2_ds_accellion_kiteworks.md

June 14, 2023 · View on GitHub

Use-Case	Event Types/Parsers	MITRE ATT&CK® TTP	Content
Compromised Credentials	app-activity ↳accelion-kite-app-activity-5 ↳q-kiteworks-app-activity ↳accelion-kite-app-activity-2 ↳accelion-kite-app-activity-4 ↳accelion-kite-app-activity-3 ↳accelion-kite-app-delete-draft ↳accelion-kite-app-setting ↳accelion-kite-app-user-delete ↳q-kiteworks-app-activity-4 ↳q-kiteworks-app-activity-5 ↳accelion-kite-app-network-setting ↳accelion-kite-app-file-withdraw ↳q-kiteworks-app-activity-1 ↳q-kiteworks-app-activity-2 ↳q-kiteworks-app-activity-3 ↳accelion-kite-app-system ↳accelion-kite-app-3 app-login ↳accelion-kite-app-login-1 ↳q-kiteworks-app-login-1 ↳accelion-kite-app-admin-login ↳q-kiteworks-app-login failed-app-login ↳accelion-kite-failed-app-login ↳kiteworks-failed-app-login-1 file-delete ↳q-kiteworks-file-delete ↳accelion-kite-app-file-delete ↳accelion-kite-app-file-delete-1 file-permission-change ↳q-kiteworks-file-permission-change file-read ↳accelion-kite-app-activity-6 ↳q-kiteworks-file-read ↳q-kiteworks-file-read-1 file-write ↳q-kiteworks-file-write	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application	76 Rules 38 Models
Data Access	app-activity ↳accelion-kite-app-activity-5 ↳q-kiteworks-app-activity ↳accelion-kite-app-activity-2 ↳accelion-kite-app-activity-4 ↳accelion-kite-app-activity-3 ↳accelion-kite-app-delete-draft ↳accelion-kite-app-setting ↳accelion-kite-app-user-delete ↳q-kiteworks-app-activity-4 ↳q-kiteworks-app-activity-5 ↳accelion-kite-app-network-setting ↳accelion-kite-app-file-withdraw ↳q-kiteworks-app-activity-1 ↳q-kiteworks-app-activity-2 ↳q-kiteworks-app-activity-3 ↳accelion-kite-app-system ↳accelion-kite-app-3 app-login ↳accelion-kite-app-login-1 ↳q-kiteworks-app-login-1 ↳accelion-kite-app-admin-login ↳q-kiteworks-app-login failed-app-login ↳accelion-kite-failed-app-login ↳kiteworks-failed-app-login-1 file-delete ↳q-kiteworks-file-delete ↳accelion-kite-app-file-delete ↳accelion-kite-app-file-delete-1 file-permission-change ↳q-kiteworks-file-permission-change file-read ↳accelion-kite-app-activity-6 ↳q-kiteworks-file-read ↳q-kiteworks-file-read-1 file-write ↳q-kiteworks-file-write	T1078 - Valid Accounts T1083 - File and Directory Discovery	44 Rules 24 Models
Data Leak	app-activity ↳accelion-kite-app-activity-5 ↳q-kiteworks-app-activity ↳accelion-kite-app-activity-2 ↳accelion-kite-app-activity-4 ↳accelion-kite-app-activity-3 ↳accelion-kite-app-delete-draft ↳accelion-kite-app-setting ↳accelion-kite-app-user-delete ↳q-kiteworks-app-activity-4 ↳q-kiteworks-app-activity-5 ↳accelion-kite-app-network-setting ↳accelion-kite-app-file-withdraw ↳q-kiteworks-app-activity-1 ↳q-kiteworks-app-activity-2 ↳q-kiteworks-app-activity-3 ↳accelion-kite-app-system ↳accelion-kite-app-3 dlp-alert ↳accelion-dlp-alert dlp-email-alert-out ↳q-kiteworks-email-out ↳accelion-kite-app-activity-email-alert ↳q-kiteworks-email-out-1 file-write ↳q-kiteworks-file-write	T1020 - Automated Exfiltration T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1071 - Application Layer Protocol T1114.001 - T1114.001 T1114.003 - Email Collection: Email Forwarding Rule TA0010 - TA0010	65 Rules 33 Models
Lateral Movement	app-activity ↳accelion-kite-app-activity-5 ↳q-kiteworks-app-activity ↳accelion-kite-app-activity-2 ↳accelion-kite-app-activity-4 ↳accelion-kite-app-activity-3 ↳accelion-kite-app-delete-draft ↳accelion-kite-app-setting ↳accelion-kite-app-user-delete ↳q-kiteworks-app-activity-4 ↳q-kiteworks-app-activity-5 ↳accelion-kite-app-network-setting ↳accelion-kite-app-file-withdraw ↳q-kiteworks-app-activity-1 ↳q-kiteworks-app-activity-2 ↳q-kiteworks-app-activity-3 ↳accelion-kite-app-system ↳accelion-kite-app-3 app-login ↳accelion-kite-app-login-1 ↳q-kiteworks-app-login-1 ↳accelion-kite-app-admin-login ↳q-kiteworks-app-login failed-app-login ↳accelion-kite-failed-app-login ↳kiteworks-failed-app-login-1	T1078 - Valid Accounts T1090.003 - Proxy: Multi-hop Proxy	2 Rules
Malware	app-activity ↳accelion-kite-app-activity-5 ↳q-kiteworks-app-activity ↳accelion-kite-app-activity-2 ↳accelion-kite-app-activity-4 ↳accelion-kite-app-activity-3 ↳accelion-kite-app-delete-draft ↳accelion-kite-app-setting ↳accelion-kite-app-user-delete ↳q-kiteworks-app-activity-4 ↳q-kiteworks-app-activity-5 ↳accelion-kite-app-network-setting ↳accelion-kite-app-file-withdraw ↳q-kiteworks-app-activity-1 ↳q-kiteworks-app-activity-2 ↳q-kiteworks-app-activity-3 ↳accelion-kite-app-system ↳accelion-kite-app-3 app-login ↳accelion-kite-app-login-1 ↳q-kiteworks-app-login-1 ↳accelion-kite-app-admin-login ↳q-kiteworks-app-login dlp-alert ↳accelion-dlp-alert dlp-email-alert-out ↳q-kiteworks-email-out ↳accelion-kite-app-activity-email-alert ↳q-kiteworks-email-out-1 file-write ↳q-kiteworks-file-write	T1003.002 - T1003.002 T1078 - Valid Accounts T1190 - Exploit Public Fasing Application T1505.003 - Server Software Component: Web Shell T1547.001 - T1547.001 TA0002 - TA0002	15 Rules 5 Models
Privilege Abuse	account-password-change ↳accelion-kite-app-password-change ↳q-kiteworks-password-change ↳kiteworks-password-change-1 account-password-reset ↳accelion-kite-app-reset-password app-activity ↳accelion-kite-app-activity-5 ↳q-kiteworks-app-activity ↳accelion-kite-app-activity-2 ↳accelion-kite-app-activity-4 ↳accelion-kite-app-activity-3 ↳accelion-kite-app-delete-draft ↳accelion-kite-app-setting ↳accelion-kite-app-user-delete ↳q-kiteworks-app-activity-4 ↳q-kiteworks-app-activity-5 ↳accelion-kite-app-network-setting ↳accelion-kite-app-file-withdraw ↳q-kiteworks-app-activity-1 ↳q-kiteworks-app-activity-2 ↳q-kiteworks-app-activity-3 ↳accelion-kite-app-system ↳accelion-kite-app-3 app-login ↳accelion-kite-app-login-1 ↳q-kiteworks-app-login-1 ↳accelion-kite-app-admin-login ↳q-kiteworks-app-login dlp-email-alert-out ↳q-kiteworks-email-out ↳accelion-kite-app-activity-email-alert ↳q-kiteworks-email-out-1 failed-app-login ↳accelion-kite-failed-app-login ↳kiteworks-failed-app-login-1 file-delete ↳q-kiteworks-file-delete ↳accelion-kite-app-file-delete ↳accelion-kite-app-file-delete-1 file-download ↳q-kiteworks-file-download-2 ↳q-kiteworks-file-download-1 ↳accelion-kite-app-download-1 ↳q-kiteworks-file-download ↳accelion-kite-app-download file-permission-change ↳q-kiteworks-file-permission-change file-read ↳accelion-kite-app-activity-6 ↳q-kiteworks-file-read ↳q-kiteworks-file-read-1 file-upload ↳q-kiteworks-file-upload ↳q-kiteworks-file-upload-1 ↳accelion-kite-app-3 file-write ↳q-kiteworks-file-write	T1078 - Valid Accounts T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	8 Rules 2 Models
Privilege Escalation	app-activity ↳accelion-kite-app-activity-5 ↳q-kiteworks-app-activity ↳accelion-kite-app-activity-2 ↳accelion-kite-app-activity-4 ↳accelion-kite-app-activity-3 ↳accelion-kite-app-delete-draft ↳accelion-kite-app-setting ↳accelion-kite-app-user-delete ↳q-kiteworks-app-activity-4 ↳q-kiteworks-app-activity-5 ↳accelion-kite-app-network-setting ↳accelion-kite-app-file-withdraw ↳q-kiteworks-app-activity-1 ↳q-kiteworks-app-activity-2 ↳q-kiteworks-app-activity-3 ↳accelion-kite-app-system ↳accelion-kite-app-3	T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	3 Rules 1 Models
Privileged Activity	app-activity ↳accelion-kite-app-activity-5 ↳q-kiteworks-app-activity ↳accelion-kite-app-activity-2 ↳accelion-kite-app-activity-4 ↳accelion-kite-app-activity-3 ↳accelion-kite-app-delete-draft ↳accelion-kite-app-setting ↳accelion-kite-app-user-delete ↳q-kiteworks-app-activity-4 ↳q-kiteworks-app-activity-5 ↳accelion-kite-app-network-setting ↳accelion-kite-app-file-withdraw ↳q-kiteworks-app-activity-1 ↳q-kiteworks-app-activity-2 ↳q-kiteworks-app-activity-3 ↳accelion-kite-app-system ↳accelion-kite-app-3 app-login ↳accelion-kite-app-login-1 ↳q-kiteworks-app-login-1 ↳accelion-kite-app-admin-login ↳q-kiteworks-app-login dlp-email-alert-out ↳q-kiteworks-email-out ↳accelion-kite-app-activity-email-alert ↳q-kiteworks-email-out-1 failed-app-login ↳accelion-kite-failed-app-login ↳kiteworks-failed-app-login-1 file-delete ↳q-kiteworks-file-delete ↳accelion-kite-app-file-delete ↳accelion-kite-app-file-delete-1 file-download ↳q-kiteworks-file-download-2 ↳q-kiteworks-file-download-1 ↳accelion-kite-app-download-1 ↳q-kiteworks-file-download ↳accelion-kite-app-download file-permission-change ↳q-kiteworks-file-permission-change file-read ↳accelion-kite-app-activity-6 ↳q-kiteworks-file-read ↳q-kiteworks-file-read-1 file-upload ↳q-kiteworks-file-upload ↳q-kiteworks-file-upload-1 ↳accelion-kite-app-3 file-write ↳q-kiteworks-file-write	T1078 - Valid Accounts	3 Rules 1 Models
Ransomware	app-activity ↳accelion-kite-app-activity-5 ↳q-kiteworks-app-activity ↳accelion-kite-app-activity-2 ↳accelion-kite-app-activity-4 ↳accelion-kite-app-activity-3 ↳accelion-kite-app-delete-draft ↳accelion-kite-app-setting ↳accelion-kite-app-user-delete ↳q-kiteworks-app-activity-4 ↳q-kiteworks-app-activity-5 ↳accelion-kite-app-network-setting ↳accelion-kite-app-file-withdraw ↳q-kiteworks-app-activity-1 ↳q-kiteworks-app-activity-2 ↳q-kiteworks-app-activity-3 ↳accelion-kite-app-system ↳accelion-kite-app-3 app-login ↳accelion-kite-app-login-1 ↳q-kiteworks-app-login-1 ↳accelion-kite-app-admin-login ↳q-kiteworks-app-login failed-app-login ↳accelion-kite-failed-app-login ↳kiteworks-failed-app-login-1 file-write ↳q-kiteworks-file-write	T1078 - Valid Accounts T1486 - Data Encrypted for Impact	3 Rules