Unusual or unauthorized external remote access attempts (e.g., RDP, VPN, Citrix) → repeated failed logins followed by a successful session from uncommon geolocations or outside business hours → subsequent internal lateral movement or data exfiltration activities.

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | WinEventLog:Security | EventCode=4624, 4625 |
| Application Log Content (DC0038) | WinEventLog:Application | VPN, Citrix, or remote access gateway logs showing external IP addresses |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |

| Field | Description |
|---|---|
| BusinessHours | Normal business hours for logon activity. |
| KnownRemoteIPs | List of approved external IPs or VPN endpoints. |
| FailedLogonThreshold | Number of failed logons before raising suspicion (e.g., >5). |
| GeoIPWhitelist | Geographic regions allowed for remote access. |
| TimeWindow | Time window to correlate failed attempts and success (e.g., 15m). |
Repeated SSH, VPN, or RDP gateway authentication attempts from external IPs → subsequent successful logon → remote shell or lateral movement activity (e.g., scp/sftp).

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Metadata (DC0088) | auditd:SYSCALL | ssh logins or execve of remote commands |
| Application Log Content (DC0038) | NSM:Connections | Failed password or accepted password for SSH users |
| Network Connection Creation (DC0082) | NSM:Flow | Inbound connections to SSH or VPN ports |

| Field | Description |
|---|---|
| KnownSSHClients | Legitimate IPs or client fingerprints for SSH/VPN. |
| FailedLogonThreshold | Number of failed SSH logins to trigger alert. |
| TimeWindow | Correlation window for failed attempts and success. |
Unexpected inbound or outbound VNC/SSH/Screen Sharing connections from external sources → repeated failed logins followed by success → remote interactive sessions or abnormal file transfers.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Metadata (DC0088) | macos:unifiedlog | Remote login (ssh) or screen sharing authentication attempts |
| Network Connection Creation (DC0082) | macos:unifiedlog | Inbound connections to VNC/SSH ports |
| Network Traffic Flow (DC0078) | PF:Logs | External traffic to remote access services |

| Field | Description |
|---|---|
| KnownVNCServers | List of approved VNC/SSH sources. |
| TimeWindow | Time correlation between failed attempts and success. |
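The Windows, Linux, and macOS analytics above share one correlation shape: a burst of failed logons from an unapproved external source within TimeWindow, a successful logon from that source (or one outside BusinessHours), and then follow-on internal activity by the same account. The following Python is an added example written for this page, not code from the analytic or from any detection product. It works on pre-normalized Windows-style records (EventCode 4625/4624 for failed/successful logons and Sysmon EventCode 3 for the follow-on internal connection); the concrete values for FailedLogonThreshold, TimeWindow, KnownRemoteIPs and BusinessHours, and all sample events, are constructed assumptions. The same logic applies unchanged to the Linux and macOS variants once their sources are mapped to the same three record kinds.

```python
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Mutable elements from the analytic; the concrete values are assumptions for this example.
FAILED_LOGON_THRESHOLD = 5                  # FailedLogonThreshold
TIME_WINDOW = timedelta(minutes=15)         # TimeWindow
KNOWN_REMOTE_IPS = {"203.0.113.10"}         # KnownRemoteIPs: approved VPN endpoint (assumed)
BUSINESS_HOURS = (time(8, 0), time(18, 0))  # BusinessHours: 08:00-18:00 local (assumed)


def outside_business_hours(ts):
    start, end = BUSINESS_HOURS
    return not (start <= ts.time() < end)


def correlate(events):
    """Correlate logon records into the two-stage alert sequence.

    Each event is a dict with ts (datetime), EventCode and user; logon events
    (4625 failed, 4624 success) also carry src_ip, and Sysmon EventCode 3
    records carry dest_ip/dest_port for the follow-on internal connection.
    Alerts are returned in the order they are raised.
    """
    failures = defaultdict(deque)  # (user, src_ip) -> failed-logon timestamps still inside the window
    suspicious = {}                # user -> ts of the suspicious successful logon
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, code = ev["ts"], ev["EventCode"]
        if code in (4625, 4624):
            window = failures[(ev["user"], ev["src_ip"])]
            while window and ts - window[0] > TIME_WINDOW:  # drop failures older than TimeWindow
                window.popleft()
            if code == 4625:
                window.append(ts)
                continue
            if ev["src_ip"] in KNOWN_REMOTE_IPS:            # approved source: out of scope
                continue
            reasons = []
            if len(window) >= FAILED_LOGON_THRESHOLD:
                reasons.append(f"{len(window)} failed logons within {TIME_WINDOW}")
            if outside_business_hours(ts):
                reasons.append("logon outside business hours")
            if reasons:
                suspicious[ev["user"]] = ts
                alerts.append({"stage": "suspicious_remote_logon", "user": ev["user"],
                               "src_ip": ev["src_ip"], "ts": ts, "reasons": reasons})
        elif code == 3:
            # Internal connection by an account whose remote logon was flagged within TimeWindow
            logon_ts = suspicious.get(ev["user"])
            if logon_ts is not None and timedelta(0) <= ts - logon_ts <= TIME_WINDOW:
                alerts.append({"stage": "post_logon_internal_connection", "user": ev["user"],
                               "dest": f"{ev['dest_ip']}:{ev['dest_port']}", "ts": ts})
    return alerts


def at(hour, minute):
    return datetime(2024, 5, 1, hour, minute)


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = (
    # alice: five failures, then success from an unknown external IP at 02:06, then SMB to a file server
    [{"ts": at(2, 1 + i), "EventCode": 4625, "user": "alice", "src_ip": "198.51.100.7"} for i in range(5)]
    + [{"ts": at(2, 6), "EventCode": 4624, "user": "alice", "src_ip": "198.51.100.7"},
       {"ts": at(2, 10), "EventCode": 3, "user": "alice", "dest_ip": "10.0.0.5", "dest_port": 445},
       # bob: success from the approved VPN endpoint during business hours, no alert
       {"ts": at(9, 0), "EventCode": 4624, "user": "bob", "src_ip": "203.0.113.10"},
       # carol: two failures then success during business hours, below threshold, no alert
       {"ts": at(10, 0), "EventCode": 4625, "user": "carol", "src_ip": "192.0.2.44"},
       {"ts": at(10, 1), "EventCode": 4625, "user": "carol", "src_ip": "192.0.2.44"},
       {"ts": at(10, 2), "EventCode": 4624, "user": "carol", "src_ip": "192.0.2.44"},
       {"ts": at(10, 5), "EventCode": 3, "user": "carol", "dest_ip": "10.0.0.9", "dest_port": 445}]
)

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The failure window is keyed on (user, source IP) so that a spray across many accounts from one address does not pile up under a single key, while the follow-on stage is keyed on the account alone, because the Sysmon connection is recorded on the host and carries no external source address. GeoIPWhitelist is left out here since it needs a geolocation lookup the page does not specify; it would slot in as one more entry in the `reasons` list.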
Connections to exposed container services (e.g., Docker API, Kubernetes API server) from unauthorized external IPs → abnormal container creation/start → lateral activity within cluster nodes.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | ApplicationLog:API | Docker/Kubernetes API access from external sources |
| Logon Session Metadata (DC0088) | kubernetes:audit | Unauthorized container creation or kubelet exec logs |
| Network Connection Creation (DC0082) | NSM:Flow | External access to container ports (2375, 6443) |

| Field | Description |
|---|---|
| AllowedCIDRs | Approved external IP ranges for container APIs. |
| TimeWindow | Correlation window for API calls and container starts. |
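The container analytic differs from the host analytics in that the first stage is a network-origin check (is the API client inside AllowedCIDRs?) rather than a failure count, and the second stage is a container create/start or exec call from that same source within TimeWindow. The Python below is an added example for this page, not code from the analytic or from Docker or Kubernetes. It normalizes two constructed record shapes: a Kubernetes audit-style event (real audit fields `sourceIPs`, `user.username`, `verb`, `objectRef.resource`/`subresource`, `requestReceivedTimestamp`) and a hypothetical Docker API gateway log line with `ts`, `src_ip`, `method` and `path` fields. The AllowedCIDRs and TimeWindow values and all sample records are constructed assumptions.

```python
import ipaddress
from datetime import datetime, timedelta

# Mutable elements from the analytic; the concrete values are assumptions for this example.
ALLOWED_CIDRS = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "203.0.113.0/24")]  # AllowedCIDRs
TIME_WINDOW = timedelta(minutes=10)                                                   # TimeWindow

CONTAINER_ACTIONS = {"container_create", "container_start", "container_exec"}


def is_allowed_source(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_CIDRS)


def normalize(rec):
    """Reduce one log record to (ts, src_ip, principal, action)."""
    if "verb" in rec:  # Kubernetes audit-style event
        ts = datetime.fromisoformat(rec["requestReceivedTimestamp"].replace("Z", "+00:00"))
        src, who = rec["sourceIPs"][0], rec["user"]["username"]
        ref = rec.get("objectRef", {})
        if rec["verb"] == "create" and ref.get("resource") == "pods":
            action = "container_exec" if ref.get("subresource") == "exec" else "container_create"
        else:
            action = "api_access"
    else:              # hypothetical Docker API gateway log line
        ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        src, who = rec["src_ip"], rec.get("client", "unknown")
        if rec["method"] == "POST" and rec["path"].endswith("/containers/create"):
            action = "container_create"
        elif rec["method"] == "POST" and rec["path"].endswith("/start"):
            action = "container_start"
        else:
            action = "api_access"
    return ts, src, who, action


def correlate(records):
    """Stage 1: first API access from a source outside AllowedCIDRs.
    Stage 2: container create/start/exec from that source within TimeWindow of stage 1."""
    first_seen = {}  # src_ip -> ts of the first unauthorized access
    alerts = []
    for ts, src, who, action in sorted(normalize(r) for r in records):
        if is_allowed_source(src):
            continue
        if src not in first_seen:
            first_seen[src] = ts
            alerts.append({"stage": "unauthorized_api_access", "src_ip": src,
                           "principal": who, "ts": ts})
        if action in CONTAINER_ACTIONS and ts - first_seen[src] <= TIME_WINDOW:
            alerts.append({"stage": "container_activity_after_unauthorized_access", "src_ip": src,
                           "principal": who, "action": action, "ts": ts})
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_RECORDS = [
    # in-cluster client creating a pod: source is inside AllowedCIDRs, ignored
    {"requestReceivedTimestamp": "2024-05-01T11:58:00Z", "sourceIPs": ["10.1.2.3"],
     "user": {"username": "deploy-bot"}, "verb": "create", "objectRef": {"resource": "pods"}},
    # external source probes the Docker API, creates a container, then execs into a pod
    {"ts": "2024-05-01T12:00:00Z", "src_ip": "198.51.100.20", "method": "GET", "path": "/version"},
    {"ts": "2024-05-01T12:01:00Z", "src_ip": "192.0.2.9", "method": "GET", "path": "/info"},
    {"ts": "2024-05-01T12:02:00Z", "src_ip": "198.51.100.20", "method": "POST", "path": "/containers/create"},
    {"requestReceivedTimestamp": "2024-05-01T12:05:00Z", "sourceIPs": ["198.51.100.20"],
     "user": {"username": "system:anonymous"}, "verb": "create",
     "objectRef": {"resource": "pods", "subresource": "exec", "name": "web-0"}},
    # second external source creates a container 29 minutes after first contact: outside TimeWindow
    {"ts": "2024-05-01T12:30:00Z", "src_ip": "192.0.2.9", "method": "POST", "path": "/containers/create"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_RECORDS):
        print(alert)
```

Keying stage 2 on the source address rather than the principal matters here because an exposed Docker socket or an anonymous Kubernetes endpoint may report no meaningful principal at all; the address is the one attribute both log sources reliably share.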