Vendor: Google

June 14, 2023 · View on GitHub

Product: Workspace

RulesModelsMITRE ATT&CK® TTPsEvent TypesParsers
15462191515
Use-CaseEvent Types/ParsersMITRE ATT&CK® TTPContent
Abnormal Authentication & Accessaccount-password-change
cef-google-password-update

account-password-reset
cef-google-password-update

app-activity
u-googlecalendar-app-activity
cef-google-app-activity-1
cef-google-app-activity-2
cef-google-app-activity-3
cef-google-app-activity-6
cef-google-app-login
cef-google-app-activity-4
cef-google-app-activity-5
cef-google-app-activity-7

app-login
cef-google-app-login-1
u-google-auth-successful
u-google-app-login
cef-google-app-activity-3
cef-google-app-activity-6
cef-google-app-login

failed-app-login
u-google-auth-failed
cef-google-app-login
T1078 - Valid Accounts
T1133 - External Remote Services
  • 15 Rules
  • 4 Models
Account Manipulationaccount-password-change
cef-google-password-update

account-password-reset
cef-google-password-update

app-activity
u-googlecalendar-app-activity
cef-google-app-activity-1
cef-google-app-activity-2
cef-google-app-activity-3
cef-google-app-activity-6
cef-google-app-login
cef-google-app-activity-4
cef-google-app-activity-5
cef-google-app-activity-7
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 4 Rules
  • 1 Models
Data Exfiltrationfile-write
cef-google-file-activity
u-googledrive-file-activity
TA0002 - TA0002
  • 2 Rules
  • 1 Models
Destruction of Datafile-delete
cef-google-file-activity
u-googledrive-file-activity
T1070.004 - Indicator Removal on Host: File Deletion
T1485 - Data Destruction
  • 1 Rules
Phishingdlp-email-alert-out
cef-skyformation-gmail-out-1
cef-skyformation-gmail-out
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
  • 1 Rules
  • 1 Models
Workforce Protectiondlp-email-alert-out
cef-skyformation-gmail-out-1
cef-skyformation-gmail-out
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
  • 4 Rules
  • 1 Models
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
External Remote Services

Valid Accounts

Exploit Public Fasing Application

External Remote Services

Valid Accounts

Server Software Component: Web Shell

Account Manipulation

Server Software Component

Boot or Logon Autostart Execution

Account Manipulation: Exchange Email Delegate Permissions

Valid Accounts

Boot or Logon Autostart Execution

Indicator Removal on Host: File Deletion

Valid Accounts

Indicator Removal on Host

OS Credential Dumping

File and Directory Discovery

Email Collection

Email Collection: Email Forwarding Rule

Proxy: Multi-hop Proxy

Proxy

Exfiltration Over Alternative Protocol

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Data Destruction

Data Encrypted for Impact