Monitor logon activity for unexpected or unusual access to devices from the Internet.
Monitor for unexpected protocols to/from the Internet. While network traffic content and logon session metadata may directly identify a login event, new Internet-based network flows may also be a reliable indicator of this technique.
Monitor for unusual logins to Internet-connected devices or unexpected protocols to/from the Internet. Network traffic content provides valuable context and detail about what those network flows carry.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Metadata (DC0088) | Logon Session | None |
| Network Traffic Flow (DC0078) | Network Traffic | None |
| Network Traffic Content (DC0085) | Network Traffic | None |
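
The logon and flow checks described above can be combined in a short script. This is an added example, not part of the original page; the record field names, the site address ranges, the allowlist and all sample records are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: address space of the monitored site; anything outside it counts as Internet.
SITE_NETS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]
# Assumption: the only Internet-facing flows expected, as (site device, proto, dest port).
EXPECTED_INTERNET_FLOWS = {("10.20.1.5", "tcp", 443)}

def is_internet(addr):
    """True when the address lies outside every site network."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in SITE_NETS)

def internet_flows(flows):
    """Return flows that cross the site boundary and are not on the allowlist."""
    alerts = []
    for f in flows:
        src_ext, dst_ext = is_internet(f["src"]), is_internet(f["dst"])
        if src_ext == dst_ext:
            continue  # internal-only or pure transit traffic is out of scope here
        device = f["dst"] if src_ext else f["src"]
        direction = "inbound" if src_ext else "outbound"
        if (device, f["proto"], f["dport"]) not in EXPECTED_INTERNET_FLOWS:
            alerts.append((direction, device, f["proto"], f["dport"]))
    return alerts

def internet_logons(logons):
    """Return logon sessions whose source address is outside the site."""
    return [(l["user"], l["device"], l["src"]) for l in logons if is_internet(l["src"])]

# Constructed sample records (documentation address ranges stand in for Internet hosts).
FLOWS = [
    {"src": "10.20.1.5", "dst": "198.51.100.10", "proto": "tcp", "dport": 443},
    {"src": "203.0.113.7", "dst": "10.20.3.9", "proto": "tcp", "dport": 502},
    {"src": "10.20.3.9", "dst": "10.20.1.5", "proto": "tcp", "dport": 44818},
    {"src": "10.20.3.9", "dst": "198.51.100.77", "proto": "udp", "dport": 53},
]
LOGONS = [
    {"user": "operator1", "device": "10.20.3.9", "src": "10.20.1.5"},
    {"user": "admin", "device": "10.20.3.9", "src": "203.0.113.7"},
]

if __name__ == "__main__":
    for alert in internet_flows(FLOWS):
        print("unexpected Internet flow:", alert)
    for alert in internet_logons(LOGONS):
        print("logon from Internet:", alert)
```

An alert from either function is a starting point for review; the traffic content for the flagged flow supplies the detail needed to judge it.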