Lateral Movement : Internal Asset Usage
The Lateral Movement : Internal Asset Usage model tracks a user's internal destination asset activity by time and creates a model for the predicted weekly behavior patterns.
Enable the Lateral Movement : Internal Asset Usage model to track a user's internal destination asset activity by time and create a model for the predicted weekly behavior patterns. If the user's activity deviates from the learned behavior, it is deemed suspicious and a Sense Event is generated to increase the user's risk score. An event to increase the score is also sent when a new internal asset (destination IP) is used by the user.
Event name (new activity)
UBA : New internal asset used
Event name (activity deviation)
UBA : Abnormal usage of internal asset
sensevalue
5
Required configuration
Configure the Network Hierarchy to improve the accuracy of determining internal destination addresses.
Log source types
All events that have a defined username and local destination IP.
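The following simplified sketch illustrates the behavior described on this page. It is an added example, not the UBA app's own algorithm: it baselines each user's internal destination activity per hour of the week, then emits the two Sense Events for an unseen internal asset and for out-of-pattern volume. The CIDR list standing in for the Network Hierarchy, the tolerance factor, the class and function names, and the sample events are all assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

# Assumption: stand-in for the Network Hierarchy (constructed internal CIDRs).
NETWORK_HIERARCHY = [ipaddress.ip_network(c) for c in ("10.0.0.0/8", "192.168.0.0/16")]
SENSE_VALUE = 5  # sensevalue listed on the page

def is_internal(ip):
    return any(ipaddress.ip_address(ip) in net for net in NETWORK_HIERARCHY)

def week_slot(ts):
    return ts.weekday() * 24 + ts.hour  # hour-of-week bucket, 0..167 (Monday 00:00 = 0)

class InternalAssetModel:
    def __init__(self):
        self.assets = defaultdict(set)                      # user -> known internal IPs
        self.totals = defaultdict(lambda: defaultdict(int)) # user -> slot -> event count
        self.weeks = defaultdict(int)                       # user -> weeks learned

    def learn(self, user, week_events):  # fold one week of (timestamp, dest_ip) events
        for ts, ip in week_events:
            if is_internal(ip):
                self.assets[user].add(ip)
                self.totals[user][week_slot(ts)] += 1
        self.weeks[user] += 1

    def score(self, user, week_events, tolerance=3.0):  # tolerance: hypothetical factor
        out, counts = [], defaultdict(int)
        for ts, ip in week_events:
            if not is_internal(ip):
                continue  # only internal destinations are modelled
            counts[week_slot(ts)] += 1
            if ip not in self.assets[user]:
                self.assets[user].add(ip)  # report a new asset once
                out.append(("UBA : New internal asset used", user, ip, SENSE_VALUE))
        for slot, n in sorted(counts.items()):
            expected = self.totals[user][slot] / max(self.weeks[user], 1)  # weekly mean
            if n > tolerance * max(expected, 1.0):
                out.append(("UBA : Abnormal usage of internal asset", user, slot, SENSE_VALUE))
        return out

def demo():  # constructed events: two baseline weeks, then one observed week
    model = InternalAssetModel()
    for monday in (datetime(2024, 1, 1), datetime(2024, 1, 8)):
        model.learn("alice", [(monday.replace(hour=9), "10.0.0.5")] * 2)
    observed = [(datetime(2024, 1, 15, 9), "10.0.0.5")] * 2   # usual Monday 09:00 activity
    observed += [(datetime(2024, 1, 20, 3), "10.0.9.9")] * 4  # Saturday 03:00, unseen asset
    observed += [(datetime(2024, 1, 16, 10), "8.8.8.8")]      # external, not modelled
    return model.score("alice", observed)
```

In the sample, the Monday 09:00 traffic matches the baseline and raises nothing, while the Saturday 03:00 burst to an unseen internal address raises both events. The external destination is ignored because it falls outside the configured ranges.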