol scan |
| | Network Attacks | Network Firewall | Firewall – network port scan |
| 70 | System Attacks | Windows | Security software has been disabled |
| 71 | System Attacks | Windows | User attempted to install a service |
| 72 | System Attacks | Windows | Windows audit log cleared |
| 73 | System Attacks | Windows | Windows user account created and deleted within 1 hour |
| 74 | System Attacks | Windows | Windows account created and high account activity within 1 hour |
| 75 | System Attacks | Windows | High number of new users added within 1 hour |
| 76 | System Attacks | Windows | High number of user accounts deleted/disabled within 1 hour |
| 77 | System Attacks | Windows | Multiple password changes for different user IDs from same IP address |
| 78 | System Attacks | Windows | Password reset soon after login |
| 79 | System Attacks | Windows | Password reset not preceded by lockout |
| 80 | System Attacks | Windows | Host port scan |
| | System Attacks | Windows, VA Scanner | SANS Top 20 OS (v6.01) - Microsoft Task Scheduler Service Vulnerabilities |
| | System Attacks | Network Firewall, VA Scanner | SANS Top 20 OS (v6.01) - Microsoft WINS Vulnerabilities |
| | System Attacks | Network Firewall, VA Scanner | SANS Top 20 OS (v6.01) - Microsoft SMB Service Vulnerabilities |
| | System Attacks | Windows | SANS Top 20 Email (v6.01) - Microsoft Office XP Buffer Overflow Vulnerabilities |
| | System Attacks | Network Firewall, VA Scanner | SANS Top 20 OS (v6.01) - Microsoft Plug and Play Service Vulnerabilities |
| | System Attacks | Network Firewall | SANS Top 20 OS (v6.01) - Microsoft NetDDE Service Vulnerabilities |
| | System Attacks | Network Firewall, VA Scanner | SANS Top 20 OS (v6.01) - Microsoft NNTP Service Vulnerabilities |
| | System Attacks | Network Firewall, VA Scanner | SANS Top 20 OS (v6.01) - Microsoft License Logging Service Vulnerabilities |
| | System Attacks | Network Firewall | SANS Top 20 OS (v6.01) - Microsoft Exchange SMTP Service Vulnerabilities |
| | System Attacks | Network Firewall | SANS Top 20 OS (v6.01) - Microsoft MSDTC and COM Service Vulnerabilities |
| | System Attacks | Network Firewall | SANS Top 20 OS (v6.01) - Microsoft Message Queuing Service Vulnerabilities |
| | System Attacks | Network Firewall, VA Scanner | SANS Top 20 Email (v6.01) - Microsoft OLE and COM Remote Code Execution Vulnerabilities |
| | System Attacks | Network Firewall | Blaster infected host |
| | System Attacks | Web Proxy | Blaster DDoS from infected host |
| | System Attacks | OS, Devices | Multi-host application brute force logins |
| | System Attacks | IDS/IPS, VA Scanner | Open vulnerability exploit |
| | System Attacks | IDS/IPS, OS | Probable Successful Attack – DoS |
| | System Attacks | OS, Devices | Application brute force logins |
| | System Attacks | OS | Probable Attack – Script Attack |
| | System Attacks | IDS/IPS, OS | Probable Successful Attack – Exploit |
| | System Attacks | OS, Devices | Brute force attempt on multiple devices, servers, DBs, applications |
| | System Attacks | OS, Devices | High severity events on multiple devices, servers, DBs, applications from the same source |
| 81 | Access & Authorization Violation | Windows | Windows multiple login failures for same account |
| 82 | Access & Authorization Violation | Windows | Windows multiple login failures for different accounts |
| 83 | Access & Authorization Violation | Windows | Windows multiple logins by same account from different desktops |
| 84 | Access & Authorization Violation | Windows | The account was locked at the time the logon attempt was made |
| 85 | Access & Authorization Violation | Windows | Multiple login attempts to locked Windows account |
| 86 | Access & Authorization Violation | Windows | Multiple login attempts to expired Windows account |
| 87 | Access & Authorization Violation | Windows | Activity from employees logged out of physical security system |
| 88 | Access & Authorization Violation | Unix | Multiple password changes for different user IDs from same IP address |
| 89 | Access & Authorization Violation | Unix | Password reset soon after login |
| 90 | Access & Authorization Violation | Unix | Linux brute force login attempt from single source |
| 91 | Access & Authorization Violation | Unix | Root logins from untrusted network |
| 92 | Access & Authorization Violation | Network Firewall | Multiple login failures on firewall |
| 93 | Access & Authorization Violation | Proxy Server | Access to remote-desktop-access site |
| 94 | Access & Authorization Violation | Proxy Server | Anonymous proxy access |
| 95 | Access & Authorization Violation | Proxy Server | Hacker tool website access |
| 96 | Access & Authorization Violation | VPN | Multiple login failures for same VPN user ID |
| 97 | Access & Authorization Violation | VPN | Multiple login attempts for different user IDs from same IP |
| 98 | Access & Authorization Violation | VPN | Password change attempt for multiple user IDs from same IP |
| 99 | Access & Authorization Violation | Database | Multiple failed database access attempts |
| 100 | Access & Authorization Violation | Database | Multiple commands executed on the same DB server within a short span |
| 101 | Access & Authorization Violation | Database | Database brute force login success |
| 102 | Access & Authorization Violation | Database | Unauthorized access to critical databases |
| 103 | Access & Authorization Violation | Wireless | Wireless unauthorized login attempts |
| 104 | Access & Authorization Violation | Wireless | Anonymous login from unknown IP address |
| 105 | Malware Detection | Network Firewall | Detect malware beacons |
| 106 | Malware Detection | Network Firewall | Bozori infected system |
| 107 | Malware Detection | Network Firewall | IRC botnet detection |
| 108 | Malware Detection | Network Firewall | Traffic on known malware ports |
| 109 | Malware Detection | IDS/IPS | Virus/worm propagation - internal network scans on a single port |
| 110 | Malware Detection | IDS/IPS | Virus/worm propagation - multiple AD account lockouts |
| 111 | Malware Detection | IDS/IPS | Worm activity detected |
| 112 | Malware Detection | IDS/IPS | High number of IDS alerts detected for malware |
| 113 | Malware Detection | Anti Virus | System with virus detected but not cleaned |
| 114 | Malware Detection | Anti Virus | Conficker worm found |
| 115 | Malware Detection | Anti Virus | System with high number of virus infections within 1 hour |
| 116 | Malware Detection | Anti Virus | Malicious code detected, not quarantined |
| 117 | Malware Detection | Anti Virus | Malicious code outbreak on multiple systems |
| 118 | Malware Detection | Proxy Server | Access attempts by botnet identified by HTTP request header |
| 119 | Malware Detection | URL Filter | Web filtering - spyware traffic in the network |
| 120 | Malware Detection | Anti Virus | Shamoon virus detected by AV |
| 121 | Malware Detection | Firewall | W32.ChangeUp firewall communication detected (outbound) |
| 122 | Malware Detection | Firewall | W32.ChangeUp detection |
| 123 | Malware Detection | Firewall | Traffic from or to Shamoon virus server |
| 124 | Malware Detection | URL Filter | Web filtering - detection of phishing, key logger and malicious code |
| 125 | Advanced Target Attacks Detection | Cross Correlation | IE zero-day suspicious communication |
| 126 | Data Security | Windows | Windows sensitive file access |
| 127 | Data Security | Windows | Excessive file deletion/modification within 1 hour |
| 128 | Data Security | Email/SMTP Server | Employees responding to email outbreak |
| 129 | Data Security | Email/SMTP Server | Email discovery attack detected |
| 130 | Data Security | Email/SMTP Server | High number of outbound emails from internal address after business hours |
| 131 | Data Security | URL Filter | Web filtering - data leakage detected |
| 132 | Unauthorized or Insecure Configurations | Network Firewall | Firewall rule base change allows traffic on insecure protocols |
| 133 | Unauthorized or Insecure Configurations | IDS/IPS | IDS misconfiguration alerts |
| 134 | Suspicious communication with blacklisted | Network Firewall | Traffic from/towards blacklisted IP address listed by DShield/other feeds |
| 135 | Suspicious communication with blacklisted | Web Server | Web request from blacklisted IP address |
| 136 | Suspicious communication with blacklisted | URL Filter | Traffic towards malicious domain |
| 137 | Suspicious communication with blacklisted | DNS Logs | Malicious DNS domain query request |
| 138 | Suspicious communication with blacklisted | DNS Logs | Multiple PCs trying to resolve same malicious hostname/IP |
| 139 | Suspicious communication with blacklisted | Email/SMTP Server | Email gateway accepting traffic from malicious source |
| 140 | Network Attacks | Firewall | Aggressive ICMP scan start detected |
| 141 | Network Attacks | Firewall | Aggressive UDP scan start detected |
| 142 | Network Attacks | Firewall | Aggressive_TCP_Scan_Started |
| 143 | Network Attacks | Firewall | Analyzer FTP Brute Force |
| 144 | Network Attacks | Firewall | Analyzer_DirectConnect-Client-To-Client-Handshake-DDoS |
| 145 | Network Attacks | Firewall | Analyzer_Executable-Upload-After-Attack |
| 146 | Network Attacks | Firewall | Analyzer_FTP-Brute-Force-Attack-Success |
| 147 | Network Attacks | Firewall | Anti-Virus Buffering Limit Exceeded |
| 148 | Network Attacks | Firewall | Attack followed by executable upload |
| 149 | Malware Detection | Firewall | BackDoor program request |
| 150 | Malware Detection | Firewall | BD-TCP_BackDoor-Response |
| 151 | Network Attacks | Firewall | DNS additional record cache poisoning |
| 152 | Suspicious communication with blacklisted | Firewall | Malicious URI request accepted by the server |
| 153 | Network Attacks | Firewall | Reverse shell after an attack |
| 154 | Network Attacks | Firewall | Reverse shell after suspected attack |
| 155 | Network Attacks | Firewall | Shell after attack |
| 156 | Network Attacks | Firewall | Suspected attack followed by executable upload |
| 157 | Malware Detection | Firewall | Trojan FakeAV check-in |
| 158 | Malware Detection | Firewall | Trojan FakeAV file download detected |
| 159 | Malware Detection | Firewall | Username SQL injection allows unauthorized login |
Threshold column (values in column order as exported; the export did not keep each value's row, so this list is not aligned with the table above and contains fewer entries than the table has rows)

1 in 2 minutes
5 in 5 minutes
5 in 5 minutes
(empty)
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
5 in 5 minutes
1 in 2 minutes
(empty)
1 in 5 minutes
(empty)
10 in 3 minutes
1 in 1 minute
20 in 2 minutes
(empty)
2 in 3 minutes
30 in 2 minutes
200 in 1 minute
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
(empty)
5 in 1 minute
(empty)
1 in 1 second
10 matches in 2 minutes
1 in 1 second
1 in 1 second
1 in 1 second
1 in 1 minute
1 in 1 minute
1 in 1 minute
500 in 10 seconds
10 in 15 minutes
1 in 2 minutes
5 in 5 minutes
1 in 2 minutes
1 in 1 minute
5 in 1 minute
10 in 5 minutes
3 in 2 minutes
5 in 2 minutes
(empty)
5 in 5 minutes
(empty)
20 in 2 minutes
5 in 3 minutes
10 in 2 minutes
(empty)
40 in 1 minute
40 in 1 minute
(empty)
5 in 5 minutes
10 in 1 minute
2000 in 1 minute
30 in 2 minutes
(empty)
200 in 1 minute
(empty)
1 in 2 minutes
1 in 2 minutes
1 in 1 minute
(empty)
5 in 10 minutes
100 in 30 minutes
(empty)
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
(empty)
100 in 5 minutes
(empty)
100 in 5 minutes
5 in 15 minutes
(empty)
100 in 30 minutes
(empty)
1 in 2 minutes
(empty)
3 in 5 minutes
3 in 5 minutes
(empty)
1 in 2 minutes
(empty)
1 in 2 minutes
(empty)
1 in 2 minutes
1 in 1 minute
(empty)
10 in 5 minutes
(empty)
5 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
(empty)
1 in 2 minutes
10 in 2 minutes
1 in 2 minutes
30 in 1 hour
150 in 1 minute
(empty)
20 in 5 minutes
1 in 2 minutes
2 in 5 minutes
1 in 2 minutes
10 in 2 minutes
5 in 2 minutes
1 in 2 minutes
10 in 5 minutes
5 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
| S. No. | Sub Category | Applicable Event Sources | Use Case | Threshold |
|---|---|---|---|---|
| 1 | Change Management/Configuration Violations | Windows | Created user does not match naming policy | 1 in 1 second |
| 2 | Change Management/Configuration Violations | Windows | Administrative group membership changed | 1 in 1 second |
| 3 | Change Management/Configuration Violations | Windows | An audit policy was changed | 1 in 2 minutes |
| 4 | Change Management/Configuration Violations | Windows | USB device attached to high-value system | 1 in 1 second |
| 5 | Change Management/Configuration Violations | Windows | System restart at unscheduled time | 1 in 1 second |
| 6 | Change Management/Configuration Violations | Windows | Non-privileged user ID added to privileged administrator group | 1 in 2 minutes |
| 7 | Change Management/Configuration Violations | Windows | Security log is full | 1 in 2 minutes |
| 8 | Change Management/Configuration Violations | Network Firewall | Unauthorized firewall rule base changes | 1 in 2 minutes |
| 9 | Change Management/Configuration Violations | Anti Virus | Anti-virus agent uninstalled | |
| 10 | Change Management/Configuration Violations | Anti Virus | Anti-virus agent disabled | 1 in 1 minute |
| 11 | System Access Violations | Windows | Access using built-in default guest account | 1 in 1 second |
| 12 | System Access Violations | Windows | Authentication attempted to non-existing account | 1 in 1 minute |
| 13 | System Access Violations | Windows | Login attempt from different desktops for the same user account | 2 in 10 minutes |
| 14 | System Access Violations | Windows | Insider threat - deleted user account access attempt | 1 in 1 minute |
| 15 | System Access Violations | Windows | User connecting with two different user names | 2 in 5 minutes |
| 16 | System Access Violations | Windows | Interactive or RDP login using service account detected | 1 in 2 minutes |
| 17 | System Access Violations | Windows | A logon attempt was made by a user who is not allowed to log on to this computer | |
| 18 | System Access Violations | Unix | SUDO privilege escalation failed | |
| 19 | System Access Violations | Unix | Direct login using root user ID | 1 in 1 minute |
| 20 | System Access Violations | Network Firewall | Firewall access from non-admin IPs | 1 in 1 minute |
| 21 | System Access Violations | Database | Access to database from unauthorized terminals | |
| 22 | System Access Violations | Database | Logins using non-standard user ID as per organization policy | |
| 23 | Data Access Violations | Email/SMTP Server | Large emails to competition organization | 5 in 2 minutes |
| 24 | Data Access Violations | Email/SMTP Server | Traffic from competition organization | 5 in 2 minutes |
| 25 | Data Access Violations | Email/SMTP Server | Large emails to public webmail servers | 5 in 2 minutes |
| 27 | Data Access Violations | Database | DBA user updating customer name and address | 1 in 2 minutes |
| 28 | Data Access Violations | Proxy Server | Content access violation | |
| 29 | Network Access Violations | Network Firewall | Traffic on insecure protocols: FTP, VNC, Telnet, etc. | 1 in 1 minute |
| 30 | Network Access Violations | Windows | Windows - cleartext password shared over network | 1 in 1 minute |
| 31 | Network Access Violations | DHCP Logs | Unauthorized PC connected to corporate network | 1 in 1 minute |
| 32 | Network Access Violations | URL Filter | Users violating organization internet policy | |
| 33 | Application Access Violations | | | |
| 34 | Standards & Regulations (PCI, ISO 27001, RBI) | Windows | Dormant computer detected | 1 in 2 minutes |
| 35 | Standards & Regulations (PCI, ISO 27001, RBI) | Windows | Dormant account detected | 1 in 2 minutes |
| 36 | Data Access Violations | Database | Database admin changed card number | 1 in 2 minutes |
| 37 | Data Access Violations | Database | Database admin changed credit limit | 1 in 2 minutes |
| 38 | Data Access Violations | Database | Database admin changing CVV number | 1 in 2 minutes |
| 39 | Data Access Violations | Database | Database admin changed expiry date | 1 in 2 minutes |
| 40 | Data Access Violations | Database | Database admin changed mobile number | 1 in 2 minutes |
| 41 | Data Access Violations | Database | Database admin changed user name field in banking database | 1 in 2 minutes |
| 42 | Data Access Violations | Database | Database admin changing address | 1 in 2 minutes |
| 43 | Data Access Violations | Database | Alert: database admin changing card status | 1 in 2 minutes |
| 44 | Data Access Violations | Database | Database admin changing track data | 1 in 2 hours |
| 45 | Data Access Violations | Database | Database critical command executed on internet banking databases | 1 in 2 hours |
| 46 | System Access Violation | Windows | Detection of server shutdown/reboot after office hours | 1 in 2 minutes |
| 47 | User Access Violation | Windows | Failed login with admin IDs | 25 in 10 minutes |
| 48 | User Access Violation | Windows | Failed login with disabled account | 1 in 2 minutes |
| 49 | User Access Violation | Windows | High number of users created within a short period of time | 10 in 20 minutes |
| 50 | User Access Violation | Windows | High number of users removed within a short period of time | 10 in 5 minutes |
| 51 | User Access Violation | Windows | High number of Windows login failures | 50 in 10 minutes |
| 52 | Network Access Violations | Antivirus | Detection of backdoor traffic | 1 in 5 minutes |
| 53 | Network Access Violations | Antivirus | Detection of virus outbreak | 50 in 15 minutes |
| 54 | Network Access Violations | Antivirus | Detection of worm outbreak | 1 in 5 minutes |
| S. No. | Sub Category | Applicable Event Sources | Use Case | Threshold |
|---|---|---|---|---|
| 1 | Privileged User Activity Monitoring | Windows | Login failure for user account in administrators group | 1 in 2 minutes |
| 2 | Privileged User Activity Monitoring | Windows | Password changed for administrator | 1 in 2 minutes |
| 3 | Privileged User Activity Monitoring | Windows | New member added to domain admin group | 1 in 2 minutes |
| 4 | Privileged User Activity Monitoring | Windows | New local admin account created | 1 in 1 minute |
| 5 | Privileged User Activity Monitoring | Unix | SU login failures | 3 in 5 minutes |
| 6 | Privileged User Activity Monitoring | Unix | Root login failure | 5 in 2 minutes |
| 7 | Privileged User Activity Monitoring | Unix | Password change for root user | |
| 8 | Privileged User Activity Monitoring | Network Firewall | Firewall administrator login failures | 1 in 2 minutes |
| 9 | Privileged User Activity Monitoring | Network Firewall | Admin user added/deleted | |
| 10 | Privileged User Activity Monitoring | Database | DBA login failure | |
| 11 | Privileged User Activity Monitoring | Database | Grant of role and privileges | |
| 12 | Privileged User Activity Monitoring | Database | Password change for DBA | |
| 13 | Privileged User Activity Monitoring | Database | Successful login by DBA after business hours | |
| 14 | Privileged User Activity Monitoring | Database | Non-DBA users added to DBA role | |
| 15 | System & Application Management | Windows | Windows shutdown and reboot | 1 in 2 minutes |
| 16 | System & Application Management | Windows | Windows abnormal shutdown | 1 in 2 minutes |
| 17 | System & Application Management | Windows | A user attempted to install a service | 1 in 1 minute |
| 18 | System & Application Management | Windows | Critical service stopped on Windows hosts | 1 in 2 minutes |
| 19 | System & Application Management | Windows | SNMP authentication failure | |
| 20 | System & Application Management | Windows | Low disk space warning | |
| 21 | System & Application Management | Unix | Unix service stop | 1 in 2 minutes |
| 22 | System & Application Management | Unix | Linux NIC has gone down | 1 in 1 minute |
| 23 | System & Application Management | Unix | Unix machine not added to OU | 1 in 1 minute |
| 24 | System & Application Management | Unix | Linux power down | 1 in 1 minute |
| 25 | System & Application Management | Unix | RAID failure | 1 in 1 minute |
| 26 | System & Application Management | Unix | Linux device left promiscuous mode | 1 in 1 minute |
| 27 | System & Application Management | Unix | Linux SCSI USB attached to Linux system | 1 in 1 minute |
| 28 | System & Application Management | Unix | Unix shutdown and reboot | 1 in 2 minutes |
| 29 | System & Application Management | Unix | SNMP authentication failure | |
| 30 | System & Application Management | Network Firewall | Firewall interface status change | 1 in 2 minutes |
| 31 | System & Application Management | Network Firewall | Firewall critical errors | 3 matches in 5 minutes |
| 32 | System & Application Management | Network Firewall | Firewall interface disconnected | 1 in 2 minutes |
| 33 | System & Application Management | Network Firewall | Firewall service stops | 1 in 2 minutes |
| 34 | System & Application Management | Network Firewall | Firewall low disk space alert | 1 in 2 minutes |
| 35 | System & Application Management | Network Firewall | Firewall CPU usage alert | 1 in 10 minutes |
| 36 | System & Application Management | Network Firewall | Firewall rebooted | 1 in 2 minutes |
| 37 | System & Application Management | Network Firewall | Firewall service restart | 1 in 2 minutes |
| 38 | System & Application Management | Network Firewall | SNMP authentication failure | |
| 39 | System & Application Management | Network Firewall | Top triggered firewall rules | |
| 40 | System & Application Management | Router | Router interface down | 1 in 1 minute |
| 41 | System & Application Management | Router | Router BGP neighbor down | 1 in 1 minute |
| 42 | System & Application Management | Router | SNMP authentication failure | |
| 43 | System & Application Management | Router | Router power supply failure | 1 in 2 minutes |
| 44 | System & Application Management | Switch | Switch interface change | |
| 45 | System & Application Management | Switch | Switch booted up | |
| 46 | System & Application Management | Anti Virus | System with update attempted but failed | |
| 47 | System & Application Management | Anti Virus | System errors detected in anti-virus DAT deployment | |
| 48 | System & Application Management | Email/SMTP Server | Email attachment near the upper threshold defined | |
| 49 | System & Application Management | Email/SMTP Server | SMTP gateway sudden spike in incoming mails | |
| 50 | System & Application Management | Database | Critical commands executed on database | 1 in 2 minutes |
| 51 | System & Application Management | Wireless | Rogue AP detected | |
| 52 | System & Application Management | Wireless | Wireless AP rebooted | |
| 53 | System & Application Management | Wireless | Wireless authorization server is down | |
| 54 | System & Application Management | DHCP | DHCP logs stopped | |
| 55 | System & Application Management | DHCP | DHCP request for statically allocated IP range | |
| 56 | System & Application Management | Citrix | Citrix internal error alerts | |
| 57 | System & Application Management | Citrix | Policy violation in Citrix alerts | |
| 58 | User Management | Windows | User accounts created | 1 in 2 minutes |
| 59 | User Management | Windows | User accounts deleted | 1 in 2 minutes |
| 60 | User Management | Windows | Groups created | |
| 61 | User Management | Windows | Groups deleted | |
| 62 | User Management | Network Firewall | Firewall user added | 1 in 2 minutes |
| 63 | User Management | Network Firewall | Firewall user deleted | 1 in 2 minutes |
| 64 | Configuration Management | Windows | The system time was changed | |
| 65 | Configuration Management | Network Firewall | Firewall rule base change/install | 1 in 2 minutes |
| 66 | Configuration Management | Network Firewall | Firewall log settings changed | |
| 67 | Configuration Management | Network Firewall | Firewall misconfiguration alerts | |
| 68 | Configuration Management | Router | Changes to ACL | |
| 69 | Configuration Management | Router | Changes to router logging level and syslog settings | |
| 70 | Configuration Management | Router | Cisco IOS configuration changes | |
| 71 | Configuration Management | Router | Router misconfiguration alerts | |
| 72 | Configuration Management | Switch | Switch configuration change | 1 in 2 minutes |
| 73 | Configuration Management | Switch | Switch misconfiguration alerts | |
| 74 | Configuration Management | Proxy Server | Proxy configuration changes | |
| 75 | Configuration Management | VPN | VPN configuration change alerts | 1 in 2 minutes |
| 76 | Configuration Management | VPN | VPN misconfiguration alerts | |
| 77 | Configuration Management | Database | Database configuration changes | |
| 78 | Configuration Management | Database | Database password change alert | |
| 79 | Configuration Management | DHCP | DHCP misconfiguration alerts | |
| 80 | Configuration Management | Citrix | Configuration changes in Citrix | 1 in 2 minutes |
| 81 | System Access | Windows | Windows login failure | 10 in 1 minute |
| 82 | System Access | Windows | A user account was locked out | 1 in 2 minutes |
| 83 | System Access | Windows | User attempting excessive printing activity | |
| 84 | System Access | Windows | User attempting printing after office hours | |
| 85 | System Access | Unix | SSH login failure | 3 in 2 minutes |
| 86 | System Access | Router | Login failure | |
| 87 | System Access | Switch | Switch successful login | |
| 88 | System Access | Switch | Switch failed login | |
| 89 | System Access | Proxy Server | Proxy failed login attempt | |
| 90 | System Access | Database | After office hour access to database system | 1 in 1 minute |
| 91 | System Access | Citrix | Citrix login failure | 1 in 2 minutes |
| 92 | Network Access | Network Firewall | Top bandwidth users | |
| 93 | Network Access | Network Firewall | Traffic distribution by protocol | |
| 94 | Web Access | Proxy Server | Pastebin site access | |
| 95 | Data Access | Windows | Windows file/folder permission changes | 1 in 1 minute |
| 96 | Data Access | Windows | Windows file/folder has been deleted | 1 in 1 minute |
| S. No. | Sub Category | Applicable Event Sources | Use Case |
|---|---|---|---|
| 1 | Segregation of Duties Violations | Business Application | Maker/checker logins from same IP |
| 2 | Access Violations | Business Application | Logins during odd working hours from critical application IDs |
| 3 | Access Violations | Business Application | Successful login from dormant user IDs |
| 4 | Access Violations | Business Application | Password brute force on super user accounts |
| 5 | User Management & Authorization Violations | Business Application | Administrative user additions, deletions |
| 6 | User Management & Authorization Violations | Business Application | Changes to dormant, blocked account status |
| 7 | Changes to Critical Business Parameters | Business Application | Interest rate changes |
| 8 | Changes to Critical Business Parameters | Business Application | Limit changes |
| 9 | Changes to Critical Business Parameters | Business Application | Changes to value dates |
| 10 | Changes to Critical Application Management Parameters | Business Application | Creation, deletion & modification of critical application roles/groups |
| 11 | Changes to Critical Application Management Parameters | Business Application | Changes to authorizations for critical application roles/groups |
| 12 | Changes to Critical Application Management Parameters | Business Application | Changes to account & password policies in the application |
| 13 | Changes to Audit Parameters | Business Application | Auditing disabled |
| S. No. | Sub Category | Applicable Event Sources | Use Case | Threshold |
|---|---|---|---|---|
| 1 | Access from Blacklisted/Suspicious Geographies | Internet Banking | Internet banking logins from anonymous proxies | 1 in 1 minute |
| 2 | Access from Blacklisted/Suspicious Geographies | Internet Banking | Phishing IPs logging in to internet banking | 1 in 1 minute |
| 3 | Access from Blacklisted/Suspicious Geographies | Internet Banking | Multiple account lockouts from same IP | |
| 4 | Access from Blacklisted/Suspicious Geographies | Internet Banking | Transactions from suspicious/blacklisted countries | 1 in 2 minutes |
| 5 | Access Violation | ATM Channel | ATM location not matching the customer's profile of access | |
| 6 | Transaction Anomalies | Internet Banking | Transfer/withdrawal beyond specified limits | 1 in 1 second |
| 7 | Transaction Anomalies | Internet Banking | Transfer/withdrawal beyond specified limits during night time | 1 in 1 second |
| 8 | Transaction Anomalies | Internet Banking | Transfer/payment amounts used in previous fraud. Sometimes the transfer amounts are kept below the bank's limits and automated using scripts | |
| 9 | Transaction Anomalies | Internet Banking | New payee registration followed by high-value transaction | 2 in 2 hours |
| 11 | Transaction Anomalies | Internet Banking | Transfers/payments that "empty accounts", which could be automated transfers driven by scripts | |
| 12 | Transaction Anomalies | ATM Channel | ATM withdrawals that are higher than average for the user | |
| 13 | Beneficiary Anomalies | Internet Banking | Money transfer to beneficiary on blacklisted account | |
| 14 | Beneficiary Anomalies | Internet Banking | New destination accounts or payees that have recently been used by many "customers" over a short period of time; the destination accounts are potential mule accounts | |
| 15 | Transaction Velocity Anomalies | Internet Banking | Logins/transactions from different cities in a short period | 2 in 1 hour |
| 16 | Transaction Velocity Anomalies | Internet Banking | Multiple low-value transactions in a short period | 3 in 2 hours |
| 17 | Transaction Velocity Anomalies | Internet Banking | User changed password or mobile number followed by transaction | 1 in 10 minutes |
| 18 | Transaction Velocity Anomalies | Internet Banking | Top 10 money transfers (daily report) | Report |
| 19 | Transaction Velocity Anomalies | Internet Banking | Top 10 payees by value (daily report) | Report |
| 20 | Transaction Velocity Anomalies | Internet Banking | Top 10 payees by count (daily report) | Report |
| 21 | Transaction Velocity Anomalies | ATM Channel | Same ATM card being used for transactions in geographically dispersed ATMs within a short time | |
| 22 | Transaction Velocity Anomalies | ATM Channel | ATM hood opening during odd hours | |
| 23 | Transaction Velocity Anomalies | ATM Channel | ATM cash chest opening during odd hours | |
