2_ds_beyondtrust_beyondinsight.md

June 14, 2023 · View on GitHub

Use-Case	Event Types/Parsers	MITRE ATT&CK® TTP	Content
Compromised Credentials	app-activity ↳beyond-activity-deny ↳beyond-activity-update ↳beyondtrust-app-activity-7 ↳beyond-activity-expire ↳beyondtrust-app-activity-6 ↳beyondtrust-app-activity-8 ↳beyond-activity-cancel ↳beyond-activity-approve ↳leef-beyondtrust-app-activity-2 ↳leef-beyondtrust-app-activity-1 ↳leef-beyondtrust-app-activity-6 ↳leef-beyondtrust-app-activity ↳leef-beyondtrust-app-activity-5 ↳leef-beyondtrust-app-activity-4 ↳cef-beyondtrust-app-activity-1 ↳leef-beyondtrust-app-activity-3 ↳cef-beyondtrust-app-activity-2 ↳leef-beyondtrust-app-activity-9 ↳cef-beyondtrust-app-activity ↳leef-beyondtrust-app-activity-8 ↳leef-beyondtrust-app-activity-7 ↳leef-beyondtrust-app-activity-10 app-login ↳leef-beyondtrust-app-login-1 ↳leef-beyondtrust-app-login ↳cef-beyondtrust-app-login failed-app-login ↳leef-beyondtrust-failed-logon ↳leef-beyondtrust-failed-app-login ↳leef-beyondtrust-failed-logon-1	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models
Data Access	app-activity ↳beyond-activity-deny ↳beyond-activity-update ↳beyondtrust-app-activity-7 ↳beyond-activity-expire ↳beyondtrust-app-activity-6 ↳beyondtrust-app-activity-8 ↳beyond-activity-cancel ↳beyond-activity-approve ↳leef-beyondtrust-app-activity-2 ↳leef-beyondtrust-app-activity-1 ↳leef-beyondtrust-app-activity-6 ↳leef-beyondtrust-app-activity ↳leef-beyondtrust-app-activity-5 ↳leef-beyondtrust-app-activity-4 ↳cef-beyondtrust-app-activity-1 ↳leef-beyondtrust-app-activity-3 ↳cef-beyondtrust-app-activity-2 ↳leef-beyondtrust-app-activity-9 ↳cef-beyondtrust-app-activity ↳leef-beyondtrust-app-activity-8 ↳leef-beyondtrust-app-activity-7 ↳leef-beyondtrust-app-activity-10 app-login ↳leef-beyondtrust-app-login-1 ↳leef-beyondtrust-app-login ↳cef-beyondtrust-app-login failed-app-login ↳leef-beyondtrust-failed-logon ↳leef-beyondtrust-failed-app-login ↳leef-beyondtrust-failed-logon-1	T1078 - Valid Accounts	20 Rules 11 Models
Data Leak	app-activity ↳beyond-activity-deny ↳beyond-activity-update ↳beyondtrust-app-activity-7 ↳beyond-activity-expire ↳beyondtrust-app-activity-6 ↳beyondtrust-app-activity-8 ↳beyond-activity-cancel ↳beyond-activity-approve ↳leef-beyondtrust-app-activity-2 ↳leef-beyondtrust-app-activity-1 ↳leef-beyondtrust-app-activity-6 ↳leef-beyondtrust-app-activity ↳leef-beyondtrust-app-activity-5 ↳leef-beyondtrust-app-activity-4 ↳cef-beyondtrust-app-activity-1 ↳leef-beyondtrust-app-activity-3 ↳cef-beyondtrust-app-activity-2 ↳leef-beyondtrust-app-activity-9 ↳cef-beyondtrust-app-activity ↳leef-beyondtrust-app-activity-8 ↳leef-beyondtrust-app-activity-7 ↳leef-beyondtrust-app-activity-10	T1114.003 - Email Collection: Email Forwarding Rule	3 Rules
Lateral Movement	app-activity ↳beyond-activity-deny ↳beyond-activity-update ↳beyondtrust-app-activity-7 ↳beyond-activity-expire ↳beyondtrust-app-activity-6 ↳beyondtrust-app-activity-8 ↳beyond-activity-cancel ↳beyond-activity-approve ↳leef-beyondtrust-app-activity-2 ↳leef-beyondtrust-app-activity-1 ↳leef-beyondtrust-app-activity-6 ↳leef-beyondtrust-app-activity ↳leef-beyondtrust-app-activity-5 ↳leef-beyondtrust-app-activity-4 ↳cef-beyondtrust-app-activity-1 ↳leef-beyondtrust-app-activity-3 ↳cef-beyondtrust-app-activity-2 ↳leef-beyondtrust-app-activity-9 ↳cef-beyondtrust-app-activity ↳leef-beyondtrust-app-activity-8 ↳leef-beyondtrust-app-activity-7 ↳leef-beyondtrust-app-activity-10 app-login ↳leef-beyondtrust-app-login-1 ↳leef-beyondtrust-app-login ↳cef-beyondtrust-app-login failed-app-login ↳leef-beyondtrust-failed-logon ↳leef-beyondtrust-failed-app-login ↳leef-beyondtrust-failed-logon-1	T1078 - Valid Accounts T1090.003 - Proxy: Multi-hop Proxy	2 Rules
Malware	account-switch ↳beyond-account-retrieve app-activity ↳beyond-activity-deny ↳beyond-activity-update ↳beyondtrust-app-activity-7 ↳beyond-activity-expire ↳beyondtrust-app-activity-6 ↳beyondtrust-app-activity-8 ↳beyond-activity-cancel ↳beyond-activity-approve ↳leef-beyondtrust-app-activity-2 ↳leef-beyondtrust-app-activity-1 ↳leef-beyondtrust-app-activity-6 ↳leef-beyondtrust-app-activity ↳leef-beyondtrust-app-activity-5 ↳leef-beyondtrust-app-activity-4 ↳cef-beyondtrust-app-activity-1 ↳leef-beyondtrust-app-activity-3 ↳cef-beyondtrust-app-activity-2 ↳leef-beyondtrust-app-activity-9 ↳cef-beyondtrust-app-activity ↳leef-beyondtrust-app-activity-8 ↳leef-beyondtrust-app-activity-7 ↳leef-beyondtrust-app-activity-10 app-login ↳leef-beyondtrust-app-login-1 ↳leef-beyondtrust-app-login ↳cef-beyondtrust-app-login privileged-access ↳beyond-account-retrieve	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models
Privilege Abuse	account-creation ↳beyond-account-add ↳beyondtrust-account-add account-deleted ↳beyond-account-delete account-switch ↳beyond-account-retrieve app-activity ↳beyond-activity-deny ↳beyond-activity-update ↳beyondtrust-app-activity-7 ↳beyond-activity-expire ↳beyondtrust-app-activity-6 ↳beyondtrust-app-activity-8 ↳beyond-activity-cancel ↳beyond-activity-approve ↳leef-beyondtrust-app-activity-2 ↳leef-beyondtrust-app-activity-1 ↳leef-beyondtrust-app-activity-6 ↳leef-beyondtrust-app-activity ↳leef-beyondtrust-app-activity-5 ↳leef-beyondtrust-app-activity-4 ↳cef-beyondtrust-app-activity-1 ↳leef-beyondtrust-app-activity-3 ↳cef-beyondtrust-app-activity-2 ↳leef-beyondtrust-app-activity-9 ↳cef-beyondtrust-app-activity ↳leef-beyondtrust-app-activity-8 ↳leef-beyondtrust-app-activity-7 ↳leef-beyondtrust-app-activity-10 app-login ↳leef-beyondtrust-app-login-1 ↳leef-beyondtrust-app-login ↳cef-beyondtrust-app-login failed-app-login ↳leef-beyondtrust-failed-logon ↳leef-beyondtrust-failed-app-login ↳leef-beyondtrust-failed-logon-1 privileged-access ↳beyond-account-retrieve	T1078 - Valid Accounts T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1136 - Create Account T1136.001 - Create Account: Create: Local Account T1136.002 - T1136.002 T1531 - Account Access Removal	31 Rules 14 Models
Privilege Escalation	account-switch ↳beyond-account-retrieve app-activity ↳beyond-activity-deny ↳beyond-activity-update ↳beyondtrust-app-activity-7 ↳beyond-activity-expire ↳beyondtrust-app-activity-6 ↳beyondtrust-app-activity-8 ↳beyond-activity-cancel ↳beyond-activity-approve ↳leef-beyondtrust-app-activity-2 ↳leef-beyondtrust-app-activity-1 ↳leef-beyondtrust-app-activity-6 ↳leef-beyondtrust-app-activity ↳leef-beyondtrust-app-activity-5 ↳leef-beyondtrust-app-activity-4 ↳cef-beyondtrust-app-activity-1 ↳leef-beyondtrust-app-activity-3 ↳cef-beyondtrust-app-activity-2 ↳leef-beyondtrust-app-activity-9 ↳cef-beyondtrust-app-activity ↳leef-beyondtrust-app-activity-8 ↳leef-beyondtrust-app-activity-7 ↳leef-beyondtrust-app-activity-10	T1078 - Valid Accounts T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1555.005 - T1555.005	13 Rules 8 Models
Privileged Activity	account-switch ↳beyond-account-retrieve app-activity ↳beyond-activity-deny ↳beyond-activity-update ↳beyondtrust-app-activity-7 ↳beyond-activity-expire ↳beyondtrust-app-activity-6 ↳beyondtrust-app-activity-8 ↳beyond-activity-cancel ↳beyond-activity-approve ↳leef-beyondtrust-app-activity-2 ↳leef-beyondtrust-app-activity-1 ↳leef-beyondtrust-app-activity-6 ↳leef-beyondtrust-app-activity ↳leef-beyondtrust-app-activity-5 ↳leef-beyondtrust-app-activity-4 ↳cef-beyondtrust-app-activity-1 ↳leef-beyondtrust-app-activity-3 ↳cef-beyondtrust-app-activity-2 ↳leef-beyondtrust-app-activity-9 ↳cef-beyondtrust-app-activity ↳leef-beyondtrust-app-activity-8 ↳leef-beyondtrust-app-activity-7 ↳leef-beyondtrust-app-activity-10 app-login ↳leef-beyondtrust-app-login-1 ↳leef-beyondtrust-app-login ↳cef-beyondtrust-app-login failed-app-login ↳leef-beyondtrust-failed-logon ↳leef-beyondtrust-failed-app-login ↳leef-beyondtrust-failed-logon-1 privileged-access ↳beyond-account-retrieve	T1078 - Valid Accounts TA0002 - TA0002	13 Rules 8 Models
Ransomware	app-activity ↳beyond-activity-deny ↳beyond-activity-update ↳beyondtrust-app-activity-7 ↳beyond-activity-expire ↳beyondtrust-app-activity-6 ↳beyondtrust-app-activity-8 ↳beyond-activity-cancel ↳beyond-activity-approve ↳leef-beyondtrust-app-activity-2 ↳leef-beyondtrust-app-activity-1 ↳leef-beyondtrust-app-activity-6 ↳leef-beyondtrust-app-activity ↳leef-beyondtrust-app-activity-5 ↳leef-beyondtrust-app-activity-4 ↳cef-beyondtrust-app-activity-1 ↳leef-beyondtrust-app-activity-3 ↳cef-beyondtrust-app-activity-2 ↳leef-beyondtrust-app-activity-9 ↳cef-beyondtrust-app-activity ↳leef-beyondtrust-app-activity-8 ↳leef-beyondtrust-app-activity-7 ↳leef-beyondtrust-app-activity-10 app-login ↳leef-beyondtrust-app-login-1 ↳leef-beyondtrust-app-login ↳cef-beyondtrust-app-login failed-app-login ↳leef-beyondtrust-failed-logon ↳leef-beyondtrust-failed-app-login ↳leef-beyondtrust-failed-logon-1	T1078 - Valid Accounts	2 Rules