Skip to content

Latest commit

 

History

History
589 lines (587 loc) · 340 KB

uc_data_exfiltration.md

File metadata and controls

589 lines (587 loc) · 340 KB

Use Case: Data Exfiltration

Vendor: AMAG

Product Event Types MITRE TTP Content
Symmetry Access Control
  • dlp-alert
  • failed-physical-access
  • physical-access
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 29 Rules
  • 17 Models

Vendor: Absolute

Product Event Types MITRE TTP Content
Absolute SIEM Connector
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 5 Rules
  • 2 Models

Vendor: Accellion

Product Event Types MITRE TTP Content
Kiteworks
  • account-password-change
  • account-password-reset
  • account-unlocked
  • app-activity
  • app-login
  • dlp-email-alert-out
  • failed-app-login
  • file-alert
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
  • security-alert
 T1048 - Exfiltration Over Alternative Protocol
T1204 - User Execution
  • 3 Rules
  • 2 Models

Vendor: Airlock

Product Event Types MITRE TTP Content
Airlock
  • app-activity-failed
  • app-login
  • database-query
  • failed-app-login
  • file-delete
  • file-download
  • file-upload
  • file-write
  • network-connection-successful
 T1204 - User Execution
  • 2 Rules
  • 1 Models

Vendor: Akamai

Product Event Types MITRE TTP Content
Cloud Akamai
  • file-delete
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 2 Models

Vendor: Amazon

Product Event Types MITRE TTP Content
AWS CloudTrail
  • account-password-change
  • app-activity
  • app-login
  • cloud-admin-activity
  • cloud-admin-activity-failed
  • netflow-connection
  • storage-access
  • storage-activity
  • storage-activity-failed
 T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1071.002 - Application Layer Protocol: File Transfer Protocols
  • 1 Rules
AWS GuardDuty
  • process-created
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1105 - Ingress Tool Transfer
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 16 Rules

Vendor: Apache

Product Event Types MITRE TTP Content
Apache
  • network-connection-failed
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 2 Models

Vendor: Apple

Product Event Types MITRE TTP Content
macOS
  • file-alert
 T1204 - User Execution
  • 1 Rules
  • 1 Models

Vendor: AssetView

Product Event Types MITRE TTP Content
AssetView
  • file-download
  • file-write
  • network-connection-failed
  • print-activity
  • security-alert
 T1204 - User Execution
  • 2 Rules
  • 1 Models

Vendor: Atlassian

Product Event Types MITRE TTP Content
Atlassian BitBucket
  • dlp-alert
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 29 Rules
  • 17 Models

Vendor: Barracuda

Product Event Types MITRE TTP Content
Barracuda Email Security Gateway
  • account-password-change-failed
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • file-upload
 T1048 - Exfiltration Over Alternative Protocol
  • 1 Rules
  • 1 Models

Vendor: BeyondTrust

Product Event Types MITRE TTP Content
BeyondTrust Privilege Management
  • dns-response
  • process-created
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1105 - Ingress Tool Transfer
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 16 Rules
BeyondTrust Privileged Identity
  • account-switch
  • app-activity
  • app-login
  • authentication-successful
  • dlp-alert
  • failed-app-login
  • failed-physical-access
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 29 Rules
  • 17 Models

Vendor: Bitdefender

Product Event Types MITRE TTP Content
Bitdefender GravityZone
  • authentication-successful
  • process-created
  • web-activity-denied
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1030 - Data Transfer Size Limits
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1105 - Ingress Tool Transfer
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 21 Rules
  • 2 Models

Vendor: Bitglass

Product Event Types MITRE TTP Content
Bitglass CASB
  • app-login
  • authentication-successful
  • dlp-email-alert-out
  • failed-app-login
  • file-read
  • file-write
 T1048 - Exfiltration Over Alternative Protocol
T1204 - User Execution
  • 3 Rules
  • 2 Models

Vendor: BlackBerry

Product Event Types MITRE TTP Content
BlackBerry Protect
  • app-activity
  • file-delete
  • security-alert
  • vpn-logout
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1133 - External Remote Services
  • 4 Rules
  • 4 Models

Vendor: Box

Product Event Types MITRE TTP Content
Box Cloud Content Management
  • app-activity
  • app-activity-failed
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
  • print-activity
 T1204 - User Execution
  • 2 Rules
  • 1 Models

Vendor: Bromium

Product Event Types MITRE TTP Content
Bromium Secure Platform
  • file-alert
  • file-write
  • share-access
 T1204 - User Execution
  • 2 Rules
  • 1 Models

Vendor: CatoNetworks

Product Event Types MITRE TTP Content
Cato Cloud
  • failed-logon
  • network-alert
  • vpn-login
  • web-activity-allowed
  • web-activity-denied
  • workstation-unlocked
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 7 Rules
  • 2 Models

Vendor: Centrify

Product Event Types MITRE TTP Content
Centrify Audit and Monitoring Service
  • authentication-successful
  • file-read
  • file-write
 T1204 - User Execution
  • 2 Rules
  • 1 Models
Centrify Authentication Service
  • account-switch
  • authentication-failed
  • local-logon
  • process-created
  • remote-logon
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1105 - Ingress Tool Transfer
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 16 Rules

Vendor: Check Point Software

Product Event Types MITRE TTP Content
Check Point Identity Awareness
  • failed-vpn-login
  • network-connection-failed
  • network-connection-successful
  • vpn-login
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 2 Models
Check Point NGFW
  • authentication-successful
  • database-update
  • dlp-email-alert-in
  • failed-vpn-login
  • file-permission-change
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • security-alert
  • vpn-connection
  • vpn-login
  • vpn-logout
  • web-activity-allowed
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1133 - External Remote Services
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 11 Rules
  • 6 Models
Check Point Security Gateway
  • failed-vpn-login
  • network-connection-failed
  • vpn-login
  • vpn-logout
  • web-activity-allowed
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1133 - External Remote Services
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 11 Rules
  • 6 Models
Check Point Security Gateway Virtual Edition (vSEC)
  • authentication-failed
  • authentication-successful
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 2 Models

Vendor: Cimtrak

Product Event Types MITRE TTP Content
Cimtrak
  • file-write
  • security-alert
 T1204 - User Execution
  • 2 Rules
  • 1 Models

Vendor: Cisco

Product Event Types MITRE TTP Content
AnyConnect
  • failed-vpn-login
  • nac-logon
  • process-created
  • vpn-login
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1105 - Ingress Tool Transfer
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 16 Rules
Cisco Adaptive Security Appliance
  • authentication-successful
  • dlp-email-alert-out
  • file-download
  • print-activity
  • process-created
  • remote-logon
  • security-alert
  • vpn-login
  • vpn-logout
  • web-activity-allowed
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1030 - Data Transfer Size Limits
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1105 - Ingress Tool Transfer
T1133 - External Remote Services
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 27 Rules
  • 7 Models
Cisco Cloud Web Security
  • web-activity-allowed
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 7 Rules
  • 2 Models
Cisco Firepower
  • app-activity
  • app-login
  • authentication-successful
  • config-change
  • dns-query
  • dns-response
  • failed-usb-activity
  • netflow-connection
  • network-connection-failed
  • network-connection-successful
  • print-activity
  • security-alert
  • vpn-login
  • web-activity-allowed
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 8 Rules
  • 2 Models
Cisco ISE
  • account-lockout
  • app-activity
  • authentication-failed
  • computer-logon
  • nac-failed-logon
  • nac-logon
  • network-alert
  • print-activity
  • remote-logon
  • security-alert
  • vpn-login
  • vpn-logout
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1133 - External Remote Services
  • 4 Rules
  • 4 Models
Cisco Meraki MX appliances
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • vpn-login
  • vpn-logout
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1133 - External Remote Services
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 9 Rules
  • 6 Models
Cisco NPE
  • process-created
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1105 - Ingress Tool Transfer
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 16 Rules
Cisco Netflow
  • netflow-connection
 T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1071.002 - Application Layer Protocol: File Transfer Protocols
  • 1 Rules
Cisco Secure Network Analytics
  • vpn-logout
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1133 - External Remote Services
  • 4 Rules
  • 4 Models
Cisco Secure Web Appliance
  • web-activity-allowed
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 7 Rules
  • 2 Models
Cisco Umbrella
  • dns-query
  • dns-response
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 2 Models
Duo Access Security
  • app-login
  • authentication-failed
  • authentication-successful
  • failed-logon
  • file-delete
  • vpn-login
  • vpn-logout
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1133 - External Remote Services
  • 4 Rules
  • 4 Models
IronPort Email
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • network-alert
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 3 Models
IronPort Web Security
  • web-activity-allowed
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 7 Rules
  • 2 Models
Proxy Umbrella
  • app-activity
  • print-activity
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 2 Models

Vendor: Citrix

Product Event Types MITRE TTP Content
Citrix Netscaler
  • app-login
  • authentication-successful
  • database-access
  • remote-logon
  • vpn-login
  • vpn-logout
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1133 - External Remote Services
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 10 Rules
  • 6 Models
Citrix Netscaler VPN
  • app-login
  • authentication-failed
  • dlp-email-alert-in-failed
  • network-connection-failed
  • vpn-login
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 2 Models
Citrix ShareFile
  • app-login
  • failed-app-login
  • file-download
  • file-upload
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 5 Rules
  • 2 Models
Web Logging
  • failed-physical-access
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 2 Models

Vendor: Clearswift SEG

Product Event Types MITRE TTP Content
Clearswift SEG
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • physical-access
 T1048 - Exfiltration Over Alternative Protocol
  • 1 Rules
  • 1 Models

Vendor: Cloudflare

Product Event Types MITRE TTP Content
Cloudflare WAF
  • app-activity
  • network-connection-successful
  • web-activity-allowed
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 7 Rules
  • 2 Models

Vendor: Code42

Product Event Types MITRE TTP Content
Code42 Incydr
  • dlp-email-alert-out
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
  • usb-insert
 T1048 - Exfiltration Over Alternative Protocol
T1204 - User Execution
  • 3 Rules
  • 2 Models

Vendor: CrowdStrike

Product Event Types MITRE TTP Content
Falcon
  • app-activity
  • app-activity-failed
  • app-login
  • authentication-failed
  • batch-logon
  • computer-logon
  • dlp-alert
  • dlp-email-alert-out-failed
  • failed-app-login
  • file-alert
  • file-delete
  • file-download
  • file-read
  • file-write
  • local-logon
  • network-connection-failed
  • network-connection-successful
  • process-alert
  • process-created
  • process-network
  • remote-access
  • remote-logon
  • security-alert
  • service-logon
  • usb-activity
  • usb-insert
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071 - Application Layer Protocol
T1105 - Ingress Tool Transfer
T1204 - User Execution
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 47 Rules
  • 18 Models

Vendor: CyberArk

Product Event Types MITRE TTP Content
CyberArk Vault
  • account-password-change
  • account-password-change-failed
  • account-password-reset
  • account-switch
  • app-activity
  • app-activity-failed
  • app-login
  • computer-logon
  • failed-app-login
  • failed-logon
  • file-delete
  • file-read
  • file-write
  • process-created
  • remote-logon
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1105 - Ingress Tool Transfer
T1204 - User Execution
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 18 Rules
  • 1 Models

Vendor: Darktrace

Product Event Types MITRE TTP Content
Darktrace Enterprise Immune System
  • dlp-alert
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 29 Rules
  • 17 Models

Vendor: Dell

Product Event Types MITRE TTP Content
Dell EMC Isilon
  • app-activity
  • file-delete
  • file-permission-change
  • file-read
  • file-write
 T1204 - User Execution
  • 2 Rules
  • 1 Models
RSA Authentication Manager
  • app-activity
  • app-login
  • authentication-failed
  • authentication-successful
  • dlp-alert
  • failed-vpn-login
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 29 Rules
  • 17 Models

Vendor: Digital Arts

Product Event Types MITRE TTP Content
Digital Arts i-FILTER for Business
  • security-alert
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 2 Models

Vendor: Digital Guardian

Product Event Types MITRE TTP Content
Digital Guardian Endpoint Protection
  • app-login
  • dlp-email-alert-out
  • failed-app-login
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
  • local-logon
  • network-connection-failed
  • network-connection-successful
  • print-activity
  • usb-insert
  • vpn-connection
 T1048 - Exfiltration Over Alternative Protocol
T1204 - User Execution
  • 3 Rules
  • 2 Models
Digital Guardian Network DLP
  • dlp-alert
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 30 Rules
  • 18 Models

Vendor: Dropbox

Product Event Types MITRE TTP Content
Dropbox
  • app-activity
  • app-login
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-write
  • network-connection-failed
 T1204 - User Execution
  • 2 Rules
  • 1 Models

Vendor: Dtex Systems

Product Event Types MITRE TTP Content
DTEX InTERCEPT
  • file-delete
  • file-read
  • file-write
  • local-logon
  • print-activity
  • process-created
  • remote-logon
  • usb-write
  • workstation-locked
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1105 - Ingress Tool Transfer
T1204 - User Execution
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 18 Rules
  • 1 Models

Vendor: ESET

Product Event Types MITRE TTP Content
ESET Endpoint Security
  • app-login
  • authentication-successful
  • failed-ds-access
  • failed-logon
  • network-alert
  • security-alert
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 5 Rules
  • 2 Models

Vendor: ESector

Product Event Types MITRE TTP Content
ESector DEFESA
  • file-read
  • file-write
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1204 - User Execution
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 7 Rules
  • 3 Models

Vendor: EdgeWave

Product Event Types MITRE TTP Content
EdgeWave iPrism
  • security-alert
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 2 Models

Vendor: Egnyte

Product Event Types MITRE TTP Content
Egnyte
  • account-password-reset
  • app-login
  • file-delete
  • file-download
  • file-permission-change
  • file-upload
  • file-write
  • remote-logon
 T1204 - User Execution
  • 2 Rules
  • 1 Models

Vendor: Exabeam

Product Event Types MITRE TTP Content
Exabeam DL
  • account-password-change
  • app-activity
  • app-login
  • dlp-alert
  • failed-app-login
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 29 Rules
  • 17 Models

Vendor: F5

Product Event Types MITRE TTP Content
BIG-IP DNS
  • dns-query
  • vpn-logout
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1133 - External Remote Services
  • 4 Rules
  • 4 Models
F5 Advanced Web Application Firewall (WAF)
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • network-connection-successful
  • print-activity
  • process-created
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1105 - Ingress Tool Transfer
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 17 Rules
  • 1 Models
F5 BIG-IP Access Policy Manager (APM)
  • app-activity
  • authentication-failed
  • authentication-successful
  • process-alert
  • vpn-login
  • vpn-logout
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1133 - External Remote Services
  • 4 Rules
  • 4 Models
F5 BIG-IP Application Security Manager (ASM)
  • app-activity
  • authentication-failed
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 2 Models
WebSafe
  • app-login
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 2 Models

Vendor: FTP

Product Event Types MITRE TTP Content
FTP
  • app-activity
  • app-activity-failed
  • app-login
  • failed-app-login
  • file-delete
  • file-read
  • file-write
 T1204 - User Execution
  • 2 Rules
  • 1 Models

Vendor: FileAuditor

Product Event Types MITRE TTP Content
FileAuditor
  • failed-app-login
  • file-read
  • file-write
 T1204 - User Execution
  • 2 Rules
  • 1 Models

Vendor: FireEye

Product Event Types MITRE TTP Content
FireEye Email Security (EX)
  • dlp-email-alert-out
 T1048 - Exfiltration Over Alternative Protocol
  • 1 Rules
  • 1 Models
FireEye Endpoint Security (HX)
  • file-write
  • process-alert
  • security-alert
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1204 - User Execution
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 7 Rules
  • 3 Models
FireEye Network Security (NX)
  • network-alert
  • security-alert
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 2 Models

Vendor: Forcepoint

Product Event Types MITRE TTP Content
Forcepoint DLP
  • authentication-failed
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • usb-insert
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 30 Rules
  • 18 Models
Forcepoint Email Security
  • dlp-email-alert-in
  • dlp-email-alert-out
 T1048 - Exfiltration Over Alternative Protocol
  • 1 Rules
  • 1 Models
Websense Secure Gateway
  • nac-failed-logon
  • network-connection-failed
  • usb-insert
  • web-activity-allowed
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 7 Rules
  • 2 Models

Vendor: Fortinet

Product Event Types MITRE TTP Content
FortiAuthenticator
  • authentication-successful
  • vpn-logout
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1133 - External Remote Services
  • 4 Rules
  • 4 Models
Fortinet Enterprise Firewall
  • app-activity
  • computer-logon
  • failed-app-login
  • file-write
  • network-connection-successful
  • security-alert
 T1204 - User Execution
  • 2 Rules
  • 1 Models
Fortinet FortiWeb
  • dlp-email-alert-out-failed
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 2 Models
Fortinet UTM
  • app-activity
  • authentication-successful
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • failed-app-login
  • security-alert
  • web-activity-allowed
  • web-activity-denied
 T1020 - Automated Exfiltration
T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1204 - User Execution
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 37 Rules
  • 20 Models
Fortinet VPN
  • failed-vpn-login
  • vpn-login
  • vpn-logout
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1133 - External Remote Services
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 9 Rules
  • 6 Models

Vendor: Gemalto

Product Event Types MITRE TTP Content
Gemalto MFA
  • authentication-successful
  • dlp-alert
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 29 Rules
  • 17 Models

Vendor: Google

Product Event Types MITRE TTP Content
GCP Squid Proxy
  • security-alert
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 2 Models
Gmail
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • vpn-login
 T1048 - Exfiltration Over Alternative Protocol
  • 1 Rules
  • 1 Models
Google Drive
  • app-activity
  • file-delete
  • file-permission-change
  • file-read
  • file-write
 T1204 - User Execution
  • 2 Rules
  • 1 Models
Virtual Private Cloud
  • netflow-connection
 T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1071.002 - Application Layer Protocol: File Transfer Protocols
  • 1 Rules

Vendor: HP

Product Event Types MITRE TTP Content
Aruba Wireless controller
  • account-password-reset
  • computer-logon
  • nac-failed-logon
  • nac-logon
  • network-connection-failed
  • process-created
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1105 - Ingress Tool Transfer
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 16 Rules

Vendor: HashiCorp

Product Event Types MITRE TTP Content
Terraform
  • web-activity-allowed
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 7 Rules
  • 2 Models

Vendor: HelpSystems

Product Event Types MITRE TTP Content
Powertech Identity Access Manager (BoKs)
  • account-switch
  • file-delete
  • file-read
  • file-write
  • local-logon
  • remote-logon
 T1204 - User Execution
  • 2 Rules
  • 1 Models

Vendor: Hornet

Product Event Types MITRE TTP Content
Hornet Email
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • privileged-access
 T1048 - Exfiltration Over Alternative Protocol
  • 1 Rules
  • 1 Models

Vendor: IBM

Product Event Types MITRE TTP Content
IBM Racf
  • app-login
  • authentication-successful
  • database-access
  • failed-app-login
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 5 Rules
  • 2 Models
IBM Security Access Manager
  • usb-insert
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 2 Models
Infosphere Guardium
  • database-alert
  • database-login
  • network-alert
 T1204 - User Execution
  • 1 Rules
  • 1 Models

Vendor: IMSS

Product Event Types MITRE TTP Content
IMSS
  • dlp-alert
  • network-alert
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 29 Rules
  • 17 Models

Vendor: IMSVA

Product Event Types MITRE TTP Content
IMSVA
  • dlp-email-alert-in
  • dlp-email-alert-out
  • network-connection-failed
 T1048 - Exfiltration Over Alternative Protocol
  • 1 Rules
  • 1 Models

Vendor: IPTables

Product Event Types MITRE TTP Content
IPTables
  • network-connection-successful
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 5 Rules
  • 2 Models

Vendor: Imperva

Product Event Types MITRE TTP Content
CounterBreach
  • database-alert
 T1204 - User Execution
  • 1 Rules
  • 1 Models
Imperva File Activity Monitoring (FAM)
  • file-delete
  • file-read
  • file-write
  • print-activity
 T1204 - User Execution
  • 2 Rules
  • 1 Models
Imperva SecureSphere
  • app-login
  • database-alert
  • database-delete
  • database-failed-login
  • database-login
  • database-query
  • database-update
  • network-alert
  • print-activity
  • security-alert
 T1204 - User Execution
  • 1 Rules
  • 1 Models
Incapsula
  • authentication-failed
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 2 Models

Vendor: InfoWatch

Product Event Types MITRE TTP Content
InfoWatch
  • app-login
  • dlp-email-alert-in
  • dlp-email-alert-out
  • file-permission-change
  • print-activity
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 7 Rules
  • 3 Models

Vendor: Infoblox

Product Event Types MITRE TTP Content
Infoblox
  • computer-logon
  • dlp-email-alert-out-failed
  • network-connection-failed
  • network-connection-successful
  • process-created
  • security-alert
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1105 - Ingress Tool Transfer
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 16 Rules

Vendor: Ipswitch

Product Event Types MITRE TTP Content
MoveIt DMZ
  • account-password-change
  • authentication-failed
  • failed-logon
  • file-delete
  • file-download
  • file-upload
  • file-write
  • member-added
  • process-created-failed
 T1204 - User Execution
  • 2 Rules
  • 1 Models

Vendor: Juniper Networks

Product Event Types MITRE TTP Content
Juniper Networks Pulse Secure
  • app-activity
  • authentication-failed
  • authentication-successful
  • failed-app-login
  • failed-vpn-login
  • network-connection-successful
  • vpn-login
  • vpn-logout
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1133 - External Remote Services
  • 4 Rules
  • 4 Models
Juniper SRX
  • authentication-successful
  • config-change
  • failed-vpn-login
  • network-connection-failed
  • network-connection-successful
  • security-alert
  • web-activity-allowed
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 7 Rules
  • 2 Models
Juniper VPN
  • app-activity
  • authentication-failed
  • authentication-successful
  • failed-vpn-login
  • security-alert
  • vpn-login
  • vpn-logout
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1133 - External Remote Services
  • 4 Rules
  • 4 Models

Vendor: Kaspersky

Product Event Types MITRE TTP Content
Kaspersky AV
  • app-activity
  • file-alert
  • security-alert
 T1204 - User Execution
  • 1 Rules
  • 1 Models
Kaspersky Endpoint Security for Business
  • file-alert
  • network-alert
  • security-alert
  • usb-insert
 T1204 - User Execution
  • 1 Rules
  • 1 Models

Vendor: LOGBinder

Product Event Types MITRE TTP Content
SharePoint
  • config-change
  • file-read
  • file-write
 T1204 - User Execution
  • 2 Rules
  • 1 Models

Vendor: LanScope

Product Event Types MITRE TTP Content
LanScope Cat
  • app-activity
  • dlp-alert
  • failed-usb-activity
  • file-write
  • local-logon
  • print-activity
  • process-created
  • process-created-failed
  • process-network
  • usb-activity
  • usb-write
  • web-activity-allowed
  • workstation-locked
  • workstation-unlocked
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1030 - Data Transfer Size Limits
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1105 - Ingress Tool Transfer
T1204 - User Execution
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 53 Rules
  • 20 Models

Vendor: Linux

Product Event Types MITRE TTP Content
Linux CentOs
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 5 Rules
  • 2 Models

Vendor: LogRhythm

Product Event Types MITRE TTP Content
LogRhythm
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 5 Rules
  • 2 Models

Vendor: MariaDB

Product Event Types MITRE TTP Content
MariaDB
  • database-access
  • database-delete
  • database-query
  • database-update
  • dlp-email-alert-out
 T1048 - Exfiltration Over Alternative Protocol
  • 1 Rules
  • 1 Models

Vendor: McAfee

Product Event Types MITRE TTP Content
McAfee DLP
  • dlp-alert
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • print-activity
  • security-alert
  • usb-insert
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 30 Rules
  • 18 Models
McAfee Email Protection
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 30 Rules
  • 18 Models
McAfee Endpoint Security
  • dlp-alert
  • dlp-email-alert-in-failed
  • file-write
  • local-logon
  • network-alert
  • process-alert
  • security-alert
  • usb-insert
  • usb-write
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 31 Rules
  • 18 Models
McAfee IDPS
  • vpn-logout
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1133 - External Remote Services
  • 4 Rules
  • 4 Models
McAfee NSM
  • app-login
  • dlp-alert
  • process-alert
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 29 Rules
  • 17 Models
McAfee Network Security Platform (IPS)
  • dlp-alert
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 29 Rules
  • 17 Models
McAfee Web Gateway
  • alert-iot
  • web-activity-allowed
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 7 Rules
  • 2 Models
Skyhigh Networks CASB
  • account-creation
  • app-activity
  • app-login
  • dlp-alert
  • failed-app-login
  • security-alert
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 29 Rules
  • 17 Models

Vendor: Microsoft

Product Event Types MITRE TTP Content
Advanced Threat Analytics (ATA)
  • process-created
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1105 - Ingress Tool Transfer
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 16 Rules
Exchange
  • app-activity
  • app-activity-failed
  • app-login
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • failed-app-login
  • member-removed
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 30 Rules
  • 18 Models
IIS
  • network-connection-failed
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 2 Models
Microsoft Azure
  • account-password-change
  • account-password-reset
  • app-activity
  • app-activity-failed
  • app-login
  • authentication-failed
  • authentication-successful
  • cloud-admin-activity
  • cloud-admin-activity-failed
  • database-query
  • dlp-email-alert-in-failed
  • dns-response
  • failed-app-login
  • failed-logon
  • failed-usb-activity
  • file-delete
  • file-download
  • file-read
  • file-write
  • member-added
  • member-removed
  • network-connection-failed
  • network-connection-successful
  • privileged-access
  • process-created
  • security-alert
  • storage-activity
  • storage-activity-failed
  • usb-activity
  • usb-insert
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1105 - Ingress Tool Transfer
T1204 - User Execution
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 18 Rules
  • 1 Models
Microsoft Azure Active Directory
  • account-password-change
  • account-unlocked
  • app-activity
  • app-activity-failed
  • app-login
  • dlp-email-alert-out
  • failed-app-login
  • member-added
  • process-created
  • security-alert
  • usb-insert
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1105 - Ingress Tool Transfer
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 17 Rules
  • 1 Models
Microsoft Cloud App Security (MCAS)
  • account-password-change
  • app-activity
  • app-activity-failed
  • app-login
  • failed-app-login
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
  • security-alert
 T1204 - User Execution
  • 2 Rules
  • 1 Models
Microsoft Defender ATP
  • app-login
  • batch-logon
  • file-delete
  • file-write
  • local-logon
  • member-removed
  • network-alert
  • process-alert
  • process-created
  • process-network
  • process-network-failed
  • remote-access
  • remote-logon
  • security-alert
  • usb-write
  • web-activity-denied
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1030 - Data Transfer Size Limits
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1105 - Ingress Tool Transfer
T1204 - User Execution
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 23 Rules
  • 3 Models
Microsoft Office 365
  • account-disabled
  • app-activity
  • app-activity-failed
  • app-login
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • failed-app-login
  • failed-logon
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
  • ntlm-logon
  • process-created
  • remote-logon
  • security-alert
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1105 - Ingress Tool Transfer
T1204 - User Execution
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 19 Rules
  • 2 Models
Microsoft SQL Server
  • database-access
  • database-failed-login
  • database-login
  • database-query
  • failed-app-login
  • file-read
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 5 Rules
  • 2 Models
Microsoft Sysmon
  • app-activity
  • dns-response
  • file-delete
  • process-created
  • process-network
  • web-activity-denied
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1030 - Data Transfer Size Limits
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1105 - Ingress Tool Transfer
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 21 Rules
  • 2 Models
Microsoft Windows
  • account-creation
  • account-deleted
  • account-disabled
  • account-enabled
  • account-lockout
  • account-password-change
  • account-password-reset
  • account-switch
  • account-unlocked
  • app-activity
  • app-login
  • audit-log-clear
  • audit-policy-change
  • authentication-failed
  • authentication-successful
  • computer-logon
  • database-query
  • dcom-activation-failed
  • dlp-alert
  • dlp-email-alert-out-failed
  • dns-query
  • dns-response
  • ds-access
  • failed-app-login
  • failed-logon
  • failed-vpn-login
  • file-close
  • file-delete
  • file-read
  • file-write
  • kerberos-logon
  • local-logon
  • logout-remote
  • member-added
  • member-removed
  • nac-logon
  • netflow-connection
  • network-alert
  • network-connection-failed
  • privileged-access
  • privileged-object-access
  • process-created
  • process-network
  • process-network-failed
  • remote-access
  • remote-logon
  • security-alert
  • service-created
  • service-logon
  • share-access
  • task-created
  • usb-activity
  • usb-write
  • vpn-login
  • vpn-logout
  • web-activity-denied
  • winsession-disconnect
  • workstation-locked
  • workstation-unlocked
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1030 - Data Transfer Size Limits
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1059 - Command and Scripting Interperter
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1105 - Ingress Tool Transfer
T1133 - External Remote Services
T1204 - User Execution
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 57 Rules
  • 24 Models
Web Application Proxy
  • failed-logon
  • network-connection-failed
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 2 Models
Web Application Proxy-TLS Gateway
  • web-activity-allowed
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 7 Rules
  • 2 Models
Windows Defender
  • computer-logon
  • file-alert
  • process-created
  • security-alert
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1105 - Ingress Tool Transfer
T1204 - User Execution
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 17 Rules
  • 1 Models

Vendor: Mimecast

Product Event Types MITRE TTP Content
Mimecast
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • failed-app-login
 T1048 - Exfiltration Over Alternative Protocol
  • 1 Rules
  • 1 Models
Mimecast Email Security
  • account-password-change
  • app-activity
  • app-login
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • failed-app-login
  • network-alert
  • process-alert
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 3 Models
Targeted Threat Protection - URL
  • physical-access
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 2 Models

Vendor: NCP

Product Event Types MITRE TTP Content
NCP
  • authentication-successful
  • vpn-login
  • vpn-logout
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1133 - External Remote Services
  • 4 Rules
  • 4 Models

Vendor: Nasuni

Product Event Types MITRE TTP Content
Nasuni
  • authentication-failed
  • file-delete
  • file-write
 T1204 - User Execution
  • 2 Rules
  • 1 Models

Vendor: NetDocs

Product Event Types MITRE TTP Content
NetDocs
  • app-activity
  • authentication-failed
  • failed-app-login
  • file-read
  • file-write
 T1204 - User Execution
  • 2 Rules
  • 1 Models

Vendor: Netskope

Product Event Types MITRE TTP Content
Netskope Security Cloud
  • app-activity
  • app-login
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-out
  • failed-app-login
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
  • network-connection-failed
  • network-connection-successful
  • process-created
  • security-alert
  • web-activity-allowed
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1030 - Data Transfer Size Limits
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1105 - Ingress Tool Transfer
T1204 - User Execution
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 54 Rules
  • 21 Models

Vendor: Netwrix

Product Event Types MITRE TTP Content
Netwrix Auditor
  • account-disabled
  • account-lockout
  • account-password-reset
  • account-unlocked
  • app-activity
  • app-login
  • database-access
  • database-failed-login
  • dns-query
  • ds-access
  • file-write
  • member-added
  • member-removed
  • nac-logon
  • security-alert
 T1204 - User Execution
  • 2 Rules
  • 1 Models

Vendor: ObserveIT

Product Event Types MITRE TTP Content
ObserveIT
  • app-activity
  • app-login
  • dlp-alert
  • failed-app-login
  • member-added
  • process-created
  • remote-logon
  • security-alert
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071 - Application Layer Protocol
T1105 - Ingress Tool Transfer
T1204 - User Execution
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 45 Rules
  • 17 Models

Vendor: Onapsis

Product Event Types MITRE TTP Content
Onapsis
  • app-login
  • dns-query
  • security-alert
  • vpn-logout
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1133 - External Remote Services
  • 4 Rules
  • 4 Models

Vendor: Oracle

Product Event Types MITRE TTP Content
Oracle Solaris
  • computer-logon
  • process-created
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1105 - Ingress Tool Transfer
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 16 Rules

Vendor: Ordr

Product Event Types MITRE TTP Content
Ordr SCE
  • file-write
 T1204 - User Execution
  • 2 Rules
  • 1 Models

Vendor: Palo Alto Networks

Product Event Types MITRE TTP Content
NGFW
  • account-password-change
  • app-activity
  • authentication-successful
  • config-change
  • dlp-email-alert-out
  • file-alert
  • local-logon
  • network-connection-successful
  • security-alert
  • vpn-login
  • web-activity-allowed
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1204 - User Execution
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 9 Rules
  • 4 Models
Palo Alto Aperture
  • app-login
  • dlp-email-alert-out
  • file-delete
  • file-read
  • file-write
  • network-alert
 T1048 - Exfiltration Over Alternative Protocol
T1204 - User Execution
  • 3 Rules
  • 2 Models

Vendor: Paxton

Product Event Types MITRE TTP Content
NET2DOOR
  • netflow-connection
  • physical-access
 T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1071.002 - Application Layer Protocol: File Transfer Protocols
  • 1 Rules

Vendor: Postfix

Product Event Types MITRE TTP Content
Postfix
  • app-activity-failed
  • dlp-email-alert-in
  • dlp-email-alert-out
 T1048 - Exfiltration Over Alternative Protocol
  • 1 Rules
  • 1 Models

Vendor: Proofpoint

Product Event Types MITRE TTP Content
Proofpoint CASB
  • dlp-alert
  • network-alert
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 29 Rules
  • 17 Models
Proofpoint DLP
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 30 Rules
  • 18 Models
Proofpoint Enterprise Protection
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
 T1048 - Exfiltration Over Alternative Protocol
  • 1 Rules
  • 1 Models
Proofpoint TAP
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
 T1048 - Exfiltration Over Alternative Protocol
  • 1 Rules
  • 1 Models
Proofpoint TAP/POD
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • security-alert
 T1048 - Exfiltration Over Alternative Protocol
  • 1 Rules
  • 1 Models

Vendor: Quest Software

Product Event Types MITRE TTP Content
Change Auditor
  • account-lockout
  • account-unlocked
  • ds-access
  • failed-app-login
  • file-delete
  • file-write
  • local-logon
  • member-added
  • member-removed
  • nac-failed-logon
  • physical-access
  • remote-logon
  • security-alert
 T1204 - User Execution
  • 2 Rules
  • 1 Models

Vendor: RSA

Product Event Types MITRE TTP Content
RSA DLP
  • dlp-alert
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 29 Rules
  • 17 Models

Vendor: RangerAudit

Product Event Types MITRE TTP Content
RangerAudit
  • app-activity
  • app-login
  • database-activity-failed
  • database-query
  • dlp-alert
  • file-read
  • file-write
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 31 Rules
  • 18 Models

Vendor: Rapid7

Product Event Types MITRE TTP Content
InsightVM
  • process-created
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1105 - Ingress Tool Transfer
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 16 Rules
Nexpose
  • process-created
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1105 - Ingress Tool Transfer
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 16 Rules

Vendor: Red Canary

Product Event Types MITRE TTP Content
Red Canary
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 5 Rules
  • 2 Models

Vendor: SFTP

Product Event Types MITRE TTP Content
SFTP
  • app-activity
  • app-login
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
 T1204 - User Execution
  • 2 Rules
  • 1 Models

Vendor: SIGSCI

Product Event Types MITRE TTP Content
SIGSCI
  • file-download
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 2 Models

Vendor: SSL Open VPN

Product Event Types MITRE TTP Content
SSL Open VPN
  • app-activity
  • authentication-failed
  • authentication-successful
  • failed-app-login
  • failed-vpn-login
  • network-alert
  • vpn-login
  • vpn-logout
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1133 - External Remote Services
  • 4 Rules
  • 4 Models

Vendor: Sailpoint

Product Event Types MITRE TTP Content
FAM
  • account-lockout
  • file-delete
  • file-read
  • file-write
 T1204 - User Execution
  • 2 Rules
  • 1 Models
IdentityNow
  • account-password-change
  • account-password-change-failed
  • app-activity
  • app-login
  • authentication-successful
  • vpn-logout
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1133 - External Remote Services
  • 4 Rules
  • 4 Models
SecurityIQ
  • account-creation
  • account-deleted
  • account-lockout
  • account-password-reset
  • dlp-email-alert-in-failed
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
  • member-added
  • member-removed
 T1204 - User Execution
  • 2 Rules
  • 1 Models

Vendor: Sangfor

Product Event Types MITRE TTP Content
NGAF
  • network-alert
  • web-activity-allowed
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 7 Rules
  • 2 Models

Vendor: Sensormatik

Product Event Types MITRE TTP Content
Sensormatik
  • dlp-email-alert-out
  • physical-access
 T1048 - Exfiltration Over Alternative Protocol
  • 1 Rules
  • 1 Models

Vendor: SentinelOne

Product Event Types MITRE TTP Content
SentinelOne
  • app-activity
  • dns-query
  • dns-response
  • file-alert
  • file-delete
  • file-read
  • file-write
  • network-connection-failed
  • network-connection-successful
  • process-created
  • security-alert
  • web-activity-allowed
  • web-activity-denied
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1030 - Data Transfer Size Limits
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1105 - Ingress Tool Transfer
T1204 - User Execution
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 25 Rules
  • 3 Models

Vendor: ServiceNow

Product Event Types MITRE TTP Content
ServiceNow
  • account-switch
  • app-login
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
  • security-alert
  • storage-access
 T1204 - User Execution
  • 2 Rules
  • 1 Models

Vendor: SkySea

Product Event Types MITRE TTP Content
ClientView
  • app-activity
  • app-login
  • computer-logon
  • dlp-email-alert-out
  • dns-query
  • file-delete
  • file-read
  • file-upload
  • file-write
  • security-alert
  • usb-activity
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1204 - User Execution
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 9 Rules
  • 4 Models

Vendor: Sonicwall

Product Event Types MITRE TTP Content
Sonicwall
  • failed-logon
  • failed-vpn-login
  • network-alert
  • vpn-login
  • vpn-logout
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1133 - External Remote Services
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 10 Rules
  • 6 Models

Vendor: Sophos

Product Event Types MITRE TTP Content
Sophos Endpoint Protection
  • app-activity-failed
  • dlp-alert
  • failed-app-login
  • network-connection-successful
  • security-alert
  • usb-insert
  • usb-write
  • web-activity-denied
 T1020 - Automated Exfiltration
T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1204 - User Execution
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 34 Rules
  • 19 Models
Sophos UTM
  • web-activity-allowed
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 7 Rules
  • 2 Models
Sophos XG Firewall
  • authentication-successful
  • failed-vpn-login
  • network-connection-failed
  • network-connection-successful
  • vpn-login
  • web-activity-allowed
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 7 Rules
  • 2 Models

Vendor: Splunk

Product Event Types MITRE TTP Content
Splunk Stream
  • dlp-alert
  • dns-response
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 29 Rules
  • 17 Models

Vendor: Squid

Product Event Types MITRE TTP Content
Squid
  • web-activity-allowed
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 7 Rules
  • 2 Models

Vendor: StealthBits

Product Event Types MITRE TTP Content
StealthIntercept
  • account-disabled
  • account-enabled
  • authentication-successful
  • ds-access
  • file-read
  • file-write
  • member-added
  • member-removed
  • network-connection-failed
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1204 - User Execution
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 8 Rules
  • 3 Models

Vendor: Swipes

Product Event Types MITRE TTP Content
Swipes
  • vpn-logout
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1133 - External Remote Services
  • 4 Rules
  • 4 Models

Vendor: Swivel

Product Event Types MITRE TTP Content
Swivel
  • app-login
  • file-upload
  • vpn-logout
 T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1133 - External Remote Services
  • 4 Rules
  • 4 Models

Vendor: Sybase

Product Event Types MITRE TTP Content
Sybase
  • database-login
  • dlp-email-alert-out
  • security-alert
 T1048 - Exfiltration Over Alternative Protocol
  • 1 Rules
  • 1 Models

Vendor: Symantec

Product Event Types MITRE TTP Content
Symantec Blue Coat ProxySG Appliance
  • web-activity-allowed
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 7 Rules
  • 2 Models
Symantec Brightmail
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 30 Rules
  • 18 Models
Symantec CloudSOC
  • app-login
  • dlp-alert
  • failed-app-login
  • file-delete
  • file-download
  • file-upload
  • usb-insert
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 29 Rules
  • 17 Models
Symantec Critical System Protection
  • account-switch
  • config-change
  • dlp-alert
  • failed-logon
  • local-logon
  • member-added
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 29 Rules
  • 17 Models
Symantec DLP
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • ds-access
  • failed-logon
  • security-alert
  • usb-activity
  • usb-read
  • usb-write
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 30 Rules
  • 18 Models
Symantec EDR
  • failed-logon
  • file-alert
  • file-delete
  • file-write
  • remote-logon
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1204 - User Execution
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 7 Rules
  • 3 Models
Symantec Email Security.cloud
  • app-activity
  • dlp-email-alert-in
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • process-created-failed
  • security-alert
 T1048 - Exfiltration Over Alternative Protocol
  • 1 Rules
  • 1 Models
Symantec Fireglass
  • failed-physical-access
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 2 Models
Symantec Secure Web Gateway
  • web-activity-allowed
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 7 Rules
  • 2 Models
Symantec WSS
  • process-created
  • web-activity-allowed
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1030 - Data Transfer Size Limits
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1105 - Ingress Tool Transfer
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 22 Rules
  • 2 Models

Vendor: Tanium

Product Event Types MITRE TTP Content
Endpoint Platform
  • authentication-failed
  • authentication-successful
  • file-write
  • process-created
  • security-alert
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1105 - Ingress Tool Transfer
T1204 - User Execution
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 18 Rules
  • 1 Models

Vendor: Teradata

Product Event Types MITRE TTP Content
Teradata RDBMS
  • database-login
  • dlp-alert
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 29 Rules
  • 17 Models

Vendor: Thycotic Secret Server

Product Event Types MITRE TTP Content
Thycotic Secret Server
  • account-switch
  • app-login
  • failed-app-login
  • file-alert
 T1204 - User Execution
  • 1 Rules
  • 1 Models

Vendor: TitanFTP

Product Event Types MITRE TTP Content
TitanFTP
  • file-delete
  • file-read
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 5 Rules
  • 2 Models

Vendor: Trend Micro

Product Event Types MITRE TTP Content
Apex One
  • app-login
  • dlp-email-alert-in
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • security-alert
 T1048 - Exfiltration Over Alternative Protocol
  • 1 Rules
  • 1 Models
Deep Discovery Email Inspector
  • dlp-alert
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 29 Rules
  • 17 Models
InterScan Web Security
  • account-password-change
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 2 Models
OfficeScan
  • account-password-change
  • dlp-alert
  • dlp-email-alert-out
  • security-alert
  • usb-insert
  • usb-read
  • web-activity-denied
 T1020 - Automated Exfiltration
T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1204 - User Execution
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 35 Rules
  • 20 Models

Vendor: USB

Product Event Types MITRE TTP Content
USB
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 5 Rules
  • 2 Models

Vendor: Unix

Product Event Types MITRE TTP Content
Auditbeat
  • app-activity
  • app-activity-failed
  • app-login
  • process-created-failed
  • process-network
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 5 Rules
  • 2 Models
Unix
  • account-creation
  • account-deleted
  • account-password-reset
  • app-activity-failed
  • authentication-failed
  • authentication-successful
  • batch-logon
  • config-change
  • database-access
  • database-query
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • failed-app-login
  • failed-logon
  • file-permission-change
  • file-read
  • kerberos-logon
  • local-logon
  • member-added
  • member-removed
  • netflow-connection
  • network-alert
  • process-created
  • process-created-failed
  • remote-logon
  • security-alert
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1059 - Command and Scripting Interperter
T1071 - Application Layer Protocol
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1105 - Ingress Tool Transfer
T1204 - User Execution
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 47 Rules
  • 18 Models
Unix Auditd
  • account-creation
  • account-deleted
  • app-activity
  • app-activity-failed
  • authentication-failed
  • authentication-successful
  • config-change
  • database-login
  • dlp-alert
  • failed-logon
  • local-logon
  • member-added
  • member-removed
  • process-created
  • process-created-failed
  • remote-logon
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071 - Application Layer Protocol
T1105 - Ingress Tool Transfer
T1204 - User Execution
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 45 Rules
  • 17 Models
Unix Privilege Management
  • dlp-alert
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1204 - User Execution
  • 29 Rules
  • 17 Models
Unix Sendmail
  • authentication-failed
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
 T1048 - Exfiltration Over Alternative Protocol
  • 1 Rules
  • 1 Models

Vendor: VMware

Product Event Types MITRE TTP Content
Carbon Black
  • process-created
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1105 - Ingress Tool Transfer
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 16 Rules
Carbon Black EDR
  • file-read
  • file-write
  • process-created
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1105 - Ingress Tool Transfer
T1204 - User Execution
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 18 Rules
  • 1 Models
NSX FW
  • network-connection-successful
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 2 Models
VMware Carbon Black App Control
  • app-activity
  • batch-logon
  • dlp-email-alert-out-failed
  • failed-physical-access
  • file-alert
  • file-delete
  • file-write
  • local-logon
  • process-alert
  • process-created
  • security-alert
  • usb-write
  • workstation-locked
  • workstation-unlocked
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1105 - Ingress Tool Transfer
T1204 - User Execution
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 18 Rules
  • 1 Models
VMware Carbon Black Cloud Endpoint Standard
  • config-change
  • file-write
  • network-connection-failed
  • network-connection-successful
  • process-created
  • process-created-failed
  • security-alert
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1105 - Ingress Tool Transfer
T1204 - User Execution
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 18 Rules
  • 1 Models

Vendor: Varonis

Product Event Types MITRE TTP Content
Data Security Platform
  • file-delete
  • file-permission-change
  • file-read
  • file-write
  • network-alert
 T1204 - User Execution
  • 2 Rules
  • 1 Models

Vendor: Watchguard

Product Event Types MITRE TTP Content
Watchguard
  • app-activity-failed
  • network-alert
  • network-connection-successful
  • web-activity-allowed
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 6 Rules
  • 2 Models

Vendor: Workday

Product Event Types MITRE TTP Content
Workday
  • account-password-change
  • app-login
  • failed-app-login
  • file-write
 T1204 - User Execution
  • 2 Rules
  • 1 Models

Vendor: Zeek

Product Event Types MITRE TTP Content
Zeek Network Security Monitor
  • app-activity
  • app-login
  • authentication-failed
  • authentication-successful
  • computer-logon
  • dlp-alert
  • dlp-email-alert-in
  • dns-query
  • dns-response
  • failed-logon
  • file-delete
  • file-read
  • file-write
  • kerberos-logon
  • nac-failed-logon
  • nac-logon
  • network-alert
  • network-connection-successful
  • ntlm-logon
  • remote-logon
  • share-access
  • web-activity-allowed
  • web-activity-denied
 T1020 - Automated Exfiltration
T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1204 - User Execution
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 38 Rules
  • 20 Models

Vendor: Zscaler

Product Event Types MITRE TTP Content
Zscaler Internet Access
  • database-update
  • dlp-alert
  • image-loaded
  • network-connection-failed
  • network-connection-successful
  • web-activity-allowed
  • web-activity-denied
 T1020 - Automated Exfiltration
T1030 - Data Transfer Size Limits
T1048 - Exfiltration Over Alternative Protocol
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1204 - User Execution
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 36 Rules
  • 19 Models
Zscaler Private Access
  • process-created
  • vpn-login
 T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1105 - Ingress Tool Transfer
T1505.003 - Server Software Component: Web Shell
T1552.001 - T1552.001
T1560 - Archive Collected Data
  • 16 Rules

Vendor: eDocs

Product Event Types MITRE TTP Content
eDocs
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 5 Rules
  • 2 Models

Vendor: iManage

Product Event Types MITRE TTP Content
iManage
  • app-activity
  • authentication-failed
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 5 Rules
  • 2 Models

Vendor: xsuite

Product Event Types MITRE TTP Content
xsuite
  • web-activity-denied
 T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
  • 5 Rules
  • 2 Models