Sophos_Attempted_User_Privilege_Gain
ID: 100213
Description:
Sophos has detected an attempted user privilege gain
Repository: Group: Sophos Type: event
Default Status:
Enabled
Tags: |
---|
Sophos |
Selector:
Query:
Filters:
Field | MUST hit |
---|---|
@tags | sophos |
@sophos.classification | Attempted User Privilege Gain |
Field | MUST NOT hit |
---|---|
Behavior Rule:
Key | Type | Behavior Category |
---|---|---|
@sophos.src_ip | ip | security alert |
Risks:
Risks | Base Score | Dimension |
---|---|---|
ALERT_NORMAL | 100 | alert |
Timeline | 0 | - |
Attributes:
Alias | Key |
---|---|
Message | @sophos.message |
SrcIP | @sophos.src_ip |
DestIP | @sophos.dst_ip |
SrcPort | @sophos.src_port |
DestPort | @sophos.dst_port |
Country | @sophos.src_country |
Victim | @sophos.victim |
Severity | @sophos.severity |
Correlation Rules:
First Occurrence:
Name | Window | Fields |
---|---|---|
NewCountry | 10 days | @sophos.src_country |
Risks: | ML_NEW_GEO_COUNTRY |
History:
User | Date |
---|---|
em*n@fluencysecurity.com | 2021 Mar 22 10:13:32 EDT |
em*n@fluencysecurity.com | 2021 Mar 23 02:08:45 EDT |
em*n@fluencysecurity.com | 2021 Mar 23 09:20:20 EDT |
This page was automatically created/formatted on Wed, 2022 May 4 21:43:53 EDT, from rule_dump.json (4d88bffdfb1cea26b3985f2193033606)