uc_privilege_escalation.md

Use Case: Privilege Escalation

Vendor: AMAG

Product | Event Types | MITRE TTP | Content
Symmetry Access Control
  • dlp-alert
  • failed-physical-access
  • physical-access
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
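Every vendor entry on this page has the same shape: a product, the event types it feeds, the ATT&CK techniques the content maps to, and the rule and model counts. The Python below is an added example, not part of the original file or of the vendor content it catalogs: it parses entries in that flattened layout into records and answers the two questions a detection engineer usually brings to such a catalog, which products map to a given technique (optionally counting its sub-techniques) and which techniques on a wish-list have no content at all. The two sample entries are copied from this page; the `parse_catalog`, `coverage` and `uncovered` names are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input: two vendor entries copied from the catalog on this
# page (ASUPIM, and Amazon with two products), in the page's own flattened layout.
SAMPLE = """\
Vendor: ASUPIM

Product Event Types MITRE TTP Content
ASUPIM
  • failed-logon
T1210 - Exploitation of Remote Services
  • 1 Rules

Vendor: Amazon

Product Event Types MITRE TTP Content
AWS Bastion
  • app-activity
  • remote-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 4 Models
AWS CloudWatch
  • app-activity-failed
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
"""

HEADER_RE = re.compile(r"^Product\b.*\bContent$")        # column header repeated per vendor (with or without '|')
TTP_RE = re.compile(r"^(T\d{4}(?:\.\d{3})?) - (.+)$")    # "T1098.002 - Account Manipulation: ..."
COUNT_RE = re.compile(r"^(\d+) (Rules|Models)$")         # "6 Rules" / "4 Models" content counts


@dataclass
class Product:
    vendor: str
    name: str
    event_types: list = field(default_factory=list)
    ttps: dict = field(default_factory=dict)  # technique id -> technique name
    rules: int = 0
    models: int = 0


def parse_catalog(text):
    """Turn the flattened Vendor/Product/Event Types/TTP/Content listing into Product rows."""
    products, vendor, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or HEADER_RE.match(line):
            continue
        if line.startswith("Vendor: "):
            vendor, current = line[len("Vendor: "):], None
            continue
        if line.startswith("•"):
            item = line[1:].strip()
            m = COUNT_RE.match(item)
            if m:   # "• N Rules" / "• N Models" close out the row
                setattr(current, m.group(2).lower(), int(m.group(1)))
            else:   # any other bullet is an event type feeding this product
                current.event_types.append(item)
            continue
        m = TTP_RE.match(line)
        if m:
            current.ttps[m.group(1)] = m.group(2)
            continue
        # Anything else is a product name: it opens a new row under the current vendor.
        current = Product(vendor=vendor, name=line)
        products.append(current)
    return products


def coverage(products, technique, include_subtechniques=True):
    """Sorted (vendor, product) rows mapped to `technique`, optionally to any of its sub-techniques."""
    hits = []
    for p in products:
        for tid in p.ttps:
            if tid == technique or (include_subtechniques and tid.startswith(technique + ".")):
                hits.append((p.vendor, p.name))
                break
    return sorted(hits)


def uncovered(products, techniques):
    """Techniques from a wish-list that no product in the catalog maps to at all."""
    return [t for t in techniques if not coverage(products, t)]


if __name__ == "__main__":
    rows = parse_catalog(SAMPLE)
    print("T1098 (incl. sub-techniques):", coverage(rows, "T1098"))
    print("no content at all:", uncovered(rows, ["T1078", "T1068", "T1548.002"]))
```

Counting sub-techniques toward the parent is a deliberate choice for gap analysis, and it deserves a caveat: a product mapped only to T1098.002 (Exchange delegate permissions) gives no signal for other forms of account manipulation, so use `include_subtechniques=False` when you need the strict view before signing off a technique as covered.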

Vendor: APC

Product | Event Types | MITRE TTP | Content
APC
  • app-activity
  • network-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 2 Models

Vendor: ASUPIM

Product | Event Types | MITRE TTP | Content
ASUPIM
  • failed-logon
T1210 - Exploitation of Remote Services
  • 1 Rules

Vendor: AVI Networks

Product | Event Types | MITRE TTP | Content
Load Balancer
  • account-switch
T1003 - OS Credential Dumping
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1087 - Account Discovery
T1098 - Account Manipulation
  • 11 Rules
  • 8 Models

Vendor: Accellion

Product | Event Types | MITRE TTP | Content
Kiteworks
  • account-password-change
  • account-password-reset
  • account-unlocked
  • app-activity
  • app-login
  • dlp-email-alert-out
  • failed-app-login
  • file-alert
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 2 Models

Vendor: AirWatch

Product | Event Types | MITRE TTP | Content
AirWatch
  • authentication-failed
  • authentication-successful
  • failed-logon
T1210 - Exploitation of Remote Services
  • 1 Rules

Vendor: Alert Logic

Product | Event Types | MITRE TTP | Content
Alert Logic
  • app-activity
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Amazon

Product | Event Types | MITRE TTP | Content
AWS Bastion
  • app-activity
  • remote-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 4 Models
AWS CloudTrail
  • account-password-change
  • app-activity
  • app-login
  • cloud-admin-activity
  • cloud-admin-activity-failed
  • netflow-connection
  • storage-access
  • storage-activity
  • storage-activity-failed
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
AWS CloudWatch
  • app-activity-failed
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
AWS GuardDuty
  • process-created
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - Input Capture: Credential API Hooking
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 73 Rules
  • 12 Models

Vendor: AppSense Application Manager

Product | Event Types | MITRE TTP | Content
AppSense Application Manager
  • local-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models

Vendor: Arbor

Product | Event Types | MITRE TTP | Content
Arbor
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Armis

Product | Event Types | MITRE TTP | Content
Armis
  • failed-logon
T1210 - Exploitation of Remote Services
  • 1 Rules

Vendor: AssetView

Product | Event Types | MITRE TTP | Content
AssetView
  • file-download
  • file-write
  • network-connection-failed
  • print-activity
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Atlassian

Product | Event Types | MITRE TTP | Content
Atlassian BitBucket
  • dlp-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Attivo

Product | Event Types | MITRE TTP | Content
BOTsink
  • database-login
  • remote-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models

Vendor: Auth0

Product | Event Types | MITRE TTP | Content
Auth0
  • account-password-change-failed
  • app-login
  • failed-logon
  • network-connection-successful
T1210 - Exploitation of Remote Services
  • 1 Rules

Vendor: Axway

Product | Event Types | MITRE TTP | Content
Axway SFTP
  • file-upload
  • process-network-failed
T1012 - Query Registry
T1056.004 - Input Capture: Credential API Hooking
T1070.004 - Indicator Removal on Host: File Deletion
T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions
T1560 - Archive Collected Data
  • 1 Rules
  • 1 Models

Vendor: BIND

Product | Event Types | MITRE TTP | Content
BIND
  • network-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Barracuda

Product | Event Types | MITRE TTP | Content
Barracuda Firewall
  • account-lockout
  • database-query
  • failed-vpn-login
  • network-connection-failed
  • network-connection-successful
  • vpn-login
T1078 - Valid Accounts
  • 1 Rules

Vendor: BeyondTrust

Product | Event Types | MITRE TTP | Content
BeyondTrust PasswordSafe
  • privileged-access
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
BeyondTrust PowerBroker
  • account-enabled
  • dlp-email-alert-out-failed
  • remote-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models
BeyondTrust Privilege Management
  • dns-response
  • process-created
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - Input Capture: Credential API Hooking
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 73 Rules
  • 12 Models
BeyondTrust Privileged Identity
  • account-switch
  • app-activity
  • app-login
  • authentication-successful
  • dlp-alert
  • failed-app-login
  • failed-physical-access
T1003 - OS Credential Dumping
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1087 - Account Discovery
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 14 Rules
  • 9 Models

Vendor: Bitdefender

Product | Event Types | MITRE TTP | Content
Bitdefender
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Bitdefender GravityZone
  • authentication-successful
  • process-created
  • web-activity-denied
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - Input Capture: Credential API Hooking
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 73 Rules
  • 12 Models

Vendor: BlackBerry

Product | Event Types | MITRE TTP | Content
BlackBerry Protect
  • app-activity
  • file-delete
  • security-alert
  • vpn-logout
T1003 - OS Credential Dumping
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 9 Rules
  • 6 Models

Vendor: BlueCat Networks

Product | Event Types | MITRE TTP | Content
BlueCat Networks Adonis
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
BlueCat Networks DHCP
  • failed-logon
T1210 - Exploitation of Remote Services
  • 1 Rules

Vendor: Box

Product | Event Types | MITRE TTP | Content
Box Cloud Content Management
  • app-activity
  • app-activity-failed
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
  • print-activity
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Bromium

Product | Event Types | MITRE TTP | Content
Bromium Secure Platform
  • file-alert
  • file-write
  • share-access
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1484 - Group Policy Modification
  • 4 Rules

Vendor: CA Technologies

Product | Event Types | MITRE TTP | Content
CA Privileged Access Manager Server Control
  • app-login
  • authentication-failed
  • authentication-successful
  • failed-app-login
  • remote-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models

Vendor: CDS

Product | Event Types | MITRE TTP | Content
CDS
  • failed-ds-access
  • failed-logon
T1210 - Exploitation of Remote Services
  • 1 Rules

Vendor: CatoNetworks

Product | Event Types | MITRE TTP | Content
Cato Cloud
  • failed-logon
  • network-alert
  • vpn-login
  • web-activity-allowed
  • web-activity-denied
  • workstation-unlocked
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1210 - Exploitation of Remote Services
  • 2 Rules
  • 1 Models

Vendor: Centrify

Product | Event Types | MITRE TTP | Content
Centrify Authentication Service
  • account-switch
  • authentication-failed
  • local-logon
  • process-created
  • remote-logon
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - Input Capture: Credential API Hooking
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098 - Account Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 86 Rules
  • 21 Models
Centrify Infrastructure Services
  • authentication-failed
  • failed-logon
T1210 - Exploitation of Remote Services
  • 1 Rules
Centrify Zero Trust Privilege Services
  • app-activity
  • app-login
  • failed-app-login
  • file-delete
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Check Point Software

Product | Event Types | MITRE TTP | Content
Check Point Endpoint Security
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Check Point NGFW
  • authentication-successful
  • database-update
  • dlp-email-alert-in
  • failed-vpn-login
  • file-permission-change
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • security-alert
  • vpn-connection
  • vpn-login
  • vpn-logout
  • web-activity-allowed
  • web-activity-denied
T1003 - OS Credential Dumping
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 6 Models
Check Point Security Gateway
  • failed-vpn-login
  • network-connection-failed
  • vpn-login
  • vpn-logout
  • web-activity-allowed
  • web-activity-denied
T1003 - OS Credential Dumping
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 5 Rules
  • 5 Models
Check Point Threat Prevention
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Cimtrak

Product | Event Types | MITRE TTP | Content
Cimtrak
  • file-write
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Cisco

Product | Event Types | MITRE TTP | Content
ACI
  • app-activity
  • authentication-failed
  • authentication-successful
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
AnyConnect
  • failed-vpn-login
  • nac-logon
  • process-created
  • vpn-login
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - Input Capture: Credential API Hooking
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 73 Rules
  • 12 Models
Cisco
  • authentication-successful
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Cisco ACS
  • account-lockout
  • app-activity
  • authentication-failed
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 1 Models
Cisco ADC
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Cisco Adaptive Security Appliance
  • authentication-successful
  • dlp-email-alert-out
  • file-download
  • print-activity
  • process-created
  • remote-logon
  • security-alert
  • vpn-login
  • vpn-logout
  • web-activity-allowed
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - Input Capture: Credential API Hooking
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 81 Rules
  • 20 Models
Cisco Advanced Malware Protection (AMP)
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Cisco Airespace
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Cisco Call Manager
  • app-activity
  • authentication-failed
  • authentication-successful
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Cisco CloudLock
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Cisco Console
  • app-activity
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Cisco Firepower
  • app-activity
  • app-login
  • authentication-successful
  • config-change
  • dns-query
  • dns-response
  • failed-usb-activity
  • netflow-connection
  • network-connection-failed
  • network-connection-successful
  • print-activity
  • security-alert
  • vpn-login
  • web-activity-allowed
  • web-activity-denied
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 2 Models
Cisco ISE
  • account-lockout
  • app-activity
  • authentication-failed
  • computer-logon
  • nac-failed-logon
  • nac-logon
  • network-alert
  • print-activity
  • remote-logon
  • security-alert
  • vpn-login
  • vpn-logout
T1003 - OS Credential Dumping
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 12 Rules
  • 8 Models
Cisco Meraki MX appliances
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • vpn-login
  • vpn-logout
  • web-activity-denied
T1003 - OS Credential Dumping
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 6 Models
Cisco NPE
  • process-created
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - Input Capture: Credential API Hooking
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 73 Rules
  • 12 Models
Cisco Secure Endpoint
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Cisco Secure Network Analytics
  • vpn-logout
T1003 - OS Credential Dumping
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 5 Rules
  • 5 Models
Cisco TACACS
  • remote-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models
Duo Access Security
  • app-login
  • authentication-failed
  • authentication-successful
  • failed-logon
  • file-delete
  • vpn-login
  • vpn-logout
T1003 - OS Credential Dumping
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1210 - Exploitation of Remote Services
  • 6 Rules
  • 5 Models
IronPort Email
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • network-alert
  • web-activity-denied
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Proxy Umbrella
  • app-activity
  • print-activity
  • web-activity-allowed
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Citrix

Product | Event Types | MITRE TTP | Content
Citrix Endpoint Management
  • privileged-access
  • remote-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models
Citrix Netscaler
  • app-login
  • authentication-successful
  • database-access
  • remote-logon
  • vpn-login
  • vpn-logout
  • web-activity-allowed
T1003 - OS Credential Dumping
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 8 Rules
  • 8 Models

Vendor: Clearsense

Product | Event Types | MITRE TTP | Content
Clearsense
  • app-login
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Cloud Application

Product | Event Types | MITRE TTP | Content
Cloud Application
  • app-activity
  • app-login
  • failed-app-login
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Cloudflare

Product | Event Types | MITRE TTP | Content
Cloudflare CDN
  • app-activity
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Cloudflare Insights
  • app-login
  • member-added
  • member-removed
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Cloudflare WAF
  • app-activity
  • network-connection-successful
  • web-activity-allowed
  • web-activity-denied
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Cofense

Product | Event Types | MITRE TTP | Content
Phishme
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Cognitas CrossLink

Product | Event Types | MITRE TTP | Content
Cognitas CrossLink
  • remote-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models

Vendor: CrowdStrike

Product | Event Types | MITRE TTP | Content
Falcon
  • app-activity
  • app-activity-failed
  • app-login
  • authentication-failed
  • batch-logon
  • computer-logon
  • dlp-alert
  • dlp-email-alert-out-failed
  • failed-app-login
  • file-alert
  • file-delete
  • file-download
  • file-read
  • file-write
  • local-logon
  • network-connection-failed
  • network-connection-successful
  • process-alert
  • process-created
  • process-network
  • remote-access
  • remote-logon
  • security-alert
  • service-logon
  • usb-activity
  • usb-insert
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - Input Capture: Credential API Hooking
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 79 Rules
  • 16 Models

Vendor: CyberArk

Product | Event Types | MITRE TTP | Content
CyberArk Endpoint Privilege Management
  • file-delete
  • network-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
CyberArk Vault
  • account-password-change
  • account-password-change-failed
  • account-password-reset
  • account-switch
  • app-activity
  • app-activity-failed
  • app-login
  • computer-logon
  • failed-app-login
  • failed-logon
  • file-delete
  • file-read
  • file-write
  • process-created
  • remote-logon
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - Input Capture: Credential API Hooking
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1210 - Exploitation of Remote Services
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 90 Rules
  • 22 Models
Privileged Session Manager
  • app-activity
  • app-login
  • file-permission-change
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Privileged Threat Analytics
  • failed-logon
T1210 - Exploitation of Remote Services
  • 1 Rules

Vendor: Damballa

Product Event Types MITRE TTP Content
Failsafe
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Darktrace

Product Event Types MITRE TTP Content
Darktrace Enterprise Immune System
  • dlp-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Dell

Product Event Types MITRE TTP Content
Dell EMC Isilon
  • app-activity
  • file-delete
  • file-permission-change
  • file-read
  • file-write
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
One Identity Manager
  • account-password-change
  • account-switch
  • security-alert
T1003 - OS Credential Dumping
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1087 - Account Discovery
T1098 - Account Manipulation
  • 11 Rules
  • 8 Models
RSA Authentication Manager
  • app-activity
  • app-login
  • authentication-failed
  • authentication-successful
  • dlp-alert
  • failed-vpn-login
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 2 Models

Vendor: Digital Arts

Product Event Types MITRE TTP Content
Digital Arts i-FILTER for Business
  • security-alert
  • web-activity-allowed
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Digital Guardian

Product Event Types MITRE TTP Content
Digital Guardian Endpoint Protection
  • app-login
  • dlp-email-alert-out
  • failed-app-login
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
  • local-logon
  • network-connection-failed
  • network-connection-successful
  • print-activity
  • usb-insert
  • vpn-connection
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models
Digital Guardian Network DLP
  • dlp-alert
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Dropbox

Product Event Types MITRE TTP Content
Dropbox
  • app-activity
  • app-login
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-write
  • network-connection-failed
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Dtex Systems

Product Event Types MITRE TTP Content
DTEX InTERCEPT
  • file-delete
  • file-read
  • file-write
  • local-logon
  • print-activity
  • process-created
  • remote-logon
  • usb-write
  • workstation-locked
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - T1056.004
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - T1547.006
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 76 Rules
  • 15 Models

Vendor: EMP

Product Event Types MITRE TTP Content
EMP
  • app-activity
  • dlp-email-alert-in-failed
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: ESET

Product Event Types MITRE TTP Content
ESET Endpoint Security
  • app-login
  • authentication-successful
  • failed-ds-access
  • failed-logon
  • network-alert
  • security-alert
  • web-activity-denied
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1210 - Exploitation of Remote Services
  • 2 Rules
  • 1 Models

Vendor: EdgeWave

Product Event Types MITRE TTP Content
EdgeWave iPrism
  • security-alert
  • web-activity-allowed
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Egnyte

Product Event Types MITRE TTP Content
Egnyte
  • account-password-reset
  • app-login
  • file-delete
  • file-download
  • file-permission-change
  • file-upload
  • file-write
  • remote-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models

Vendor: EnSilo

Product Event Types MITRE TTP Content
EnSilo
  • remote-access
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models

Vendor: EndPoint

Product Event Types MITRE TTP Content
EndPoint
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Epic

Product Event Types MITRE TTP Content
Epic SIEM
  • account-password-change
  • app-activity
  • app-login
  • authentication-successful
  • failed-app-login
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Exabeam

Product Event Types MITRE TTP Content
Exabeam Advanced Analytics
  • app-activity
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Exabeam DL
  • account-password-change
  • app-activity
  • app-login
  • dlp-alert
  • failed-app-login
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 2 Models

Vendor: Extrahop

Product Event Types MITRE TTP Content
Reveal(x)
  • authentication-successful
  • dns-query
  • network-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Extreme Networks

Product Event Types MITRE TTP Content
Zebra wireless LAN management
  • account-lockout
T1078 - Valid Accounts
  • 1 Rules

Vendor: F5

Product Event Types MITRE TTP Content
BIG-IP DNS
  • dns-query
  • vpn-logout
T1003 - OS Credential Dumping
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 5 Rules
  • 5 Models
F5 Advanced Web Application Firewall (WAF)
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • network-connection-successful
  • print-activity
  • process-created
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - T1056.004
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - T1547.006
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 73 Rules
  • 12 Models
F5 BIG-IP
  • app-activity
  • failed-vpn-login
  • print-activity
  • process-alert
  • remote-logon
  • vpn-login
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1056.004 - T1056.004
T1070.004 - Indicator Removal on Host: File Deletion
T1078 - Valid Accounts
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1547.006 - T1547.006
T1560 - Archive Collected Data
  • 7 Rules
  • 5 Models
F5 BIG-IP Access Policy Manager (APM)
  • app-activity
  • authentication-failed
  • authentication-successful
  • process-alert
  • vpn-login
  • vpn-logout
T1003 - OS Credential Dumping
T1012 - Query Registry
T1056.004 - T1056.004
T1070.004 - Indicator Removal on Host: File Deletion
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1547.006 - T1547.006
T1560 - Archive Collected Data
  • 9 Rules
  • 6 Models
F5 BIG-IP Advanced Firewall Module (AFM)
  • app-activity
  • network-connection-successful
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
F5 BIG-IP Application Security Manager (ASM)
  • app-activity
  • authentication-failed
  • web-activity-allowed
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: FTP

Product Event Types MITRE TTP Content
FTP
  • app-activity
  • app-activity-failed
  • app-login
  • failed-app-login
  • file-delete
  • file-read
  • file-write
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Fidelis

Product Event Types MITRE TTP Content
Fidelis Network
  • failed-logon
  • failed-physical-access
T1210 - Exploitation of Remote Services
  • 1 Rules
Fidelis XPS
  • dlp-email-alert-in
  • failed-physical-access
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: FireEye

Product Event Types MITRE TTP Content
FireEye Email Gateway
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
FireEye Endpoint Security (CM)
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
FireEye Endpoint Security (HX)
  • file-write
  • process-alert
  • security-alert
  • web-activity-denied
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1056.004 - T1056.004
T1070.004 - Indicator Removal on Host: File Deletion
T1087 - Account Discovery
T1547.006 - T1547.006
T1560 - Archive Collected Data
  • 2 Rules
  • 2 Models
FireEye Helix
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
FireEye Network Security (Helix)
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
FireEye Network Security (NX)
  • network-alert
  • security-alert
  • web-activity-allowed
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Forcepoint

Product Event Types MITRE TTP Content
Forcepoint CASB
  • account-password-change
  • app-activity
  • failed-app-login
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 2 Models
Forcepoint DLP
  • authentication-failed
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • usb-insert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Forescout

Product Event Types MITRE TTP Content
Forescout CounterACT
  • app-activity
  • network-alert
  • network-connection-failed
  • network-connection-successful
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 2 Models

Vendor: Fortinet

Product Event Types MITRE TTP Content
FortiAuthenticator
  • authentication-successful
  • vpn-logout
T1003 - OS Credential Dumping
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 5 Rules
  • 5 Models
Fortinet Enterprise Firewall
  • app-activity
  • computer-logon
  • failed-app-login
  • file-write
  • network-connection-successful
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 2 Models
Fortinet UTM
  • app-activity
  • authentication-successful
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • failed-app-login
  • security-alert
  • web-activity-allowed
  • web-activity-denied
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 2 Models
Fortinet VPN
  • failed-vpn-login
  • vpn-login
  • vpn-logout
  • web-activity-denied
T1003 - OS Credential Dumping
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 5 Rules
  • 5 Models

Vendor: GTB

Product Event Types MITRE TTP Content
GTBInspector
  • remote-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models

Vendor: Gamma

Product Event Types MITRE TTP Content
Gamma
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Gemalto

Product Event Types MITRE TTP Content
Gemalto MFA
  • authentication-successful
  • dlp-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: GitHub

Product Event Types MITRE TTP Content
GitHub
  • app-activity
  • app-activity-failed
  • app-login
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: GoAnywhere

Product Event Types MITRE TTP Content
GoAnywhere MFT
  • dlp-email-alert-out-failed
  • failed-logon
  • file-delete
  • file-download
  • remote-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
T1210 - Exploitation of Remote Services
  • 4 Rules
  • 3 Models

Vendor: Google

Product Event Types MITRE TTP Content
GCP Squid Proxy
  • security-alert
  • web-activity-allowed
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Google
  • app-activity
  • app-login
  • failed-app-login
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Google Drive
  • app-activity
  • file-delete
  • file-permission-change
  • file-read
  • file-write
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: HP

Product Event Types MITRE TTP Content
Aruba Mobility Master
  • local-logon
  • nac-failed-logon
  • nac-logon
  • remote-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models
Aruba Wireless controller
  • account-password-reset
  • computer-logon
  • nac-failed-logon
  • nac-logon
  • network-connection-failed
  • process-created
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - T1056.004
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - T1547.006
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 73 Rules
  • 12 Models
HP Comware
  • failed-logon
T1210 - Exploitation of Remote Services
  • 1 Rules
HP SafeCom
  • dlp-email-alert-in
  • network-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Print Server
  • network-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: HashiCorp

Product Event Types MITRE TTP Content
HashiCorp Vault
  • account-password-reset
  • privileged-object-access
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: HelpSystems

Product Event Types MITRE TTP Content
Powertech Identity Access Manager (BoKs)
  • account-switch
  • file-delete
  • file-read
  • file-write
  • local-logon
  • remote-logon
T1003 - OS Credential Dumping
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1087 - Account Discovery
T1098 - Account Manipulation
  • 13 Rules
  • 9 Models

Vendor: Hornet

Product Event Types MITRE TTP Content
Hornet Email
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • privileged-access
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Huawei

Product Event Types MITRE TTP Content
Unified Security Gateway
  • authentication-successful
  • network-alert
  • network-connection-failed
  • vpn-login
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: IBM

Product Event Types MITRE TTP Content
IBM DB2
  • authentication-failed
  • failed-physical-access
  • file-read
  • remote-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models
IBM Sterling B2B Integrator
  • app-activity
  • failed-logon
  • member-added
  • member-removed
  • remote-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1210 - Exploitation of Remote Services
  • 7 Rules
  • 4 Models
Infosphere Guardium
  • database-alert
  • database-login
  • network-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Proventia Network IPS
  • network-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: ICPAM

Product Event Types MITRE TTP Content
ICPAM
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: IMSS

Product Event Types MITRE TTP Content
IMSS
  • dlp-alert
  • network-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: IXIA

Product Event Types MITRE TTP Content
IXIA ThreatArmor
  • app-activity
  • network-connection-failed
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Illumio

Product Event Types MITRE TTP Content
Illumio
  • remote-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models

Vendor: Imperva

Product Event Types MITRE TTP Content
Imperva SecureSphere
  • app-login
  • database-alert
  • database-delete
  • database-failed-login
  • database-login
  • database-query
  • database-update
  • network-alert
  • print-activity
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Imprivata

Product Event Types MITRE TTP Content
Imprivata
  • app-activity
  • app-login
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Infoblox

Product Event Types MITRE TTP Content
Infoblox
  • computer-logon
  • dlp-email-alert-out-failed
  • network-connection-failed
  • network-connection-successful
  • process-created
  • security-alert
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - T1056.004
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - T1547.006
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 74 Rules
  • 13 Models

Vendor: Ipswitch

Product Event Types MITRE TTP Content
IPswitch MoveIt
  • app-activity
  • app-login
  • failed-app-login
  • file-download
  • file-read
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
MoveIt DMZ
  • account-password-change
  • authentication-failed
  • failed-logon
  • file-delete
  • file-download
  • file-upload
  • file-write
  • member-added
  • process-created-failed
T1012 - Query Registry
T1056.004 - T1056.004
T1070.004 - Indicator Removal on Host: File Deletion
T1210 - Exploitation of Remote Services
T1547.006 - T1547.006
T1560 - Archive Collected Data
  • 2 Rules
  • 1 Models

Vendor: Johnson Controls

Product Event Types MITRE TTP Content
Johnson Controls P2000
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Juniper Networks

Product Event Types MITRE TTP Content
Juniper Networks Pulse Secure
  • app-activity
  • authentication-failed
  • authentication-successful
  • failed-app-login
  • failed-vpn-login
  • network-connection-successful
  • vpn-login
  • vpn-logout
T1003 - OS Credential Dumping
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 8 Rules
  • 5 Models
Juniper SRX
  • authentication-successful
  • config-change
  • failed-vpn-login
  • network-connection-failed
  • network-connection-successful
  • security-alert
  • web-activity-allowed
  • web-activity-denied
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Juniper VPN
  • app-activity
  • authentication-failed
  • authentication-successful
  • failed-vpn-login
  • security-alert
  • vpn-login
  • vpn-logout
T1003 - OS Credential Dumping
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 9 Rules
  • 6 Models

Vendor: Kaspersky

Product Event Types MITRE TTP Content
Kaspersky AV
  • app-activity
  • file-alert
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 2 Models
Kaspersky Endpoint Security for Business
  • file-alert
  • network-alert
  • security-alert
  • usb-insert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Kemp

Product Event Types MITRE TTP Content
Kemp LoadMaster
  • app-activity
  • remote-logon
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 4 Models
Load Balancer
  • failed-app-login
  • remote-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models

Vendor: LEAP

Product Event Types MITRE TTP Content
LEAP
  • app-activity
  • file-download
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: LanScope

Product Event Types MITRE TTP Content
LanScope Cat
  • app-activity
  • dlp-alert
  • failed-usb-activity
  • file-write
  • local-logon
  • print-activity
  • process-created
  • process-created-failed
  • process-network
  • usb-activity
  • usb-write
  • web-activity-allowed
  • workstation-locked
  • workstation-unlocked
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - T1056.004
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - T1547.006
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 79 Rules
  • 16 Models

Vendor: LastPass

Product Event Types MITRE TTP Content
LastPass
  • app-activity
  • failed-app-login
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Lastline

Product Event Types MITRE TTP Content
Lastline
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Lenel

Product Event Types MITRE TTP Content
OnGuard
  • failed-physical-access
  • physical-access
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Linux

Product Event Types MITRE TTP Content
SSH
  • remote-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models

Vendor: LogMeIn

Product Event Types MITRE TTP Content
RemotelyAnywhere
  • app-activity
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Lumension

Product Event Types MITRE TTP Content
Lumension
  • failed-usb-activity
  • usb-activity
  • usb-insert
  • usb-read
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Lyrix

Product Event Types MITRE TTP Content
Lyrix
  • app-activity
  • physical-access
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Malwarebytes

Product Event Types MITRE TTP Content
Malwarebytes Endpoint Protection
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Malwarebytes Incident Response
  • network-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: MasterSAM

Product Event Types MITRE TTP Content
MasterSAM PAM
  • authentication-failed
  • authentication-successful
  • failed-physical-access
  • remote-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models

Vendor: McAfee

Product Event Types MITRE TTP Content
McAfee DLP
  • dlp-alert
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • print-activity
  • security-alert
  • usb-insert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
McAfee Email Protection
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
McAfee Endpoint Security
  • dlp-alert
  • dlp-email-alert-in-failed
  • file-write
  • local-logon
  • network-alert
  • process-alert
  • security-alert
  • usb-insert
  • usb-write
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1056.004 - T1056.004
T1070.004 - Indicator Removal on Host: File Deletion
T1078 - Valid Accounts
T1087 - Account Discovery
T1547.006 - T1547.006
T1560 - Archive Collected Data
  • 4 Rules
  • 4 Models
McAfee Enterprise Security Manager
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
McAfee IDPS
  • vpn-logout
T1003 - OS Credential Dumping
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 5 Rules
  • 5 Models
McAfee NSM
  • app-login
  • dlp-alert
  • process-alert
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1056.004 - T1056.004
T1070.004 - Indicator Removal on Host: File Deletion
T1087 - Account Discovery
T1547.006 - T1547.006
T1560 - Archive Collected Data
  • 2 Rules
  • 2 Models
McAfee Network Security Platform (IPS)
  • dlp-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
McAfee Solidifier
  • local-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models
Skyhigh Networks CASB
  • account-creation
  • app-activity
  • app-login
  • dlp-alert
  • failed-app-login
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 2 Models

Vendor: Microsoft

Product | Event Types | MITRE TTP | Content
Advanced Threat Analytics (ATA)
  • process-created
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - T1056.004
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - T1547.006
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 73 Rules
  • 12 Models
AppLocker
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Exchange
  • app-activity
  • app-activity-failed
  • app-login
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • failed-app-login
  • member-removed
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 2 Models
Microsoft Advanced Threat Protection
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Microsoft Azure
  • account-password-change
  • account-password-reset
  • app-activity
  • app-activity-failed
  • app-login
  • authentication-failed
  • authentication-successful
  • cloud-admin-activity
  • cloud-admin-activity-failed
  • database-query
  • dlp-email-alert-in-failed
  • dns-response
  • failed-app-login
  • failed-logon
  • failed-usb-activity
  • file-delete
  • file-download
  • file-read
  • file-write
  • member-added
  • member-removed
  • network-connection-failed
  • network-connection-successful
  • privileged-access
  • process-created
  • security-alert
  • storage-activity
  • storage-activity-failed
  • usb-activity
  • usb-insert
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - T1056.004
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1210 - Exploitation of Remote Services
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - T1547.006
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 78 Rules
  • 14 Models
Microsoft Azure AD Identity Protection
  • remote-access
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models
Microsoft Azure Active Directory
  • account-password-change
  • account-unlocked
  • app-activity
  • app-activity-failed
  • app-login
  • dlp-email-alert-out
  • failed-app-login
  • member-added
  • process-created
  • security-alert
  • usb-insert
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - T1056.004
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - T1547.006
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 77 Rules
  • 14 Models
Microsoft Azure Advanced Threat Protection
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Microsoft Azure Security Center
  • app-activity-failed
  • process-alert
  • security-alert
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1056.004 - T1056.004
T1070.004 - Indicator Removal on Host: File Deletion
T1087 - Account Discovery
T1547.006 - T1547.006
T1560 - Archive Collected Data
  • 2 Rules
  • 2 Models
Microsoft Cloud App Security (MCAS)
  • account-password-change
  • app-activity
  • app-activity-failed
  • app-login
  • failed-app-login
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 2 Models
Microsoft Defender ATP
  • app-login
  • batch-logon
  • file-delete
  • file-write
  • local-logon
  • member-removed
  • network-alert
  • process-alert
  • process-created
  • process-network
  • process-network-failed
  • remote-access
  • remote-logon
  • security-alert
  • usb-write
  • web-activity-denied
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - T1056.004
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - T1547.006
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 76 Rules
  • 15 Models
Microsoft DirectAccess
  • security-alert
  • vpn-login
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Microsoft Graph
  • dlp-email-alert-out-failed
  • network-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Microsoft Office 365
  • account-disabled
  • app-activity
  • app-activity-failed
  • app-login
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • failed-app-login
  • failed-logon
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
  • ntlm-logon
  • process-created
  • remote-logon
  • security-alert
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - T1056.004
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1210 - Exploitation of Remote Services
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - T1547.006
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 80 Rules
  • 16 Models
Microsoft OneDrive
  • app-activity
  • file-read
  • file-upload
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Microsoft ScanMail
  • network-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Microsoft Sysmon
  • app-activity
  • dns-response
  • file-delete
  • process-created
  • process-network
  • web-activity-denied
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - T1056.004
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - T1547.006
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 76 Rules
  • 13 Models
Microsoft Windows
  • account-creation
  • account-deleted
  • account-disabled
  • account-enabled
  • account-lockout
  • account-password-change
  • account-password-reset
  • account-switch
  • account-unlocked
  • app-activity
  • app-login
  • audit-log-clear
  • audit-policy-change
  • authentication-failed
  • authentication-successful
  • computer-logon
  • database-query
  • dcom-activation-failed
  • dlp-alert
  • dlp-email-alert-out-failed
  • dns-query
  • dns-response
  • ds-access
  • failed-app-login
  • failed-logon
  • failed-vpn-login
  • file-close
  • file-delete
  • file-read
  • file-write
  • kerberos-logon
  • local-logon
  • logout-remote
  • member-added
  • member-removed
  • nac-logon
  • netflow-connection
  • network-alert
  • network-connection-failed
  • privileged-access
  • privileged-object-access
  • process-created
  • process-network
  • process-network-failed
  • remote-access
  • remote-logon
  • security-alert
  • service-created
  • service-logon
  • share-access
  • task-created
  • usb-activity
  • usb-write
  • vpn-login
  • vpn-logout
  • web-activity-denied
  • winsession-disconnect
  • workstation-locked
  • workstation-unlocked
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - T1056.004
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1210 - Exploitation of Remote Services
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484 - Group Policy Modification
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - T1547.006
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 102 Rules
  • 28 Models
Web Application Proxy
  • failed-logon
  • network-connection-failed
  • web-activity-allowed
T1210 - Exploitation of Remote Services
  • 1 Rules
Windows Defender
  • computer-logon
  • file-alert
  • process-created
  • security-alert
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - T1056.004
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - T1547.006
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 74 Rules
  • 13 Models

Vendor: Mimecast

Product | Event Types | MITRE TTP | Content
Mimecast Email Security
  • account-password-change
  • app-activity
  • app-login
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • failed-app-login
  • network-alert
  • process-alert
  • web-activity-denied
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1056.004 - T1056.004
T1070.004 - Indicator Removal on Host: File Deletion
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1547.006 - T1547.006
T1560 - Archive Collected Data
  • 5 Rules
  • 3 Models

Vendor: MobileIron

Product | Event Types | MITRE TTP | Content
MobileIron
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Morphisec

Product | Event Types | MITRE TTP | Content
Morphisec EPTP
  • app-activity
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: N3K

Product | Event Types | MITRE TTP | Content
N3K
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: NCP

Product | Event Types | MITRE TTP | Content
NCP
  • authentication-successful
  • vpn-login
  • vpn-logout
T1003 - OS Credential Dumping
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 5 Rules
  • 5 Models

Vendor: NNT

Product | Event Types | MITRE TTP | Content
NNT ChangeTracker
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Namespace rDirectory

Product | Event Types | MITRE TTP | Content
Namespace rDirectory
  • account-deleted
  • account-disabled
  • account-enabled
  • account-password-change-failed
  • app-login
  • member-added
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: NetApp

Product | Event Types | MITRE TTP | Content
NetApp
  • app-activity
  • file-delete
  • file-read
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 2 Models

Vendor: NetDocs

Product | Event Types | MITRE TTP | Content
NetDocs
  • app-activity
  • authentication-failed
  • failed-app-login
  • file-read
  • file-write
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Netskope

Product | Event Types | MITRE TTP | Content
Netskope Security Cloud
  • app-activity
  • app-login
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-out
  • failed-app-login
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
  • network-connection-failed
  • network-connection-successful
  • process-created
  • security-alert
  • web-activity-allowed
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - T1056.004
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - T1547.006
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 77 Rules
  • 14 Models

Vendor: Netwrix

Product | Event Types | MITRE TTP | Content
Netwrix Auditor
  • account-disabled
  • account-lockout
  • account-password-reset
  • account-unlocked
  • app-activity
  • app-login
  • database-access
  • database-failed-login
  • dns-query
  • ds-access
  • file-write
  • member-added
  • member-removed
  • nac-logon
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 5 Rules
  • 2 Models

Vendor: Nexthink

Product | Event Types | MITRE TTP | Content
Nexthink
  • task-created
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Novell

Product | Event Types | MITRE TTP | Content
eDirectory
  • account-disabled
  • account-enabled
  • account-password-change
  • account-unlocked
  • app-activity
  • authentication-failed
  • authentication-successful
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: OSSEC

Product | Event Types | MITRE TTP | Content
OSSEC
  • account-lockout
  • file-permission-change
T1078 - Valid Accounts
  • 1 Rules

Vendor: ObserveIT

Product | Event Types | MITRE TTP | Content
ObserveIT
  • app-activity
  • app-login
  • dlp-alert
  • failed-app-login
  • member-added
  • process-created
  • remote-logon
  • security-alert
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - T1056.004
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - T1547.006
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 79 Rules
  • 16 Models

Vendor: Okta

Product | Event Types | MITRE TTP | Content
Okta Adaptive MFA
  • account-creation
  • account-enabled
  • account-lockout
  • app-activity
  • app-activity-failed
  • app-login
  • authentication-failed
  • failed-app-login
  • failed-logon
  • nac-logon
  • network-alert
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1210 - Exploitation of Remote Services
  • 6 Rules
  • 2 Models

Vendor: Onapsis

Product | Event Types | MITRE TTP | Content
Onapsis
  • app-login
  • dns-query
  • security-alert
  • vpn-logout
T1003 - OS Credential Dumping
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 6 Models

Vendor: OneLogin

Product | Event Types | MITRE TTP | Content
OneLogin
  • app-login
  • failed-app-login
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: OpenDJ

Product | Event Types | MITRE TTP | Content
OpenDJ LDAP
  • authentication-failed
  • network-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Oracle

Product | Event Types | MITRE TTP | Content
Oracle Access Manager
  • app-activity
  • app-login
  • authentication-successful
  • failed-app-login
  • failed-physical-access
  • physical-access
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Oracle DB
  • database-access
  • database-failed-login
  • database-login
  • database-query
  • database-update
  • failed-physical-access
  • local-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models
Oracle Solaris
  • computer-logon
  • process-created
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - T1056.004
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - T1547.006
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 73 Rules
  • 12 Models

Vendor: Osirium

Product | Event Types | MITRE TTP | Content
Osirium
  • app-activity
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Palo Alto Networks

Product | Event Types | MITRE TTP | Content
Cortex XDR
  • app-login
  • authentication-failed
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
GlobalProtect
  • authentication-failed
  • authentication-successful
  • failed-vpn-login
  • network-alert
  • physical-access
  • remote-logon
  • security-alert
  • vpn-login
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models
Magnifier
  • remote-access
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models
NGFW
  • account-password-change
  • app-activity
  • authentication-successful
  • config-change
  • dlp-email-alert-out
  • file-alert
  • local-logon
  • network-connection-successful
  • security-alert
  • vpn-login
  • web-activity-allowed
  • web-activity-denied
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 4 Models
Palo Alto Aperture
  • app-login
  • dlp-email-alert-out
  • file-delete
  • file-read
  • file-write
  • network-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Traps
  • remote-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models
WildFire
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Password Manager Pro

Product Event Types MITRE TTP Content
Password Manager Pro
  • account-switch
  • failed-app-login
T1003 - OS Credential Dumping
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1087 - Account Discovery
T1098 - Account Manipulation
  • 11 Rules
  • 8 Models

Vendor: Phantom

Product Event Types MITRE TTP Content
Phantom
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Ping Identity

Product Event Types MITRE TTP Content
Ping Identity
  • app-activity
  • app-activity-failed
  • app-login
  • authentication-failed
  • authentication-successful
  • dlp-email-alert-in-failed
  • failed-app-login
  • service-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 2 Models
PingOne
  • app-login
  • dns-response
  • network-alert
  • service-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: PostgreSQL

Product Event Types MITRE TTP Content
PostgreSQL
  • database-access
  • database-login
  • database-query
  • file-read
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Procad

Product Event Types MITRE TTP Content
Pro.File DMS
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Proofpoint

Product Event Types MITRE TTP Content
ObserveIT
  • app-activity
  • remote-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 4 Models
Proofpoint CASB
  • dlp-alert
  • network-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Proofpoint DLP
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Proofpoint TAP/POD
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Quest Software

Product Event Types MITRE TTP Content
Change Auditor
  • account-lockout
  • account-unlocked
  • ds-access
  • failed-app-login
  • file-delete
  • file-write
  • local-logon
  • member-added
  • member-removed
  • nac-failed-logon
  • physical-access
  • remote-logon
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 4 Rules
  • 3 Models

Vendor: RSA

Product Event Types MITRE TTP Content
RSA
  • app-activity
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
RSA DLP
  • dlp-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
SecurID
  • authentication-successful
  • dlp-email-alert-in
  • task-created
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: RangerAudit

Product Event Types MITRE TTP Content
RangerAudit
  • app-activity
  • app-login
  • database-activity-failed
  • database-query
  • dlp-alert
  • file-read
  • file-write
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 2 Models

Vendor: Rapid7

Product Event Types MITRE TTP Content
InsightVM
  • process-created
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - T1056.004
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - T1547.006
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 73 Rules
  • 12 Models
Nexpose
  • process-created
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - T1056.004
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - T1547.006
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 73 Rules
  • 12 Models

Vendor: Ricoh

Product Event Types MITRE TTP Content
Ricoh
  • network-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: SAP

Product Event Types MITRE TTP Content
SAP
  • account-creation
  • account-deleted
  • account-lockout
  • account-unlocked
  • app-login
  • authentication-failed
  • authentication-successful
  • failed-app-login
  • file-download
  • remote-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 4 Rules
  • 3 Models

Vendor: SFTP

Product Event Types MITRE TTP Content
SFTP
  • app-activity
  • app-login
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: SSL Open VPN

Product Event Types MITRE TTP Content
SSL Open VPN
  • app-activity
  • authentication-failed
  • authentication-successful
  • failed-app-login
  • failed-vpn-login
  • network-alert
  • vpn-login
  • vpn-logout
T1003 - OS Credential Dumping
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 9 Rules
  • 6 Models

Vendor: Safend

Product Event Types MITRE TTP Content
Data Protection Suite (DPS)
  • dlp-email-alert-in
  • usb-write
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Sailpoint

Product Event Types MITRE TTP Content
FAM
  • account-lockout
  • file-delete
  • file-read
  • file-write
T1078 - Valid Accounts
  • 1 Rules
IdentityNow
  • account-password-change
  • account-password-change-failed
  • app-activity
  • app-login
  • authentication-successful
  • vpn-logout
T1003 - OS Credential Dumping
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 8 Rules
  • 5 Models
SecurityIQ
  • account-creation
  • account-deleted
  • account-lockout
  • account-password-reset
  • dlp-email-alert-in-failed
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
  • member-added
  • member-removed
T1078 - Valid Accounts
  • 1 Rules

Vendor: Salesforce

Product Event Types MITRE TTP Content
Salesforce
  • account-password-change
  • app-activity
  • app-login
  • failed-app-login
  • file-upload
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Sangfor

Product Event Types MITRE TTP Content
NGAF
  • network-alert
  • web-activity-allowed
  • web-activity-denied
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Secure Computing

Product Event Types MITRE TTP Content
Secure Computing SafeWord
  • remote-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models

Vendor: Secure Envoy

Product Event Types MITRE TTP Content
Secure Envoy
  • authentication-successful
  • network-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: SecureLink

Product Event Types MITRE TTP Content
SecureLink
  • app-login
  • file-download
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: SentinelOne

Product Event Types MITRE TTP Content
SentinelOne
  • app-activity
  • dns-query
  • dns-response
  • file-alert
  • file-delete
  • file-read
  • file-write
  • network-connection-failed
  • network-connection-successful
  • process-created
  • security-alert
  • web-activity-allowed
  • web-activity-denied
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - T1056.004
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - T1547.006
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 77 Rules
  • 14 Models

Vendor: ServiceNow

Product Event Types MITRE TTP Content
ServiceNow
  • account-switch
  • app-login
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
  • security-alert
  • storage-access
T1003 - OS Credential Dumping
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1087 - Account Discovery
T1098 - Account Manipulation
  • 11 Rules
  • 8 Models

Vendor: Silverfort

Product Event Types MITRE TTP Content
Silverfort
  • app-login
  • authentication-successful
  • failed-app-login
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: SkySea

Product Event Types MITRE TTP Content
ClientView
  • app-activity
  • app-login
  • computer-logon
  • dlp-email-alert-out
  • dns-query
  • file-delete
  • file-read
  • file-upload
  • file-write
  • security-alert
  • usb-activity
  • web-activity-allowed
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 2 Models

Vendor: Snort

Product Event Types MITRE TTP Content
Snort
  • app-login
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Sonicwall

Product Event Types MITRE TTP Content
Sonicwall
  • failed-logon
  • failed-vpn-login
  • network-alert
  • vpn-login
  • vpn-logout
  • web-activity-allowed
T1003 - OS Credential Dumping
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1210 - Exploitation of Remote Services
  • 7 Rules
  • 6 Models

Vendor: Sophos

Product Event Types MITRE TTP Content
Sophos Endpoint Protection
  • app-activity-failed
  • dlp-alert
  • failed-app-login
  • network-connection-successful
  • security-alert
  • usb-insert
  • usb-write
  • web-activity-denied
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Sophos SafeGuard
  • app-activity
  • database-delete
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Splunk

Product Event Types MITRE TTP Content
Splunk Stream
  • dlp-alert
  • dns-response
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Swipes

Product Event Types MITRE TTP Content
Swipes
  • vpn-logout
T1003 - OS Credential Dumping
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 5 Rules
  • 5 Models

Vendor: Swivel

Product Event Types MITRE TTP Content
Swivel
  • app-login
  • file-upload
  • vpn-logout
T1003 - OS Credential Dumping
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 5 Rules
  • 5 Models

Vendor: Sybase

Product Event Types MITRE TTP Content
Sybase
  • database-login
  • dlp-email-alert-out
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Symantec

Product Event Types MITRE TTP Content
Symantec Advanced Threat Protection
  • app-activity
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Symantec Brightmail
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Symantec CloudSOC
  • app-login
  • dlp-alert
  • failed-app-login
  • file-delete
  • file-download
  • file-upload
  • usb-insert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Symantec Critical System Protection
  • account-switch
  • config-change
  • dlp-alert
  • failed-logon
  • local-logon
  • member-added
T1003 - OS Credential Dumping
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1087 - Account Discovery
T1098 - Account Manipulation
T1210 - Exploitation of Remote Services
  • 14 Rules
  • 9 Models
Symantec DLP
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • ds-access
  • failed-logon
  • security-alert
  • usb-activity
  • usb-read
  • usb-write
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1210 - Exploitation of Remote Services
  • 2 Rules
  • 1 Models
Symantec EDR
  • failed-logon
  • file-alert
  • file-delete
  • file-write
  • remote-logon
  • web-activity-denied
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
T1210 - Exploitation of Remote Services
  • 4 Rules
  • 3 Models
Symantec Email Security.cloud
  • app-activity
  • dlp-email-alert-in
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • process-created-failed
  • security-alert
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1056.004 - T1056.004
T1070.004 - Indicator Removal on Host: File Deletion
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1547.006 - T1547.006
T1560 - Archive Collected Data
  • 5 Rules
  • 3 Models
Symantec Endpoint Protection
  • authentication-successful
  • config-change
  • failed-logon
  • network-connection-failed
  • network-connection-successful
  • process-alert
  • remote-logon
  • security-alert
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1056.004 - T1056.004
T1070.004 - Indicator Removal on Host: File Deletion
T1078 - Valid Accounts
T1087 - Account Discovery
T1210 - Exploitation of Remote Services
T1547.006 - T1547.006
T1560 - Archive Collected Data
  • 5 Rules
  • 4 Models
Symantec Managed Security Services
  • network-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Symantec VIP
  • app-activity
  • authentication-failed
  • authentication-successful
  • dns-query
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Symantec WSS
  • process-created
  • web-activity-allowed
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - T1056.004
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - T1547.006
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 73 Rules
  • 12 Models

Vendor: Tanium

Product Event Types MITRE TTP Content
Endpoint Platform
  • authentication-failed
  • authentication-successful
  • file-write
  • process-created
  • security-alert
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - T1056.004
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - T1547.006
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 74 Rules
  • 13 Models

Vendor: Teradata

Product Event Types MITRE TTP Content
Teradata RDBMS
  • database-login
  • dlp-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Thycotic Secret Server

Product Event Types MITRE TTP Content
Thycotic Secret Server
  • account-switch
  • app-login
  • failed-app-login
  • file-alert
T1003 - OS Credential Dumping
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1087 - Account Discovery
T1098 - Account Manipulation
  • 11 Rules
  • 8 Models

Vendor: TrapX

Product Event Types MITRE TTP Content
TrapX
  • remote-access
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models

Vendor: Trend Micro

Product Event Types MITRE TTP Content
Apex One
  • app-login
  • dlp-email-alert-in
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Cloud App Security
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Deep Discovery Email Inspector
  • dlp-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Deep Discovery Inspector
  • app-login
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
Deep Security Agent
  • network-connection-successful
  • privileged-object-access
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
OfficeScan
  • account-password-change
  • dlp-alert
  • dlp-email-alert-out
  • security-alert
  • usb-insert
  • usb-read
  • web-activity-denied
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models
TippingPoint NGIPS
  • app-activity
  • database-delete
  • network-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 2 Models
Trend Micro
  • network-alert
  • network-connection-successful
  • privileged-object-access
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: Tripwire Enterprise

Product Event Types MITRE TTP Content
Tripwire Enterprise
  • app-activity
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Tufin

Product Event Types MITRE TTP Content
SecureTrack
  • app-activity
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Tyco

Product Event Types MITRE TTP Content
CCURE Building Management System
  • app-activity
  • app-login
  • dns-response
  • failed-physical-access
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models

Vendor: Unix

Product Event Types MITRE TTP Content
Auditbeat
  • app-activity
  • app-activity-failed
  • app-login
  • process-created-failed
  • process-network
  • web-activity-denied
T1012 - Query Registry
T1056.004 - T1056.004
T1070.004 - Indicator Removal on Host: File Deletion
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1547.006 - T1547.006
T1560 - Archive Collected Data
  • 4 Rules
  • 2 Models
Unix
  • account-creation
  • account-deleted
  • account-password-reset
  • app-activity-failed
  • authentication-failed
  • authentication-successful
  • batch-logon
  • config-change
  • database-access
  • database-query
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • failed-app-login
  • failed-logon
  • file-permission-change
  • file-read
  • kerberos-logon
  • local-logon
  • member-added
  • member-removed
  • netflow-connection
  • network-alert
  • process-created
  • process-created-failed
  • remote-logon
  • security-alert
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - T1056.004
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1210 - Exploitation of Remote Services
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - T1547.006
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 77 Rules
  • 15 Models
Unix Auditd
  • account-creation
  • account-deleted
  • app-activity
  • app-activity-failed
  • authentication-failed
  • authentication-successful
  • config-change
  • database-login
  • dlp-alert
  • failed-logon
  • local-logon
  • member-added
  • member-removed
  • process-created
  • process-created-failed
  • remote-logon
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - T1056.004
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1210 - Exploitation of Remote Services
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - T1547.006
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 80 Rules
  • 16 Models
Unix Privilege Management
  • dlp-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rules
  • 1 Models

Vendor: VMware

Product Event Types MITRE TTP Content
Carbon Black
  • process-created
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - T1056.004
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - T1547.006
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 73 Rules
  • 12 Models
Carbon Black EDR
  • file-read
  • file-write
  • process-created
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - T1056.004
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 73 Rules
  • 12 Models
VMWare ID Manager (VIDM)
  • app-activity
  • app-login
  • remote-logon
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 6 Rules
  • 4 Models
VMware Carbon Black App Control
  • app-activity
  • batch-logon
  • dlp-email-alert-out-failed
  • failed-physical-access
  • file-alert
  • file-delete
  • file-write
  • local-logon
  • process-alert
  • process-created
  • security-alert
  • usb-write
  • workstation-locked
  • workstation-unlocked
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - Input Capture: Credential API Hooking
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 79 Rules
  • 16 Models
VMware Carbon Black Cloud Endpoint Standard
  • config-change
  • file-write
  • network-connection-failed
  • network-connection-successful
  • process-created
  • process-created-failed
  • security-alert
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - Input Capture: Credential API Hooking
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 74 Rules
  • 13 Models
VMware Carbon Black EDR
  • app-activity
  • config-change
  • workstation-unlocked
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Model
VMware ESXi
  • computer-logon
  • remote-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models
VMware VCenter
  • account-password-change
  • app-activity-failed
  • ds-access
  • remote-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models
VMware View
  • account-password-change
  • app-login
  • authentication-failed
  • failed-app-login
  • remote-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models

Vendor: Varonis

Product Event Types MITRE TTP Content
Data Security Platform
  • file-delete
  • file-permission-change
  • file-read
  • file-write
  • network-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rule
  • 1 Model

Vendor: Vectra

Product Event Types MITRE TTP Content
Vectra Cognito Detect
  • network-connection-failed
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rule
  • 1 Model

Vendor: Vormetric

Product Event Types MITRE TTP Content
Vormetric
  • account-switch
  • file-read
T1003 - OS Credential Dumping
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1087 - Account Discovery
T1098 - Account Manipulation
  • 11 Rules
  • 8 Models

Vendor: Watchguard

Product Event Types MITRE TTP Content
Watchguard
  • app-activity-failed
  • network-alert
  • network-connection-successful
  • web-activity-allowed
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rule
  • 1 Model

Vendor: Weblogin

Product Event Types MITRE TTP Content
Weblogin
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rule
  • 1 Model

Vendor: Xceedium

Product Event Types MITRE TTP Content
Xceedium
  • app-activity
  • app-login
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Model

Vendor: Xerox

Product Event Types MITRE TTP Content
Xerox
  • app-activity
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Model

Vendor: Zeek

Product Event Types MITRE TTP Content
Zeek Network Security Monitor
  • app-activity
  • app-login
  • authentication-failed
  • authentication-successful
  • computer-logon
  • dlp-alert
  • dlp-email-alert-in
  • dns-query
  • dns-response
  • failed-logon
  • file-delete
  • file-read
  • file-write
  • kerberos-logon
  • nac-failed-logon
  • nac-logon
  • network-alert
  • network-connection-successful
  • ntlm-logon
  • remote-logon
  • share-access
  • web-activity-allowed
  • web-activity-denied
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1210 - Exploitation of Remote Services
T1484 - Group Policy Modification
  • 11 Rules
  • 4 Models

Vendor: Zlock

Product Event Types MITRE TTP Content
Zlock
  • app-activity
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Model

Vendor: Zscaler

Product Event Types MITRE TTP Content
Zscaler Internet Access
  • database-update
  • dlp-alert
  • image-loaded
  • network-connection-failed
  • network-connection-successful
  • web-activity-allowed
  • web-activity-denied
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
  • 1 Rule
  • 1 Model
Zscaler Private Access
  • process-created
  • vpn-login
T1003 - OS Credential Dumping
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1047 - Windows Management Instrumentation
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1056.004 - Input Capture: Credential API Hooking
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1543.003 - Create or Modify System Process: Windows Service
T1547.006 - Boot or Logon Autostart Execution: Kernel Modules and Extensions
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1560 - Archive Collected Data
T1574.002 - Hijack Execution Flow: DLL Side-Loading
  • 73 Rules
  • 12 Models

Vendor: iManage

Product Event Types MITRE TTP Content
iManage
  • app-activity
  • authentication-failed
  • web-activity-denied
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Model

Vendor: jSONAR

Product Event Types MITRE TTP Content
SonarG
  • local-logon
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1078 - Valid Accounts
T1087 - Account Discovery
  • 3 Rules
  • 3 Models

Vendor: oVirt

Product Event Types MITRE TTP Content
oVirt
  • app-activity
  • app-login
  • failed-app-login
  • security-alert
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 2 Models