uc_physical_security.md

Use Case: Physical Security

Vendor: AMAG

Product	Event Types	MITRE TTP	Content
Symmetry Access Control	dlp-alert failed-physical-access physical-access	T1078 - Valid Accounts	8 Rules 3 Models

Vendor: AccessIT

Product	Event Types	MITRE TTP	Content
Universal.NET	physical-access	T1078 - Valid Accounts	8 Rules 3 Models

Vendor: Badge

Product	Event Types	MITRE TTP	Content
Badge	database-failed-login failed-physical-access physical-access	T1078 - Valid Accounts	8 Rules 3 Models

Vendor: Badgepoint

Product	Event Types	MITRE TTP	Content
Badgepoint	authentication-failed physical-access	T1078 - Valid Accounts	8 Rules 3 Models

Vendor: BeyondTrust

Product	Event Types	MITRE TTP	Content
BeyondTrust	dlp-email-alert-out-failed failed-physical-access	T1078 - Valid Accounts	5 Rules 3 Models
BeyondTrust Privileged Identity	account-switch app-activity app-login authentication-successful dlp-alert failed-app-login failed-physical-access	T1078 - Valid Accounts	5 Rules 3 Models
BeyondTrust Secure Remote Access	app-login failed-app-login failed-physical-access	T1078 - Valid Accounts	5 Rules 3 Models

Vendor: Brivo

Product	Event Types	MITRE TTP	Content
Brivo	database-delete physical-access	T1078 - Valid Accounts	8 Rules 3 Models

Vendor: Cisco

Product	Event Types	MITRE TTP	Content
Cisco Secure Email	dlp-email-alert-in failed-usb-activity physical-access	T1078 - Valid Accounts	8 Rules 3 Models

Vendor: Citrix

Product	Event Types	MITRE TTP	Content
Web Logging	failed-physical-access web-activity-allowed	T1078 - Valid Accounts	5 Rules 3 Models

Vendor: Clearswift SEG

Product	Event Types	MITRE TTP	Content
Clearswift SEG	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out physical-access	T1078 - Valid Accounts	8 Rules 3 Models

Vendor: Datawatch Systems

Product	Event Types	MITRE TTP	Content
DataWatch	failed-physical-access physical-access	T1078 - Valid Accounts	8 Rules 3 Models

Vendor: Fidelis

Product	Event Types	MITRE TTP	Content
Fidelis Network	failed-logon failed-physical-access	T1078 - Valid Accounts	5 Rules 3 Models
Fidelis XPS	dlp-email-alert-in failed-physical-access security-alert	T1078 - Valid Accounts	5 Rules 3 Models

Vendor: Galaxy

Product	Event Types	MITRE TTP	Content
Galaxy	physical-access print-activity	T1078 - Valid Accounts	8 Rules 3 Models

Vendor: Generic Badge Access

Product	Event Types	MITRE TTP	Content
Generic Badge Access	failed-physical-access physical-access	T1078 - Valid Accounts	8 Rules 3 Models

Vendor: Honeywell

Product	Event Types	MITRE TTP	Content
Honeywell Pro-Watch	account-creation physical-access	T1078 - Valid Accounts	8 Rules 3 Models
Honeywell WIN-PAK	physical-access	T1078 - Valid Accounts	8 Rules 3 Models

Vendor: IBM

Product	Event Types	MITRE TTP	Content
IBM DB2	authentication-failed failed-physical-access file-read remote-logon	T1078 - Valid Accounts	5 Rules 3 Models

Vendor: ICDB

Product	Event Types	MITRE TTP	Content
ICDB	failed-physical-access	T1078 - Valid Accounts	5 Rules 3 Models

Vendor: Lenel

Product	Event Types	MITRE TTP	Content
Lenel OnGuard	failed-physical-access physical-access	T1078 - Valid Accounts	8 Rules 3 Models
OnGuard	failed-physical-access physical-access security-alert	T1078 - Valid Accounts	8 Rules 3 Models

Vendor: Lyrix

Product	Event Types	MITRE TTP	Content
Lyrix	app-activity physical-access	T1078 - Valid Accounts	8 Rules 3 Models

Vendor: MasterSAM

Product	Event Types	MITRE TTP	Content
MasterSAM PAM	authentication-failed authentication-successful failed-physical-access remote-logon	T1078 - Valid Accounts	5 Rules 3 Models

Vendor: McAfee

Product	Event Types	MITRE TTP	Content
McAfee Advanced Threat Defense	failed-physical-access	T1078 - Valid Accounts	5 Rules 3 Models

Vendor: Mimecast

Product	Event Types	MITRE TTP	Content
Targeted Threat Protection - URL	physical-access web-activity-allowed	T1078 - Valid Accounts	8 Rules 3 Models

Vendor: NetIQ

Product	Event Types	MITRE TTP	Content
NetIQ	app-login failed-physical-access	T1078 - Valid Accounts	5 Rules 3 Models

Vendor: Oracle

Product	Event Types	MITRE TTP	Content
Oracle	failed-physical-access	T1078 - Valid Accounts	5 Rules 3 Models
Oracle Access Manager	app-activity app-login authentication-successful failed-app-login failed-physical-access physical-access	T1078 - Valid Accounts	8 Rules 3 Models
Oracle DB	database-access database-failed-login database-login database-query database-update failed-physical-access local-logon	T1078 - Valid Accounts	5 Rules 3 Models

Vendor: Palo Alto Networks

Product	Event Types	MITRE TTP	Content
GlobalProtect	authentication-failed authentication-successful failed-vpn-login network-alert physical-access remote-logon security-alert vpn-login	T1078 - Valid Accounts	8 Rules 3 Models

Vendor: Paxton

Product	Event Types	MITRE TTP	Content
NET2DOOR	netflow-connection physical-access	T1078 - Valid Accounts	8 Rules 3 Models

Vendor: PicturePerfect

Product	Event Types	MITRE TTP	Content
PicturePerfect	failed-physical-access	T1078 - Valid Accounts	5 Rules 3 Models

Vendor: Quest Software

Product	Event Types	MITRE TTP	Content
Change Auditor	account-lockout account-unlocked ds-access failed-app-login file-delete file-write local-logon member-added member-removed nac-failed-logon physical-access remote-logon security-alert	T1078 - Valid Accounts	8 Rules 3 Models

Vendor: RS2

Product	Event Types	MITRE TTP	Content
RS2	app-login physical-access	T1078 - Valid Accounts	8 Rules 3 Models
RS2 Technologies	authentication-failed physical-access	T1078 - Valid Accounts	8 Rules 3 Models

Vendor: RSA

Product	Event Types	MITRE TTP	Content
RSA ECAT	failed-physical-access	T1078 - Valid Accounts	5 Rules 3 Models

Vendor: RedCloud

Product	Event Types	MITRE TTP	Content
RedCloud	failed-physical-access	T1078 - Valid Accounts	5 Rules 3 Models

Vendor: RightCrowd

Product	Event Types	MITRE TTP	Content
RightCrowd	authentication-failed failed-physical-access	T1078 - Valid Accounts	5 Rules 3 Models

Vendor: Sensormatik

Product	Event Types	MITRE TTP	Content
Sensormatik	dlp-email-alert-out physical-access	T1078 - Valid Accounts	8 Rules 3 Models

Vendor: Siemens

Product	Event Types	MITRE TTP	Content
Siemens	authentication-successful failed-physical-access physical-access	T1078 - Valid Accounts	8 Rules 3 Models

Vendor: Symantec

Product	Event Types	MITRE TTP	Content
Symantec Fireglass	failed-physical-access web-activity-allowed	T1078 - Valid Accounts	5 Rules 3 Models

Vendor: TimeLox

Product	Event Types	MITRE TTP	Content
TimeLox	failed-physical-access physical-access	T1078 - Valid Accounts	8 Rules 3 Models

Vendor: Tyco

Product	Event Types	MITRE TTP	Content
CCURE Building Management System	app-activity app-login dns-response failed-physical-access	T1078 - Valid Accounts	5 Rules 3 Models

Vendor: VMware

Product	Event Types	MITRE TTP	Content
VMware Carbon Black App Control	app-activity batch-logon dlp-email-alert-out-failed failed-physical-access file-alert file-delete file-write local-logon process-alert process-created security-alert usb-write workstation-locked workstation-unlocked	T1078 - Valid Accounts	5 Rules 3 Models

Vendor: Vanderbilt

Product	Event Types	MITRE TTP	Content
Vanderbilt	physical-access	T1078 - Valid Accounts	8 Rules 3 Models

Vendor: Vectra

Product	Event Types	MITRE TTP	Content
Vectra Cognito Stream	failed-physical-access	T1078 - Valid Accounts	5 Rules 3 Models

Vendor: Viscount

Product	Event Types	MITRE TTP	Content
Viscount	physical-access	T1078 - Valid Accounts	8 Rules 3 Models

Vendor: Visma

Product	Event Types	MITRE TTP	Content
Megaflex	app-activity-failed physical-access	T1078 - Valid Accounts	8 Rules 3 Models