General Rule

S. No.
Sub Category Applicable Event Sources

1 Web Attacks Web Server
Web Attacks Web Server
13 Network Attacks Network Firewall
47 Network Attacks DNS Logs
48 Network Attacks IDS/IPS
50 Network Attacks HIPS
63 Network Attacks Router
64 Network Attacks Router
65 Network Attacks Email/SMTP Server
66 Network Attacks Email/SMTP Server
67 Network Attacks Network Devices
68 Network Attacks Wireless
69 Network Attacks DHCP
Network Attacks Network Firewall, OS
Network Attacks Network Firewall
Network Attacks IDS/IPS
70 System Attacks Windows
System Attacks Windows, VA Scanner
System Attacks Network Firewall, VA Scanner
System Attacks Windows
System Attacks Network Firewall
System Attacks Web Proxy
System Attacks OS, Devices
System Attacks IDS/IPS, VA Scanner
System Attacks IDS/IPS, OS
System Attacks OS
System Attacks IDS/IPS, OS
81 Access & Authorization Violation Windows
88 Access & Authorization Violation Unix
92 Access & Authorization Violation Network Firewall
93 Access & Authorization Violation Proxy Server
96 Access & Authorization Violation VPN
99 Access & Authorization Violation Database
103 Access & Authorization Violation Wireless
104 Access & Authorization Violation Wireless
105 Malware Detection Network Firewall
109 Malware Detection IDS/IPS
113 Malware Detection Anti Virus
118 Malware Detection Proxy Server
119 Malware Detection URL Filter
121 Malware Detection Firewall
124 Malware Detection URL Filter
125 Advanced Target Attacks Detection Cross Correlation
126 Data Security Windows
127 Data Security Windows
128 Data Security Email/SMTP Server
131 Data Security URL Filter
132 Unauthorized or Insecure Configurations Network Firewall
133 Unauthorized or Insecure Configurations IDS/IPS
134 Suspicious communication with blackliste Network Firewall
135 Suspicious communication with blackliste Web Server
136 Suspicious communication with blackliste URL Filter
137 Suspicious communication with blackliste DNS Logs
138 Suspicious communication with blackliste DNS Logs
139 Suspicious communication with blackliste Email/SMTP Server
140 Network Attacks Firewall
152 Suspicious communication with blackliste Firewall
Use Case
Google Hacking attempts
Web Attacks like URL Guessing, Man in the middle detected.
Server Error codes detected in Webserver logs
Vulnerability scanning using scanners such as Nessus or Qualys
SQL Injection attempts
Malware injections attempts on web servers using XSS
Phishing Site detection using Referer Logs
Script injection attack
Monitoring directory traversal attempts
Web server –availability tracking alerts
Suspicious HTTP return codes
Suspicious Web Methods used
Probable Successful Attack – Probable Redirect Attack
Port Scan followed by Exploit
Sudden surge in volume of accepts to a destination
Sudden surge in volume of deny to a destination
Firewall repetitive block from a source.
Firewall accept after repetitive blocks
DoS attempt detected by firewall
IRC-Bot net Infected System
DOS attempt on hosts/network/services behind Firewall
Scanning for Multiple Ports on single host
Scanning for Multiple Hosts on single /different ports
ICMP traffic spike
SYN traffic spike
TCP traffic spike
UDP traffic spike
Confirmed Skype Activity
Traffic to external NetBIOS ports
ZBot P2P Command and Control
Possible DNSChanger Infection
Multiple Firewall Accesses from Same Source to Multiple Countries
Attempt to contact external DNS provider
Possible HTTP POST exfiltration attempt
Possible FTP data exfiltration attempt
RDP successful connection to foreign country
SSH successful connection to foreign country
Communication To CC server detected
Possible DDoS attack on Email Gateway
BOTNET Detected in the network
Malicious Port Activity - External to Internal - Allowed
Malicious Port Activity - Internal to External
ROGUE DNS Server Traffic
RDP successful connection from foreign country
Possible uTorrent Activity
Traffic to/from suspicious geographies
FTP Zero byte file upload
Single Internal Machine Trying to resolve Multiple External IP
Denial of Service attack
P2P traffic detected in the network
Possible SAM Service brute force sourced from client
Blackhole Exploit Kit
Trojan.ZeroAccess and Rogue TLD
Possible W32. Dasher
Possible Flashback.Trojan
Backdoor Activity Detected In the Network
IP Spoof attack detected
Multiple IPS signatures triggered for same target IP
Multiple IPS signatures triggered from same IP
HTTPS Tunnel Activity detected in the Network
Network Attacks -Man in the Middle
Syn flood attack
Network Port Scan
High number of denied traffic from particular source-IP
DOS attacks on routers
High number of mails to unique Internal address with same From: address
High number of rejected mails from single From: address
Brute Force Network Device Login
Wireless insecure AP detected
High number of DHCP request from same MAC address
Attack from Source having Reconnaissance History
Possible Internal Network Sweep
Possible Outbound Network Sweep
Suspicious Communication From Attacked Target
Attack From Suspicious Source
Suspicious Activity - Packet Manipulation
High Number of IDS Alerts for Backdoor
Firewall – Pass After Repetitive Blocks
Firewall – Repetitive Block – In Progress
Firewall – Host Port Scan
Firewall – Application Protocol Scan
Firewall - Network Port Scan
Security software has been disabled
User attempted to install a service
Windows Audit Log Cleared
Windows user account created and deleted in 1 hour
Windows account created and high account activity within 1 hour
High number of new users added within 1 hour
High number of user accounts deleted/disabled within 1 hour
Multiple password changes for different user-ids from same IP address
Password reset soon after login
Password reset not preceded by lockout
Hose Port Scan
SANS Top 20 OS (v6.01) - Microsoft Task Scheduler Service Vulnerabilities
SANS Top 20 OS (v6.01) – Microsoft WINS Vulnerabilities
SANS Top 20 OS (v6.01) - Microsoft SMB Service Vulnerabilities
SANS Top 20 Email (v6.01) – Microsoft Office XP Buffer Overflow Vulnerabilities
SANS Top 20 OS (v6.01) - Microsoft Plug and Play Service Vulnerabilities
SANS Top 20 OS (v6.01) – Microsoft NetDDE Service Vulnerabilities
SANS Top 20 OS (v6.01) – Microsoft NNTP Service Vulnerabilities
SANS Top 20 OS (v6.01) – Microsoft License Logging Service Vulnerabilities
SANS Top 20 OS (v6.01) – Microsoft Exchange SMTP Service Vulnerabilities
SANS Top 20 OS (v6.01) – Microsoft MSDTC and COM Service Vulnerabilities
SANS Top 20 OS (v6.01) – Microsoft Message Queuing Service Vulnerabilities
SANS Top 20 Email (v6.01) – Microsoft OLE and COM Remote Code Execution Vulnerabilities
Blaster Infected Host
Blaster DDOS From Infected Host
Multi Host Application Brute Force Logins
Open Vulnerability Exploit
Probable Successful Attack – DoS
Application Brute Force Logins
Probable Attack – Script Attack
Probable Successful Attack – Exploit
Brute force attempt on multiple devices, servers, DBs, applications
High severity events on multiple devices, servers, DBs, applications from the same source
Windows Multiple Login Failures for same account
Windows Multiple Login Failures for different accounts
Windows multiple login by same account from different desktops
The account was locked at the time of logon attempt was made
Multiple login attempt to locked windows account
Multiple login attempt to expired windows account
Activity from employees logged out of physical security system
Multiple password changes for different user ids from same IP address
Password reset soon after login
Linux brute Force Login Attempt from Single source
Root logins from untrusted Network
Multiple login failures on firewall
Access to Remote-Desktop-Access Site
Anonymous proxy access
Hacker tool website access
Multiple Login failure for same VPN user-id
Multiple login attempt for different user-id from same IP
Password change attempt for multiple user-id from same IP
Multiple failed database access attempts
Multiple commands executed on the same DB server with in short span
Database brute force login success
Unauthorized access to critical databases
Wireless unauthorized login attempts
Anonymous login from unknown IP address
Detect Malware Beacons
Bozori Infected System
IRC Botnet Detection
Traffic on known malware ports
Virus/Worm propagation - Internal network scans on a single port
Virus/Worm propagation - Multiple AD account lockouts
Worm activity detected
High number of IDS alerts detected for Malware
System with virus detected but not cleaned
Conficker Worm Found
System with high number of virus infection within 1 hour
Malicious code detected not quarantined
Malicious code Outbreak on multiple systems
Access attempts by BOTNET identified by HTTP Request header
Web filtering-Spyware traffic in the network
Shamoon Virus detected by AV
W32.ChangeUp Firewall Communication Detected (Outbound)
W32.ChangeUp detection
Traffic from or to Shamoon Virus Server
Web filtering-Detection of Phishing, key logger and malicious code
IE Zero Day Suspicious Communication
Windows sensitive file access
Excessive file deletion/modification with 1 hour
Employees responding to Email Outbreak
EMAIL Discovery Attack Detected
High number of outbound emails from Internal address during after business hours
Web filtering-Data leakage detected
Firewall rule base change allows traffic on insecure protocols
IDS mis -configuration alerts
Traffic from/towards blacklisted IP address listed by Dshield/other feeds.
Web request from blacklisted IP address
Traffic towards malicious domain
Malicious DNS Domain Query Request
Multiple PC trying to resolve same Malicious Hostname/IP
Email Gateway accepting Traffic from Malicious Source
Aggressive ICMP scan start detected
Aggressive UDP scan start detected
Aggressive_TCP_Scan_Started
Analyzer FTP Brute Force
Analyzer_DirectConnect-Client-To-Client-Handshake-DDoS
Analyzer_Executable-Upload-After-Attack
Analyzer_FTP-Brute-Force-Attack-Success
Anti-Virus Buffering Limit Exceeded
Attack followed by executable upload
BackDoor program request
BD-TCP_BackDoor-Response
DNS additional record cache poisoning
Malicious URI request accepted by the server
Reverse shell after an attack
Reverse shell after suspected attack
Shell after attack
Suspected attack followed by executable upload
Trojan FakeAV checkin
Trojan FakeAV file download detected
Username SQL Injection allows unauthorized login
Threshold
1 in 2 minutes
5 in 5 minutes
5 in 5 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
5 in 5 minutes
1 in 2 minutes
1 in 5 minutes
10 in 3 minutes
1 in 1 minutes
20 in 2 minutes
2 in 3 minutes
30 in 2 minutes
200 in 1 minute
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
5 in 1 Minute
1 in 1 second
10 Matches in 2 Minutes
1 in 1 second
1 in 1 second
1 in 1 second
1 in 1 minutes
1 in 1 minutes
1 in 1 minutes
500 in 10 seconds
10 in 15 minutes
1 in 2 minutes
5 in 5 minutes
1 in 2 minutes
1 in 1 minutes
5 in 1 minutes
10 in 5 minutes
3 in 2 minutes
5 in 2 Minutes
5 in 5 minutes
20 in 2 minutes
5 in 3 minutes
10 in 2 minutes
40 in 1 minute
40 in 1 minute
5 in 5 minutes
10 in 1 minute
2000 in 1 minute
30 in 2 minutes
200 in 1 minute
1 in 2 minutes
1 in 2 minutes
1 in 1 minutes
5 in 10 minutes
100 in 30 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
100 in 5 minutes
100 in 5 minutes
5 in 15 minutes
100 in 30 minutes
1 in 2 minutes
3 in 5 minutes
3 in 5 minutes
1 in 2 minutes
1 in 2 Minutes
1 in 2 minutes
1 in 1 minutes
10 in 5 minutes
5 in 2 Minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 Minutes
10 in 2 Minutes
1 in 2 minutes
30 in 1 hour
150 in 1 minute
20 in 5 Minutes
1 in 2 minutes
2 in 5 minutes
1 in 2 minutes
10 in 2 Minutes
5 in 2 Minutes
1 in 2 minutes
10 in 5 minutes
5 in 2 Minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
1 in 2 minutes
Applicable Event
S. No. Sub Category Sources
1 Change Management/Configuration Violations Windows

8 Change Management/Configuration Violations Network Firewall
9 Change Management/Configuration Violations Anti Virus
10 Change Management/Configuration Violations Anti Virus
11 System Access Violations Windows


18 System Access Violations Unix
19 System Access Violations Unix
20 System Access Violations Network Firewall
21 System Access Violations Database
22 System Access Violations Database

23 Data Access Violations Email/SMTP Server
27 Data Access Violations Database
28 Data Access Violations Proxy Server
29 Network Access Violations Network Firewall
30 Network Access Violations Windows
31 Network Access Violations DHCP Logs
32 Network Access Violations URL Filter
33 Application Access Violations
34 Standards & Regulations (PCI, ISO 27001, RBI) Windows
35 Standards & Regulations (PCI, ISO 27001, RBI) Windows

46 System Access Violation Windows
47 User Access Violation Windows
52 Network Access Violations Antivirus
Use Case Threshold
Created User Does Not Match Naming Policy 1 in 1 second
Administrative Group Membership changed 1 in 1 second
An audit policy was changed 1 in 2 minutes
USB Device Attached to High value System 1 in 1 Second
System restart at unscheduled time 1 in 1 second
Non-privileged user-id added to privileged administrator group. 1 in 2 minutes

Security Log is Full 1 in 2 minutes
Unauthorized firewall rule base changes 1 in 2 minutes
Anti-virus agent uninstalled
Anti-virus agent disabled 1 in 1 Minute
Access using built in default guest account 1 in 1 second
Authentication Attempted to Non-Existing Account 1 in 1 minute
Login attempt from differnt desktops for the same user account 2 in 10 minutes
Insider Threat - Deleted User Account Access Attempt 1 in 1 minute
User connecting with two different user names 2 in 5 minutes
Interactive or RDP Login using SERVICE ACCOUNT detected 1 in 2 minutes
A logon attempt was made by a user who is not allowed to log on
to this computer
SUDO Privilege escalation Failed
Direct login using root user id 1 in 1 minute
Firewall access from non-admin IPs 1 in 1 minute
Access to database from unauthorized terminals
Logins using non standard user-id as per organization policy

Large emails to competition organization 5 in 2 Minutes
Traffic from competition organisation 5 in 2 Minutes
Large emails to public webmail servers 5 in 2 Minutes
DBA user updating Customer name and address 1 in 2 minutes
Content access violation
Traffic on insecure protocols: FTP, VNC, Telnet, etc 1 in 1 Minute
Windows - ClearText Password Shared Over Network 1 in 1 Minute
Unauthorized PC connected to corporate Network 1 in 1 Minute
Users violating organization internet policy
Dormant Computer Detected 1 in 2 minutes

Dormant Account Detected 1 in 2 minutes
Database Admin Changed Card Number 1 in 2 min
Database Admin Changed Credit Limit 1 in 2 min
Database Admin Changing CVV Number 1 in 2 min
Database Admin Changed Expiry Date 1 in 2 min
Database Admin Changed Mobile Number 1 in 2 min
Database Admin Changed User Name Field in Banking Database 1 in 2 min
Database Admin Changing Address 1 in 2 min
Alert:Database Admin Changing Card Status 1 in 2 min
Database Admin Changing Track Data 1 in 2 hours
Database Critical Command Executed on Internet Banking
Databases 1 in 2 hours
Detection of server shutdown- reboot after office hours 1 in 2 min
Failed Login with Admin ID's 25 in 10 min
Failed Login with disabled account 1 in 2 min
High no of users created within a short period of time 10 in 20 min
High no of users removed within short period of time. 10 in 5 min
High No. Of Windows Login Failure 50 in 10 min
Detection of Backdoor traffic 1 in 5 min
Detection of Virus Outbreak 50 in 15 min
Detection of Worm Outbreak 1 in 5 min
S. No. Sub Category Applicable Event Sources
1 Privileged User Activity Monitorin Windows
5 Privileged User Activity Monitorin Unix
8 Privileged User Activity MonitoringNetwork Firewall
9 Privileged User Activity MonitoringNetwork Firewall
10 Privileged User Activity MonitoringDatabase
15 System & Application ManagemenWindows
21 System & Application ManagemenUnix
30 System & Application ManagemenNetwork Firewall

40 System & Application ManagemenRouter
44 System & Application ManagemenSwitch
45 System & Application ManagemenSwitch
46 System & Application ManagemenAnti Virus
47 System & Application ManagemenAnti Virus
48 System & Application ManagemenEmail/SMTP Server
49 System & Application ManagemenEmail/SMTP Server
50 System & Application ManagemenDatabase
51 System & Application ManagemenWireless
54 System & Application ManagemenDHCP
55 System & Application ManagemenDHCP
56 System & Application ManagemenCitrix
57 System & Application ManagemenCitrix
58 User Management Windows
62 User Management Network Firewall
63 User Management Network Firewall
64 Configuration Management Windows
65 Configuration Management Network Firewall
68 Configuration Management Router
72 Configuration Management Switch
73 Configuration Management Switch
74 Configuration Management Proxy Server
75 Configuration Management VPN
76 Configuration Management VPN
77 Configuration Management Database
78 Configuration Management Database
79 Configuration Management DHCP
80 Configuration Management Citrix
81 System Access Windows
85 System Access Unix
86 System Access Router
87 System Access Switch
88 System Access Switch
89 System Access Proxy Server
90 System Access Database
91 System Access Citrix
92 Network Access Network Firewall
93 Network Access Network Firewall
94 Web Access Proxy Server
95 Data Access Windows
96 Data Access Windows
Use Case Threshold
Login failure for user account in administrators group 1 in 2 minutes
Password Changed for administrator 1 in 2 minutes
New member added to domain admin group 1 in 2 minutes
New Local admin account created 1 in 1 minutes
SU Login Failures 3 in 5 minutes
Root login failure 5 in 2 Minutes
Password change for root user
Firewall administrator login failures 1 in 2 minutes
Admin user added-deleted
DBA login failure
Grant of Role and Privilages
Password change for DBA
Successful Login by DBA after business hours
Non DBA users added to DBA role
Windows Shutdown and Reboot 1 in 2 minutes
Windows abnormal shutdown 1 in 2 minutes
A user attempted to install a service 1 in 1 Minutes
Critical Service Stopped on Windows Hosts 1 in 2 minutes
SNMP Authentication Failure
Low disk space warning
Unix service stop 1 in 2 minutes
Linux NIC has gone down 1 in 1 minutes
Unix Machine Not added to OU 1 in 1 minutes
Linux Power Down 1 in 1 minutes
RAID failure 1 in 1 minutes
Linux device left promiscuous mode 1 in 1 minutes
Linux SCSI USB attached to Linux System 1 in 1 Minutes
Unix Shutdown and Reboot 1 in 2 minutes
Firewall Interface Status Change 1 in 2 minutes
Firewall critical errors 3 Matches in 5 Minutes
Firewall interface disconnected 1 in 2 minutes
Firewall service stops 1 in 2 minutes
Firewall low disk space alert 1 in 2 minutes
Firewall CPU usage alert 1 in 10 minutes

Firewall rebooted 1 in 2 minutes
Firewall service restart 1 in 2 minutes
Top triggered firewall rules
Router interface down 1 in 1 Minutes
Router BGP neighbor down 1 in 1 minutes
Router power supply failure 1 in 2 minutes
Switch interface change
Switch booted up
System with update attempted but failed
System Errors detected in Anti-virus DAT deployment
Email attachment near to the upper threshold defined
SMTP gateway sudden spike in Incoming mails
Critical commands executed on database 1 in 2 minutes
Rogue AP detected.
Wireless AP rebooted
Wireless authorization server is down.
DHCP logs stopped
DHCP request for statically allocated IP range
Citrix internal errors alerts
Policy violation in citrix alerts
User accounts created 1 in 2 minutes
User accounts deleted 1 in 2 minutes
Groups created
Groups deleted
Firewall user added 1 in 2 minutes
Firewall use deleted 1 in 2 minutes
The system time was changed
Firewall Rule base change/install 1 in 2 minutes
Firewall log settings changed
Firewall mis-configuration alerts
Changes to ACL
Changes to Router Logging level and syslog settings
Cisco IOS configuration changes
Router mis-configuration alerts
Switch configuration change. 1 in 2 minutes
Switch mis-configuration alerts
Proxy configuration changes
VPN configuration changes alerts 1 in 2 minutes
VPN misconfiguration alerts
Database configuration changes
Database password changes alert
DHCP mis-configuration alerts
Configuration changes in citrix 1 in 2 minutes
Windows login failure 10 in 1 Minute
A user account was locked out 1 in 2 minutes
User attempting excessive printing activity
User attempting printing after office hours
SSH login failure 3 in 2 Minutes
Login failure
Switch successful login
Switch failed login.
Proxy failed login attempt
After office hour access to database system. 1 in 1 minutes
Citrix login failure 1 in 2 minutes
Top bandwidth users
Traffic distribution by protocol
Pastebin site access
Windows File-Folder permission changes 1 in 1 minutes
Windows File-Folder has been Deleted 1 in 1 minutes
1 Segregation of Duties Violations Business Application
2 Access Violations Business Application
5 User Management & Authorization Violations Business Application
6 User Management & Authorization Violations Business Application

7 Changes to Critical Business Parameters Business Application
Changes to Critical Application Management
10 Parameters Business Application
13 Changes to Audit Parameters Business Application
Use Case
Maker/Checker logins from same IP
Logins during odd working hours from critical application IDs
Successful login from dormant user IDs
Password brute force on super user accounts
Administrative user additions, deletions
Changes to dormant , blocked account status

Interest rate changes
Limit changes
Changes to value dates
Creation, deletion & modification of critical application roles/groups
Changes to authorizations for critical application roles/groups
Changes to account & password policies in the application

Auditing disabled
1 Access from Blacklisted/Suspicious Geographies Internet Banking
5 Access Violation ATM Channel
6 Transaction Anomalies Internet Banking


12 Transaction Anomalies ATM Channel
13 Beneficiary Anomalies Internet Banking
14 Beneficiary Anomalies Internet Banking

15 Transaction Velocity Anomalies Internet Banking
21 Transaction Velocity Anomalies ATM Channel

Use Case Threshold
Internet banking logins from anonymous proxies 1 in 1 Minutes
Phishing IP's logging to Internet Banking 1 in 1 Minutes
Multiple account lockouts from same IP
Transactions from suspicious/blacklisted countries 1 in 2 Minutes
ATM location not matching customers profile of access.
Transfer/withdrawal beyond specified limits 1 in 1 Second
Transfer/withdrawal beyond specified limits during night time 1 in 1 Second
Transfer/payment amounts used in previous fraud. Sometimes the transfer

amounts are kept below the limits of bank and automated using scripts
New payee registration followed by high value transaction 2 in 2 Hrs
Transfers/payments that “empty accounts,” which could be automated
transfers driven by scripts
ATM withdrawals that are higher than average for the user
Money transfer to beneficiary on blacklist Account
New destination accounts or payees that have recently been used by many
“customers” over a short period of time. The destination accounts are
potential mule accounts
Logins/transactions from different cities in short period 2 in 1 Hrs
Multiple low value transactions in short period 3 in 2 hours
User Changed password or mobile No followed by transaction 1 in 10 minutes
Top 10 money transfers (Daily report) Report
Top 10 payees by value (Daily report) Report
Top 10 payees by count (Daily report Report
Same ATM card being used for transactions in geographically dispersed
ATMs within a short time
ATM hood opening during odd hours.
ATM cash chest opening during odd hours.

General Rule

Hochgeladen von

Dokumentinformationen

Originaltitel

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

General Rule

Hochgeladen von

Copyright:

Verfügbare Formate

S. No.

Sub Category Applicable Event Sources

6 Change Management/Configuration Violations Windows

13 System Access Violations Windows

17 System Access Violations Windows

22 System Access Violations Database

45 Data Access Violations Database

Non-privileged user-id added to privileged administrator group. 1 in 2 minutes

Logins using non standard user-id as per organization policy

Dormant Computer Detected 1 in 2 minutes

35 System & Application ManagemenNetwork Firewall

Firewall CPU usage alert 1 in 10 minutes

5 User Management & Authorization Violations Business Application

6 User Management & Authorization Violations Business Application

Administrative user additions, deletions

Changes to dormant , blocked account status

Creation, deletion & modification of critical application roles/groups

Changes to authorizations for critical application roles/groups

Changes to account & password policies in the application

8 Transaction Anomalies Internet Banking

11 Transaction Anomalies Internet Banking

14 Beneficiary Anomalies Internet Banking

21 Transaction Velocity Anomalies ATM Channel

Transfer/payment amounts used in previous fraud. Sometimes the transfer

Das könnte Ihnen auch gefallen