Lateral Movement : Internal Asset Usage

The Lateral Movement : Internal Asset Usage model tracks a user's internal destination asset activity by time and creates a model for the predicted weekly behavior patterns.

Enable the Lateral Movement : Internal Asset Usage model to track a user's internal destination asset activity by time and create a model for the predicted weekly behavior patterns. If the user's activity deviates from the learned behavior, the activity is deemed suspicious and a Sense Event is generated to increase the user's risk score. A Sense Event that increases the risk score is also generated when the user uses a new internal asset (destination IP).

Event name (new activity)

UBA : New internal asset used

Event name (activity deviation)

UBA : Abnormal usage of internal asset

sensevalue

5

Required configuration

Configure the Network Hierarchy to improve the accuracy of determining internal destination addresses.

Log source types

All events that have a defined username and local destination IP.
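
The baseline-and-deviation idea described above, sketched in Python as an added illustration; it is not the UBA app's own algorithm or code. The RFC 1918 ranges (standing in for the Network Hierarchy), the per-weekday count of distinct assets, the 3x threshold, and the sample events are all assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumptions: RFC 1918 ranges stand in for the Network Hierarchy; the
# 3x threshold and per-weekday distinct-asset count are illustrative choices.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SENSE_VALUE, FACTOR = 5, 3.0
NEW, ABNORMAL = "UBA : New internal asset used", "UBA : Abnormal usage of internal asset"

def usable(ev):
    """Keep only events with a defined username and a local destination IP."""
    _, user, dst = ev
    return bool(user) and any(ipaddress.ip_address(dst) in n for n in INTERNAL)

def per_day(events):
    """Map (user, date) -> set of distinct internal destination IPs."""
    days = defaultdict(set)
    for ts, user, dst in filter(usable, events):
        days[(user, datetime.fromisoformat(ts).date())].add(dst)
    return days

def learn(events):
    """Return (known assets per user, mean daily asset count per user and weekday)."""
    known, counts = defaultdict(set), defaultdict(list)
    for (user, day), assets in per_day(events).items():
        known[user] |= assets
        counts[(user, day.weekday())].append(len(assets))
    return known, {k: sum(v) / len(v) for k, v in counts.items()}

def score(events, known, mean):
    """Return (user, event name, sensevalue) tuples for new or abnormal activity."""
    out = []
    for (user, day), assets in per_day(events).items():
        out += [(user, NEW, SENSE_VALUE) for _ in assets - known.get(user, set())]
        base = mean.get((user, day.weekday()))
        if base and len(assets) > FACTOR * base:
            out.append((user, ABNORMAL, SENSE_VALUE))
    return out

# Constructed sample events: (ISO timestamp, username, destination IP).
TRAIN = [(f"2024-01-{d:02d}T09:00:00", "alice", ip)
         for d in (1, 8) for ip in ("10.0.0.5", "10.0.0.6")]
TODAY = ([("2024-01-15T09:00:00", "alice", f"10.0.1.{i}") for i in range(1, 6)]
         + [("2024-01-15T09:05:00", "alice", "10.0.0.5"),
            ("2024-01-15T09:06:00", "alice", "10.0.0.6"),
            ("2024-01-15T09:07:00", "alice", "203.0.113.9"),   # not internal: ignored
            ("2024-01-15T09:08:00", "", "10.0.0.5")])          # no username: ignored

if __name__ == "__main__":
    for event in score(TODAY, *learn(TRAIN)):
        print(event)
```

On the constructed data, the two learned Mondays give a baseline of two assets, so the third Monday's seven distinct internal destinations yield five new-asset events and one abnormal-usage event.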