IDS detections

Network detections built on Zeek (formerly Bro) logs. Each entry names the source table the rule reads from.

Detects actors using the MS-LSAT (Local Security Authority Translation Methods) remote protocol to map security identifiers (SIDs) to user accounts, a common reconnaissance step after obtaining SIDs from group membership or ACL data.

Source table → ids.bro.dce_rpc

Detects servers presenting self-signed certificates on SSL/TLS services, based on the certificate validation status Zeek records for the connection.

Source table → ids.bro.ssl

Detects SSH logins involving hosts with "interesting" hostnames, as raised by Zeek's SSH::Interesting_Hostname_Login notice: the interesting-hostnames policy script flags logins to or from hosts whose name suggests shared infrastructure (for example mail, DNS or web servers). See the Bro/Zeek reference for the exact hostname patterns.

Source table → ids.bro.notice

Detects a Remote Desktop Services scan: one entity initiating RDP connections to multiple destinations within a short time window.

Source table → ids.bro.rdp

Detects actors enumerating user accounts in Active Directory via the Security Account Manager Remote Protocol (MS-SAMR), for example through SamrEnumerateUsersInDomain calls against a domain controller.

Source table → ids.bro.dce_rpc
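As an added example, and not the platform's own rule logic, the Python below re-implements all five detections above over constructed Zeek log lines (dce_rpc, ssl, notice and rdp). It assumes standard Zeek TSV output with the field names used in the dce_rpc.log, ssl.log, notice.log and rdp.log records; the operation-name sets, the sample IPs, and the RDP scan threshold of five distinct targets within 300 seconds are assumptions chosen for illustration.

```python
"""Illustrative versions of the five Zeek-based detections listed above, run
over constructed sample log lines. Example code, not the platform's own rules."""
from collections import defaultdict


def parse_zeek_tsv(text):
    """Turn a Zeek TSV log (with its #fields header) into a list of dicts."""
    fields, rows = [], []
    for line in text.strip().splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line.startswith("#") or not line:
            continue
        else:
            rows.append(dict(zip(fields, line.split("\t"))))
    return rows


# Zeek operation names for MS-LSAT SID lookups and MS-SAMR enumeration calls
# (assumed subsets; Zeek derives these names from the Microsoft opnum tables).
LSAT_SID_LOOKUPS = {"LsarLookupSids", "LsarLookupSids2", "LsarLookupSids3"}
SAMR_ENUM_OPS = {"SamrEnumerateUsersInDomain", "SamrEnumerateGroupsInDomain",
                 "SamrEnumerateDomainsInSamServer", "SamrQueryDisplayInformation"}


def detect_lsat_sid_mapping(dce_rpc_rows):
    """ids.bro.dce_rpc: lsarpc endpoint resolving SIDs to account names."""
    return [r for r in dce_rpc_rows
            if r["endpoint"] == "lsarpc" and r["operation"] in LSAT_SID_LOOKUPS]


def detect_samr_enumeration(dce_rpc_rows):
    """ids.bro.dce_rpc: samr endpoint enumerating domain accounts."""
    return [r for r in dce_rpc_rows
            if r["endpoint"] == "samr" and r["operation"] in SAMR_ENUM_OPS]


def detect_self_signed_servers(ssl_rows):
    """ids.bro.ssl: validation_status as written by Zeek's validate-certs script."""
    return [r for r in ssl_rows
            if r["validation_status"].startswith("self signed certificate")]


def detect_interesting_hostname_logins(notice_rows):
    """ids.bro.notice: note raised by Zeek's SSH interesting-hostnames policy."""
    return [r for r in notice_rows if r["note"] == "SSH::Interesting_Hostname_Login"]


def detect_rdp_scan(rdp_rows, min_targets=5, window=300.0):
    """ids.bro.rdp: one origin reaching >= min_targets distinct RDP servers
    within `window` seconds (threshold and window are assumed values)."""
    by_src = defaultdict(list)
    for r in rdp_rows:
        by_src[r["id.orig_h"]].append((float(r["ts"]), r["id.resp_h"]))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            targets = {dst for t, dst in events[i:] if t <= t0 + window}
            if len(targets) >= min_targets:
                hits[src] = sorted(targets)
                break
    return hits


# --- constructed sample logs (not captured traffic) -------------------------
DCE_RPC_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tendpoint\toperation",
    "1700000001.0\tC1\t10.0.0.5\t49700\t10.0.0.10\t445\tlsarpc\tLsarLookupSids",
    "1700000002.0\tC2\t10.0.0.5\t49701\t10.0.0.10\t445\tsamr\tSamrEnumerateUsersInDomain",
    "1700000003.0\tC3\t10.0.0.7\t49702\t10.0.0.10\t445\tsrvsvc\tNetrShareEnum",
])
SSL_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tserver_name\tvalidation_status",
    "1700000010.0\tC4\t10.0.0.5\t51000\t10.0.0.20\t443\tintranet.example\tself signed certificate",
    "1700000011.0\tC5\t10.0.0.5\t51001\t93.184.216.34\t443\texample.com\tok",
])
NOTICE_LOG = "\n".join([
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tnote\tmsg",
    "1700000020.0\tC6\t10.0.0.5\t52000\t10.0.0.30\t22\tSSH::Interesting_Hostname_Login\tlogin to mail.example",
    "1700000021.0\tC7\t10.0.0.5\t52001\t10.0.0.31\t22\tSSH::Password_Guessing\tguessing SSH passwords",
])
RDP_LOG = "\n".join(
    ["#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tcookie"]
    + [f"17000000{30 + i}.0\tC{8 + i}\t10.0.0.5\t{53000 + i}\t10.0.1.{i}\t3389\tscanner"
       for i in range(6)]                                  # one source, six servers in 6 s
    + ["1700000099.0\tC20\t10.0.0.7\t53100\t10.0.1.1\t3389\tadmin"])  # single benign session


def run_all():
    """Return the hits of every detection, keyed by a short rule name."""
    dce = parse_zeek_tsv(DCE_RPC_LOG)
    return {
        "lsat_sid_mapping": [r["uid"] for r in detect_lsat_sid_mapping(dce)],
        "samr_enumeration": [r["uid"] for r in detect_samr_enumeration(dce)],
        "self_signed": [r["id.resp_h"] for r in detect_self_signed_servers(parse_zeek_tsv(SSL_LOG))],
        "interesting_hostname": [r["uid"] for r in detect_interesting_hostname_logins(parse_zeek_tsv(NOTICE_LOG))],
        "rdp_scan": detect_rdp_scan(parse_zeek_tsv(RDP_LOG)),
    }


if __name__ == "__main__":
    for name, hits in run_all().items():
        print(f"{name}: {hits}")
```

The RDP rule is the only stateful one: it groups rdp.log rows by origin host and slides a time window over the sorted connection times, so a single administrator reaching one server never trips it while a host touching many servers in quick succession does. In production the threshold and window should be tuned to the environment, and the dce_rpc rules should be scoped to exclude known management hosts that legitimately call LSAT and SAMR.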

Related content

Release 15 - Out-of-the-box alerts
Windows detections
Release 21 - Out-of-the-box alerts
Linux detections
Alert Pack: Impair Defenses (MITRE ATT&CK Technique: T1562)
Release 25 - Out-of-the-box alerts