Question more?? Blue Team in your Organisation

security essentials examples

Hacker Flair
Sep 3, 2018 · 2 min read

Web Server (Apache or IIS)

  • HTTP Brute Force Activity Detected
  • External Website Attack
  • Potential Webshell Activity
  • SQL Injection with Long URLs
  • Unusually Long Content-Type Length
  • Detect Excessive Increase in HTTP Error Codes by Src

VPN

  • Unusually Long VPN Session
  • Unusual VPN Login Geo-location

Email

  • Email Attachments With Lots Of Spaces
  • Threat Activity Detected
  • Emails from Outside the Organization with Company Domains
  • User with Increase in Outgoing Email
  • Emails with Lookalike Domains
  • High Volume Email Activity to Non-corporate Domains by User

Logs (system and security logs)

  • Recurring Infection on Host
  • Expected Host Not Reporting — in Category
  • Same Error On Many Servers Detected
  • Geographically Improbable Access Detected against Category
  • Increase in # of Hosts Logged into
  • Newly Seen Authentication Behavior from VIP or Executive User
  • Brute Force Access Behavior Detected — Against Category
  • User Logged into In-Scope System They Should Not Have
  • Hosts with Varied and Future Timestamps
  • Watchlisted Event Observed
  • Hosts Where Security Sources Go Quiet
  • Suspicious Network Exploration

Bug Tracking (JIRA, Bugzilla, etc.)

  • Untriaged Notable Events
  • Monitor Execution of Triage Activity

Source Code (Git, SVN, etc.)

  • First Time Accessing an Internal Git Repository Not Viewed by Peers
  • First Time Accessing an Internal Git Repository
  • Increase in Source Code (Git) Downloads

Network Level

  • Download from Internal Server
  • Basic Scanning
  • New Connection to In-Scope Device
  • Basic TOR Traffic Detection
  • Unusual Network Activity

AV

  • High Or Critical Priority Host With Malware Detected
  • Host With Multiple Infections
  • Basic Malware Outbreak
  • In-Scope Device with Outdated Anti-Malware Found
  • High Number of Hosts Not Updating Malware Signatures
  • Recurring Infection on Host

IDS/IPS

  • Vulnerability Scanner Detected (by targets)
  • Vulnerability Scanner Detected (by events)
  • Network Intrusion Event Detected on Malware Infected Host
  • Chained Exploit Followed by Suspicious Events Detected
  • Network Intrusion Internal Network
  • External Alarms

Malware detection

  • Threat Activity Detected
  • Network Malware Detection

Backups

  • Monitor Unsuccessful Backups
  • Monitor Successful Backups

DNS

  • Threat Activity Detected
  • Detect Long DNS TXT Record Response
  • Excessive DNS Failures (ESCU)
  • Blacklisted Domain
  • Suspicious Domain Communication
  • Domain Name Anomaly

DLP

  • First Time USB Usage
  • Detect USB device insertion
  • Multiple DLP Alarms
  • Unusual USB Activity

AWS Specific (IAM and CloudTrail)

  • AWS Unusual Amount of Modifications to ACLs
  • AWS New API Call Per User
  • AWS New API Call Per Peer Group
  • AWS Instance Modified by Unusual User
  • AWS Instance Created by Unusual User
  • AWS Cloud Provisioning Activity from Unusual IP
  • AWS Cloud Provisioning Activity from Unusual Country
  • AWS APIs Called More Often Than Usual Per User
  • Geographically Improbable Access Detected against Category
  • Auditing Overview of Data Processing Systems
  • Expected Host Not Reporting

Patch Management

  • No Windows/Linux Updates in Time-frame

Written by

Secure It - Run Your Applications Confidently
