2_ds_vectra_cognito_stream.md
June 14, 2023
| Use-Case | Event Types / Parsers | MITRE ATT&CK® TTP | Content |
|---|---|---|---|
| Lateral Movement | authentication-failed ↳ vectra-authentication-attempt<br>authentication-successful ↳ vectra-authentication-attempt<br>ntlm-logon ↳ vectra-ntlm-logon<br>remote-logon ↳ rdp-vectra-meta-data, ssh-vectra-meta-data<br>web-activity-allowed ↳ vectra-web-activity<br>web-activity-denied ↳ vectra-web-activity | T1018 - Remote System Discovery<br>T1021 - Remote Services<br>T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1090.003 - Proxy: Multi-hop Proxy<br>T1190 - Exploit Public-Facing Application<br>T1550 - Use Alternate Authentication Material<br>T1550.002 - Use Alternate Authentication Material: Pass the Hash<br>T1550.003 - Use Alternate Authentication Material: Pass the Ticket<br>T1558 - Steal or Forge Kerberos Tickets<br>T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting | |
| Malware | authentication-successful ↳ vectra-authentication-attempt<br>dlp-email-alert-out ↳ vectra-dlp-email-alert<br>file-write ↳ vectra-file-operations<br>ntlm-logon ↳ vectra-ntlm-logon<br>remote-logon ↳ rdp-vectra-meta-data, ssh-vectra-meta-data<br>web-activity-allowed ↳ vectra-web-activity<br>web-activity-denied ↳ vectra-web-activity | T1003.002 - OS Credential Dumping: Security Account Manager<br>T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1189 - Drive-by Compromise<br>T1190 - Exploit Public-Facing Application<br>T1204.001 - User Execution: Malicious Link<br>T1505.003 - Server Software Component: Web Shell<br>T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder<br>T1550.003 - Use Alternate Authentication Material: Pass the Ticket<br>T1558 - Steal or Forge Kerberos Tickets<br>T1566.002 - Phishing: Spearphishing Link<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms<br>TA0002 - Execution | |
| Privilege Abuse | dlp-email-alert-out ↳ vectra-dlp-email-alert<br>file-delete ↳ vectra-file-operations<br>file-read ↳ vectra-file-operations<br>file-write ↳ vectra-file-operations<br>ntlm-logon ↳ vectra-ntlm-logon<br>remote-logon ↳ rdp-vectra-meta-data, ssh-vectra-meta-data<br>web-activity-allowed ↳ vectra-web-activity<br>web-activity-denied ↳ vectra-web-activity | T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1078.002 - Valid Accounts: Domain Accounts | |
| Privileged Activity | dlp-email-alert-out ↳ vectra-dlp-email-alert<br>file-delete ↳ vectra-file-operations<br>file-read ↳ vectra-file-operations<br>file-write ↳ vectra-file-operations<br>ntlm-logon ↳ vectra-ntlm-logon<br>remote-logon ↳ rdp-vectra-meta-data, ssh-vectra-meta-data<br>web-activity-allowed ↳ vectra-web-activity<br>web-activity-denied ↳ vectra-web-activity | T1021 - Remote Services<br>T1068 - Exploitation for Privilege Escalation<br>T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1078.002 - Valid Accounts: Domain Accounts<br>T1102 - Web Service | |
| Ransomware | authentication-failed ↳ vectra-authentication-attempt<br>authentication-successful ↳ vectra-authentication-attempt<br>file-write ↳ vectra-file-operations<br>remote-logon ↳ rdp-vectra-meta-data, ssh-vectra-meta-data<br>web-activity-allowed ↳ vectra-web-activity<br>web-activity-denied ↳ vectra-web-activity | T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1486 - Data Encrypted for Impact | |
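The table only states which event types feed which use case; as an added example (not part of this content page and not Vectra's or the content library's own code), the following Python sketch shows the kind of sequence the Lateral Movement row is built to catch: a run of authentication-failed events from one host, an authentication-successful on the same target, then a remote-logon from that host to a different machine. The pipe-delimited record layout, the hostnames, the `SAMPLE_LINES` data and the thresholds are constructed assumptions; only the event-type names, parser names and ATT&CK entries are taken from the table.

```python
"""Lateral-movement sequence detection over Vectra Cognito Stream style events.

Added example. The record format is an assumed 'ts|event_type|src|dst|user[|proto]'
layout, not the real Cognito Stream schema; event-type names, parser names and
ATT&CK IDs come from the content table.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5             # assumed: failures before a later success is suspicious
WINDOW = timedelta(minutes=10)  # assumed: correlation window for the whole sequence

# Parser the table lists for each event type (remote-logon is split by protocol).
PARSER_FOR = {
    "authentication-failed": "vectra-authentication-attempt",
    "authentication-successful": "vectra-authentication-attempt",
    "ntlm-logon": "vectra-ntlm-logon",
    "remote-logon": {"rdp": "rdp-vectra-meta-data", "ssh": "ssh-vectra-meta-data"},
}

# ATT&CK entries from the Lateral Movement row that each finding maps to.
TECHNIQUES = {
    "valid-account-after-failures": ["T1078 - Valid Accounts"],
    "lateral-remote-logon": ["T1021 - Remote Services", "T1078 - Valid Accounts"],
}


@dataclass
class Event:
    ts: datetime
    event_type: str
    src: str
    dst: str
    user: str
    proto: str = ""   # only meaningful for remote-logon


def parse_line(line: str) -> Event:
    """Parse one constructed record; raise on anything with too few fields."""
    parts = line.strip().split("|")
    if len(parts) < 5:
        raise ValueError(f"malformed record: {line!r}")
    proto = parts[5] if len(parts) > 5 else ""
    return Event(datetime.fromisoformat(parts[0]), parts[1], parts[2], parts[3], parts[4], proto)


def parser_for(ev: Event) -> str:
    """Name the parser the table assigns to this event (by protocol for remote-logon)."""
    entry = PARSER_FOR.get(ev.event_type)
    if isinstance(entry, dict):
        return entry.get(ev.proto, "unknown")
    return entry or "unknown"


def detect(events):
    """Return findings for: >= FAIL_THRESHOLD failures then a success on one host,
    followed within WINDOW by a remote logon from the same source to another host."""
    findings = []
    failures = defaultdict(list)   # (src, dst, user) -> timestamps of failed attempts
    compromised = {}               # (src, user) -> (ts, dst) of the suspicious success
    for ev in sorted(events, key=lambda e: e.ts):
        key = (ev.src, ev.dst, ev.user)
        if ev.event_type == "authentication-failed":
            failures[key].append(ev.ts)
        elif ev.event_type == "authentication-successful":
            recent = [t for t in failures[key] if ev.ts - t <= WINDOW]
            failures[key] = recent
            if len(recent) >= FAIL_THRESHOLD:
                compromised[(ev.src, ev.user)] = (ev.ts, ev.dst)
                findings.append(_finding("valid-account-after-failures", ev, len(recent)))
        elif ev.event_type == "remote-logon":
            hit = compromised.get((ev.src, ev.user))
            if hit and ev.ts - hit[0] <= WINDOW and ev.dst != hit[1]:
                findings.append(_finding("lateral-remote-logon", ev, 0))
    return findings


def _finding(kind, ev, fail_count):
    return {"kind": kind, "ts": ev.ts.isoformat(), "src": ev.src, "dst": ev.dst,
            "user": ev.user, "parser": parser_for(ev), "failures": fail_count,
            "techniques": TECHNIQUES[kind]}


# Constructed sample: ws-12 guesses alice's password against dc-01, then RDPs to file-01;
# ws-07/bob is a single typo followed by a normal SSH session and must not alert.
SAMPLE_LINES = [
    "2023-06-14T09:00:00|authentication-failed|ws-12|dc-01|alice",
    "2023-06-14T09:01:00|authentication-failed|ws-12|dc-01|alice",
    "2023-06-14T09:02:00|authentication-failed|ws-12|dc-01|alice",
    "2023-06-14T09:03:00|authentication-failed|ws-12|dc-01|alice",
    "2023-06-14T09:04:00|authentication-failed|ws-12|dc-01|alice",
    "2023-06-14T09:06:00|authentication-successful|ws-12|dc-01|alice",
    "2023-06-14T09:08:00|remote-logon|ws-12|file-01|alice|rdp",
    "2023-06-14T09:10:00|authentication-failed|ws-07|dc-01|bob",
    "2023-06-14T09:10:30|authentication-successful|ws-07|dc-01|bob",
    "2023-06-14T09:12:00|remote-logon|ws-07|file-02|bob|ssh",
]


def run_sample():
    return detect(parse_line(line) for line in SAMPLE_LINES)


if __name__ == "__main__":
    for f in run_sample():
        print(f)
```

The two findings on the sample are the ws-12/alice success after five failures (T1078) and the subsequent RDP logon to file-01 (T1021, parsed by rdp-vectra-meta-data); bob's single failure never reaches the threshold, so his SSH session is not flagged. In a real deployment the thresholds and window would be tuned against the site's authentication baseline, and the success-after-failures rule alone generates noise from password-manager retries.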