Analytics Story: Compromised User Account
Description
Monitor for activities and techniques associated with Compromised User Account attacks.
Why it matters
A Compromised User Account occurs when cybercriminals gain unauthorized access to an account using techniques such as brute force, social engineering, phishing and spear phishing, or credential stuffing. By posing as the legitimate user, cybercriminals can change account details, send phishing emails, steal financial information or sensitive data, or use any stolen information to access further accounts within the organization. This analytic story groups detections that help security operations teams identify potential signs of compromised user accounts.
Detections
Data Sources
Name | Platform | Sourcetype | Source |
---|---|---|---|
AWS CloudTrail | AWS | aws:cloudtrail | aws_cloudtrail |
AWS CloudTrail ConsoleLogin | AWS | aws:cloudtrail | aws_cloudtrail |
AWS CloudTrail DeleteAccountPasswordPolicy | AWS | aws:cloudtrail | aws_cloudtrail |
AWS CloudTrail DescribeEventAggregates | AWS | aws:cloudtrail | aws_cloudtrail |
AWS CloudTrail GetAccountPasswordPolicy | AWS | aws:cloudtrail | aws_cloudtrail |
AWS CloudTrail UpdateAccountPasswordPolicy | AWS | aws:cloudtrail | aws_cloudtrail |
Azure Active Directory | Azure | azure:monitor:aad | Azure AD |
Azure Active Directory Sign-in activity | Azure | azure:monitor:aad | Azure AD |
Azure Active Directory User registered security info | Azure | azure:monitor:aad | Azure AD |
PingID | N/A | XmlWinEventLog | XmlWinEventLog:Security |
Windows Event Log Security 4625 | Windows | xmlwineventlog | XmlWinEventLog:Security |
References
Source: GitHub | Version: 1