Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
---|---|---|---|---|
158 | 70 | 23 | 7 | 3 |
Use-Case | Activity Types (Legacy Event Type)/Parsers | MITRE ATT&CK® TTP | Content |
---|---|---|---|
Abnormal Authentication & Access | app-login:success (app-login)<br>↳bitglass-casb-mix-app-login-success-allowlogin<br>↳bitglass-casb-sk4-app-login-success-loginsuccess<br>app-login:fail (failed-app-login)<br>↳bitglass-casb-mix-app-login-fail-loginfailure<br>↳bitglass-casb-kv-app-login-fail-login | T1078 - Valid Accounts<br>T1133 - External Remote Services | |
Compromised Credentials | app-login:success (app-login)<br>↳bitglass-casb-mix-app-login-success-allowlogin<br>↳bitglass-casb-sk4-app-login-success-loginsuccess<br>app-login:fail (failed-app-login)<br>↳bitglass-casb-mix-app-login-fail-loginfailure<br>↳bitglass-casb-kv-app-login-fail-login<br>file-read:success (file-read)<br>↳bitglass-casb-json-file-read-success-download<br>file-write:success (file-write)<br>↳bitglass-casb-json-file-write-success-uploaded | T1003 - OS Credential Dumping<br>T1003.001 - T1003.001<br>T1003.002 - T1003.002<br>T1003.003 - T1003.003<br>T1078 - Valid Accounts<br>T1083 - File and Directory Discovery<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | |
Data Exfiltration | alert-trigger:success (dlp-alert)<br>↳bitglass-casb-cef-alert-trigger-success-filelink<br>file-write:success (file-write)<br>↳bitglass-casb-json-file-write-success-uploaded | T1020 - Automated Exfiltration<br>T1071 - Application Layer Protocol<br>TA0002 - TA0002<br>TA0010 - TA0010 | |
Data Leak | alert-trigger:success (dlp-alert)<br>↳bitglass-casb-cef-alert-trigger-success-filelink<br>email-send:success (dlp-email-alert-out)<br>↳bitglass-casb-json-email-send-success-emailsend<br>file-write:success (file-write)<br>↳bitglass-casb-json-file-write-success-uploaded | T1020 - Automated Exfiltration<br>T1048 - Exfiltration Over Alternative Protocol<br>T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol<br>T1071 - Application Layer Protocol<br>T1114 - Email Collection<br>T1114.001 - T1114.001<br>TA0010 - TA0010 | |
Lateral Movement | app-login:success (app-login)<br>↳bitglass-casb-mix-app-login-success-allowlogin<br>↳bitglass-casb-sk4-app-login-success-loginsuccess<br>app-login:fail (failed-app-login)<br>↳bitglass-casb-mix-app-login-fail-loginfailure<br>↳bitglass-casb-kv-app-login-fail-login | T1078 - Valid Accounts<br>T1090 - Proxy<br>T1090.003 - Proxy: Multi-hop Proxy | |
Phishing | email-send:success (dlp-email-alert-out)<br>↳bitglass-casb-json-email-send-success-emailsend | T1048 - Exfiltration Over Alternative Protocol<br>T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | |
Workforce Protection | email-send:success (dlp-email-alert-out)<br>↳bitglass-casb-json-email-send-success-emailsend | T1048 - Exfiltration Over Alternative Protocol<br>T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | |
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|
External Remote Services<br>Valid Accounts<br>Exploit Public-Facing Application | | External Remote Services<br>Valid Accounts<br>Server Software Component: Web Shell<br>Server Software Component<br>Boot or Logon Autostart Execution | Valid Accounts<br>Boot or Logon Autostart Execution | Valid Accounts | OS Credential Dumping | File and Directory Discovery | | Email Collection | Proxy: Multi-hop Proxy<br>Application Layer Protocol<br>Proxy | Exfiltration Over Alternative Protocol<br>Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol<br>Automated Exfiltration | Data Encrypted for Impact |