LoFP
identity rule

Title: False positives may be generated by normal provisioning workflows for user device registration.
Tags: t1078, t1098.005, t1110, t1556.006, t1621, identity, splunk

Title: False positives may be generated by normal provisioning workflows that generate a password reset followed by a device registration.
Tags: t1098.005, t1556.006, t1621, identity, splunk

Title: False positives may be generated by users working outside the geographic region where the organization's services or technology are hosted.
Tags: t1098.005, t1556.006, t1621, identity, splunk

Title: Legitimate usage of some VPNs may cause false positives. Tune as needed.
Tags: t1078, identity, splunk

Title: Limited to no expected false positives once a baseline of common VPN software has been completed.
Tags: t1078, t1090, t1572, identity, splunk

Title: This is a hunting query meant to identify rare audio devices.
Tags: t1123, identity, splunk

Title: This is a hunting query meant to identify rare microphone devices.
Tags: t1123, identity, splunk

Title: This is a hunting query meant to identify rare video devices.
Tags: t1123, identity, splunk

Title: While latency could simply indicate a slow network connection, when combined with other indicators it can help build a more complete picture. Tune the threshold as needed for your environment's baseline.
Tags: t1078, identity, splunk