Use Case: Destruction of Data

Vendor: Abnormal Security

Product	Event Types	MITRE TTP	Content
Abnormal Security	database-access file-delete	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: Accellion

Product	Event Types	MITRE TTP	Content
Kiteworks	account-password-change account-password-reset account-unlocked app-activity app-login dlp-email-alert-out failed-app-login file-alert file-delete file-download file-permission-change file-read file-upload file-write security-alert	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: Airlock

Product	Event Types	MITRE TTP	Content
Airlock	app-activity-failed app-login database-query failed-app-login file-delete file-download file-upload file-write network-connection-successful	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: Akamai

Product	Event Types	MITRE TTP	Content
Cloud Akamai	file-delete web-activity-allowed	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: Apache

Product	Event Types	MITRE TTP	Content
Apache Subversion	app-activity-failed file-delete	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: BlackBerry

Product	Event Types	MITRE TTP	Content
BlackBerry Protect	app-activity file-delete security-alert vpn-logout	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: Box

Product	Event Types	MITRE TTP	Content
Box Cloud Content Management	app-activity app-activity-failed file-delete file-download file-permission-change file-read file-upload file-write print-activity	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: Centrify

Product	Event Types	MITRE TTP	Content
Centrify Zero Trust Privilege Services	app-activity app-login failed-app-login file-delete	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: Cisco

Product	Event Types	MITRE TTP	Content
Duo Access Security	app-login authentication-failed authentication-successful failed-logon file-delete vpn-login vpn-logout	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: Code42

Product	Event Types	MITRE TTP	Content
Code42 Incydr	dlp-email-alert-out file-delete file-download file-read file-upload file-write usb-insert	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: CrowdStrike

Product	Event Types	MITRE TTP	Content
Falcon	app-activity app-activity-failed app-login authentication-failed batch-logon computer-logon dlp-alert dlp-email-alert-out-failed failed-app-login file-alert file-delete file-download file-read file-write local-logon network-connection-failed network-connection-successful process-alert process-created process-network remote-access remote-logon security-alert service-logon usb-activity usb-insert	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: CyberArk

Product	Event Types	MITRE TTP	Content
CyberArk Endpoint Privilege Management	file-delete network-alert	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules
CyberArk Vault	account-password-change account-password-change-failed account-password-reset account-switch app-activity app-activity-failed app-login computer-logon failed-app-login failed-logon file-delete file-read file-write process-created remote-logon	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: Dell

Product	Event Types	MITRE TTP	Content
Dell EMC Isilon	app-activity file-delete file-permission-change file-read file-write	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: Digital Guardian

Product	Event Types	MITRE TTP	Content
Digital Guardian Endpoint Protection	app-login dlp-email-alert-out failed-app-login file-delete file-download file-read file-upload file-write local-logon network-connection-failed network-connection-successful print-activity usb-insert vpn-connection	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: Dropbox

Product	Event Types	MITRE TTP	Content
Dropbox	app-activity app-login file-delete file-download file-permission-change file-read file-write network-connection-failed	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: Dtex Systems

Product	Event Types	MITRE TTP	Content
DTEX InTERCEPT	file-delete file-read file-write local-logon print-activity process-created remote-logon usb-write workstation-locked	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: Egnyte

Product	Event Types	MITRE TTP	Content
Egnyte	account-password-reset app-login file-delete file-download file-permission-change file-upload file-write remote-logon	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: FTP

Product	Event Types	MITRE TTP	Content
FTP	app-activity app-activity-failed app-login failed-app-login file-delete file-read file-write	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: GoAnywhere

Product	Event Types	MITRE TTP	Content
GoAnywhere MFT	dlp-email-alert-out-failed failed-logon file-delete file-download remote-logon	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: Google

Product	Event Types	MITRE TTP	Content
Google Drive	app-activity file-delete file-permission-change file-read file-write	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: HelpSystems

Product	Event Types	MITRE TTP	Content
Powertech Identity Access Manager (BoKs)	account-switch file-delete file-read file-write local-logon remote-logon	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: Imperva

Product	Event Types	MITRE TTP	Content
Imperva File Activity Monitoring (FAM)	file-delete file-read file-write print-activity	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: Ipswitch

Product	Event Types	MITRE TTP	Content
MoveIt DMZ	account-password-change authentication-failed failed-logon file-delete file-download file-upload file-write member-added process-created-failed	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: Microsoft

Product	Event Types	MITRE TTP	Content
Microsoft Azure	account-password-change account-password-reset app-activity app-activity-failed app-login authentication-failed authentication-successful cloud-admin-activity cloud-admin-activity-failed database-query dlp-email-alert-in-failed dns-response failed-app-login failed-logon failed-usb-activity file-delete file-download file-read file-write member-added member-removed network-connection-failed network-connection-successful privileged-access process-created security-alert storage-activity storage-activity-failed usb-activity usb-insert	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules
Microsoft Cloud App Security (MCAS)	account-password-change app-activity app-activity-failed app-login failed-app-login file-delete file-download file-read file-upload file-write security-alert	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules
Microsoft Defender ATP	app-login batch-logon file-delete file-write local-logon member-removed network-alert process-alert process-created process-network process-network-failed remote-access remote-logon security-alert usb-write web-activity-denied	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules
Microsoft Office 365	account-disabled app-activity app-activity-failed app-login dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-app-login failed-logon file-delete file-download file-permission-change file-read file-upload file-write ntlm-logon process-created remote-logon security-alert	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules
Microsoft Sysmon	app-activity dns-response file-delete process-created process-network web-activity-denied	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules
Microsoft Windows	account-creation account-deleted account-disabled account-enabled account-lockout account-password-change account-password-reset account-switch account-unlocked app-activity app-login audit-log-clear audit-policy-change authentication-failed authentication-successful computer-logon database-query dcom-activation-failed dlp-alert dlp-email-alert-out-failed dns-query dns-response ds-access failed-app-login failed-logon failed-vpn-login file-close file-delete file-read file-write kerberos-logon local-logon logout-remote member-added member-removed nac-logon netflow-connection network-alert network-connection-failed privileged-access privileged-object-access process-created process-network process-network-failed remote-access remote-logon security-alert service-created service-logon share-access task-created usb-activity usb-write vpn-login vpn-logout web-activity-denied winsession-disconnect workstation-locked workstation-unlocked	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: Nasuni

Product	Event Types	MITRE TTP	Content
Nasuni	authentication-failed file-delete file-write	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: NetApp

Product	Event Types	MITRE TTP	Content
NetApp	app-activity file-delete file-read security-alert	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: Netskope

Product	Event Types	MITRE TTP	Content
Netskope Security Cloud	app-activity app-login dlp-alert dlp-email-alert-in dlp-email-alert-out failed-app-login file-delete file-download file-permission-change file-read file-upload file-write network-connection-failed network-connection-successful process-created security-alert web-activity-allowed	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: Palo Alto Networks

Product	Event Types	MITRE TTP	Content
Palo Alto Aperture	app-login dlp-email-alert-out file-delete file-read file-write network-alert	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: Quest Software

Product	Event Types	MITRE TTP	Content
Change Auditor	account-lockout account-unlocked ds-access failed-app-login file-delete file-write local-logon member-added member-removed nac-failed-logon physical-access remote-logon security-alert	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: SFTP

Product	Event Types	MITRE TTP	Content
SFTP	app-activity app-login file-delete file-download file-read file-upload file-write	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: Sailpoint

Product	Event Types	MITRE TTP	Content
FAM	account-lockout file-delete file-read file-write	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules
SecurityIQ	account-creation account-deleted account-lockout account-password-reset dlp-email-alert-in-failed file-delete file-download file-permission-change file-read file-upload file-write member-added member-removed	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: SentinelOne

Product	Event Types	MITRE TTP	Content
SentinelOne	app-activity dns-query dns-response file-alert file-delete file-read file-write network-connection-failed network-connection-successful process-created security-alert web-activity-allowed web-activity-denied	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: ServiceNow

Product	Event Types	MITRE TTP	Content
ServiceNow	account-switch app-login file-delete file-download file-read file-upload file-write security-alert storage-access	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: SkySea

Product	Event Types	MITRE TTP	Content
ClientView	app-activity app-login computer-logon dlp-email-alert-out dns-query file-delete file-read file-upload file-write security-alert usb-activity web-activity-allowed	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: Symantec

Product	Event Types	MITRE TTP	Content
Symantec CloudSOC	app-login dlp-alert failed-app-login file-delete file-download file-upload usb-insert	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules
Symantec EDR	failed-logon file-alert file-delete file-write remote-logon web-activity-denied	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: TitanFTP

Product	Event Types	MITRE TTP	Content
TitanFTP	file-delete file-read web-activity-denied	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: VMware

Product	Event Types	MITRE TTP	Content
VMware Carbon Black App Control	app-activity batch-logon dlp-email-alert-out-failed failed-physical-access file-alert file-delete file-write local-logon process-alert process-created security-alert usb-write workstation-locked workstation-unlocked	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: Varonis

Product	Event Types	MITRE TTP	Content
Data Security Platform	file-delete file-permission-change file-read file-write network-alert	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Vendor: Zeek

Product	Event Types	MITRE TTP	Content
Zeek Network Security Monitor	app-activity app-login authentication-failed authentication-successful computer-logon dlp-alert dlp-email-alert-in dns-query dns-response failed-logon file-delete file-read file-write kerberos-logon nac-failed-logon nac-logon network-alert network-connection-successful ntlm-logon remote-logon share-access web-activity-allowed web-activity-denied	T1070.004 - Indicator Removal on Host: File Deletion	1 Rules

Files

uc_destruction_of_data.md

Latest commit

History

uc_destruction_of_data.md

File metadata and controls

Use Case: Destruction of Data

Vendor: Abnormal Security

Vendor: Accellion

Vendor: Airlock

Vendor: Akamai

Vendor: Apache

Vendor: BlackBerry

Vendor: Box

Vendor: Centrify

Vendor: Cisco

Vendor: Code42

Vendor: CrowdStrike

Vendor: CyberArk

Vendor: Dell

Vendor: Digital Guardian

Vendor: Dropbox

Vendor: Dtex Systems

Vendor: Egnyte

Vendor: FTP

Vendor: GoAnywhere

Vendor: Google

Vendor: HelpSystems

Vendor: Imperva

Vendor: Ipswitch

Vendor: Microsoft

Vendor: Nasuni

Vendor: NetApp

Vendor: Netskope

Vendor: Palo Alto Networks

Vendor: Quest Software

Vendor: SFTP

Vendor: Sailpoint

Vendor: SentinelOne

Vendor: ServiceNow

Vendor: SkySea

Vendor: Symantec

Vendor: TitanFTP

Vendor: VMware

Vendor: Varonis

Vendor: Zeek