Use Case: Workforce Protection

Vendor: AMAG

Product	Event Types	MITRE TTP	Content
Symmetry Access Control	dlp-alert failed-physical-access physical-access	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: Absolute

Product	Event Types	MITRE TTP	Content
Absolute SIEM Connector	web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	1 Rules

Vendor: Accellion

Product	Event Types	MITRE TTP	Content
Kiteworks	account-password-change account-password-reset account-unlocked app-activity app-login dlp-email-alert-out failed-app-login file-alert file-delete file-download file-permission-change file-read file-upload file-write security-alert	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models

Vendor: AccessIT

Product	Event Types	MITRE TTP	Content
Universal.NET	physical-access	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: Akamai

Product	Event Types	MITRE TTP	Content
Cloud Akamai	file-delete web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: Apache

Product	Event Types	MITRE TTP	Content
Apache	network-connection-failed web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: Badge

Product	Event Types	MITRE TTP	Content
Badge	database-failed-login failed-physical-access physical-access	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: Badgepoint

Product	Event Types	MITRE TTP	Content
Badgepoint	authentication-failed physical-access	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: Barracuda

Product	Event Types	MITRE TTP	Content
Barracuda Email Security Gateway	account-password-change-failed dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out file-upload	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models

Vendor: BeyondTrust

Product	Event Types	MITRE TTP	Content
BeyondTrust	dlp-email-alert-out-failed failed-physical-access	T1078 - Valid Accounts	1 Rules 1 Models
BeyondTrust Privileged Identity	account-switch app-activity app-login authentication-successful dlp-alert failed-app-login failed-physical-access	T1078 - Valid Accounts	1 Rules 1 Models
BeyondTrust Secure Remote Access	app-login failed-app-login failed-physical-access	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: Bitdefender

Product	Event Types	MITRE TTP	Content
Bitdefender GravityZone	authentication-successful process-created web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	1 Rules

Vendor: Bitglass

Product	Event Types	MITRE TTP	Content
Bitglass CASB	app-login authentication-successful dlp-email-alert-out failed-app-login file-read file-write	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models

Vendor: Brivo

Product	Event Types	MITRE TTP	Content
Brivo	database-delete physical-access	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: CatoNetworks

Product	Event Types	MITRE TTP	Content
Cato Cloud	failed-logon network-alert vpn-login web-activity-allowed web-activity-denied workstation-unlocked	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: Check Point Software

Product	Event Types	MITRE TTP	Content
Check Point Identity Awareness	failed-vpn-login network-connection-failed network-connection-successful vpn-login web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models
Check Point NGFW	authentication-successful database-update dlp-email-alert-in failed-vpn-login file-permission-change network-alert network-connection-failed network-connection-successful security-alert vpn-connection vpn-login vpn-logout web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models
Check Point Security Gateway	failed-vpn-login network-connection-failed vpn-login vpn-logout web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models
Check Point Security Gateway Virtual Edition (vSEC)	authentication-failed authentication-successful web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: Cisco

Product	Event Types	MITRE TTP	Content
Cisco Adaptive Security Appliance	authentication-successful dlp-email-alert-out file-download print-activity process-created remote-logon security-alert vpn-login vpn-logout web-activity-allowed	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1071.001 - Application Layer Protocol: Web Protocols	9 Rules 4 Models
Cisco Cloud Web Security	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models
Cisco Firepower	app-activity app-login authentication-successful config-change dns-query dns-response failed-usb-activity netflow-connection network-connection-failed network-connection-successful print-activity security-alert vpn-login web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models
Cisco Meraki MX appliances	network-alert network-connection-failed network-connection-successful vpn-login vpn-logout web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	1 Rules
Cisco Secure Email	dlp-email-alert-in failed-usb-activity physical-access	T1078 - Valid Accounts	1 Rules 1 Models
Cisco Secure Web Appliance	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models
Cisco Umbrella	dns-query dns-response web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models
IronPort Email	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed network-alert web-activity-denied	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models
IronPort Web Security	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models
Proxy Umbrella	app-activity print-activity web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: Citrix

Product	Event Types	MITRE TTP	Content
Citrix Netscaler	app-login authentication-successful database-access remote-logon vpn-login vpn-logout web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models
Citrix Netscaler VPN	app-login authentication-failed dlp-email-alert-in-failed network-connection-failed vpn-login web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models
Citrix ShareFile	app-login failed-app-login file-download file-upload web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	1 Rules
Web Logging	failed-physical-access web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts	6 Rules 3 Models

Vendor: Clearswift SEG

Product	Event Types	MITRE TTP	Content
Clearswift SEG	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out physical-access	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1078 - Valid Accounts	5 Rules 3 Models

Vendor: Cloudflare

Product	Event Types	MITRE TTP	Content
Cloudflare WAF	app-activity network-connection-successful web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: Code42

Product	Event Types	MITRE TTP	Content
Code42 Incydr	dlp-email-alert-out file-delete file-download file-read file-upload file-write usb-insert	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models

Vendor: Datawatch Systems

Product	Event Types	MITRE TTP	Content
DataWatch	failed-physical-access physical-access	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: Digital Arts

Product	Event Types	MITRE TTP	Content
Digital Arts i-FILTER for Business	security-alert web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: Digital Guardian

Product	Event Types	MITRE TTP	Content
Digital Guardian Endpoint Protection	app-login dlp-email-alert-out failed-app-login file-delete file-download file-read file-upload file-write local-logon network-connection-failed network-connection-successful print-activity usb-insert vpn-connection	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models
Digital Guardian Network DLP	dlp-alert dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models

Vendor: ESET

Product	Event Types	MITRE TTP	Content
ESET Endpoint Security	app-login authentication-successful failed-ds-access failed-logon network-alert security-alert web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	1 Rules

Vendor: ESector

Product	Event Types	MITRE TTP	Content
ESector DEFESA	file-read file-write web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	1 Rules

Vendor: EdgeWave

Product	Event Types	MITRE TTP	Content
EdgeWave iPrism	security-alert web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: F5

Product	Event Types	MITRE TTP	Content
F5 Advanced Web Application Firewall (WAF)	dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed network-connection-successful print-activity process-created	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models
F5 BIG-IP Application Security Manager (ASM)	app-activity authentication-failed web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models
WebSafe	app-login web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: Fidelis

Product	Event Types	MITRE TTP	Content
Fidelis Network	failed-logon failed-physical-access	T1078 - Valid Accounts	1 Rules 1 Models
Fidelis XPS	dlp-email-alert-in failed-physical-access security-alert	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: FireEye

Product	Event Types	MITRE TTP	Content
FireEye Email Security (EX)	dlp-email-alert-out	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models
FireEye Endpoint Security (HX)	file-write process-alert security-alert web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	1 Rules
FireEye Network Security (NX)	network-alert security-alert web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: Forcepoint

Product	Event Types	MITRE TTP	Content
Forcepoint DLP	authentication-failed dlp-alert dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed usb-insert	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models
Forcepoint Email Security	dlp-email-alert-in dlp-email-alert-out	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models
Websense Secure Gateway	nac-failed-logon network-connection-failed usb-insert web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: Fortinet

Product	Event Types	MITRE TTP	Content
Fortinet FortiWeb	dlp-email-alert-out-failed web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models
Fortinet UTM	app-activity authentication-successful dlp-alert dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out failed-app-login security-alert web-activity-allowed web-activity-denied	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1071.001 - Application Layer Protocol: Web Protocols	9 Rules 4 Models
Fortinet VPN	failed-vpn-login vpn-login vpn-logout web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	1 Rules

Vendor: Galaxy

Product	Event Types	MITRE TTP	Content
Galaxy	physical-access print-activity	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: Generic Badge Access

Product	Event Types	MITRE TTP	Content
Generic Badge Access	failed-physical-access physical-access	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: Google

Product	Event Types	MITRE TTP	Content
GCP Squid Proxy	security-alert web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models
Gmail	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out vpn-login	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models

Vendor: HashiCorp

Product	Event Types	MITRE TTP	Content
Terraform	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: Honeywell

Product	Event Types	MITRE TTP	Content
Honeywell Pro-Watch	account-creation physical-access	T1078 - Valid Accounts	1 Rules 1 Models
Honeywell WIN-PAK	physical-access	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: Hornet

Product	Event Types	MITRE TTP	Content
Hornet Email	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed privileged-access	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models

Vendor: IBM

Product	Event Types	MITRE TTP	Content
IBM DB2	authentication-failed failed-physical-access file-read remote-logon	T1078 - Valid Accounts	1 Rules 1 Models
IBM Racf	app-login authentication-successful database-access failed-app-login web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	1 Rules
IBM Security Access Manager	usb-insert web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: ICDB

Product	Event Types	MITRE TTP	Content
ICDB	failed-physical-access	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: IMSVA

Product	Event Types	MITRE TTP	Content
IMSVA	dlp-email-alert-in dlp-email-alert-out network-connection-failed	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models

Vendor: IPTables

Product	Event Types	MITRE TTP	Content
IPTables	network-connection-successful web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	1 Rules

Vendor: Imperva

Product	Event Types	MITRE TTP	Content
Incapsula	authentication-failed web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: InfoWatch

Product	Event Types	MITRE TTP	Content
InfoWatch	app-login dlp-email-alert-in dlp-email-alert-out file-permission-change print-activity web-activity-allowed	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1071.001 - Application Layer Protocol: Web Protocols	9 Rules 4 Models

Vendor: Juniper Networks

Product	Event Types	MITRE TTP	Content
Juniper SRX	authentication-successful config-change failed-vpn-login network-connection-failed network-connection-successful security-alert web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: LanScope

Product	Event Types	MITRE TTP	Content
LanScope Cat	app-activity dlp-alert failed-usb-activity file-write local-logon print-activity process-created process-created-failed process-network usb-activity usb-write web-activity-allowed workstation-locked workstation-unlocked	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: Lenel

Product	Event Types	MITRE TTP	Content
Lenel OnGuard	failed-physical-access physical-access	T1078 - Valid Accounts	1 Rules 1 Models
OnGuard	failed-physical-access physical-access security-alert	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: Linux

Product	Event Types	MITRE TTP	Content
Linux CentOs	web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	1 Rules

Vendor: LogRhythm

Product	Event Types	MITRE TTP	Content
LogRhythm	web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	1 Rules

Vendor: Lyrix

Product	Event Types	MITRE TTP	Content
Lyrix	app-activity physical-access	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: MariaDB

Product	Event Types	MITRE TTP	Content
MariaDB	database-access database-delete database-query database-update dlp-email-alert-out	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models

Vendor: MasterSAM

Product	Event Types	MITRE TTP	Content
MasterSAM PAM	authentication-failed authentication-successful failed-physical-access remote-logon	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: McAfee

Product	Event Types	MITRE TTP	Content
McAfee Advanced Threat Defense	failed-physical-access	T1078 - Valid Accounts	1 Rules 1 Models
McAfee DLP	dlp-alert dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed print-activity security-alert usb-insert	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models
McAfee Email Protection	dlp-alert dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models
McAfee Web Gateway	alert-iot web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: Microsoft

Product	Event Types	MITRE TTP	Content
Exchange	app-activity app-activity-failed app-login dlp-alert dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-app-login member-removed	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models
IIS	network-connection-failed web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models
Microsoft Azure Active Directory	account-password-change account-unlocked app-activity app-activity-failed app-login dlp-email-alert-out failed-app-login member-added process-created security-alert usb-insert	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models
Microsoft Defender ATP	app-login batch-logon file-delete file-write local-logon member-removed network-alert process-alert process-created process-network process-network-failed remote-access remote-logon security-alert usb-write web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	1 Rules
Microsoft Office 365	account-disabled app-activity app-activity-failed app-login dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-app-login failed-logon file-delete file-download file-permission-change file-read file-upload file-write ntlm-logon process-created remote-logon security-alert	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models
Microsoft SQL Server	database-access database-failed-login database-login database-query failed-app-login file-read web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	1 Rules
Microsoft Sysmon	app-activity dns-response file-delete process-created process-network web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	1 Rules
Microsoft Windows	account-creation account-deleted account-disabled account-enabled account-lockout account-password-change account-password-reset account-switch account-unlocked app-activity app-login audit-log-clear audit-policy-change authentication-failed authentication-successful computer-logon database-query dcom-activation-failed dlp-alert dlp-email-alert-out-failed dns-query dns-response ds-access failed-app-login failed-logon failed-vpn-login file-close file-delete file-read file-write kerberos-logon local-logon logout-remote member-added member-removed nac-logon netflow-connection network-alert network-connection-failed privileged-access privileged-object-access process-created process-network process-network-failed remote-access remote-logon security-alert service-created service-logon share-access task-created usb-activity usb-write vpn-login vpn-logout web-activity-denied winsession-disconnect workstation-locked workstation-unlocked	T1071.001 - Application Layer Protocol: Web Protocols	1 Rules
Web Application Proxy	failed-logon network-connection-failed web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models
Web Application Proxy-TLS Gateway	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: Mimecast

Product	Event Types	MITRE TTP	Content
Mimecast	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-app-login	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models
Mimecast Email Security	account-password-change app-activity app-login dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out failed-app-login network-alert process-alert web-activity-denied	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models
Targeted Threat Protection - URL	physical-access web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts	6 Rules 3 Models

Vendor: NetIQ

Product	Event Types	MITRE TTP	Content
NetIQ	app-login failed-physical-access	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: Netskope

Product	Event Types	MITRE TTP	Content
Netskope Security Cloud	app-activity app-login dlp-alert dlp-email-alert-in dlp-email-alert-out failed-app-login file-delete file-download file-permission-change file-read file-upload file-write network-connection-failed network-connection-successful process-created security-alert web-activity-allowed	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1071.001 - Application Layer Protocol: Web Protocols	9 Rules 4 Models

Vendor: Oracle

Product	Event Types	MITRE TTP	Content
Oracle	failed-physical-access	T1078 - Valid Accounts	1 Rules 1 Models
Oracle Access Manager	app-activity app-login authentication-successful failed-app-login failed-physical-access physical-access	T1078 - Valid Accounts	1 Rules 1 Models
Oracle DB	database-access database-failed-login database-login database-query database-update failed-physical-access local-logon	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: Palo Alto Networks

Product	Event Types	MITRE TTP	Content
GlobalProtect	authentication-failed authentication-successful failed-vpn-login network-alert physical-access remote-logon security-alert vpn-login	T1078 - Valid Accounts	1 Rules 1 Models
NGFW	account-password-change app-activity authentication-successful config-change dlp-email-alert-out file-alert local-logon network-connection-successful security-alert vpn-login web-activity-allowed web-activity-denied	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1071.001 - Application Layer Protocol: Web Protocols	9 Rules 4 Models
Palo Alto Aperture	app-login dlp-email-alert-out file-delete file-read file-write network-alert	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models

Vendor: Paxton

Product	Event Types	MITRE TTP	Content
NET2DOOR	netflow-connection physical-access	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: PicturePerfect

Product	Event Types	MITRE TTP	Content
PicturePerfect	failed-physical-access	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: Postfix

Product	Event Types	MITRE TTP	Content
Postfix	app-activity-failed dlp-email-alert-in dlp-email-alert-out	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models

Vendor: Proofpoint

Product	Event Types	MITRE TTP	Content
Proofpoint DLP	dlp-alert dlp-email-alert-in dlp-email-alert-out dlp-email-alert-out-failed	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models
Proofpoint Enterprise Protection	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models
Proofpoint TAP	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models
Proofpoint TAP/POD	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed security-alert	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models

Vendor: Quest Software

Product	Event Types	MITRE TTP	Content
Change Auditor	account-lockout account-unlocked ds-access failed-app-login file-delete file-write local-logon member-added member-removed nac-failed-logon physical-access remote-logon security-alert	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: RS2

Product	Event Types	MITRE TTP	Content
RS2	app-login physical-access	T1078 - Valid Accounts	1 Rules 1 Models
RS2 Technologies	authentication-failed physical-access	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: RSA

Product	Event Types	MITRE TTP	Content
RSA ECAT	failed-physical-access	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: Red Canary

Product	Event Types	MITRE TTP	Content
Red Canary	web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	1 Rules

Vendor: RedCloud

Product	Event Types	MITRE TTP	Content
RedCloud	failed-physical-access	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: RightCrowd

Product	Event Types	MITRE TTP	Content
RightCrowd	authentication-failed failed-physical-access	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: SIGSCI

Product	Event Types	MITRE TTP	Content
SIGSCI	file-download web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: Sangfor

Product	Event Types	MITRE TTP	Content
NGAF	network-alert web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: Sensormatik

Product	Event Types	MITRE TTP	Content
Sensormatik	dlp-email-alert-out physical-access	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1078 - Valid Accounts	5 Rules 3 Models

Vendor: SentinelOne

Product	Event Types	MITRE TTP	Content
SentinelOne	app-activity dns-query dns-response file-alert file-delete file-read file-write network-connection-failed network-connection-successful process-created security-alert web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: Siemens

Product	Event Types	MITRE TTP	Content
Siemens	authentication-successful failed-physical-access physical-access	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: SkySea

Product	Event Types	MITRE TTP	Content
ClientView	app-activity app-login computer-logon dlp-email-alert-out dns-query file-delete file-read file-upload file-write security-alert usb-activity web-activity-allowed	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1071.001 - Application Layer Protocol: Web Protocols	9 Rules 4 Models

Vendor: Sonicwall

Product	Event Types	MITRE TTP	Content
Sonicwall	failed-logon failed-vpn-login network-alert vpn-login vpn-logout web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: Sophos

Product	Event Types	MITRE TTP	Content
Sophos Endpoint Protection	app-activity-failed dlp-alert failed-app-login network-connection-successful security-alert usb-insert usb-write web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	1 Rules
Sophos UTM	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models
Sophos XG Firewall	authentication-successful failed-vpn-login network-connection-failed network-connection-successful vpn-login web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: Squid

Product	Event Types	MITRE TTP	Content
Squid	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: StealthBits

Product	Event Types	MITRE TTP	Content
StealthIntercept	account-disabled account-enabled authentication-successful ds-access file-read file-write member-added member-removed network-connection-failed web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: Sybase

Product	Event Types	MITRE TTP	Content
Sybase	database-login dlp-email-alert-out security-alert	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models

Vendor: Symantec

Product	Event Types	MITRE TTP	Content
Symantec Blue Coat ProxySG Appliance	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models
Symantec Brightmail	dlp-alert dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models
Symantec DLP	dlp-alert dlp-email-alert-in dlp-email-alert-out dlp-email-alert-out-failed ds-access failed-logon security-alert usb-activity usb-read usb-write	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models
Symantec EDR	failed-logon file-alert file-delete file-write remote-logon web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	1 Rules
Symantec Email Security.cloud	app-activity dlp-email-alert-in dlp-email-alert-out dlp-email-alert-out-failed process-created-failed security-alert	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models
Symantec Fireglass	failed-physical-access web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts	6 Rules 3 Models
Symantec Secure Web Gateway	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models
Symantec WSS	process-created web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: TimeLox

Product	Event Types	MITRE TTP	Content
TimeLox	failed-physical-access physical-access	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: TitanFTP

Product	Event Types	MITRE TTP	Content
TitanFTP	file-delete file-read web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	1 Rules

Vendor: Trend Micro

Product	Event Types	MITRE TTP	Content
Apex One	app-login dlp-email-alert-in dlp-email-alert-out dlp-email-alert-out-failed security-alert	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models
InterScan Web Security	account-password-change web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models
OfficeScan	account-password-change dlp-alert dlp-email-alert-out security-alert usb-insert usb-read web-activity-denied	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: Tyco

Product	Event Types	MITRE TTP	Content
CCURE Building Management System	app-activity app-login dns-response failed-physical-access	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: USB

Product	Event Types	MITRE TTP	Content
USB	web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	1 Rules

Vendor: Unix

Product	Event Types	MITRE TTP	Content
Auditbeat	app-activity app-activity-failed app-login process-created-failed process-network web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	1 Rules
Unix	account-creation account-deleted account-password-reset app-activity-failed authentication-failed authentication-successful batch-logon config-change database-access database-query dlp-alert dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-app-login failed-logon file-permission-change file-read kerberos-logon local-logon member-added member-removed netflow-connection network-alert process-created process-created-failed remote-logon security-alert	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models
Unix Sendmail	authentication-failed dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 2 Models

Vendor: VMware

Product	Event Types	MITRE TTP	Content
NSX FW	network-connection-successful web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models
VMware Carbon Black App Control	app-activity batch-logon dlp-email-alert-out-failed failed-physical-access file-alert file-delete file-write local-logon process-alert process-created security-alert usb-write workstation-locked workstation-unlocked	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: Vanderbilt

Product	Event Types	MITRE TTP	Content
Vanderbilt	physical-access	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: Vectra

Product	Event Types	MITRE TTP	Content
Vectra Cognito Stream	failed-physical-access	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: Viscount

Product	Event Types	MITRE TTP	Content
Viscount	physical-access	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: Visma

Product	Event Types	MITRE TTP	Content
Megaflex	app-activity-failed physical-access	T1078 - Valid Accounts	1 Rules 1 Models

Vendor: Watchguard

Product	Event Types	MITRE TTP	Content
Watchguard	app-activity-failed network-alert network-connection-successful web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: Zeek

Product	Event Types	MITRE TTP	Content
Zeek Network Security Monitor	app-activity app-login authentication-failed authentication-successful computer-logon dlp-alert dlp-email-alert-in dns-query dns-response failed-logon file-delete file-read file-write kerberos-logon nac-failed-logon nac-logon network-alert network-connection-successful ntlm-logon remote-logon share-access web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: Zoom

Product	Event Types	MITRE TTP	Content
Zoom	nac-failed-logon web-meeting-created web-meeting-participant-joined web-meeting-started web-meeting-updated webconference-login webconference-operations-activity	T1078.004 - Valid Accounts: Cloud Accounts T1090.003 - Proxy: Multi-hop Proxy T1098 - Account Manipulation	11 Rules 5 Models

Vendor: Zscaler

Product	Event Types	MITRE TTP	Content
Zscaler Internet Access	database-update dlp-alert image-loaded network-connection-failed network-connection-successful web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models

Vendor: eDocs

Product	Event Types	MITRE TTP	Content
eDocs	web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	1 Rules

Vendor: iManage

Product	Event Types	MITRE TTP	Content
iManage	app-activity authentication-failed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	1 Rules

Vendor: xsuite

Product	Event Types	MITRE TTP	Content
xsuite	web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols	1 Rules

Files

uc_workforce_protection.md

Latest commit

History

uc_workforce_protection.md

File metadata and controls

Use Case: Workforce Protection

Vendor: AMAG

Vendor: Absolute

Vendor: Accellion

Vendor: AccessIT

Vendor: Akamai

Vendor: Apache

Vendor: Badge

Vendor: Badgepoint

Vendor: Barracuda

Vendor: BeyondTrust

Vendor: Bitdefender

Vendor: Bitglass

Vendor: Brivo

Vendor: CatoNetworks

Vendor: Check Point Software

Vendor: Cisco

Vendor: Citrix

Vendor: Clearswift SEG

Vendor: Cloudflare

Vendor: Code42

Vendor: Datawatch Systems

Vendor: Digital Arts

Vendor: Digital Guardian

Vendor: ESET

Vendor: ESector

Vendor: EdgeWave

Vendor: F5

Vendor: Fidelis

Vendor: FireEye

Vendor: Forcepoint

Vendor: Fortinet

Vendor: Galaxy

Vendor: Generic Badge Access

Vendor: Google

Vendor: HashiCorp

Vendor: Honeywell

Vendor: Hornet

Vendor: IBM

Vendor: ICDB

Vendor: IMSVA

Vendor: IPTables

Vendor: Imperva

Vendor: InfoWatch

Vendor: Juniper Networks

Vendor: LanScope

Vendor: Lenel

Vendor: Linux

Vendor: LogRhythm

Vendor: Lyrix

Vendor: MariaDB

Vendor: MasterSAM

Vendor: McAfee

Vendor: Microsoft

Vendor: Mimecast

Vendor: NetIQ

Vendor: Netskope

Vendor: Oracle

Vendor: Palo Alto Networks

Vendor: Paxton

Vendor: PicturePerfect

Vendor: Postfix

Vendor: Proofpoint

Vendor: Quest Software

Vendor: RS2

Vendor: RSA

Vendor: Red Canary

Vendor: RedCloud

Vendor: RightCrowd

Vendor: SIGSCI

Vendor: Sangfor

Vendor: Sensormatik

Vendor: SentinelOne

Vendor: Siemens