Detects unauthorized modification of network device authentication by correlating OS image file changes, checksum mismatches, or memory verification failures with anomalous authentication events. Focus is on behaviors where patched images introduce hardcoded passwords or bypass native authentication.

| Data Component | Name | Channel |
|---|---|---|
| File Modification (DC0061) | networkconfig | unexpected OS image file upload or modification events |
| User Account Authentication (DC0002) | network:auth | repeated successful authentications with previously unknown accounts or anomalous password acceptance |

| Field | Description |
|---|---|
| BaselineChecksums | Trusted baseline cryptographic hashes for OS images, used to detect unauthorized modifications. |
| AuthFailureThreshold | Threshold for correlating unusual authentication successes following failed attempts or unknown account use. |
| VerificationInterval | Frequency of runtime OS image and memory integrity checks. |
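
The correlation described above, sketched as an added example (not part of the original page or any vendor's detection content): an image checksum mismatch marks a device as suspect, and later authentication successes on that device are flagged. The event field names, `KNOWN_ACCOUNTS`, `CORRELATION_WINDOW`, and all sample events are constructed assumptions.

```python
import hashlib
from datetime import datetime, timedelta

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Tunables named after the fields above; every value here is constructed.
GOLDEN = sha256(b"constructed-golden-image")
BASELINE_CHECKSUMS = {"rtr-edge-01": GOLDEN, "rtr-edge-02": GOLDEN}
AUTH_FAILURE_THRESHOLD = 3
KNOWN_ACCOUNTS = {"netops", "backup-svc"}   # assumption: account inventory
CORRELATION_WINDOW = timedelta(hours=24)    # assumption: not defined on the page

T0 = datetime(2024, 1, 10, 2, 0)
def auth(offset, device, user, ok):
    return {"ts": T0 + offset, "src": "network:auth", "device": device, "user": user, "ok": ok}

# Constructed events; field names are hypothetical, not a vendor log schema.
EVENTS = [
    {"ts": T0, "src": "networkconfig", "device": "rtr-edge-01", "image_sha256": sha256(b"constructed-patched-image")},
    {"ts": T0, "src": "networkconfig", "device": "rtr-edge-02", "image_sha256": GOLDEN},
    auth(timedelta(minutes=30), "rtr-edge-01", "svc_maint", True),
    *[auth(timedelta(hours=1, seconds=s), "rtr-edge-01", "netops", False) for s in range(3)],
    auth(timedelta(hours=1, minutes=1), "rtr-edge-01", "netops", True),
    auth(timedelta(hours=2), "rtr-edge-02", "svc_maint", True),  # image intact: not correlated
]

def correlate(events):
    """Return (device, user, reason) for auth successes that follow an image mismatch."""
    alerts, suspect_since, failures = [], {}, {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        dev = e["device"]
        if e["src"] == "networkconfig":
            if e["image_sha256"] != BASELINE_CHECKSUMS.get(dev):  # no baseline entry counts as mismatch
                suspect_since.setdefault(dev, e["ts"])
            continue
        key = (dev, e["user"])
        if not e["ok"]:
            failures[key] = failures.get(key, 0) + 1
            continue
        prior_failures = failures.pop(key, 0)  # a success resets the failure streak
        start = suspect_since.get(dev)
        if start is None or e["ts"] - start > CORRELATION_WINDOW:
            continue
        if e["user"] not in KNOWN_ACCOUNTS:
            alerts.append((dev, e["user"], "unknown account accepted"))
        elif prior_failures >= AUTH_FAILURE_THRESHOLD:
            alerts.append((dev, e["user"], "success after repeated failures"))
    return alerts
```

Authentication anomalies on a device whose image still matches its baseline are deliberately left to other analytics; this sketch only raises the correlated case.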