Lateral Movement : Internal Destination Port Activity

The Lateral Movement : Internal Destination Port Activity model tracks each user's activity to internal destination ports over time and builds a model of the predicted weekly behavior pattern.

Enable the Lateral Movement : Internal Destination Port Activity model to track each user's activity to internal destination ports over time and build a model of the predicted weekly behavior pattern. If the user's activity deviates from the learned behavior, it is deemed suspicious and a Sense Event is generated to increase the user's risk score. An event that increases the score is also sent when the user uses a new internal destination port.

Event name (new activity)

UBA : First time access to internal destination port

Event name (activity deviation)

UBA : Increased activity to internal destination port

sensevalue

5

Required configuration

Configure the Network Hierarchy to improve the accuracy of determining which destination ports are internal.

Log source types

All events that have a defined username and local destination port.
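
The behavior described above (a learned weekly pattern per user, an event on deviation, and an event on a first-time port) can be illustrated in Python. This is an added example, not the UBA app's code or algorithm: the mean-plus-`k`-standard-deviations threshold, `k`, `floor`, `INTERNAL_NETS` (a stand-in for the Network Hierarchy) and the sample events are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

SENSE_VALUE = 5  # sensevalue listed on this page
# Assumption: stand-in for the Network Hierarchy's definition of "internal".
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
FIRST_TIME = "UBA : First time access to internal destination port"
INCREASED = "UBA : Increased activity to internal destination port"

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in INTERNAL_NETS)

def weekly_counts(events):
    """Count events per (user, port, hour-of-week slot), split by ISO week."""
    counts = defaultdict(lambda: defaultdict(int))
    for ts, user, dst_ip, port in events:
        if not user or not is_internal(dst_ip):
            continue  # needs a username and an internal destination
        week = ts.isocalendar()[:2]
        slot = ts.weekday() * 24 + ts.hour
        counts[(user, port, slot)][week] += 1
    return counts

def score_week(history, current, k=3.0, floor=5):
    """Compare one observed week with the learned weeks (k, floor are assumed)."""
    learned = weekly_counts(history)
    n_weeks = len({ts.isocalendar()[:2] for ts, *_ in history})
    known = {(u, p) for (u, p, _slot) in learned}
    findings = set()
    for (user, port, slot), per_week in weekly_counts(current).items():
        if (user, port) not in known:
            findings.add((user, port, FIRST_TIME, SENSE_VALUE))
            continue
        past = list(learned.get((user, port, slot), {}).values())
        past += [0] * (n_weeks - len(past))  # quiet weeks count as zero
        if sum(per_week.values()) > max(mean(past) + k * pstdev(past), floor):
            findings.add((user, port, INCREASED, SENSE_VALUE))
    return sorted(findings)

def sample():
    """Constructed data: four learned Mondays at 09:00, then one observed Monday."""
    mon = [datetime(2024, 1, 1, 9) + timedelta(weeks=w) for w in range(5)]
    history = [(d, "alice", ip, port) for d in mon[:4]
               for ip, port, n in [("10.1.1.10", 443, 10), ("10.1.1.20", 22, 2)] for _ in range(n)]
    current = [(mon[4], "alice", ip, port) for ip, port, n in [("10.1.1.10", 443, 10),
               ("10.1.1.20", 22, 40), ("10.1.1.30", 3389, 1), ("203.0.113.7", 8443, 1)] for _ in range(n)]
    return history, current
```

In the constructed week, port 22 exceeds its learned level and port 3389 is new for the user, while the connection to the external address is ignored because it falls outside the assumed internal networks.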