ds_vmware_nsx_fw.md

Vendor: VMware

Product: NSX FW

Rules	Models	MITRE TTPs	Event Types	Parsers
109	40	13	2	2

Use-Case	Event Types/Parsers	MITRE TTP	Content
Abnormal Authentication & Access	network-connection-successful ↳cef-nsx-fw-logs-1 web-activity-allowed ↳cef-nsx-fw-logs-1	T1071.001 - Application Layer Protocol: Web Protocols	6 Rules 6 Models
Compromised Credentials	network-connection-successful ↳cef-nsx-fw-logs-1 web-activity-allowed ↳cef-nsx-fw-logs-1	T1071.001 - Application Layer Protocol: Web Protocols T1102 - Web Service T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	33 Rules 15 Models
Cryptomining	network-connection-successful ↳cef-nsx-fw-logs-1 web-activity-allowed ↳cef-nsx-fw-logs-1	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	3 Rules
Data Exfiltration	network-connection-successful ↳cef-nsx-fw-logs-1 web-activity-allowed ↳cef-nsx-fw-logs-1	T1030 - Data Transfer Size Limits T1071.001 - Application Layer Protocol: Web Protocols T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage T1568 - Dynamic Resolution	6 Rules 2 Models
Data Leak	network-connection-successful ↳cef-nsx-fw-logs-1 web-activity-allowed ↳cef-nsx-fw-logs-1	T1030 - Data Transfer Size Limits T1071.001 - Application Layer Protocol: Web Protocols T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage	6 Rules 3 Models
Evasion	network-connection-successful ↳cef-nsx-fw-logs-1 web-activity-allowed ↳cef-nsx-fw-logs-1	T1071.001 - Application Layer Protocol: Web Protocols T1090.003 - Proxy: Multi-hop Proxy	7 Rules 1 Models
Lateral Movement	network-connection-successful ↳cef-nsx-fw-logs-1 web-activity-allowed ↳cef-nsx-fw-logs-1	T1071 - Application Layer Protocol T1090.002 - Proxy: External Proxy T1205.001 - T1205.001 T1571 - Non-Standard Port	37 Rules 17 Models
Malware	network-connection-successful ↳cef-nsx-fw-logs-1 web-activity-allowed ↳cef-nsx-fw-logs-1	T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1090.003 - Proxy: Multi-hop Proxy T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	29 Rules 8 Models
Phishing	network-connection-successful ↳cef-nsx-fw-logs-1 web-activity-allowed ↳cef-nsx-fw-logs-1	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	3 Rules
Privileged Activity	network-connection-successful ↳cef-nsx-fw-logs-1 web-activity-allowed ↳cef-nsx-fw-logs-1	T1071.001 - Application Layer Protocol: Web Protocols T1102 - Web Service	2 Rules
Ransomware	network-connection-successful ↳cef-nsx-fw-logs-1 web-activity-allowed ↳cef-nsx-fw-logs-1	T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols	2 Rules
Workforce Protection	network-connection-successful ↳cef-nsx-fw-logs-1 web-activity-allowed ↳cef-nsx-fw-logs-1	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

ATT&CK Matrix for Enterprise

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Phishing: Spearphishing Link Drive-by Compromise Phishing	User Execution	Traffic Signaling		Traffic Signaling					Web Service Non-Standard Port Application Layer Protocol: Web Protocols Dynamic Resolution Traffic Signaling Dynamic Resolution: Domain Generation Algorithms Proxy: Multi-hop Proxy Proxy: External Proxy Application Layer Protocol Proxy	Data Transfer Size Limits Exfiltration Over Web Service: Exfiltration to Cloud Storage Exfiltration Over Web Service	Resource Hijacking