2_ds_trend_micro_officescan.md

June 14, 2023 · View on GitHub

Use-Case	Event Types/Parsers	MITRE ATT&CK® TTP	Content
Lateral Movement	security-alert ↳q-trendmicro-syslog-alert ↳s-trendmicro-epp-alert-1 ↳s-trendmicro-epp-alert ↳s-trendmicro-epp-alert-2 ↳q-trendmicro-epp-alert ↳trendmicro-cef-alert ↳trend-micro-alert-2 ↳trend-micro-alert-3 ↳trend-micro-alert-4 ↳trend-micro-alert-5 ↳trend-micro-alert-6 ↳trend-micro-alert-7 ↳trend-micro-alert-8 ↳s-trendmicro-security-alert-2 ↳s-trendmicro-security-alert-3 ↳cef-trendmicro-security-alert ↳trend-micro-alert-1 ↳s-trendmicro-security-alert-1 ↳leef-trendmicro-security-alert ↳s-trendmicro-security-alert web-activity-allowed ↳trendmicro-cef-web-activity	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1071.001 - Application Layer Protocol: Web Protocols T1090.003 - Proxy: Multi-hop Proxy T1190 - Exploit Public Fasing Application	12 Rules
Malware	dlp-alert ↳q-trendmicro-dlp-alert ↳cef-trendmicro-dlp-alert-1 ↳cef-trendmicro-dlp-alert dlp-email-alert-in ↳trendmicro-cef-alert dlp-email-alert-out ↳trendmicro-cef-alert privileged-object-access ↳leef-trendmicro-privileged-object-access security-alert ↳q-trendmicro-syslog-alert ↳s-trendmicro-epp-alert-1 ↳s-trendmicro-epp-alert ↳s-trendmicro-epp-alert-2 ↳q-trendmicro-epp-alert ↳trendmicro-cef-alert ↳trend-micro-alert-2 ↳trend-micro-alert-3 ↳trend-micro-alert-4 ↳trend-micro-alert-5 ↳trend-micro-alert-6 ↳trend-micro-alert-7 ↳trend-micro-alert-8 ↳s-trendmicro-security-alert-2 ↳s-trendmicro-security-alert-3 ↳cef-trendmicro-security-alert ↳trend-micro-alert-1 ↳s-trendmicro-security-alert-1 ↳leef-trendmicro-security-alert ↳s-trendmicro-security-alert usb-write ↳cef-trendmicro-usb-write web-activity-allowed ↳trendmicro-cef-web-activity	T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	29 Rules 9 Models
Privileged Activity	dlp-email-alert-in ↳trendmicro-cef-alert dlp-email-alert-out ↳trendmicro-cef-alert security-alert ↳q-trendmicro-syslog-alert ↳s-trendmicro-epp-alert-1 ↳s-trendmicro-epp-alert ↳s-trendmicro-epp-alert-2 ↳q-trendmicro-epp-alert ↳trendmicro-cef-alert ↳trend-micro-alert-2 ↳trend-micro-alert-3 ↳trend-micro-alert-4 ↳trend-micro-alert-5 ↳trend-micro-alert-6 ↳trend-micro-alert-7 ↳trend-micro-alert-8 ↳s-trendmicro-security-alert-2 ↳s-trendmicro-security-alert-3 ↳cef-trendmicro-security-alert ↳trend-micro-alert-1 ↳s-trendmicro-security-alert-1 ↳leef-trendmicro-security-alert ↳s-trendmicro-security-alert web-activity-allowed ↳trendmicro-cef-web-activity	T1068 - Exploitation for Privilege Escalation T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service	4 Rules