Objectives of Anomalies and Events
Anomalous activity is detected in a timely manner and the potential impact of events is understood.
- DE.AE-1: A baseline of network operations and expected data flows for users and systems is established and managed
- DE.AE-2: Detected events are analyzed to understand attack targets and methods
- DE.AE-3: Event data are aggregated and correlated from multiple sources and sensors
- DE.AE-4: Impact of events is determined
- DE.AE-5: Incident alert thresholds are established
Useful SOC queries regarding user accounts
- Failed logins, lockouts
- Successful logins for the same account from two distant locations (e.g. USA, France, Russia) within a time window that makes physical travel between them impossible.
- I want to see new user accounts that were created:
  - WHEN was it added
  - Created by WHO
  - Created WHERE
  - WHAT did they do next? A new user that is created for a specific purpose should be used for that purpose pretty quickly. If it is for a malicious purpose, kill it.
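The three account queries above (failed-login bursts with a lockout threshold, impossible travel between successive logins, and "who created the account, where, and what did it do next") as an added worked example. This is not code from the original notes; it runs over a small set of constructed authentication events embedded inline, and the field names (`ts`, `user`, `action`, `city`, `lat`, `lon`, `actor`, `host`), the 900 km/h travel ceiling and the 5-failures-in-10-minutes threshold are assumptions chosen for illustration rather than values from the page.

```python
"""Toy SOC detections over constructed auth events (added example, not the page's own code)."""
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample events (not real logs). Timestamps are UTC ISO-8601.
# Logins carry a geolocated source (city, lat, lon); account_created carries the
# creator ('actor') and the host it was created on ('host'). Order is deliberately mixed.
EVENTS = [
    {"ts": "2024-03-01T08:00:00", "user": "alice", "action": "login_success",
     "city": "New York", "lat": 40.7128, "lon": -74.0060},
    {"ts": "2024-03-01T09:30:00", "user": "alice", "action": "login_success",
     "city": "Moscow", "lat": 55.7558, "lon": 37.6173},
    {"ts": "2024-03-02T09:30:00", "user": "alice", "action": "login_success",
     "city": "Paris", "lat": 48.8566, "lon": 2.3522},
    {"ts": "2024-03-01T08:07:00", "user": "bob", "action": "account_lockout"},
    {"ts": "2024-03-01T08:00:00", "user": "carol", "action": "login_failure"},
    {"ts": "2024-03-01T09:00:00", "user": "carol", "action": "login_failure"},
    {"ts": "2024-03-01T10:00:00", "user": "svc-backup", "action": "account_created",
     "actor": "admin.jane", "host": "dc01"},
    {"ts": "2024-03-01T10:20:00", "user": "svc-backup", "action": "login_success",
     "city": "New York", "lat": 40.7128, "lon": -74.0060},
    {"ts": "2024-03-01T10:25:00", "user": "svc-backup", "action": "group_member_added",
     "detail": "Backup Operators"},
    {"ts": "2024-03-01T11:00:00", "user": "svc-report", "action": "account_created",
     "actor": "admin.jane", "host": "dc01"},
]
# bob: six failures in six minutes (constructed), which is what triggers the lockout above.
EVENTS += [{"ts": f"2024-03-01T08:0{i}:00", "user": "bob", "action": "login_failure"}
           for i in range(1, 7)]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two lat/lon points."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Alert threshold (DE.AE-5): users with >= threshold failures inside any sliding window."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "login_failure":
            by_user[e["user"]].append(_ts(e))
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window from the left
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def impossible_travel(events, max_kmh=900.0):
    """Flag consecutive successful logins per user whose implied speed exceeds max_kmh."""
    by_user = defaultdict(list)
    for e in events:
        if e["action"] == "login_success" and "lat" in e:
            by_user[e["user"]].append(e)
    findings = []
    for user, logins in by_user.items():
        logins.sort(key=_ts)
        for a, b in zip(logins, logins[1:]):
            km = haversine_km(a["lat"], a["lon"], b["lat"], b["lon"])
            hours = (_ts(b) - _ts(a)).total_seconds() / 3600
            # Same-second logins from distant places are trivially impossible; avoid divide-by-zero.
            if hours == 0:
                speed = float("inf") if km > 1 else 0.0
            else:
                speed = km / hours
            if speed > max_kmh:
                findings.append({"user": user, "from": a["city"], "to": b["city"],
                                 "hours": round(hours, 2), "kmh": round(speed)})
    return findings


def new_account_followups(events, grace=timedelta(hours=24)):
    """For each account_created: WHEN, by WHO, WHERE, and WHAT the new account did within grace."""
    ordered = sorted(events, key=_ts)
    report = []
    for e in ordered:
        if e["action"] != "account_created":
            continue
        created = _ts(e)
        later = [x for x in ordered if x["user"] == e["user"] and x["action"] != "account_created"
                 and created <= _ts(x) <= created + grace]
        report.append({"user": e["user"], "when": e["ts"], "by": e["actor"], "where": e["host"],
                       "next": [x["action"] for x in later]})
    return report


if __name__ == "__main__":
    print("failed-login bursts:", failed_login_bursts(EVENTS))
    print("impossible travel:", impossible_travel(EVENTS))
    for row in new_account_followups(EVENTS):
        print("new account:", row)
```

On the constructed data, `alice` is flagged for New York to Moscow in 1.5 hours while her Moscow to Paris login a day later is not; `bob` is flagged for six failures in one window while `carol`'s two spread-out failures are not; and the report shows `svc-backup` logging in and joining a group within 25 minutes of creation, whereas `svc-report` is created and then does nothing in the grace period, which is itself worth a look (an unused new account has no obvious purpose).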