Detection Rule Proposal
Summary
I wanted to suggest a few good threat detection rule logics for on-premises firewall and proxy server logs.
Threat Scenario
Here are specific attack scenarios that can be detected using these logs:
- Malware and Command & Control (C2) Activity
- Data Exfiltration
- Privilege Escalation and Unauthorized Access
- Insider Threats and Compliance Issues
Data Sources Required
- commonsecuritylogs
- Signinlogs
- Azureactivitylogs
Status
Additional Context
I am happy to implement this rule as a PR including:
- KQL query
- Metadata (severity, tactics, techniques)
- ARM/YAML format as per repo standards
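As an added illustration of the kind of rule logic this proposal has in mind (example code, not part of the original proposal or the repo), the query below covers the Data Exfiltration scenario over firewall/proxy events in the CommonSecurityLog table; the 1-hour lookback and the 500 MB per-source threshold are assumed starting points to be tuned against the environment's own baseline.

```kql
// Added example: candidate Data Exfiltration detection over CommonSecurityLog (CEF firewall/proxy events).
// Lookback window and byte threshold are assumptions; tune them to the organisation's normal outbound volume.
let lookback = 1h;
let bytes_threshold = 500000000;   // ~500 MB sent by one internal host within the window
CommonSecurityLog
| where TimeGenerated > ago(lookback)
| where isnotempty(SentBytes) and isnotempty(DestinationIP) and isnotempty(SourceIP)
// Only count traffic leaving the private address space (RFC 1918 destinations are excluded)
| where not(ipv4_is_private(DestinationIP))
| summarize TotalSentBytes = sum(SentBytes),
            DistinctDestinations = dcount(DestinationIP),
            Destinations = make_set(DestinationIP, 20),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by SourceIP, DeviceVendor, DeviceProduct
| where TotalSentBytes > bytes_threshold
| extend TotalSentMB = round(TotalSentBytes / 1048576.0, 2)
| project-reorder SourceIP, DeviceVendor, DeviceProduct, TotalSentMB, DistinctDestinations, Destinations, FirstSeen, LastSeen
| order by TotalSentBytes desc
```

SourceIP, DestinationIP, FirstSeen and LastSeen map naturally onto the IP and timestamp entity fields of an analytics rule, so the same query can be wrapped directly in the YAML/ARM template mentioned above.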