Unauthorized Machine Access
Unauthorized Machine Access (Windows/Mac)
The following out-of-the-box alert rules are assigned to the (Windows/Mac) Category: UNAUTHORIZED MACHINE ACCESS.
| ALERT RULE | Description |
|---|---|
| Connecting to a new FTP or SFTP server using FTP application | An alert is triggered upon using an FTP application and connecting to a remote FTP or SFTP server. |
| Connecting to a sensitive Mac machine using Screen Sharing | An alert is triggered upon trying to connect to a sensitive remote Mac machine using Mac's built-in Screen Sharing mechanism. |
| Connecting to a sensitive server using Finder on Mac | An alert is triggered upon trying to connect to a remote server that is part of the Sensitive Remote Servers list using Finder on Mac (the equivalent of Windows Explorer on Windows). |
| Connecting to a sensitive server using FTP applications | An alert is triggered upon using an FTP client on Windows or Mac and connecting to a remote server that is part of the Sensitive Remote Servers list. |
| Connecting to a sensitive VMWare VsPhere client | An alert is triggered upon typing the name or IP of a sensitive machine in order to connect to it with the VMware vSphere Client. |
| Connecting to a sensitive Windows server from Mac | An alert is triggered upon trying to connect, from a Mac using the Microsoft Remote Desktop application, to a Windows server that is part of the Sensitive Remote Servers list. |
| Interacting with remote machines using PowerShell commands | An alert is triggered upon opening PowerShell and invoking specific commands that are used for interacting with remote machines. |
| Logging in locally to sensitive Windows Desktop by unauthorized user | An alert is triggered upon local login (accessing the machine physically) to a predefined sensitive Windows desktop by a user not included in the authorized users list for these sensitive machines. |
| Logging in locally to sensitive Windows Server by unauthorized user | ACTION REQUIRED: Add a users black/white list (authorized/unauthorized) in the WHO statement. An alert is triggered upon local login (accessing the machine physically) to a predefined sensitive Windows server by an unauthorized user. |
| Logging in remotely (RDP) to sensitive Windows Server from unauthorized client | An alert is triggered upon remote login (via RDP session) to a predefined sensitive Windows server from a client not included in the list of authorized client IPs or client names for these sensitive machines. |
| Logging in remotely (RDP) to sensitive Windows Desktop by unauthorized user | ACTION REQUIRED: Add a users black/white list (authorized/unauthorized) in the WHO statement. An alert is triggered upon remote login (via RDP session) to a predefined sensitive Windows desktop by a user not included in the predefined list. |
| Logging in remotely (RDP) to sensitive Windows Desktop from unauthorized client | An alert is triggered upon remote login (via RDP session) to a predefined sensitive Windows desktop from a client not included in the list of authorized client IPs or client names for these sensitive machines. |
| Logging in remotely (RDP) to sensitive Windows Server by unauthorized user | ACTION REQUIRED: Add a users black/white list (authorized/unauthorized) in the WHO statement. An alert is triggered upon remote login (via RDP session) to a predefined sensitive Windows server by an unauthorized user. |
| Logging in remotely (RDP) to sensitive Windows Server during irregular hours | An alert is triggered upon remote login (via RDP session) to a predefined sensitive Windows server during irregular hours (before the beginning or after the end of a working weekday, or during the weekend). |
| Logging in to any machine by disabled users (ex-employees) | This alert is triggered upon login to any type of machine (Windows, Mac, Unix, Linux) by users who are part of the Disabled Users list (ex-employees whose account in Active Directory should have been disabled). |
| Logging in to sensitive machine using a shared account | An alert is triggered when Secondary Authentication mode was used while the user was logged in to this machine, indicating that the primary user name was probably a shared account (e.g., Administrator). |
| Logging in with the default built-in privileged account to sensitive servers | An alert is triggered upon logging in to sensitive remote servers with the default privileged accounts Administrator or root. |
| Running a remote PC access tool to access a remote machine | An alert is triggered upon running a remote login utility in order to take control over a remote machine, or to open a telnet/SSH session on a remote machine. |
| Taking control on remote machine from Mac (Note: This rule applies specifically to Mac systems.) | An alert is triggered upon opening a Terminal application on Mac and running SSH to take control over a remote machine. |
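As an added illustration of how the logon rules above combine on a single event (this is example code, not the product's rule engine), the function below evaluates a Windows logon record against the sensitive-server, authorized-user, authorized-client, disabled-user and working-hours settings those rules depend on. All host names, users, client IPs and the working-hours window are constructed placeholders.

```python
from datetime import datetime

# Constructed placeholder configuration; a real deployment takes these from the
# Sensitive Remote Servers list, the WHO statement lists and the disabled-users list.
SENSITIVE_SERVERS = {"fin-srv-01", "hr-srv-02"}
AUTHORIZED_USERS = {"fin-srv-01": {"alice"}, "hr-srv-02": {"bob"}}
AUTHORIZED_CLIENTS = {"fin-srv-01": {"10.0.1.15"}, "hr-srv-02": {"10.0.1.20"}}
DISABLED_USERS = {"carol"}
DEFAULT_PRIVILEGED = {"administrator", "root"}
WORK_HOURS = (8, 18)  # working weekday window: 08:00 up to (not including) 18:00


def evaluate_logon(event):
    """Return the names of the rules above that one logon event triggers.

    event keys (constructed): host, user, kind ('rdp' or 'local'), client (IP),
    time (ISO 8601 local time), secondary_auth (bool, Secondary Authentication used).
    """
    alerts = []
    host, user = event["host"], event["user"].lower()
    when = datetime.fromisoformat(event["time"])
    # Disabled-user rule applies to any machine, sensitive or not.
    if user in DISABLED_USERS:
        alerts.append("Logging in to any machine by disabled users (ex-employees)")
    if host not in SENSITIVE_SERVERS:
        return alerts
    if user in DEFAULT_PRIVILEGED:
        alerts.append("Logging in with the default built-in privileged account to sensitive servers")
    if event.get("secondary_auth"):
        alerts.append("Logging in to sensitive machine using a shared account")
    allowed_users = AUTHORIZED_USERS.get(host, set())
    if event["kind"] == "rdp":
        if user not in allowed_users:
            alerts.append("Logging in remotely (RDP) to sensitive Windows Server by unauthorized user")
        if event["client"] not in AUTHORIZED_CLIENTS.get(host, set()):
            alerts.append("Logging in remotely (RDP) to sensitive Windows Server from unauthorized client")
        # Irregular hours: weekend (Sat=5, Sun=6) or outside the weekday window.
        if when.weekday() >= 5 or not (WORK_HOURS[0] <= when.hour < WORK_HOURS[1]):
            alerts.append("Logging in remotely (RDP) to sensitive Windows Server during irregular hours")
    elif event["kind"] == "local" and user not in allowed_users:
        alerts.append("Logging in locally to sensitive Windows Server by unauthorized user")
    return alerts


if __name__ == "__main__":
    # Constructed sample: RDP as Administrator, from an unlisted client, on a Saturday night.
    sample = {"host": "fin-srv-01", "user": "Administrator", "kind": "rdp",
              "client": "10.0.9.9", "time": "2024-03-16T23:05:00", "secondary_auth": True}
    for name in evaluate_logon(sample):
        print(name)
```

The desktop variants of the RDP and local-login rules use the same checks with a sensitive-desktop list in place of the server list.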
                                                
Unauthorized Machine Access (Unix/Linux)
The following out-of-the-box alert rules are assigned to the (Unix/Linux) Category: UNAUTHORIZED MACHINE ACCESS.
| ALERT RULE | Description |
|---|---|
| Leapfrogging with identity change 1 | An alert is triggered upon opening a new SSH session with an identity change, which could indicate account misuse. Note: This is rule 1 out of 2 rules for this scenario. |
| Leapfrogging with identity change 2 | An alert is triggered upon opening a new SSH session with an identity change, which could indicate account misuse. Note: This is rule 2 out of 2 rules for this scenario. |
| Logging in remotely to sensitive Unix or Linux machine from unauthorized client | An alert is triggered upon detecting a new login to a sensitive machine from a remote, unauthorized client IP. The alert applies when the agent is installed on the machine that is being controlled (i.e., not on the controlling machine). |