Risky user signin observed in non-Microsoft network device

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Content Index

---

This content is utilized to identify instances of successful login by risky users, who have been observed engaging in potentially suspicious network activity on non-Microsoft network devices.

Attribute	Value
Type	Analytic Rule
Solution	Standalone Content
ID	042f2801-a375-4cfd-bd29-041fc7ed88a0
Severity	Medium
Kind	Scheduled
Tactics	CommandAndControl
Techniques	T1071
Required Connectors	AzureActiveDirectory, PaloAltoNetworks, Fortinet, CheckPoint, Zscaler
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Selection Criteria	Transformations	Ingestion API	Lake-Only
CommonSecurityLog	DeviceProduct startswith "FireWall" DeviceProduct startswith "FortiGate" DeviceProduct startswith "NSSWeblog" DeviceProduct startswith "PAN" DeviceProduct startswith "URL" DeviceProduct startswith "VPN" DeviceVendor has_any "Check Point,Fortinet,Palo Alto Networks,Zscaler"	✓	✓	?
SigninLogs		✓	✗	?

Associated Connectors

The following connectors provide data for this content item:

Connector	Solution
AzureActiveDirectory	Microsoft Entra ID
CefAma	Common Event Format
CloudNSSAuditLogs_ccp	Zscaler Internet Access
CloudNSSCASBActivityLogs_ccp	Zscaler Internet Access
CloudNSSCASBCRMLogs_ccp	Zscaler Internet Access
CloudNSSCASBCloudStorageLogs_ccp	Zscaler Internet Access
CloudNSSCASBCollabLogs_ccp	Zscaler Internet Access
CloudNSSCASBEmailLogs_ccp	Zscaler Internet Access
CloudNSSCASBFileSharingLogs_ccp	Zscaler Internet Access
CloudNSSCASBITSMLogs_ccp	Zscaler Internet Access
CloudNSSCASBRepoLogs_ccp	Zscaler Internet Access
CloudNSSDNSLogs_ccp	Zscaler Internet Access
CloudNSSEmailDLPLogs_ccp	Zscaler Internet Access
CloudNSSEndpointDLPLogs_ccp	Zscaler Internet Access
CloudNSSFWLogs_ccp	Zscaler Internet Access
CloudNSSTunnelLogs_ccp	Zscaler Internet Access
CloudNSSWebLogs_ccp	Zscaler Internet Access
VirtualMetricDirectorProxy	VirtualMetric DataStream
VirtualMetricMSSentinelConnector	VirtualMetric DataStream
VirtualMetricMSSentinelDataLakeConnector	VirtualMetric DataStream

Solutions: Common Event Format, Microsoft Entra ID, VirtualMetric DataStream, Zscaler Internet Access

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Analytic Rules