Link Search Menu Expand Document

Sophos_Attempted_User_Privilege_Gain

ID: 100213

Description:

Sophos has detected an attempted user privilege gain

Repository: Group: Sophos Type: event

Default Status:

Enabled

Tags:
Sophos
 

Selector:

Query:

Filters:

Field MUST hit
@tags sophos
@sophos.classification Attempted User Privilege Gain
Field MUST NOT hit
   

Behavior Rule:

Key Type Behavior Category
@sophos.src_ip ip security alert

Risks:

Risks Base Score Dimension
ALERT_NORMAL 100 alert
Timeline 0 -

Attributes:

Alias Key
Message @sophos.message
SrcIP @sophos.src_ip
DestIP @sophos.dst_ip
SrcPort @sophos.src_port
DestPort @sophos.dst_port
Country @sophos.src_country
Victim @sophos.victim
Severity @sophos.severity

Correlation Rules:

First Occurrence:

Name Window Fields
NewCountry 10 days @sophos.src_country
  Risks: ML_NEW_GEO_COUNTRY

History:

User Date
em*n@fluencysecurity.com 2021 Mar 22 10:13:32 EDT
em*n@fluencysecurity.com 2021 Mar 23 02:08:45 EDT
em*n@fluencysecurity.com 2021 Mar 23 09:20:20 EDT

This page was automatically created/formatted on Tue, 2021 Oct 19 00:29:17 EDT, from rule_dump.json (db47c470500ce8686ead334f5eda0596)