2_ds_code42_code42_incydr.md

June 14, 2023

| Use-Case | Event Types / Parsers | MITRE ATT&CK® TTP | Content |
|---|---|---|---|
| Compromised Credentials | **app-activity**<br>code42-app-activity<br><br>**file-delete**<br>code42-file-operations-4<br>code42-file-operations-2<br>code42-file-operations-3<br>code42-file-operations<br><br>**file-read**<br>code42-file-operations-4<br>code42-file-operations-3<br>code42-file-read<br>code42-file-operations<br><br>**file-write**<br>code42-file-operations-4<br>code42-file-operations-2<br>code42-file-operations-3<br>code42-file-operations<br><br>**security-alert**<br>code42-alert-1<br>code42-alert-2<br>code42-alert-3 | T1003.001 - T1003.001<br>T1003.002 - T1003.002<br>T1003.003 - T1003.003<br>T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1083 - File and Directory Discovery<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | 97 Rules<br>48 Models |
| Data Access | **app-activity**<br>code42-app-activity<br><br>**file-delete**<br>code42-file-operations-4<br>code42-file-operations-2<br>code42-file-operations-3<br>code42-file-operations<br><br>**file-read**<br>code42-file-operations-4<br>code42-file-operations-3<br>code42-file-read<br>code42-file-operations<br><br>**file-write**<br>code42-file-operations-4<br>code42-file-operations-2<br>code42-file-operations-3<br>code42-file-operations | T1078 - Valid Accounts<br>T1083 - File and Directory Discovery | 43 Rules<br>24 Models |
| Data Leak | **app-activity**<br>code42-app-activity<br><br>**dlp-email-alert-out**<br>code42-email-out-operations<br><br>**file-write**<br>code42-file-operations-4<br>code42-file-operations-2<br>code42-file-operations-3<br>code42-file-operations<br><br>**print-activity**<br>code42-print-operations<br><br>**usb-insert**<br>code42-usb-insert | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol<br>T1052 - Exfiltration Over Physical Medium<br>T1052.001 - Exfiltration Over Physical Medium: Exfiltration over USB<br>T1091 - Replication Through Removable Media<br>T1114.001 - T1114.001<br>T1114.003 - Email Collection: Email Forwarding Rule | 53 Rules<br>21 Models |
| Malware | **app-activity**<br>code42-app-activity<br><br>**dlp-email-alert-out**<br>code42-email-out-operations<br><br>**file-write**<br>code42-file-operations-4<br>code42-file-operations-2<br>code42-file-operations-3<br>code42-file-operations<br><br>**security-alert**<br>code42-alert-1<br>code42-alert-2<br>code42-alert-3 | T1003.002 - T1003.002<br>T1078 - Valid Accounts<br>T1190 - Exploit Public-Facing Application<br>T1505.003 - Server Software Component: Web Shell<br>T1547.001 - T1547.001<br>TA0002 - TA0002 | 15 Rules<br>5 Models |
| Privilege Abuse | **app-activity**<br>code42-app-activity<br><br>**dlp-email-alert-out**<br>code42-email-out-operations<br><br>**file-delete**<br>code42-file-operations-4<br>code42-file-operations-2<br>code42-file-operations-3<br>code42-file-operations<br><br>**file-download**<br>code42-file-operations-2<br>code42-file-operations-3<br><br>**file-read**<br>code42-file-operations-4<br>code42-file-operations-3<br>code42-file-read<br>code42-file-operations<br><br>**file-upload**<br>code42-file-operations-2<br>code42-file-operations-3<br><br>**file-write**<br>code42-file-operations-4<br>code42-file-operations-2<br>code42-file-operations-3<br>code42-file-operations | T1078 - Valid Accounts<br>T1098.002 - Account Manipulation: Exchange Email Delegate Permissions | 7 Rules<br>2 Models |
| Privileged Activity | **app-activity**<br>code42-app-activity<br><br>**dlp-email-alert-out**<br>code42-email-out-operations<br><br>**file-delete**<br>code42-file-operations-4<br>code42-file-operations-2<br>code42-file-operations-3<br>code42-file-operations<br><br>**file-download**<br>code42-file-operations-2<br>code42-file-operations-3<br><br>**file-read**<br>code42-file-operations-4<br>code42-file-operations-3<br>code42-file-read<br>code42-file-operations<br><br>**file-upload**<br>code42-file-operations-2<br>code42-file-operations-3<br><br>**file-write**<br>code42-file-operations-4<br>code42-file-operations-2<br>code42-file-operations-3<br>code42-file-operations<br><br>**security-alert**<br>code42-alert-1<br>code42-alert-2<br>code42-alert-3 | T1068 - Exploitation for Privilege Escalation<br>T1078 - Valid Accounts | 4 Rules<br>1 Model |