cisco rule
| Title | Tags |
| --- | --- |
| admins may setup new or modify old spans, or use a monitor for troubleshooting | t1040, cisco, sigma |
| commonly run by administrators | t1005, t1087, t1087.001, t1552, t1552.001, cisco, sigma |
| commonly used by administrators for troubleshooting | t1016, t1018, t1033, t1049, t1057, t1082, t1083, t1124, t1201, cisco, sigma |
| generally used to copy configs or ios images | t1074, t1105, t1560, t1560.001, cisco, sigma |
| legitimate administrators may run these commands | t1053, t1070, t1070.003, t1490, t1505, t1565, t1565.002, cisco, sigma |
| legitimate administrators may run these commands, though rarely. | t1495, t1529, t1565, t1565.001, cisco, sigma |
| legitimate user that was assigned on purpose to a bypass group | cisco, sigma |
| not commonly run by administrators, especially if remote logging is configured | t1552, t1552.003, cisco, sigma |
| not commonly run by administrators. also whitelist your known good certificates | t1552, t1552.004, t1553, t1553.004, cisco, sigma |
| unlikely. except due to misconfigurations | t1078, t1110, t1557, cisco, juniper, huawei, sigma |
| when remote authentication is in place, this should not change often | t1098, t1136, t1136.001, cisco, sigma |
| will be used sometimes by admins to clean up local flash space | t1070, t1070.004, t1561, t1561.001, t1561.002, cisco, sigma |