INTERCEPT Offenses in QRadar
The Netwrix Active Directory App for QRadar generates several QRadar Offenses.
Incidents detected by the Threat Prevention Authentication Analytics are reported on the Authentication Attacks Dashboard and also generate the following offenses.
| QRadar Offense | Threat Prevention Analytic Definition |
|---|---|
| INTERCEPT: Bad User ID (By Source Host) | Pre-authentication failures using one or more non-existent user IDs |
| INTERCEPT: Bad User ID (By User) | Pre-authentication failures using one or more non-existent user IDs |
| INTERCEPT: Breached Password | Multiple failed authentications followed by a successful authentication |
| INTERCEPT: Brute Force Attacks | Repeated failed authentications against systems and other network assets within a specified time range |
| INTERCEPT: Concurrent Logins | Logins from multiple locations at the same time |
| INTERCEPT: File System Attacks (By User) | A significant number of file changes made by one account in a short time period |
| INTERCEPT: Golden Tickets | Kerberos tickets with modified maximum lifetimes for user tickets or for user ticket renewal |
| INTERCEPT: Horizontal Account Movement | Authentications by one user account across multiple network assets within a specified time period |
| INTERCEPT: Impersonation Logins | Multiple accounts authenticating from a single system |
| INTERCEPT: User Account Hacking | Repeated failed logins that stay below lockout thresholds and/or continue over extended periods |
The Netwrix Active Directory App may also generate the following offenses.
| QRadar Offense | Definition |
|---|---|
| INTERCEPT: Domain Admin Activity | When a Domain Admin makes at least X Active Directory modifications within the defined time frame |
| INTERCEPT: First-Time/Stale Client Host Use | When a user authenticates from a host for the first time, or when a user account that has become stale authenticates from a host |
| INTERCEPT (Sense): First-Time/Stale Client Host Use | Sends INTERCEPT: First-Time/Stale Client Host Use offenses to the IBM QRadar User Behavior Analytics App |
| INTERCEPT: Honey Accounts | When any activity occurs on a specified Honey Account |
| INTERCEPT (Sense): Honey Accounts | Sends INTERCEPT: Honey Accounts offenses to the IBM QRadar User Behavior Analytics App |
| INTERCEPT: OU Moved | When an OU is moved within Active Directory |
| INTERCEPT: Password Changes | When a single perpetrator makes more than X password changes within the specified time frame |
| INTERCEPT: Privilege Escalation | When members are added to any of the following built-in privileged groups: Enterprise Admins, Schema Admins, Domain Admins, Administrators, Backup Operators, Account Operators, and Print Operators |
| INTERCEPT (Sense): Privilege Escalation | Sends INTERCEPT: Privilege Escalation offenses to the IBM QRadar User Behavior Analytics App |
| INTERCEPT: Sensitive Group Modifications | When X group membership changes are made to a sensitive group |
| INTERCEPT: SID History Tampering | When activity results in the modification of SID history |
| INTERCEPT (Sense): SID History Tampering | Sends INTERCEPT: SID History Tampering offenses to the IBM QRadar User Behavior Analytics App |
| INTERCEPT: Stale User Account Activity | When events are generated by a user account that has become stale |
| INTERCEPT (Sense): Stale User Account Activity | Sends INTERCEPT: Stale User Account Activity offenses to the IBM QRadar User Behavior Analytics App |
| INTERCEPT: SYSVOL Tampering | When X file changes occur under SYSVOL within the defined time frame |
| INTERCEPT: User Lockouts | When a user is locked out X times within the defined time frame |