AIE Rule ID | Attack Lifecycle | Rule Description | Common Event | Classification | Suppression Multiple | Alarm on Event Occurrence | Environmental Dependence Factor | False Positive Probability | Log Sources (minimum) | Log Sources (recommended) | AIE Rule Additional Details |
---|---|---|---|---|---|---|---|---|---|---|---|
1269 | Lateral Movement | An observed login by a user in the privileged user list, followed by a change of two or more other accounts' passwords. | AIE: Lateral: Multiple Account Passwords Modified by Admin | Security : Suspicious | 1 | No | Medium | 1 | Active Directory or LDAP | Host Logs | Action: Determine the Origin User that changed the account passwords and investigate whether this action was known or unknown. If unknown, you may want to isolate the Origin Host from which the account passwords were changed until |