Models
No. | Name | Description | Data Source
---|---|---|---
1 | Abnormal GitHub Activity | This calculates probabilities of events compared to the given time period (default 30 days). | |
2 | Abnormal Login Activity | This calculates probabilities of authentication events compared to the given time period (default 30 days). | |
3 | Anomalous Access to IP Address (and Port) from IP Address | This calculates the probability of an IP address accessing a resource at another IP address based on port information (default 30 days). | |
4 | Anomalous Authentication or Access to Asset from IP Address | This calculates the probability of a user accessing a computer system based on the past time period (default 30 days). | |
5 | Auth Impossible Travel | Detects impossible traveler situations from successful logins on a rolling 12-hour window. | |
6 | Authentication on Anomalous Day of Week | This calculates the probability of a user authenticating on a given day of the week from the past given time period (default 30 days). | |
7 | Authentication on Anomalous Time | This calculates the probability of a user authenticating at a given time on a day from the past given time period (default 30 days). | |
8 | AWS Anomalous Source of Activity | This finds AWS actions performed from an anomalous source for a user compared to the past given time period (default 30 days). | |
9 | AWS ec2 First Time Action for AMI | This finds first time AWS EC2 actions per AMI events compared to the given time period (default 30 days). | |
10 | AWS ec2 First Time Action for Instance Type | This finds first time AWS EC2 actions per instance type per user events compared to the given time period (default 30 days). | |
11 | AWS ec2 First Time Action for Region | This finds first time AWS EC2 actions per region events compared to the given time period (default 30 days). | |
12 | AWS ec2 First Time Action for User | This finds first time AWS EC2 actions per user events compared to the given time period (default 30 days). | |
13 | AWS First Time Action | This finds first time AWS actions per user events compared to the given time period (default 30 days). | |
14 | AWS Provisioning First Time Action in Region | This finds first time AWS actions per user per region events compared to the given time period (default 30 days). | |
15 | AWS Provisioning First Time City | This finds first time AWS provisioning actions per user per city events compared to the given time period (default 30 days). | |
16 | AWS Provisioning First Time Country | This finds first time AWS provisioning events per user per country compared to the given time period (default 30 days). | |
17 | AWS Provisioning First Time IP | This finds first time AWS provisioning events per user per IP compared to the given time period (default 30 days). | |
18 | Azure App Service First Time Action | This finds first time Azure App Service user actions compared to the given time period (default 30 days). | |
19 | Azure App Service First Time Country | This finds first time Azure App Service events from a country compared to the given time period (default 30 days). | |
20 | Azure App Service First Time User | This finds first time Azure App Service users compared to the given time period (default 30 days). | |
21 | Azure Storage First Time Action | This finds first time Azure Storage action events compared to the given time period (default 30 days). | |
22 | Azure Storage First Time Country | This finds first time Azure Storage events from a country compared to the given time period (default 30 days). | |
23 | Azure Storage First Time User | This finds first time Azure Storage users compared to the given time period (default 30 days). | |
24 | Azure VM First Time Action | This finds first time Azure VM action events compared to the given time period (default 30 days). | |
25 | Azure VM First Time Country | This finds first time Azure VM events from a country compared to the given time period (default 30 days). | |
26 | Azure VM First Time User | This finds first time Azure VM users compared to the given time period (default 30 days). | |
27 | DNS Query for DGA Domain from this Asset | This finds assets making DNS queries to suspected DGA domains. | |
28 | Failed Authentication on Anomalous Day of Week | This calculates the probability of a user failing authentication on a given day of the week from the past given time period (default 30 days). | |
29 | Failed Login Activity Detection on Internal Traffic | This detects abnormally high failed logins from internal entities by comparing them to other entities on the network. | |
30 | Firewall First Time Connection from Zone | This detects first time connections to a given asset from a new firewall zone compared to the given time period (default 30 days). | |
31 | Firewall First Time Connection to Zone | This detects first time connections from a given asset to a new firewall zone compared to the given time period (default 30 days). | |
32 | Firewall First Time Outbound Connection to Country | This detects first time connections from a given asset to a country that is new compared to historical data (default 30 days). | |
33 | First Time Access to Domain from User | Identifies the first time a domain is accessed over the proxy by a user compared to the past 30 days. | |
34 | First Time Authentication or Authorization from a Country | Identifies if this is the first authentication or authorization request for a user from a country in the past 30 days. | |
35 | First Time Authentication or Authorization from an Organization | Identifies if this is the first authentication or authorization request for a user from an organization in the past 30 days. | |
36 | First Time Authentication to a Windows Domain | Identifies if this is the first authentication to a Windows domain by a user in the past 30 days. | |
37 | First Time Domain Accessed by Internal IP | Identifies the first time an internal IP accessed a domain over the proxy compared to the past 30 days. | |
38 | First Time Login to Device/Asset | Identifies first time logins to devices compared to the past 30 days. | |
39 | GitHub Organization First Time Access Protocol Events | This finds first time GitHub Organization user activity with a protocol compared to the given time period (default 30 days). | |
40 | GitHub Organization First Time Action Events | This finds first time GitHub Organization user actions compared to the given time period (default 30 days). | |
41 | GitHub Organization First Time Country Events | This finds first time GitHub Organization user activity from a country compared to the given time period (default 30 days). | |
42 | GitHub Organization First Time Repo Access | This finds first time GitHub Organization repo access compared to the given time period (default 30 days). | |
43 | GitHub Organization First Time User Access | This finds first time GitHub Organization user access compared to the given time period (default 30 days). | |
44 | GSuite Admin First Time Action | This finds first time GSuite Admin actions per user compared to the given time period (default 30 days). | |
45 | Login Activity Lateral Movement | This calculates the likelihood that a user is exhibiting lateral movement behavior in the network. | |
46 | Login Activity Peer Group Movement | This calculates the likelihood that a user's login behavior has significantly changed compared to peers. | |
47 | O365 Anomalous IP Address for Activity | This finds O365 actions performed from an anomalous IP address for a user compared to the past given time period (default 30 days). | |
48 | O365 Abnormal File Access | This calculates probabilities of O365 file access events compared to the given time period (default 30 days). | |
49 | O365 First Time Action | This finds first time O365 actions per user compared to the given time period (default 30 days). | |
50 | Proxy First Time Outbound Connection to Country | This detects first time connections from a given proxy to a country that is new compared to historical data (default 30 days). | |