Question more?? Blue Team in your Organisation
security essentials examples
Sep 3, 2018 · 2 min read
Web Server (Apache or IIS)
- HTTP Brute Force Activity Detected
- External Website Attack
- Potential Webshell Activity
- SQL Injection with Long URLs
- Unusually Long Content-Type Length
- Detect Excessive Increase in HTTP Error Codes by Src
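Three of the web-server use cases above, run over a constructed Apache combined-format access log. This is an added example for this page, not code from the original post or from any SIEM's content pack; the log lines, the per-source error baseline and the thresholds (five failed logins, ten errors at three times baseline, a 100-character URL) are assumptions chosen so the sample triggers each rule once.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache combined-format access log (not real traffic):
#  - 203.0.113.7   hammers POST /login and collects six 401s
#  - 198.51.100.23 produces twelve 404s in one window
#  - 192.0.2.44    sends one very long, URL-encoded UNION SELECT payload
#  - 10.0.0.5      is ordinary traffic, including one successful login
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 - - [03/Sep/2018:10:00:{i:02d} +0000] "POST /login HTTP/1.1" 401 512 "-" "curl/7.61.0"'
     for i in range(6)]
    + [f'198.51.100.23 - - [03/Sep/2018:10:01:{i:02d} +0000] "GET /old/page{i} HTTP/1.1" 404 210 "-" "Mozilla/5.0"'
       for i in range(12)]
    + ['192.0.2.44 - - [03/Sep/2018:10:02:00 +0000] "GET /item.php?id=1%27%20UNION%20SELECT%20username%2Cpassword'
       '%2C3%2C4%2C5%2C6%2C7%2C8%2C9%2C10%2C11%2C12%2C13%2C14%2C15%2C16%2C17%2C18%2C19%2C20%2C21%2C22%2C23%2C24'
       '%2C25%2C26%2C27%2C28%2C29%2C30%20FROM%20users--%20 HTTP/1.1" 200 3045 "-" "Mozilla/5.0"',
       '10.0.0.5 - - [03/Sep/2018:10:02:01 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
       '10.0.0.5 - - [03/Sep/2018:10:02:02 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"']
)

# Assumed historical 4xx/5xx counts per source for a comparable window; in a
# SIEM this would come from a summary index or lookup, not a literal dict.
BASELINE = {"198.51.100.23": 2, "203.0.113.7": 1}

# Apache combined log format; only the fields the detections need are captured.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)'
)

# Crude SQL-syntax indicators, checked after URL-decoding the request URI.
SQLI_RE = re.compile(r"(union\s+select|'\s*or\s+|sleep\(|benchmark\(|--\s|/\*)", re.I)


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["status"] = int(ev["status"])
            events.append(ev)
    return events


def http_brute_force(events, auth_path="/login", threshold=5):
    """'HTTP Brute Force Activity Detected': one source accumulating many
    failed (401/403) POSTs against an authentication endpoint."""
    failures = Counter(
        ev["src"] for ev in events
        if ev["method"] == "POST" and ev["uri"].startswith(auth_path)
        and ev["status"] in (401, 403)
    )
    return {src: n for src, n in failures.items() if n >= threshold}


def http_error_spike(events, baseline, ratio=3.0, min_errors=10):
    """'Detect Excessive Increase in HTTP Error Codes by Src': flag a source whose
    4xx/5xx count in this window is both large in absolute terms and several
    times its own baseline (so a busy crawler with a high baseline is not paged)."""
    errors = Counter(ev["src"] for ev in events if ev["status"] >= 400)
    alerts = {}
    for src, n in errors.items():
        base = baseline.get(src, 0)
        if n >= min_errors and n > ratio * max(base, 1):
            alerts[src] = (n, base)
    return alerts


def sqli_long_urls(events, min_len=100):
    """'SQL Injection with Long URLs': unusually long request URIs that also
    carry SQL syntax once percent-encoding is removed."""
    hits = []
    for ev in events:
        decoded = unquote(ev["uri"])
        if len(decoded) >= min_len and SQLI_RE.search(decoded):
            hits.append((ev["src"], decoded))
    return hits


def run_detections(text, baseline):
    events = parse_access_log(text)
    return {
        "brute_force": http_brute_force(events),
        "error_spike": http_error_spike(events, baseline),
        "sqli_long_url": sqli_long_urls(events),
    }


if __name__ == "__main__":
    for name, result in run_detections(SAMPLE_LOG, BASELINE).items():
        print(name, result)
```

The error-spike rule deliberately requires both an absolute floor and a ratio against the source's own baseline; a ratio alone fires on every source that goes from one 404 to four, and an absolute count alone never fires for a source that is normally noisy.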
VPN
- Unusually Long VPN Session
- Unusual VPN Login Geo-location
Email
- Email Attachments With Lots Of Spaces
- Threat Activity Detected
- Emails from Outside the Organization with Company Domains
- User with Increase in Outgoing Email
- Emails with Lookalike Domains
- High Volume Email Activity to Non-corporate Domains by User
Logs (system and security logs)
- Recurring Infection on Host
- Expected Host Not Reporting — in Category
- Same Error On Many Servers Detected
- Geographically Improbable Access Detected against Category
- Increase in # of Hosts Logged into
- Newly Seen Authentication Behavior from VIP or Executive User
- Brute Force Access Behavior Detected — Against Category
- User Logged into In-Scope System They Should Not Have
- Hosts with Varied and Future Timestamps
- Watchlisted Event Observed
- Hosts Where Security Sources Go Quiet
- Suspicious Network Exploration
Bug Tracking (JIRA, Bugzilla, etc.)
- Untriaged Notable Events
- Monitor Execution of Triage Activity
Source Code (Git, SVN, etc.)
- First Time Accessing an Internal Git Repository Not Viewed by Peers
- First Time Accessing an Internal Git Repository
- Increase in Source Code (Git) Downloads
Network Level
- Download from Internal Server
- Basic Scanning
- New Connection to In-Scope Device
- Basic TOR Traffic Detection
- Unusual Network Activity
AV
- High Or Critical Priority Host With Malware Detected
- Host With Multiple Infections
- Basic Malware Outbreak
- In-Scope Device with Outdated Anti-Malware Found
- High Number of Hosts Not Updating Malware Signatures
- Recurring Infection on Host
IDS/IPS
- Vulnerability Scanner Detected (by targets)
- Vulnerability Scanner Detected (by events)
- Network Intrusion Event Detected on Malware Infected Host
- Chained Exploit Followed by Suspicious Events Detected
- Network Intrusion Internal Network
- External Alarms
Malware detection
- Threat Activity Detected
- Network Malware Detection
Backups
- Monitor Unsuccessful Backups
- Monitor Successful Backups
DNS
- Threat Activity Detected
- Detect Long DNS TXT Record Response
- Excessive DNS Failures (ESCU)
- Blacklisted Domain
- Suspicious Domain Communication
- Domain Name Anomaly
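Three of the DNS use cases above (long TXT responses, excessive failures, domain name anomaly) as detection logic over a constructed resolver log. This is an added example, not code from the original post; the tab-separated log format, the query names and the thresholds (255-byte TXT answers, 20 NXDOMAINs per client, a leftmost label of at least 20 characters with Shannon entropy of at least 3.5 bits) are assumptions for the example.

```python
import math
from collections import Counter


def _rec(ts, client, qname, qtype, rcode, answer):
    # Assumed log layout: tab-separated ts, client, qname, qtype, rcode, answer.
    return "\t".join([str(ts), client, qname, qtype, rcode, answer])


# Constructed resolver log (no real hosts or queries).
DNS_LOG = "\n".join(
    [
        _rec(1535968800, "10.0.0.5", "www.example.com", "A", "NOERROR", "93.184.216.34"),
        _rec(1535968801, "10.0.0.5", "example.com", "TXT", "NOERROR", "v=spf1 include:_spf.example.com -all"),
        _rec(1535968802, "10.0.0.5", "wwww.example.com", "A", "NXDOMAIN", "-"),
        # DGA-looking hostname: 24 distinct characters in the leftmost label
        _rec(1535968803, "10.0.0.9", "kq7x9zb2m4vp1ht8wr3n5jc6.example.net", "A", "NOERROR", "198.51.100.77"),
        # tunnelling pattern: hex-encoded label outbound, oversized TXT payload back
        _rec(1535968804, "10.0.0.9", "0123456789abcdef0123456789abcdef01234567.t.example.org", "TXT", "NOERROR",
             "QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo=" * 10),
    ]
    # one misconfigured client asking for 25 names that do not exist
    + [_rec(1535968810 + i, "10.0.0.13", f"host{i}.internal.example.com", "A", "NXDOMAIN", "-")
       for i in range(25)]
)


def parse_dns_log(text):
    fields = ("ts", "client", "qname", "qtype", "rcode", "answer")
    return [dict(zip(fields, line.split("\t", 5))) for line in text.splitlines() if line]


def long_txt_responses(records, max_len=255):
    """'Detect Long DNS TXT Record Response': TXT answers far larger than
    SPF/DKIM/verification records normally are."""
    return [(r["client"], r["qname"], len(r["answer"]))
            for r in records if r["qtype"] == "TXT" and len(r["answer"]) > max_len]


def excessive_dns_failures(records, threshold=20):
    """'Excessive DNS Failures': clients with many NXDOMAIN responses, a common
    side effect of DGA malware probing for a live C2 domain."""
    fails = Counter(r["client"] for r in records if r["rcode"] == "NXDOMAIN")
    return {c: n for c, n in fails.items() if n >= threshold}


def shannon_entropy(s):
    """Bits per character; random-looking labels score near log2(alphabet size)."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def domain_name_anomalies(records, min_len=20, min_entropy=3.5):
    """'Domain Name Anomaly': long, high-entropy leftmost labels. Length and
    entropy are both required so that short real names like 'mail' or long
    dictionary names like 'customer-support-portal' are not flagged."""
    seen = {}
    for r in records:
        label = r["qname"].split(".")[0]
        if len(label) >= min_len:
            h = shannon_entropy(label)
            if h >= min_entropy:
                seen[r["qname"]] = round(h, 2)
    return seen


if __name__ == "__main__":
    recs = parse_dns_log(DNS_LOG)
    print("long TXT:", long_txt_responses(recs))
    print("NXDOMAIN:", excessive_dns_failures(recs))
    print("anomalies:", domain_name_anomalies(recs))
```

Entropy on its own is a weak signal (CDN hostnames and hashed subdomains score high too), which is why the anomaly rule is usually chained with the failure count or the TXT-volume rule on the same client before it becomes a notable event.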
DLP
- First Time USB Usage
- Detect USB device insertion
- Multiple DLP Alarms
- Unusual USB Activity
AWS Specific (IAM and CloudTrail)
- AWS Unusual Amount of Modifications to ACLs
- AWS New API Call Per User
- AWS New API Call Per Peer Group
- AWS Instance Modified by Unusual User
- AWS Instance Created by Unusual User
- AWS Cloud Provisioning Activity from Unusual IP
- AWS Cloud Provisioning Activity from Unusual Country
- AWS APIs Called More Often Than Usual Per User
- Geographically Improbable Access Detected against Category
- Auditing Overview of Data Processing Systems
- Expected Host Not Reporting
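Three of the CloudTrail use cases above ("New API Call Per User", "Cloud Provisioning Activity from Unusual IP", "Instance Created by Unusual User") as baseline-versus-current logic over constructed CloudTrail records. This is an added example, not code from the original post; the field names follow CloudTrail's JSON schema, but the principals, IP addresses, timestamps and the set of calls treated as "provisioning" are assumptions for the example.

```python
import json

# Constructed CloudTrail-style records: a baseline period and the current window.
HISTORY_JSON = """{"Records": [
 {"eventTime": "2018-08-20T09:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
  "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
 {"eventTime": "2018-08-21T09:05:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
 {"eventTime": "2018-08-22T11:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances",
  "sourceIPAddress": "203.0.113.11", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
 {"eventTime": "2018-08-23T11:30:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
  "sourceIPAddress": "203.0.113.11", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}}
]}"""

CURRENT_JSON = """{"Records": [
 {"eventTime": "2018-09-03T08:00:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
  "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
 {"eventTime": "2018-09-03T03:12:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
  "sourceIPAddress": "198.51.100.200", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
 {"eventTime": "2018-09-03T09:00:00Z", "eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
  "sourceIPAddress": "203.0.113.11", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/bob"}},
 {"eventTime": "2018-09-03T09:20:00Z", "eventSource": "iam.amazonaws.com", "eventName": "CreateUser",
  "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
 {"eventTime": "2018-09-03T09:30:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "RunInstances",
  "sourceIPAddress": "autoscaling.amazonaws.com", "userIdentity": {"type": "AWSService", "invokedBy": "autoscaling.amazonaws.com"}}
]}"""

# Assumed list of calls that change infrastructure; extend to taste.
PROVISIONING_CALLS = {"RunInstances", "CreateVpc", "CreateSecurityGroup",
                      "AuthorizeSecurityGroupIngress", "CreateNetworkAclEntry"}
_EMPTY = {"calls": frozenset(), "ips": frozenset()}


def load_records(text):
    return json.loads(text)["Records"]


def actor(ev):
    """Principal to profile. Service-originated calls (autoscaling, etc.) carry
    no human identity and are excluded rather than baselined as a 'user'."""
    ident = ev["userIdentity"]
    if ident.get("type") == "AWSService":
        return None
    return ident.get("arn")


def build_baseline(history):
    """Per-actor set of API calls and source IPs seen during the baseline period."""
    base = {}
    for ev in history:
        a = actor(ev)
        if a:
            prof = base.setdefault(a, {"calls": set(), "ips": set()})
            prof["calls"].add(ev["eventName"])
            prof["ips"].add(ev["sourceIPAddress"])
    return base


def new_api_calls_per_user(events, baseline):
    """'AWS New API Call Per User': a never-before-seen actor trips this for every call."""
    return [(a, ev["eventName"]) for ev in events
            if (a := actor(ev)) and ev["eventName"] not in baseline.get(a, _EMPTY)["calls"]]


def provisioning_from_unusual_ip(events, baseline):
    """'AWS Cloud Provisioning Activity from Unusual IP'."""
    return [(a, ev["eventName"], ev["sourceIPAddress"]) for ev in events
            if (a := actor(ev)) and ev["eventName"] in PROVISIONING_CALLS
            and ev["sourceIPAddress"] not in baseline.get(a, _EMPTY)["ips"]]


def instance_created_by_unusual_user(events, baseline):
    """'AWS Instance Created by Unusual User': RunInstances by an actor with no history of it."""
    return sorted({a for ev in events
                   if (a := actor(ev)) and ev["eventName"] == "RunInstances"
                   and "RunInstances" not in baseline.get(a, _EMPTY)["calls"]})


if __name__ == "__main__":
    base = build_baseline(load_records(HISTORY_JSON))
    cur = load_records(CURRENT_JSON)
    print(new_api_calls_per_user(cur, base))
    print(provisioning_from_unusual_ip(cur, base))
    print(instance_created_by_unusual_user(cur, base))
```

In the sample, bob's RunInstances from an address he has never used fires all three rules, while alice's CreateUser is new for her but comes from her usual address and is not a provisioning call, so only the first rule notices it. Stacking the rules per actor is what turns "new API call" (noisy) into a useful notable event.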
Patch Management
- No Windows/Linux Updates in Time-frame
