2_ds_sentinelone_vigilance.md

June 14, 2023 · View on GitHub

Use-Case	Event Types/Parsers	MITRE ATT&CK® TTP	Content
Compromised Credentials	app-activity ↳cef-sentinelone-vigilance-app-activity-1 ↳cef-sentinelone-vigilance-app-activity-2 ↳cef-sentinelone-vigilance-app-activity app-login ↳cef-sentinelone-vigilance-app-login failed-app-login ↳cef-sentinelone-vigilance-failed-app-login security-alert ↳cef-sentinelone-vigilance-security-alert-1 ↳cef-sentinelone-vigilance-security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	68 Rules 34 Models
Data Access	app-activity ↳cef-sentinelone-vigilance-app-activity-1 ↳cef-sentinelone-vigilance-app-activity-2 ↳cef-sentinelone-vigilance-app-activity app-login ↳cef-sentinelone-vigilance-app-login failed-app-login ↳cef-sentinelone-vigilance-failed-app-login	T1078 - Valid Accounts	20 Rules 11 Models
Lateral Movement	app-activity ↳cef-sentinelone-vigilance-app-activity-1 ↳cef-sentinelone-vigilance-app-activity-2 ↳cef-sentinelone-vigilance-app-activity app-login ↳cef-sentinelone-vigilance-app-login failed-app-login ↳cef-sentinelone-vigilance-failed-app-login security-alert ↳cef-sentinelone-vigilance-security-alert-1 ↳cef-sentinelone-vigilance-security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1090.003 - Proxy: Multi-hop Proxy	6 Rules
Malware	app-activity ↳cef-sentinelone-vigilance-app-activity-1 ↳cef-sentinelone-vigilance-app-activity-2 ↳cef-sentinelone-vigilance-app-activity app-login ↳cef-sentinelone-vigilance-app-login security-alert ↳cef-sentinelone-vigilance-security-alert-1 ↳cef-sentinelone-vigilance-security-alert	T1078 - Valid Accounts TA0002 - TA0002	5 Rules 2 Models
Privilege Abuse	account-creation ↳cef-sentinelone-vigilance-account-creation app-activity ↳cef-sentinelone-vigilance-app-activity-1 ↳cef-sentinelone-vigilance-app-activity-2 ↳cef-sentinelone-vigilance-app-activity app-login ↳cef-sentinelone-vigilance-app-login failed-app-login ↳cef-sentinelone-vigilance-failed-app-login	T1078 - Valid Accounts T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1136 - Create Account T1136.001 - Create Account: Create: Local Account T1136.002 - T1136.002	23 Rules 9 Models
Privileged Activity	app-activity ↳cef-sentinelone-vigilance-app-activity-1 ↳cef-sentinelone-vigilance-app-activity-2 ↳cef-sentinelone-vigilance-app-activity app-login ↳cef-sentinelone-vigilance-app-login failed-app-login ↳cef-sentinelone-vigilance-failed-app-login security-alert ↳cef-sentinelone-vigilance-security-alert-1 ↳cef-sentinelone-vigilance-security-alert	T1068 - Exploitation for Privilege Escalation T1078 - Valid Accounts	3 Rules 1 Models
Ransomware	app-activity ↳cef-sentinelone-vigilance-app-activity-1 ↳cef-sentinelone-vigilance-app-activity-2 ↳cef-sentinelone-vigilance-app-activity app-login ↳cef-sentinelone-vigilance-app-login failed-app-login ↳cef-sentinelone-vigilance-failed-app-login	T1078 - Valid Accounts	2 Rules