The ESA Activity Monitoring rules for monitoring network activity are vast limits vendor rules.

Network Rules

The rules in this section detect suspicious behavior related to network operations.

• Suspicious network target names
• PowerShell outbound network connections
• Suspicious outbound Kerberos connections
• PowerShell remoting
• Detect network connects from suspicious sources
• Detect network connects from Windows processes
• Detect network connects from third-party tools
• RDP connects from non-RDP software, indicating lateral movement
• Detect network connects to suspicious ports
• Detect network connects to 80 and 443 from non-browser applications