Alert Types That Use the Windows Index

The Alert Types listed below use the Windows Index. For a list of Alert Types by each index or XDR Kill Chain stage, or for a general overview, refer to Machine Learning and Analytics Overview.

To minimize excessive alerting, each alert type is triggered only once in a 24-hour period for the set of attributes that triggered that specific alert.

Where applicable, the Tactics and Techniques are linked to the relevant MITRE | ATT&CK page.

Stellar Cyber also provides an interactive tool that lets you look up alert types by data source, alert name, event type, or source index.

Abnormal Parent / Child Process

A process that typically launches a small, consistent number of child processes has launched a new child process. Investigate the new child process or the parent process to see if it is benign.

This alert type has the following subtype categories:

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: XDR EBA (XTA0001)

  • Technique: XDR Process Relationship Anomaly (XT1002)

  • Tags: []

Event Name

The xdr_event.name for this alert type in the Interflow data is parent_child.

Severity

25

Alert Subtype: Machine Learning Anomaly Detection

The xdr_event.subtype.name for this alert subtype in the Interflow data is machine_learning_anomaly_detection.

Key Fields and Relevant Data Points

  • process_name — name of the process
  • parent_proc_name — name of the parent process
  • hostip — host IP address
  • hostip_host — host name
  • stability — score measuring the time since the parent process launched the last child process
  • diversity — score measuring the number of child processes that the parent process spawned
  • days_stable — time since the parent process launched the last child process
  • child_count — number of child processes that the parent process spawned

Use Case with Data Points

Each pair of parent/child processes (parent_proc_name and process_name) is examined periodically. If a parent process (parent_proc_name) that has only a small number of child processes (diversity, child_count) and has not launched a new child process for a long time (stability, days_stable) launches a new child process (process_name) on a host (srcip_host), an alert is triggered.
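The following Python is an added illustration of the parent/child baseline described above; it is not Stellar Cyber's code. It replays constructed process-creation events in time order, keeps the set of child names each parent has spawned per host, and raises an alert only when a parent with a small, long-stable set of children spawns a name it has never spawned before. The MAX_DIVERSITY and MIN_DAYS_STABLE cut-offs are assumptions, since the page does not publish the product's thresholds, and days_stable is taken here as the time since the parent last spawned a new child name.

```python
from collections import defaultdict
from datetime import datetime

# Assumed thresholds for this example; the page does not state the product's own
# cut-offs for a "small" child set or a "long" stable period.
MAX_DIVERSITY = 5      # parent has spawned at most this many distinct child names
MIN_DAYS_STABLE = 30   # ... and no new child name for at least this many days

# Constructed process-creation events: (timestamp, hostip, parent_proc_name, process_name).
# Sample data for this example, not Stellar Cyber Interflow records.
SAMPLE_EVENTS = [
    ("2024-01-01T08:00:00", "10.0.0.5", "services.exe", "svchost.exe"),
    ("2024-01-01T08:00:05", "10.0.0.5", "services.exe", "spoolsv.exe"),
    ("2024-01-05T09:00:00", "10.0.0.5", "explorer.exe", "notepad.exe"),
    ("2024-01-06T09:30:00", "10.0.0.5", "explorer.exe", "chrome.exe"),
    ("2024-02-01T08:00:00", "10.0.0.5", "services.exe", "svchost.exe"),
    ("2024-03-01T08:00:00", "10.0.0.5", "services.exe", "spoolsv.exe"),
    ("2024-03-15T11:22:00", "10.0.0.5", "services.exe", "cmd.exe"),
]


def detect_parent_child_anomalies(events):
    """Replay events in time order and flag a new child spawned by a parent whose
    child set was small and had not grown for a long time. Returned dicts use the
    field names from the alert description (child_count, days_stable, ...)."""
    children = defaultdict(set)   # (hostip, parent) -> child names seen so far
    last_new_child = {}           # (hostip, parent) -> when that set last grew
    alerts = []
    for ts_str, hostip, parent, child in sorted(events):
        ts = datetime.fromisoformat(ts_str)
        key = (hostip, parent)
        if child in children[key]:
            continue  # a relationship already in the baseline: nothing new
        child_count = len(children[key])
        if child_count > 0:
            days_stable = (ts - last_new_child[key]).days
            if child_count <= MAX_DIVERSITY and days_stable >= MIN_DAYS_STABLE:
                alerts.append({
                    "hostip": hostip,
                    "parent_proc_name": parent,
                    "process_name": child,
                    "child_count": child_count,
                    "days_stable": days_stable,
                })
        # A parent seen for the first time only establishes its baseline; either
        # way the new child name joins the set and resets the stability clock.
        children[key].add(child)
        last_new_child[key] = ts
    return alerts


if __name__ == "__main__":
    for alert in detect_parent_child_anomalies(SAMPLE_EVENTS):
        print(alert)
```

In the sample, services.exe has spawned only svchost.exe and spoolsv.exe for 74 days before spawning cmd.exe, which is the one alert; explorer.exe spawning chrome.exe one day after notepad.exe is not stable enough to matter, which is the kind of short-lived baseline a tuned detector must ignore to avoid noise.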

Alert Subtype: Rule Based Detection

The Parent/Child Suspicious Process Creation rules are used to identify suspicious activity with parent/child relationships associated with process creation. Any one or more of these will trigger the Parent/Child Suspicious Process Creation alert types.

Key Fields and Relevant Data Points

  • hostip — host IP address
  • hostip_host — host name
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Parent/Child Suspicious Process Creation Alert Type

Backup Catalogs Deleted by Ransomware

The wbadmin.exe utility was used to delete the backup catalog. Ransomware and other malware do this to prevent system recovery. Check with the user.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: Defense Evasion (TA0005)

  • Technique: Indicator Removal on Host (T1070)

  • Tags: [Malware; Ransomware]

Event Name

The xdr_event.name for this alert type in the Interflow data is ransomware_delete_backup_catalogs.

Severity

80

Key Fields and Relevant Data Points

  • hostip — IP address of the host on which the ransomware action happened
  • hostip_host — host name
  • process_name — name of the executed process
  • event_data.CommandLine — command that was executed to delete the backup catalog

Use Case with Data Points

If wbadmin.exe is used to delete the backup catalog, an alert is triggered. The Interflow includes the host IP address (hostip), process name (process_name), and command line (event_data.CommandLine).

Bad Reputation Login

A successful login was observed from an IP address with a history of malicious activity. Check with the user.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR NBA (XTA0002)

  • Technique: XDR Bad Reputation (XT2010)

  • Tags: [External]

Event Name

The xdr_event.name for this alert type in the Interflow data is bad_reputation_login.

Severity

50

Key Fields and Relevant Data Points

  • srcip — source IP address
  • srcip_host — source host name
  • srcip_reputation — source reputation
  • source_geo.countryName — source country
  • dstip_host — destination host name
  • login_type — type of login
  • username — user name

Use Case with Data Points

The login records are checked for every source IP address (srcip). If a source IP address has successful login records and its reputation (srcip_reputation) is bad (except brute-forcer and scanner), an alert is triggered. A sample Interflow includes source IP address (srcip), source host (srcip_host), source reputation (srcip_reputation), source country (srcip_geo.countryName), login type (login_type), and user name (username).

Command Anomaly

A command has been executed an anomalously large number of times compared to its typical executions or those of other commands. Investigate the command and the user to determine if this is expected.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: Execution (TA0002)

  • Technique: Command and Scripting Interpreter (T1059)

  • Tags: []

Event Name

The xdr_event.name for this alert type in the Interflow data is command_anomaly.

Severity

15

Key Fields and Relevant Data Points

  • command — command executed
  • actual — actual number of executions in the period
  • typical — typical number of executions in the period
  • cwd — current working directory from which the command executed
  • hostip — host from which the command was run
  • hostip_host — host name
  • username — user name who ran the command

Use Case with Data Points

The number of times a command (command) has been executed is calculated periodically. If the volume (actual) is much larger than the typical volume (typical) of the command or other commands in any period, an alert is triggered. The Interflow includes the directory from which the command was executed (cwd), the host and source IP addresses (hostip and srcip) from which the command was executed, and the name of the user who ran the command (username).

Encoded PowerShell

A Windows host executed an encoded PowerShell script. Investigate the script contents to see if it is malicious. If so, consider quarantining the host.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: Execution (TA0002)

  • Technique: Command and Scripting Interpreter (T1059)

  • Tags: []

Event Name

The xdr_event.name for this alert type in the Interflow data is encoded_powershell.

Severity

80

Key Fields and Relevant Data Points

  • srcip — source IP address
  • hostip — IP address of the Windows host
  • hostip_host — host name
  • event_data.ContextInfo — PowerShell script context
  • event_data.Payload — PowerShell script payload

Use Case with Data Points

If a Windows host (srcip) executes a PowerShell script whose context (event_data.ContextInfo) includes flags that indicate encoding or obfuscation of the script, an alert is triggered. The Interflow includes the IP address of the Windows host (srcip), the script context (event_data.ContextInfo), and script payload (event_data.Payload).

External Account Login Failure Anomaly

An anomalously large number of user login failures was observed for an account. Check with the user.

This alert type has the following subtypes:

This alert type has a detection delay for on-time records while maintaining detection coverage for high latency data sources. High latency data will have a detection delay corresponding to its latency.

The expected detection delay is 5-10 minutes, although it could be longer when there is an ingestion delay. Sources without ingestion delays will get their alerts between 5 and 10 minutes after ingestion.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] Credential Access (TA0006)

  • Technique: Brute Force (T1110)

  • Tags: [External]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_cloud_account_login_failure.

Severity

45

Key Fields and Relevant Data Points

  • srcip_usersid — cloud account user ID
  • srcip_username — cloud account user name
  • event_summary.total_failed — number of failed logins in the period
  • event_summary.total_successful — number of successful logins in the period
  • event_summary.total_fail_ratio — percent of failed logins in the period, which is: event_summary.total_failed / (event_summary.total_failed + event_summary.total_successful)
  • weighted_anomaly_score — net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.
  • srcip_host — host name of corresponding source IP address
  • login_type — type of login
  • srcip_reputation — source reputation

Use Case with Data Points

Login failures and successes are calculated periodically for every account (srcip_usersid). If the number of failures is significantly larger than the number of successes, an alert is triggered. A sample Interflow includes the login type (login_type), source host (srcip_host), and source reputation (srcip_reputation).

Alert Subtype: Office 365 / Entra ID

The Office 365 / Entra ID alert subtype is the same as the External Account Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from Office 365 and Microsoft Entra ID (formerly Azure AD).

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is external_cloud_account_login_failure_o365_azure.

Alert Subtype: Windows Security Events

The Windows Security Events alert subtype is the same as the External Account Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from all Windows security events.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is external_cloud_account_login_failure_windows.

External Brute-Forced Successful User Login

A successful login was observed from an IP address that had previously seen a large number of login failures, or a successful login to a user account was observed from another IP address or IP addresses that had previously seen a large number of login failures to that account. Check with the user.

This alert type has the following subtypes:

This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] Credential Access (TA0006)

  • Technique: Brute Force (T1110)

  • Tags: [External]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_user_success_brute_forcer.

Severity

90

Alert Subtype: Source IP Based

The source IP-based alert subtype has the same XDR Kill Chain as the user ID-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points.

The xdr_event.subtype.name for this alert subtype in the Interflow data is external_user_success_brute_forcer_srcip.

Key Fields and Relevant Data Points

  • srcip — source IP address
  • srcip_usersid — Windows SID associated with the source IP address
  • srcip_host — source host name
  • srcip_reputation — source reputation
  • source_geo.countryName — source country
  • dstip_host — destination host name
  • login_type — type of login
  • username — user name
  • related_alert._id — link to the related External User Login Failure Anomaly

Use Case with Data Points

The login records are checked for every external source IP address (srcip). An alert is triggered if that IP address:

  1. Has so many failed login attempts that it triggered the External User Login Failure Anomaly, and
  2. Had a successful login

A sample Interflow includes the source IP address (srcip), login type (login_type), source host (srcip_host), source reputation (srcip_reputation), source country (srcip_geo.countryName), and user name (username).

Alert Subtype: User ID Based

The user ID-based alert subtype has the same XDR Kill Chain as the source IP-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points.

The xdr_event.subtype.name for this alert subtype in the Interflow data is external_user_success_brute_forcer_srcip_usersid.

Key Fields and Relevant Data Points

  • srcip_usersid — Windows SID associated with the source IP address
  • srcip — source IP address
  • srcip_host — source host name
  • srcip_reputation — source reputation
  • source_geo.countryName — source country
  • dstip_host — destination host name
  • login_type — type of login
  • username — user name
  • related_alert._id — link to the related External Account Login Failure Anomaly

Use Case with Data Points

The login records to a user account (srcip_usersid) are checked for every external source IP address (srcip). An alert is triggered if that user account:

  1. Has so many failed login attempts that it triggered the External Account Login Failure Anomaly, and

  2. Had a successful login

A sample Interflow includes the source IP address (srcip), login type (login_type), source host (srcip_host), source reputation (srcip_reputation), source country (srcip_geo.countryName), and user name (username).

External Credential Stuffing

An anomalously large amount of username/password testing was observed on AWS, Okta, or Windows. Check the activity after successful logins, and consider blocking the source IP addresses.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] Credential Access (TA0006)

  • Technique: Brute Force (T1110)

  • Tags: [External]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_credential_stuffing.

Severity

50

Key Fields and Relevant Data Points

  • msg_class — name of the service: cloudtrail for AWS, okta for Okta, Microsoft-Windows-Security-Auditing for Windows
  • service_id — specific account ID of a service
  • login_failure_rate — rate of login failures per minute in the period
  • unknown_users_rate — rate of unknown user names per minute in the period
  • unknown_users_to_login_failures — ratio of unknown user names to login failures in the period
  • suspicious_ips — suspicious source IP addresses (up to 100)
  • possible_breached_ips — list of malicious IPs that may have successful breach activities

Use Case with Data Points

External credential stuffing is the constant testing of username/password combinations on the AWS, Okta, or Windows authentication functions. Login activity is monitored and if the number of failed logins is larger than normal for that service, an alert is triggered. The Interflow includes the service (msg_class), tenant's account ID on that service (service_id), suspicious source IP address (suspicious_ips), login failure rate (login_failure_rate), unknown user rate (unknown_users_rate), the ratio of unknown users to login failures (unknown_users_to_login_failures), and a list of source IP addresses that might have suspicious activities and should be investigated (possible_breached_ips).

External Password Spraying

An anomalously large number of failed logins with unknown user names was observed on external Windows authentication services. Check the activity after successful logins, and consider blocking the source IP addresses.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: Credential Access (TA0006)

  • Technique: Brute Force (T1110)

  • Sub-technique: Password Spraying (T1110.003)

  • Tags: [External]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_password_spray.

Severity

50

Key Fields and Relevant Data Points

  • srcip — source IP address generating a failed login

    or

  • event_data.Workstation — workstation generating a failed login

    The key field for this alert type can be either srcip or event_data.Workstation, depending on the data feed.

  • srcip_host — source host name
  • event_id — Windows event ID corresponding to the login failures
  • login_type — type of login protocol; the available values vary by event_id
  • actual — actual number of failed logins with unknown user names in a 5-minute period
  • typical — typical number of failed logins with unknown user names in a 5-minute period
  • password_spray_user_summary — list of up to 100 unknown user names associated with the failed logins (the first three are shown in the alert description)

Use Case with Data Points

If a potential password spraying attack is observed, an alert is triggered. The Interflow includes a source (srcip or event_data.Workstation), timestamp, the type of login (login_type), the number of failed logins (actual), the usual number of failed logins (typical), and a sampling of the user names used in the attack (password_spray_user_summary).

External RDP BlueKeep

The use of a scanner by zerosum0x0 that discovers targets vulnerable to BlueKeep (CVE-2019-0708) was observed. Check the IP address and block if necessary.

XDR Kill Chain

  • Kill Chain Stage: Propagation

  • Tactic: [External] Privilege Escalation (TA0004)

  • Technique: Exploitation for Privilege Escalation (T1068)

  • Tags: [External; RDP]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_rdp_bluekeep.

Severity

80

Key Fields and Relevant Data Points

  • ids.signature — IDS signature
  • srcip_host — source host name
  • dstip_host — destination host name

Use Case with Data Points

If the scanner by zerosum0x0 is used, an alert is triggered. A sample Interflow includes the IDS signature (ids.signature), source host (srcip_host), and destination host (dstip_host).

External RDP Suspicious Outbound

Non-standard tools connecting to TCP port 3389 were observed. This could indicate lateral movement attempting to establish an RDP connection. Check the IP address and block if necessary.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR NBA (XTA0002)

  • Technique: XDR App Anomaly (XT2003)

  • Tags: [External; RDP]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_rdp_suspicious_outbound.

Severity

60

Key Fields and Relevant Data Points

  • srcip — source IP address of the host that connects to TCP port 3389 with a non-standard tool
  • srcip_host — source host name
  • process_name — process name

Use Case with Data Points

Connections to TCP port 3389 are monitored, and if non-standard tools connect, an alert is triggered. A sample Interflow includes the source IP address (srcip) and the process name (process_name). The following are the standard tools:

  • mstsc.exe
  • RTSApp.exe
  • RTS2App.exe
  • RDCMan.exe
  • ws_TunnelService.exe
  • RSSensor.exe
  • RemoteDesktopManagerFree.exe
  • RemoteDesktopManager.exe
  • RemoteDesktopManager64.exe
  • mRemoteNG.exe
  • mRemote.exe
  • Terminals.exe
  • spiceworks-finder.exe
  • FSDiscovery.exe
  • FSAssessment.exe
  • MobaRTE.exe
  • chrome.exe
  • thor.exe
  • thor64.exe

External User Login Failure Anomaly

An anomalous number of login failures was observed for one of the following applications: SSH, SMTP, FTP, RDP, SMB, databases, Active Directory, Office 365, Okta, AWS CloudTrail, or Google Workspace. For Okta, an anomalous number of multi-factor authentication (MFA) failures was observed. Check with the user.

This alert type has a detection delay for on-time records while maintaining detection coverage for high latency data sources. High latency data will have a detection delay corresponding to its latency.

The expected detection delay is 5-10 minutes, although it could be longer when there is an ingestion delay. Sources without ingestion delays will get their alerts between 5 and 10 minutes after ingestion.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] Credential Access (TA0006)

  • Technique: Brute Force (T1110)

  • Tags: [External]

Event Name

The xdr_event.name for this alert type in the Interflow data is external_user_login_fail.

Severity

30

Key Fields and Relevant Data Points

  • srcip — source IP address
  • dstip — destination IP address
  • dstip_host — destination host name
  • event_summary.total_failed — number of failed logins in the period
  • event_summary.total_successful — number of successful logins in the period
  • event_summary.total_fail_ratio — percent of failed logins in the period, which is: event_summary.total_failed / (event_summary.total_failed + event_summary.total_successful)
  • weighted_anomaly_score — net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.
  • login_type — type of login, such as ssh_traffic, okta_log, or aws_cloudtrail
  • srcip_host — source host name
  • srcip_reputation — source reputation

Use Case with Data Points

Login failures and successes are calculated periodically for every source (srcip) and destination (dstip) IP address. If the number of failures is significantly larger than the number of successes, an alert is triggered. The Interflow includes the login type (login_type), source host (srcip_host), and source reputation (srcip_reputation).

Alert Subtype: Office 365 / Entra ID

The Office 365 / Entra ID alert subtype is the same as the External User Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from Office 365 and Microsoft Entra ID (formerly Azure AD).

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is external_user_login_fail_o365_azure.

Alert Subtype: Source IP Based

The Source IP-based alert subtype is the same as the External User Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from network traffic, system logs, Linux events, and AWS events.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is external_user_login_fail_srcip.

Alert Subtype: Destination IP Based

The Destination IP-based alert subtype is the same as the External User Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from network traffic, system logs, Linux events, and AWS events.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is external_user_login_fail_dstip.

Alert Subtype: Kerberos Events

The Kerberos Events alert subtype is the same as the External User Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from Kerberos events.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is external_user_login_fail_kerberos.

Alert Subtype: Source IP Based Windows Logon Events

The Source IP-based Windows Logon Events alert subtype is the same as the External User Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from Windows logon events.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is external_user_login_fail_src_win_logon.

Alert Subtype: Destination IP Based Windows Logon Events

The Destination IP-based Windows Logon Events alert subtype is the same as the External User Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from Windows logon events.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is external_user_login_fail_dst_win_logon.

Hydra Password Guessing Hack Tool

A user on a Windows host executed a command-line script that launched either the hydra.exe command or a command using known Hydra style parameters, which may be an inappropriate use of the Hydra password guessing tool.

XDR Kill Chain

  • Kill Chain Stage: Propagation

  • Tactic: [Internal] Credential Access (TA0006)

  • Technique: Brute Force (T1110)

  • Tags: [Hydra]

Event Name

The xdr_event.name for this alert type in the Interflow data is hydra_password_guessing_hack_tool.

Severity

90

Key Fields and Relevant Data Points

  • hostip — device internal IP address
  • event_data.Image — process running hydra.exe for password cracking
  • event_data.CommandLine — command used to run the tool
  • computer_name — name of the Windows host

Use Case with Data Points

This alert is triggered if a Windows host (hostip) executes a PowerShell script with a context that includes one or more flags (event_data.Image or event_data.CommandLine) indicating usage of the Hydra password guessing hack tool. The Interflow includes the IP address of the Windows host (hostip), the host name (computer_name), and the script image (event_data.Image) or script payload (event_data.CommandLine).

Validation / Remediation

Check the body of the PowerShell script that is reported on the Windows host to identify whether the contents of the script are actually malicious. If malicious, consider quarantining the host.

Potential False Positives

The running of any executable named hydra.exe or a command that has parameters of -u and -p or ^user^ and ^pass^ triggers this alert.

Impossible Travel Anomaly

A user logged in from locations that are geographically impossible to travel between in the time frame. Check with the user.

This alert type has a detection delay for on-time records while maintaining detection coverage for high latency data sources. High latency data will have a detection delay corresponding to its latency.

The expected detection delay is 5-10 minutes, although it could be longer when there is an ingestion delay. Sources without ingestion delays will get their alerts between 5 and 10 minutes after ingestion.

For the Impossible Travel Anomaly, there are two chances for ingestion delay, so the slowest of the two records will define the delay. This alert type is also sensitive to the order of user logins.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR UBA (XTA0004)

  • Technique: XDR Location Anomaly (XT2001)

  • Tags: [User Behavior Analytics]

Event Name

The xdr_event.name for this alert type in the Interflow data is user_impossible_travel.

Severity

60

Key Fields and Relevant Data Points

  • srcip_usersid — key ID for the source user
  • srcip_username — source user name
  • srcip — source IP address
  • srcip_host — source host name
  • srcip_geo — source IP address geo location, including latitude and longitude
  • distance_deviation — deviation in distance (miles) between the two login locations
  • time_deviation — deviation in time (seconds) between the two login events
  • travel_speed — calculated speed for the user to travel between the two locations (miles/hour)
  • appid_name — application name for the login event
  • last_login_time — time of 2nd login, event 2 (E2)
  • _id2 — ID of E2
  • _index2 — index of E2
  • srcip2 — source IP address of E2
  • srcip_geo2 — source IP address geo location of E2, including latitude and longitude
  • engid_gateway — gateway IP address, used to determine geo location when source IP address is private

Use Case with Data Points

Login events (E1 and E2) are examined for a user (srcip_usersid) to see whether the login locations (srcip_geo and srcip_geo2), which must be at least 100 miles apart, changed faster (travel_speed = distance_deviation/time_deviation) than is possible at the typical commercial flight speed of 600 miles/hour.

E1 is the basis for the Interflow. The srcip_usersid and srcip_username identify the user, appid_name identifies the application, and last_login_time identifies the time when the 2nd login event happened. You can find detailed information about E2 by checking _id2 in _index2, its source IP (srcip2), and its geo location (srcip_geo2).
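The following Python is an added example of the impossible-travel check described above; it is not Stellar Cyber's code. It uses the two numbers the page gives (locations at least 100 miles apart, a 600 miles/hour flight-speed ceiling), computes distance_deviation with the haversine formula, derives time_deviation and travel_speed from consecutive logins of one user, and falls back to the gateway's location when the source address is RFC 1918 private, as the engid_gateway field suggests. The login records, the coordinates of the cities, the SIDs and the engid_gateway_geo field name are constructed for this example.

```python
import ipaddress
import math
from datetime import datetime

EARTH_RADIUS_MILES = 3958.8
MIN_DISTANCE_MILES = 100   # from the page: the two locations must be at least 100 miles apart
MAX_SPEED_MPH = 600        # from the page: typical commercial flight speed

# RFC 1918 ranges: a source in one of these has no usable geo of its own.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed coordinates (latitude/longitude in degrees) for the sample logins.
NYC = {"latitude": 40.7128, "longitude": -74.0060}
LONDON = {"latitude": 51.5074, "longitude": -0.1278}
PHILADELPHIA = {"latitude": 39.9526, "longitude": -75.1652}
CHICAGO = {"latitude": 41.8781, "longitude": -87.6298}

# Constructed login events, not real Interflow. engid_gateway_geo is an assumed field
# holding the gateway's geo for a private srcip.
SAMPLE_LOGIN_EVENTS = [
    {"srcip_usersid": "S-1-5-21-1-2-3-1001", "timestamp": "2024-03-15T12:00:00",
     "srcip": "198.51.100.10", "srcip_geo": NYC},
    {"srcip_usersid": "S-1-5-21-1-2-3-1001", "timestamp": "2024-03-15T13:00:00",
     "srcip": "203.0.113.25", "srcip_geo": LONDON},
    {"srcip_usersid": "S-1-5-21-1-2-3-1002", "timestamp": "2024-03-15T12:00:00",
     "srcip": "198.51.100.11", "srcip_geo": NYC},
    {"srcip_usersid": "S-1-5-21-1-2-3-1002", "timestamp": "2024-03-15T13:00:00",
     "srcip": "198.51.100.12", "srcip_geo": PHILADELPHIA},
    {"srcip_usersid": "S-1-5-21-1-2-3-1003", "timestamp": "2024-03-15T08:00:00",
     "srcip": "198.51.100.13", "srcip_geo": NYC},
    {"srcip_usersid": "S-1-5-21-1-2-3-1003", "timestamp": "2024-03-15T14:00:00",
     "srcip": "10.1.2.3", "srcip_geo": None, "engid_gateway_geo": CHICAGO},
]


def haversine_miles(geo1, geo2):
    """Great-circle distance in miles between two {latitude, longitude} points."""
    lat1, lon1 = math.radians(geo1["latitude"]), math.radians(geo1["longitude"])
    lat2, lon2 = math.radians(geo2["latitude"]), math.radians(geo2["longitude"])
    a = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(a))


def effective_geo(event):
    """Use the gateway's location when the source address is private (RFC 1918)."""
    if any(ipaddress.ip_address(event["srcip"]) in net for net in RFC1918):
        return event["engid_gateway_geo"]
    return event["srcip_geo"]


def check_impossible_travel(e1, e2):
    """Compare two consecutive logins of one user; return an alert dict or None."""
    distance = haversine_miles(effective_geo(e1), effective_geo(e2))
    seconds = (datetime.fromisoformat(e2["timestamp"])
               - datetime.fromisoformat(e1["timestamp"])).total_seconds()
    if distance < MIN_DISTANCE_MILES or seconds <= 0:
        return None
    speed = distance / (seconds / 3600)          # miles per hour
    if speed <= MAX_SPEED_MPH:
        return None
    return {"srcip_usersid": e1["srcip_usersid"], "srcip": e1["srcip"], "srcip2": e2["srcip"],
            "distance_deviation": round(distance, 1), "time_deviation": seconds,
            "travel_speed": round(speed, 1), "last_login_time": e2["timestamp"]}


def impossible_travel_alerts(events):
    """Group logins by user, order them in time, and test each adjacent pair (E1, E2)."""
    by_user = {}
    for ev in events:
        by_user.setdefault(ev["srcip_usersid"], []).append(ev)
    alerts = []
    for logins in by_user.values():
        logins.sort(key=lambda e: e["timestamp"])
        for e1, e2 in zip(logins, logins[1:]):
            alert = check_impossible_travel(e1, e2)
            if alert:
                alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel_alerts(SAMPLE_LOGIN_EVENTS):
        print(alert)
```

Of the three sample users only the New York to London pair alerts (about 3,460 miles in one hour); New York to Philadelphia is under the 100-mile floor, and New York to Chicago in six hours is well under 600 miles/hour. Sorting by timestamp before pairing is what makes the check sensitive to event order, which the page calls out as a source of delay when E2 arrives before E1.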

Internal Account Login Failure Anomaly

An anomalously large number of login failures from an internal source IP address to an internal destination IP address was observed for an account. Check with the user.

This alert type has the following subtypes:

This alert type has a detection delay for on-time records while maintaining detection coverage for high latency data sources. High latency data will have a detection delay corresponding to its latency.

The expected detection delay is 5-10 minutes, although it could be longer when there is an ingestion delay. Sources without ingestion delays will get their alerts between 5 and 10 minutes after ingestion.

XDR Kill Chain

  • Kill Chain Stage: Propagation

  • Tactic: [Internal] Credential Access (TA0006)

  • Technique: Brute Force (T1110)

  • Tags: [Internal]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_cloud_account_login_failure.

Severity

60

Key Fields and Relevant Data Points

  • srcip_usersid — account user ID

    or

  • srcip_username — account user name, enriched from event_data.targetusername

    The key field for this alert type can be either srcip_usersid or srcip_username, depending on the data feed.

  • event_summary.total_failed — number of failed logins in the period
  • event_summary.total_successful — number of successful logins in the period
  • event_summary.total_fail_ratio — percent of failed logins in the period, which is: event_summary.total_failed / (event_summary.total_failed + event_summary.total_successful)
  • weighted_anomaly_score — net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.
  • srcip_host — host name of corresponding source IP address
  • login_type — type of login
  • srcip_reputation — source reputation

Use Case with Data Points

Login failures and successes between any internal IP addresses are calculated periodically for every account (srcip_usersid). If the number of failures is significantly larger than the number of successes, an alert is triggered. A sample Interflow includes the login type (login_type), source host (srcip_host), and source reputation (srcip_reputation).
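The following Python is an added example, not Stellar Cyber's code, that serves the login-failure anomaly types on this page (External Account Login Failure Anomaly, External User Login Failure Anomaly with its source and destination IP based subtypes, and Internal Account Login Failure Anomaly) as well as the External and Internal Brute-Forced Successful User Login types. It computes event_summary.total_failed, total_successful and total_fail_ratio per key using the formula the page gives, where the key can be the account (srcip_usersid), the source IP or the destination IP, and then replays the records in order so that a success counts as brute-forced only if the same key had already accumulated an anomalous run of failures. MIN_FAILED and MIN_FAIL_RATIO are assumed thresholds standing in for the page's "significantly larger"; the login records and SIDs are constructed.

```python
from collections import defaultdict

# Assumed thresholds; the page says only "significantly larger", not the product's values.
MIN_FAILED = 10
MIN_FAIL_RATIO = 0.8

# Constructed SIDs and login records (not real Interflow). 203.0.113.7 fails 12 times
# against one account on 10.0.0.20 and then succeeds; 198.51.100.4 is an ordinary user.
ATTACKED_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
NORMAL_SID = "S-1-5-21-1111111111-2222222222-3333333333-1002"

SAMPLE_LOGINS = [
    {"timestamp": f"2024-03-15T09:00:{i:02d}", "srcip": "203.0.113.7", "dstip": "10.0.0.20",
     "srcip_usersid": ATTACKED_SID, "username": "jdoe", "success": False}
    for i in range(12)
] + [
    {"timestamp": "2024-03-15T09:05:00", "srcip": "203.0.113.7", "dstip": "10.0.0.20",
     "srcip_usersid": ATTACKED_SID, "username": "jdoe", "success": True},
    {"timestamp": "2024-03-15T10:00:00", "srcip": "198.51.100.4", "dstip": "10.0.0.30",
     "srcip_usersid": NORMAL_SID, "username": "asmith", "success": False},
] + [
    {"timestamp": f"2024-03-15T10:01:{i:02d}", "srcip": "198.51.100.4", "dstip": "10.0.0.30",
     "srcip_usersid": NORMAL_SID, "username": "asmith", "success": True}
    for i in range(5)
]


# Key choices mirroring the page's subtypes: per account, per source IP, per destination IP.
def by_account(rec):
    return rec["srcip_usersid"]


def by_srcip(rec):
    return rec["srcip"]


def by_dstip(rec):
    return rec["dstip"]


def event_summary(records, key):
    """Per-key counts shaped like event_summary.total_failed / total_successful /
    total_fail_ratio, with the ratio computed by the page's formula:
    total_failed / (total_failed + total_successful)."""
    summary = defaultdict(lambda: {"total_failed": 0, "total_successful": 0})
    for rec in records:
        field = "total_successful" if rec["success"] else "total_failed"
        summary[key(rec)][field] += 1
    for s in summary.values():
        total = s["total_failed"] + s["total_successful"]
        s["total_fail_ratio"] = s["total_failed"] / total if total else 0.0
    return dict(summary)


def login_failure_anomalies(records, key):
    """Keys whose failures in the period dominate their successes."""
    return {k: s for k, s in event_summary(records, key).items()
            if s["total_failed"] >= MIN_FAILED and s["total_fail_ratio"] >= MIN_FAIL_RATIO}


def brute_forced_successes(records, key):
    """Replay in event order: a success is flagged only if, before it happened, the
    same key had already built up an anomalous run of failures."""
    running = defaultdict(lambda: {"total_failed": 0, "total_successful": 0})
    hits = []
    for rec in sorted(records, key=lambda r: r["timestamp"]):
        k = key(rec)
        s = running[k]
        if rec["success"]:
            total = s["total_failed"] + s["total_successful"]
            ratio = s["total_failed"] / total if total else 0.0
            if s["total_failed"] >= MIN_FAILED and ratio >= MIN_FAIL_RATIO:
                hits.append({"key": k, "timestamp": rec["timestamp"],
                             "username": rec["username"], "prior_failed": s["total_failed"]})
            s["total_successful"] += 1
        else:
            s["total_failed"] += 1
    return hits


if __name__ == "__main__":
    print(login_failure_anomalies(SAMPLE_LOGINS, by_account))
    print(brute_forced_successes(SAMPLE_LOGINS, by_srcip))
```

The same records keyed three ways show why the page splits the anomaly into account, source IP and destination IP subtypes: each key answers a different question (which account is under attack, which source is attacking, which host is being attacked). The ordered replay in brute_forced_successes is also why the brute-forced-success types carry a longer detection delay: they cannot decide until the success record has been seen in its correct position relative to the failures.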

Alert Subtype: Windows Logon Events

The Windows Logon Events alert subtype is the same as the Internal Account Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from Windows logon events.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is internal_cloud_account_login_failure_win_logon.

Alert Subtype: Kerberos Events

The Kerberos Events alert subtype is the same as the Internal Account Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from Kerberos events.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is internal_cloud_account_login_failure_kerberos.

Alert Subtype: NTLM Events

The NTLM Events alert subtype is the same as the Internal Account Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from NTLM events.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is internal_cloud_account_login_failure_ntlm.

Alert Subtype: Hibun Security Logs

The Hibun Security Logs alert subtype is the same as the Internal Account Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from Hibun security logs.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is internal_cloud_account_login_failure_hibun.

Internal Brute-Forced Successful User Login

A successful login was observed from an IP address that had previously seen a large number of login failures, or a successful login to a user account was observed from another IP address or IP addresses that had previously seen a large number of login failures to that account. Check with the user.

This alert type has two subtypes, Source IP Based and User ID Based, described below.

This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.

XDR Kill Chain

  • Kill Chain Stage: Propagation

  • Tactic: [Internal] Credential Access (TA0006)

  • Technique: Brute Force (T1110)

  • Tags: [Internal]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_user_success_brute_forcer.

Severity

95

Alert Subtype: Source IP Based

The source IP-based alert subtype has the same XDR Kill Chain as the user ID-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points.

The xdr_event.subtype.name for this alert subtype in the Interflow data is internal_user_success_brute_forcer_srcip_usersid.

Key Fields and Relevant Data Points

  • srcip — source IP address
  • srcip_usersid — Windows SID associated with the source IP address
  • srcip_host — source host name
  • srcip_reputation — source reputation
  • source_geo.countryName — source country
  • dstip_host — destination host name
  • login_type — type of login
  • username — user name
  • related_alert._id — link to the related Internal User Login Failure Anomaly

Use Case with Data Points

The login records to an internal IP address (dstip) are checked for every internal source IP address (srcip). An alert is triggered if that IP address:

  1. Has so many failed login attempts that it triggered the Internal User Login Failure Anomaly, and

  2. Had a successful login

A sample Interflow includes the source IP address (srcip), login type (login_type), source host name (srcip_host), source reputation (srcip_reputation), source country (srcip_geo.countryName), and user name (username).

Alert Subtype: User ID Based

The user ID-based alert subtype has the same XDR Kill Chain as the source IP-based alert subtype, but differs in the Key Fields and Relevant Data Points and Use Case with Data Points.

The xdr_event.subtype.name for this alert subtype in the Interflow data is internal_user_success_brute_forcer_srcip.

Key Fields and Relevant Data Points

  • srcip — source IP address
  • srcip_usersid — Windows SID associated with the source IP address
  • srcip_host — source host name
  • srcip_reputation — source reputation
  • source_geo.countryName — source country
  • dstip_host — destination host name
  • login_type — type of login
  • username — user name
  • related_alert._id — link to the related Internal Account Login Failure Anomaly

Use Case with Data Points

The login records to a user account (srcip_usersid) are checked for every internal source IP address (srcip). An alert is triggered if that user account:

  1. Has so many failed login attempts that it triggered the Internal Account Login Failure Anomaly, and

  2. Had a successful login

A sample Interflow includes the source IP address (srcip), login type (login_type), source host name (srcip_host), source reputation (srcip_reputation), source country (srcip_geo.countryName), and user name (username).

Internal Password Spraying

An anomalously large number of failed logins with unknown user names was observed on internal Windows authentication services. Check the activity after successful logins, and consider blocking the internal source IP addresses.

XDR Kill Chain

  • Kill Chain Stage: Propagation

  • Tactic: Credential Access (TA0006)

  • Technique: Brute Force (T1110)

  • Sub-technique: Password Spraying (T1110.003)

  • Tags: [Internal]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_password_spray.

Severity

75

Key Fields and Relevant Data Points

  • srcip — source IP address generating a failed login

    or

  • event_data.Workstation — workstation generating a failed login

    The key field for this alert type can be either srcip or event_data.Workstation, depending on the data feed.

  • srcip_host — source host name
  • event_data.WorkstationName — workstation associated with the alerting srcip (when applicable)
  • event_id — Windows event ID corresponding to the login failures
  • login_type — type of login protocol; the available values vary by event_id
  • actual — actual number of failed logins with unknown user names in a 5-minute period
  • typical — typical number of failed logins with unknown user names in a 5-minute period
  • password_spray_user_summary — list of up to 100 unknown user names associated with the failed logins (the first three are shown in the alert description)

Use Case with Data Points

If a potential password spraying attack is observed, an alert is triggered. The Interflow includes a source (srcip or event_data.Workstation), timestamp, the type of login (login_type), the number of failed logins (actual), the usual number of failed logins (typical), and a sampling of the user names used in the attack (password_spray_user_summary).
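As an added example (not Stellar Cyber's code), the following Python sketches the windowing behind this alert: unknown-user failures are bucketed into 5-minute windows per source, keyed by srcip or by event_data.Workstation when srcip is absent, and compared against a typical count. The SubStatus used to recognise an unknown user name, the thresholds, and the baseline are assumptions, and the events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW_MINUTES = 5
SUMMARY_CAP = 100        # password_spray_user_summary holds up to 100 names (from the page)
DESCRIPTION_NAMES = 3    # the alert description shows the first three (from the page)
# Assumptions, not from the page: how an "unknown user name" failure is recognised
# (Event 4625 SubStatus 0xC0000064, user name does not exist) and how far above
# "typical" a 5-minute count must be before an alert fires.
NO_SUCH_USER_SUBSTATUS = "0xc0000064"
MIN_ACTUAL = 10
RATIO_OVER_TYPICAL = 5.0


def source_key(event):
    """Key field is srcip when present, otherwise event_data.Workstation (page behaviour)."""
    if event.get("srcip"):
        return "srcip", event["srcip"]
    return "event_data.Workstation", event["event_data"]["Workstation"]


def window_start(ts):
    """Floor a timestamp to the start of its 5-minute bucket."""
    return ts.replace(second=0, microsecond=0) - timedelta(minutes=ts.minute % WINDOW_MINUTES)


def aggregate_unknown_user_failures(events):
    """Group unknown-user failures by (key field, key value, window start)."""
    buckets = defaultdict(lambda: {"count": 0, "users": [], "event_id": None, "login_type": None})
    for ev in events:
        data = ev.get("event_data", {})
        if data.get("SubStatus", "").lower() != NO_SUCH_USER_SUBSTATUS:
            continue                      # wrong password, lockout, etc. are not counted here
        key_name, key_value = source_key(ev)
        b = buckets[(key_name, key_value, window_start(ev["timestamp"]))]
        b["count"] += 1
        user = data["TargetUserName"]
        if user not in b["users"] and len(b["users"]) < SUMMARY_CAP:
            b["users"].append(user)
        b["event_id"] = ev["event_id"]
        b["login_type"] = data.get("LogonType")
    return buckets


def detect_password_spray(events, typical_by_source):
    """Return one internal_password_spray alert per anomalous (source, window).

    typical_by_source maps a key value to its typical 5-minute unknown-user failure
    count; the product learns this baseline, here it is a constructed input.
    """
    alerts = []
    for (key_name, key_value, start), b in sorted(aggregate_unknown_user_failures(events).items()):
        typical = typical_by_source.get(key_value, 0)
        actual = b["count"]
        if actual < MIN_ACTUAL or actual < typical * RATIO_OVER_TYPICAL:
            continue
        shown = ", ".join(b["users"][:DESCRIPTION_NAMES])
        alerts.append({
            "xdr_event.name": "internal_password_spray",
            key_name: key_value,
            "timestamp": start.isoformat(),
            "event_id": b["event_id"],
            "login_type": b["login_type"],
            "actual": actual,
            "typical": typical,
            "password_spray_user_summary": b["users"],
            "description": f"{actual} failed logins with unknown user names in {WINDOW_MINUTES} "
                           f"minutes (typical {typical}); names include {shown}",
        })
    return alerts


def constructed_events():
    """Constructed sample: a spray from 10.0.0.5, benign typos from a workstation-only
    source, and one wrong-password failure for a real account."""
    t0 = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
    events = []
    for i in range(12):               # 12 unknown users from one IP inside one window
        events.append({"timestamp": t0 + timedelta(seconds=20 * i), "srcip": "10.0.0.5",
                       "event_id": 4625,
                       "event_data": {"TargetUserName": f"guessed{i:02d}", "SubStatus": "0xC0000064",
                                      "LogonType": "3", "Workstation": "WS-UNKNOWN"}})
    for i in range(2):                # feed without srcip: keyed by event_data.Workstation
        events.append({"timestamp": t0 + timedelta(minutes=1, seconds=i), "srcip": "",
                       "event_id": 4625,
                       "event_data": {"TargetUserName": "jsmtih", "SubStatus": "0xC0000064",
                                      "LogonType": "2", "Workstation": "WS-FINANCE-07"}})
    events.append({"timestamp": t0 + timedelta(minutes=2), "srcip": "10.0.0.9", "event_id": 4625,
                   "event_data": {"TargetUserName": "jsmith", "SubStatus": "0xC000006A",
                                  "LogonType": "3", "Workstation": "WS-HR-02"}})
    return events


if __name__ == "__main__":
    for alert in detect_password_spray(constructed_events(), {"10.0.0.5": 1, "WS-FINANCE-07": 1}):
        print(alert["description"])
```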

Internal Credential Stuffing

An anomalously large amount of username/password testing was observed on an internal Windows authentication service. Check the activity after successful logins, and consider blocking the internal source IP addresses.

XDR Kill Chain

  • Kill Chain Stage: Propagation

  • Tactic: [Internal] Credential Access (TA0006)

  • Technique: Brute Force (T1110)

  • Tags: [Internal]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_credential_stuffing.

Severity

75

Key Fields and Relevant Data Points

  • msg_class — Microsoft-Windows-Security-Auditing for Windows
  • service_id — specific account ID of a service
  • login_failure_rate — rate of login failures per minute in the period
  • unknown_users_rate — rate of unknown user names per minute in the period
  • unknown_users_to_login_failures — ratio of unknown user names to login failures in the period
  • suspicious_ips — suspicious source IP addresses (up to 100)
  • possible_breached_ips — list of malicious IP addresses that may have successful breach activities

Use Case with Data Points

Internal credential stuffing is the continuous testing of username/password combinations against AWS, Okta, or Windows authentication services. Login activity is monitored, and if the number of failed logins is larger than normal for that service, an alert is triggered. The Interflow includes the service (msg_class), the tenant's account ID on that service (service_id), suspicious source IP addresses (suspicious_ips), the login failure rate (login_failure_rate), the unknown user rate (unknown_users_rate), the ratio of unknown users to login failures (unknown_users_to_login_failures), and a list of source IP addresses that might have suspicious activity and should be investigated (possible_breached_ips).

Internal RDP BlueKeep

The use of a scanner by zerosum0x0 that discovers targets vulnerable to BlueKeep (CVE-2019-0708) has been observed between internal hosts. Check the IP address and block if necessary.

XDR Kill Chain

  • Kill Chain Stage: Propagation

  • Tactic: [Internal] Privilege Escalation (TA0004)

  • Technique: Exploitation for Privilege Escalation (T1068)

  • Tags: [Internal; RDP]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_rdp_bluekeep.

Severity

90

Key Fields and Relevant Data Points

  • ids.signature — IDS signature
  • srcip_host — source host name
  • dstip_host — destination host name

Use Case with Data Points

If the scanner by zerosum0x0 is used, an alert is triggered. A sample Interflow includes the IDS signature (ids.signature), source host (srcip_host), and destination host (dstip_host).

Internal RDP Suspicious Outbound

Non-standard tools on an internal host connecting to TCP port 3389 on another internal host were observed. This could indicate lateral movement attempting to establish an RDP connection. Check the IP address and block if necessary.

XDR Kill Chain

  • Kill Chain Stage: Propagation

  • Tactic: [Internal] Lateral Movement (TA0008)

  • Technique: Remote Services (T1021)

  • Tags: [Internal; RDP]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_rdp_suspicious_outbound.

Severity

50

Key Fields and Relevant Data Points

  • srcip — source IP address of the host that connects to TCP port 3389 with a non-standard tool
  • srcip_host — source host name
  • process_name — process name

Use Case with Data Points

Connections to TCP port 3389 are monitored, and if non-standard tools connect, an alert is triggered. A sample Interflow includes the source IP address (srcip) and the process name (process_name). The following are the standard tools:

  • mstsc.exe
  • RTSApp.exe
  • RTS2App.exe
  • RDCMan.exe
  • ws_TunnelService.exe
  • RSSensor.exe
  • RemoteDesktopManagerFree.exe
  • RemoteDesktopManager.exe
  • RemoteDesktopManager64.exe
  • mRemoteNG.exe
  • mRemote.exe
  • Terminals.exe
  • spiceworks-finder.exe
  • FSDiscovery.exe
  • FSAssessment.exe
  • MobaRTE.exe
  • chrome.exe
  • thor.exe
  • thor64.exe
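As an added example, not the product's own code, this Python applies the standard-tool list above to constructed connection events: process names are reduced to a lower-cased file name before the comparison, only internal-to-internal connections are considered (the RFC 1918 ranges stand in for the product's internal-address definition), and repeats by the same tool from the same source collapse into one alert.

```python
import ipaddress
import ntpath

# The standard RDP tools listed on the page, compared case-insensitively by file name.
STANDARD_RDP_TOOLS = {name.lower() for name in (
    "mstsc.exe", "RTSApp.exe", "RTS2App.exe", "RDCMan.exe", "ws_TunnelService.exe",
    "RSSensor.exe", "RemoteDesktopManagerFree.exe", "RemoteDesktopManager.exe",
    "RemoteDesktopManager64.exe", "mRemoteNG.exe", "mRemote.exe", "Terminals.exe",
    "spiceworks-finder.exe", "FSDiscovery.exe", "FSAssessment.exe", "MobaRTE.exe",
    "chrome.exe", "thor.exe", "thor64.exe",
)}
RDP_PORT = 3389
# Assumption: RFC 1918 ranges stand in for the product's notion of "internal" addresses.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def process_basename(image):
    """Reduce an image path such as C:\\Windows\\System32\\mstsc.exe to its lower-cased file
    name, so a full path or unusual casing does not slip past the standard-tool list."""
    return ntpath.basename(image).lower()


def is_internal(ip):
    """True when the address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def suspicious_rdp_outbound(events):
    """Return internal_rdp_suspicious_outbound alerts for internal-to-internal TCP/3389
    connections made by a process outside the standard list, one per (srcip, process_name)."""
    seen, alerts = set(), []
    for ev in events:
        if ev["proto"] != "tcp" or ev["dstport"] != RDP_PORT:
            continue
        if not (is_internal(ev["srcip"]) and is_internal(ev["dstip"])):
            continue                       # the alert covers traffic between internal hosts only
        name = process_basename(ev["process_name"])
        if name in STANDARD_RDP_TOOLS:
            continue
        if (ev["srcip"], name) in seen:    # repeated connections by the same tool: one alert
            continue
        seen.add((ev["srcip"], name))
        alerts.append({
            "xdr_event.name": "internal_rdp_suspicious_outbound",
            "srcip": ev["srcip"], "srcip_host": ev.get("srcip_host"), "process_name": name,
        })
    return alerts


def constructed_connections():
    """Constructed connection events with the originating process, as an endpoint sensor
    on a Windows host might report them."""
    def conn(srcip, host, dstip, dstport, image, proto="tcp"):
        return {"srcip": srcip, "srcip_host": host, "dstip": dstip, "dstport": dstport,
                "proto": proto, "process_name": image}
    ps_path = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
    return [
        conn("10.2.0.11", "WS-011", "10.2.0.50", 3389, r"C:\Windows\System32\mstsc.exe"),
        conn("10.2.0.12", "WS-012", "10.2.0.50", 3389, "MSTSC.EXE"),      # casing only
        conn("10.2.0.13", "WS-013", "10.2.0.50", 3389, ps_path),          # not a standard tool
        conn("10.2.0.13", "WS-013", "10.2.0.51", 3389, "powershell.exe"), # same tool, deduplicated
        conn("10.2.0.14", "WS-014", "198.51.100.9", 3389, "python.exe"), # destination not internal
        conn("10.2.0.15", "WS-015", "10.2.0.50", 445, "svchost.exe"),      # not RDP
        conn("10.2.0.16", "WS-016", "10.2.0.50", 3389, "chrome.exe"),      # on the standard list
    ]


if __name__ == "__main__":
    for alert in suspicious_rdp_outbound(constructed_connections()):
        print(alert)
```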

Internal User Login Failure Anomaly

An anomalous number of login failures between internal IP addresses was observed for one of the following applications: SSH, SMTP, FTP, RDP, SMB, databases, Active Directory, Office 365, Okta, AWS CloudTrail, Google Workspace, Salesforce, or Microsoft Entra ID (formerly Azure Active Directory). Check with the user.

This alert type delays detection for on-time records so that it can maintain detection coverage for high-latency data sources. High-latency data has a detection delay corresponding to its amount of latency.

The expected detection delay is 5-10 minutes, although it could be longer when there is an ingestion delay. Sources without ingestion delays will get their alerts between 5 and 10 minutes after ingestion.

XDR Kill Chain

  • Kill Chain Stage: Propagation

  • Tactic: [Internal] Credential Access (TA0006)

  • Technique: Brute Force (T1110)

  • Tags: [Internal]

Event Name

The xdr_event.name for this alert type in the Interflow data is internal_user_login_fail.

Severity

60

Key Fields and Relevant Data Points

  • srcip — source IP address
  • service_id — source domain, workstation, organization, or service
  • dstip — destination IP address
  • dstip_host — destination host name
  • event_summary.total_failed — number of failed logins in the period
  • event_summary.total_successful — number of successful logins in the period
  • event_summary.total_fail_ratio — percent of failed logins in the period, which is: event_summary.total_failed / (event_summary.total_failed + event_summary.total_successful)
  • weighted_anomaly_score — net score based on weighted rating of successful versus failed attempts (scanning, login, or other). Scores greater than upper threshold are potentially malicious and less than lower threshold are benign.
  • login_type — type of login, such as ssh_traffic, okta_log, or aws_cloudtrail
  • srcip_host — source host name
  • srcip_reputation — source reputation

Use Case with Data Points

Login failures and successes between internal IP addresses are calculated periodically for every source (srcip) and destination (dstip) IP address. If the number of failures is significantly larger than the number of successes, an alert is triggered. The Interflow includes the login type (login_type), source host (srcip_host), and source reputation (srcip_reputation).
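The following Python, added here and not Stellar Cyber's code, works through both this Internal User Login Failure Anomaly and the source IP based Internal Brute-Forced Successful User Login described earlier: it computes the event_summary fields per (srcip, dstip), raises the failure anomaly when the weighted score crosses the upper threshold, and links a later success from that srcip to it via related_alert._id. The weights and thresholds are assumptions, the login events are constructed, and the sort_by_time switch shows why the correlation is sensitive to event order.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Assumptions, not from the page: the weights and thresholds behind weighted_anomaly_score.
FAIL_WEIGHT, SUCCESS_WEIGHT = 1.0, 2.0
UPPER_THRESHOLD = 5.0   # score above this is potentially malicious (the page's "upper threshold")
MIN_FAILED = 5          # do not score pairs with only a handful of failures


def event_summary(counts):
    """The page's event_summary fields plus weighted_anomaly_score for one (srcip, dstip) pair."""
    failed, successful = counts["failed"], counts["successful"]
    total = failed + successful
    return {
        "event_summary.total_failed": failed,
        "event_summary.total_successful": successful,
        # total_fail_ratio = total_failed / (total_failed + total_successful), as defined on the page
        "event_summary.total_fail_ratio": failed / total if total else 0.0,
        "weighted_anomaly_score": FAIL_WEIGHT * failed - SUCCESS_WEIGHT * successful,
    }


def correlate_logins(events, sort_by_time=True):
    """Walk login events and return (failure_alerts, success_alerts).

    failure_alerts: internal_user_login_fail keyed by (srcip, dstip), raised the first time
    failures significantly outnumber successes for that pair.
    success_alerts: internal_user_success_brute_forcer (source IP based), raised for a success
    from a srcip that already carries a failure alert, linked through related_alert._id.
    With sort_by_time=False events are taken in arrival order, which shows why the detectors
    wait for late data: a success ingested before its failures is never correlated.
    """
    if sort_by_time:
        events = sorted(events, key=lambda e: e["timestamp"])
    counters = defaultdict(lambda: {"failed": 0, "successful": 0})
    failure_alerts, success_alerts = {}, []
    for ev in events:
        pair = (ev["srcip"], ev["dstip"])
        counters[pair]["failed" if ev["login_result"] == "failure" else "successful"] += 1
        summary = event_summary(counters[pair])
        if (pair not in failure_alerts
                and summary["event_summary.total_failed"] >= MIN_FAILED
                and summary["weighted_anomaly_score"] > UPPER_THRESHOLD):
            failure_alerts[pair] = {
                "xdr_event.name": "internal_user_login_fail",
                "_id": f"constructed-fail-{ev['srcip']}-{ev['dstip']}",  # placeholder alert id
                "srcip": ev["srcip"], "dstip": ev["dstip"], "dstip_host": ev.get("dstip_host"),
                "login_type": ev["login_type"], **summary,
            }
        if ev["login_result"] == "success":
            prior = [a for (sip, _), a in failure_alerts.items() if sip == ev["srcip"]]
            if prior:
                success_alerts.append({
                    "xdr_event.name": "internal_user_success_brute_forcer",
                    "srcip": ev["srcip"], "dstip_host": ev.get("dstip_host"),
                    "username": ev["username"], "login_type": ev["login_type"],
                    "related_alert._id": prior[0]["_id"],
                })
    return failure_alerts, success_alerts


def constructed_login_events():
    """Constructed sample: 8 failures then a success from 10.1.1.20, and two typos then a
    success from 10.1.1.30. The 10.1.1.20 success is deliberately the last element."""
    t0 = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)

    def ev(minute, srcip, user, result):
        return {"timestamp": t0 + timedelta(minutes=minute), "srcip": srcip, "dstip": "10.1.1.50",
                "dstip_host": "FS01", "login_type": "win_logon", "username": user,
                "login_result": result}

    events = [ev(i, "10.1.1.20", "svc_backup", "failure") for i in range(8)]
    events += [ev(3, "10.1.1.30", "jsmith", "failure"), ev(4, "10.1.1.30", "jsmith", "failure"),
               ev(5, "10.1.1.30", "jsmith", "success")]
    events.append(ev(9, "10.1.1.20", "svc_backup", "success"))
    return events


if __name__ == "__main__":
    fails, successes = correlate_logins(constructed_login_events())
    print(len(fails), "failure anomalies;", len(successes), "brute-forced successes")
```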

Alert Subtype: Source IP Based

The Source IP-based alert subtype is the same as the Internal User Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from network traffic, system logs, Linux events, and AWS events.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is internal_user_login_fail_srcip.

Alert Subtype: Destination IP Based

The Destination IP-based alert subtype is the same as the Internal User Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from network traffic, system logs, Linux events, and AWS events.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is internal_user_login_fail_dstip.

Alert Subtype: NTLM Events

The NTLM Events alert subtype is the same as the Internal User Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from NTLM events.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is internal_user_login_fail_ntlm.

Alert Subtype: Kerberos Events

The Kerberos Events alert subtype is the same as the Internal User Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from Kerberos events.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is internal_user_login_fail_kerberos.

Alert Subtype: Windows Logon Events

The Windows Logon Events alert subtype is the same as the Internal User Login Failure Anomaly alert type above, with the following differences:

  • The subtype is for data sources from Windows Logon events.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is internal_user_login_fail_win_logon.

Login Time Anomaly

A user logged in at an abnormal time. Check with the user.

This alert type has a relatively long detection delay of up to 40 minutes because it waits for login events from high latency data sources and is sensitive to the event order of user logins.

This alert type reads the System Timezone in Global Settings and puts the timezone into the alert descriptions. In Global Settings, set your timezone relative to UTC.

When a Login Time Anomaly occurs, the timezone is bound to the alert description with the following priorities:

  • When engid_gateway is present, the timezone inferred from it takes precedence over the DP timezone, so the description uses the timezone where the login actually happened.

  • If engid_gateway is not present, the DP timezone setting is used.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR UBA (XTA0004)

  • Technique: XDR Time Anomaly (XT4005)

  • Tags: [External; User Behavior Analytics]

Event Name

The xdr_event.name for this alert type in the Interflow data is user_login_time.

Severity

40

Key Fields and Relevant Data Points

  • srcip_usersid — key ID of the source user

    or

  • event_data.TargetUserName — name of the user (Windows event)

    The key field for this alert type can be either srcip_usersid or event_data.TargetUserName, depending on the data feed.

  • srcip_username — source user name
  • srcip_host — host name of corresponding source IP address
  • srcip_geo.countryName — source country
  • actual_range — actual login time range
  • typical_range — typical login time range

Use Case with Data Points

Every user's (srcip_usersid) login time (actual) is compared to the typical login times (typical_range). If it is outside the range, an alert is triggered. The Interflow includes information such as the source user name (srcip_username), source host name (srcip_host), and source country (srcip_geo.countryName), as well as the destination host (dstip_host).

Malware on Disk

Sophos was deprecated from this alert type as of the 5.2.0 release. It is replaced by the Sophos alert integration.

Malicious software or a potentially unwanted application was found on a device and reported as not cleaned. Check with the user.

XDR Kill Chain

  • Kill Chain Stage: Propagation

  • Tactic: [Internal] XDR Malware (XTA0006)

  • Technique: XDR Miscellaneous Malware (XT6001)

  • Tags: [Internal; Malware]

Event Name

The xdr_event.name for this alert type in the Interflow data is malware_on_disk.

Severity

90 (Windows Defender)

80 (Sophos)

Key Fields and Relevant Data Points

  • hostip — IP address of the host
  • file_path — file path
  • computer_name — computer name
  • malware_engine — malware engine, can be Sophos or Windows Defender
  • group — type of malware
  • type — status of malware

Use Case with Data Points

If either of the following occurs, an alert is triggered:

  • Windows Defender indicates a failure or error when taking actions to protect the system
  • Sophos engine indicates there is uncleaned malware

A sample Interflow includes the computer name (computer_name), malware engine (malware_engine), host IP address (hostip), path to the file (file_path), type of malware (group, for Sophos), and status of the malware (type, for Sophos).

Microsoft Entra Application Configuration Changes

The Microsoft Entra Application Configuration Changes rules are used to identify suspicious Microsoft Entra application configuration changes. Any one or more of these will trigger the Microsoft Entra Application Configuration Changes alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is azure_application_configuration_changes.

Key Fields and Relevant Data Points

  • initiatedBy.user.id — user ID who initiated the activity
  • initiatedBy.app.servicePrincipalId — application and Service Principal ID that initiated the activity
  • user.name — user name
  • activityDisplayName — activity display name
  • category — activity category
  • result — result of the activity
  • resultReason — result reason of the activity
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Microsoft Entra Application Configuration Changes Alert Type

Microsoft Entra Application Deleted

The Microsoft Entra Application Deleted rules are used to identify events when a Microsoft Entra application is deleted. Any one or more of these will trigger the Microsoft Entra Application Deleted alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is microsoft_entra_app_deleted.

Key Fields and Relevant Data Points

  • initiatedBy.user.id — user ID who initiated the activity
  • initiatedBy.app.servicePrincipalId — application and Service Principal ID that initiated the activity
  • user.name — user name
  • activityDisplayName — activity display name
  • category — activity category
  • result — result of the activity
  • resultReason — result reason of the activity
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Microsoft Entra Application Deleted Alert Type

Microsoft Entra Application Permission Changes

The Microsoft Entra Application Permission Changes rules are used to identify suspicious Microsoft Entra application permission changes. Any one or more of these will trigger the Microsoft Entra Application Permission Changes alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is azure_application_permission_changes.

Key Fields and Relevant Data Points

  • initiatedBy.user.id — user ID who initiated the activity
  • initiatedBy.app.servicePrincipalId — application and Service Principal ID that initiated the activity
  • user.name — user name
  • activityDisplayName — activity display name
  • category — activity category
  • result — result of the activity
  • resultReason — result reason of the activity
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Microsoft Entra Application Permission Changes Alert Type

Microsoft Entra Apps Modified to Allow Multi-Tenant Access

Microsoft Entra ID (formerly Azure Active Directory) observed an application being modified to allow multi-tenant access. Check with the organization to be sure this was expected.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: Persistence (TA0003)

  • Technique: Account Manipulation (T1098)

  • Tags: []

Event Name

The xdr_event.name for this alert type in the Interflow data is azure_ad_add_app_multitenant.

Severity

75

Key Fields and Relevant Data Points

  • srcip_usersid — user ID that modified the property change
  • activityDisplayName — description of the action
  • targetResources.modifiedProperties.displayName — properties that were changed

Use Case with Data Points

If Microsoft Entra ID detects any user (srcip_usersid) changing an application to allow multi-tenant access, an alert is triggered. A sample Interflow includes the user ID (srcip_usersid), activity name (activityDisplayName), and name of the changed property (targetResources.modifiedProperties.displayName).

Microsoft Entra Bitlocker Key Retrieval

The Microsoft Entra Bitlocker Key Retrieval rules are used to identify suspicious Microsoft Entra Bitlocker key retrieval activity. Any one or more of these will trigger the Microsoft Entra Bitlocker Key Retrieval alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is azure_bitlocker_key_retrieval.

Key Fields and Relevant Data Points

  • initiatedBy.user.id — user ID who initiated the activity
  • initiatedBy.app.servicePrincipalId — application and Service Principal ID that initiated the activity
  • user.name — user name
  • activityDisplayName — activity display name
  • category — activity category
  • result — result of the activity
  • resultReason — result reason of the activity
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Microsoft Entra BitLocker Key Retrieval Alert Type

Microsoft Entra Changes to Conditional Access Policy

The Microsoft Entra Changes to Conditional Access Policy rules are used to identify suspicious Microsoft Entra changes to conditional access policy. Any one or more of these will trigger the Microsoft Entra Changes to Conditional Access Policy alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is azure_suspicious_changes_to_conditional_access_policy.

Key Fields and Relevant Data Points

  • initiatedBy.user.id — user ID who initiated the activity
  • initiatedBy.app.servicePrincipalId — application and Service Principal ID that initiated the activity
  • user.name — user name
  • activityDisplayName — activity display name
  • category — activity category
  • result — result of the activity
  • resultReason — result reason of the activity
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Microsoft Entra Changes to Conditional Access Policy Alert Type

Microsoft Entra Changes to Device Registration Policy

The Microsoft Entra Changes to Device Registration Policy rules are used to identify suspicious Microsoft Entra changes to device registration policy. Any one or more of these will trigger the Microsoft Entra Changes to Device Registration Policy alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is azure_changes_to_device_registration_policy.

Key Fields and Relevant Data Points

  • initiatedBy.user.id — user ID who initiated the activity
  • initiatedBy.app.servicePrincipalId — application and Service Principal ID that initiated the activity
  • user.name — user name
  • activityDisplayName — activity display name
  • category — activity category
  • result — result of the activity
  • resultReason — result reason of the activity
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Microsoft Entra Changes to Device Registration Policy Alert Type

Microsoft Entra Changes to Privileged Account

The Microsoft Entra Changes to Privileged Account rules are used to identify suspicious Microsoft Entra changes to privileged accounts. Any one or more of these will trigger the Microsoft Entra Changes to Privileged Account alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is azure_changes_to_privileged_account.

Key Fields and Relevant Data Points

  • initiatedBy.user.id — user ID who initiated the activity
  • initiatedBy.app.servicePrincipalId — application and Service Principal ID that initiated the activity
  • user.name — user name
  • activityDisplayName — activity display name
  • category — activity category
  • result — result of the activity
  • resultReason — result reason of the activity
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Microsoft Entra Changes to Privileged Account Alert Type

Microsoft Entra Changes to Privileged Role Assignment

The Microsoft Entra Changes to Privileged Role Assignment rules are used to identify suspicious Microsoft Entra changes to privileged role assignments. Any one or more of these will trigger the Microsoft Entra Changes to Privileged Role Assignment alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is azure_changes_to_privileged_role_assignment.

Key Fields and Relevant Data Points

  • initiatedBy.user.id — user ID who initiated the activity
  • initiatedBy.app.servicePrincipalId — application and Service Principal ID that initiated the activity
  • user.name — user name
  • activityDisplayName — activity display name
  • category — activity category
  • result — result of the activity
  • resultReason — result reason of the activity
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Microsoft Entra Changes to Privileged Role Assignment Alert Type

Microsoft Entra Custom Domains Changed

Microsoft Entra ID (formerly Azure Active Directory) observed a custom domain being changed. Check with the organization to be sure this was expected.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: Defense Evasion (TA0005)

  • Technique: Domain Policy Modification (T1484)

  • Tags: []

Event Name

The xdr_event.name for this alert type in the Interflow data is azure_ad_change_domain.

Severity

75

Key Fields and Relevant Data Points

  • srcip_usersid — user account that made the domain change
  • activityDisplayName — activity display name
  • activity_name — action description
  • targetResources.modifiedProperties — properties that were changed

Use Case with Data Points

If Microsoft Entra ID detects any user (srcip_usersid) changing a custom domain, an alert is triggered. A sample Interflow includes the user ID (srcip_usersid) and activity name (activity_name).

Microsoft Entra Federation Modified

The Microsoft Entra Federation Modified rules are used to identify suspicious Microsoft Entra federation modifications. Any one or more of these will trigger the Microsoft Entra Federation Modified alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is azure_federation_modified.

Key Fields and Relevant Data Points

  • initiatedBy.user.id — user ID who initiated the activity
  • initiatedBy.app.servicePrincipalId — application and Service Principal ID that initiated the activity
  • user.name — user name
  • activityDisplayName — activity display name
  • category — activity category
  • result — result of the activity
  • resultReason — result reason of the activity
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Microsoft Entra Federation Modified Alert Type

Microsoft Entra Guest User Invited by Non-Approved Inviters

The Microsoft Entra Guest User Invited by Non-Approved Inviters rules are used to identify Microsoft Entra guest users invited by non-approved inviters. Any one or more of these will trigger the Microsoft Entra Guest User Invited by Non-Approved Inviters alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is azure_guest_user_invited_by_non_approved_inviters.

Key Fields and Relevant Data Points

  • initiatedBy.user.id — user ID who initiated the activity
  • initiatedBy.app.servicePrincipalId — application and Service Principal ID that initiated the activity
  • user.name — user name
  • activityDisplayName — activity display name
  • category — activity category
  • result — result of the activity
  • resultReason — result reason of the activity
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Microsoft Entra Guest User Invited by Non-Approved Inviters Alert Type

Microsoft Entra ID Discovery Using AzureHound

The Microsoft Entra ID Discovery Using AzureHound rules are used to identify Microsoft Entra ID discovery using AzureHound. Any one or more of these will trigger the Microsoft Entra ID Discovery Using AzureHound alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is azure_discovery_using_azurehound.

Key Fields and Relevant Data Points

  • srcip_username — user name of the account involved in the event
  • srcip — IP address of the login client
  • srcip_host — host name of the login client
  • UserAgent — user agent
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Microsoft Entra ID Discovery Using AzureHound Alert Type

Microsoft Entra ID MFA Disabled

The Microsoft Entra ID MFA Disabled rules are used to identify events when a Microsoft Entra ID multi-factor authentication is disabled. Any one or more of these will trigger the Microsoft Entra ID MFA Disabled alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is azure_mfa_disabled.

Key Fields and Relevant Data Points

  • initiatedBy.user.id — user ID who initiated the activity
  • initiatedBy.app.servicePrincipalId — application and Service Principal ID that initiated the activity
  • user.name — user name
  • activityDisplayName — activity display name
  • category — activity category
  • result — result of the activity
  • resultReason — result reason of the activity
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Microsoft Entra ID MFA Disabled Alert Type

Microsoft Entra Owner Removed from Application

The Microsoft Entra Owner Removed from Application rules are used to identify events when a Microsoft Entra owner is removed from an application. Any one or more of these will trigger the Microsoft Entra Owner Removed from Application alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is microsoft_entra_owner_removed_from_app.

Key Fields and Relevant Data Points

  • initiatedBy.user.id — user ID who initiated the activity
  • initiatedBy.app.servicePrincipalId — application and Service Principal ID that initiated the activity
  • user.name — user name
  • activityDisplayName — activity display name
  • category — activity category
  • result — result of the activity
  • resultReason — result reason of the activity
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Microsoft Entra Owner Removed from Application Alert Type

Microsoft Entra PIM Setting Changed

The Microsoft Entra PIM Setting Changed rules are used to identify suspicious Microsoft Entra PIM setting changes. Any one or more of these will trigger the Microsoft Entra PIM Setting Changed alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is azure_pim_setting_changed.

Key Fields and Relevant Data Points

  • initiatedBy.user.id — user ID who initiated the activity
  • initiatedBy.app.servicePrincipalId — application and Service Principal ID that initiated the activity
  • user.name — user name
  • activityDisplayName — activity display name
  • category — activity category
  • result — result of the activity
  • resultReason — result reason of the activity
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Microsoft Entra PIM Setting Changed Alert Type

Microsoft Entra Privileged Account Assignment or Elevation

The Microsoft Entra Privileged Account Assignment or Elevation rules are used to identify suspicious Microsoft Entra privileged account assignment or elevation. Any one or more of these will trigger the Microsoft Entra Privileged Account Assignment or Elevation alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is azure_privileged_account_assignment_or_elevation.

Key Fields and Relevant Data Points

  • initiatedBy.user.id — user ID who initiated the activity
  • initiatedBy.app.servicePrincipalId — application and Service Principal ID that initiated the activity
  • user.name — user name
  • activityDisplayName — activity display name
  • category — activity category
  • result — result of the activity
  • resultReason — result reason of the activity
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Microsoft Entra Privileged Account Assignment or Elevation Alert Type

Microsoft Entra Sign-in Failure

The Microsoft Entra Sign-in Failure rules are used to identify suspicious Microsoft Entra sign-in failures. Any one or more of these will trigger the Microsoft Entra Sign-in Failure alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is azure_sign_in_failures.

Key Fields and Relevant Data Points

  • srcip_username — user name of the account involved in the event
  • srcip — IP address of the login client
  • srcip_host — host name of the login client
  • login_result — login result of user login events
  • azure_ad.status.failureReason — reason for the login failure
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Microsoft Entra Sign-in Failure Alert Type

Microsoft Entra Suspicious Sign-in Activity

The Microsoft Entra Suspicious Sign-in Activity rules are used to identify suspicious Microsoft Entra sign-in activity. Any one or more of these will trigger the Microsoft Entra Suspicious Sign-in Activity alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is azure_suspicious_sign_in_activity.

Key Fields and Relevant Data Points

  • srcip_username — user name of the account involved in the event
  • srcip — IP address of the login client
  • srcip_host — host name of the login client
  • login_result — login result of user login events
  • azure_ad.status.failureReason — reason for the login failure
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Suspicious Microsoft Entra Sign-In Activity Alert Type

Microsoft Entra Unusual Account Creation

The Microsoft Entra Unusual Account Creation rules are used to identify Microsoft Entra unusual account creation activity. Any one or more of these will trigger the Microsoft Entra Unusual Account Creation alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is azure_unusual_account_creation.

Key Fields and Relevant Data Points

  • initiatedBy.user.id — user ID who initiated the activity
  • initiatedBy.app.servicePrincipalId — application and Service Principal ID that initiated the activity
  • user.name — user name
  • activityDisplayName — activity display name
  • category — activity category
  • result — result of the activity
  • resultReason — result reason of the activity
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Microsoft Entra Unusual Account Creation Alert Type

Mimikatz Credential Dump

A potential Mimikatz memory dump was observed. Check the process to determine whether the host is compromised. Consider quarantining the host.

XDR Kill Chain

  • Kill Chain Stage: Propagation

  • Tactic: [Internal] Credential Access (TA0006)

  • Technique: OS Credential Dumping (T1003)

  • Tags: [Internal]

Event Name

The xdr_event.name for this alert type in the Interflow data is mimikatz_mem_scan.

Severity

90

Key Fields and Relevant Data Points

  • hostip — host IP address
  • hostip_host — host name
  • access_subject — process attempting access
  • access_mask — mask that the suspicious process used to obtain access privileges (different access masks indicate different capabilities obtained by the suspicious process)

Use Case with Data Points

If a process (access_subject) on a Windows host (srcip) tries to access lsass.exe with a special access mask (access_mask), an alert is triggered. The Interflow includes the IP address of the Windows host (srcip), the process performing the Mimikatz activity (access_subject), and the access mask used to acquire the access privilege (access_mask).

Mimikatz DCSync

An attempt to replicate Active Directory for the first time on a domain controller, or the first time by that account, has occurred. Evaluate whether the replication is intended and, if not, consider disabling the account involved in the replication and investigate for further signs of compromise.

XDR Kill Chain

  • Kill Chain Stage: Propagation

  • Tactic: [Internal] Credential Access (TA0006)

  • Technique: OS Credential Dumping (T1003)

  • Tags: [Internal, Active Directory]

Event Name

The xdr_event.name for this alert type in the Interflow data is mimikatz_dcsync.

Severity

90

Key Fields and Relevant Data Points

  • hostip — IP address of the targeted domain controller
  • event_data.SubjectUserSid — source user ID associated with the account attempting replication
  • hostip_host — host name of the targeted domain controller
  • event_data.SubjectUserName — name of the account that attempted the Active Directory replication
  • event_data.SubjectDomainName — domain of the account that attempted the Active Directory replication

Use Case with Data Points

This alert is triggered when replication of an Active Directory domain controller (hostip) occurs for the first time, or is attempted by a user account or computer account (event_data.SubjectUserName) that has rarely (days_silent) or never initiated replication on that DC before. The Interflow includes the IP address of the targeted domain controller (hostip), the account (event_data.SubjectUserName) attempting the replication and its domain (event_data.SubjectDomainName), and the replication operation attempted (event_data.Properties). (For guidance on interpreting the GUID in the event_data.Properties field, refer to Microsoft Documentation.)

Validation / Remediation

To triage an alert of this type, consider first verifying whether the Active Directory replication event was expected. If the replication is not intended, then the alert has indicated that a DCSync attack is highly likely. This attack can be very severe, because all password hashes stored on the targeted domain controller might have been dumped. Disable the account involved in the replication as soon as possible and further investigate the account for any signs of compromise.

There is no simple remediation for a confirmed DCSync attack. Evaluate the overall risks of credential leakage and apply appropriate corrective actions, including minimizing accounts with permissions to perform Active Directory replication, and forcing a change of credentials for accounts with weak passwords.

Potential False Positives

The following will trigger an alert:

  • Setup of a new DC

  • Replication of a DC for the first time

Office 365 Admin Audit Logging Disabled

Office 365 admin audit logging was disabled. Make sure this change was expected.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: Defense Evasion (TA0005)

  • Technique: Impair Defenses (T1562)

  • Tags: []

Event Name

The xdr_event.name for this alert type in the Interflow data is office365_admin_audit_logging_disabled.

Severity

60

Key Fields and Relevant Data Points

  • srcip_usersid — key ID for the Office 365 account
  • OrganizationName — organization with audit logging

Use Case with Data Points

Office 365 monitors each Office 365 account (srcip_usersid) for admin audit logging status. If admin audit logging is disabled, an alert is triggered. A sample Interflow includes the account ID (srcip_usersid) and organization name (OrganizationName).

Office 365 Content Filter Policy Changed

The Microsoft Exchange content policy was changed. An overly permissive content policy can allow spammers to send your organization unwanted email. Make sure this change was expected.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: Persistence (TA0003)

  • Technique: Account Manipulation (T1098)

  • Tags: []

Event Name

The xdr_event.name for this alert type in the Interflow data is office365_content_filter_policy_changed.

Severity

40

Key Fields and Relevant Data Points

  • srcip_usersid — key ID for the Office 365 account
  • OrganizationId — ID of the organization with the Microsoft content policy change
  • OrganizationName — organization with the Microsoft content policy change

Use Case with Data Points

Office 365 monitors all Office 365 accounts (srcip_usersid) in each organization (OrganizationId) for a Microsoft Exchange content policy change. If a change is detected, an alert is triggered. A sample Interflow includes the Office 365 account ID (srcip_usersid), organization ID (OrganizationId), and organization name (OrganizationName).

Office 365 File Sharing with Outside Entities

An Office 365 account shared multiple files with entities outside of the organization. Check with the user to make sure this was expected.

XDR Kill Chain

  • Kill Chain Stage: Exfiltration & Impact

  • Tactic: Exfiltration (TA0010)

  • Technique: Transfer Data to Cloud Account (T1537)

  • Tags: []

Event Name

The xdr_event.name for this alert type in the Interflow data is office365_outside_entity_file_sharing.

Severity

50

Key Fields and Relevant Data Points

  • srcip_usersid — key ID for the Office 365 account
  • srcip — source IP address of the sharing action
  • srcip_host — source host name
  • srcip_geo.countryName — source country

Use Case with Data Points

Office 365 monitors sharing with outside entities for each Office 365 account (srcip_usersid). If an account shares multiple files with outside entities, an alert is triggered. A sample Interflow includes the user ID (srcip_usersid), source IP address (srcip), and source country (srcip_geo.countryName).

Office 365 Malware Filter Policy Changed

The Microsoft Exchange malware filter policy changed. An overly permissive malware filter policy can allow attackers to send malicious attachments to your organization. Make sure this change was expected.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: Defense Evasion (TA0005)

  • Technique: Impair Defenses (T1562)

  • Tags: []

Event Name

The xdr_event.name for this alert type in the Interflow data is office365_malware_filter_policy_changed.

Severity

50

Key Fields and Relevant Data Points

  • srcip_usersid — key ID for the Office 365 account
  • OrganizationId — ID of the organization with the Microsoft Exchange malware policy change
  • OrganizationName — organization with the Microsoft Exchange malware policy change

Use Case with Data Points

Office 365 monitors all Office 365 accounts (srcip_usersid) in every organization (OrganizationId) for Microsoft Exchange malware policy changes. If a change is discovered, an alert is triggered. A sample Interflow includes the account ID (srcip_usersid), organization ID (OrganizationId), and organization name (OrganizationName).

Office 365 Multiple Files Restored

Office 365 observed that multiple files were restored in a short period. Check with the user.

XDR Kill Chain

  • Kill Chain Stage: Exploration

  • Tactic: Collection (TA0009)

  • Technique: Data Staged (T1074)

  • Tags: []

Event Name

The xdr_event.name for this alert type in the Interflow data is office365_multi_file_restore.

Severity

50

Key Fields and Relevant Data Points

  • srcip_usersid — key ID for the Office 365 account
  • EventSource — event source
  • srcip — source IP address that caused the restore
  • srcip_host — source host name

Use Case with Data Points

Office 365 periodically checks file restore records. If multiple file restore records are detected within a short period, an alert is triggered. A sample Interflow includes the Office 365 account ID (srcip_usersid), event source (EventSource), and source IP address (srcip).

Office 365 Multiple Users Deleted

Office 365 observed that multiple users were deleted in a short period. Check with the user.

XDR Kill Chain

  • Kill Chain Stage: Exfiltration & Impact

  • Tactic: Impact (TA0040)

  • Technique: Account Access Removal (T1531)

  • Tags: []

Event Name

The xdr_event.name for this alert type in the Interflow data is office365_multi_user_deleted.

Severity

50

Key Fields and Relevant Data Points

  • srcip_usersid — key ID for the Office 365 account
  • EventSource — event source
  • srcip — source IP address that did the deletion
  • srcip_host — source host name

Use Case with Data Points

Office 365 periodically checks user deletion records. If multiple users were deleted within a short period, an alert is triggered. A sample Interflow includes the Office 365 account ID (srcip_usersid), event source (EventSource), and source IP address (srcip).

Office 365 Network Security Configuration Changed

Office 365 identified a change to your organization's network security configuration, which is uncommon. Make sure this was expected.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: Persistence (TA0003)

  • Technique: Account Manipulation (T1098)

  • Tags: []

Event Name

The xdr_event.name for this alert type in the Interflow data is office365_security_conf_changed.

Severity

70

Key Fields and Relevant Data Points

  • srcip_usersid — key ID for the Office 365 account
  • OrganizationId — ID of the organization whose security configuration changed
  • OrganizationName — name of the organization whose security configuration changed

Use Case with Data Points

Office 365 monitors all Office 365 accounts (srcip_usersid) in every organization (OrganizationId) for network security configuration changes. If a change is detected, an alert is triggered. A sample Interflow includes the Office 365 account ID (srcip_usersid), organization ID (OrganizationId), and organization name (OrganizationName).

Office 365 Password Policy Changed

Office 365 identified a change to your organization's password policy, which is uncommon. Make sure this was expected.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: Defense Evasion (TA0005)

  • Technique: Modify Authentication Process (T1556)

  • Tags: []

Event Name

The xdr_event.name for this alert type in the Interflow data is office365_password_policy_changed.

Severity

40

Key Fields and Relevant Data Points

  • srcip_usersid — key ID for the Office 365 account
  • OrganizationId — ID of the organization whose password policy changed
  • OrganizationName — name of the organization whose password policy changed

Use Case with Data Points

Office 365 monitors all Office 365 accounts (srcip_usersid) in every organization (OrganizationId) for password policy changes. If a change is detected, an alert is triggered. A sample Interflow includes the account ID (srcip_usersid), organization ID (OrganizationId), and organization name (OrganizationName).

Office 365 Sharing Policy Changed

Office 365 identified a change to your organization's sharing policy, which is uncommon. Make sure this was expected.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: Persistence (TA0003)

  • Technique: Account Manipulation (T1098)

  • Tags: []

Event Name

The xdr_event.name for this alert type in the Interflow data is office365_sharing_policy_changed.

Severity

60

Key Fields and Relevant Data Points

  • srcip_usersid — key ID for the Office 365 account
  • OrganizationId — ID of the organization whose sharing policy changed
  • OrganizationName — name of the organization whose sharing policy changed

Use Case with Data Points

Office 365 monitors all Office 365 accounts (srcip_usersid) in every organization (OrganizationId) for sharing policy changes. If a change is detected, an alert is triggered. A sample Interflow includes the Office 365 account ID (srcip_usersid), organization ID (OrganizationId), and organization name (OrganizationName).

Office 365 User Network Admin Changed

The Office 365 account’s network admin information was changed. Make sure this change was expected.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: Persistence (TA0003)

  • Technique: Account Manipulation (T1098)

  • Tags: []

Event Name

The xdr_event.name for this alert type in the Interflow data is office365_user_network_admin_changed.

Severity

50

Key Fields and Relevant Data Points

  • srcip_usersid — key ID for the Office 365 account
  • OrganizationName — name of the organization

Use Case with Data Points

Office 365 monitors the network admin information for each Office 365 account (srcip_usersid). If changes to the network admin are discovered, an alert is triggered. A sample Interflow includes the account ID (srcip_usersid) and organization name (OrganizationName).

Password Cracking with Hashcat

A user from a Windows host executed a command-line script that launched either the hashcat.exe command or a command using known Hashcat parameters (-a -m 1000 -r). The Hashcat command is known to use a SAM file from the Windows registry along with a password list to crack passwords.

XDR Kill Chain

  • Kill Chain Stage: Propagation

  • Tactic: [Internal] Credential Access (TA0006)

  • Technique: Brute Force (T1110)

  • Tags: [Hashcat]

Event Name

The xdr_event.name for this alert type in the Interflow data is password_cracking_with_hashcat.

Severity

90

Key Fields and Relevant Data Points

  • hostip — device internal IP address
  • event_data.Image — process running the hashcat tool
  • event_data.CommandLine — command used to run the tool
  • computer_name — name of the Windows host

Use Case with Data Points

This alert is triggered if a Windows host (hostip) executes a PowerShell script with a context that includes one or more flags (event_data.Image or event_data.CommandLine) indicating usage of the Hashcat password cracking tool. The Interflow includes the IP address of the Windows host (hostip), the host name (computer_name), and the script image (event_data.Image) or script payload (event_data.CommandLine).

Validation / Remediation

Check the body of the PowerShell script that is reported on the Windows host to identify whether the contents are actually malicious. If malicious, consider quarantining the host.

Potential False Positives

The running of any executable named hashcat.exe or any command that uses the hashcat signature parameter list (-a -m 1000 -r).

Password Resets Anomaly

An account reset/changed one or more target accounts' passwords an anomalously large number of times. Check the subject account and major target accounts.

This alert type has the following subtype:

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: Persistence (TA0003)

  • Technique: Account Manipulation (T1098)

  • Tags: []

Event Name

The xdr_event.name for this alert type in the Interflow data is password_resets_anomaly.

Severity

30

Key Fields and Relevant Data Points

  • event_data.SubjectDomainName — domain to which the SubjectUserName belongs
  • event_data.SubjectUserName — user name of the account that resets/changes the password
  • actual — actual number of times the user reset/changed passwords in the period
  • typical — expected maximum number of times the user resets/changes passwords in the period

Use Case with Data Points

The daily number of password reset/change actions performed by a user (SubjectDomainName + SubjectUserName) is monitored as (actual) and compared with a dynamic upper threshold (typical). An alert is triggered when the actual number exceeds the threshold.
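The following is an added example (not Stellar Cyber code) of how the actual-versus-typical comparison described above can be computed from Windows Security events 4723 (password change attempt) and 4724 (password reset attempt). The page does not document how the product derives typical; the threshold formula here (mean + 3 standard deviations of the user's prior daily totals, floored at 5) and the sample events are assumptions constructed for illustration.

```python
"""Daily password reset/change counter with a dynamic upper threshold.

Added example, not Stellar Cyber code. The threshold model (mean + SIGMAS
standard deviations of the subject's prior daily totals, never below
MIN_THRESHOLD) is an assumption; the product's own 'typical' model is not
described on this page.
"""
from collections import Counter, defaultdict
from datetime import date
from statistics import mean, pstdev

RESET_EVENT_IDS = {4723, 4724}  # Windows Security: password change / reset attempt
MIN_THRESHOLD = 5               # assumed floor so a quiet account's first resets do not alert
SIGMAS = 3                      # assumed width of the dynamic threshold


def daily_counts(events):
    """Return {(SubjectDomainName, SubjectUserName): {date: Counter(TargetUserName -> n)}}."""
    out = defaultdict(lambda: defaultdict(Counter))
    for ev in events:
        if ev["event_id"] not in RESET_EVENT_IDS:
            continue  # e.g. 4720 (account created) is not a reset/change
        data = ev["event_data"]
        subject = (data["SubjectDomainName"], data["SubjectUserName"])
        day = date.fromisoformat(ev["timestamp"][:10])
        out[subject][day][data["TargetUserName"]] += 1
    return out


def typical_threshold(history):
    """Dynamic upper bound derived from the subject's prior daily totals (assumed formula)."""
    if not history:
        return float(MIN_THRESHOLD)
    return float(max(MIN_THRESHOLD, mean(history) + SIGMAS * pstdev(history)))


def detect(events, day_iso):
    """Return password_resets_anomaly alerts for the given ISO date (YYYY-MM-DD)."""
    day = date.fromisoformat(day_iso)
    alerts = []
    for subject, per_day in daily_counts(events).items():
        today = per_day.get(day)
        if today is None:
            continue
        actual = sum(today.values())
        history = [sum(c.values()) for d, c in per_day.items() if d < day]
        typical = typical_threshold(history)
        if actual > typical:
            alerts.append({
                "xdr_event.name": "password_resets_anomaly",
                "event_data.SubjectDomainName": subject[0],
                "event_data.SubjectUserName": subject[1],
                "actual": actual,
                "typical": round(typical, 1),
                # the target accounts an analyst would check first during validation
                "top_targets": today.most_common(3),
            })
    return alerts


def make_event(ts, subject_user, target_user, event_id=4724, domain="CORP"):
    """Build a minimal constructed Windows Security event record."""
    return {"timestamp": ts, "event_id": event_id,
            "event_data": {"SubjectDomainName": domain,
                           "SubjectUserName": subject_user,
                           "TargetUserName": target_user}}


# Constructed sample data: a help-desk account with a quiet week, then one busy day.
SAMPLE_EVENTS = []
for day_num, n in enumerate([2, 3, 2, 4, 3, 2, 3], start=3):  # 2024-06-03 .. 2024-06-09
    for i in range(n):
        SAMPLE_EVENTS.append(make_event(f"2024-06-{day_num:02d}T09:{i:02d}:00Z", "helpdesk1", f"user{i}"))
for i in range(14):  # 2024-06-10: 14 resets, six of them against the same admin account
    target = "da_admin" if i < 6 else f"user{i}"
    SAMPLE_EVENTS.append(make_event(f"2024-06-10T10:{i:02d}:00Z", "helpdesk1", target))
SAMPLE_EVENTS.append(make_event("2024-06-10T11:00:00Z", "alice", "alice", 4723))  # own password change
SAMPLE_EVENTS.append(make_event("2024-06-10T11:05:00Z", "alice", "bob", 4720))    # account creation, ignored

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, "2024-06-10"):
        print(alert)
```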

Validation / Remediation

Validate the alert by checking the account's activity on that date. If the number of resets/changes is abnormal, check the target user names whose passwords were reset to verify whether the action is expected.

Potential False Positives

False positives can be triggered in the following situations:

  • Traffic pattern change, such as when an account is newly added or has some systematic change from the typical number of resets/changes

  • Resets of usually silent accounts

Alert Subtype: Windows Account Password Reset Anomaly

The xdr_event.subtype.name for this alert subtype in the Interflow data is windows_account_password_resets_anomaly.

Password Spraying Attempts Using Dsacls

A user from a Windows host executed a command-line script to launch a command that by name and parameter list indicates an attempt to abuse dsacls.exe for password spraying.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: [Internal] Defense Evasion (TA0005)

  • Technique: System Binary Proxy Execution (T1218)

  • Tags: [Password Spray;Dsacls]

Event Name

The xdr_event.name for this alert type in the Interflow data is password_spraying_attempts_using_dsacls.

Severity

50

Key Fields and Relevant Data Points

  • hostip — device internal IP address
  • event_data.Image — process running dsacls for password cracking
  • event_data.CommandLine — command used to run the tool
  • event_data.OriginalFileName — actual file name that was executed
  • computer_name — name of the Windows host

Use Case with Data Points

This alert is triggered if a Windows host (hostip) executes dsacls.exe with a context that includes one or more flags (event_data.Image, event_data.CommandLine, or event_data.OriginalFileName including /user and /passwd as parameters). This indicates possible usage of dsacls as a password spraying tool. The Interflow includes the IP address of the Windows host (hostip), the host name (computer_name), the script image (event_data.Image) or the original file name (event_data.OriginalFileName), and the command line (event_data.CommandLine).

Validation / Remediation

Check whether the usage was actually malicious. If so, consider quarantining the Windows host.

Potential False Positives

This alert could be triggered even if the use is a legitimate use of dsacls to bind to an LDAP session.

Potentially Malicious Windows Event

The Potentially Malicious Windows Event rules are used to identify suspicious activity with Windows events. This is a generic rule name. Any one or more of these will trigger the Potentially Malicious Windows Event alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is windows_security_malicious_event.

Key Fields and Relevant Data Points

  • event_id — Windows event ID associated with the activity
  • hostip — host IP address
  • hostip_host — host name
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Potentially Malicious Event Alert Type

PowerShell Remote Access

A Windows host executed a PowerShell script interacting with a remote host. Investigate the script and the remote host to determine whether the script is malicious. If so, consider quarantining the host.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: Execution (TA0002)

  • Technique: Command and Scripting Interpreter (T1059)

  • Tags: []

Event Name

The xdr_event.name for this alert type in the Interflow data is powershell_cnc.

Severity

80

Key Fields and Relevant Data Points

  • hostip — IP address of the Windows host
  • hostip_host — host name
  • remote_ip — IP address of the remote host involved in the script
  • event_data.ScriptBlockText — contents of the PowerShell script

Use Case with Data Points

If a Windows host (srcip) executes a PowerShell script that includes potential communication (event_data.ScriptBlockText) with a remote host (remote_ip), an alert is triggered. The Interflow includes the IP address of the Windows host (srcip), the script body (event_data.ScriptBlockText), and the remote host IP address (remote_ip).

Process Anomaly

A process has been launched an anomalously large number of times. Investigate the process and the user to see if this is expected.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: XDR EBA (XTA0001)

  • Technique: XDR Process Anomaly (XT1001)

  • Tags: []

Event Name

The xdr_event.name for this alert type in the Interflow data is bad_process.

Severity

15

Key Fields and Relevant Data Points

  • process_name — name of the process
  • hostip — host IP address
  • hostip_host — host name
  • actual — actual number of launches in the period
  • typical — typical number of launches in the period

Use Case with Data Points

The number of times a process (process_name) has been launched is calculated periodically. If the volume (actual) is much larger than the typical volume (typical) for that command, or for other commands, in any period, an alert is triggered. The Interflow includes the IP address (hostip) of the host that launched the process.

RDP Port Opening

Netsh commands to open TCP port 3389 were observed. This could indicate Sarwent malware attempting to establish an RDP connection. Check the IP address and block if necessary.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: Defense Evasion (TA0005)

  • Technique: Impair Defenses (T1562)

  • Tags: [RDP]

Event Name

The xdr_event.name for this alert type in the Interflow data is rdp_port_opening.

Severity

50

Key Fields and Relevant Data Points

  • hostip — source IP address that executes the command
  • hostip_host — host name
  • event_data.CommandLine — command that was executed
  • process_name — process name

Use Case with Data Points

Commands that open TCP port 3389 are monitored, and if netsh commands are seen, an alert is triggered. A sample Interflow includes the source IP address (hostip) and the command used (event_data.CommandLine).

RDP Registry Modification

Modifications of the property values of fDenyTSConnections and UserAuthentication to enable remote desktop connections were observed. Check the IP address and block if necessary.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: Defense Evasion (TA0005)

  • Technique: Modify Registry (T1112)

  • Tags: [RDP]

Event Name

The xdr_event.name for this alert type in the Interflow data is rdp_registry_modification.

Severity

50

Key Fields and Relevant Data Points

  • hostip — IP address of the host that made the setting change
  • hostip_host — host name
  • event_data.TargetObject — name of the registry key
  • event_data.Details — value of the registry

Use Case with Data Points

The property values of fDenyTSConnections and UserAuthentication are monitored, and if a possible malicious modification of the settings to enable remote desktop connections is observed, an alert is triggered. A sample Interflow includes the source IP address (hostip) and the registry name (event_data.TargetObject).

RDP Reverse Tunnel

An svchost hosting RDP termsvcs communicating with the loopback address on TCP port 3389 was observed. Check the IP address and block if necessary.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: Command and Control (TA0011)

  • Technique: Protocol Tunneling (T1572)

  • Tags: [RDP]

Event Name

The xdr_event.name for this alert type in the Interflow data is rdp_reverse_tunnel.

Severity

80

Key Fields and Relevant Data Points

  • hostip — host IP address
  • hostip_host — host name
  • event_data.Image — process communicating with the loopback address

Use Case with Data Points

If an svchost hosting RDP termsvcs communicating with the loopback address is found on TCP port 3389, an alert is triggered. A sample Interflow includes the host IP address (hostip) and host name (hostip_host).

RDP Session Hijacking

A suspicious RDP session using tscon.exe or MSTSC shadowing was observed. This could indicate a hijacked RDP session. Check the IP address and block if necessary.

XDR Kill Chain

  • Kill Chain Stage: Propagation

  • Tactic: Lateral Movement (TA0008)

  • Technique: Remote Service Session Hijacking (T1563)

  • Tags: [RDP]

Event Name

The xdr_event.name for this alert type in the Interflow data is rdp_session_hijacking.

Severity

50

Key Fields and Relevant Data Points

  • hostip — host IP address that executes the command
  • hostip_host — host name
  • event_data.CommandLine — command line used
  • process_name — process name

Use Case with Data Points

If an RDP session redirect using tscon.exe or MSTSC is detected, an alert is triggered. A sample Interflow includes the host IP address (hostip), name of the process used (process_name), and command used (event_data.CommandLine).

RDP Settings Hijacking

Changes to RDP terminal services settings were observed. Check the IP address and block if necessary.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: Defense Evasion (TA0005)

  • Technique: Modify Registry (T1112)

  • Tags: [RDP]

Event Name

The xdr_event.name for this alert type in the Interflow data is rdp_settings_hijack.

Severity

50

Key Fields and Relevant Data Points

  • hostip — IP address of the host that made the setting change
  • hostip_host — host name
  • event_data.TargetObject — name of the registry key
  • event_data.EventType — event type on the registry key (SetValue, DeleteValue)
  • event_data.Details — value of the registry

Use Case with Data Points

RDP terminal service settings are monitored, and if changes are found to these settings, an alert is triggered. A sample Interflow includes the source IP address (hostip) and the registry name (event_data.TargetObject).
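The following is an added example (not Stellar Cyber code) of the detection logic behind the RDP Registry Modification and RDP Settings Hijacking alert types above, evaluated over constructed Sysmon registry events (Event ID 13 value-set and Event ID 12 delete records). The registry paths and the "DWORD (0x...)" Details format are standard Windows/Sysmon conventions; which values the product itself treats as "enabling remote desktop" and how widely the settings-hijack rule scopes the Terminal Server key are assumptions.

```python
"""Registry-event checks for rdp_registry_modification and rdp_settings_hijack.

Added example, not Stellar Cyber code. Input records carry the Sysmon
event_data fields named on this page (TargetObject, EventType, Details) plus
hostip. Assumptions: fDenyTSConnections = 0 and UserAuthentication = 0 are the
"enable RDP" modifications, and any other SetValue/DeleteValue under the
Terminal Server key is a settings change.
"""
import re
from dataclasses import dataclass

DWORD_RE = re.compile(r"DWORD \((0x[0-9A-Fa-f]{8})\)")          # Sysmon Details format
TERMINAL_SERVER = r"\control\terminal server"                    # lower-cased path fragment
FDENY = r"\fdenytsconnections"                                   # 0 => RDP connections allowed
USERAUTH = r"\winstations\rdp-tcp\userauthentication"            # 0 => NLA not required


@dataclass
class Alert:
    name: str            # xdr_event.name
    hostip: str
    target_object: str   # event_data.TargetObject
    detail: str


def parse_dword(details):
    """Return the integer in a Sysmon 'DWORD (0x........)' Details string, else None."""
    m = DWORD_RE.fullmatch(details or "")
    return int(m.group(1), 16) if m else None


def evaluate_registry_event(ev):
    """Return an Alert for one registry event under the Terminal Server key, or None."""
    target = ev.get("TargetObject", "")
    t = target.lower()
    if TERMINAL_SERVER not in t:
        return None
    etype = ev.get("EventType", "")
    value = parse_dword(ev.get("Details"))
    # rdp_registry_modification: the two values that, together, allow an RDP
    # session to be offered without Network Level Authentication
    if etype == "SetValue" and value == 0 and t.endswith(FDENY):
        return Alert("rdp_registry_modification", ev["hostip"], target,
                     "fDenyTSConnections set to 0 (RDP enabled)")
    if etype == "SetValue" and value == 0 and t.endswith(USERAUTH):
        return Alert("rdp_registry_modification", ev["hostip"], target,
                     "UserAuthentication set to 0 (NLA disabled)")
    # rdp_settings_hijack: any other change to terminal services settings
    if etype in ("SetValue", "DeleteValue"):
        return Alert("rdp_settings_hijack", ev["hostip"], target,
                     f"{etype} {ev.get('Details', '')}".strip())
    return None


def evaluate_all(events):
    """Evaluate a batch of registry events and return the alerts raised."""
    return [a for a in map(evaluate_registry_event, events) if a is not None]


TS = r"HKLM\System\CurrentControlSet\Control\Terminal Server"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"hostip": "10.1.2.3", "EventType": "SetValue",
     "TargetObject": TS + r"\fDenyTSConnections", "Details": "DWORD (0x00000000)"},
    {"hostip": "10.1.2.3", "EventType": "SetValue",
     "TargetObject": TS + r"\WinStations\RDP-Tcp\UserAuthentication", "Details": "DWORD (0x00000000)"},
    {"hostip": "10.1.2.4", "EventType": "SetValue",   # RDP being disabled: still a settings change
     "TargetObject": TS + r"\fDenyTSConnections", "Details": "DWORD (0x00000001)"},
    {"hostip": "10.1.2.4", "EventType": "SetValue",   # listening port changed (0xD3D = 3389)
     "TargetObject": TS + r"\WinStations\RDP-Tcp\PortNumber", "Details": "DWORD (0x00000D3D)"},
    {"hostip": "10.1.2.5", "EventType": "CreateKey",  # no value written: ignored
     "TargetObject": TS + r"\WinStations\RDP-Tcp"},
    {"hostip": "10.1.2.5", "EventType": "SetValue",   # unrelated key: ignored
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Updater", "Details": "C:\\u.exe"},
]

if __name__ == "__main__":
    for alert in evaluate_all(SAMPLE_EVENTS):
        print(alert)
```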

RDP Suspicious Logon

An RDP logon with a local source IP address was observed. This could indicate a tunneled logon. Check with the user.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: Command and Control (TA0011)

  • Technique: Protocol Tunneling (T1572)

  • Tags: [RDP]

Event Name

The xdr_event.name for this alert type in the Interflow data is rdp_suspicious_logon.

Severity

75

Key Fields and Relevant Data Points

  • hostip — host IP address of the RDP server
  • event_data.TargetDomainName — domain of the login account
  • event_data.TargetUserName — user name of the login account
  • hostip_host — host name

Use Case with Data Points

Remote desktop logins are monitored, and if a successful logon arrives from a local source IP address, an alert is triggered. A sample Interflow includes the RDP server's IP address (hostip) and host name (hostip_host), and the account that logged in (event_data.TargetDomainName, event_data.TargetUserName).

RDP Suspicious Logon Attempt

An authenticated user who is not allowed to log on remotely attempted to connect through RDP. Check with the user.

XDR Kill Chain

  • Kill Chain Stage: Propagation

  • Tactic: [Internal] Credential Access (TA0006)

  • Technique: Brute Force (T1110)

  • Tags: [Internal; RDP]

Event Name

The xdr_event.name for this alert type in the Interflow data is rdp_suspicious_logon_attempt.

Severity

75

Key Fields and Relevant Data Points

  • hostip — host IP address of the RDP server
  • hostip_host — host name
  • event_data.AccountDomain — account domain of the user who attempts to connect
  • event_data.AccountName — account name of the user who attempts to connect
  • event_data.ClientAddress — IP address of the user who attempts to connect

Use Case with Data Points

Windows remote desktop logins are monitored, and if a user who is not permitted to log on remotely attempts to log in with RDP, an alert is triggered. A sample Interflow includes the RDP server's IP address (hostip) and host name (hostip_host), the account (event_data.AccountDomain, event_data.AccountName), and the client address the attempt came from (event_data.ClientAddress).
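
As an added example serving both the RDP Suspicious Logon and RDP Suspicious Logon Attempt alert types above (it is not Stellar Cyber's detection code), the following Python evaluates Security-log records in the Interflow shape. It assumes the successful logon is Security event 4624 with LogonType 10 and the denied attempt is Security event 4825 ("A user was denied access to Remote Desktop"), whose AccountName, AccountDomain and ClientAddress fields match those listed for the alert; the page gives the fields but not the event IDs. The sample records are constructed.

```python
import ipaddress

LOOPBACK_NETS = (ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128"))

def is_local_source(addr):
    """True when a logon's client address is a loopback address. A tunneled RDP
    session (ssh -L, plink, chisel, ngrok ...) terminates on the server itself,
    so the Security log records the client as 127.0.0.1 or ::1 instead of the
    real remote host."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:          # "-", empty, or a host name: not an address
        return False
    return any(ip in net for net in LOOPBACK_NETS)

def rdp_logon_alerts(events):
    """Return (alert_name, hostip, account, client_address) tuples for:
      - rdp_suspicious_logon: Security 4624 with LogonType 10 (RemoteInteractive)
        whose client address is local to the RDP server;
      - rdp_suspicious_logon_attempt: Security 4825, an authenticated user who
        lacks the remote logon right. (Event IDs are this example's assumption.)"""
    alerts = []
    for ev in events:
        d = ev.get("event_data", {})
        eid = ev.get("event_id")
        if eid == 4624 and str(d.get("LogonType")) == "10" and is_local_source(d.get("IpAddress", "")):
            account = f"{d.get('TargetDomainName')}\\{d.get('TargetUserName')}"
            alerts.append(("rdp_suspicious_logon", ev["hostip"], account, d.get("IpAddress")))
        elif eid == 4825:
            account = f"{d.get('AccountDomain')}\\{d.get('AccountName')}"
            alerts.append(("rdp_suspicious_logon_attempt", ev["hostip"], account, d.get("ClientAddress")))
    return alerts

# Constructed sample records in the Interflow shape used on this page (not real data).
H = {"hostip": "10.0.0.20", "hostip_host": "rds01"}
SAMPLE_EVENTS = [
    dict(H, event_id=4624, event_data={"LogonType": "10", "TargetDomainName": "CORP",
                                       "TargetUserName": "alice", "IpAddress": "10.0.5.17"}),   # normal RDP
    dict(H, event_id=4624, event_data={"LogonType": "10", "TargetDomainName": "CORP",
                                       "TargetUserName": "svc-backup", "IpAddress": "127.0.0.1"}),  # tunneled
    dict(H, event_id=4624, event_data={"LogonType": "10", "TargetDomainName": "CORP",
                                       "TargetUserName": "bob", "IpAddress": "::1"}),           # tunneled, IPv6
    dict(H, event_id=4624, event_data={"LogonType": "2", "TargetDomainName": "CORP",
                                       "TargetUserName": "carol", "IpAddress": "-"}),           # console logon
    dict(H, event_id=4825, event_data={"AccountDomain": "CORP", "AccountName": "intern1",
                                       "ClientAddress": "10.0.5.44"}),                          # not allowed remotely
    dict(H, event_id=4625, event_data={"LogonType": "10", "TargetDomainName": "CORP",
                                       "TargetUserName": "alice", "IpAddress": "10.0.5.17"}),   # plain failure
]

if __name__ == "__main__":
    for a in rdp_logon_alerts(SAMPLE_EVENTS):
        print(*a, sep=" | ")
```

The console logon with IpAddress "-" is the case that trips naive "non-routable source" checks; restricting the loopback test to LogonType 10 keeps it out.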

Sensitive Windows Active Directory Attribute Modification

The Sensitive Windows Active Directory Attribute Modification rules are used to identify suspicious activity with sensitive Windows Active Directory attribute modification. Any one or more of these will trigger the Sensitive Windows Active Directory Attribute Modification alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is windows_security_ad_sensitive_attribute_modification.

Key Fields and Relevant Data Points

  • event_id — Windows event ID associated with the activity
  • hostip — host IP address
  • hostip_host — host name
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Sensitive Windows Active Directory Attribute Modification Alert Type

Sensitive Windows Network Share File or Folder Accessed

The Sensitive Windows Network Share File or Folder Accessed rules are used to identify suspicious activity with Windows network share file or folder access. Any one or more of these will trigger the Sensitive Windows Network Share File or Folder Accessed alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is windows_security_sensitive_networkshare.

Key Fields and Relevant Data Points

  • event_id — Windows event ID associated with the activity
  • hostip — host IP address
  • hostip_host — host name
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Sensitive Windows Network Share File or Folder Accessed Alert Type

SMB Impacket Lateralization

The execution of wmiexec, dcomexec, atexec, smbexec or psexec from the Impacket framework was observed. Check the source host. If malicious, consider blocking the host.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: Execution (TA0002)

  • Technique: Windows Management Instrumentation (T1047)

  • Tags: []

Event Name

The xdr_event.name for this alert type in the Interflow data is smb_impacket_lateralization.

Severity

80

Key Fields and Relevant Data Points

  • srcip — source IP address
  • hostip — host IP address
  • hostip_host — host name
  • event_data.CommandLine — command line of the command that was executed
  • event_data.ParentCommandLine — command line of the parent process

Use Case with Data Points

If the command-line pattern produced by an Impacket tool (wmiexec, dcomexec, atexec, smbexec, or psexec) is executed on a Windows host, an alert is triggered. A sample Interflow includes the source IP address (srcip), the host on which the command ran (hostip, hostip_host), the command executed (event_data.CommandLine), and its parent (event_data.ParentCommandLine).

SMB Specific Service Installation

A specific service installation used by the Impacket tool or Metasploit was observed. Check the source host. If malicious, consider blocking the host.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: Execution (TA0002)

  • Technique: System Services (T1569)

  • Tags: []

Event Name

The xdr_event.name for this alert type in the Interflow data is smb_hack_smbexec.

Severity

80

Key Fields and Relevant Data Points

  • srcip — source IP address
  • event_data.ServiceName — name of the service installed
  • hostip — host IP address
  • hostip_host — host name

Use Case with Data Points

If a service matching the service installation used by Impacket's smbexec.py (or by Metasploit) is installed on a Windows host, an alert is triggered. A sample Interflow includes the source IP address (srcip), the host (hostip, hostip_host), and the service installed (event_data.ServiceName).

SMB Suspicious Copy

A suspicious copy command from a remote C$ or ADMIN$ share was observed. Check the source host. If malicious, consider blocking the host.

XDR Kill Chain

  • Kill Chain Stage: Exploration

  • Tactic: Collection (TA0009)

  • Technique: Data from Network Shared Drive (T1039)

  • Tags: []

Event Name

The xdr_event.name for this alert type in the Interflow data is smb_suspicious_copy.

Severity

75

Key Fields and Relevant Data Points

  • srcip — source IP address
  • hostip — host IP address
  • hostip_host — host name
  • event_data.CommandLine — command line of the copy command

Use Case with Data Points

If a Windows host (srcip) uses the copy command to copy files from a remote C$ or ADMIN$ share, an alert is triggered. A sample Interflow includes the source IP address (srcip), source host (srcip_host), and the command executed (event_data.CommandLine).
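
As an added example covering the three SMB alert types above (SMB Impacket Lateralization, SMB Specific Service Installation and SMB Suspicious Copy; this is not Stellar Cyber's rule logic), the following Python applies the corresponding checks to Interflow-shaped process-creation and service-installation records. The command-line regexes summarise the default output redirection of Impacket's wmiexec.py, dcomexec.py, smbexec.py and atexec.py as this example understands them; the BTOBTO service name is smbexec.py's default, and the mixed-case four-letter heuristic for psexec.py's random service names is an assumption. The sample records are constructed.

```python
import re

# Command-line shapes that Impacket's remote-execution tools leave in process
# creation events on the target host. Assumption: these regexes are the
# example's own summaries of each tool's default output redirection.
IMPACKET_CMDLINE = {
    # wmiexec.py / dcomexec.py: output is redirected into ADMIN$\__<timestamp>
    "wmiexec/dcomexec": re.compile(r"1>\s*\\\\127\.0\.0\.1\\ADMIN\$\\__\d+", re.I),
    # smbexec.py: a batch file in %TEMP% writes output into C$\__output
    "smbexec": re.compile(r"\\\\127\.0\.0\.1\\C\$\\__output.*execute\.bat", re.I),
    # atexec.py: the scheduled task writes output into Windows\Temp\<8 letters>.tmp
    "atexec": re.compile(r"Temp\\[A-Za-z]{8}\.tmp\s+2>&1", re.I),
}
# copy/xcopy/robocopy whose source is a remote C$ or ADMIN$ share.
ADMIN_SHARE_COPY = re.compile(
    r"\b(?:copy|xcopy|robocopy)\b[^\r\n]*?\\\\[^\\\s]+\\(?:C|ADMIN)\$\\", re.I)
# Service names: BTOBTO is smbexec.py's default. The second check is a
# heuristic (assumption) for the short random names psexec.py generates:
# four letters with upper and lower case mixed after the first character.
SMBEXEC_SERVICE = "BTOBTO"
RANDOM_SERVICE = re.compile(r"^[A-Za-z](?=.*[a-z])(?=.*[A-Z])[A-Za-z]{3}$")

def smb_lateral_alerts(events):
    """Run the three checks over Interflow-shaped records and return
    (alert_name, hostip, detail) tuples."""
    alerts = []
    for ev in events:
        d = ev.get("event_data", {})
        cmd = d.get("CommandLine", "")
        for tool, pattern in IMPACKET_CMDLINE.items():
            if pattern.search(cmd):
                alerts.append(("smb_impacket_lateralization", ev["hostip"], tool))
                break
        else:                                   # no Impacket match: check for share copies
            if ADMIN_SHARE_COPY.search(cmd):
                alerts.append(("smb_suspicious_copy", ev["hostip"], cmd))
        svc = d.get("ServiceName")
        if svc and (svc == SMBEXEC_SERVICE or RANDOM_SERVICE.match(svc)):
            alerts.append(("smb_hack_smbexec", ev["hostip"], svc))
    return alerts

# Constructed sample records (not real Interflow).
H = {"srcip": "10.0.0.99", "hostip": "10.0.0.7", "hostip_host": "fs01"}
SAMPLE_EVENTS = [
    dict(H, event_data={"CommandLine": r"cmd.exe /Q /c whoami 1> \\127.0.0.1\ADMIN$\__1700000000.51 2>&1",
                        "ParentCommandLine": r"C:\Windows\System32\wbem\WmiPrvSE.exe"}),
    dict(H, event_data={"CommandLine": r"%COMSPEC% /Q /c echo whoami ^> \\127.0.0.1\C$\__output 2^>^&1 > %TEMP%\execute.bat & %COMSPEC% /Q /c %TEMP%\execute.bat & del %TEMP%\execute.bat",
                        "ParentCommandLine": r"C:\Windows\System32\services.exe"}),
    dict(H, event_data={"CommandLine": r"cmd.exe /C whoami > C:\Windows\Temp\kVzBqTpD.tmp 2>&1",
                        "ParentCommandLine": r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule"}),
    dict(H, event_data={"CommandLine": r"cmd.exe /c copy \\10.0.0.8\C$\Users\bob\Desktop\secrets.docx C:\loot"}),
    dict(H, event_data={"CommandLine": r"cmd.exe /c copy C:\Users\bob\a.txt D:\backup\a.txt"}),  # local copy: benign
    dict(H, event_data={"ServiceName": "BTOBTO"}),
    dict(H, event_data={"ServiceName": "hINk"}),
    dict(H, event_data={"ServiceName": "Dhcp"}),  # ordinary Windows service: benign
]

if __name__ == "__main__":
    for a in smb_lateral_alerts(SAMPLE_EVENTS):
        print(*a, sep=" | ")
```

Note that the alert triggers on what the target host logs, not on the attacker's machine: the tell-tale is output being funnelled back through the host's own admin share (\\127.0.0.1\ADMIN$ or C$), which no administrative script has a reason to do. Replace the random-name heuristic with the service's ImagePath once that field is available; it is the more reliable signal.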

Steal or Forge Kerberos Tickets

The Steal or Forge Kerberos Tickets rules are used to identify suspicious activity to steal or forge Kerberos tickets. Any one or more of these will trigger the Steal or Forge Kerberos Tickets alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is windows_security_steal_or_forge_kerberos_tickets.

Key Fields and Relevant Data Points

  • hostip — host IP address
  • hostip_host — host name
  • wineventlog_user — Windows user who executed the script
  • event_data.ScriptBlockText — PowerShell script block text
  • event_id — Windows event ID associated with the activity
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Steal or Forge Kerberos Tickets Alert Type

Suspicious Access Attempt to Windows Object

The Suspicious Access Attempt to Windows Object rules are used to identify suspicious activity with access attempt to Windows objects. Any one or more of these will trigger the Suspicious Access Attempt to Windows Object alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is windows_security_object_access_suspicious_attempt.

Key Fields and Relevant Data Points

  • event_id — Windows event ID associated with the activity
  • hostip — host IP address
  • hostip_host — host name
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Suspicious Access Attempt to Windows Object Alert Type

Suspicious Activity Related to Security-Enabled Group

The Suspicious Activity Related to Security-Enabled Group rules are used to identify suspicious activity related to security-enabled groups. Any one or more of these will trigger the Suspicious Activity Related to Security-Enabled Group alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is windows_security_suspicious_activity_related_to_security_enabled_group.

Key Fields and Relevant Data Points

  • hostip — host IP address
  • event_id — Windows event ID associated with the activity
  • hostip_host — host name
  • event_data.SubjectUserName — subject user name associated with the activity
  • event_data.SubjectUserSid — subject user SID associated with the activity
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Suspicious Activity Related to Security-Enabled Group Alert Type

Suspicious Connection to Another Process

The Suspicious Connection to Another Process rules are used to identify suspicious connections to another process. Any one or more of these will trigger the Suspicious Connection to Another Process alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is windows_security_suspicious_connection_process.

Key Fields and Relevant Data Points

  • event_id — Windows event ID associated with the activity
  • hostip — host IP address
  • hostip_host — host name
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Suspicious Connection to Another Process Alert Type

Suspicious Handle Request to Sensitive Object

The Suspicious Handle Request to Sensitive Object rules are used to identify suspicious activity with handle requests to sensitive Windows objects. Any one or more of these will trigger the Suspicious Handle Request to Sensitive Object alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is windows_security_suspicious_handle_request.

Key Fields and Relevant Data Points

  • event_id — Windows event ID associated with the activity
  • hostip — host IP address
  • hostip_host — host name
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Suspicious Handle Request to Sensitive Object Alert Type

Suspicious LSASS Process Access

The Suspicious LSASS Process Access rules are used to identify suspicious process access to or from the Local Security Authority Subsystem Service (LSASS). Any one or more of these will trigger the Suspicious LSASS Process Access alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is suspicious_process_access_lsass.

Key Fields and Relevant Data Points

  • hostip — host IP address
  • hostip_host — host name
  • event_data.SourceImage — source image path associated with the activity
  • event_data.TargetImage — target image path associated with the activity
  • wineventlog_user — user associated with the activity
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Suspicious LSASS Process Access Alert Type
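
As an added example (not one of Stellar Cyber's rules), the following Python shows the kind of check that a Suspicious LSASS Process Access rule makes over Sysmon ProcessAccess (event 10) records in the Interflow shape above. It uses the SourceImage, TargetImage and wineventlog_user fields listed on the page plus the Sysmon GrantedAccess and CallTrace fields, which this example assumes are present; the allowlist of legitimate source images and the sample records are constructed for the example.

```python
# Sysmon event 10 (ProcessAccess) access-mask bits relevant to credential dumping.
PROCESS_VM_READ = 0x0010          # needed to read LSASS memory
PROCESS_ALL_ACCESS = 0x1FFFFF     # what procdump / comsvcs MiniDump request

# Source images that legitimately open LSASS with read access. Assumption: this
# allowlist is the example's own and must be tuned per environment.
ALLOWLIST = {
    r"c:\windows\system32\csrss.exe",
    r"c:\windows\system32\wininit.exe",
    r"c:\windows\system32\svchost.exe",
    r"c:\program files\windows defender\msmpeng.exe",
}
# DLLs in the call stack that indicate MiniDumpWriteDump-style dumping, plus
# "UNKNOWN" frames, which point at unbacked (injected) code.
DUMP_TRACE_MARKERS = ("dbghelp.dll", "dbgcore.dll", "unknown")

def lsass_access_alerts(events):
    """Return (hostip, user, SourceImage, reason) for each access to lsass.exe
    that requests memory-read rights or whose call trace shows dump helpers,
    from a process outside the allowlist."""
    alerts = []
    for ev in events:
        d = ev.get("event_data", {})
        target = d.get("TargetImage", "").lower()
        source = d.get("SourceImage", "").lower()
        if not target.endswith(r"\lsass.exe") or source in ALLOWLIST:
            continue
        granted = int(d.get("GrantedAccess", "0x0"), 16)
        reasons = []
        if granted & PROCESS_VM_READ or granted == PROCESS_ALL_ACCESS:
            reasons.append(f"GrantedAccess=0x{granted:x}")
        trace = d.get("CallTrace", "").lower()
        if any(marker in trace for marker in DUMP_TRACE_MARKERS):
            reasons.append("dump helper in CallTrace")
        if reasons:
            alerts.append((ev["hostip"], ev.get("wineventlog_user"),
                           d.get("SourceImage"), "; ".join(reasons)))
    return alerts

# Constructed sample records (not real Interflow).
H = {"hostip": "10.0.2.31", "hostip_host": "ws-hr-03", "wineventlog_user": "CORP\\bob"}
LSASS = r"C:\Windows\system32\lsass.exe"
NTDLL = r"C:\Windows\SYSTEM32\ntdll.dll+9d4a4|C:\Windows\System32\KERNELBASE.dll+2a5d3"
SAMPLE_EVENTS = [
    dict(H, event_data={"SourceImage": r"C:\Tools\procdump64.exe", "TargetImage": LSASS,
                        "GrantedAccess": "0x1fffff",
                        "CallTrace": NTDLL + r"|C:\Windows\SYSTEM32\dbgcore.dll+3c9c"}),
    dict(H, event_data={"SourceImage": r"C:\Windows\System32\rundll32.exe", "TargetImage": LSASS,
                        "GrantedAccess": "0x1fffff",
                        "CallTrace": NTDLL + r"|C:\Windows\System32\comsvcs.dll+1a2b3|C:\Windows\SYSTEM32\dbghelp.dll+4d5e6"}),
    dict(H, event_data={"SourceImage": r"C:\Users\bob\AppData\Local\Temp\x.exe", "TargetImage": LSASS,
                        "GrantedAccess": "0x1410",
                        "CallTrace": NTDLL + r"|UNKNOWN(000001F0A3B20000)"}),
    dict(H, event_data={"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe", "TargetImage": LSASS,
                        "GrantedAccess": "0x1010", "CallTrace": NTDLL}),      # allowlisted AV engine
    dict(H, event_data={"SourceImage": r"C:\Windows\System32\Taskmgr.exe", "TargetImage": LSASS,
                        "GrantedAccess": "0x1000", "CallTrace": NTDLL}),      # query-limited only
    dict(H, event_data={"SourceImage": r"C:\Tools\procdump64.exe", "TargetImage": r"C:\Windows\System32\notepad.exe",
                        "GrantedAccess": "0x1fffff", "CallTrace": NTDLL}),    # not LSASS
]

if __name__ == "__main__":
    for a in lsass_access_alerts(SAMPLE_EVENTS):
        print(*a, sep=" | ")
```

Task Manager's 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) handle is the common benign case that an "any handle to lsass.exe" rule would flood on; keying on the VM_READ bit and the call trace keeps the rule on dumps.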

Suspicious Microsoft Entra Device Activity

The Suspicious Microsoft Entra Device Activity rules are used to identify suspicious Microsoft Entra device activity. Any one or more of these will trigger the Suspicious Microsoft Entra Device Activity alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is suspicious_azure_device_activity.

Key Fields and Relevant Data Points

  • initiatedBy.user.id — user ID who initiated the activity
  • initiatedBy.app.servicePrincipalId — service principal ID of the application that initiated the activity
  • user.name — user name
  • activityDisplayName — activity display name
  • category — activity category
  • result — result of the activity
  • resultReason — result reason of the activity
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Suspicious Microsoft Entra Device Activity Alert Type

Suspicious Microsoft Entra Service Principal Activity

The Suspicious Microsoft Entra Service Principal Activity rules are used to identify suspicious Microsoft Entra service principal activity. Any one or more of these will trigger the Suspicious Microsoft Entra Service Principal Activity alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is suspicious_azure_service_principal_activity.

Key Fields and Relevant Data Points

  • initiatedBy.user.id — user ID who initiated the activity
  • initiatedBy.app.servicePrincipalId — service principal ID of the application that initiated the activity
  • user.name — user name
  • activityDisplayName — activity display name
  • category — activity category
  • result — result of the activity
  • resultReason — result reason of the activity
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Suspicious Microsoft Entra Service Principal Activity Alert Type

Suspicious Powershell Script

The Suspicious Powershell Script rules are used to identify suspicious activity relating to PowerShell scripts. Any one or more of these will trigger the Suspicious Powershell Script alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is suspicious_powershell_script.

Key Fields and Relevant Data Points

  • hostip — host IP address
  • hostip_host — host name
  • wineventlog_user — Windows user who executed the script
  • event_data.ScriptBlockText — PowerShell script block text
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Suspicious Powershell Script Alert Type

Suspicious Process Creation Commandline

The Suspicious Process Creation Commandline rules are used to identify suspicious activity relating to command-line process creation. Any one or more of these will trigger the Suspicious Process Creation Commandline alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is suspicious_commandline.

Key Fields and Relevant Data Points

  • hostip — host IP address
  • event_data.CommandLine — process creation command line
  • hostip_host — host name
  • wineventlog_user — Windows user who executed the command
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Suspicious Process Creation Commandline Alert Type

Suspicious Windows Active Directory Operation

The Suspicious Windows Active Directory Operation rules are used to identify suspicious activity with Windows Active Directory operation. Any one or more of these will trigger the Suspicious Windows Active Directory Operation alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is windows_security_ad_suspicious_operation.

Key Fields and Relevant Data Points

  • event_id — Windows event ID associated with the activity
  • hostip — host IP address
  • hostip_host — host name
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Suspicious Windows Active Directory Operation Alert Type

Suspicious Windows Network Connection

The Suspicious Windows Network Connection rules are used to identify suspicious Windows network connection activities. Any one or more of these will trigger the Suspicious Windows Network Connection alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is suspicious_windows_network_connection.

Key Fields and Relevant Data Points

  • hostip — host IP address
  • hostip_host — host name
  • event_data.Image — process associated with the activity
  • wineventlog_user — user associated with the activity
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Suspicious Windows Network Connection Alert Type

Suspicious Windows Logon Event

The Suspicious Windows Logon Event rules are used to identify suspicious activity with Windows logons. Any one or more of these will trigger the Suspicious Windows Logon Event alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is windows_security_suspicious_logon_event.

Key Fields and Relevant Data Points

  • event_id — Windows event ID associated with the activity
  • hostip — host IP address
  • hostip_host — host name
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Suspicious Windows Logon Event Alert Type

Suspicious Windows Process Creation

The Suspicious Windows Process Creation rules are used to identify suspicious activity associated with process creation. Any one or more of these will trigger the Suspicious Windows Process Creation alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is windows_suspicious_process_creation.

Key Fields and Relevant Data Points

  • hostip — host IP address
  • process_name — process associated with the activity
  • hostip_host — host name
  • wineventlog_user — Windows user associated with the activity
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Windows Suspicious Process Creation Alert Type

Suspicious Windows Registry Event: Impact

The Suspicious Windows Registry Event: Impact rules are used to identify suspicious Windows registry events usually in the impact stage. Any one or more of these will trigger the Suspicious Windows Registry Event: Impact alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is suspicious_windows_registry_event_impact.

Key Fields and Relevant Data Points

  • hostip — host IP address
  • hostip_host — host name
  • event_data.Image — process associated with the activity
  • event_data.TargetObject — target registry
  • event_data.Details — value set to the registry
  • wineventlog_user — user associated with the activity
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Suspicious Windows Registry Event: Impact Alert Type

Suspicious Windows Registry Event: Persistence

The Suspicious Windows Registry Event: Persistence rules are used to identify suspicious Windows registry events usually in the persistence stage. Any one or more of these will trigger the Suspicious Windows Registry Event: Persistence alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is suspicious_windows_registry_event_persistence.

Key Fields and Relevant Data Points

  • hostip — host IP address
  • hostip_host — host name
  • event_data.Image — process associated with the activity
  • event_data.TargetObject — target registry
  • event_data.Details — value set to the registry
  • wineventlog_user — user associated with the activity
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Suspicious Windows Registry Event: Persistence Alert Type

Suspicious Windows Service Installation

The Suspicious Windows Service Installation rules are used to identify suspicious activity with service installation. Any one or more of these will trigger the Suspicious Windows Service Installation alert type.

Event Name

The xdr_event.name for this alert type in the Interflow data is windows_security_suspicious_service_installation.

Key Fields and Relevant Data Points

  • event_id — Windows event ID associated with the activity
  • hostip — host IP address
  • hostip_host — host name
  • stellar.rule_id — Stellar Cyber rule ID

Link to Rule-Based Alert Types

Rules Contributing to Suspicious Windows Service Installation Alert Type

Uncommon Process Anomaly

An asset launched a process that has never been seen before (or has very rarely been seen). This could indicate a malware attack.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: XDR EBA (XTA0001)

  • Technique: XDR Process Anomaly (XT1001)

  • Tags: []

Event Name

The xdr_event.name for this alert type in the Interflow data is network_uncommon_process.

Severity

30

Key Fields and Relevant Data Points

  • hostip — IP address of the host running the process
  • hostip_host — host name
  • process_name — name of the process
  • wineventlog_user — user that created the process
  • days_silent — number of days since this process was last seen

Use Case with Data Points

If a process (process_name) has never been observed by Stellar Cyber, or has been seen only very rarely (days_silent), an alert is triggered. The Interflow includes the user (wineventlog_user) and host (hostip, hostip_host) that executed the process.

User Asset Access Anomaly

A user who typically uses a small, consistent number of assets logged in to a new asset. Investigate the asset and user to see if this was expected.

This alert type has one subtype, SMB User Based, described below.

XDR Kill Chain

  • Kill Chain Stage: Propagation

  • Tactic: [Internal] XDR UBA (XTA0004)

  • Technique: XDR Asset Anomaly (XT4004)

  • Tags: [Internal; User Behavior Analytics]

Event Name

The xdr_event.name for this alert type in the Interflow data is user_asset_access.

Severity

30

Key Fields and Relevant Data Points

  • srcip_usersid — source user ID
  • dstip_host — host name of corresponding destination IP address
  • srcip_host — host name of corresponding source IP address
  • srcip_username — source user name
  • stability — score measuring the time since the last new asset was accessed
  • days_stable — time since the last new asset was accessed
  • diversity — score measuring the number of assets that the user accessed
  • child_count — number of assets that the user accessed

Use Case with Data Points

Users (srcip_usersid and srcip_username) who use a small number of assets (diversity, child_count) and who have not accessed a new asset for a long time (stability, days_stable) are examined. If such a user logs in to an asset (srcip_host) not previously associated with that user, an alert is triggered.

The user is identified with the srcip_usersid and srcip_username fields. The asset is identified with the srcip_host field. Active Directory, identified by the dstip_host field, provides the relationship between the user and the asset. Stability is reported in the stability field and diversity in the diversity field.

Alert Subtype: SMB User Based

The SMB User Based alert subtype is the same as the User Asset Access Anomaly alert type above, with the following differences:

  • The subtype is more specific to SMB users authenticating to a new asset. It uses network traffic to monitor the network shares the users accessed.

  • The xdr_event.subtype.name for this alert subtype in the Interflow data is smb_user_asset_access.

  • It has the following Key Fields and Relevant Data Points.

Key Fields and Relevant Data Points

  • srcip — source IP address
  • dstip — destination IP address
  • event_summary.ueba_smb_username — SMB user that accessed the assets
  • stability — score measuring the time since the last new asset was accessed
  • days_stable — time since the last new asset was accessed
  • diversity — score measuring the number of assets that the user accessed
  • child_count — number of assets that the user accessed

User Login Location Anomaly

A login to a user account occurred from a source IP address that is anomalously distant from the nearest location typically observed for logins to that user account.

Detection is delayed slightly for records that arrive on time so that high-latency data sources still get detection coverage; records from a high-latency source are delayed by an amount corresponding to that source's latency.

The expected detection delay is 5 to 10 minutes after ingestion, and it can be longer when ingestion itself is delayed.

XDR Kill Chain

  • Kill Chain Stage: Initial Attempts

  • Tactic: [External] XDR UBA (XTA0004)

  • Technique: XDR Location Anomaly (XT2001)

  • Tags: [External; User Behavior Analytics]

Event Name

The xdr_event.name for this alert type in the Interflow data is user_login_region.

Severity

50

Key Fields and Relevant Data Points

  • srcip_usersid — key ID for the source user
  • distance_deviation — deviation in distance between two login locations (miles)
  • srcip_host — host name of corresponding source IP address
  • srcip_reputation — source reputation
  • srcip_geo.countryName — source country name
  • srcip_geo.region — source region name
  • srcip_geo.city — source city name
  • dstip_host — host name of corresponding destination IP address
  • login_type — type of login

Use Case with Data Points

Successful login events of certain login types (login_type) for a user (srcip_usersid) from a source host (srcip_host) and location (srcip_geo.countryName, srcip_geo.region, srcip_geo.city) are examined. If the detected login location is too far (distance_deviation, in miles) from the nearest of that user's typical locations, an alert is triggered. The source host's reputation (srcip_reputation) is also checked. Map views of the Interflow include data points for the closest typical login locations for the user.
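
As an added example (not Stellar Cyber's implementation), the following Python computes distance_deviation the way the description above defines it: the great-circle distance from the login's location to the nearest of the user's typical locations, in miles. The page does not give the alerting threshold, the login types that are evaluated, or a latitude/longitude field under srcip_geo, so the 500-mile threshold, the MONITORED_LOGIN_TYPES set, the latitude/longitude keys and the baseline and login records are all assumptions constructed for the example.

```python
import math

EARTH_RADIUS_MILES = 3958.8
# Login types the check applies to. Assumption: the page says "certain login
# types" without naming them; these labels are the example's own.
MONITORED_LOGIN_TYPES = {"interactive", "remote_interactive", "vpn"}

def haversine_miles(a, b):
    """Great-circle distance in miles between two (lat, lon) points in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_MILES * math.asin(math.sqrt(h))

def distance_deviation(typical_locations, login_location):
    """Miles from the login to the *nearest* typical location: a user who works
    from two cities is not anomalous when logging in from either of them."""
    return min(haversine_miles(t, login_location) for t in typical_locations)

def login_location_alerts(events, baselines, threshold_miles=500.0):
    """Evaluate successful logins against per-user typical locations.
    `baselines` maps srcip_usersid -> list of (lat, lon). Records carry the
    page's fields; latitude/longitude under srcip_geo and the threshold are
    assumptions of this example."""
    alerts = []
    for ev in events:
        if not ev.get("success") or ev.get("login_type") not in MONITORED_LOGIN_TYPES:
            continue
        typical = baselines.get(ev["srcip_usersid"])
        if not typical:                     # no baseline yet: nothing to deviate from
            continue
        geo = ev["srcip_geo"]
        dev = distance_deviation(typical, (geo["latitude"], geo["longitude"]))
        if dev > threshold_miles:
            alerts.append({"srcip_usersid": ev["srcip_usersid"], "srcip_host": ev.get("srcip_host"),
                           "distance_deviation": round(dev, 1), "login_type": ev["login_type"],
                           "location": f"{geo['city']}, {geo['countryName']}"})
    return alerts

# Constructed baseline and logins (not real data).
BASELINES = {"S-1-5-21-1-1-1-1001": [(37.7749, -122.4194),    # San Francisco
                                     (47.6062, -122.3321)]}   # Seattle
def _login(user, host, ltype, ok, country, region, city, lat, lon):
    return {"srcip_usersid": user, "srcip_host": host, "login_type": ltype, "success": ok,
            "srcip_geo": {"countryName": country, "region": region, "city": city,
                          "latitude": lat, "longitude": lon}}
SAMPLE_LOGINS = [
    _login("S-1-5-21-1-1-1-1001", "home-rtr", "vpn", True, "United States", "CA", "Oakland", 37.8044, -122.2712),
    _login("S-1-5-21-1-1-1-1001", "hotel-wifi", "vpn", True, "United States", "OR", "Portland", 45.5152, -122.6784),
    _login("S-1-5-21-1-1-1-1001", "unknown", "remote_interactive", True, "Russia", "Moscow", "Moscow", 55.7558, 37.6173),
    # Same distant location but a failed login: not evaluated.
    _login("S-1-5-21-1-1-1-1001", "unknown", "remote_interactive", False, "Russia", "Moscow", "Moscow", 55.7558, 37.6173),
    # User without a baseline: skipped until one exists.
    _login("S-1-5-21-1-1-1-1002", "unknown", "vpn", True, "Brazil", "SP", "Sao Paulo", -23.5505, -46.6333),
]

if __name__ == "__main__":
    for a in login_location_alerts(SAMPLE_LOGINS, BASELINES):
        print(a)
```

Portland is roughly 145 miles from Seattle, so the nearest-location rule keeps a Seattle-based user's trip quiet, while the Moscow login is over 5,000 miles from both baseline cities and fires.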

User Process Usage Anomaly

A user who typically executes a small, consistent number of processes suddenly executed a new process. Investigate the process, to see if it is benign. Check with the user to see if this process was expected.

XDR Kill Chain

  • Kill Chain Stage: Persistent Foothold

  • Tactic: XDR EBA (XTA0001)

  • Technique: XDR Process Anomaly (XT1001)

  • Tags: [User Behavior Analytics]

Event Name

The xdr_event.name for this alert type in the Interflow data is user_uncommon_process.

Severity

10

Key Fields and Relevant Data Points

  • srcip_usersid — source user ID (non-Windows data feeds)
  • user.identifier — source user ID (Windows data feeds)

    The key field for this alert type is either srcip_usersid or user.identifier, depending on the data feed.

  • process_name — name of the process
  • hostip — IP address of the host
  • hostip_host — host name
  • srcip_username — source user name
  • wineventlog_user.name — source user name (Windows)
  • user.name — source user name (Windows)
  • stability — score measuring the time since the last new process was executed
  • days_stable — time since the last new process was executed
  • diversity — score measuring the number of processes that the user executed
  • child_count — number of processes that the user executed

Use Case with Data Points

Looks for a user (srcip_usersid or user.identifier, with srcip_username) who executes a small number of processes (diversity, child_count) and who has not executed a new process for a long time (stability, days_stable). If a new process (process_name) appears on a host (srcip_host) under this user and connects to another host (dstip_host), an alert is triggered.

The user is identified with the srcip_usersid or user.identifier and srcip_username fields. The process is identified with the process_name field. The host on which the user is running the process is identified with the srcip_host field. The destination of the traffic generated by the process is identified with the dstip_host field. Stability is reported in the stability field, and diversity in the diversity field.
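
The User Asset Access Anomaly and User Process Usage Anomaly alert types above describe the same baseline model with different subjects and children (a user and the assets it reaches; a user and the processes it runs). As an added example, not Stellar Cyber's code, the following Python implements that model generically: it tracks, per subject, the distinct children seen so far and how long ago the last new one appeared, and raises an alert only for a new child of a subject whose baseline is both small and stable. The page names the stability, diversity, days_stable and child_count fields but not how the scores are computed or thresholded, so the formulas, the thresholds and the logon history are assumptions constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

class NewChildDetector:
    """Per subject (a user SID, a parent process name, ...), track the distinct
    children seen with it (assets, processes, child processes) and when the
    last new child appeared. A new child is an anomaly only when the subject
    has few children (low diversity) and has not added one for a long time
    (high stability). Score formulas and thresholds are this example's
    assumptions; the page names the fields but not how they are computed."""

    def __init__(self, max_child_count=5, min_days_stable=14):
        self.max_child_count = max_child_count
        self.min_days_stable = min_days_stable
        self.children = defaultdict(dict)   # subject -> {child: first_seen}
        self.last_new = {}                  # subject -> time the last new child appeared

    def observe(self, subject, child, ts):
        """Feed one observation in time order. Returns an alert dict, or None."""
        seen = self.children[subject]
        if child in seen:
            return None                     # known relationship: nothing to do
        child_count = len(seen)             # children known before this one
        days_stable = (ts - self.last_new[subject]).days if subject in self.last_new else 0
        seen[child] = ts
        self.last_new[subject] = ts
        if child_count == 0:
            return None                     # first sighting of the subject: no baseline yet
        stability = min(days_stable / self.min_days_stable, 1.0)   # 1.0 = quiet long enough
        diversity = min(child_count / self.max_child_count, 1.0)   # 1.0 = too many children to care
        if stability >= 1.0 and diversity < 1.0:
            return {"subject": subject, "child": child, "child_count": child_count,
                    "days_stable": days_stable, "stability": stability, "diversity": diversity}
        return None

def detect(records, **thresholds):
    """records: iterable of (subject, child, datetime). Returns the alerts raised."""
    det = NewChildDetector(**thresholds)
    return [a for a in (det.observe(*r) for r in sorted(records, key=lambda r: r[2])) if a]

def build_sample():
    """Constructed logon history (user SID -> asset); not real data."""
    day0 = datetime(2024, 1, 1)
    recs = []
    # 1001 alternates between two workstations for 40 days, then reaches a finance server.
    for d in range(40):
        recs.append(("S-1-5-21-1-1-1-1001", "ws01" if d % 2 == 0 else "ws02", day0 + timedelta(days=d)))
    recs.append(("S-1-5-21-1-1-1-1001", "fin-srv01", day0 + timedelta(days=40)))
    # 1002 is helpdesk: eight hosts in the first week, so a ninth one is normal.
    for d in range(8):
        recs.append(("S-1-5-21-1-1-1-1002", f"ws{10 + d}", day0 + timedelta(days=d)))
    recs.append(("S-1-5-21-1-1-1-1002", "fin-srv01", day0 + timedelta(days=40)))
    # 1003 adds a second host only three days after the first: not stable yet.
    recs.append(("S-1-5-21-1-1-1-1003", "ws20", day0))
    recs.append(("S-1-5-21-1-1-1-1003", "ws21", day0 + timedelta(days=3)))
    return recs

if __name__ == "__main__":
    for alert in detect(build_sample()):
        print(alert)
```

Feeding (user, process_name, timestamp) tuples instead of (user, asset, timestamp) turns the same detector into the User Process Usage Anomaly check; the helpdesk user in the sample shows why the diversity term matters, since a subject that touches many children has no stable baseline to deviate from.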

Volume Shadow Copy Deletion via WMIC

The wmic.exe utility was used to delete the Shadow Copy on an endpoint. Ransomware and other malware do this to prevent system recovery. Check with the user.

XDR Kill Chain

  • Kill Chain Stage: Exfiltration & Impact

  • Tactic: Impact (TA0040)

  • Technique: Inhibit System Recovery (T1490)

  • Tags: [Malware; Ransomware]

Event Name

The xdr_event.name for this alert type in the Interflow data is ransomware_volume_shadow_copy_deletion_via_wmic.

Severity

80

Key Fields and Relevant Data Points

  • hostip — IP address of the host where the Shadow Copy was deleted
  • hostip_host — host name
  • process_name — name of the executed process
  • event_data.CommandLine — command that was executed to delete the Shadow Copy

Use Case with Data Points

If wmic.exe is used to delete the Shadow Copy on an endpoint, an alert is triggered. The Interflow includes the host IP address (hostip), process name (process_name), and command line (event_data.CommandLine).

Volume Shadow Copy Deletion via VssAdmin

The vssadmin.exe utility was used to delete the Shadow Copy on an endpoint. Ransomware and other malware do this to prevent system recovery. Check with the user.

XDR Kill Chain

  • Kill Chain Stage: Exfiltration & Impact

  • Tactic: Impact (TA0040)

  • Technique: Inhibit System Recovery (T1490)

  • Tags: [Malware; Ransomware]

Event Name

The xdr_event.name for this alert type in the Interflow data is ransomware_volume_shadow_copy_deletion_via_vssadmin.

Severity

80

Key Fields and Relevant Data Points

  • hostip — IP address of the host where the Shadow Copy was deleted
  • hostip_host — host name
  • process_name — name of the executed process
  • event_data.CommandLine — command that was executed to delete the Shadow Copy

Use Case with Data Points

If vssadmin.exe is used to delete the Shadow Copy on an endpoint, an alert is triggered. The Interflow includes the host IP address (hostip), process name (process_name), and command line (event_data.CommandLine).
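
As an added example covering both the WMIC and the VssAdmin shadow-copy alert types above (it is not Stellar Cyber's rule logic), the following Python matches the command lines those utilities use to delete shadow copies in Interflow-shaped process-creation records. The vssadmin "resize shadowstorage" check goes beyond the page: shrinking the storage limit makes Windows discard existing shadow copies, so ransomware uses it as a quieter alternative to an explicit delete; including it is this example's assumption. The sample records are constructed.

```python
import re

# Command shapes for the two utilities named on this page, plus the
# shadowstorage-resize variant (assumption: see the lead-in).
SHADOW_COPY_PATTERNS = {
    "shadow_copy_deletion_via_vssadmin": (
        re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.I),
        re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage\b.*/maxsize=", re.I),
    ),
    "shadow_copy_deletion_via_wmic": (
        re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I),
    ),
}

def shadow_copy_alerts(events):
    """Return (alert_name, hostip, process_name, CommandLine) for every process
    creation whose command line deletes (or starves) volume shadow copies.
    The match is on the command line rather than process_name, so a
    'cmd.exe /c vssadmin ...' wrapper is caught as well."""
    alerts = []
    for ev in events:
        cmd = ev.get("event_data", {}).get("CommandLine", "")
        for name, patterns in SHADOW_COPY_PATTERNS.items():
            if any(p.search(cmd) for p in patterns):
                alerts.append((name, ev["hostip"], ev.get("process_name"), cmd))
                break
    return alerts

# Constructed sample records (not real Interflow).
H = {"hostip": "10.0.3.15", "hostip_host": "ws-fin-07"}
SAMPLE_EVENTS = [
    dict(H, process_name="vssadmin.exe", event_data={"CommandLine": "vssadmin.exe delete shadows /all /quiet"}),
    dict(H, process_name="wmic.exe", event_data={"CommandLine": "wmic.exe shadowcopy delete /nointeractive"}),
    dict(H, process_name="cmd.exe", event_data={"CommandLine": "cmd.exe /c wmic shadowcopy where \"ID='{1B2C3D4E-0000-0000-0000-000000000001}'\" delete"}),
    dict(H, process_name="vssadmin.exe", event_data={"CommandLine": "vssadmin.exe resize shadowstorage /for=C: /on=C: /maxsize=401MB"}),
    dict(H, process_name="vssadmin.exe", event_data={"CommandLine": "vssadmin.exe list shadows"}),   # benign
    dict(H, process_name="wmic.exe", event_data={"CommandLine": "wmic.exe process list brief"}),   # benign
]

if __name__ == "__main__":
    for a in shadow_copy_alerts(SAMPLE_EVENTS):
        print(*a, sep=" | ")
```

Because ransomware runs these commands immediately before encryption, a rule like this is worth wiring to an automatic response (isolate the host) rather than only to a ticket; the "list shadows" and "process list" records show that the verb, not the utility name, is what separates an administrator from an attacker.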