Vendor: Cisco

Product: Netflow

Rules	Models	MITRE ATT&CK® TTPs	Event Types	Parsers
53	21	12	1	1

Use-Case	Event Types/Parsers	MITRE ATT&CK® TTP	Content
Compromised Credentials	netflow-connection ↳json-cisco-netflow-connection-1 ↳cisco-netflow-connection ↳json-cisco-netflow-connection ↳cisco-netflow-connection-2	T1046 - Network Service Scanning	1 Rules 1 Models
Data Exfiltration	netflow-connection ↳json-cisco-netflow-connection-1 ↳cisco-netflow-connection ↳json-cisco-netflow-connection ↳cisco-netflow-connection-2	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1071.002 - Application Layer Protocol: File Transfer Protocols	1 Rules
Lateral Movement	netflow-connection ↳json-cisco-netflow-connection-1 ↳cisco-netflow-connection ↳json-cisco-netflow-connection ↳cisco-netflow-connection-2	T1018 - Remote System Discovery T1021 - Remote Services T1021.001 - Remote Services: Remote Desktop Protocol T1046 - Network Service Scanning T1071 - Application Layer Protocol T1090.003 - Proxy: Multi-hop Proxy T1190 - Exploit Public Fasing Application T1210 - Exploitation of Remote Services TA0008 - TA0008 TA0010 - TA0010 TA0011 - TA0011	51 Rules 21 Models
Malware	netflow-connection ↳json-cisco-netflow-connection-1 ↳cisco-netflow-connection ↳json-cisco-netflow-connection ↳cisco-netflow-connection-2	TA0011 - TA0011	3 Rules

MITRE ATT&CK® Framework for Enterprise

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Exploit Public Fasing Application						Network Service Scanning Remote System Discovery	Exploitation of Remote Services Remote Services Remote Services: Remote Desktop Protocol		Application Layer Protocol: File Transfer Protocols Proxy: Multi-hop Proxy Application Layer Protocol Proxy	Exfiltration Over Alternative Protocol Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol