Identifies new UserAgents observed in the last 24 hours versus the previous 14 days. This detection extracts words from user agents to build the baseline and determine rarity rather than performing a direct comparison. This avoids false positives caused by version numbers and other high-entropy user agent components. These new UserAgents could be benign. However, in normally stable environments, these new UserAgents could provide a starting point for investigating malicious activity. Note: W3CIISLog can be n
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Network Threat Protection Essentials |
| ID | b725d62c-eb77-42ff-96f6-bdc6745fc6e0 |
| Severity | Low |
| Status | Available |
| Kind | Scheduled |
| Tactics | InitialAccess, CommandAndControl, Execution |
| Techniques | T1189, T1071, T1203 |
| Required Connectors | AWS, Office365, AzureMonitor(IIS) |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
| AWSCloudTrail | ✓ | ✓ | ? |
| OfficeActivity | ✓ | ✗ | ? |
| W3CIISLog | ✓ | ✗ | ? |