uc_malware.md

Use Case: Malware

Vendor: AMAG

Product	Event Types	MITRE TTP	Content
Symmetry Access Control	dlp-alert failed-physical-access physical-access	TA0002 - TA0002	4 Rules 2 Models

Vendor: APC

Product	Event Types	MITRE TTP	Content
APC	network-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: ASUPIM

Product	Event Types	MITRE TTP	Content
ASUPIM	failed-logon	T1210 - Exploitation of Remote Services	1 Rules

Vendor: AVI Networks

Product	Event Types	MITRE TTP	Content
Load Balancer	account-switch	TA0002 - TA0002	4 Rules 2 Models

Vendor: Absolute

Product	Event Types	MITRE TTP	Content
Absolute SIEM Connector	web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	23 Rules 6 Models

Vendor: Accellion

Product	Event Types	MITRE TTP	Content
Kiteworks	account-password-change account-password-reset account-unlocked app-activity app-login dlp-email-alert-out failed-app-login file-alert file-delete file-download file-permission-change file-read file-upload file-write security-alert	T1003.002 - T1003.002 T1078 - Valid Accounts T1505.003 - Server Software Component: Web Shell TA0002 - TA0002	10 Rules 3 Models

Vendor: AirWatch

Product	Event Types	MITRE TTP	Content
AirWatch	authentication-failed authentication-successful failed-logon	T1078 - Valid Accounts T1210 - Exploitation of Remote Services	2 Rules

Vendor: Airlock

Product	Event Types	MITRE TTP	Content
Web Application Firewall	app-activity-failed app-login database-query failed-app-login file-delete file-download file-upload file-write network-connection-successful	T1003.002 - T1003.002 T1078 - Valid Accounts T1505.003 - Server Software Component: Web Shell TA0002 - TA0002 TA0011 - TA0011	11 Rules 2 Models

Vendor: Akamai

Product	Event Types	MITRE TTP	Content
Akamai Siem	authentication-successful	T1078 - Valid Accounts	1 Rules
Cloud Akamai	file-delete web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	23 Rules 6 Models

Vendor: Alert Logic

Product	Event Types	MITRE TTP	Content
Alert Logic	app-activity	T1078 - Valid Accounts	1 Rules

Vendor: Amazon

Product	Event Types	MITRE TTP	Content
AWS Bastion	app-activity remote-logon	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models
AWS CloudTrail	account-password-change app-activity app-login cloud-admin-activity cloud-admin-activity-failed netflow-connection storage-access storage-activity storage-activity-failed	T1078 - Valid Accounts TA0011 - TA0011	4 Rules
AWS CloudWatch	app-activity-failed security-alert	TA0002 - TA0002	4 Rules 2 Models
AWS GuardDuty	process-created	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002	223 Rules 32 Models
AWS Redshift	security-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: Apache

Product	Event Types	MITRE TTP	Content
Apache	network-connection-failed web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0011 - TA0011	25 Rules 6 Models
Apache Guacamole	app-login file-permission-change	T1078 - Valid Accounts	1 Rules
Cassandra	database-login database-update security-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: AppSense Application Manager

Product	Event Types	MITRE TTP	Content
AppSense Application Manager	local-logon	T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	5 Rules 2 Models

Vendor: Apple

Product	Event Types	MITRE TTP	Content
macOS	file-alert	TA0002 - TA0002	2 Rules 1 Models

Vendor: Arbor

Product	Event Types	MITRE TTP	Content
Arbor	security-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: Armis

Product	Event Types	MITRE TTP	Content
Armis	failed-logon	T1210 - Exploitation of Remote Services	1 Rules

Vendor: AssetView

Product	Event Types	MITRE TTP	Content
AssetView	file-download file-write network-connection-failed print-activity security-alert	T1003.002 - T1003.002 T1505.003 - Server Software Component: Web Shell TA0002 - TA0002 TA0011 - TA0011	11 Rules 3 Models

Vendor: Atlassian

Product	Event Types	MITRE TTP	Content
Atlassian BitBucket	dlp-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: Attivo

Product	Event Types	MITRE TTP	Content
BOTsink	database-login remote-logon	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models

Vendor: Auth0

Product	Event Types	MITRE TTP	Content
Auth0	account-password-change-failed app-login failed-logon network-connection-successful	T1078 - Valid Accounts T1210 - Exploitation of Remote Services TA0011 - TA0011	5 Rules

Vendor: Avaya

Product	Event Types	MITRE TTP	Content
Avaya Ethernet Routing Switch	authentication-successful nac-logon	T1078 - Valid Accounts	1 Rules
Avaya VPN	dns-query vpn-login	T1071 - Application Layer Protocol T1078 - Valid Accounts T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1583.001 - T1583.001	4 Rules

Vendor: Axway

Product	Event Types	MITRE TTP	Content
Axway SFTP	file-upload process-network-failed	TA0002 - TA0002	4 Rules 2 Models

Vendor: BIND

Product	Event Types	MITRE TTP	Content
BIND	network-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: Barracuda

Product	Event Types	MITRE TTP	Content
Barracuda Firewall	account-lockout database-query failed-vpn-login network-connection-failed network-connection-successful vpn-login	T1078 - Valid Accounts TA0011 - TA0011	5 Rules

Vendor: BeyondTrust

Product	Event Types	MITRE TTP	Content
BeyondTrust PasswordSafe	privileged-access	TA0002 - TA0002	4 Rules 2 Models
BeyondTrust PowerBroker	account-enabled dlp-email-alert-out-failed remote-logon	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models
BeyondTrust Privilege Management	dns-response process-created	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1071 - Application Layer Protocol T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002	225 Rules 32 Models
BeyondTrust Privileged Identity	account-switch app-activity app-login authentication-successful database-alert failed-app-login failed-physical-access	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models
BeyondTrust Secure Remote Access	app-login failed-app-login failed-physical-access	T1078 - Valid Accounts	1 Rules

Vendor: Bitdefender

Product	Event Types	MITRE TTP	Content
GravityZone	authentication-successful process-created security-alert web-activity-denied	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1189 - Drive-by Compromise T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.001 - T1204.001 T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002	249 Rules 39 Models

Vendor: Bitglass

Product	Event Types	MITRE TTP	Content
Bitglass CASB	app-login authentication-successful dlp-email-alert-out failed-app-login file-download file-read file-write	T1003.002 - T1003.002 T1078 - Valid Accounts T1505.003 - Server Software Component: Web Shell TA0002 - TA0002	8 Rules 2 Models

Vendor: BlackBerry

Product	Event Types	MITRE TTP	Content
BlackBerry Protect	app-activity file-delete security-alert vpn-logout	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models

Vendor: BlueCat Networks

Product	Event Types	MITRE TTP	Content
BlueCat Networks Adonis	security-alert	TA0002 - TA0002	4 Rules 2 Models
BlueCat Networks DHCP	failed-logon	T1210 - Exploitation of Remote Services	1 Rules

Vendor: Box

Product	Event Types	MITRE TTP	Content
Box Cloud Content Management	app-activity app-activity-failed file-delete file-download file-permission-change file-read file-upload file-write print-activity	T1003.002 - T1003.002 T1078 - Valid Accounts T1505.003 - Server Software Component: Web Shell TA0002 - TA0002	8 Rules 2 Models

Vendor: Bromium

Product	Event Types	MITRE TTP	Content
Bromium Secure Platform	file-alert file-permission-change file-write	T1003.002 - T1003.002 T1505.003 - Server Software Component: Web Shell TA0002 - TA0002	7 Rules 2 Models

Vendor: CA Technologies

Product	Event Types	MITRE TTP	Content
CA Privileged Access Manager Server Control	app-login authentication-failed authentication-successful failed-app-login remote-logon	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models

Vendor: CDS

Product	Event Types	MITRE TTP	Content
CDS	failed-ds-access failed-logon	T1210 - Exploitation of Remote Services	1 Rules

Vendor: CatoNetworks

Product	Event Types	MITRE TTP	Content
Cato Cloud	failed-logon network-alert vpn-login web-activity-allowed web-activity-denied workstation-unlocked	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1210 - Exploitation of Remote Services T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	31 Rules 8 Models

Vendor: Centrify

Product	Event Types	MITRE TTP	Content
Centrify Audit and Monitoring Service	authentication-successful file-read file-write	T1003.002 - T1003.002 T1078 - Valid Accounts T1505.003 - Server Software Component: Web Shell TA0002 - TA0002	8 Rules 2 Models
Centrify Authentication Service	account-switch authentication-failed local-logon process-created remote-logon	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1078 - Valid Accounts T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002	225 Rules 32 Models
Centrify Infrastructure Services	authentication-failed failed-logon	T1210 - Exploitation of Remote Services	1 Rules
Centrify Zero Trust Privilege Services	app-activity app-login failed-app-login file-delete	T1078 - Valid Accounts	1 Rules

Vendor: CenturyLink

Product	Event Types	MITRE TTP	Content
Adaptive Threat Intelligence	security-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: Check Point

Product	Event Types	MITRE TTP	Content
Endpoint Security	security-alert	TA0002 - TA0002	4 Rules 2 Models
Identity Awareness	failed-vpn-login network-connection-failed network-connection-successful vpn-login web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0011 - TA0011	28 Rules 6 Models
NGFW	authentication-successful database-update dlp-email-alert-in failed-vpn-login file-permission-change network-alert network-connection-failed network-connection-successful security-alert vpn-connection vpn-login vpn-logout web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002 TA0011 - TA0011	34 Rules 8 Models
Security Gateway	failed-vpn-login network-connection-failed vpn-login vpn-logout web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0011 - TA0011	28 Rules 6 Models
Security Gateway Virtual Edition (vSEC)	authentication-failed authentication-successful web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	24 Rules 6 Models
Threat Prevention	network-alert network-connection-failed network-connection-successful security-alert	TA0002 - TA0002 TA0011 - TA0011	8 Rules 2 Models

Vendor: Cimtrak

Product	Event Types	MITRE TTP	Content
Cimtrak	file-write security-alert	T1003.002 - T1003.002 T1505.003 - Server Software Component: Web Shell TA0002 - TA0002	9 Rules 3 Models

Vendor: Cisco

Product	Event Types	MITRE TTP	Content
ACI	app-activity authentication-failed authentication-successful	T1078 - Valid Accounts	1 Rules
AnyConnect	failed-vpn-login nac-logon process-created vpn-login	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1078 - Valid Accounts T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002	224 Rules 32 Models
Cisco	authentication-successful security-alert	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models
Cisco ACS	account-lockout app-activity authentication-failed	T1078 - Valid Accounts	1 Rules
Cisco ADC	security-alert	TA0002 - TA0002	4 Rules 2 Models
Cisco Adaptive Security Appliance	authentication-successful dlp-email-alert-out file-download print-activity process-created remote-logon security-alert vpn-login vpn-logout web-activity-allowed	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1189 - Drive-by Compromise T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.001 - T1204.001 T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002	250 Rules 39 Models
Cisco Advance Malware Protection (AMP)	security-alert	TA0002 - TA0002	4 Rules 2 Models
Cisco Airespace	security-alert	TA0002 - TA0002	4 Rules 2 Models
Cisco Call Manager	app-activity authentication-failed authentication-successful	T1078 - Valid Accounts	1 Rules
Cisco Cloud Web Security	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	25 Rules 6 Models
Cisco CloudLock	security-alert	TA0002 - TA0002	4 Rules 2 Models
Cisco Console	app-activity	T1078 - Valid Accounts	1 Rules
Cisco Firepower	app-activity app-login authentication-successful config-change dns-query dns-response failed-usb-activity netflow-connection network-connection-failed network-connection-successful print-activity security-alert vpn-login web-activity-allowed web-activity-denied	T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1583.001 - T1583.001 TA0002 - TA0002 TA0011 - TA0011	39 Rules 8 Models
Cisco ISE	account-lockout app-activity authentication-failed computer-logon nac-failed-logon nac-logon network-alert print-activity remote-logon security-alert vpn-login vpn-logout	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models
Cisco Meraki MX appliances	network-alert network-connection-failed network-connection-successful vpn-login vpn-logout web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002 TA0011 - TA0011	32 Rules 8 Models
Cisco NPE	process-created	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002	223 Rules 32 Models
Cisco Netflow	netflow-connection	TA0011 - TA0011	3 Rules
Cisco Secure Endpoint	security-alert	TA0002 - TA0002	4 Rules 2 Models
Cisco Secure Web Appliance	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	25 Rules 6 Models
Cisco TACACS	remote-logon	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models
Cisco Umbrella	dns-query dns-response web-activity-allowed	T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1583.001 - T1583.001	28 Rules 6 Models
Duo Access Security	app-login authentication-failed authentication-successful failed-logon file-delete vpn-login vpn-logout	T1078 - Valid Accounts T1210 - Exploitation of Remote Services	2 Rules
IronPort Email	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed network-alert web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	27 Rules 8 Models
IronPort Web Security	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	25 Rules 6 Models
Proxy Umbrella	app-activity print-activity web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	24 Rules 6 Models

Vendor: Citrix

Product	Event Types	MITRE TTP	Content
Citrix AppFW	database-query network-connection-successful	TA0011 - TA0011	3 Rules
Citrix Endpoint Management	privileged-access remote-logon	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models
Citrix Netscaler	app-login authentication-successful database-access remote-logon vpn-login vpn-logout web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	29 Rules 8 Models
Citrix Netscaler VPN	app-login authentication-failed dlp-email-alert-in-failed network-connection-failed vpn-login web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0011 - TA0011	26 Rules 6 Models
Citrix ShareFile	app-login failed-app-login file-download file-upload web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	24 Rules 6 Models
Citrix XenApp	app-login failed-app-login failed-vpn-login	T1078 - Valid Accounts	1 Rules
Citrix XenDesktop	app-login	T1078 - Valid Accounts	1 Rules
Netscaler WAF	network-connection-successful print-activity	TA0011 - TA0011	3 Rules
Web Logging	failed-physical-access web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	23 Rules 6 Models

Vendor: Clearsense

Product	Event Types	MITRE TTP	Content
Clearsense	app-login security-alert	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models

Vendor: Cloud Application

Product	Event Types	MITRE TTP	Content
Cloud Application	app-activity app-login failed-app-login	T1078 - Valid Accounts	1 Rules

Vendor: Cloudflare

Product	Event Types	MITRE TTP	Content
Cloudflare CDN	app-activity	T1078 - Valid Accounts	1 Rules
Cloudflare Insights	app-login member-added member-removed security-alert	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models
Cloudflare WAF	app-activity network-connection-successful web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0011 - TA0011	29 Rules 6 Models

Vendor: Code42

Product	Event Types	MITRE TTP	Content
Code42 Incydr	dlp-email-alert-out file-delete file-download file-read file-upload file-write usb-insert	T1003.002 - T1003.002 T1505.003 - Server Software Component: Web Shell TA0002 - TA0002	7 Rules 2 Models

Vendor: Cofense

Product	Event Types	MITRE TTP	Content
Phishme	security-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: Cognitas CrossLink

Product	Event Types	MITRE TTP	Content
Cognitas CrossLink	remote-logon	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models

Vendor: CrowdStrike

Product	Event Types	MITRE TTP	Content
Falcon	app-activity app-activity-failed app-login authentication-failed batch-logon computer-logon dlp-alert dlp-email-alert-out-failed failed-app-login file-alert file-delete file-download file-permission-change file-read file-write local-logon network-connection-failed network-connection-successful process-alert process-created process-network remote-access remote-logon security-alert service-logon usb-activity usb-insert	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1078 - Valid Accounts T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002 TA0010 - TA0010 TA0011 - TA0011	238 Rules 36 Models

Vendor: CyberArk

Product	Event Types	MITRE TTP	Content
CyberArk Endpoint Privilege Management	file-delete network-alert	TA0002 - TA0002	4 Rules 2 Models
CyberArk Vault	account-password-change account-password-change-failed account-password-reset account-switch app-activity app-activity-failed app-login computer-logon failed-app-login failed-logon file-delete file-read file-write process-created remote-logon	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1078 - Valid Accounts T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002	231 Rules 33 Models
Privileged Session Manager	app-activity app-login file-permission-change	T1078 - Valid Accounts	1 Rules
Privileged Threat Analytics	failed-logon	T1210 - Exploitation of Remote Services	1 Rules

Vendor: Damballa

Product	Event Types	MITRE TTP	Content
Failsafe	security-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: Darktrace

Product	Event Types	MITRE TTP	Content
Darktrace	app-login dlp-email-alert-in-failed	T1078 - Valid Accounts	1 Rules
Darktrace Enterprise Immune System	dlp-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: Dell

Product	Event Types	MITRE TTP	Content
EMC Isilon	app-activity file-delete file-permission-change file-read file-write	T1003.002 - T1003.002 T1078 - Valid Accounts T1505.003 - Server Software Component: Web Shell TA0002 - TA0002	8 Rules 2 Models
One Identity Manager	account-password-change account-switch security-alert	TA0002 - TA0002	4 Rules 2 Models
RSA Authentication Manager	app-activity app-login authentication-failed authentication-successful dlp-alert failed-vpn-login	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models
SonicWALL Aventail	nac-failed-logon vpn-login	T1078 - Valid Accounts	1 Rules

Vendor: Digital Arts

Product	Event Types	MITRE TTP	Content
Digital Arts i-FILTER for Business	security-alert web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	27 Rules 8 Models

Vendor: Digital Guardian

Product	Event Types	MITRE TTP	Content
Digital Guardian Endpoint Protection	app-login dlp-email-alert-out failed-app-login file-delete file-download file-read file-upload file-write local-logon network-connection-failed network-connection-successful print-activity usb-insert vpn-connection	T1003.002 - T1003.002 T1078 - Valid Accounts T1505.003 - Server Software Component: Web Shell T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002 TA0011 - TA0011	15 Rules 3 Models
Digital Guardian Network DLP	dlp-alert dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed	TA0002 - TA0002	4 Rules 2 Models

Vendor: Dropbox

Product	Event Types	MITRE TTP	Content
Dropbox	app-activity app-login file-delete file-download file-permission-change file-read file-write network-connection-failed	T1003.002 - T1003.002 T1078 - Valid Accounts T1505.003 - Server Software Component: Web Shell TA0002 - TA0002 TA0011 - TA0011	10 Rules 2 Models

Vendor: Dtex Systems

Product	Event Types	MITRE TTP	Content
DTEX InTERCEPT	file-delete file-read file-write local-logon print-activity process-created remote-logon usb-write workstation-locked	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1078 - Valid Accounts T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002	230 Rules 33 Models

Vendor: EMP

Product	Event Types	MITRE TTP	Content
EMP	app-activity dlp-email-alert-in-failed	T1078 - Valid Accounts	1 Rules

Vendor: ESET

Product	Event Types	MITRE TTP	Content
ESET Endpoint Security	app-login authentication-successful failed-ds-access failed-logon network-alert security-alert web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1210 - Exploitation of Remote Services T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	29 Rules 8 Models

Vendor: ESector

Product	Event Types	MITRE TTP	Content
ESector DEFESA	file-read file-write web-activity-denied	T1003.002 - T1003.002 T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1505.003 - Server Software Component: Web Shell T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	30 Rules 8 Models

Vendor: EdgeWave

Product	Event Types	MITRE TTP	Content
EdgeWave iPrism	security-alert web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	27 Rules 8 Models

Vendor: Egnyte

Product	Event Types	MITRE TTP	Content
Egnyte	account-password-reset app-login file-delete file-download file-permission-change file-upload file-write remote-logon	T1003.002 - T1003.002 T1078 - Valid Accounts T1505.003 - Server Software Component: Web Shell T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	11 Rules 3 Models

Vendor: EnSilo

Product	Event Types	MITRE TTP	Content
EnSilo	remote-access	T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	5 Rules 2 Models

Vendor: EndPoint

Product	Event Types	MITRE TTP	Content
EndPoint	security-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: Entrust

Product	Event Types	MITRE TTP	Content
IdentityGuard	authentication-failed authentication-successful computer-logon	T1078 - Valid Accounts	1 Rules

Vendor: Epic

Product	Event Types	MITRE TTP	Content
Epic SIEM	account-password-change app-activity app-login authentication-successful failed-app-login	T1078 - Valid Accounts	1 Rules

Vendor: Exabeam

Product	Event Types	MITRE TTP	Content
Exabeam Advanced Analytics	app-activity	T1078 - Valid Accounts	1 Rules
Exabeam DL	account-password-change app-activity app-login dlp-alert failed-app-login	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models

Vendor: Extrahop

Product	Event Types	MITRE TTP	Content
Reveal(x)	authentication-successful dns-query network-alert	T1071 - Application Layer Protocol T1078 - Valid Accounts T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1583.001 - T1583.001 TA0002 - TA0002	8 Rules 2 Models

Vendor: F5

Product	Event Types	MITRE TTP	Content
BIG-IP DNS	dns-query vpn-logout	T1071 - Application Layer Protocol T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1583.001 - T1583.001	3 Rules
F5 Advanced Web Application Firewall (WAF)	dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed network-connection-successful print-activity process-created	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002 TA0011 - TA0011	226 Rules 32 Models
F5 BIG-IP	app-activity failed-vpn-login print-activity process-alert remote-logon vpn-login	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	24 Rules 11 Models
F5 BIG-IP Access Policy Manager (APM)	app-activity authentication-failed authentication-successful process-alert vpn-login vpn-logout	T1078 - Valid Accounts TA0002 - TA0002	21 Rules 10 Models
F5 BIG-IP Advanced Firewall Module (AFM)	app-activity network-connection-successful	T1078 - Valid Accounts TA0011 - TA0011	4 Rules
F5 BIG-IP Application Security Manager (ASM)	app-activity authentication-failed web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	24 Rules 6 Models
F5 Silverline	dlp-email-alert-in-failed network-connection-failed	TA0011 - TA0011	2 Rules
WebSafe	app-login web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	24 Rules 6 Models

Vendor: FTP

Product	Event Types	MITRE TTP	Content
FTP	app-activity app-activity-failed app-login failed-app-login file-delete file-read file-write	T1003.002 - T1003.002 T1078 - Valid Accounts T1505.003 - Server Software Component: Web Shell TA0002 - TA0002	8 Rules 2 Models

Vendor: Fidelis

Product	Event Types	MITRE TTP	Content
Fidelis Network	failed-logon failed-physical-access	T1210 - Exploitation of Remote Services	1 Rules
Fidelis XPS	dlp-email-alert-in failed-physical-access security-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: FileAuditor

Product	Event Types	MITRE TTP	Content
FileAuditor	failed-app-login file-read file-write	T1003.002 - T1003.002 T1505.003 - Server Software Component: Web Shell TA0002 - TA0002	7 Rules 2 Models

Vendor: FireEye

Product	Event Types	MITRE TTP	Content
FireEye Email Gateway	security-alert	TA0002 - TA0002	4 Rules 2 Models
FireEye Endpoint Security (CM)	security-alert	TA0002 - TA0002	4 Rules 2 Models
FireEye Endpoint Security (HX)	file-write process-alert security-alert web-activity-denied	T1003.002 - T1003.002 T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1505.003 - Server Software Component: Web Shell T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	48 Rules 17 Models
FireEye Helix	security-alert	TA0002 - TA0002	4 Rules 2 Models
FireEye Network Security (Helix)	security-alert	TA0002 - TA0002	4 Rules 2 Models
FireEye Network Security (NX)	network-alert security-alert web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	27 Rules 8 Models

Vendor: Forcepoint

Product	Event Types	MITRE TTP	Content
Forcepoint CASB	account-password-change app-activity failed-app-login security-alert	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models
Forcepoint DLP	authentication-failed dlp-alert dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed usb-insert	TA0002 - TA0002	4 Rules 2 Models
Forcepoint NGFW	app-login network-alert network-connection-successful	T1078 - Valid Accounts TA0002 - TA0002 TA0011 - TA0011	8 Rules 2 Models
Websense ESG	dns-query	T1071 - Application Layer Protocol T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1583.001 - T1583.001	3 Rules
Websense Secure Gateway	nac-failed-logon network-connection-failed usb-insert web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0011 - TA0011	27 Rules 6 Models

Vendor: Forescout

Product	Event Types	MITRE TTP	Content
EyeInspect	web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	23 Rules 6 Models
Forescout CounterACT	app-activity network-alert network-connection-failed network-connection-successful	T1078 - Valid Accounts TA0002 - TA0002 TA0011 - TA0011	9 Rules 2 Models

Vendor: Fortinet

Product	Event Types	MITRE TTP	Content
FortiAuthenticator	authentication-successful vpn-logout	T1078 - Valid Accounts	1 Rules
Fortinet Enterprise Firewall	app-activity computer-logon failed-app-login file-write network-connection-successful security-alert	T1003.002 - T1003.002 T1078 - Valid Accounts T1505.003 - Server Software Component: Web Shell TA0002 - TA0002 TA0011 - TA0011	13 Rules 3 Models
Fortinet FortiWeb	dlp-email-alert-out-failed web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	23 Rules 6 Models
Fortinet UTM	app-activity authentication-successful dlp-alert dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out failed-app-login security-alert web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	30 Rules 8 Models
Fortinet VPN	failed-vpn-login vpn-login vpn-logout web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	24 Rules 6 Models

Vendor: GTB

Product	Event Types	MITRE TTP	Content
GTBInspector	remote-logon	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models

Vendor: Gallagher

Product	Event Types	MITRE TTP	Content
Access Control	physical-access vpn-login	T1078 - Valid Accounts	1 Rules

Vendor: Gamma

Product	Event Types	MITRE TTP	Content
Gamma	security-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: Gemalto

Product	Event Types	MITRE TTP	Content
Gemalto MFA	authentication-successful dlp-alert	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models

Vendor: GitHub

Product	Event Types	MITRE TTP	Content
GitHub	app-activity app-activity-failed app-login	T1078 - Valid Accounts	1 Rules

Vendor: GoAnywhere

Product	Event Types	MITRE TTP	Content
GoAnywhere MFT	dlp-email-alert-out-failed failed-logon file-delete file-download remote-logon	T1078 - Valid Accounts T1210 - Exploitation of Remote Services T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	7 Rules 2 Models

Vendor: Google

Product	Event Types	MITRE TTP	Content
Cloud Platform	app-activity cloud-admin-activity cloud-admin-activity-failed file-download netflow-connection security-alert storage-access storage-activity storage-activity-failed web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002 TA0011 - TA0011	31 Rules 8 Models
Workspace	account-password-change app-activity app-login authentication-failed dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out failed-app-login file-delete file-permission-change file-read file-write vpn-login	T1003.002 - T1003.002 T1078 - Valid Accounts T1505.003 - Server Software Component: Web Shell TA0002 - TA0002	8 Rules 2 Models

Vendor: HP

Product	Event Types	MITRE TTP	Content
Aruba ClearPass Access Control and Policy Management	account-password-reset computer-logon nac-logon network-connection-failed vpn-connection	TA0011 - TA0011	2 Rules
Aruba Mobility Master	local-logon nac-failed-logon nac-logon remote-logon	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models
Aruba Wireless controller	account-password-reset computer-logon nac-failed-logon nac-logon network-connection-failed process-created	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002 TA0011 - TA0011	225 Rules 32 Models
HP Comware	failed-logon	T1210 - Exploitation of Remote Services	1 Rules
HP SafeCom	dlp-email-alert-in network-alert	TA0002 - TA0002	4 Rules 2 Models
Print Server	network-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: HashiCorp

Product	Event Types	MITRE TTP	Content
HashiCorp Vault	account-password-reset privileged-object-access	TA0002 - TA0002	4 Rules 2 Models
Terraform	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	25 Rules 6 Models

Vendor: HelpSystems

Product	Event Types	MITRE TTP	Content
Powertech Identity Access Manager (BoKs)	account-switch file-delete file-read file-write local-logon remote-logon	T1003.002 - T1003.002 T1078 - Valid Accounts T1505.003 - Server Software Component: Web Shell T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	11 Rules 3 Models

Vendor: Hornet

Product	Event Types	MITRE TTP	Content
Hornet Email	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed privileged-access	TA0002 - TA0002	4 Rules 2 Models

Vendor: Huawei

Product	Event Types	MITRE TTP	Content
Enterprise Network Firewall	database-query network-connection-successful	TA0011 - TA0011	3 Rules
Unified Security Gateway	authentication-successful network-alert network-connection-failed vpn-login	T1078 - Valid Accounts TA0002 - TA0002 TA0011 - TA0011	7 Rules 2 Models

Vendor: IBM

Product	Event Types	MITRE TTP	Content
IBM DB2	authentication-failed failed-physical-access file-read remote-logon	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models
IBM Endpoint Manager	network-connection-failed	TA0011 - TA0011	2 Rules
IBM Lotus Notes	file-upload network-connection-successful	TA0011 - TA0011	3 Rules
IBM Racf	app-login authentication-successful database-access failed-app-login web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	24 Rules 6 Models
IBM Sametime	app-login dlp-email-alert-out-failed	T1078 - Valid Accounts	1 Rules
IBM Security Access Manager	usb-insert web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	23 Rules 6 Models
IBM Sterling B2B Integrator	app-activity failed-logon member-added member-removed remote-logon	T1078 - Valid Accounts T1210 - Exploitation of Remote Services T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	7 Rules 2 Models
Infosphere Guardium	database-alert database-login network-alert	TA0002 - TA0002	4 Rules 2 Models
Lotus Mobile Connect	authentication-failed authentication-successful vpn-login	T1078 - Valid Accounts	1 Rules
Proventia Network IPS	network-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: ICPAM

Product	Event Types	MITRE TTP	Content
ICPAM	security-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: IMSS

Product	Event Types	MITRE TTP	Content
IMSS	dlp-alert network-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: IMSVA

Product	Event Types	MITRE TTP	Content
IMSVA	dlp-email-alert-in dlp-email-alert-out network-connection-failed	TA0011 - TA0011	2 Rules

Vendor: IPTables

Product	Event Types	MITRE TTP	Content
IPTables	network-connection-successful web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0011 - TA0011	26 Rules 6 Models

Vendor: IXIA

Product	Event Types	MITRE TTP	Content
IXIA ThreatArmor	app-activity network-connection-failed	T1078 - Valid Accounts TA0011 - TA0011	3 Rules

Vendor: Illumio

Product	Event Types	MITRE TTP	Content
Illumio	network-connection-failed remote-logon	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002 TA0011 - TA0011	8 Rules 2 Models

Vendor: Imperva

Product	Event Types	MITRE TTP	Content
CounterBreach	database-alert	TA0002 - TA0002	2 Rules 1 Models
Imperva File Activity Monitoring (FAM)	file-delete file-read file-write print-activity	T1003.002 - T1003.002 T1505.003 - Server Software Component: Web Shell TA0002 - TA0002	7 Rules 2 Models
Imperva SecureSphere	app-login database-alert database-delete database-failed-login database-login database-query database-update network-alert print-activity security-alert	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models
Incapsula	authentication-failed web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	23 Rules 6 Models

Vendor: Imprivata

Product	Event Types	MITRE TTP	Content
Imprivata	app-activity app-login	T1078 - Valid Accounts	1 Rules

Vendor: InfoWatch

Product	Event Types	MITRE TTP	Content
InfoWatch	app-login dlp-email-alert-in dlp-email-alert-out file-permission-change print-activity web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	24 Rules 6 Models

Vendor: Infoblox

Product	Event Types	MITRE TTP	Content
BloxOne	computer-logon dlp-email-alert-out-failed network-connection-failed network-connection-successful process-created security-alert	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002 TA0011 - TA0011	229 Rules 33 Models
NIOS	process-alert	TA0002 - TA0002	20 Rules 10 Models

Vendor: Ipswitch

Product	Event Types	MITRE TTP	Content
IPswitch MoveIt	app-activity app-login failed-app-login file-download file-read	T1078 - Valid Accounts	1 Rules
MoveIt DMZ	account-password-change authentication-failed failed-logon file-delete file-download file-upload file-write member-added process-created-failed	T1003.002 - T1003.002 T1047 - Windows Management Instrumentation T1059.005 - T1059.005 T1059.007 - T1059.007 T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1210 - Exploitation of Remote Services T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1505.003 - Server Software Component: Web Shell TA0002 - TA0002	13 Rules 3 Models

Vendor: IronNet

Product	Event Types	MITRE TTP	Content
IronDefense	failed-logon	T1210 - Exploitation of Remote Services	1 Rules

Vendor: JH

Product	Event Types	MITRE TTP	Content
JH	network-connection-failed	TA0011 - TA0011	2 Rules

Vendor: Johnson Controls

Product	Event Types	MITRE TTP	Content
Johnson Controls P2000	security-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: Juniper Networks

Product	Event Types	MITRE TTP	Content
Juniper Networks	account-deleted network-connection-successful	TA0011 - TA0011	3 Rules
Juniper Networks Pulse Secure	app-activity authentication-failed authentication-successful failed-app-login failed-vpn-login network-connection-successful vpn-login vpn-logout	T1078 - Valid Accounts TA0011 - TA0011	4 Rules
Juniper SRX	authentication-successful config-change failed-vpn-login network-connection-failed network-connection-successful security-alert web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002 TA0011 - TA0011	34 Rules 8 Models
Juniper VPN	app-activity authentication-failed authentication-successful failed-vpn-login security-alert vpn-login vpn-logout	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models

Vendor: Kaspersky

Product	Event Types	MITRE TTP	Content
Kaspersky AV	app-activity file-alert security-alert	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models
Kaspersky Endpoint Security for Business	file-alert network-alert security-alert usb-insert	TA0002 - TA0002	4 Rules 2 Models

Vendor: Kemp

Product	Event Types	MITRE TTP	Content
Kemp LoadMaster	app-activity remote-logon security-alert	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models
Load Balancer	failed-app-login remote-logon	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models

Vendor: LEAP

Product	Event Types	MITRE TTP	Content
LEAP	app-activity file-download	T1078 - Valid Accounts	1 Rules

Vendor: LOGBinder

Product	Event Types	MITRE TTP	Content
SharePoint	config-change file-read file-write	T1003.002 - T1003.002 T1505.003 - Server Software Component: Web Shell TA0002 - TA0002	7 Rules 2 Models

Vendor: LanScope

Product	Event Types	MITRE TTP	Content
LanScope Cat	app-activity dlp-alert failed-usb-activity file-write local-logon print-activity process-created process-created-failed process-network usb-activity usb-write web-activity-allowed workstation-locked workstation-unlocked	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1189 - Drive-by Compromise T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.001 - T1204.001 T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002 TA0010 - TA0010 TA0011 - TA0011	260 Rules 40 Models

Vendor: LastPass

Product	Event Types	MITRE TTP	Content
LastPass	app-activity app-login failed-app-login	T1078 - Valid Accounts	1 Rules

Vendor: Lastline

Product	Event Types	MITRE TTP	Content
Lastline	security-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: Lenel

Product	Event Types	MITRE TTP	Content
OnGuard	failed-physical-access physical-access security-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: Linux

Product	Event Types	MITRE TTP	Content
Linux CentOs	web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	23 Rules 6 Models
SSH	remote-logon	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models

Vendor: LogMeIn

Product	Event Types	MITRE TTP	Content
RemotelyAnywhere	app-activity	T1078 - Valid Accounts	1 Rules

Vendor: LogRhythm

Product	Event Types	MITRE TTP	Content
LogRhythm	web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	23 Rules 6 Models

Vendor: Lumension

Product	Event Types	MITRE TTP	Content
Lumension	failed-usb-activity usb-activity usb-insert usb-read	TA0002 - TA0002	4 Rules 2 Models

Vendor: Lyrix

Product	Event Types	MITRE TTP	Content
Lyrix	app-activity physical-access	T1078 - Valid Accounts	1 Rules

Vendor: Malwarebytes

Product	Event Types	MITRE TTP	Content
Malwarebytes Endpoint Protection	process-alert security-alert	TA0002 - TA0002	22 Rules 11 Models
Malwarebytes Incident Response	network-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: MasterSAM

Product	Event Types	MITRE TTP	Content
MasterSAM PAM	authentication-failed authentication-successful failed-physical-access remote-logon	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models

Vendor: McAfee

Product	Event Types	MITRE TTP	Content
McAfee DLP	dlp-alert dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed print-activity security-alert usb-insert	TA0002 - TA0002	4 Rules 2 Models
McAfee Email Protection	dlp-alert dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed	TA0002 - TA0002	4 Rules 2 Models
McAfee Endpoint Security	dlp-alert dlp-email-alert-in-failed file-write local-logon network-alert process-alert security-alert usb-insert usb-write	T1003.002 - T1003.002 T1505.003 - Server Software Component: Web Shell T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	26 Rules 11 Models
McAfee Enterprise Security Manager	security-alert	TA0002 - TA0002	4 Rules 2 Models
McAfee NSM	app-login dlp-alert file-delete	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models
McAfee Network Security Platform (IPS)	dlp-alert	TA0002 - TA0002	4 Rules 2 Models
McAfee Solidifier	local-logon	T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	5 Rules 2 Models
McAfee Web Gateway	alert-iot web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	25 Rules 6 Models
Skyhigh Networks CASB	account-creation app-activity app-login dlp-alert failed-app-login security-alert	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models

Vendor: Microsoft

Product	Event Types	MITRE TTP	Content
365 Defender	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed security-alert	TA0002 - TA0002	4 Rules 2 Models
Advanced Threat Analytics (ATA)	process-created	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002	223 Rules 32 Models
Advanced Threat Protection	security-alert	TA0002 - TA0002	4 Rules 2 Models
AppLocker	security-alert	TA0002 - TA0002	4 Rules 2 Models
Azure	account-password-change account-password-reset app-activity app-activity-failed app-login authentication-failed authentication-successful cloud-admin-activity cloud-admin-activity-failed database-query dlp-email-alert-in-failed dns-response failed-app-login failed-logon failed-usb-activity file-delete file-download file-read file-write member-added member-removed network-connection-failed network-connection-successful privileged-access process-created remote-logon security-alert storage-activity storage-activity-failed usb-activity usb-insert	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1071 - Application Layer Protocol T1078 - Valid Accounts T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002 TA0011 - TA0011	237 Rules 33 Models
Azure AD Identity Protection	remote-access	T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	5 Rules 2 Models
Azure Active Directory	account-password-change account-unlocked app-activity app-activity-failed app-login dlp-email-alert-out failed-app-login member-added process-created security-alert usb-insert	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1078 - Valid Accounts T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002	226 Rules 33 Models
Azure Advanced Threat Protection	security-alert	TA0002 - TA0002	4 Rules 2 Models
Azure MFA	account-password-reset authentication-successful	T1078 - Valid Accounts	1 Rules
Azure Security Center	app-activity-failed dlp-email-alert-out-failed process-alert security-alert	TA0002 - TA0002	22 Rules 11 Models
Cloud App Security (MCAS)	account-password-change app-activity app-activity-failed app-login dlp-email-alert-in-failed failed-app-login file-delete file-download file-read file-upload file-write security-alert	T1003.002 - T1003.002 T1078 - Valid Accounts T1505.003 - Server Software Component: Web Shell TA0002 - TA0002	10 Rules 3 Models
Defender ATP	app-login batch-logon file-delete file-write local-logon member-removed network-alert process-alert process-created process-network process-network-failed remote-access remote-logon security-alert usb-write web-activity-denied	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1189 - Drive-by Compromise T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.001 - T1204.001 T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002 TA0010 - TA0010 TA0011 - TA0011	260 Rules 42 Models
Defender Antivirus	file-alert	TA0002 - TA0002	2 Rules 1 Models
DirectAccess	security-alert vpn-login	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models
Exchange	app-activity app-activity-failed app-login dlp-alert dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-app-login member-removed	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models
IIS	network-connection-failed web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0011 - TA0011	25 Rules 6 Models
Office 365	account-disabled app-activity app-activity-failed app-login dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-app-login failed-logon file-delete file-download file-permission-change file-read file-upload file-write ntlm-logon process-created remote-logon security-alert web-activity-denied	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1189 - Drive-by Compromise T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.001 - T1204.001 T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002	254 Rules 39 Models
OneDrive	app-activity file-read file-upload local-logon	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models
Routing and Remote Access Service	authentication-successful vpn-login	T1078 - Valid Accounts	1 Rules
SQL Server	database-access database-failed-login database-login database-query failed-app-login file-read web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	23 Rules 6 Models
Sysmon	app-activity dns-response file-delete process-created process-network web-activity-denied	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1189 - Drive-by Compromise T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.001 - T1204.001 T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002 TA0010 - TA0010 TA0011 - TA0011	256 Rules 39 Models
Web Application Proxy	failed-logon network-connection-failed web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1210 - Exploitation of Remote Services T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0011 - TA0011	26 Rules 6 Models
Web Application Proxy-TLS Gateway	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	25 Rules 6 Models
Windows	account-creation account-deleted account-disabled account-enabled account-lockout account-password-change account-password-reset account-switch account-unlocked app-activity app-login audit-log-clear audit-policy-change authentication-failed authentication-successful computer-logon database-query dcom-activation-failed dlp-alert dlp-email-alert-out-failed dns-query dns-response ds-access failed-app-login failed-logon failed-vpn-login file-close file-delete file-read file-write kerberos-logon local-logon logout-remote member-added member-removed nac-logon netflow-connection network-alert network-connection-successful privileged-access privileged-object-access process-created process-network process-network-failed remote-access remote-logon security-alert service-created service-logon share-access task-created usb-activity usb-write vpn-login vpn-logout web-activity-denied winsession-disconnect workstation-locked workstation-unlocked	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1189 - Drive-by Compromise T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.001 - T1204.001 T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1569 - System Services T1569.002 - T1569.002 T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 T1583.001 - T1583.001 TA0002 - TA0002 TA0010 - TA0010 TA0011 - TA0011	304 Rules 62 Models
Windows DNSServer	dns-query	T1071 - Application Layer Protocol T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1583.001 - T1583.001	3 Rules
Windows Defender	computer-logon file-alert process-created security-alert	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002	223 Rules 32 Models

Vendor: Mimecast

Product	Event Types	MITRE TTP	Content
Email Security	account-password-reset app-activity app-login dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-app-login network-alert process-alert web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	44 Rules 16 Models
Targeted Threat Protection - URL	physical-access web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	23 Rules 6 Models

Vendor: MobileIron

Product	Event Types	MITRE TTP	Content
MobileIron	security-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: Morphisec

Product	Event Types	MITRE TTP	Content
Morphisec EPTP	app-activity	T1078 - Valid Accounts	1 Rules

Vendor: N3K

Product	Event Types	MITRE TTP	Content
N3K	security-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: NCP

Product	Event Types	MITRE TTP	Content
NCP	authentication-successful vpn-login vpn-logout	T1078 - Valid Accounts	1 Rules

Vendor: NNT

Product	Event Types	MITRE TTP	Content
NNT ChangeTracker	security-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: Namespace rDirectory

Product	Event Types	MITRE TTP	Content
Namespace rDirectory	account-deleted account-disabled account-enabled account-password-change-failed app-login member-added security-alert	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models

Vendor: Nasuni

Product	Event Types	MITRE TTP	Content
Nasuni	authentication-failed file-delete file-write	T1003.002 - T1003.002 T1505.003 - Server Software Component: Web Shell TA0002 - TA0002	7 Rules 2 Models

Vendor: NetApp

Product	Event Types	MITRE TTP	Content
NetApp	app-activity file-delete file-read security-alert	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models

Vendor: NetDocs

Product	Event Types	MITRE TTP	Content
NetDocs	app-activity authentication-failed failed-app-login file-read file-write	T1003.002 - T1003.002 T1078 - Valid Accounts T1505.003 - Server Software Component: Web Shell TA0002 - TA0002	8 Rules 2 Models

Vendor: NetIQ

Product	Event Types	MITRE TTP	Content
NetIQ	app-login failed-physical-access	T1078 - Valid Accounts	1 Rules

Vendor: NetMotion Wireless

Product	Event Types	MITRE TTP	Content
NetMotion Wireless	nac-logon vpn-login	T1078 - Valid Accounts	1 Rules

Vendor: Netskope

Product	Event Types	MITRE TTP	Content
Netskope Security Cloud	app-activity app-login dlp-alert dlp-email-alert-in dlp-email-alert-out failed-app-login file-delete file-download file-permission-change file-read file-upload file-write network-connection-failed network-connection-successful process-created security-alert web-activity-allowed	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1189 - Drive-by Compromise T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.001 - T1204.001 T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002 TA0011 - TA0011	256 Rules 39 Models

Vendor: Netwrix

Product	Event Types	MITRE TTP	Content
Netwrix Auditor	account-disabled account-lockout account-password-reset account-unlocked app-activity app-login database-access database-failed-login dns-query ds-access file-write member-added member-removed nac-logon security-alert	T1003.002 - T1003.002 T1071 - Application Layer Protocol T1078 - Valid Accounts T1505.003 - Server Software Component: Web Shell T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1583.001 - T1583.001 TA0002 - TA0002	13 Rules 3 Models

Vendor: Nexthink

Product	Event Types	MITRE TTP	Content
Nexthink	task-created	T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1059.001 - Command and Scripting Interperter: PowerShell TA0002 - TA0002	13 Rules 9 Models

Vendor: Nokia VitalQIP

Product	Event Types	MITRE TTP	Content
Nokia VitalQIP	app-login computer-logon	T1078 - Valid Accounts	1 Rules

Vendor: Nortel Contivity

Product	Event Types	MITRE TTP	Content
Nortel Contivity VPN	computer-logon vpn-login	T1078 - Valid Accounts	1 Rules

Vendor: Novell

Product	Event Types	MITRE TTP	Content
eDirectory	account-disabled account-enabled account-password-change account-unlocked app-activity authentication-failed authentication-successful	T1078 - Valid Accounts	1 Rules

Vendor: ObserveIT

Product	Event Types	MITRE TTP	Content
ObserveIT	app-activity app-login dlp-alert failed-app-login member-added process-created remote-logon security-alert	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1078 - Valid Accounts T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002	225 Rules 32 Models

Vendor: Okta

Product	Event Types	MITRE TTP	Content
Okta Adaptive MFA	account-creation account-enabled account-lockout app-activity app-activity-failed app-login authentication-failed failed-app-login failed-logon nac-logon network-alert security-alert	T1078 - Valid Accounts T1210 - Exploitation of Remote Services TA0002 - TA0002	6 Rules 2 Models

Vendor: Onapsis

Product	Event Types	MITRE TTP	Content
Onapsis	app-login dns-query security-alert vpn-logout	T1071 - Application Layer Protocol T1078 - Valid Accounts T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1583.001 - T1583.001 TA0002 - TA0002	8 Rules 2 Models

Vendor: OneLogin

Product	Event Types	MITRE TTP	Content
OneLogin	app-login failed-app-login security-alert	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models

Vendor: OneSpan

Product	Event Types	MITRE TTP	Content
Digipass	account-password-reset app-login nac-logon	T1078 - Valid Accounts	1 Rules
OneSpan	authentication-successful	T1078 - Valid Accounts	1 Rules

Vendor: OpenDJ

Product	Event Types	MITRE TTP	Content
OpenDJ LDAP	authentication-failed network-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: Oracle

Product	Event Types	MITRE TTP	Content
Access Manager	app-activity app-login authentication-successful failed-app-login failed-physical-access physical-access	T1078 - Valid Accounts	1 Rules
Oracle Database	database-access database-failed-login database-login database-query database-update failed-physical-access local-logon	T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	5 Rules 2 Models
Solaris	computer-logon process-created	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002	223 Rules 32 Models

Vendor: Ordr

Product	Event Types	MITRE TTP	Content
Ordr SCE	file-write	T1003.002 - T1003.002 T1505.003 - Server Software Component: Web Shell TA0002 - TA0002	7 Rules 2 Models

Vendor: Osirium

Product	Event Types	MITRE TTP	Content
Osirium	app-activity	T1078 - Valid Accounts	1 Rules

Vendor: Palo Alto Networks

Product	Event Types	MITRE TTP	Content
Cortex XDR	app-login authentication-failed security-alert	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models
GlobalProtect	authentication-failed authentication-successful dlp-alert dns-query failed-vpn-login network-alert physical-access remote-logon security-alert vpn-login	T1071 - Application Layer Protocol T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1583.001 - T1583.001 TA0002 - TA0002	9 Rules 2 Models
Magnifier	remote-access	T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	5 Rules 2 Models
NGFW	account-password-change app-activity authentication-failed authentication-successful config-change dlp-email-alert-out file-alert local-logon network-connection-successful security-alert vpn-login web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002 TA0011 - TA0011	34 Rules 8 Models
Palo Alto Aperture	app-login dlp-email-alert-out file-delete file-read file-write network-alert security-alert	T1003.002 - T1003.002 T1078 - Valid Accounts T1505.003 - Server Software Component: Web Shell TA0002 - TA0002	10 Rules 3 Models
Prisma Cloud	app-login	T1078 - Valid Accounts	1 Rules
Traps	remote-logon	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models
WildFire	security-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: Password Manager Pro

Product	Event Types	MITRE TTP	Content
Password Manager Pro	account-switch failed-app-login	TA0002 - TA0002	4 Rules 2 Models

Vendor: Paxton

Product	Event Types	MITRE TTP	Content
NET2DOOR	netflow-connection physical-access	TA0011 - TA0011	3 Rules

Vendor: Phantom

Product	Event Types	MITRE TTP	Content
Phantom	security-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: Ping Identity

Product	Event Types	MITRE TTP	Content
Ping Identity	app-activity app-activity-failed app-login authentication-failed authentication-successful dlp-email-alert-in-failed failed-app-login service-logon	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models
PingID	account-password-change account-password-change-failed authentication-failed authentication-successful dlp-email-alert-in-failed	T1078 - Valid Accounts	1 Rules
PingOne	app-login dns-response network-alert service-logon	T1071 - Application Layer Protocol T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	8 Rules 2 Models

Vendor: Portnox

Product	Event Types	MITRE TTP	Content
Portnox CLEAR	nac-logon registry-write	T1574.010 - T1574.010 T1574.011 - T1574.011	2 Rules 1 Models

Vendor: PostScript

Product	Event Types	MITRE TTP	Content
PostScript	app-login	T1078 - Valid Accounts	1 Rules

Vendor: PostgreSQL

Product	Event Types	MITRE TTP	Content
PostgreSQL	database-access database-login database-query file-read security-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: PowerSentry

Product	Event Types	MITRE TTP	Content
PowerSentry	app-login failed-app-login network-connection-failed	T1078 - Valid Accounts TA0011 - TA0011	3 Rules

Vendor: Procad

Product	Event Types	MITRE TTP	Content
Pro.File DMS	security-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: Proofpoint

Product	Event Types	MITRE TTP	Content
ObserveIT	app-activity remote-logon	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models
Proofpoint CASB	dlp-alert network-alert	TA0002 - TA0002	4 Rules 2 Models
Proofpoint DLP	dlp-alert dlp-email-alert-in dlp-email-alert-out dlp-email-alert-out-failed	TA0002 - TA0002	4 Rules 2 Models
Proofpoint TAP/POD	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed security-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: Qualys

Product	Event Types	MITRE TTP	Content
Qualys	network-connection-failed	TA0011 - TA0011	2 Rules

Vendor: Quest Software

Product	Event Types	MITRE TTP	Content
Change Auditor	account-lockout account-unlocked ds-access failed-app-login file-delete file-write local-logon member-added member-removed nac-failed-logon physical-access remote-logon security-alert	T1003.002 - T1003.002 T1078 - Valid Accounts T1505.003 - Server Software Component: Web Shell T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	11 Rules 3 Models

Vendor: RS2

Product	Event Types	MITRE TTP	Content
RS2	app-login physical-access	T1078 - Valid Accounts	1 Rules

Vendor: RSA

Product	Event Types	MITRE TTP	Content
RSA	app-activity	T1078 - Valid Accounts	1 Rules
RSA DLP	dlp-alert	TA0002 - TA0002	4 Rules 2 Models
SecurID	authentication-successful dlp-email-alert-in task-created	T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1059.001 - Command and Scripting Interperter: PowerShell T1078 - Valid Accounts TA0002 - TA0002	14 Rules 9 Models

Vendor: Radius

Product	Event Types	MITRE TTP	Content
Radius	authentication-successful nac-logon vpn-login	T1078 - Valid Accounts	1 Rules

Vendor: RangerAudit

Product	Event Types	MITRE TTP	Content
RangerAudit	app-activity app-login database-activity-failed database-query dlp-alert file-read file-write	T1003.002 - T1003.002 T1078 - Valid Accounts T1505.003 - Server Software Component: Web Shell TA0002 - TA0002	10 Rules 3 Models

Vendor: Rapid7

Product	Event Types	MITRE TTP	Content
InsightVM	process-created	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002	223 Rules 32 Models
Nexpose	process-created	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002	223 Rules 32 Models

Vendor: Red Canary

Product	Event Types	MITRE TTP	Content
Red Canary	web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	23 Rules 6 Models

Vendor: Ricoh

Product	Event Types	MITRE TTP	Content
Ricoh	network-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: SAP

Product	Event Types	MITRE TTP	Content
SAP	account-creation account-deleted account-lockout account-unlocked app-login authentication-failed authentication-successful failed-app-login file-download remote-logon	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models

Vendor: SFTP

Product	Event Types	MITRE TTP	Content
SFTP	app-activity app-login file-delete file-download file-read file-upload file-write	T1003.002 - T1003.002 T1078 - Valid Accounts T1505.003 - Server Software Component: Web Shell TA0002 - TA0002	8 Rules 2 Models

Vendor: SIGSCI

Product	Event Types	MITRE TTP	Content
SIGSCI	file-download web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	23 Rules 6 Models

Vendor: SSL Open VPN

Product	Event Types	MITRE TTP	Content
SSL Open VPN	app-activity authentication-failed authentication-successful failed-app-login failed-vpn-login network-alert vpn-login vpn-logout	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models

Vendor: Safend

Product	Event Types	MITRE TTP	Content
Data Protection Suite (DPS)	dlp-email-alert-in usb-write	TA0002 - TA0002	4 Rules 2 Models

Vendor: Sailpoint

Product	Event Types	MITRE TTP	Content
FAM	account-lockout file-delete file-read file-write	T1003.002 - T1003.002 T1505.003 - Server Software Component: Web Shell TA0002 - TA0002	7 Rules 2 Models
IdentityNow	account-password-change account-password-change-failed app-activity app-login authentication-successful vpn-logout	T1078 - Valid Accounts	1 Rules
SecurityIQ	account-creation account-deleted account-lockout account-password-reset dlp-email-alert-in-failed file-delete file-download file-permission-change file-read file-upload file-write member-added member-removed	T1003.002 - T1003.002 T1505.003 - Server Software Component: Web Shell TA0002 - TA0002	7 Rules 2 Models

Vendor: Salesforce

Product	Event Types	MITRE TTP	Content
Salesforce	account-password-change app-activity app-login failed-app-login file-upload security-alert	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models

Vendor: Sangfor

Product	Event Types	MITRE TTP	Content
NGAF	network-alert web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	29 Rules 8 Models

Vendor: Seclore

Product	Event Types	MITRE TTP	Content
Seclore	file-read file-write share-access	T1003.002 - T1003.002 T1505.003 - Server Software Component: Web Shell T1569 - System Services T1569.002 - T1569.002 TA0002 - TA0002	9 Rules 2 Models

Vendor: Secure Computing

Product	Event Types	MITRE TTP	Content
Secure Computing SafeWord	remote-logon	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models

Vendor: Secure Envoy

Product	Event Types	MITRE TTP	Content
Secure Envoy	authentication-successful network-alert	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models

Vendor: SecureAuth

Product	Event Types	MITRE TTP	Content
SecureAuth Login	authentication-failed authentication-successful	T1078 - Valid Accounts	1 Rules

Vendor: SecureLink

Product	Event Types	MITRE TTP	Content
SecureLink	app-login file-download security-alert	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models

Vendor: SecureNet

Product	Event Types	MITRE TTP	Content
SecureNet	failed-app-login vpn-login	T1078 - Valid Accounts	1 Rules

Vendor: SecureWorks

Product	Event Types	MITRE TTP	Content
iSensor IPS	network-connection-failed	TA0011 - TA0011	2 Rules

Vendor: SecurityExpert

Product	Event Types	MITRE TTP	Content
SecurityExpert	network-connection-successful	TA0011 - TA0011	3 Rules

Vendor: SentinelOne

Product	Event Types	MITRE TTP	Content
Singularity	app-activity dns-query dns-response file-alert file-delete file-read file-write network-connection-failed network-connection-successful process-created security-alert web-activity-allowed web-activity-denied	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1189 - Drive-by Compromise T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.001 - T1204.001 T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 T1583.001 - T1583.001 TA0002 - TA0002 TA0011 - TA0011	263 Rules 39 Models

Vendor: ServiceNow

Product	Event Types	MITRE TTP	Content
ServiceNow	account-switch app-login file-delete file-download file-read file-upload security-alert storage-access	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models

Vendor: Shibboleth

Product	Event Types	MITRE TTP	Content
Shibboleth IdP	network-connection-successful	TA0011 - TA0011	3 Rules
Shibboleth SSO	app-login failed-app-login	T1078 - Valid Accounts	1 Rules

Vendor: Siemens

Product	Event Types	MITRE TTP	Content
Siemens	authentication-successful failed-physical-access physical-access	T1078 - Valid Accounts	1 Rules

Vendor: Silverfort

Product	Event Types	MITRE TTP	Content
Silverfort	app-login authentication-successful failed-app-login security-alert	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models

Vendor: SiteMinder

Product	Event Types	MITRE TTP	Content
SiteMinder	authentication-failed authentication-successful database-access	T1078 - Valid Accounts	1 Rules

Vendor: SkySea

Product	Event Types	MITRE TTP	Content
ClientView	app-activity app-login computer-logon dlp-email-alert-out dns-query file-delete file-read file-upload file-write security-alert usb-activity web-activity-allowed	T1003.002 - T1003.002 T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1505.003 - Server Software Component: Web Shell T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1583.001 - T1583.001 TA0002 - TA0002	36 Rules 9 Models

Vendor: Slack

Product	Event Types	MITRE TTP	Content
Slack	app-login failed-vpn-login file-download file-upload	T1078 - Valid Accounts	1 Rules

Vendor: Snort

Product	Event Types	MITRE TTP	Content
Snort	app-login security-alert	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models

Vendor: Sonicwall

Product	Event Types	MITRE TTP	Content
Sonicwall	failed-logon failed-vpn-login network-alert vpn-login vpn-logout web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1210 - Exploitation of Remote Services T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	29 Rules 8 Models

Vendor: Sophos

Product	Event Types	MITRE TTP	Content
Sophos Endpoint Protection	app-activity-failed dlp-alert failed-app-login network-connection-successful security-alert usb-insert usb-write web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002 TA0011 - TA0011	30 Rules 8 Models
Sophos Firewall	authentication-successful network-connection-successful	T1078 - Valid Accounts TA0011 - TA0011	4 Rules
Sophos SafeGuard	app-activity database-delete	T1078 - Valid Accounts	1 Rules
Sophos UTM	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	25 Rules 6 Models
Sophos XG Firewall	authentication-successful failed-vpn-login network-connection-failed network-connection-successful vpn-login web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0011 - TA0011	30 Rules 6 Models

Vendor: Specops

Product	Event Types	MITRE TTP	Content
Specops Password Reset	account-unlocked network-connection-successful	TA0011 - TA0011	3 Rules

Vendor: Splunk

Product	Event Types	MITRE TTP	Content
Splunk Stream	dlp-alert dns-response	T1071 - Application Layer Protocol T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	6 Rules 2 Models

Vendor: Squid

Product	Event Types	MITRE TTP	Content
Squid	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	25 Rules 6 Models

Vendor: StealthBits

Product	Event Types	MITRE TTP	Content
StealthIntercept	account-disabled account-enabled authentication-successful ds-access file-read file-write member-added member-removed network-connection-failed web-activity-allowed	T1003.002 - T1003.002 T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1505.003 - Server Software Component: Web Shell T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002 TA0011 - TA0011	33 Rules 8 Models

Vendor: Sun One

Product	Event Types	MITRE TTP	Content
LDAP	authentication-successful usb-activity	T1078 - Valid Accounts	1 Rules

Vendor: Suricata

Product	Event Types	MITRE TTP	Content
Suricata	app-login	T1078 - Valid Accounts	1 Rules
Suricata IDS	app-login	T1078 - Valid Accounts	1 Rules

Vendor: Swivel

Product	Event Types	MITRE TTP	Content
Swivel	app-login file-upload vpn-logout	T1078 - Valid Accounts	1 Rules

Vendor: Sybase

Product	Event Types	MITRE TTP	Content
Sybase	database-login dlp-email-alert-out security-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: Symantec

Product	Event Types	MITRE TTP	Content
Symantec Advanced Threat Protection	app-activity	T1078 - Valid Accounts	1 Rules
Symantec Blue Coat Content Analysis System	authentication-successful	T1078 - Valid Accounts	1 Rules
Symantec Blue Coat ProxySG Appliance	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	25 Rules 6 Models
Symantec Brightmail	dlp-alert dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out	TA0002 - TA0002	4 Rules 2 Models
Symantec CloudSOC	app-login dlp-alert failed-app-login file-delete file-download file-upload usb-insert	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models
Symantec Critical System Protection	account-switch config-change dlp-alert failed-logon local-logon member-added	T1210 - Exploitation of Remote Services T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models
Symantec DLP	dlp-alert dlp-email-alert-in dlp-email-alert-out dlp-email-alert-out-failed ds-access failed-logon security-alert usb-activity usb-read usb-write	T1210 - Exploitation of Remote Services TA0002 - TA0002	5 Rules 2 Models
Symantec EDR	failed-logon file-alert file-delete file-write remote-logon web-activity-denied	T1003.002 - T1003.002 T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1210 - Exploitation of Remote Services T1505.003 - Server Software Component: Web Shell T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	35 Rules 9 Models
Symantec Email Security.cloud	app-activity dlp-email-alert-in dlp-email-alert-out dlp-email-alert-out-failed process-created-failed security-alert	T1047 - Windows Management Instrumentation T1059.005 - T1059.005 T1059.007 - T1059.007 T1078 - Valid Accounts T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.010 - Signed Binary Proxy Execution: Regsvr32 TA0002 - TA0002	12 Rules 4 Models
Symantec Endpoint Protection	authentication-successful config-change failed-logon network-connection-failed network-connection-successful process-alert remote-logon security-alert	T1078 - Valid Accounts T1210 - Exploitation of Remote Services T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002 TA0011 - TA0011	29 Rules 11 Models
Symantec Endpoint Protection Mobile	app-login	T1078 - Valid Accounts	1 Rules
Symantec Fireglass	failed-physical-access web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	23 Rules 6 Models
Symantec Managed Security Services	network-alert	TA0002 - TA0002	4 Rules 2 Models
Symantec Secure Web Gateway	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	25 Rules 6 Models
Symantec VIP	app-activity authentication-failed authentication-successful dns-query	T1071 - Application Layer Protocol T1078 - Valid Accounts T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1583.001 - T1583.001	4 Rules
Symantec WSS	process-created web-activity-allowed	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1071.001 - Application Layer Protocol: Web Protocols T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1189 - Drive-by Compromise T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.001 - T1204.001 T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002	246 Rules 38 Models

Vendor: Tanium

Product	Event Types	MITRE TTP	Content
Endpoint Platform	authentication-failed authentication-successful file-write process-created security-alert	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1078 - Valid Accounts T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002	229 Rules 33 Models
Integrity Monitor	database-activity-failed file-write process-alert	T1003.002 - T1003.002 T1505.003 - Server Software Component: Web Shell TA0002 - TA0002	23 Rules 10 Models

Vendor: Tenable.io

Product	Event Types	MITRE TTP	Content
Tenable.io	network-connection-failed	TA0011 - TA0011	2 Rules

Vendor: Teradata

Product	Event Types	MITRE TTP	Content
Teradata RDBMS	database-login dlp-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: Thycotic Software

Product	Event Types	MITRE TTP	Content
Secret Server	account-switch app-login failed-app-login file-alert	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models

Vendor: TitanFTP

Product	Event Types	MITRE TTP	Content
TitanFTP	file-delete file-read web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	23 Rules 6 Models

Vendor: TrapX

Product	Event Types	MITRE TTP	Content
TrapX	remote-access	T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	5 Rules 2 Models

Vendor: Trend Micro

Product	Event Types	MITRE TTP	Content
Apex One	app-login dlp-email-alert-in dlp-email-alert-out dlp-email-alert-out-failed security-alert	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models
Cloud App Security	security-alert	TA0002 - TA0002	4 Rules 2 Models
Deep Discovery Email Inspector	dlp-alert	TA0002 - TA0002	4 Rules 2 Models
Deep Discovery Inspector	app-login security-alert	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models
Deep Security Agent	network-connection-successful privileged-object-access security-alert	TA0002 - TA0002 TA0011 - TA0011	7 Rules 2 Models
InterScan Web Security	account-password-change web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	23 Rules 6 Models
OfficeScan	account-password-change dlp-alert dlp-email-alert-out security-alert usb-insert usb-read web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	27 Rules 8 Models
ScanMail	network-alert	TA0002 - TA0002	4 Rules 2 Models
TippingPoint NGIPS	app-activity database-delete network-alert	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models
Trend Micro	network-alert network-connection-successful privileged-object-access	TA0002 - TA0002 TA0011 - TA0011	7 Rules 2 Models

Vendor: Tripwire Enterprise

Product	Event Types	MITRE TTP	Content
Tripwire Enterprise	app-activity	T1078 - Valid Accounts	1 Rules

Vendor: Tufin

Product	Event Types	MITRE TTP	Content
SecureTrack	app-activity	T1078 - Valid Accounts	1 Rules

Vendor: Tyco

Product	Event Types	MITRE TTP	Content
CCURE Building Management System	app-activity app-login dns-response failed-physical-access	T1071 - Application Layer Protocol T1078 - Valid Accounts T1568.002 - Dynamic Resolution: Domain Generation Algorithms	3 Rules

Vendor: USB

Product	Event Types	MITRE TTP	Content
USB	web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	23 Rules 6 Models

Vendor: Unix

Product	Event Types	MITRE TTP	Content
Auditbeat	app-activity app-login process-created-failed process-network remote-logon web-activity-denied	T1047 - Windows Management Instrumentation T1059.005 - T1059.005 T1059.007 - T1059.007 T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1189 - Drive-by Compromise T1204.001 - T1204.001 T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002 TA0010 - TA0010 TA0011 - TA0011	54 Rules 15 Models
Unix	account-creation account-deleted account-password-reset authentication-failed authentication-successful batch-logon config-change database-access database-query dlp-alert dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-app-login failed-logon file-permission-change file-read kerberos-logon local-logon member-added member-removed netflow-connection network-alert process-created process-created-failed remote-logon security-alert	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1078 - Valid Accounts T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002 TA0011 - TA0011	229 Rules 32 Models
Unix Auditd	account-creation account-deleted app-activity authentication-failed authentication-successful config-change database-login dlp-alert failed-logon local-logon member-added member-removed process-created process-created-failed remote-logon	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1078 - Valid Accounts T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002	226 Rules 32 Models
Unix Privilege Management	dlp-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: VMS Software

Product	Event Types	MITRE TTP	Content
OpenVMS	app-activity-failed batch-logon failed-logon file-delete file-read	T1210 - Exploitation of Remote Services T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models

Vendor: VMware

Product	Event Types	MITRE TTP	Content
App Control	app-activity batch-logon dlp-email-alert-out-failed failed-physical-access file-alert file-delete file-write local-logon netflow-connection process-alert process-created security-alert usb-write workstation-locked workstation-unlocked	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1078 - Valid Accounts T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002 TA0011 - TA0011	233 Rules 35 Models
Carbon Black Cloud Endpoint Standard	app-login config-change failed-app-login file-write network-connection-failed network-connection-successful process-created process-created-failed security-alert usb-write	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1078 - Valid Accounts T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002 TA0011 - TA0011	233 Rules 33 Models
Endpoint Detection and Response	config-change file-read file-write process-created web-activity-denied	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1071.001 - Application Layer Protocol: Web Protocols T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1189 - Drive-by Compromise T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.001 - T1204.001 T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002	249 Rules 38 Models
NSX FW	network-connection-successful web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0011 - TA0011	26 Rules 6 Models
VMWare ID Manager (VIDM)	app-activity app-login remote-logon security-alert	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models
VMware ESXi	computer-logon remote-logon	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models
VMware Horizon	authentication-failed authentication-successful	T1078 - Valid Accounts	1 Rules
VMware NSX	app-activity-failed network-connection-successful	TA0011 - TA0011	3 Rules
VMware VCenter	account-password-change app-activity-failed ds-access remote-logon	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models
VMware View	account-password-change app-login authentication-failed failed-app-login remote-logon	T1078 - Valid Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models

Vendor: Varonis

Product	Event Types	MITRE TTP	Content
Data Security Platform	file-delete file-permission-change file-read file-write network-alert	T1003.002 - T1003.002 T1505.003 - Server Software Component: Web Shell TA0002 - TA0002	9 Rules 3 Models

Vendor: Vectra

Product	Event Types	MITRE TTP	Content
Vectra Cognito Detect	network-connection-failed security-alert	TA0002 - TA0002 TA0011 - TA0011	6 Rules 2 Models

Vendor: Vormetric

Product	Event Types	MITRE TTP	Content
Vormetric	account-switch file-read	TA0002 - TA0002	4 Rules 2 Models

Vendor: Watchguard

Product	Event Types	MITRE TTP	Content
Watchguard	app-activity-failed network-alert network-connection-successful web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002 TA0011 - TA0011	30 Rules 8 Models

Vendor: Weblogin

Product	Event Types	MITRE TTP	Content
Weblogin	security-alert	TA0002 - TA0002	4 Rules 2 Models

Vendor: Workday

Product	Event Types	MITRE TTP	Content
Workday	account-password-change app-login failed-app-login file-write	T1003.002 - T1003.002 T1078 - Valid Accounts T1505.003 - Server Software Component: Web Shell TA0002 - TA0002	8 Rules 2 Models

Vendor: XPS

Product	Event Types	MITRE TTP	Content
XPS	app-login	T1078 - Valid Accounts	1 Rules

Vendor: Xceedium

Product	Event Types	MITRE TTP	Content
Xceedium	app-activity app-login	T1078 - Valid Accounts	1 Rules

Vendor: Xerox

Product	Event Types	MITRE TTP	Content
Xerox	app-activity	T1078 - Valid Accounts	1 Rules

Vendor: Zeek

Product	Event Types	MITRE TTP	Content
Zeek Network Security Monitor	app-activity app-login authentication-failed authentication-successful computer-logon dlp-alert dlp-email-alert-in dns-query dns-response failed-logon file-delete file-read file-write kerberos-logon nac-failed-logon nac-logon network-alert network-connection-successful ntlm-logon remote-logon share-access web-activity-allowed web-activity-denied	T1003.002 - T1003.002 T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1210 - Exploitation of Remote Services T1505.003 - Server Software Component: Web Shell T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms T1569 - System Services T1569.002 - T1569.002 T1583.001 - T1583.001 TA0002 - TA0002 TA0011 - TA0011	47 Rules 9 Models

Vendor: Zlock

Product	Event Types	MITRE TTP	Content
Zlock	app-activity	T1078 - Valid Accounts	1 Rules

Vendor: Zscaler

Product	Event Types	MITRE TTP	Content
Zscaler Internet Access	database-update dlp-alert image-loaded network-connection-failed network-connection-successful web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1072 - Software Deployment Tools T1189 - Drive-by Compromise T1204.001 - T1204.001 T1546.003 - T1546.003 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002 TA0011 - TA0011	36 Rules 8 Models
Zscaler Private Access	process-created vpn-login	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1012 - Query Registry T1021.002 - Remote Services: SMB/Windows Admin Shares T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.004 - T1036.004 T1047 - Windows Management Instrumentation T1053 - Scheduled Task/Job T1053.005 - Scheduled Task/Job: Scheduled Task T1055 - Process Injection T1055.001 - Process Injection: Dynamic-link Library Injection T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1059.005 - T1059.005 T1059.007 - T1059.007 T1078 - Valid Accounts T1083 - File and Directory Discovery T1105 - Ingress Tool Transfer T1112 - Modify Registry T1113 - Screen Capture T1123 - Audio Capture T1127 - Trusted Developer Utilities Proxy Execution T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1134.001 - Access Token Manipulation: Token Impersonation/Theft T1134.002 - T1134.002 T1135 - Network Share Discovery T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1204.002 - T1204.002 T1210 - Exploitation of Remote Services T1218 - Signed Binary Proxy Execution T1218.001 - Signed Binary Proxy Execution: Compiled HTML File T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.005 - T1218.005 T1218.007 - Signed Binary Proxy Execution: Msiexec T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1482 - Domain Trust Discovery T1490 - Inhibit System Recovery T1505.003 - Server Software Component: Web Shell T1543.003 - Create or Modify System Process: Windows Service T1546.001 - T1546.001 T1546.003 - T1546.003 T1546.011 - T1546.011 T1547.001 - T1547.001 T1547.002 - T1547.002 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1562 - Impair Defenses T1563.002 - T1563.002 T1569 - System Services T1574 - Hijack Execution Flow T1574.002 - Hijack Execution Flow: DLL Side-Loading T1574.010 - T1574.010 T1574.011 - T1574.011 TA0002 - TA0002	224 Rules 32 Models

Vendor: eDocs

Product	Event Types	MITRE TTP	Content
eDocs	web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	23 Rules 6 Models

Vendor: iBoss

Product	Event Types	MITRE TTP	Content
Secure Web Gateway	account-deleted web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	23 Rules 6 Models

Vendor: iManage

Product	Event Types	MITRE TTP	Content
iManage	app-activity authentication-failed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	24 Rules 6 Models

Vendor: jSONAR

Product	Event Types	MITRE TTP	Content
SonarG	local-logon	T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	5 Rules 2 Models

Vendor: oVirt

Product	Event Types	MITRE TTP	Content
oVirt	app-activity app-login failed-app-login security-alert	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models

Vendor: xsuite

Product	Event Types	MITRE TTP	Content
xsuite	web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	23 Rules 6 Models