Vendor: SFTP

June 14, 2023 · View on GitHub

Product: SFTP

Use-Case: Data Access

RulesModelsMITRE ATT&CK® TTPsEvent TypesParsers
3017255
Event TypeRulesModels
app-loginT1078 - Valid Accounts
APP-UApp-F: First login or activity within an application for user
APP-UApp-A: Abnormal login or activity within an application for user
APP-AppU-F: First login to an application for a user with no history
APP-AppG-F: First login to an application for group
APP-GApp-A: Abnormal login to an application for group		APP-GApp: Group Logons to Applications
APP-AppG: Groups per Application
APP-AppU: User Logons to Applications
APP-UApp: Applications per User
failed-app-loginT1078 - Valid Accounts
APP-F-FL: Failed login to application
file-deleteT1083 - File and Directory Discovery
FA-UA-UI-F: First file activity from ISP
FA-UA-UC-F: First file activity from country for user
FA-UA-UC-A: Abnormal file activity from country for user
FA-UA-GC-F: First file activity from country for group
FA-UA-GC-A: Abnormal file activity from country for group
FA-UA-OC-F: First file activity from country for organization
FA-UA-OC-A: Abnormal file activity from country for organization
FA-UTi: Abnormal user file activity time
FA-UH-F: First file access from asset for user
FA-UH-A: Abnormal file access from asset for user
FA-OZ-F: First file access from network zone for organization
FA-OZ-A: Abnormal file access from network zone for organization
FA-UZ-F: First file access from network zone for user
FA-UZ-A: Abnormal file access from network zone for user
FA-UA-F: First file access activity for user
FA-UA-A: Abnormal file access activity for user
FA-OU-F: First access to source code files for user in the organization
FA-OU-A: Abnormal access to source code files for user in the organization
FA-OG-F: First access to source code files for user in the peer group
FA-OG-A: Abnormal access to source code files for user in the peer group
FA-UD-F: First file server access for user
FA-UD-A: Abnormal file server access for user
FA-GD-F: First file server access for group
FA-GD-A: Abnormal file server access for group		FA-GD: File server access per group
FA-UD: File server access per user
FA-OG: Users accessing source code files in the peer group
FA-OU: Users accessing source code files in the organization
FA-UA: File access activities for user
FA-UZ: File accesses from network zone for user
FA-OZ: File accesses from network zone for organization
FA-UH: User file access source host
FA-UTi: File activity time for user
FA-UA-OC: Countries for organization file activities
FA-UA-GC: Countries for peer groups file activities
FA-UA-UC: Countries for user file activity
FA-UA-UI-new: ISP of users during file activity
file-readT1083 - File and Directory Discovery
FA-UA-UI-F: First file activity from ISP
FA-UA-UC-F: First file activity from country for user
FA-UA-UC-A: Abnormal file activity from country for user
FA-UA-GC-F: First file activity from country for group
FA-UA-GC-A: Abnormal file activity from country for group
FA-UA-OC-F: First file activity from country for organization
FA-UA-OC-A: Abnormal file activity from country for organization
FA-UTi: Abnormal user file activity time
FA-UH-F: First file access from asset for user
FA-UH-A: Abnormal file access from asset for user
FA-OZ-F: First file access from network zone for organization
FA-OZ-A: Abnormal file access from network zone for organization
FA-UZ-F: First file access from network zone for user
FA-UZ-A: Abnormal file access from network zone for user
FA-UA-F: First file access activity for user
FA-UA-A: Abnormal file access activity for user
FA-OU-F: First access to source code files for user in the organization
FA-OU-A: Abnormal access to source code files for user in the organization
FA-OG-F: First access to source code files for user in the peer group
FA-OG-A: Abnormal access to source code files for user in the peer group
FA-UD-F: First file server access for user
FA-UD-A: Abnormal file server access for user
FA-GD-F: First file server access for group
FA-GD-A: Abnormal file server access for group		FA-GD: File server access per group
FA-UD: File server access per user
FA-OG: Users accessing source code files in the peer group
FA-OU: Users accessing source code files in the organization
FA-UA: File access activities for user
FA-UZ: File accesses from network zone for user
FA-OZ: File accesses from network zone for organization
FA-UH: User file access source host
FA-UTi: File activity time for user
FA-UA-OC: Countries for organization file activities
FA-UA-GC: Countries for peer groups file activities
FA-UA-UC: Countries for user file activity
FA-UA-UI-new: ISP of users during file activity
file-writeT1083 - File and Directory Discovery
FA-UA-UI-F: First file activity from ISP
FA-UA-UC-F: First file activity from country for user
FA-UA-UC-A: Abnormal file activity from country for user
FA-UA-GC-F: First file activity from country for group
FA-UA-GC-A: Abnormal file activity from country for group
FA-UA-OC-F: First file activity from country for organization
FA-UA-OC-A: Abnormal file activity from country for organization
FA-UTi: Abnormal user file activity time
FA-UH-F: First file access from asset for user
FA-UH-A: Abnormal file access from asset for user
FA-OZ-F: First file access from network zone for organization
FA-OZ-A: Abnormal file access from network zone for organization
FA-UZ-F: First file access from network zone for user
FA-UZ-A: Abnormal file access from network zone for user
FA-UA-F: First file access activity for user
FA-UA-A: Abnormal file access activity for user
FA-OU-F: First access to source code files for user in the organization
FA-OU-A: Abnormal access to source code files for user in the organization
FA-OG-F: First access to source code files for user in the peer group
FA-OG-A: Abnormal access to source code files for user in the peer group
FA-UD-F: First file server access for user
FA-UD-A: Abnormal file server access for user
FA-GD-F: First file server access for group
FA-GD-A: Abnormal file server access for group		FA-GD: File server access per group
FA-UD: File server access per user
FA-OG: Users accessing source code files in the peer group
FA-OU: Users accessing source code files in the organization
FA-UA: File access activities for user
FA-UZ: File accesses from network zone for user
FA-OZ: File accesses from network zone for organization
FA-UH: User file access source host
FA-UTi: File activity time for user
FA-UA-OC: Countries for organization file activities
FA-UA-GC: Countries for peer groups file activities
FA-UA-UC: Countries for user file activity
FA-UA-UI-new: ISP of users during file activity