Vendor: CrowdStrike
June 14, 2023
Product: Falcon
Use-Case: Data Leak
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 47 | 22 | 7 | 5 | 5 |

| Event Type | Rules | Models |
|---|---|---|
| app-activity | T1114.003 - Email Collection: Email Forwarding Rule ↳ EM-InRule-EX: User has created an inbox forwarding rule to forward email to an external domain email ↳ EM-InRule-Public: User has created an inbox forwarding rule to forward email to a public email domain ↳ EM-InRule-Fin: User has created an inbox forwarding rule to forward emails containing financial keywords | |
| dlp-alert | T1071 - Application Layer Protocol ↳ DLP-PT-F: First target domain for protocol TA0010 - TA0010 ↳ A-DLP-AN-ALERT-F: First DLP alert name on the asset ↳ A-DLP-AN-ALERT-A: Abnormal DLP alert name on the asset ↳ A-DLP-ON-ALERT-F: First DLP alert (by name) in the organization ↳ A-DLP-ON-ALERT-A: Abnormal DLP alert (by name) in the organization ↳ A-DLP-ZN-ALERT-F: First DLP alert (by name) in the zone ↳ A-DLP-ZN-ALERT-A: Abnormal DLP alert (by name) in the zone ↳ A-DLP-HN-ALERT-A: Abnormal DLP alert (by name) in the asset ↳ A-DLP-OA-ALERT-F: First DLP alert triggered for asset in the organization ↳ A-DLP-OA-ALERT-A: Abnormal asset triggering DLP alert in the organization ↳ DLP-OU-ALERT-F: First DLP alert triggered for this user ↳ DLP-OU-ALERT-A: Abnormal user triggering DLP alert ↳ DLP-OG-ALERT-F: First DLP alert triggered for peer group in the organization ↳ DLP-OG-ALERT-A: Abnormal peer group triggering DLP alert in the organization ↳ DLP-UPolicy-F: First DLP alert name for user ↳ DLP-UPolicy-A: Abnormal DLP alert name for user ↳ DLP-UProtocol-F: First DLP protocol violation for user ↳ DLP-UProtocol-A: Abnormal DLP protocol violation for user ↳ DLP-GP-F: First DLP policy violation for peer group ↳ DLP-GP-A: Abnormal DLP policy violation for peer group ↳ DLP-OP-F: First DLP alert name in the organization ↳ DLP-OP-A: Abnormal DLP alert name in the organization ↳ DLP-UA-F: First DLP policy violation from asset for user ↳ DLP-GA-F: First DLP policy violation from asset for the peer group ↳ DLP-OA-F: First DLP policy violation from asset for the organization ↳ DLP-OBp-F: First blocked process for the organization ↳ DLP-GBp-F: First blocked process for the peer group ↳ DLP-UBp-F: First blocked process for the user T1020 - Automated Exfiltration ↳ A-DLP-HN-ALERT-F: First DLP alert (by name) in the asset | • DLP-PT: Models the target domains accessed using this protocol • DLP-UBp: Processes that are blocked from execution for the user • DLP-GBp: Processes that are blocked from execution in the peer group • DLP-OBp: Processes that are blocked from execution in the organization • DLP-OA: Assets on which DLP policy violations occurred in the organization • DLP-GA: Assets on which DLP policy violations occurred in the peer group • DLP-UA: Assets on which DLP policy violations occurred for user • DLP-OP: DLP alert names in the organization • DLP-GP: DLP policy violations by peer group • DLP-UProtocol: DLP protocol violations by user • DLP-UPolicy: DLP alert names for user • DLP-OG-ALERT: Peer groups triggering DLP alerts in the organization • DLP-OU-ALERT: Users triggering DLP alerts in the organization • A-DLP-OA-ALERT: Assets triggering DLP alerts in the organization • A-DLP-HN-ALERT: DLP alert names triggered in the asset • A-DLP-ZN-ALERT: DLP alert names triggered in the zone • A-DLP-ON-ALERT: DLP alert names triggered in the organization • A-DLP-AN-ALERT: DLP alert names on asset |
| file-write | T1114.001 - T1114.001 ↳ FA-Outlook-pst: A file ends with either pst or ost | |
| usb-insert | T1052.001 - Exfiltration Over Physical Medium: Exfiltration over USB ↳ UW-UHD-000: First USB activity event for user, asset and USB device ↳ UW-UHD-001: First USB activity event for user and asset. The USB device (if present) has been used by/with other users/assets in the past. ↳ UW-UHD-010: First USB activity event for user and USB device. The asset has been used with other USB devices in other USB events ↳ UW-UHD-011: First USB activity event for user. The asset and the USB device (if present) have been seen in other USB events ↳ UW-UHD-100: First USB activity event for USB device and asset. The user has been seen performing USB activity in other USB events ↳ UW-UHD-101: First USB activity event for asset. The user and the USB device (if present) have been seen in other USB events ↳ UW-UHD-110: First USB activity event for USB device. The user and the asset have been seen in other USB events ↳ UW-UD-F: First device for user in USB event ↳ UW-DH-F: First asset for device in USB event ↳ UW-UHD-F: First asset and device for user in USB event ↳ UW-UH-A: Abnormal asset for user in USB event ↳ UW-UD-A: Abnormal USB device for user ↳ UW-DH-A: Abnormal asset for USB device T1091 - Replication Through Removable Media ↳ UW-UHD-000: First USB activity event for user, asset and USB device ↳ UW-UHD-001: First USB activity event for user and asset. The USB device (if present) has been used by/with other users/assets in the past. ↳ UW-UHD-010: First USB activity event for user and USB device. The asset has been used with other USB devices in other USB events ↳ UW-UHD-011: First USB activity event for user. The asset and the USB device (if present) have been seen in other USB events ↳ UW-UHD-100: First USB activity event for USB device and asset. The user has been seen performing USB activity in other USB events ↳ UW-UHD-101: First USB activity event for asset. The user and the USB device (if present) have been seen in other USB events ↳ UW-UHD-110: First USB activity event for USB device. The user and the asset have been seen in other USB events ↳ UW-UD-F: First device for user in USB event ↳ UW-DH-F: First asset for device in USB event ↳ UW-UHD-F: First asset and device for user in USB event ↳ UW-UH-A: Abnormal asset for user in USB event ↳ UW-UD-A: Abnormal USB device for user ↳ UW-DH-A: Abnormal asset for USB device | • UW-DH: Hosts that were used with USB Device • UW-UD: USB Devices per User • UW-UH: Hosts used with USB Device per User • UW-UHD: Assets and USB Devices for users |
| usb-write | T1052.001 - Exfiltration Over Physical Medium: Exfiltration over USB ↳ UW-UHD-000: First USB activity event for user, asset and USB device ↳ UW-UHD-001: First USB activity event for user and asset. The USB device (if present) has been used by/with other users/assets in the past. ↳ UW-UHD-010: First USB activity event for user and USB device. The asset has been used with other USB devices in other USB events ↳ UW-UHD-011: First USB activity event for user. The asset and the USB device (if present) have been seen in other USB events ↳ UW-UHD-100: First USB activity event for USB device and asset. The user has been seen performing USB activity in other USB events ↳ UW-UHD-101: First USB activity event for asset. The user and the USB device (if present) have been seen in other USB events ↳ UW-UHD-110: First USB activity event for USB device. The user and the asset have been seen in other USB events ↳ UW-UD-F: First device for user in USB event ↳ UW-DH-F: First asset for device in USB event ↳ UW-UHD-F: First asset and device for user in USB event ↳ UW-UH-A: Abnormal asset for user in USB event ↳ UW-UD-A: Abnormal USB device for user ↳ UW-DH-A: Abnormal asset for USB device ↳ UW-PST: A file ending with either pst or ost has been written into USB T1091 - Replication Through Removable Media ↳ UW-UHD-000: First USB activity event for user, asset and USB device ↳ UW-UHD-001: First USB activity event for user and asset. The USB device (if present) has been used by/with other users/assets in the past. ↳ UW-UHD-010: First USB activity event for user and USB device. The asset has been used with other USB devices in other USB events ↳ UW-UHD-011: First USB activity event for user. The asset and the USB device (if present) have been seen in other USB events ↳ UW-UHD-100: First USB activity event for USB device and asset. The user has been seen performing USB activity in other USB events ↳ UW-UHD-101: First USB activity event for asset. The user and the USB device (if present) have been seen in other USB events ↳ UW-UHD-110: First USB activity event for USB device. The user and the asset have been seen in other USB events ↳ UW-UD-F: First device for user in USB event ↳ UW-DH-F: First asset for device in USB event ↳ UW-UHD-F: First asset and device for user in USB event ↳ UW-UH-A: Abnormal asset for user in USB event ↳ UW-UD-A: Abnormal USB device for user ↳ UW-DH-A: Abnormal asset for USB device | • UW-DH: Hosts that were used with USB Device • UW-UD: USB Devices per User • UW-UH: Hosts used with USB Device per User • UW-UHD: Assets and USB Devices for users |