Vendor: Vectra

June 14, 2023

Product: Cognito Stream

Totals
  • Rules: 256
  • Models: 98
  • MITRE ATT&CK® TTPs: 39
  • Event Types: 10
  • Parsers: 10

Use cases (each entry lists: Use-Case; Event Types / Parsers; MITRE ATT&CK® TTPs; Content)

Abnormal Authentication & Access
  Event Types / Parsers:
    authentication-failed → vectra-authentication-attempt
    authentication-successful → vectra-authentication-attempt
    ntlm-logon → vectra-ntlm-logon
    remote-logon → rdp-vectra-meta-data, ssh-vectra-meta-data
    web-activity-allowed → vectra-web-activity
    web-activity-denied → vectra-web-activity
  MITRE ATT&CK® TTPs:
    T1021 - Remote Services
    T1071.001 - Application Layer Protocol: Web Protocols
    T1078 - Valid Accounts
    T1078.002 - Valid Accounts: Domain Accounts
    T1078.003 - Valid Accounts: Local Accounts
    T1133 - External Remote Services
  Content:
    • 41 Rules
    • 20 Models

Compromised Credentials
  Event Types / Parsers:
    authentication-successful → vectra-authentication-attempt
    file-delete → vectra-file-operations
    file-read → vectra-file-operations
    file-write → vectra-file-operations
    ntlm-logon → vectra-ntlm-logon
    remote-logon → rdp-vectra-meta-data, ssh-vectra-meta-data
    web-activity-allowed → vectra-web-activity
    web-activity-denied → vectra-web-activity
  MITRE ATT&CK® TTPs:
    T1003.001 - OS Credential Dumping: LSASS Memory
    T1003.002 - OS Credential Dumping: Security Account Manager
    T1003.003 - OS Credential Dumping: NTDS
    T1021 - Remote Services
    T1071.001 - Application Layer Protocol: Web Protocols
    T1078 - Valid Accounts
    T1078.002 - Valid Accounts: Domain Accounts
    T1078.003 - Valid Accounts: Local Accounts
    T1083 - File and Directory Discovery
    T1102 - Web Service
    T1133 - External Remote Services
    T1189 - Drive-by Compromise
    T1190 - Exploit Public-Facing Application
    T1204.001 - User Execution: Malicious Link
    T1550 - Use Alternate Authentication Material
    T1550.003 - Use Alternate Authentication Material: Pass the Ticket
    T1558 - Steal or Forge Kerberos Tickets
    T1566.002 - Phishing: Spearphishing Link
    T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  Content:
    • 114 Rules
    • 56 Models

Cryptomining
  Event Types / Parsers:
    web-activity-allowed → vectra-web-activity
    web-activity-denied → vectra-web-activity
  MITRE ATT&CK® TTPs:
    T1071.001 - Application Layer Protocol: Web Protocols
    T1496 - Resource Hijacking
  Content:
    • 2 Rules

Data Access
  Event Types / Parsers:
    file-delete → vectra-file-operations
    file-read → vectra-file-operations
    file-write → vectra-file-operations
  MITRE ATT&CK® TTPs:
    T1083 - File and Directory Discovery
  Content:
    • 24 Rules
    • 13 Models

Data Exfiltration
  Event Types / Parsers:
    file-write → vectra-file-operations
    web-activity-allowed → vectra-web-activity
    web-activity-denied → vectra-web-activity
  MITRE ATT&CK® TTPs:
    T1041 - Exfiltration Over C2 Channel
    T1071.001 - Application Layer Protocol: Web Protocols
    T1567 - Exfiltration Over Web Service
    T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
    T1568 - Dynamic Resolution
    T1568.002 - Dynamic Resolution: Domain Generation Algorithms
    TA0002 - Execution (tactic)
  Content:
    • 10 Rules
    • 3 Models

Data Leak
  Event Types / Parsers:
    dlp-email-alert-out → vectra-dlp-email-alert
    file-write → vectra-file-operations
    web-activity-allowed → vectra-web-activity
    web-activity-denied → vectra-web-activity
  MITRE ATT&CK® TTPs:
    T1041 - Exfiltration Over C2 Channel
    T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
    T1071.001 - Application Layer Protocol: Web Protocols
    T1114.001 - Email Collection: Local Email Collection
    T1567 - Exfiltration Over Web Service
    T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
  Content:
    • 39 Rules
    • 17 Models

Destruction of Data
  Event Types / Parsers:
    file-delete → vectra-file-operations
  MITRE ATT&CK® TTPs:
    T1070.004 - Indicator Removal on Host: File Deletion
    T1485 - Data Destruction
  Content:
    • 1 Rule

Phishing
  Event Types / Parsers:
    dlp-email-alert-out → vectra-dlp-email-alert
    web-activity-allowed → vectra-web-activity
    web-activity-denied → vectra-web-activity
  MITRE ATT&CK® TTPs:
    T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
    T1189 - Drive-by Compromise
    T1204.001 - User Execution: Malicious Link
    T1534 - Internal Spearphishing
    T1566.002 - Phishing: Spearphishing Link
    T1598.003 - Phishing for Information: Spearphishing Link
  Content:
    • 5 Rules
    • 1 Model

Privilege Escalation
  Event Types / Parsers:
    ntlm-logon → vectra-ntlm-logon
    remote-logon → rdp-vectra-meta-data, ssh-vectra-meta-data
  MITRE ATT&CK® TTPs:
    T1078 - Valid Accounts
    T1555.005 - Credentials from Password Stores: Password Managers
  Content:
    • 2 Rules
    • 1 Model

Workforce Protection
  Event Types / Parsers:
    dlp-email-alert-out → vectra-dlp-email-alert
    web-activity-allowed → vectra-web-activity
  MITRE ATT&CK® TTPs:
    T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
    T1071.001 - Application Layer Protocol: Web Protocols
  Content:
    • 8 Rules
    • 3 Models

(The use-case table continues on the next page.)
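The use cases above are assembled from the listed event types, which is easier to see with a concrete rule than with a table alone. The Python below is an added example written for this page; it is not content from this library, from Vectra, or from the Cognito Stream parsers. It runs two use-case rules over constructed, already-normalized events: an "Abnormal Authentication & Access" rule (repeated authentication-failed then authentication-successful for one user and source, tagged T1078 as the table does) and a "Data Exfiltration" rule (a burst of file-read followed by a large web-activity-allowed transfer to a host outside an allow-list, tagged T1567.002 and T1071.001). The record layout (ts, event_type, parser, user, src, dst, bytes_out), the thresholds, the allow-list host and every sample value are assumptions made for the example.

```python
"""Illustrative use-case rules over the event types listed on this page.
Added example, not content from the library or from Vectra: record layout,
thresholds, allow-list and sample events are assumptions/constructed."""
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5                   # assumed: failures before a success is suspicious
AUTH_WINDOW = timedelta(minutes=5)
READ_THRESHOLD = 3                   # assumed: file reads before an upload
EXFIL_WINDOW = timedelta(minutes=10)
UPLOAD_BYTES = 10_000_000            # assumed: 10 MB outbound in one web transaction
SANCTIONED_HOSTS = {"sharepoint.corp.example"}   # assumed upload allow-list


def _t(event):
    return datetime.fromisoformat(event["ts"])


def rule_failed_then_success(events):
    """Abnormal Authentication & Access (T1078 on this page): FAIL_THRESHOLD or more
    authentication-failed events for one (user, src) inside AUTH_WINDOW, then an
    authentication-successful for the same pair."""
    findings, failures = [], {}      # failures: (user, src) -> recent failure times
    for e in sorted(events, key=_t):
        if e["parser"] != "vectra-authentication-attempt":
            continue                 # ntlm-logon / remote-logon come from other parsers
        key, now = (e["user"], e["src"]), _t(e)
        recent = [t for t in failures.get(key, []) if now - t <= AUTH_WINDOW]
        if e["event_type"] == "authentication-failed":
            failures[key] = recent + [now]
        elif e["event_type"] == "authentication-successful":
            if len(recent) >= FAIL_THRESHOLD:
                findings.append({"use_case": "Abnormal Authentication & Access",
                                 "ttps": ["T1078"], "user": e["user"],
                                 "src": e["src"], "failed_attempts": len(recent)})
            failures[key] = []       # a success closes the current run
    return findings


def rule_read_then_upload(events):
    """Data Exfiltration (T1567.002 / T1071.001 on this page): READ_THRESHOLD or
    more file-read events by a user inside EXFIL_WINDOW, then a web-activity-allowed
    transfer of UPLOAD_BYTES or more to a host outside the allow-list."""
    findings, reads = [], {}         # reads: user -> file-read times
    for e in sorted(events, key=_t):
        now = _t(e)
        if e["event_type"] == "file-read":
            reads.setdefault(e["user"], []).append(now)
        elif e["event_type"] == "web-activity-allowed":
            recent = [t for t in reads.get(e["user"], []) if now - t <= EXFIL_WINDOW]
            if (len(recent) >= READ_THRESHOLD and e.get("bytes_out", 0) >= UPLOAD_BYTES
                    and e["dst"] not in SANCTIONED_HOSTS):
                findings.append({"use_case": "Data Exfiltration",
                                 "ttps": ["T1567.002", "T1071.001"], "user": e["user"],
                                 "dst": e["dst"], "files_read": len(recent),
                                 "bytes_out": e["bytes_out"]})
    return findings


def run_rules(events):
    return rule_failed_then_success(events) + rule_read_then_upload(events)


def _ev(ts, event_type, parser, user, src, dst, **extra):
    return {"ts": ts, "event_type": event_type, "parser": parser,
            "user": user, "src": src, "dst": dst, **extra}


# Constructed sample: jdoe is guessed into, logs on over RDP, reads a share, uploads
# 52 MB to cloud storage; asmith is benign noise (one failure, small sanctioned upload).
AUTH, FILES, WEB = "vectra-authentication-attempt", "vectra-file-operations", "vectra-web-activity"
SAMPLE_EVENTS = [
    *[_ev(f"2023-06-14T08:00:{s:02d}", "authentication-failed", AUTH, "jdoe", "10.0.5.20", "dc01")
      for s in range(0, 50, 10)],
    _ev("2023-06-14T08:00:55", "authentication-successful", AUTH, "jdoe", "10.0.5.20", "dc01"),
    _ev("2023-06-14T08:01:10", "remote-logon", "rdp-vectra-meta-data", "jdoe", "10.0.5.20", "fs01"),
    *[_ev(f"2023-06-14T08:02:{s:02d}", "file-read", FILES, "jdoe", "fs01", f"//fs01/finance/q{s}.xlsx")
      for s in (5, 15, 25)],
    _ev("2023-06-14T08:04:00", "web-activity-allowed", WEB, "jdoe", "10.0.5.20",
        "drive.example-cloud.test", bytes_out=52_000_000),
    _ev("2023-06-14T08:05:00", "authentication-failed", AUTH, "asmith", "10.0.7.9", "dc01"),
    _ev("2023-06-14T08:05:04", "authentication-successful", AUTH, "asmith", "10.0.7.9", "dc01"),
    _ev("2023-06-14T08:06:00", "web-activity-allowed", WEB, "asmith", "10.0.7.9",
        "sharepoint.corp.example", bytes_out=900_000),
]

if __name__ == "__main__":
    for finding in run_rules(SAMPLE_EVENTS):
        print(finding)
```

Both rules key on the parser or event-type names exactly as the table lists them, so a record that arrives under a different parser (the remote-logon event from rdp-vectra-meta-data, for instance) is ignored by the authentication rule rather than silently counted. The thresholds and window sizes are deliberately small so the constructed sample triggers; in production they would be tuned per environment, and the allow-list would come from configuration rather than a literal.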

MITRE ATT&CK® Framework for Enterprise

Techniques covered, by tactic column:

Initial Access
  • Phishing: Spearphishing Link
  • External Remote Services
  • Valid Accounts
  • Drive-by Compromise
  • Exploit Public-Facing Application
  • Phishing

Execution
  • User Execution

Persistence
  • External Remote Services
  • Valid Accounts
  • Server Software Component: Web Shell
  • Server Software Component
  • Boot or Logon Autostart Execution

Privilege Escalation
  • Valid Accounts
  • Exploitation for Privilege Escalation
  • Boot or Logon Autostart Execution

Defense Evasion
  • Indicator Removal on Host: File Deletion
  • Valid Accounts
  • Use Alternate Authentication Material
  • Use Alternate Authentication Material: Pass the Hash
  • Indicator Removal on Host
  • Use Alternate Authentication Material: Pass the Ticket
  • Valid Accounts: Local Accounts

Credential Access
  • OS Credential Dumping
  • Steal or Forge Kerberos Tickets
  • Credentials from Password Stores
  • Steal or Forge Kerberos Tickets: Kerberoasting

Discovery
  • File and Directory Discovery
  • Remote System Discovery

Lateral Movement
  • Remote Services
  • Use Alternate Authentication Material
  • Internal Spearphishing

Collection
  • Email Collection

Command and Control
  • Web Service
  • Application Layer Protocol: Web Protocols
  • Dynamic Resolution
  • Dynamic Resolution: Domain Generation Algorithms
  • Proxy: Multi-hop Proxy
  • Application Layer Protocol
  • Proxy

Exfiltration
  • Exfiltration Over Alternative Protocol
  • Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
  • Exfiltration Over C2 Channel
  • Exfiltration Over Web Service: Exfiltration to Cloud Storage
  • Exfiltration Over Web Service

Impact
  • Data Destruction
  • Resource Hijacking
  • Data Encrypted for Impact