Use-Case	Event Types/Parsers	MITRE TTP	Content
Brute Force Attack	account-password-change ↳s-sailpoint-pwd ↳sailpoint-password-change account-password-change-failed ↳s-sailpoint-auth ↳sailpoint-auth app-activity ↳s-sailpoint-pwd ↳sailpoint-password-change app-login ↳s-sailpoint-app-activity ↳s-sailpoint-pwd ↳sailpoint-app-activity-2 authentication-successful ↳s-sailpoint-auth ↳sailpoint-auth vpn-logout ↳sailpoint-app-activity-1 ↳s-sailpoint-launch ↳s-sailpoint-sso ↳s-sailpoint-app-activity	T1003 - OS Credential Dumping	4 Rules 4 Models
Compromised Credentials	account-password-change ↳s-sailpoint-pwd ↳sailpoint-password-change account-password-change-failed ↳s-sailpoint-auth ↳sailpoint-auth app-activity ↳s-sailpoint-pwd ↳sailpoint-password-change app-login ↳s-sailpoint-app-activity ↳s-sailpoint-pwd ↳sailpoint-app-activity-2 authentication-successful ↳s-sailpoint-auth ↳sailpoint-auth vpn-logout ↳sailpoint-app-activity-1 ↳s-sailpoint-launch ↳s-sailpoint-sso ↳s-sailpoint-app-activity	T1020 - Automated Exfiltration T1071 - Application Layer Protocol T1078 - Valid Accounts T1110 - Brute Force T1133 - External Remote Services	22 Rules 13 Models
Data Access	account-password-change ↳s-sailpoint-pwd ↳sailpoint-password-change account-password-change-failed ↳s-sailpoint-auth ↳sailpoint-auth app-activity ↳s-sailpoint-pwd ↳sailpoint-password-change app-login ↳s-sailpoint-app-activity ↳s-sailpoint-pwd ↳sailpoint-app-activity-2 authentication-successful ↳s-sailpoint-auth ↳sailpoint-auth vpn-logout ↳sailpoint-app-activity-1 ↳s-sailpoint-launch ↳s-sailpoint-sso ↳s-sailpoint-app-activity	T1078 - Valid Accounts T1110 - Brute Force	15 Rules 10 Models
Data Exfiltration	account-password-change ↳s-sailpoint-pwd ↳sailpoint-password-change account-password-change-failed ↳s-sailpoint-auth ↳sailpoint-auth app-activity ↳s-sailpoint-pwd ↳sailpoint-password-change app-login ↳s-sailpoint-app-activity ↳s-sailpoint-pwd ↳sailpoint-app-activity-2 authentication-successful ↳s-sailpoint-auth ↳sailpoint-auth vpn-logout ↳sailpoint-app-activity-1 ↳s-sailpoint-launch ↳s-sailpoint-sso ↳s-sailpoint-app-activity	T1030 - Data Transfer Size Limits T1048 - Exfiltration Over Alternative Protocol T1133 - External Remote Services	4 Rules 4 Models
Data Leak	account-password-change ↳s-sailpoint-pwd ↳sailpoint-password-change account-password-change-failed ↳s-sailpoint-auth ↳sailpoint-auth app-activity ↳s-sailpoint-pwd ↳sailpoint-password-change app-login ↳s-sailpoint-app-activity ↳s-sailpoint-pwd ↳sailpoint-app-activity-2 authentication-successful ↳s-sailpoint-auth ↳sailpoint-auth vpn-logout ↳sailpoint-app-activity-1 ↳s-sailpoint-launch ↳s-sailpoint-sso ↳s-sailpoint-app-activity	T1030 - Data Transfer Size Limits T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1052 - Exfiltration Over Physical Medium T1052.001 - Exfiltration Over Physical Medium: Exfiltration over USB T1114.003 - Email Collection: Email Forwarding Rule T1133 - External Remote Services	15 Rules 12 Models
Evasion	account-password-change ↳s-sailpoint-pwd ↳sailpoint-password-change account-password-change-failed ↳s-sailpoint-auth ↳sailpoint-auth app-activity ↳s-sailpoint-pwd ↳sailpoint-password-change app-login ↳s-sailpoint-app-activity ↳s-sailpoint-pwd ↳sailpoint-app-activity-2 authentication-successful ↳s-sailpoint-auth ↳sailpoint-auth vpn-logout ↳sailpoint-app-activity-1 ↳s-sailpoint-launch ↳s-sailpoint-sso ↳s-sailpoint-app-activity	T1090.003 - Proxy: Multi-hop Proxy	1 Rules
Lateral Movement	account-password-change ↳s-sailpoint-pwd ↳sailpoint-password-change account-password-change-failed ↳s-sailpoint-auth ↳sailpoint-auth app-activity ↳s-sailpoint-pwd ↳sailpoint-password-change app-login ↳s-sailpoint-app-activity ↳s-sailpoint-pwd ↳sailpoint-app-activity-2 authentication-successful ↳s-sailpoint-auth ↳sailpoint-auth vpn-logout ↳sailpoint-app-activity-1 ↳s-sailpoint-launch ↳s-sailpoint-sso ↳s-sailpoint-app-activity	T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting	2 Rules 2 Models
Malware	account-password-change ↳s-sailpoint-pwd ↳sailpoint-password-change account-password-change-failed ↳s-sailpoint-auth ↳sailpoint-auth app-activity ↳s-sailpoint-pwd ↳sailpoint-password-change app-login ↳s-sailpoint-app-activity ↳s-sailpoint-pwd ↳sailpoint-app-activity-2 authentication-successful ↳s-sailpoint-auth ↳sailpoint-auth vpn-logout ↳sailpoint-app-activity-1 ↳s-sailpoint-launch ↳s-sailpoint-sso ↳s-sailpoint-app-activity	T1078 - Valid Accounts	1 Rules
Phishing	account-password-change ↳s-sailpoint-pwd ↳sailpoint-password-change account-password-change-failed ↳s-sailpoint-auth ↳sailpoint-auth app-activity ↳s-sailpoint-pwd ↳sailpoint-password-change app-login ↳s-sailpoint-app-activity ↳s-sailpoint-pwd ↳sailpoint-app-activity-2 authentication-successful ↳s-sailpoint-auth ↳sailpoint-auth vpn-logout ↳sailpoint-app-activity-1 ↳s-sailpoint-launch ↳s-sailpoint-sso ↳s-sailpoint-app-activity	T1566 - Phishing	2 Rules 2 Models
Privilege Abuse	account-password-change ↳s-sailpoint-pwd ↳sailpoint-password-change account-password-change-failed ↳s-sailpoint-auth ↳sailpoint-auth app-activity ↳s-sailpoint-pwd ↳sailpoint-password-change app-login ↳s-sailpoint-app-activity ↳s-sailpoint-pwd ↳sailpoint-app-activity-2 authentication-successful ↳s-sailpoint-auth ↳sailpoint-auth vpn-logout ↳sailpoint-app-activity-1 ↳s-sailpoint-launch ↳s-sailpoint-sso ↳s-sailpoint-app-activity	T1078 - Valid Accounts T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	8 Rules 2 Models
Privilege Escalation	account-password-change ↳s-sailpoint-pwd ↳sailpoint-password-change account-password-change-failed ↳s-sailpoint-auth ↳sailpoint-auth app-activity ↳s-sailpoint-pwd ↳sailpoint-password-change app-login ↳s-sailpoint-app-activity ↳s-sailpoint-pwd ↳sailpoint-app-activity-2 authentication-successful ↳s-sailpoint-auth ↳sailpoint-auth vpn-logout ↳sailpoint-app-activity-1 ↳s-sailpoint-launch ↳s-sailpoint-sso ↳s-sailpoint-app-activity	T1003 - OS Credential Dumping T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	8 Rules 5 Models
Privileged Activity	account-password-change ↳s-sailpoint-pwd ↳sailpoint-password-change account-password-change-failed ↳s-sailpoint-auth ↳sailpoint-auth app-activity ↳s-sailpoint-pwd ↳sailpoint-password-change app-login ↳s-sailpoint-app-activity ↳s-sailpoint-pwd ↳sailpoint-app-activity-2 authentication-successful ↳s-sailpoint-auth ↳sailpoint-auth vpn-logout ↳sailpoint-app-activity-1 ↳s-sailpoint-launch ↳s-sailpoint-sso ↳s-sailpoint-app-activity	T1078 - Valid Accounts T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	3 Rules 1 Models
Ransomware	account-password-change ↳s-sailpoint-pwd ↳sailpoint-password-change account-password-change-failed ↳s-sailpoint-auth ↳sailpoint-auth app-activity ↳s-sailpoint-pwd ↳sailpoint-password-change app-login ↳s-sailpoint-app-activity ↳s-sailpoint-pwd ↳sailpoint-app-activity-2 authentication-successful ↳s-sailpoint-auth ↳sailpoint-auth vpn-logout ↳sailpoint-app-activity-1 ↳s-sailpoint-launch ↳s-sailpoint-sso ↳s-sailpoint-app-activity	T1078 - Valid Accounts	1 Rules

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

2_ds_sailpoint_identitynow.md

2_ds_sailpoint_identitynow.md

Files

2_ds_sailpoint_identitynow.md

Latest commit

History

2_ds_sailpoint_identitynow.md

File metadata and controls