Detection of compromised or misused valid accounts via anomalous logon patterns, abnormal logon types, and inconsistent geographic or time-based activity across Windows endpoints.
| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | WinEventLog:Security | EventID=4624 |
| User Account Authentication (DC0002) | WinEventLog:Security | EventID=4625 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Field | Description |
|---|---|
| LogonType | Flag unexpected logon types for sensitive accounts (e.g., Type 10, RemoteInteractive/RDP, for a service account that should only log on as Type 5, Service). |
| TimeWindow | Define acceptable hours for interactive logon activity (e.g., 9AM-6PM local). |
| GeoIPMismatch | Trigger on location anomalies based on prior user behavior or policy. |
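The three Windows mutable elements above can be evaluated together over Security 4624 records. The following is an added example, not part of this page or of ATT&CK; the sample events, the sensitive-account list, the 9AM-6PM window and the per-user baseline country are all constructed assumptions, and the `Country` field stands in for a GeoIP enrichment step a SIEM would normally apply to `IpAddress`.

```python
import datetime as dt

# Constructed sample 4624 records (not real telemetry). Field names follow the
# Security 4624 schema; "Country" stands in for a GeoIP enrichment of IpAddress.
SAMPLE_4624 = [
    {"TargetUserName": "svc_backup", "LogonType": 10, "IpAddress": "10.1.2.3",
     "TimeCreated": "2024-03-04T02:15:00", "Country": "US"},
    {"TargetUserName": "alice", "LogonType": 2, "IpAddress": "-",
     "TimeCreated": "2024-03-04T10:05:00", "Country": "US"},
    {"TargetUserName": "alice", "LogonType": 10, "IpAddress": "203.0.113.7",
     "TimeCreated": "2024-03-04T10:40:00", "Country": "RO"},
    {"TargetUserName": "bob", "LogonType": 3, "IpAddress": "10.1.2.9",
     "TimeCreated": "2024-03-04T22:30:00", "Country": "US"},
]

# Assumed policy inputs: sensitive accounts, logon types they must never use,
# the interactive working-hours window, and each user's baseline country.
SENSITIVE_ACCOUNTS = {"svc_backup", "Administrator"}
UNEXPECTED_TYPES_FOR_SENSITIVE = {10}   # 10 = RemoteInteractive (RDP)
INTERACTIVE_TYPES = {2, 10, 11}         # Interactive, RemoteInteractive, CachedInteractive
BUSINESS_HOURS = (9, 18)                # 9AM-6PM local: start inclusive, end exclusive
BASELINE_COUNTRY = {"alice": "US", "bob": "US", "svc_backup": "US"}


def check_event(ev):
    """Return the names of the mutable elements a single 4624 event violates."""
    findings = []
    user = ev["TargetUserName"]
    logon_type = int(ev["LogonType"])
    hour = dt.datetime.fromisoformat(ev["TimeCreated"]).hour

    # LogonType: sensitive account using a logon type it should never use
    if user in SENSITIVE_ACCOUNTS and logon_type in UNEXPECTED_TYPES_FOR_SENSITIVE:
        findings.append("LogonType")
    # TimeWindow: interactive logon outside the allowed hours (network logons ignored)
    if logon_type in INTERACTIVE_TYPES and not (BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]):
        findings.append("TimeWindow")
    # GeoIPMismatch: source country differs from the user's baseline
    baseline = BASELINE_COUNTRY.get(user)
    if baseline and ev.get("Country") and ev["Country"] != baseline:
        findings.append("GeoIPMismatch")
    return findings


def detect(events):
    """Map (user, timestamp) -> findings for every event that triggers at least one rule."""
    out = {}
    for ev in events:
        hits = check_event(ev)
        if hits:
            out[(ev["TargetUserName"], ev["TimeCreated"])] = hits
    return out


if __name__ == "__main__":
    for key, hits in detect(SAMPLE_4624).items():
        print(key, hits)
```

Note that the time-window rule deliberately ignores Type 3 (Network) logons: file-share and Kerberos service traffic happens around the clock and would otherwise drown the alert.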
Detection of valid account misuse through SSH logins, sudo/su abuse, and service account anomalies outside expected patterns.
| Data Component | Name | Channel |
|---|---|---|
| Process Creation (DC0032) | auditd:SYSCALL | execve |
| User Account Authentication (DC0002) | NSM:Connections | sshd or PAM logins |
| Field | Description |
|---|---|
| UserContext | Identify logins to root or sudoers not aligned with normal usage profiles. |
| HostDensityThreshold | Number of unique systems a user authenticates to in a time window. |
| LoginMethod | Trigger on rarely used access methods such as password instead of SSH key. |
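The Linux elements (root/sudoer context, host density, rare login method) can be computed from sshd and sudo lines in a syslog-format auth log. This is an added example, not code from this page or from ATT&CK; the log lines, hostnames, IPs, the per-user baseline method, the expected-sudoers set and the 60-minute/3-host density threshold are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth.log lines (not real logs); users, hosts and IPs are made up.
SAMPLE_AUTH_LOG = """\
Mar  4 02:10:01 web01 sshd[1201]: Accepted password for root from 198.51.100.9 port 50312 ssh2
Mar  4 09:00:12 db01 sshd[2201]: Accepted publickey for alice from 10.0.0.5 port 40000 ssh2
Mar  4 09:05:40 web01 sshd[1300]: Accepted publickey for alice from 10.0.0.5 port 40002 ssh2
Mar  4 09:07:03 app01 sshd[3100]: Accepted publickey for alice from 10.0.0.5 port 40003 ssh2
Mar  4 09:09:55 app02 sshd[3101]: Accepted publickey for alice from 10.0.0.5 port 40004 ssh2
Mar  4 14:20:00 db01 sshd[2260]: Accepted password for alice from 203.0.113.7 port 51000 ssh2
Mar  4 14:22:10 db01 sudo:    alice : TTY=pts/1 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
"""

SSH_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
                    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+"
                     r"(?P<user>\S+) : .*USER=(?P<target>\S+)")

# Assumed baselines: usual auth method per user, users expected to escalate to
# root, and the host-density window/threshold.
BASELINE_METHOD = {"alice": "publickey", "root": "publickey"}
EXPECTED_SUDOERS = {"ops"}
HOST_DENSITY_WINDOW = timedelta(minutes=60)
HOST_DENSITY_THRESHOLD = 3


def parse_ts(s):
    # syslog timestamps carry no year; the 1900 default is fine for ordering within a day
    return datetime.strptime(s, "%b %d %H:%M:%S")


def analyze(log_text):
    findings = []
    ssh_by_user = defaultdict(list)
    for line in log_text.splitlines():
        m = SSH_RE.match(line)
        if m:
            user, method = m["user"], m["method"]
            ssh_by_user[user].append((parse_ts(m["ts"]), m["host"], m["ts"]))
            # UserContext: direct login to root
            if user == "root":
                findings.append({"ts": m["ts"], "user": user, "rule": "UserContext",
                                 "detail": "direct root ssh login"})
            # LoginMethod: method differs from the user's baseline (password vs key)
            if BASELINE_METHOD.get(user) not in (None, method):
                findings.append({"ts": m["ts"], "user": user, "rule": "LoginMethod",
                                 "detail": f"{method} login, baseline {BASELINE_METHOD[user]}"})
            continue
        m = SUDO_RE.match(line)
        # UserContext: sudo to root by an account outside the expected sudoers
        if m and m["target"] == "root" and m["user"] not in EXPECTED_SUDOERS:
            findings.append({"ts": m["ts"], "user": m["user"], "rule": "UserContext",
                             "detail": "sudo to root outside expected sudoers"})

    # HostDensityThreshold: unique hosts per user inside a trailing time window
    for user, events in ssh_by_user.items():
        events.sort()
        for i, (ts, _host, raw) in enumerate(events):
            hosts = {h for t, h, _ in events[:i + 1] if ts - t <= HOST_DENSITY_WINDOW}
            if len(hosts) > HOST_DENSITY_THRESHOLD:
                findings.append({"ts": raw, "user": user, "rule": "HostDensityThreshold",
                                 "detail": f"{len(hosts)} hosts within {HOST_DENSITY_WINDOW}"})
                break  # one alert per user per burst
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUTH_LOG):
        print(f)
```

On the sample, the root password login fires both UserContext and LoginMethod, alice's fourth host in ten minutes fires HostDensityThreshold, and her later password login plus sudo to root fire LoginMethod and UserContext respectively.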
Detection of interactive and remote logins by service accounts or users at unusual times, with unexpected child process activity.
| Data Component | Name | Channel |
|---|---|---|
| Logon Session Metadata (DC0088) | macos:unifiedlog | loginwindow, sshd |
| Process Creation (DC0032) | macos:unifiedlog | exec logs |
| Field | Description |
|---|---|
| LoginOrigin | Login sourced from unexpected remote addresses. |
| ProcessTreeDepth | Track execution depth or anomalous chains post-login. |
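LoginOrigin and ProcessTreeDepth are easiest to evaluate by rebuilding the process tree from exec records and walking each process back to its login root (sshd or loginwindow). This is an added example, not code from this page or from ATT&CK; the records, the session-root names, the corporate address range and the depth threshold of 3 are constructed assumptions.

```python
import ipaddress

# Constructed unified-log-style exec/login records (not real macOS telemetry).
# Each record is a process start; session roots (sshd, loginwindow) also carry
# the remote address the session came from, if any.
SAMPLE_EVENTS = [
    {"pid": 500, "ppid": 1, "proc": "sshd", "user": "svc_ci", "remote": "203.0.113.7"},
    {"pid": 510, "ppid": 500, "proc": "zsh", "user": "svc_ci"},
    {"pid": 520, "ppid": 510, "proc": "bash", "user": "svc_ci"},
    {"pid": 530, "ppid": 520, "proc": "python3", "user": "svc_ci"},
    {"pid": 540, "ppid": 530, "proc": "curl", "user": "svc_ci"},
    {"pid": 600, "ppid": 1, "proc": "loginwindow", "user": "alice", "remote": None},
    {"pid": 610, "ppid": 600, "proc": "Finder", "user": "alice"},
    {"pid": 700, "ppid": 1, "proc": "sshd", "user": "alice", "remote": "10.0.0.5"},
    {"pid": 710, "ppid": 700, "proc": "zsh", "user": "alice"},
]

SESSION_ROOTS = {"sshd", "loginwindow"}
EXPECTED_ORIGINS = [ipaddress.ip_network("10.0.0.0/8")]   # assumed corporate range
MAX_TREE_DEPTH = 3   # processes deeper than this below a login root are suspicious


def build_index(events):
    """pid -> record, so parents can be looked up while walking a chain."""
    return {e["pid"]: e for e in events}


def chain(index, pid):
    """Process names from the login root down to pid; empty if pid has no login root."""
    names = []
    cur = index.get(pid)
    while cur is not None:
        names.append(cur["proc"])
        if cur["proc"] in SESSION_ROOTS:
            return list(reversed(names))
        cur = index.get(cur["ppid"])
    return []


def analyze(events):
    index = build_index(events)
    findings = []
    for e in events:
        # LoginOrigin: session root reached from an address outside the expected ranges
        if e["proc"] in SESSION_ROOTS and e.get("remote"):
            addr = ipaddress.ip_address(e["remote"])
            if not any(addr in net for net in EXPECTED_ORIGINS):
                findings.append(("LoginOrigin", e["pid"], e["remote"]))
        # ProcessTreeDepth: chain length below the login root exceeds the threshold
        c = chain(index, e["pid"])
        depth = len(c) - 1
        if depth > MAX_TREE_DEPTH:
            findings.append(("ProcessTreeDepth", e["pid"], " > ".join(c)))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

The depth rule fires once, on `curl` at depth 4 under the svc_ci sshd session; the same session also fires LoginOrigin because 203.0.113.7 is outside the assumed range, and the two findings on one session are what make the chain worth a look.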
Detection of valid account abuse in IdP logs via geographic anomalies, impossible travel, risky sign-ins, and multiple MFA attempts or failures.
| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | saas:okta | Sign-in logs / audit events |
| Field | Description |
|---|---|
| MFAFailureCount | Threshold of failed MFA attempts before alerting. |
| RiskScoreThreshold | Custom threshold based on calculated identity risk. |
| IPGeoVelocity | Detect impossible travel (logins from two distant geolocations within short time). |
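Impossible travel is a speed check between consecutive successful sign-ins, and the MFA-failure and risk-score elements are counters over the same per-user event stream. The following is an added example, not code from this page or from Okta/ATT&CK; the events, the 900 km/h ceiling, the 3-failures-in-10-minutes threshold and the additive risk weights are constructed assumptions.

```python
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Okta-style System Log events (not real data), trimmed to the
# fields the checks need: actor, time, eventType, outcome, client geolocation.
SAMPLE_EVENTS = [
    {"user": "alice", "ts": "2024-03-04T09:00:00", "eventType": "user.session.start",
     "outcome": "SUCCESS", "lat": 40.7128, "lon": -74.0060},   # New York
    {"user": "alice", "ts": "2024-03-04T10:00:00", "eventType": "user.session.start",
     "outcome": "SUCCESS", "lat": 51.5074, "lon": -0.1278},    # London, one hour later
    {"user": "carol", "ts": "2024-03-04T09:00:00", "eventType": "user.session.start",
     "outcome": "SUCCESS", "lat": 40.7128, "lon": -74.0060},   # New York
    {"user": "carol", "ts": "2024-03-04T12:00:00", "eventType": "user.session.start",
     "outcome": "SUCCESS", "lat": 42.3601, "lon": -71.0589},   # Boston, three hours later
    {"user": "bob", "ts": "2024-03-04T11:00:00", "eventType": "user.authentication.auth_via_mfa",
     "outcome": "FAILURE", "lat": 40.7128, "lon": -74.0060},
    {"user": "bob", "ts": "2024-03-04T11:02:00", "eventType": "user.authentication.auth_via_mfa",
     "outcome": "FAILURE", "lat": 40.7128, "lon": -74.0060},
    {"user": "bob", "ts": "2024-03-04T11:04:00", "eventType": "user.authentication.auth_via_mfa",
     "outcome": "FAILURE", "lat": 40.7128, "lon": -74.0060},
]

MAX_PLAUSIBLE_KMH = 900          # IPGeoVelocity: faster than an airliner is impossible travel
MIN_DISTANCE_KM = 50             # ignore GeoIP jitter between nearby points
MFA_FAILURE_THRESHOLD = 3        # MFAFailureCount
MFA_FAILURE_WINDOW = timedelta(minutes=10)
RISK_WEIGHTS = {"IPGeoVelocity": 60, "MFAFailureCount": 40}
RISK_SCORE_THRESHOLD = 50        # RiskScoreThreshold


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def analyze(events):
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(dict(e, t=datetime.fromisoformat(e["ts"])))
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["t"])
        # IPGeoVelocity: distance/time between consecutive successful sign-ins
        logins = [e for e in evs if e["outcome"] == "SUCCESS"]
        for prev, cur in zip(logins, logins[1:]):
            hours = (cur["t"] - prev["t"]).total_seconds() / 3600
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km > MIN_DISTANCE_KM and (hours == 0 or km / hours > MAX_PLAUSIBLE_KMH):
                findings.append((user, "IPGeoVelocity", round(km / hours) if hours else None))
        # MFAFailureCount: failures inside a trailing window
        fails = [e["t"] for e in evs if "mfa" in e["eventType"] and e["outcome"] == "FAILURE"]
        for i, t in enumerate(fails):
            n = sum(1 for f in fails[:i + 1] if t - f <= MFA_FAILURE_WINDOW)
            if n >= MFA_FAILURE_THRESHOLD:
                findings.append((user, "MFAFailureCount", n))
                break
    return findings


def risk_scores(findings):
    """RiskScoreThreshold: additive score per user; alert when it crosses the threshold."""
    scores = defaultdict(int)
    for user, rule, _ in findings:
        scores[user] += RISK_WEIGHTS[rule]
    return dict(scores)


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for user, score in risk_scores(found).items():
        print(user, score, "ALERT" if score >= RISK_SCORE_THRESHOLD else "")
```

Real IdP logs carry the geolocation in a nested client object and the event names differ per product; only the two-point speed check and the trailing-window counter are meant to transfer as written.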
Detection of containerized service accounts or compromised kubeconfigs being used for cluster access from unexpected nodes or IPs.
| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | kubernetes:audit | authentication.k8s.io |
| Field | Description |
|---|---|
| ServiceAccountScope | Validate access from expected namespaces only. |
| ClusterIPWhitelist | Permit kubeconfig usage from a limited set of IPs. |
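Both container elements come straight out of the kube-apiserver audit event: the service-account namespace is encoded in `user.username` as `system:serviceaccount:<namespace>:<name>`, and `sourceIPs` gives the client address. This is an added example, not code from this page or from ATT&CK or Kubernetes; the events, the pod/node CIDRs and the kubeconfig allowlist are constructed assumptions.

```python
import ipaddress
import re

# Constructed kube-apiserver audit events (not real cluster data), trimmed to
# the fields the checks use.
SAMPLE_AUDIT = [
    {"user": {"username": "system:serviceaccount:payments:api-sa"}, "sourceIPs": ["10.244.1.5"],
     "verb": "get", "objectRef": {"resource": "secrets", "namespace": "payments", "name": "db-creds"}},
    {"user": {"username": "system:serviceaccount:payments:api-sa"}, "sourceIPs": ["10.244.1.5"],
     "verb": "list", "objectRef": {"resource": "secrets", "namespace": "kube-system"}},
    {"user": {"username": "system:serviceaccount:payments:api-sa"}, "sourceIPs": ["198.51.100.22"],
     "verb": "get", "objectRef": {"resource": "secrets", "namespace": "payments", "name": "db-creds"}},
    {"user": {"username": "admin@example.com"}, "sourceIPs": ["10.0.0.12"],
     "verb": "list", "objectRef": {"resource": "pods", "namespace": "default"}},
    {"user": {"username": "admin@example.com"}, "sourceIPs": ["203.0.113.40"],
     "verb": "create", "objectRef": {"resource": "clusterrolebindings"}},
]

SA_RE = re.compile(r"^system:serviceaccount:(?P<ns>[^:]+):(?P<name>.+)$")
# Assumed policy: service-account tokens should only arrive from pod/node CIDRs;
# kubeconfig (non-service-account) users only from the admin allowlist.
CLUSTER_CIDRS = [ipaddress.ip_network("10.244.0.0/16"), ipaddress.ip_network("10.0.1.0/24")]
KUBECONFIG_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/24")]


def in_any(ip, nets):
    addr = ipaddress.ip_address(ip)
    return any(addr in n for n in nets)


def check_event(ev):
    """Return (rule, username, detail) tuples for one audit event."""
    findings = []
    username = ev["user"]["username"]
    # sourceIPs lists the originating client first, then intermediate proxies;
    # trust the first entry only when the apiserver sits behind a known proxy.
    src = ev["sourceIPs"][0]
    m = SA_RE.match(username)
    if m:
        # ServiceAccountScope: SA token touching a namespace other than its own
        target_ns = ev.get("objectRef", {}).get("namespace")
        if target_ns and target_ns != m["ns"]:
            findings.append(("ServiceAccountScope", username, f"{m['ns']} -> {target_ns}"))
        # ClusterIPWhitelist (SA form): token used from outside the cluster
        if not in_any(src, CLUSTER_CIDRS):
            findings.append(("ClusterIPWhitelist", username, src))
    elif not in_any(src, KUBECONFIG_ALLOWLIST):
        # ClusterIPWhitelist: kubeconfig credential used from a non-allowlisted IP
        findings.append(("ClusterIPWhitelist", username, src))
    return findings


def analyze(events):
    return [f for ev in events for f in check_event(ev)]


if __name__ == "__main__":
    for f in analyze(SAMPLE_AUDIT):
        print(f)
```

The third sample event is the case the description above is about: a service-account token that should only ever be presented from a pod shows up from an address outside the cluster, which is what a copied kubeconfig or exfiltrated token looks like in the audit log.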