ds_google_gmail.md

Vendor: Google

Product: Gmail

Rules	Models	MITRE TTPs	Event Types	Parsers
80	33	6	4	4

Use-Case	Event Types/Parsers	MITRE TTP	Content
Abnormal Authentication & Access	dlp-email-alert-in ↳cef-skyformation-gmail-in dlp-email-alert-in-failed ↳cef-skyformation-gmail-out dlp-email-alert-out ↳cef-skyformation-gmail-out vpn-login ↳cef-skyformation-gmail-in	T1078 - Valid Accounts T1133 - External Remote Services	30 Rules 16 Models
Compromised Credentials	dlp-email-alert-in ↳cef-skyformation-gmail-in dlp-email-alert-in-failed ↳cef-skyformation-gmail-out dlp-email-alert-out ↳cef-skyformation-gmail-out vpn-login ↳cef-skyformation-gmail-in	T1078 - Valid Accounts T1133 - External Remote Services	11 Rules 2 Models
Data Exfiltration	dlp-email-alert-in ↳cef-skyformation-gmail-in dlp-email-alert-in-failed ↳cef-skyformation-gmail-out dlp-email-alert-out ↳cef-skyformation-gmail-out vpn-login ↳cef-skyformation-gmail-in	T1048 - Exfiltration Over Alternative Protocol	1 Rules 1 Models
Data Leak	dlp-email-alert-in ↳cef-skyformation-gmail-in dlp-email-alert-in-failed ↳cef-skyformation-gmail-out dlp-email-alert-out ↳cef-skyformation-gmail-out vpn-login ↳cef-skyformation-gmail-in	T1020 - Automated Exfiltration T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	31 Rules 15 Models
Evasion	dlp-email-alert-in ↳cef-skyformation-gmail-in dlp-email-alert-in-failed ↳cef-skyformation-gmail-out dlp-email-alert-out ↳cef-skyformation-gmail-out vpn-login ↳cef-skyformation-gmail-in	T1090.003 - Proxy: Multi-hop Proxy	1 Rules
Malware	dlp-email-alert-in ↳cef-skyformation-gmail-in dlp-email-alert-in-failed ↳cef-skyformation-gmail-out dlp-email-alert-out ↳cef-skyformation-gmail-out vpn-login ↳cef-skyformation-gmail-in	T1078 - Valid Accounts	1 Rules
Phishing	dlp-email-alert-in ↳cef-skyformation-gmail-in dlp-email-alert-in-failed ↳cef-skyformation-gmail-out dlp-email-alert-out ↳cef-skyformation-gmail-out vpn-login ↳cef-skyformation-gmail-in	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	12 Rules 6 Models
Privilege Abuse	dlp-email-alert-in ↳cef-skyformation-gmail-in dlp-email-alert-in-failed ↳cef-skyformation-gmail-out dlp-email-alert-out ↳cef-skyformation-gmail-out vpn-login ↳cef-skyformation-gmail-in	T1078 - Valid Accounts T1133 - External Remote Services	4 Rules
Privileged Activity	dlp-email-alert-in ↳cef-skyformation-gmail-in dlp-email-alert-in-failed ↳cef-skyformation-gmail-out dlp-email-alert-out ↳cef-skyformation-gmail-out vpn-login ↳cef-skyformation-gmail-in	T1078 - Valid Accounts T1133 - External Remote Services	3 Rules
Ransomware	dlp-email-alert-in ↳cef-skyformation-gmail-in dlp-email-alert-in-failed ↳cef-skyformation-gmail-out dlp-email-alert-out ↳cef-skyformation-gmail-out vpn-login ↳cef-skyformation-gmail-in	T1078 - Valid Accounts	1 Rules
Workforce Protection	dlp-email-alert-in ↳cef-skyformation-gmail-in dlp-email-alert-in-failed ↳cef-skyformation-gmail-out dlp-email-alert-out ↳cef-skyformation-gmail-out vpn-login ↳cef-skyformation-gmail-in	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models

ATT&CK Matrix for Enterprise

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
External Remote Services Valid Accounts		External Remote Services Valid Accounts	Valid Accounts	Valid Accounts					Proxy: Multi-hop Proxy Proxy	Exfiltration Over Alternative Protocol Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Automated Exfiltration