Vendor: SkySea
June 14, 2023 · View on GitHub
Product: ClientView
Use-Case: Privileged Activity
| Rules | Models | MITRE ATT&CK® TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 8 | 1 | 5 | 12 | 12 |
| Event Type | Rules | Models |
|---|---|---|
| app-activity | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account ↳ APP-AT-PRIV: Non-privileged user performing privileged application activity | • APP-AT-PRIV: Privileged application activities |
| app-login | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account | |
| dlp-email-alert-out | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account | |
| file-delete | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account | |
| file-download | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account | |
| file-read | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account | |
| file-upload | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account | |
| file-write | T1078 - Valid Accounts ↳ FA-Account-deactivated: File Activity from a de-activated user account | |
| process-created | T1482 - Domain Trust Discovery ↳ A-Trickbot-Recon: Trickbot malware domain recon activity on this asset ↳ Trickbot-Recon: Trickbot malware domain recon activity | |
| security-alert | T1068 - Exploitation for Privilege Escalation ↳ ALERT-EXEC: Security violation by Executive | |
| web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols ↳ A-WEB-DC: Web activity event on a Domain Controller ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity T1078 - Valid Accounts ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity T1102 - Web Service ↳ A-WEB-DC: Web activity event on a Domain Controller | |
| web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols ↳ A-WEB-DC: Web activity event on a Domain Controller ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity T1078 - Valid Accounts ↳ WEB-ALERT-EXEC: Security violation by Executive in web activity T1102 - Web Service ↳ A-WEB-DC: Web activity event on a Domain Controller |