Compromised endpoints
Unauthorized browser
This occurs when a user attempts to access content from a browser type or version that is not allowed by the organization's IT policy or that has security vulnerabilities.
Details
Data source: Apps and Desktops (Workspace app)
CAS query
Event-Type = "Session.Logon" AND Browser-Name !~ "<Browser-Name>"
The Session.Logon event is triggered when a user enters their credentials and logs on to their app or desktop session.
Sigma signature
author: Citrix
date: 2023/01/31
description: This occurs when a user accesses content from an unauthorized browser which might cause an undesirable event or action through the internet.
detection:
  condition: index_selection and selection and not filter
  filter:
    - browser_name|contains: '<Browser-Name>'
  index_selection:
    source: cas_siem_consumer://<env>_<tenant_identifier>
  selection:
    - occurrence_event_type: Session.logon
logsource:
  product: citrixanalytics
  service: security
title: Access from unauthorized browser
Unauthorized operating systems in block list
This occurs when a user attempts access from a device whose operating system type or version is not allowed by your organization's IT policy or has security vulnerabilities.
Details
Data source: Apps and Desktops (Workspace app)
CAS query
Event-Type = "Session.Logon" AND OS-Name ~ "<OS-Name>" AND OS-Version = "<OS-Version>" AND OS-Extra-Info = "<OS-Extra-Info>"
Sigma signature
author: Citrix
date: 2023/01/31
description: This occurs when a user attempts to access apps from servers with block-listed operating systems.
detection:
  condition: index_selection and selection
  filter_null: []
  index_selection:
    source: cas_siem_consumer://<env>_<tenant_identifier>
  selection:
    occurrence_event_type: Session.logon
    os_name|contains: '<OS-Name>'
    os_version: '<OS-Version>'
    os_extra_info: '<OS-Extra-Info>'
logsource:
  product: citrixanalytics
  service: security
title: Unauthorized operating systems in block list
Unauthorized IP address or subnet
This occurs when a user attempts access from an IP address or range that your organization's IT policy flags as unauthorized.
Details
Data source: Apps and Desktops (Workspace app)
CAS query
Event-Type = "Session.Logon" AND Client-IP = "<XX.YY.ZZ.*>"
Sigma signature
author: Citrix
date: 2023/01/31
description: This occurs when a user accesses content from an unauthorized IP which might cause an undesirable event or action through the internet.
detection:
  condition: selection and not filter_null and filter
  filter:
    - client_ip: '<IP>'
  filter_null:
    - client_ip: null
  selection:
    - occurrence_event_type: Session.Logon
logsource:
  product: citrixanalytics
  service: security
title: Access from unauthorized IP
Unauthorized operating systems outside allow list
This occurs when a user attempts to access apps from a server hosting an operating system that is outside the allow list.
Details
Data source: Apps and Desktops (Workspace app)
CAS query
Event-Type = "Session.Logon" AND OS-Name !~ "<OS-Name>" AND OS-Version != "<OS-Version>" AND OS-Extra-Info != "<OS-Extra-Info>"
Sigma signature
author: Citrix
date: 2023/01/31
description: Unauthorized operating systems outside allow list
detection:
  condition: selection and not filter_null and not filter_os and not filter_os_version and not filter_os_extra
  filter_os:
    - os_name|contains: '<OS INFO>'
  filter_os_version:
    - os_version: '<OS Version>'
  filter_os_extra:
    - os_extra_info: '<OS Extra Info>'
  filter_null:
    - os_name: null
    - os_version: null
    - os_extra_info: null
  selection:
    - occurrence_event_type: Session.Logon
logsource:
  product: citrixanalytics
  service: security
title: Unauthorized operating systems outside allow list
Unsupported Workspace app versions
This occurs when a user attempts access with a Workspace app version that is an unsupported client version. In this case, the user must upgrade their client to a supported version. For more information, see Supported client versions.
Details
Data source: Apps and Desktops (Workspace app)
CAS query
Event-Type = "Session.Logon" AND Client-Type IN ("Windows", "Macintosh", "Unix/Linux") AND Workspace-App-Version != "20*" AND Workspace-App-Version != "21*"
Sigma signature
author: Citrix
date: 2023/01/31
description: Unsupported Workspace app versions
detection:
  condition: selection and not filter_null and filter_product and not filter_product_version
  filter_product:
    - product: ['Windows', 'Mac', '<Other type>']
  filter_product_version:
    - product_version|contains: ['<Product Version1>', '<Product Version2>']
  filter_null:
    - product: null
    - product_version: null
  selection:
    - occurrence_event_type: Session.Logon
logsource:
  product: citrixanalytics
  service: security
title: Unsupported Workspace app versions
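The unauthorized-IP, OS-allow-list and Workspace-app-version rules above share one shape (a Session.Logon selection, a null filter, then a list filter), so their conditions can be checked against sample records. The evaluator below is an added example, not Citrix code; the events, the blocked subnet 203.0.113.0/24, the allow-listed OS and the supported version prefixes are constructed placeholders, and it also shows that the allow-list rule, being an AND of three filters, fires only when name, version and extra info all miss the list.

```python
# Evaluator for the Session.Logon rules above (unauthorized IP, OS outside the
# allow list, unsupported Workspace app version); all events here are constructed.
SAMPLE_EVENTS = [
    {"occurrence_event_type": "Session.Logon", "product": "Windows", "product_version": "21.12.0",
     "os_name": "Windows 10", "os_version": "10.0", "os_extra_info": "x64", "client_ip": "10.20.30.7"},
    {"occurrence_event_type": "Session.Logon", "product": "Mac", "product_version": "19.6.0",
     "os_name": "macOS", "os_version": "12.6", "os_extra_info": "arm64", "client_ip": "203.0.113.9"},
    {"occurrence_event_type": "Session.Logon", "product": "Windows", "product_version": None,
     "os_name": "Windows 7", "os_version": "6.1", "os_extra_info": "x86", "client_ip": None},
    {"occurrence_event_type": "Session.Logoff", "product": "Mac", "product_version": "18.0.0",
     "os_name": "macOS", "os_version": "10.15", "os_extra_info": "x64", "client_ip": "203.0.113.9"},
]

def is_logon(ev):  # the 'selection' block shared by every rule on the page
    return ev.get("occurrence_event_type") == "Session.Logon"

def any_null(ev, *fields):  # the 'filter_null' block: a field is missing or null
    return any(ev.get(f) is None for f in fields)

def unauthorized_ip(ev, blocked_prefix):
    # condition: selection and not filter_null and filter   (Client-IP = "<XX.YY.ZZ.*>")
    return (is_logon(ev) and not any_null(ev, "client_ip")
            and ev["client_ip"].startswith(blocked_prefix))

def os_outside_allow_list(ev, allowed_name, allowed_version, allowed_extra):
    # condition: selection and not filter_null and not filter_os and not filter_os_version
    # and not filter_os_extra. With AND, the rule fires only when name, version AND extra
    # info all miss the allow list: event 2 (Windows 7) keeps an allowed name, so no hit.
    return (is_logon(ev) and not any_null(ev, "os_name", "os_version", "os_extra_info")
            and allowed_name not in ev["os_name"]  # os_name|contains
            and ev["os_version"] != allowed_version
            and ev["os_extra_info"] != allowed_extra)

def unsupported_workspace_app(ev, client_types, supported_prefixes):
    # condition: selection and not filter_null and filter_product and not filter_product_version
    return (is_logon(ev) and not any_null(ev, "product", "product_version")
            and ev["product"] in client_types
            and not ev["product_version"].startswith(supported_prefixes))  # "20*", "21*"

def run_rules(events):  # -> [(event index, rule title)] for every rule that fires
    hits = []
    for i, ev in enumerate(events):
        if unauthorized_ip(ev, "203.0.113."):
            hits.append((i, "Access from unauthorized IP"))
        if os_outside_allow_list(ev, "Windows", "10.0", "x64"):
            hits.append((i, "Unauthorized operating systems outside allow list"))
        if unsupported_workspace_app(ev, ("Windows", "Mac"), ("20", "21")):
            hits.append((i, "Unsupported Workspace app versions"))
    return hits
```

Only the macOS logon from 203.0.113.9 with Workspace app 19.6.0 fires; the Windows 7 logon with a null client IP and version is silent under every rule, because the null filter suppresses it and its OS name still satisfies the allow-list name filter.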