Vendor: Apple

June 14, 2023 · View on GitHub

Product: macOS

Use-Case: Privileged Activity

RulesModelsMITRE ATT&CK® TTPsEvent TypesParsers
115211
Event TypeRulesModels
local-logonT1078 - Valid Accounts
AL-F-F-CS: First logon to a critical system for user
AL-F-A-CS: Abnormal logon to a critical system for user
AL-UH-CS-NC: Logon to a critical system for a user with no information
AL-OU-F-CS: First logon to a critical system that user has not previously accessed
AL-HT-PRIV: Non-Privileged logon to privileged asset
AL-HT-EXEC-new: New user logon to executive asset

T1078.002 - T1078.002
AL-F-F-DC-G: First logon to a Domain Controller for peer group
AL-F-A-DC-G: Abnormal logon to a Domain Controller for Peer Group
AL-UH-F-DC: First logon to this Domain Controller for user
AL-UH-A-DC: Abnormal logon to a Domain Controller that user has not accessed often previously
AL-UH-DC-NC: Logon to a Domain Controller for user with no information		AL-HT-EXEC: Executive Assets
AL-HT-PRIV: Privilege Users Assets
RA-UH: Assets accessed by this user remotely
AL-UH-DC: Logons to Domain Controllers
AL-OU-CS: Logon to critical servers