URL: https://rules.fluencysecurity.com/
Submission: On October 14 via automatic, source certstream-suspicious — Scanned from DE


 * Introduction
 * Models
   * AD
     * AD Audit Log Cleared
     * AD Audit Policy Change
     * AD Cred DC Validate Failed
     * AD Dir Srvc Obj Created
     * AD Dir Srvc Obj Deleted
     * AD Dir Srvc Obj Modified
     * AD Dir Srvc Obj Moved
     * AD Dir Srvc Obj Undeleted
     * AD EventLogServiceStarted
     * AD EventLogServiceStopped
     * AD LocalGroupEnumerated
     * AD Logon Failed Locked Account
     * AD Member Add Sec Dsbl Gbl Group
     * AD Member Add Sec Dsbl Lcl Group
     * AD Member Add Sec Dsbl Unv Group
     * AD Member Add Sec Enbl Gbl Group
     * AD Member Add Sec Enbl Lcl Group
     * AD Member Add Sec Enbl Unv Group
     * AD Net Share Obj Accessed
     * AD Net Share Obj Added
     * AD Net Share Obj Deleted
     * AD Net Share Obj Modified
     * AD Object Permissions Changed
     * AD Password Reset Multiple
     * AD ProcessCreation
     * AD Registry Value Modified
     * AD Replica Src Naming Context Established
     * AD Replica Src Naming Context Removed
     * AD Scheduled Task Created
     * AD Scheduled Task Deleted
     * AD Scheduled Task Disabled
     * AD Scheduled Task Enabled
     * AD Scheduled Task Updated
     * AD Sec Enabled Global Grp Created
     * AD Sec Enabled Local Grp Created
     * AD Sec Enabled Universal Grp Created
     * AD Successful Login With Explicit Credentials
     * AD SystemShutdown
     * AD User Account Changed
     * AD User Account Deleted
     * AD User Account Enabled
     * AD User Locked Out Multiple
     * AD User Right Assigned
     * AD UserCreated Used
     * EventADHostnameInterruption
     * EventADHostnameInterruptionDaily
     * EventID 5156 Discard
     * Ingress Interruption ADHostname Daily
     * Ingress Interruption ADHostname Hourly
   * AMP
     * AMPCloudIOC
     * AMPExploitPrevention
     * AMPQuarantineFailure
     * AMPThreatAlert
     * AMPThreatQuarantined
   * ATP
     * ATP New Category
     * ATP Unwanted Software
   * AWS
     * AWS AMI Modified for Public Access
     * AWS Cloudtrail Created
     * AWS Cloudtrail Stopped
     * AWS Config Service Created
     * AWS Config Service Deleted
     * AWS Console Login
     * AWS Console Login Failed
     * AWS Credentials Updated
     * AWS Gateway Modified
     * AWS IAM Change Action Performed
     * AWS IAM Policy Modified
     * AWS Key Compromised
     * AWS MFA Device Deactivated
     * AWS NACL Modified
     * AWS NACL Permissive Entry
     * AWS Password Recovery Requested
     * AWS Root Access Key Created
     * AWS Root Activity
     * AWS Root Console Login
     * AWS Root Console Login Failed
     * AWS Root Password Changed
     * AWS Route Table Modified
     * AWS S3 Policy Modified
     * AWS Security Configuration Changed
     * AWS Security Group Modified
     * AWS Snapshot Made Public
     * AWS Successful Login With MFA
     * AWS Successful Login Without MFA
     * AWS Successful Login Without SAML
     * AWS Unauthorized API Call
     * AWS VPC Modified
   * BitDefender
     * BitDefenderAlertAV
     * BitDefenderAlertHD
     * BitDefenderAlertPhishing
   * CarbonBlack
     * CB Malware Known Malware
     * CB Malware New Malware
   * Checkpoint
     * Checkpoint Malware Alert Severity High
     * Checkpoint Malware Alert Severity Low
     * Checkpoint Malware Alert Severity Medium
     * Checkpoint SmartConsole IPS Update
     * Checkpoint SmartConsole Login
     * Checkpoint SmartConsole Object Create
     * Checkpoint SmartConsole Object Modify
     * Checkpoint SmartConsole Policy Install
     * Checkpoint SmartConsole Publish
     * Checkpoint SmartConsole Rule Create
     * Checkpoint SmartConsole Rule Modify
   * Compliance
     * Flow InboundFTP
     * Flow InboundIMAP
     * Flow InboundPOP3
     * Flow InboundSMTP
     * Flow InboundTELNET
     * Flow OutboundIMAP
     * Flow OutboundPOP3
     * Flow OutboundSMTP
   * CrowdStrike
     * Falcon Auth Activity
     * Falcon Detection Event
     * Falcon Incident
     * Falcon Incident Lateral Movement
     * Falcon User Activity
     * Falcon User Activity Containment Requested
     * Falcon User Activity Lift Containment Requested
   * CrowdStrikeES
     * Falcon Detection Event
     * Falcon Incident
     * Falcon Incident Lateral Movement
     * Falcon Login
     * Falcon User Activity Containment Requested
     * Falcon User Activity Lift Containment Requested
     * Falcon UserActivity
   * Cylance
     * CylanceImportInterruption
     * CylanceThreatAlert
     * USBDeviceUsage
   * Fortigate
     * Fortigate Critical Event
     * Ingress Interruption FortigateDevice Daily
     * Ingress Interruption FortigateDevice Hourly
   * GSuites
     * GSuites Advanced Protection
     * GSuites Brute Force Login
     * GSuites Government Attack
     * GSuites Group Banned User
     * GSuites High Severity
     * GSuites Leaked Password
     * GSuites Medium Severity
     * GSuites Mobile Device Compromised
     * GSuites Mobile Device Suspicious Activity
     * GSuites Suspicious Login
     * GSuites Unapproved Login Type
     * GSuites User Suspended
     * Login Gsuites
   * IT
     * AccountAWSAlert
     * AccountMultipleAlerts
   * Mimecast
     * Mimecast UnauthorizedAPIAccess
     * MimecastLogin
   * Network
     * Client Download Bandwidth Threshold Exceeded
     * Client Upload Bandwidth Threshold Exceeded
     * Device Bandwidth Exceeds Threshold
     * Domain Bandwidth Exceeds Threshold
     * Flow InboundRDP
     * Flow InboundSSH
     * Flow NetBIOS Over TCPIP Inbound
     * Flow OutboundFTP
     * Flow OutboundHTTP HTTPS
     * Flow OutboundRDP
     * Flow OutboundSSH
     * Flow OutboundTELNET
     * Flow PortActivity PrivilegedPorts
     * Flow PortActivity PrivilegedPorts BySource
     * Flow PortActivity ReservedPorts
     * Flow PortActivity ReservedPorts BySource
     * Flow UncommonPortUsage Listener SpecificMachine
     * Flow UncommonPortUsage SpecificMachine
     * Hostname Bandwidth Exceeds Threshold
     * Hostname Bandwidth Exceeds Threshold 2
   * Office365
     * Exchange Uncommon Operations
     * Exchange Update Inbox Rule
     * O365 Add Application
     * O365 Add Application Role Assignment
     * O365 AddPolicy
     * O365 Anti Phishing Rule Modified
     * O365 Azure Administrative Operations
     * O365 AzureAD Add Member To Group
     * O365 AzureAD Add Member To Role
     * O365 AzureAD Consent To Application
     * O365 AzureAD Consent To Application Admin
     * O365 AzureAD UserLoggedIn
     * O365 AzureAD UserLoginFailed Brute Force
     * O365 DLP Policy Removed
     * O365 Disable-InboxRule IP
     * O365 Disable-InboxRule UserName
     * O365 Exchange Add-MailboxPermission
     * O365 Exchange Disable-InboxRule
     * O365 Exchange Disable-TransportRule
     * O365 Exchange New-InboxRule
     * O365 Exchange New-TransportRule
     * O365 Exchange RecipientPermission SendAs
     * O365 Exchange Remove-TransportRule
     * O365 Exchange Set MailBoxJunkEmailConfiguration
     * O365 Exchange SetMailBox ForwardingSmtpAddress
     * O365 Exchange SetMailBox GrantSendOnBehalf
     * O365 Exchange SetMailBox GrantSendOnBehalf External
     * O365 File Access
     * O365 Files Accessed
     * O365 Logins From Different ISPs
     * O365 Malware Filter Modified
     * O365 Management Group Role Assigned
     * O365 Multiple Failed MFA Challenges
     * O365 Multiple New Operations
     * O365 Remove Member From Role
     * O365 Remove Service Principal
     * O365 Safe Attachment Rule Disabled
     * O365 SharePoint OneDrive FileUploaded
     * O365 Update Application
     * O365 Update Application Credential
     * O365 UpdatePolicy
     * O365 User Activity Outside USA
     * O365 User Added
     * O365 User Updated
     * SCC Insider Risk Management
     * SCC Threat Intelligence Mail Data
     * Teams External Access Enabled
     * Teams Guest Access Enabled
     * Teams Modification
   * Office365ES
     * AzureAD UpdateServicePrincipal
     * Exchange Uncommon Operations
     * Exchange Update Inbox Rule
     * O365 Add Application
     * O365 Add Application Role Assignment
     * O365 Add Member To Role
     * O365 AddPolicy
     * O365 Anti Phishing Rule Modified
     * O365 Azure Administrative Operations
     * O365 Brute Force Attempt
     * O365 Consent To Application
     * O365 DLP Policy Removed
     * O365 Disable-InboxRule IP
     * O365 Disable-InboxRule UserName
     * O365 Exchange Disable-InboxRule
     * O365 Exchange Disable-TransportRule
     * O365 Exchange New-InboxRule
     * O365 Exchange Remove-TransportRule
     * O365 Files Accessed
     * O365 Login From New ISP
     * O365 Logins From Different ISPs
     * O365 Malware Filter Modified
     * O365 Management Group Role Assigned
     * O365 Multiple Failed MFA Challenges
     * O365 Multiple New Operations
     * O365 Remove Member From Role
     * O365 Remove Service Principal
     * O365 Safe Attachment Rule Disabled
     * O365 SharePoint OneDrive FileUploaded
     * O365 Successful Login
     * O365 Update Application
     * O365 Update Application Credential
     * O365 UpdatePolicy
     * O365 User Activity Outside USA
     * O365 User Added
     * O365 UserLoginFailed
     * SCC Insider Risk Management
     * SCC Threat Intelligence Mail Data
     * Teams External Access Enabled
     * Teams Guest Access Enabled
     * Teams Modification
   * PaloAlto
     * PAthreats
     * Palo Alto virus alerts
     * proxy-avoidance-and-anonymizers
   * Proofpoint
     * ProofPoint Clicks Blocked
     * ProofPoint Malware Threat
     * ProofPoint Phishing Threat
   * SCC
     * SCC Access Governance
     * SCC Data Governance
     * SCC Data Loss Prevention Exchange
     * SCC Data Loss Prevention SharePoint
     * SCC Mail Flow
     * SCC Threat Intelligence
     * SCC Threat Intelligence URL Click Data
     * SCC Threat Management
   * SSHD
     * SSH Login Accepted
     * SSH Login Brute Force
     * SSH Login Failed
   * SentinelOne
     * S1 USBDevice New
     * S1 USBDeviceMovement
     * SentinelOne Device Blocked
     * SentinelOne Invalid Token
     * SentinelOne Syslog IP Changed
     * SentinelOneManagement
     * SentinelOneNewProcess
     * SentinelOneProcessKilled
     * SentinelOneQuarantineFailed
     * SentinelOneQuarantineOK
     * SentinelOneThreat
   * Sophos
     * Sophos Attempted Information Leak
     * Sophos Attempted Login Default Credentials
     * Sophos Attempted User Privilege Gain
     * Sophos Critical Alert
     * Sophos Major Alert
     * Sophos Potential Corporate Privacy Violation
     * Sophos Web Application Attack
   * SourceFire
     * IDSTrojanAlert
   * System
     * EventIngressAnomaly
     * EventIngressMonitor
     * EventSenderInterruption
     * EventSenderInterruptionDaily
     * EventSourceInterruption
     * EventSourceInterruptionDaily
     * Ingress Interruption EventSender Daily
     * Ingress Interruption EventSender Hourly
     * Ingress Interruption EventSource Daily
     * Ingress Interruption EventSource Hourly
   * ThreatAnalysis
     * CheckpointSB Trojan
     * ExtrahopAnomalyAlert
     * PA DropBox
     * PACortexAlert
   * UEBA
     * ADCompletedSession
     * ADLogin
     * CiscoVPNLogin
     * PaloAltoVPNLogin
     * VPNLogin
   * WinlogBeat
     * AD Audit Log Cleared
     * AD Audit Policy Change
     * AD Cred DC Validate Failed
     * AD Dir Srvc Obj Created
     * AD Dir Srvc Obj Deleted
     * AD Dir Srvc Obj Modified
     * AD Dir Srvc Obj Moved
     * AD Dir Srvc Obj Undeleted
     * AD EventLogServiceStarted
     * AD EventLogServiceStopped
     * AD Failed Login On Locked Account
     * AD LocalGroupEnumerated
     * AD LocalGroupEnumeratedAnomaly
     * AD LoginFailure
     * AD Logon SpecialPrivileges
     * AD Member Add Sec Dsbl Gbl Group
     * AD Member Add Sec Dsbl Lcl Group
     * AD Member Add Sec Dsbl Unv Group
     * AD Member Add Sec Enbl Gbl Group
     * AD Member Add Sec Enbl Lcl Group
     * AD Member Add Sec Enbl Unv Group
     * AD NTLMv1Anonymous
     * AD NTLMv1NonAnonymous
     * AD Net Share Obj Accessed
     * AD Net Share Obj Added
     * AD Net Share Obj Deleted
     * AD Net Share Obj Modified
     * AD Object Permissions Changed
     * AD ProcessCreation
     * AD Registry Value Modified
     * AD Replica Src Naming Context Established
     * AD Replica Src Naming Context Removed
     * AD Scheduled Task Created
     * AD Scheduled Task Deleted
     * AD Scheduled Task Disabled
     * AD Scheduled Task Enabled
     * AD Scheduled Task Updated
     * AD Sec Enabled Global Grp Created
     * AD Sec Enabled Local Grp Created
     * AD Sec Enabled Universal Grp Created
     * AD Successful Login With Explicit Credentials
     * AD SystemShutdown
     * AD User Account Changed
     * AD User Account Deleted
     * AD User Account Enabled
     * AD User Right Assigned
     * ADMassPasswordChange
     * ADPasswordChange
     * ADPasswordChangeOtherUser
     * ADUserLockout
     * EventADHostnameInterruption
     * EventADHostnameInterruptionDaily
     * Ingress Interruption ADHostname Daily
     * Ingress Interruption ADHostname Hourly
   * Zoom
     * Zoom
     * ZoomTimeZoneRules
     * zoomRecords
 * Processors
   * Office365
     * O365 AzureActiveDirectory AddUser PatternVerification

This site uses Just the Docs, a documentation theme for Jekyll.


INTRODUCTION

Behaviors use machine learning to identify specific conditions or changes
(such as a new IP address or a new user) that can indicate undesirable
activity.

Currently, behaviors can be defined with correlation rules of two kinds: First
Occurrence (the first time a condition is seen) and Aggregation (when a
condition reaches a certain threshold). A behavior can be configured to show
only when its correlation is triggered (narrow) or on every behavior match
(broad, and therefore potentially noisy, but informative).
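
As an added illustration (this is not Fluency's code, and the product's own rule language is not shown on this page), the following Python sketch implements the two correlation types named above, First Occurrence and Aggregation, together with the narrow and broad output modes, and replays a few constructed login events through them. The rule names, event fields and the threshold of three failures are assumptions chosen for the example.

```python
from collections import defaultdict

# Constructed sample events (not real log data). Each is a login record
# carrying the fields a first-occurrence rule keys on (user, src_ip) and
# an outcome that an aggregation rule counts.
SAMPLE_EVENTS = [
    {"ts": 1, "user": "alice", "src_ip": "10.0.0.5",    "outcome": "success"},
    {"ts": 2, "user": "alice", "src_ip": "10.0.0.5",    "outcome": "success"},
    {"ts": 3, "user": "bob",   "src_ip": "10.0.0.9",    "outcome": "failure"},
    {"ts": 4, "user": "bob",   "src_ip": "10.0.0.9",    "outcome": "failure"},
    {"ts": 5, "user": "bob",   "src_ip": "10.0.0.9",    "outcome": "failure"},
    {"ts": 6, "user": "alice", "src_ip": "203.0.113.7", "outcome": "success"},
    {"ts": 7, "user": "bob",   "src_ip": "10.0.0.9",    "outcome": "failure"},
]


class FirstOccurrenceRule:
    """Correlation fires the first time a key (e.g. user + source IP) is seen."""

    def __init__(self, name, key_fields, match=None):
        self.name = name
        self.key_fields = key_fields
        self.match = match or (lambda e: True)
        self.seen = set()

    def evaluate(self, event):
        """Returns (matched, correlated). A behavior match is any event the
        rule's filter accepts; the correlation triggers only on a new key."""
        if not self.match(event):
            return False, False
        key = tuple(event[f] for f in self.key_fields)
        if key in self.seen:
            return True, False
        self.seen.add(key)
        return True, True


class AggregationRule:
    """Correlation fires when matching events for a key reach a threshold."""

    def __init__(self, name, key_fields, threshold, match=None):
        self.name = name
        self.key_fields = key_fields
        self.threshold = threshold
        self.match = match or (lambda e: True)
        self.counts = defaultdict(int)

    def evaluate(self, event):
        if not self.match(event):
            return False, False
        key = tuple(event[f] for f in self.key_fields)
        self.counts[key] += 1
        # Trigger exactly once, when the threshold is reached; later matches
        # are still behavior matches but do not re-trigger the correlation.
        return True, self.counts[key] == self.threshold


def run_behaviors(events, rules, mode="narrow"):
    """Replays events through the rules. 'narrow' emits only correlation
    triggers; 'broad' emits every behavior match (noisy but informative)."""
    if mode not in ("narrow", "broad"):
        raise ValueError("mode must be 'narrow' or 'broad'")
    alerts = []
    for event in events:
        for rule in rules:
            matched, correlated = rule.evaluate(event)
            if correlated or (mode == "broad" and matched):
                alerts.append({
                    "rule": rule.name,
                    "ts": event["ts"],
                    "correlated": correlated,
                    "key": {f: event[f] for f in rule.key_fields},
                })
    return alerts


def build_rules():
    """Fresh rule instances; rules carry state, so each replay gets its own.
    Rule names and the threshold are assumptions for this example."""
    return [
        FirstOccurrenceRule("New source IP for user", ["user", "src_ip"],
                            match=lambda e: e["outcome"] == "success"),
        AggregationRule("Login brute force", ["user"], threshold=3,
                        match=lambda e: e["outcome"] == "failure"),
    ]


if __name__ == "__main__":
    for mode in ("narrow", "broad"):
        print(f"--- {mode} ---")
        for alert in run_behaviors(SAMPLE_EVENTS, build_rules(), mode):
            print(alert)
```

In narrow mode the replay yields three alerts (alice's first login, bob's third failure, alice's first login from 203.0.113.7); in broad mode it yields all seven behavior matches, with the same three flagged as correlated. Note that the aggregation rule above counts over the whole replay; a production rule would scope the count to a time window so that a slow trickle of failures does not accumulate indefinitely.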

The table of contents lists the major categories of Behavior Rules, grouped by log source.