The rule identifies anomalous patterns in network session traffic by comparing current activity against previously seen data: a different Device Action, Network Protocol, Network Direction, or a change in overall volume. The rule uses ASIM normalization and applies to any source that supports the ASIM Network Session schema. It leverages log summaries generated by a Summary Rule or Summarized Playbook; if no such summaries are available, the rule falls back to direct analysis using the ASIM function.
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Network Session Essentials |
| ID | cd6def0d-3ef0-4d55-a7e3-faa96c46ba12 |
| Severity | Medium |
| Status | Available |
| Kind | Scheduled |
| Tactics | CommandAndControl, Discovery, Exfiltration, LateralMovement |
| Techniques | T1095, T1071, T1046, T1030, T1210 |
| Required Connectors | AWSS3, MicrosoftThreatProtection, SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents, Zscaler, MicrosoftSysmonForLinux, PaloAltoNetworks, AzureMonitor(VMInsights), AzureFirewall, AzureNSG, CiscoASA, CiscoAsaAma, Corelight, AIVectraStream, CheckPoint, Fortinet, CiscoMeraki |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
| Anomalies | ✓ | ✓ | ? |
| NetworkCustomAnalytics_protocol_CL 🔶 | ? | ✓ | ? |
| NetworkSummary_Protocol_CL | ? | ✓ | ? |