Monitor for network traffic originating from unknown/unexpected systems.
Monitor authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours, including use of Valid Accounts.
When authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application.
| Data Component | Name | Channel |
|---|---|---|
| Network Traffic Flow (DC0078) | Network Traffic | None |
| Logon Session Metadata (DC0088) | Logon Session | None |
| Application Log Content (DC0038) | Application Log | None |
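As an added example (not part of this page or of ATT&CK itself), the first two points above turned into a small detector: it reads constructed logon-session records and flags successful logons from source addresses outside the known internal ranges or outside the normal working window. The `10.0.0.0/8` range and the 08:00-18:00 UTC weekday window are assumptions standing in for an environment's own baseline.

```python
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample logon-session events (not real telemetry), normalised to
# a UTC timestamp, user, source IP and outcome.
SAMPLE_LOGONS = [
    '{"ts": "2024-03-04T09:12:00Z", "user": "alice", "src_ip": "10.0.5.20", "result": "success"}',
    '{"ts": "2024-03-04T02:47:00Z", "user": "svc_backup", "src_ip": "10.0.5.21", "result": "success"}',
    '{"ts": "2024-03-04T14:03:00Z", "user": "bob", "src_ip": "203.0.113.45", "result": "success"}',
    '{"ts": "2024-03-05T23:30:00Z", "user": "alice", "src_ip": "198.51.100.9", "result": "success"}',
    '{"ts": "2024-03-04T10:00:00Z", "user": "carol", "src_ip": "10.0.5.22", "result": "failure"}',
]

# Assumed environment baseline: networks expected to reach the remote service,
# and the organisation's working hours in UTC (Mon-Fri, 08:00 inclusive to 18:00 exclusive).
KNOWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
BUSINESS_HOURS = (8, 18)


def analyse_logon(line):
    """Return the reasons a successful logon looks anomalous (empty list = normal)."""
    ev = json.loads(line)
    if ev["result"] != "success":
        return []  # failed attempts are a separate signal (brute force), not covered here
    ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00")).astimezone(timezone.utc)
    src = ipaddress.ip_address(ev["src_ip"])
    reasons = []
    if not any(src in net for net in KNOWN_NETWORKS):
        reasons.append("unknown_source")
    on_weekday = ts.weekday() < 5
    in_hours = BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1]
    if not (on_weekday and in_hours):
        reasons.append("outside_business_hours")
    return reasons


def find_anomalous_logons(lines):
    """Walk a batch of logon records and collect (user, src_ip, reasons) for each hit."""
    findings = []
    for line in lines:
        reasons = analyse_logon(line)
        if reasons:
            ev = json.loads(line)
            findings.append((ev["user"], ev["src_ip"], reasons))
    return findings


if __name__ == "__main__":
    for user, src_ip, reasons in find_anomalous_logons(SAMPLE_LOGONS):
        print(f"{user} from {src_ip}: {', '.join(reasons)}")
```

A real deployment would load the network allowlist and per-user activity windows from the environment's baseline rather than hard-coding them, and would correlate hits with the external API or application logs named in the third point.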