Vendor: CatoNetworks

June 14, 2023 · View on GitHub

Product: Cato Cloud

Rules	Models	MITRE ATT&CK® TTPs	Event Types	Parsers
176	79	28	5	5

Use-Case	Event Types/Parsers	MITRE ATT&CK® TTP	Content
Abnormal Authentication & Access	vpn-login ↳cef-catonetworks-vpn-login vpn-logout ↳cef-catonetworks-vpn-end web-activity-allowed ↳cef-catonetworks-web-activity web-activity-denied ↳cef-catonetworks-web-activity	T1021 - Remote Services T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1133 - External Remote Services	32 Rules 13 Models
Account Manipulation	vpn-logout ↳cef-catonetworks-vpn-end	T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1484 - Group Policy Modification	7 Rules 7 Models
Brute Force Attack	vpn-logout ↳cef-catonetworks-vpn-end	T1110 - Brute Force	1 Rules 1 Models
Compromised Credentials	network-alert ↳cef-catonetworks-network-alert vpn-login ↳cef-catonetworks-vpn-login vpn-logout ↳cef-catonetworks-vpn-end web-activity-allowed ↳cef-catonetworks-web-activity web-activity-denied ↳cef-catonetworks-web-activity	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1110 - Brute Force T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	89 Rules 44 Models
Cryptomining	web-activity-allowed ↳cef-catonetworks-web-activity web-activity-denied ↳cef-catonetworks-web-activity	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules
Data Access	vpn-logout ↳cef-catonetworks-vpn-end	T1110 - Brute Force	1 Rules 1 Models
Data Exfiltration	vpn-logout ↳cef-catonetworks-vpn-end web-activity-allowed ↳cef-catonetworks-web-activity web-activity-denied ↳cef-catonetworks-web-activity	T1041 - Exfiltration Over C2 Channel T1071.001 - Application Layer Protocol: Web Protocols T1133 - External Remote Services T1567 - Exfiltration Over Web Service T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage T1568 - Dynamic Resolution T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0010 - TA0010	12 Rules 6 Models
Data Leak	vpn-logout ↳cef-catonetworks-vpn-end web-activity-allowed ↳cef-catonetworks-web-activity web-activity-denied ↳cef-catonetworks-web-activity	T1041 - Exfiltration Over C2 Channel T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1052 - Exfiltration Over Physical Medium T1052.001 - Exfiltration Over Physical Medium: Exfiltration over USB T1071.001 - Application Layer Protocol: Web Protocols T1133 - External Remote Services T1567 - Exfiltration Over Web Service T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage TA0010 - TA0010	17 Rules 13 Models
Lateral Movement	vpn-login ↳cef-catonetworks-vpn-login vpn-logout ↳cef-catonetworks-vpn-end web-activity-allowed ↳cef-catonetworks-web-activity web-activity-denied ↳cef-catonetworks-web-activity	T1021 - Remote Services T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1090.003 - Proxy: Multi-hop Proxy T1190 - Exploit Public Fasing Application T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting	18 Rules 3 Models
Malware	network-alert ↳cef-catonetworks-network-alert vpn-login ↳cef-catonetworks-vpn-login web-activity-allowed ↳cef-catonetworks-web-activity web-activity-denied ↳cef-catonetworks-web-activity	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	31 Rules 9 Models
Phishing	vpn-logout ↳cef-catonetworks-vpn-end web-activity-allowed ↳cef-catonetworks-web-activity web-activity-denied ↳cef-catonetworks-web-activity	T1189 - Drive-by Compromise T1204.001 - T1204.001 T1534 - Internal Spearphishing T1566 - Phishing T1566.002 - Phishing: Spearphishing Link T1598.003 - T1598.003	6 Rules 2 Models
Physical Security	vpn-login ↳cef-catonetworks-vpn-login	T1133 - External Remote Services	1 Rules 1 Models
Privilege Abuse	vpn-login ↳cef-catonetworks-vpn-login vpn-logout ↳cef-catonetworks-vpn-end web-activity-allowed ↳cef-catonetworks-web-activity web-activity-denied ↳cef-catonetworks-web-activity	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1133 - External Remote Services	4 Rules 2 Models
Privilege Escalation	vpn-logout ↳cef-catonetworks-vpn-end	T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1555.005 - T1555.005	5 Rules 5 Models
Privileged Activity	web-activity-allowed ↳cef-catonetworks-web-activity web-activity-denied ↳cef-catonetworks-web-activity	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service	2 Rules
Ransomware	vpn-login ↳cef-catonetworks-vpn-login web-activity-allowed ↳cef-catonetworks-web-activity web-activity-denied ↳cef-catonetworks-web-activity	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts	2 Rules
Workforce Protection	web-activity-allowed ↳cef-catonetworks-web-activity	T1071.001 - Application Layer Protocol: Web Protocols	4 Rules 2 Models

MITRE ATT&CK® Framework for Enterprise

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Phishing: Spearphishing Link External Remote Services Valid Accounts Drive-by Compromise Exploit Public Fasing Application Phishing	User Execution	External Remote Services Valid Accounts Account Manipulation Account Manipulation: Exchange Email Delegate Permissions	Valid Accounts Group Policy Modification	Group Policy Modification Obfuscated Files or Information: Indicator Removal from Tools Valid Accounts Obfuscated Files or Information	Brute Force Steal or Forge Kerberos Tickets Credentials from Password Stores Steal or Forge Kerberos Tickets: Kerberoasting		Remote Services Internal Spearphishing		Web Service Application Layer Protocol: Web Protocols Dynamic Resolution Dynamic Resolution: Domain Generation Algorithms Proxy: Multi-hop Proxy Application Layer Protocol Proxy	Exfiltration Over Alternative Protocol Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Exfiltration Over Physical Medium: Exfiltration over USB Exfiltration Over C2 Channel Exfiltration Over Physical Medium Exfiltration Over Web Service: Exfiltration to Cloud Storage Exfiltration Over Web Service	Resource Hijacking