Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
'This detection uses Security events from the "AD FS Auditing" provider to detect suspicious authentication events on an AD FS server. The results then get correlated with events from the Windows Filtering Platform (WFP) to detect suspicious incoming network traffic on port 80 on the AD FS server. This could be a sign of a threat actor trying to use replication services on the AD FS server to get its configuration settings and extract sensitive information such as AD FS certificates. In order to
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Windows Security Events |
| ID | 2f4165a6-c4fb-4e94-861e-37f1b4d6c0e6 |
| Severity | Medium |
| Status | Available |
| Kind | Scheduled |
| Tactics | Collection |
| Techniques | T1005 |
| Required Connectors | SecurityEvents, WindowsSecurityEvents |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
SecurityEvent |
EventID in "412,501,5156" |
✓ | ✓ | ? |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊