
Recommended Enterprise Rule Library

Ready-to-use Enterprise detection rules: compromised accounts, data exfiltration, SSH botnets, credential stuffing, and more.

Last updated: 2026-03-11


Copy these rules directly into the Custom Threat Models builder. Each rule includes the full condition JSON, recommended threshold, and the reasoning behind every parameter.


Rule 1 — Compromised Account Detection (FOLLOWED BY)

Threat: An attacker brute-forces a password and then logs in successfully with the cracked credentials — the classic account takeover chain.

Detection logic: 10 or more auth.login_failed events within 10 minutes from the same actor or IP, followed by a successful auth.login_success within 15 minutes of the threshold being crossed. LiteSOC automatically correlates the chained event to the same actor or IP that triggered the primary threshold.

Setting             Value
Event Type          auth.login_failed
Condition           {} (match all failed logins)
Threshold           10
Time Window         10 minutes
Chained Event Type  auth.login_success
Chain Time Window   15 minutes
Severity            high (auto-upgraded to critical when the chain fires)

Condition JSON:

{}

When the chain fires, LiteSOC overrides the severity to CRITICAL and sets the alert name to "Account Compromise Detected after Brute Force" regardless of the configured severity — indicating confirmed account takeover.

Tuning tips:

  • Lower the threshold to 5 for admin accounts by adding { "field": "actor.role", "operator": "equals", "value": "admin" }
  • Increase the chain time window to 30 minutes for slower, low-and-slow attacks
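The FOLLOWED BY chain in Rule 1 has two moving parts: a sliding-window count per group key, and a second event that must arrive for the same key within the chain window after the threshold is crossed. The block below is an added illustration of that correlation written for this page; it is not LiteSOC's own code. Field names (event, user_ip, ts), the expiry handling of an uncompleted chain, and the sample log stream are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Rule 1 settings from the table above. The correlation logic below is an
# added illustration of FOLLOWED BY semantics, not LiteSOC's implementation.
RULE_1 = {
    "event_type": "auth.login_failed",
    "threshold": 10,
    "window": timedelta(minutes=10),
    "chained_event_type": "auth.login_success",
    "chain_window": timedelta(minutes=15),
    "group_by": "user_ip",   # assumed key on which primary and chained events correlate
}


def detect_followed_by(events, rule=RULE_1):
    """Stream events (dicts ordered by 'ts') and return the alerts raised.

    Primary alert: at least `threshold` primary events inside the sliding
    window for one group key. Chained alert: the chained event arrives for the
    same key within `chain_window` of the threshold being crossed.
    """
    recent = defaultdict(deque)   # key -> timestamps of primary events still in window
    armed = {}                    # key -> deadline by which the chained event must arrive
    alerts = []
    for ev in events:
        key, ts = ev[rule["group_by"]], ev["ts"]

        # An uncompleted chain expires silently; the high-severity primary
        # alert already raised stands on its own.
        if key in armed and ts > armed[key]:
            del armed[key]

        if ev["event"] == rule["event_type"]:
            q = recent[key]
            q.append(ts)
            while ts - q[0] > rule["window"]:   # evict events outside the window
                q.popleft()
            if len(q) >= rule["threshold"] and key not in armed:
                alerts.append({"name": "Brute force threshold crossed",
                               "severity": "high", "key": key, "ts": ts})
                armed[key] = ts + rule["chain_window"]
                q.clear()   # start counting afresh after firing
        elif ev["event"] == rule["chained_event_type"] and key in armed:
            # Severity is forced to critical and the alert renamed, as the text describes
            alerts.append({"name": "Account Compromise Detected after Brute Force",
                           "severity": "critical", "key": key, "ts": ts})
            del armed[key]
    return alerts


def ts_at(hhmm):
    """Build a timestamp on a fixed, constructed date."""
    return datetime.strptime(f"2026-03-11 {hhmm}", "%Y-%m-%d %H:%M")


# Constructed sample stream (not real log data). 203.0.113.7 fails ten times and
# logs in 5 minutes later; 198.51.100.5 fails ten times but its success arrives
# after the 15-minute chain window has closed, so only the primary alert fires.
SAMPLE_EVENTS = sorted(
    [{"event": "auth.login_failed", "user_ip": "203.0.113.7", "ts": ts_at(f"12:0{i}")} for i in range(10)]
    + [{"event": "auth.login_success", "user_ip": "203.0.113.7", "ts": ts_at("12:14")}]
    + [{"event": "auth.login_failed", "user_ip": "198.51.100.5", "ts": ts_at(f"12:{10 + i}")} for i in range(10)]
    + [{"event": "auth.login_success", "user_ip": "198.51.100.5", "ts": ts_at("12:40")}],
    key=lambda e: e["ts"],
)

if __name__ == "__main__":
    for a in detect_followed_by(SAMPLE_EVENTS):
        print(a["ts"].strftime("%H:%M"), a["severity"].upper(), a["key"], a["name"])
```

Running it yields three alerts: a high alert for each IP when its tenth failure lands inside the window, and a single critical "Account Compromise Detected after Brute Force" alert for 203.0.113.7, whose success arrived inside the chain window. The second IP's late success raises nothing, which is the behaviour the 15-minute chain window is meant to enforce; widening it to 30 minutes as the tuning tip suggests would make that login fire too.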

Rule 2 — Data Exfiltration from Non-Whitelisted Country

Threat: An insider or compromised account exports sensitive data while connected from an unexpected geographic location — a common signal of exfiltration or a compromised session.

Detection logic: Any data.export event where the destination or source country is not on your approved-country list.

Setting       Value
Event Type    data.*
Condition     See below
Threshold     1
Time Window   60 minutes
Severity      critical

Condition JSON:

{
  "logical_operator": "AND",
  "filters": [
    {
      "field": "event",
      "operator": "contains",
      "value": "export"
    },
    {
      "field": "metadata.country_code",
      "operator": "not_in",
      "value": ["US", "GB", "DE", "CA", "AU", "NL", "SE", "NO", "DK", "FR"]
    }
  ],
  "group_by": "user_ip"
}

Tuning tips:

  • Adjust the country allowlist to match your organisation's operating locations
  • Add { "field": "metadata.record_count", "operator": "gt", "value": 100 } to only fire on bulk exports, reducing noise from single-record queries
  • Set threshold to 3 if occasional travel to non-listed countries is expected, so a single export doesn't page the team

Rule 3 — SSH Botnet / Datacenter Brute Force

Threat: Automated SSH login attacks originating from cloud/datacenter IP ranges rather than residential IPs. These are almost always scripted botnet activity or credential-stuffing tools — residential users do not SSH from AWS or Azure IP blocks.

Detection logic: 5 or more auth.login_failed events within 5 minutes where the source IP is tagged as a datacenter address by LiteSOC's network intelligence enrichment.

Setting       Value
Event Type    auth.login_failed
Condition     See below
Threshold     5
Time Window   5 minutes
Severity      critical

Condition JSON:

{
  "logical_operator": "AND",
  "filters": [
    {
      "field": "metadata.service",
      "operator": "equals",
      "value": "ssh"
    },
    {
      "field": "metadata.network_intelligence.is_datacenter",
      "operator": "equals",
      "value": "true"
    }
  ],
  "group_by": "user_ip"
}

Tuning tips:

  • Remove the metadata.service filter to catch datacenter-sourced attacks against any service (API, admin panel, etc.)
  • Add { "field": "metadata.raw_log", "operator": "contains", "value": "invalid user" } to narrow to SSH username enumeration specifically
  • Pair with IP-whitelisting to suppress alerts from your own CI/CD infrastructure (which may run in datacenters)

Rule 4 — VPN / Anonymiser Access to Sensitive Endpoints

Threat: A user accessing sensitive API endpoints (admin panel, bulk export, user management) while routing through a VPN, Tor, or open proxy — a common tactic to obscure identity during insider attacks or session hijacking.

Setting       Value
Event Type    data.*
Condition     See below
Threshold     1
Time Window   30 minutes
Severity      high

Condition JSON:

{
  "logical_operator": "AND",
  "filters": [
    {
      "field": "metadata.endpoint",
      "operator": "starts_with",
      "value": "/api/v1/admin"
    },
    {
      "logical_operator": "OR",
      "filters": [
        { "field": "metadata.network_intelligence.is_vpn",   "operator": "equals", "value": "true" },
        { "field": "metadata.network_intelligence.is_tor",   "operator": "equals", "value": "true" },
        { "field": "metadata.network_intelligence.is_proxy", "operator": "equals", "value": "true" }
      ]
    }
  ]
}

Note: Nested OR groups inside an outer AND are supported via the legacy { "and": [...] } / { "or": [...] } syntax for the inner group. Alternatively, flatten with three separate OR filters at the top level.


Rule 5 — Admin Privilege Escalation Spike

Threat: A burst of admin.privilege_escalation or authz.permission.changed events — a sign of a compromised admin account or an insider manipulating access controls before exfiltrating data.

Setting       Value
Event Type    admin.*
Condition     See below
Threshold     3
Time Window   15 minutes
Severity      critical

Condition JSON:

{
  "logical_operator": "OR",
  "filters": [
    { "field": "event", "operator": "contains", "value": "privilege_escalation" },
    { "field": "event", "operator": "contains", "value": "role.changed" },
    { "field": "event", "operator": "contains", "value": "permission.changed" }
  ],
  "group_by": "actor.id"
}

Rule 6 — Scanner / Automated Attack Tool Detection

Threat: Common attack tools (SQLMap, Nikto, Nuclei, Masscan) identified by their user-agent strings in API event logs.

Setting       Value
Event Type    security.*
Condition     See below
Threshold     1
Time Window   60 minutes
Severity      high

Condition JSON:

{
  "logical_operator": "AND",
  "filters": [
    {
      "field": "metadata.user_agent",
      "operator": "regex",
      "value": "(sqlmap|nikto|masscan|zgrab|nuclei|nmap|burpsuite|zap)"
    }
  ]
}
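Rules 2, 3, 4 and 6 all rely on the same condition language: an event-type glob, a list of filters with an operator each, AND/OR combination, and (in Rule 4) a nested group. The evaluator below is an added example written for this page, not LiteSOC's own code, that runs those four conditions against constructed events. The operator semantics, the treatment of a missing field as a non-match, comparing enrichment booleans against the string "true", and case-insensitive regex are assumptions made for the example; Rule 2 is shown with the record_count tuning tip applied.

```python
import re
from fnmatch import fnmatch
from typing import Any

# Added illustration of evaluating the condition JSON above against an ingested
# event. Operator semantics and missing-field handling are assumptions for this
# example, not LiteSOC's documented behaviour.


def event_type_matches(pattern: str, event_name: str) -> bool:
    """The rule's Event Type is treated as a glob: data.* or auth.login_failed."""
    return fnmatch(event_name, pattern)


def get_field(event: dict, path: str) -> Any:
    """Resolve a dotted path (metadata.network_intelligence.is_vpn); None if absent."""
    cur: Any = event
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def eval_filter(flt: dict, event: dict) -> bool:
    """Evaluate one filter, or a nested group if the object carries its own 'filters'."""
    if "filters" in flt:
        return eval_condition(flt, event)
    value = get_field(event, flt["field"])
    if value is None:
        # Design choice here: an event lacking the field (e.g. no geo enrichment)
        # never matches, so a not_in filter cannot fire on blank data.
        return False
    op, expected = flt["operator"], flt["value"]
    if op == "equals":
        # Enrichment flags arrive as booleans while rules write "true": compare as text
        return str(value).lower() == str(expected).lower()
    if op == "contains":
        return isinstance(value, str) and expected in value
    if op == "starts_with":
        return isinstance(value, str) and value.startswith(expected)
    if op == "in":
        return value in expected
    if op == "not_in":
        return value not in expected
    if op == "gt":
        return isinstance(value, (int, float)) and value > expected
    if op == "regex":
        return isinstance(value, str) and re.search(expected, value, re.IGNORECASE) is not None
    raise ValueError(f"unsupported operator: {op!r}")


def eval_condition(cond: dict, event: dict) -> bool:
    """{} matches everything (as in Rule 1); otherwise combine filters with AND/OR."""
    filters = cond.get("filters", [])
    if not filters:
        return True
    combine = all if cond.get("logical_operator", "AND").upper() == "AND" else any
    return combine(eval_filter(f, event) for f in filters)


# Conditions copied from the rules above; Rule 2 includes the record_count tuning tip.
RULES = {
    "Rule 2": {"event_type": "data.*", "condition": {"logical_operator": "AND", "filters": [
        {"field": "event", "operator": "contains", "value": "export"},
        {"field": "metadata.country_code", "operator": "not_in",
         "value": ["US", "GB", "DE", "CA", "AU", "NL", "SE", "NO", "DK", "FR"]},
        {"field": "metadata.record_count", "operator": "gt", "value": 100}]}},
    "Rule 3": {"event_type": "auth.login_failed", "condition": {"logical_operator": "AND", "filters": [
        {"field": "metadata.service", "operator": "equals", "value": "ssh"},
        {"field": "metadata.network_intelligence.is_datacenter", "operator": "equals", "value": "true"}]}},
    "Rule 4": {"event_type": "data.*", "condition": {"logical_operator": "AND", "filters": [
        {"field": "metadata.endpoint", "operator": "starts_with", "value": "/api/v1/admin"},
        {"logical_operator": "OR", "filters": [
            {"field": "metadata.network_intelligence.is_vpn", "operator": "equals", "value": "true"},
            {"field": "metadata.network_intelligence.is_tor", "operator": "equals", "value": "true"},
            {"field": "metadata.network_intelligence.is_proxy", "operator": "equals", "value": "true"}]}]}},
    "Rule 6": {"event_type": "security.*", "condition": {"logical_operator": "AND", "filters": [
        {"field": "metadata.user_agent", "operator": "regex",
         "value": "(sqlmap|nikto|masscan|zgrab|nuclei|nmap|burpsuite|zap)"}]}},
}


def matching_rules(event: dict) -> list:
    """Names of every rule whose event type and condition both match the event."""
    return [name for name, r in RULES.items()
            if event_type_matches(r["event_type"], event["event"]) and eval_condition(r["condition"], event)]


# Constructed sample events (not real log data), one per rule plus a benign export.
SAMPLE_EVENTS = [
    {"event": "data.export", "metadata": {"country_code": "RU", "record_count": 5000}},
    {"event": "data.read", "metadata": {"endpoint": "/api/v1/admin/users",
     "network_intelligence": {"is_vpn": False, "is_tor": True, "is_proxy": False}}},
    {"event": "auth.login_failed", "metadata": {"service": "ssh", "network_intelligence": {"is_datacenter": True}}},
    {"event": "security.waf.blocked", "metadata": {"user_agent": "Mozilla/5.0 (compatible; Nikto/2.1.6)"}},
    {"event": "data.export", "metadata": {"country_code": "US", "record_count": 5000}},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["event"], "->", matching_rules(ev) or "no match")
```

The nested group in Rule 4 is handled by recursion: eval_filter hands any object that carries its own filters back to eval_condition, so arbitrary AND/OR depth works the same way as the top level. The missing-field rule is worth deciding deliberately in a real deployment: with it, an export whose country enrichment failed is silently skipped by Rule 2, which suppresses noise during an enrichment outage but also means such exports go unflagged.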

Quick-Reference: All Six Rules

#  Rule Name                   Event Type                               Threshold  Window  Severity
1  Compromised Account         auth.login_failed → auth.login_success   10         10 min  Critical
2  Data Exfiltration           data.*                                   1          60 min  Critical
3  SSH Botnet                  auth.login_failed                        5          5 min   Critical
4  VPN + Admin Access          data.*                                   1          30 min  High
5  Privilege Escalation Spike  admin.*                                  3          15 min  Critical
6  Scanner Detection           security.*                               1          60 min  High

Need a custom rule for a threat not listed here? Contact our Enterprise support team — we'll help design it with you.
