Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
This rule detects anomalous pattern in port usage. The rule utilize ASIM normalization, and is applied to any source which supports the ASIM Network Session schema. To tune the rule to your environment configure it using the 'NetworkSession_Monitor_Configuration' watchlist. This rule leverages log summaries generated by a Summary Rule or Summarized Playbook. If no such summaries are available, the rule falls back to direct analysis using ASIM function.
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Network Session Essentials |
| ID | cbf07406-fa2a-48b0-82b8-efad58db14ec |
| Severity | Medium |
| Status | Available |
| Kind | Scheduled |
| Tactics | CommandAndControl, LateralMovement, Execution, InitialAccess |
| Techniques | T1095, T1059, T1203, T1190 |
| Required Connectors | AWSS3, MicrosoftThreatProtection, SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents, Zscaler, MicrosoftSysmonForLinux, PaloAltoNetworks, AzureMonitor(VMInsights), AzureFirewall, AzureNSG, CiscoASA, CiscoAsaAma, Corelight, AIVectraStream, CheckPoint, Fortinet, CiscoMeraki |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
Anomalies |
✓ | ✓ | ? |
NetworkCustomAnalytics_protocol_CL 🔶 |
? | ✓ | ? |
NetworkSummary_Protocol_CL |
? | ✓ | ? |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
↑ Back to Analytic Rules · Back to Network Session Essentials