Use Case: Compromised Credentials

November 7, 2023 · View on GitHub

Use Case: Compromised Credentials

Vendor: APC

Product	Event Types	MITRE ATT&CK® TTP	Content
APC	authentication-failed dlp-email-alert-in dlp-email-alert-in-failed network-alert remote-logon	T1021 - Remote Services T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	58 Rules 25 Models

Vendor: AVI Networks

Product	Event Types	MITRE ATT&CK® TTP	Content
Load Balancer	app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	27 Rules 16 Models

Vendor: Abnormal Security

Product	Event Types	MITRE ATT&CK® TTP	Content
Abnormal Security	dlp-email-alert-out security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: Absolute

Product	Event Types	MITRE ATT&CK® TTP	Content
Absolute SIEM Connector	app-activity app-login security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	67 Rules 34 Models

Vendor: Accellion

Product	Event Types	MITRE ATT&CK® TTP	Content
Kiteworks	account-lockout account-password-change account-password-reset account-unlocked app-activity app-login dlp-alert dlp-email-alert-out failed-app-login file-delete file-download file-permission-change file-read file-upload file-write	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application	76 Rules 38 Models

Vendor: Adaxes

Product	Event Types	MITRE ATT&CK® TTP	Content
Adaxes	app-activity	T1078 - Valid Accounts T1133 - External Remote Services	39 Rules 24 Models

Vendor: Airlock

Product	Event Types	MITRE ATT&CK® TTP	Content
Application Whitelisting	app-activity	T1078 - Valid Accounts T1133 - External Remote Services	39 Rules 24 Models
Web Application Firewall	app-activity-failed app-login failed-app-login file-delete file-download file-upload file-write network-connection-failed network-connection-successful vpn-logout	T1003.002 - T1003.002 T1003.003 - T1003.003 T1078 - Valid Accounts T1083 - File and Directory Discovery T1110 - Brute Force T1133 - External Remote Services T1190 - Exploit Public Fasing Application	71 Rules 34 Models

Vendor: Akamai

Product	Event Types	MITRE ATT&CK® TTP	Content
Akamai Siem	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Cloud Akamai	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models

Vendor: Alert Logic

Product	Event Types	MITRE ATT&CK® TTP	Content
Alert Logic	network-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1190 - Exploit Public Fasing Application	22 Rules 9 Models

Vendor: AlgoSec

Product	Event Types	MITRE ATT&CK® TTP	Content
Firewall Analyzer	network-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1190 - Exploit Public Fasing Application	22 Rules 9 Models

Vendor: Amazon

Product	Event Types	MITRE ATT&CK® TTP	Content
AWS Bastion	failed-logon remote-logon	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	39 Rules 17 Models
AWS CloudTrail	app-activity app-activity-failed app-login aws-bucket-cors aws-bucket-cors-failed aws-bucket-create aws-bucket-create-failed aws-bucket-policy aws-bucket-policy-failed aws-bucket-putaccessblock aws-bucket-putaccessblock-failed aws-compute-list aws-compute-list-failed aws-function-write aws-function-write-failed aws-general-activity aws-general-activity-failed aws-identity-addtogroup aws-identity-addtogroup-failed aws-identity-creds-write aws-identity-creds-write-failed aws-identity-list aws-identity-list-failed aws-identity-loginprofile aws-identity-loginprofile-failed aws-identity-write aws-identity-write-failed aws-image-create aws-image-create-failed aws-image-modify aws-image-modify-failed aws-instance-command aws-instance-command-failed aws-instance-create aws-instance-create-failed aws-instance-creds-read aws-instance-creds-read-failed aws-instance-creds-write aws-instance-creds-write-failed aws-instance-login aws-instance-login-failed aws-instance-modify aws-instance-modify-failed aws-instance-screenshot aws-instance-screenshot-failed aws-key-policy aws-key-policy-failed aws-login aws-login-failed aws-policy-attach aws-policy-attach-failed aws-policy-list aws-policy-list-failed aws-policy-setversion aws-policy-setversion-failed aws-policy-write aws-policy-write-failed aws-role-assume aws-role-assume-failed aws-role-assumepolicy aws-role-assumepolicy-failed aws-role-switch aws-role-switch-failed aws-role-write aws-role-write-failed aws-snapshot-create aws-snapshot-create-failed aws-snapshot-modify aws-snapshot-modify-failed aws-storage-acl aws-storage-acl-failed aws-storage-list aws-storage-list-failed aws-storageobject-copy aws-storageobject-copy-failed aws-storageobject-read aws-storageobject-read-failed aws-storageobject-write aws-storageobject-write-failed aws-volume-attach aws-volume-attach-failed aws-volume-create aws-volume-create-failed aws-volume-modify aws-volume-modify-failed cloud-admin-activity cloud-admin-activity-failed failed-app-login storage-access storage-activity storage-activity-failed	T1078 - Valid Accounts T1078.004 - Valid Accounts: Cloud Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1535 - Unused/Unsupported Cloud Regions TA0001 - TA0001	52 Rules 32 Models
AWS CloudWatch	netflow-connection	T1046 - Network Service Scanning	1 Rules 1 Models
AWS GuardDuty	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
AWS Redshift	database-query	T1213 - Data from Information Repositories	18 Rules 10 Models
AWS WAF	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models
Amazon RDS	database-login database-query database-update	T1213 - Data from Information Repositories	18 Rules 10 Models

Vendor: Anywhere365

Product	Event Types	MITRE ATT&CK® TTP	Content
Anywhere365	app-activity	T1078 - Valid Accounts T1133 - External Remote Services	39 Rules 24 Models

Vendor: Apache

Product	Event Types	MITRE ATT&CK® TTP	Content
Apache	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models
Apache Guacamole	app-login failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	28 Rules 16 Models
Apache Subversion	app-activity app-activity-failed	T1078 - Valid Accounts T1133 - External Remote Services	39 Rules 24 Models
Cassandra	database-activity-failed database-login database-update	T1213 - Data from Information Repositories	10 Rules 5 Models

Vendor: AppSense Application Manager

Product	Event Types	MITRE ATT&CK® TTP	Content
AppSense Application Manager	process-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools TA0002 - TA0002	7 Rules 2 Models

Vendor: Apple

Product	Event Types	MITRE ATT&CK® TTP	Content
macOS	local-logon	T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	27 Rules 12 Models

Vendor: Arista Networks

Product	Event Types	MITRE ATT&CK® TTP	Content
Awake Security	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: Armis

Product	Event Types	MITRE ATT&CK® TTP	Content
Armis	alert-iot	T1078 - Valid Accounts	3 Rules 2 Models

Vendor: AssetView

Product	Event Types	MITRE ATT&CK® TTP	Content
AssetView	file-download file-write print-activity security-alert usb-insert	T1003.002 - T1003.002 T1003.003 - T1003.003 T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application	56 Rules 24 Models

Vendor: Atlassian

Product	Event Types	MITRE ATT&CK® TTP	Content
Atlassian BitBucket	app-activity	T1078 - Valid Accounts T1133 - External Remote Services	39 Rules 24 Models

Vendor: Attivo

Product	Event Types	MITRE ATT&CK® TTP	Content
BOTsink	network-connection-successful security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: Auth0

Product	Event Types	MITRE ATT&CK® TTP	Content
Auth0	account-password-change-failed app-login failed-logon security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	55 Rules 27 Models

Vendor: Avaya

Product	Event Types	MITRE ATT&CK® TTP	Content
Avaya Ethernet Routing Switch	authentication-failed authentication-successful	T1078 - Valid Accounts T1133 - External Remote Services	7 Rules 4 Models
Avaya VPN	failed-vpn-login vpn-login	T1078 - Valid Accounts T1133 - External Remote Services	14 Rules 8 Models

Vendor: Axway

Product	Event Types	MITRE ATT&CK® TTP	Content
Axway SFTP	file-upload remote-logon	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	36 Rules 16 Models

Vendor: Barracuda

Product	Event Types	MITRE ATT&CK® TTP	Content
Barracuda Firewall	failed-vpn-login network-connection-failed network-connection-successful remote-logon vpn-login vpn-logout	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1110 - Brute Force T1133 - External Remote Services T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	58 Rules 27 Models

Vendor: BeyondTrust

Product	Event Types	MITRE ATT&CK® TTP	Content
BeyondInsight	account-creation account-deleted account-password-change-failed account-switch account-unlocked app-activity app-login failed-app-login privileged-access	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models
BeyondTrust PasswordSafe	account-switch app-login failed-app-login privileged-access	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	28 Rules 16 Models
BeyondTrust PowerBroker	privileged-access process-created	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1040 - Network Sniffing T1218.011 - Signed Binary Proxy Execution: Rundll32 T1555 - Credentials from Password Stores TA0002 - TA0002	48 Rules 5 Models
BeyondTrust Privilege Management	local-logon process-created	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1040 - Network Sniffing T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1218.011 - Signed Binary Proxy Execution: Rundll32 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	75 Rules 17 Models
BeyondTrust Privileged Identity	account-password-change account-switch app-activity app-activity-failed app-login failed-app-login privileged-access	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models
BeyondTrust Secure Remote Access	app-activity app-login failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models
Secure Remote Access	app-activity	T1078 - Valid Accounts T1133 - External Remote Services	39 Rules 24 Models

Vendor: Bitdefender

Product	Event Types	MITRE ATT&CK® TTP	Content
GravityZone	app-login security-alert web-activity-denied	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	78 Rules 39 Models

Vendor: Bitglass

Product	Event Types	MITRE ATT&CK® TTP	Content
Bitglass CASB	app-login dlp-alert dlp-email-alert-out failed-app-login file-download file-read file-write	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application	61 Rules 30 Models

Vendor: BlackBerry

Product	Event Types	MITRE ATT&CK® TTP	Content
BlackBerry Protect	app-activity app-login dlp-alert file-alert process-alert security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application TA0002 - TA0002	72 Rules 36 Models

Vendor: Box

Product	Event Types	MITRE ATT&CK® TTP	Content
Box Cloud Content Management	app-activity app-login file-delete file-download file-permission-change file-read file-upload file-write	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application	75 Rules 38 Models

Vendor: Bromium

Product	Event Types	MITRE ATT&CK® TTP	Content
Bromium Advanced Endpoint Security	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Bromium Secure Platform	file-permission-change file-read file-write	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1083 - File and Directory Discovery	33 Rules 14 Models

Vendor: CA Technologies

Product	Event Types	MITRE ATT&CK® TTP	Content
CA Privileged Access Manager Server Control	account-switch app-login authentication-failed authentication-successful remote-logon	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	59 Rules 31 Models

Vendor: CDS

Product	Event Types	MITRE ATT&CK® TTP	Content
CDS	failed-logon remote-logon	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	39 Rules 17 Models

Vendor: CatoNetworks

Product	Event Types	MITRE ATT&CK® TTP	Content
Cato Cloud	network-alert vpn-connection vpn-login vpn-logout web-activity-allowed web-activity-denied	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1110 - Brute Force T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	89 Rules 44 Models

Vendor: CenturyLink

Product	Event Types	MITRE ATT&CK® TTP	Content
Adaptive Threat Intelligence	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: Check Point

Product	Event Types	MITRE ATT&CK® TTP	Content
Avanan	dlp-alert dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Endpoint Security	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Identity Awareness	failed-vpn-login network-connection-failed network-connection-successful vpn-login vpn-logout	T1078 - Valid Accounts T1110 - Brute Force T1133 - External Remote Services	26 Rules 12 Models
NGFW	app-login authentication-failed authentication-successful dlp-email-alert-in dlp-email-alert-out failed-vpn-login local-logon network-alert network-connection-failed network-connection-successful vpn-connection vpn-login vpn-logout web-activity-allowed web-activity-denied	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1102 - Web Service T1110 - Brute Force T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	137 Rules 68 Models
Security Gateway	failed-vpn-login vpn-login vpn-logout	T1078 - Valid Accounts T1110 - Brute Force T1133 - External Remote Services	26 Rules 12 Models
Security Gateway Virtual Edition (vSEC)	authentication-failed authentication-successful vpn-login	T1078 - Valid Accounts T1133 - External Remote Services	13 Rules 8 Models
Threat Prevention	network-alert network-connection-failed network-connection-successful	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1190 - Exploit Public Fasing Application	22 Rules 9 Models

Vendor: Cimtrak

Product	Event Types	MITRE ATT&CK® TTP	Content
Cimtrak	file-delete file-write	T1003.002 - T1003.002 T1003.003 - T1003.003 T1083 - File and Directory Discovery	31 Rules 14 Models

Vendor: Cisco

Product	Event Types	MITRE ATT&CK® TTP	Content
ACI	authentication-failed authentication-successful config-change	T1078 - Valid Accounts T1133 - External Remote Services	7 Rules 4 Models
ACS	app-activity authentication-failed authentication-successful	T1078 - Valid Accounts T1133 - External Remote Services	39 Rules 24 Models
ADC	web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	37 Rules 23 Models
Adaptive Security Appliance	authentication-failed authentication-successful dns-response failed-logon failed-vpn-login file-download file-upload nac-logon network-connection-successful process-created remote-logon vpn-login vpn-logout web-activity-denied	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1021 - Remote Services T1040 - Network Sniffing T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1102 - Web Service T1110 - Brute Force T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	141 Rules 48 Models
Advance Malware Protection (AMP)	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Airespace	network-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1190 - Exploit Public Fasing Application	22 Rules 9 Models
AnyConnect	process-network vpn-login vpn-logout	T1078 - Valid Accounts T1110 - Brute Force T1133 - External Remote Services TA0002 - TA0002	26 Rules 13 Models
Call Manager	app-activity app-activity-failed authentication-failed authentication-successful	T1078 - Valid Accounts T1133 - External Remote Services	39 Rules 24 Models
Catalyst Wireless Controller	remote-logon	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	36 Rules 16 Models
Cisco	app-activity remote-logon	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	71 Rules 39 Models
Cloud Web Security	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models
Duo Access Security	account-creation account-deleted account-lockout account-password-reset app-activity app-login authentication-failed authentication-successful failed-app-login failed-vpn-login vpn-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	50 Rules 28 Models
Firepower	authentication-successful dns-query dns-response failed-vpn-login file-download nac-logon netflow-connection network-alert network-connection-failed network-connection-successful process-created security-alert vpn-login vpn-logout web-activity-allowed web-activity-denied	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1021 - Remote Services T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1040 - Network Sniffing T1046 - Network Service Scanning T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1110 - Brute Force T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1555 - Credentials from Password Stores T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	166 Rules 63 Models
ISE	app-activity authentication-failed authentication-successful computer-logon config-change failed-logon failed-vpn-login nac-failed-logon nac-logon remote-logon vpn-login vpn-logout	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1110 - Brute Force T1133 - External Remote Services T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	99 Rules 50 Models
IronPort Web Security	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models
Meraki MX appliances	network-alert network-connection-failed network-connection-successful vpn-login vpn-logout web-activity-allowed web-activity-denied	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1110 - Brute Force T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	89 Rules 44 Models
NPE	process-created	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1040 - Network Sniffing T1218.011 - Signed Binary Proxy Execution: Rundll32 T1555 - Credentials from Password Stores TA0002 - TA0002	48 Rules 5 Models
Netflow	netflow-connection	T1046 - Network Service Scanning	1 Rules 1 Models
Proxy Umbrella	network-connection-successful web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models
Secure Endpoint	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Secure Network Analytics	network-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1190 - Exploit Public Fasing Application	22 Rules 9 Models
Secure Web Appliance	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models
TACACS	authentication-failed process-created	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1040 - Network Sniffing T1218.011 - Signed Binary Proxy Execution: Rundll32 T1555 - Credentials from Password Stores TA0002 - TA0002	48 Rules 5 Models
Umbrella	dns-response web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models

Vendor: Citrix

Product	Event Types	MITRE ATT&CK® TTP	Content
Citrix Endpoint Management	app-activity remote-logon	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	71 Rules 39 Models
Citrix Gateway ActiveSync Connector	app-activity app-activity-failed	T1078 - Valid Accounts T1133 - External Remote Services	39 Rules 24 Models
Citrix Netscaler	app-login authentication-failed failed-vpn-login process-created vpn-login vpn-logout	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1040 - Network Sniffing T1078 - Valid Accounts T1110 - Brute Force T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1218.011 - Signed Binary Proxy Execution: Rundll32 T1555 - Credentials from Password Stores TA0002 - TA0002	94 Rules 29 Models
Citrix Netscaler VPN	authentication-failed authentication-successful remote-access remote-logon vpn-connection vpn-logout web-activity-allowed	T1021 - Remote Services T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1102 - Web Service T1110 - Brute Force T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	92 Rules 47 Models
Citrix ShareFile	app-activity app-login failed-app-login file-download file-upload	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models
Citrix XenApp	app-login remote-logon	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	59 Rules 31 Models
Citrix XenDesktop	remote-logon	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	36 Rules 16 Models
Web Logging	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models

Vendor: Clearsense

Product	Event Types	MITRE ATT&CK® TTP	Content
Clearsense	app-activity app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	42 Rules 24 Models

Vendor: Click Studios

Product	Event Types	MITRE ATT&CK® TTP	Content
Passwordstate	account-disabled account-password-change account-password-change-failed account-password-reset app-activity authentication-successful member-removed remote-logon	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	71 Rules 39 Models

Vendor: Cloud Application

Product	Event Types	MITRE ATT&CK® TTP	Content
Cloud Application	account-password-change app-login failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	28 Rules 16 Models

Vendor: Cloudflare

Product	Event Types	MITRE ATT&CK® TTP	Content
Cloudflare CDN	network-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1190 - Exploit Public Fasing Application	22 Rules 9 Models
Cloudflare Insights	app-activity app-login member-added member-removed	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	42 Rules 24 Models
Cloudflare WAF	network-alert network-connection-failed network-connection-successful web-activity-allowed web-activity-denied	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	64 Rules 32 Models

Vendor: Code42

Product	Event Types	MITRE ATT&CK® TTP	Content
Code42 Incydr	"app-activity" "file-delete" "file-download" "file-read" "file-upload" "file-write" "print-activity" "usb-activity" app-activity dlp-email-alert-out file-delete file-download file-read file-upload file-write print-activity security-alert usb-activity usb-insert	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application	97 Rules 48 Models

Vendor: Cofense

Product	Event Types	MITRE ATT&CK® TTP	Content
Phishme	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: Cognitas CrossLink

Product	Event Types	MITRE ATT&CK® TTP	Content
Cognitas CrossLink	vpn-login	T1078 - Valid Accounts T1133 - External Remote Services	13 Rules 8 Models

Vendor: Contrast Security

Product	Event Types	MITRE ATT&CK® TTP	Content
Contrast Security	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: CrowdStrike

Product	Event Types	MITRE ATT&CK® TTP	Content
Falcon	app-activity app-activity-failed app-login authentication-failed batch-logon computer-logon config-change dlp-alert dns-query failed-app-login file-alert file-delete file-download file-read file-write local-logon network-connection-failed network-connection-successful process-alert process-created process-network remote-access remote-logon security-alert service-logon task-created usb-activity usb-insert usb-write workstation-unlocked	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1021 - Remote Services T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1040 - Network Sniffing T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1218.011 - Signed Binary Proxy Execution: Rundll32 T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	194 Rules 73 Models

Vendor: CyberArk

Product	Event Types	MITRE ATT&CK® TTP	Content
CyberArk Vault	account-password-change account-password-change-failed account-password-reset account-switch app-activity app-activity-failed app-login failed-app-login failed-logon file-delete file-permission-change file-read file-write remote-logon security-alert	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1021 - Remote Services T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	136 Rules 64 Models
Endpoint Privilege Management	privileged-access privileged-object-access process-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools TA0002 - TA0002	7 Rules 2 Models
Privileged Session Manager	account-switch app-activity app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	42 Rules 24 Models
Privileged Threat Analytics	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: Cybereason

Product	Event Types	MITRE ATT&CK® TTP	Content
Cybereason	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: Damballa

Product	Event Types	MITRE ATT&CK® TTP	Content
Failsafe	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: Darktrace

Product	Event Types	MITRE ATT&CK® TTP	Content
Darktrace	app-login failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	28 Rules 16 Models
Darktrace Enterprise Immune System	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: Delinea

Product	Event Types	MITRE ATT&CK® TTP	Content
Centrify Audit and Monitoring Service	file-delete file-read file-write	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1083 - File and Directory Discovery	33 Rules 14 Models
Centrify Authentication Service	account-password-reset authentication-failed authentication-successful failed-logon local-logon remote-logon	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	47 Rules 23 Models
Centrify Infrastructure Services	process-created	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1040 - Network Sniffing T1218.011 - Signed Binary Proxy Execution: Rundll32 T1555 - Credentials from Password Stores TA0002 - TA0002	48 Rules 5 Models
Centrify Zero Trust Privilege Services	account-switch app-activity app-login failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models
Secret Server	account-switch app-activity app-login failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models

Vendor: Dell

Product	Event Types	MITRE ATT&CK® TTP	Content
EMC Isilon	file-delete file-permission-change file-read file-write remote-access	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1083 - File and Directory Discovery T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	41 Rules 18 Models
One Identity Manager	account-password-change account-switch app-activity	T1078 - Valid Accounts T1133 - External Remote Services	39 Rules 24 Models
RSA Authentication Manager	account-lockout app-login authentication-failed authentication-successful failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	28 Rules 16 Models
SonicWALL Aventail	vpn-login vpn-logout	T1078 - Valid Accounts T1110 - Brute Force T1133 - External Remote Services	25 Rules 12 Models

Vendor: Digital Arts

Product	Event Types	MITRE ATT&CK® TTP	Content
Digital Arts i-FILTER for Business	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models

Vendor: Digital Guardian

Product	Event Types	MITRE ATT&CK® TTP	Content
Digital Guardian Endpoint Protection	app-activity app-login dlp-email-alert-out file-delete file-download file-read file-upload file-write local-logon network-connection-failed network-connection-successful print-activity process-created usb-insert usb-write	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1040 - Network Sniffing T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1218.011 - Signed Binary Proxy Execution: Rundll32 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	150 Rules 55 Models

Vendor: Dropbox

Product	Event Types	MITRE ATT&CK® TTP	Content
Dropbox	app-activity app-login file-delete file-download file-permission-change file-read file-write vpn-logout	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1078 - Valid Accounts T1083 - File and Directory Discovery T1110 - Brute Force T1133 - External Remote Services T1190 - Exploit Public Fasing Application	87 Rules 42 Models

Vendor: Dtex Systems

Product	Event Types	MITRE ATT&CK® TTP	Content
DTEX InTERCEPT	file-delete file-read file-write local-logon print-activity process-created remote-logon usb-write web-activity-allowed workstation-locked workstation-unlocked	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1021 - Remote Services T1040 - Network Sniffing T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1083 - File and Directory Discovery T1102 - Web Service T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	158 Rules 60 Models

Vendor: EMP

Product	Event Types	MITRE ATT&CK® TTP	Content
EMP	app-activity app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	42 Rules 24 Models

Vendor: ESET

Product	Event Types	MITRE ATT&CK® TTP	Content
ESET Endpoint Security	app-login authentication-failed authentication-successful failed-logon network-alert security-alert web-activity-denied	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	99 Rules 49 Models

Vendor: ESector

Product	Event Types	MITRE ATT&CK® TTP	Content
ESector DEFESA	file-delete file-read file-write	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1083 - File and Directory Discovery	33 Rules 14 Models

Vendor: EdgeWave

Product	Event Types	MITRE ATT&CK® TTP	Content
EdgeWave iPrism	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models

Vendor: Egnyte

Product	Event Types	MITRE ATT&CK® TTP	Content
Egnyte	app-activity app-login failed-app-login file-delete file-download file-permission-change file-upload file-write	T1003.002 - T1003.002 T1003.003 - T1003.003 T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application	74 Rules 38 Models

Vendor: EnSilo

Product	Event Types	MITRE ATT&CK® TTP	Content
EnSilo	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: Endgame

Product	Event Types	MITRE ATT&CK® TTP	Content
Endgame EDR	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: Entrust

Product	Event Types	MITRE ATT&CK® TTP	Content
IdentityGuard	account-lockout authentication-failed authentication-successful	T1078 - Valid Accounts T1133 - External Remote Services	7 Rules 4 Models

Vendor: Epic

Product	Event Types	MITRE ATT&CK® TTP	Content
Epic SIEM	account-password-change account-password-change-failed app-activity app-login authentication-successful failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models

Vendor: Exabeam

Product	Event Types	MITRE ATT&CK® TTP	Content
Correlation Rule	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Exabeam Advanced Analytics	app-activity app-login failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models
Exabeam DL	app-activity security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	64 Rules 34 Models

Vendor: Extrahop

Product	Event Types	MITRE ATT&CK® TTP	Content
Reveal(x)	dns-query network-alert security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 19 Models

Vendor: Extreme Networks

Product	Event Types	MITRE ATT&CK® TTP	Content
Zebra wireless LAN management	failed-logon	T1078 - Valid Accounts	3 Rules 1 Models

Vendor: F-Secure

Product	Event Types	MITRE ATT&CK® TTP	Content
F-Secure Client Security	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: F5

Product	Event Types	MITRE ATT&CK® TTP	Content
F5 Advanced Web Application Firewall (WAF)	account-switch dlp-email-alert-out network-alert network-connection-failed network-connection-successful process-created remote-logon	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1021 - Remote Services T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1040 - Network Sniffing T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1218.011 - Signed Binary Proxy Execution: Rundll32 T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	106 Rules 30 Models
F5 BIG-IP	account-password-change-failed authentication-failed authentication-successful failed-logon failed-vpn-login network-connection-successful remote-logon vpn-login vpn-logout	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1110 - Brute Force T1133 - External Remote Services T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	61 Rules 27 Models
F5 BIG-IP Access Policy Manager (APM)	authentication-failed authentication-successful vpn-login vpn-logout	T1078 - Valid Accounts T1110 - Brute Force T1133 - External Remote Services	25 Rules 12 Models
F5 BIG-IP Advanced Firewall Module (AFM)	network-connection-failed network-connection-successful security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
F5 BIG-IP Application Security Manager (ASM)	security-alert web-activity-allowed web-activity-denied	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	67 Rules 33 Models
F5 IP Intelligence	network-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1190 - Exploit Public Fasing Application	22 Rules 9 Models
F5 Silverline	network-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1190 - Exploit Public Fasing Application	22 Rules 9 Models
WebSafe	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models

Vendor: FTP

Product	Event Types	MITRE ATT&CK® TTP	Content
FTP	app-activity app-activity-failed app-login failed-app-login file-delete file-read file-write	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application	76 Rules 38 Models

Vendor: Fast Enterprises

Product	Event Types	MITRE ATT&CK® TTP	Content
Fast Enterprises GenTax	app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	27 Rules 16 Models

Vendor: Fidelis

Product	Event Types	MITRE ATT&CK® TTP	Content
Fidelis Network	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Fidelis XPS	dlp-email-alert-in dlp-email-alert-out security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: FileAuditor

Product	Event Types	MITRE ATT&CK® TTP	Content
FileAuditor	file-delete file-read file-write	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1083 - File and Directory Discovery	33 Rules 14 Models

Vendor: FireEye

Product	Event Types	MITRE ATT&CK® TTP	Content
FireEye Email Gateway	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
FireEye Email Security (EX)	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
FireEye Endpoint Security (CM)	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
FireEye Endpoint Security (HX)	file-write network-alert process-alert security-alert	T1003.002 - T1003.002 T1003.003 - T1003.003 T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application TA0002 - TA0002	78 Rules 35 Models
FireEye Helix	network-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1190 - Exploit Public Fasing Application	22 Rules 9 Models
FireEye Network Security (Helix)	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
FireEye Network Security (NX)	security-alert web-activity-allowed web-activity-denied	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	67 Rules 33 Models

Vendor: FireMon

Product	Event Types	MITRE ATT&CK® TTP	Content
FireMon	authentication-successful	T1078 - Valid Accounts T1133 - External Remote Services	7 Rules 4 Models

Vendor: Forcepoint

Product	Event Types	MITRE ATT&CK® TTP	Content
Forcepoint CASB	app-activity app-login failed-app-login security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	68 Rules 34 Models
Websense Secure Gateway	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models

Vendor: Forescout

Product	Event Types	MITRE ATT&CK® TTP	Content
EyeInspect	failed-logon	T1078 - Valid Accounts	3 Rules 1 Models
Forescout CounterACT	config-change nac-logon network-alert network-connection-failed network-connection-successful	T1021 - Remote Services T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1190 - Exploit Public Fasing Application	28 Rules 12 Models

Vendor: Fortinet

Product	Event Types	MITRE ATT&CK® TTP	Content
FortiAuthenticator	authentication-failed authentication-successful	T1078 - Valid Accounts T1133 - External Remote Services	7 Rules 4 Models
FortiGate	network-connection-successful vpn-connection web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models
Fortinet Enterprise Firewall	app-activity app-activity-failed computer-logon netflow-connection network-connection-failed network-connection-successful	T1046 - Network Service Scanning T1078 - Valid Accounts T1133 - External Remote Services	40 Rules 25 Models
Fortinet FortiWeb	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models
Fortinet UTM	app-activity app-activity-failed authentication-failed authentication-successful dlp-alert dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed network-alert security-alert web-activity-allowed web-activity-denied	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	124 Rules 66 Models
Fortinet VPN	authentication-successful failed-vpn-login vpn-login vpn-logout	T1078 - Valid Accounts T1110 - Brute Force T1133 - External Remote Services	26 Rules 12 Models

Vendor: Gamma

Product	Event Types	MITRE ATT&CK® TTP	Content
Gamma	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: Gemalto

Product	Event Types	MITRE ATT&CK® TTP	Content
Gemalto MFA	authentication-failed authentication-successful	T1078 - Valid Accounts T1133 - External Remote Services	7 Rules 4 Models

Vendor: GitHub

Product	Event Types	MITRE ATT&CK® TTP	Content
GitHub	app-activity app-activity-failed app-login failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models

Vendor: GoAnywhere

Product	Event Types	MITRE ATT&CK® TTP	Content
GoAnywhere MFT	failed-logon file-delete file-download file-upload remote-logon	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	62 Rules 29 Models

Vendor: Google

Product	Event Types	MITRE ATT&CK® TTP	Content
Cloud Platform	app-activity cloud-admin-activity cloud-admin-activity-failed gcp-disk-attach gcp-disk-create gcp-image-create gcp-instance-create gcp-instance-setmachinetype gcp-instance-setmetadata gcp-policy-write gcp-role-write gcp-serviceaccount-creds-write gcp-serviceaccount-write gcp-snapshot-create gcp-storageobject-acl netflow-connection network-alert storage-access storage-activity storage-activity-failed web-activity-allowed web-activity-denied	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1046 - Network Service Scanning T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1078.004 - Valid Accounts: Cloud Accounts T1102 - Web Service T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1535 - Unused/Unsupported Cloud Regions T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	109 Rules 62 Models
Workspace	account-password-change account-password-reset app-activity app-login dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-app-login file-delete file-download file-permission-change file-read file-upload file-write	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application	76 Rules 38 Models

Vendor: HP

Product	Event Types	MITRE ATT&CK® TTP	Content
Aruba ClearPass Access Control and Policy Management	app-login authentication-failed computer-logon nac-failed-logon nac-logon	T1021 - Remote Services T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	33 Rules 19 Models
Aruba Mobility Master	local-logon nac-failed-logon nac-logon remote-logon	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	47 Rules 22 Models
Aruba Wireless controller	authentication-successful computer-logon nac-failed-logon nac-logon network-alert	T1021 - Remote Services T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	35 Rules 16 Models
HP Comware	process-created	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1040 - Network Sniffing T1218.011 - Signed Binary Proxy Execution: Rundll32 T1555 - Credentials from Password Stores TA0002 - TA0002	48 Rules 5 Models
HP Virtual Connect Enterprise Manager	app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	27 Rules 16 Models
HP iLO	app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	27 Rules 16 Models

Vendor: HashiCorp

Product	Event Types	MITRE ATT&CK® TTP	Content
HashiCorp Vault	account-password-reset app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	27 Rules 16 Models
Terraform	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models

Vendor: HelpSystems

Product	Event Types	MITRE ATT&CK® TTP	Content
Powertech Identity Access Manager (BoKs)	account-switch file-delete file-read file-write local-logon process-created remote-logon	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1021 - Remote Services T1040 - Network Sniffing T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1218.011 - Signed Binary Proxy Execution: Rundll32 T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	121 Rules 37 Models

Vendor: Hornet

Product	Event Types	MITRE ATT&CK® TTP	Content
Hornet Email	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: Huawei

Product	Event Types	MITRE ATT&CK® TTP	Content
Unified Security Gateway	authentication-successful network-alert process-created vpn-login	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1040 - Network Sniffing T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1218.011 - Signed Binary Proxy Execution: Rundll32 T1555 - Credentials from Password Stores TA0002 - TA0002	83 Rules 22 Models

Vendor: IBM

Product	Event Types	MITRE ATT&CK® TTP	Content
IBM	authentication-successful	T1078 - Valid Accounts T1133 - External Remote Services	7 Rules 4 Models
IBM DB2	authentication-failed file-read remote-logon security-alert	T1003.001 - T1003.001 T1003.003 - T1003.003 T1021 - Remote Services T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	89 Rules 39 Models
IBM Endpoint Manager	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
IBM Mainframe	account-disabled app-login failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	28 Rules 16 Models
IBM Racf	app-activity app-login database-access database-delete database-login failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1213 - Data from Information Repositories	53 Rules 29 Models
IBM Sametime	app-login failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	28 Rules 16 Models
IBM Security Access Manager	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models
IBM Sense	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
IBM Sterling B2B Integrator	app-activity failed-logon member-added member-removed remote-logon	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	74 Rules 40 Models
Infosphere Guardium	database-alert database-failed-login database-login database-query	T1213 - Data from Information Repositories	38 Rules 20 Models
Lotus Mobile Connect	authentication-failed authentication-successful failed-vpn-login vpn-login	T1078 - Valid Accounts T1133 - External Remote Services	14 Rules 8 Models
Proventia Network IPS	network-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1190 - Exploit Public Fasing Application	22 Rules 9 Models
QRadar Network Security	network-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1190 - Exploit Public Fasing Application	22 Rules 9 Models

Vendor: ICDB

Product	Event Types	MITRE ATT&CK® TTP	Content
ICDB	app-activity	T1078 - Valid Accounts T1133 - External Remote Services	39 Rules 24 Models

Vendor: IMSS

Product	Event Types	MITRE ATT&CK® TTP	Content
IMSS	dlp-alert security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: Imperva

Product	Event Types	MITRE ATT&CK® TTP	Content
Attack Analytics	network-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1190 - Exploit Public Fasing Application	22 Rules 9 Models
CounterBreach	database-alert	T1213 - Data from Information Repositories	32 Rules 17 Models
Imperva File Activity Monitoring (FAM)	file-delete file-permission-change file-read file-write	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1083 - File and Directory Discovery	33 Rules 14 Models
Imperva SecureSphere	app-login database-alert database-delete database-failed-login database-login database-query database-update failed-app-login network-alert security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1213 - Data from Information Repositories	109 Rules 55 Models
Incapsula	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models

Vendor: Imprivata

Product	Event Types	MITRE ATT&CK® TTP	Content
Imprivata	app-activity app-login failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models

Vendor: InfoWatch

Product	Event Types	MITRE ATT&CK® TTP	Content
InfoWatch	app-login dlp-email-alert-in dlp-email-alert-out print-activity usb-write web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	64 Rules 39 Models

Vendor: Infoblox

Product	Event Types	MITRE ATT&CK® TTP	Content
BloxOne	computer-logon dns-query dns-response file-write network-alert network-connection-failed network-connection-successful remote-logon vpn-connection	T1003.002 - T1003.002 T1003.003 - T1003.003 T1021 - Remote Services T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	88 Rules 38 Models

Vendor: Inky

Product	Event Types	MITRE ATT&CK® TTP	Content
Inky Anti-Phishing	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: Ipswitch

Product	Event Types	MITRE ATT&CK® TTP	Content
IPswitch MoveIt	app-activity app-login failed-app-login file-read file-write	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application	76 Rules 38 Models
MoveIt DMZ	account-password-change authentication-failed authentication-successful failed-logon file-delete file-download file-upload file-write member-added	T1003.002 - T1003.002 T1003.003 - T1003.003 T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services	41 Rules 19 Models

Vendor: IronNet

Product	Event Types	MITRE ATT&CK® TTP	Content
IronDefense	network-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1190 - Exploit Public Fasing Application	22 Rules 9 Models

Vendor: Jumpcloud

Product	Event Types	MITRE ATT&CK® TTP	Content
Jumpcloud	app-login failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	28 Rules 16 Models

Vendor: Juniper Networks

Product	Event Types	MITRE ATT&CK® TTP	Content
Juniper Networks	config-change process-created	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1040 - Network Sniffing T1218.011 - Signed Binary Proxy Execution: Rundll32 T1555 - Credentials from Password Stores TA0002 - TA0002	48 Rules 5 Models
Juniper Networks ATP	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Juniper Networks Pulse Secure	account-deleted app-activity authentication-failed authentication-successful failed-vpn-login network-connection-failed vpn-connection vpn-login vpn-logout	T1078 - Valid Accounts T1110 - Brute Force T1133 - External Remote Services	58 Rules 32 Models
Juniper OWA	app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	27 Rules 16 Models
Juniper SRX	authentication-successful failed-vpn-login network-alert network-connection-failed network-connection-successful security-alert vpn-login web-activity-allowed web-activity-denied	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	99 Rules 50 Models
Juniper VPN	account-deleted authentication-failed authentication-successful failed-vpn-login vpn-login vpn-logout web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1110 - Brute Force T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	63 Rules 35 Models

Vendor: Kaspersky

Product	Event Types	MITRE ATT&CK® TTP	Content
Kaspersky AV	dlp-email-alert-in file-alert security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Kaspersky Endpoint Security for Business	dlp-alert network-alert security-alert usb-insert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 19 Models

Vendor: Kemp

Product	Event Types	MITRE ATT&CK® TTP	Content
Kemp LoadMaster	app-activity remote-logon security-alert	T1021 - Remote Services T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	96 Rules 49 Models
Load Balancer	authentication-failed remote-logon	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	36 Rules 16 Models

Vendor: LEAP

Product	Event Types	MITRE ATT&CK® TTP	Content
LEAP	app-activity app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	42 Rules 24 Models

Vendor: LOGBinder

Product	Event Types	MITRE ATT&CK® TTP	Content
SharePoint	app-activity file-read file-write	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services	72 Rules 38 Models

Vendor: LanScope

Product	Event Types	MITRE ATT&CK® TTP	Content
LanScope Cat	app-activity dlp-alert failed-usb-activity file-delete file-write local-logon print-activity process-created process-created-failed process-network usb-activity usb-write web-activity-allowed workstation-locked workstation-unlocked	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1040 - Network Sniffing T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1083 - File and Directory Discovery T1102 - Web Service T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	182 Rules 78 Models

Vendor: LastPass

Product	Event Types	MITRE ATT&CK® TTP	Content
LastPass	account-creation account-password-change app-activity app-login failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models

Vendor: Linux

Product	Event Types	MITRE ATT&CK® TTP	Content
SSH	failed-logon remote-logon	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	39 Rules 17 Models

Vendor: LiquidFiles

Product	Event Types	MITRE ATT&CK® TTP	Content
LiquidFiles	app-login failed-app-login file-download file-upload	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	28 Rules 16 Models

Vendor: LogMeIn

Product	Event Types	MITRE ATT&CK® TTP	Content
RemotelyAnywhere	remote-logon	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	36 Rules 16 Models

Vendor: LogRhythm

Product	Event Types	MITRE ATT&CK® TTP	Content
LogRhythm	process-created	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1040 - Network Sniffing T1218.011 - Signed Binary Proxy Execution: Rundll32 T1555 - Credentials from Password Stores TA0002 - TA0002	48 Rules 5 Models

Vendor: Malwarebytes

Product	Event Types	MITRE ATT&CK® TTP	Content
Malwarebytes Endpoint Protection	network-alert security-alert web-activity-denied	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	69 Rules 32 Models
Malwarebytes Incident Response	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: ManageEngine

Product	Event Types	MITRE ATT&CK® TTP	Content
ADSSP	app-activity app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	42 Rules 24 Models
PAM360	app-activity app-login remote-logon	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	74 Rules 39 Models
Password Manager Pro	account-password-change account-switch app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	27 Rules 16 Models

Vendor: MariaDB

Product	Event Types	MITRE ATT&CK® TTP	Content
MariaDB	database-access database-delete database-failed-login database-login database-query database-update	T1213 - Data from Information Repositories	18 Rules 10 Models

Vendor: MasterSAM

Product	Event Types	MITRE ATT&CK® TTP	Content
MasterSAM PAM	account-password-change authentication-failed authentication-successful remote-logon	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	39 Rules 19 Models

Vendor: McAfee

Product	Event Types	MITRE ATT&CK® TTP	Content
MDAM	database-alert database-delete database-query database-update	T1213 - Data from Information Repositories	38 Rules 20 Models
McAfee Endpoint Security	dlp-alert file-write process-alert process-created-failed remote-logon security-alert usb-activity usb-insert usb-write	T1003.002 - T1003.002 T1003.003 - T1003.003 T1021 - Remote Services T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	96 Rules 41 Models
McAfee Enterprise Security Manager	network-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1190 - Exploit Public Fasing Application	22 Rules 9 Models
McAfee IDPS	network-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1190 - Exploit Public Fasing Application	22 Rules 9 Models
McAfee NSM	app-login failed-app-login network-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	50 Rules 25 Models
McAfee Network Security Platform (IPS)	network-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1190 - Exploit Public Fasing Application	22 Rules 9 Models
McAfee Solidifier	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
McAfee Web Gateway	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models
Mcafee EPO	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Skyhigh Networks CASB	app-activity app-login dlp-alert failed-app-login file-download security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	68 Rules 34 Models

Vendor: Medigate

Product	Event Types	MITRE ATT&CK® TTP	Content
Medigate	alert-iot security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	27 Rules 9 Models

Vendor: Microsoft

Product	Event Types	MITRE ATT&CK® TTP	Content
365 Defender	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Advanced Threat Analytics (ATA)	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Advanced Threat Protection	network-alert security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 19 Models
AppLocker	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Azure	account-password-change app-activity app-activity-failed app-login authentication-failed authentication-successful cloud-admin-activity cloud-admin-activity-failed database-query dns-query failed-app-login file-delete file-download file-read file-upload file-write image-loaded member-added member-removed network-alert network-connection-failed network-connection-successful process-created remote-logon security-alert storage-access storage-activity storage-activity-failed usb-activity usb-insert	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1021 - Remote Services T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1040 - Network Sniffing T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1213 - Data from Information Repositories T1218.011 - Signed Binary Proxy Execution: Rundll32 T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	217 Rules 87 Models
Azure AD Identity Protection	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Azure Active Directory	account-disabled account-password-change account-password-change-failed account-password-reset account-unlocked app-activity app-activity-failed app-login authentication-failed failed-app-login member-added member-removed	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models
Azure Advanced Threat Protection	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Azure MFA	app-activity authentication-failed authentication-successful	T1078 - Valid Accounts T1133 - External Remote Services	39 Rules 24 Models
Azure Security Center	database-alert dlp-alert network-alert process-alert security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1213 - Data from Information Repositories TA0002 - TA0002	79 Rules 38 Models
Azure Sentinel	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Cloud App Security (MCAS)	account-password-change account-password-reset app-activity app-login dlp-alert failed-app-login file-delete file-download file-read file-upload file-write security-alert	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application	101 Rules 48 Models
Defender ATP	app-login batch-logon failed-logon file-delete file-write local-logon member-added member-removed process-created process-network process-network-failed remote-access remote-logon security-alert service-logon	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1021 - Remote Services T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1040 - Network Sniffing T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1218.011 - Signed Binary Proxy Execution: Rundll32 T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	175 Rules 65 Models
Defender Antivirus	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
DirectAccess	failed-vpn-login vpn-login	T1078 - Valid Accounts T1133 - External Remote Services	14 Rules 8 Models
Exchange	app-activity app-activity-failed app-login dlp-alert dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models
IIS	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models
Microsoft Azure	azure-blob-read azure-blob-write azure-container-acl azure-disk-write azure-image-write azure-instance-creds-write azure-instance-write azure-keyvault-read azure-keyvault-write azure-metrics azure-role-assign azure-role-write azure-snapshot-write azure-storage-list	T1078.004 - Valid Accounts: Cloud Accounts T1535 - Unused/Unsupported Cloud Regions	5 Rules 5 Models
Network Policy Server	nac-failed-logon nac-logon	T1021 - Remote Services T1078 - Valid Accounts	6 Rules 3 Models
Office 365	account-password-change app-activity app-activity-failed app-login dlp-alert dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-app-login file-delete file-download file-permission-change file-read file-upload file-write process-created security-alert usb-write	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1040 - Network Sniffing T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1218.011 - Signed Binary Proxy Execution: Rundll32 T1555 - Credentials from Password Stores TA0002 - TA0002	149 Rules 53 Models
OneDrive	app-activity app-activity-failed file-read	T1003.001 - T1003.001 T1003.003 - T1003.003 T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services	68 Rules 38 Models
Routing and Remote Access Service	authentication-successful vpn-login vpn-logout	T1078 - Valid Accounts T1110 - Brute Force T1133 - External Remote Services	25 Rules 12 Models
SQL Server	authentication-failed authentication-successful database-access database-activity-failed database-delete database-failed-login database-login database-query database-update failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1213 - Data from Information Repositories	26 Rules 14 Models
Sysmon	dns-query file-delete file-write image-loaded process-alert process-created process-network registry-write	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1040 - Network Sniffing T1083 - File and Directory Discovery T1218.011 - Signed Binary Proxy Execution: Rundll32 T1555 - Credentials from Password Stores TA0002 - TA0002	85 Rules 20 Models
Web Application Proxy	remote-logon web-activity-allowed web-activity-denied	T1021 - Remote Services T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1102 - Web Service T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	78 Rules 39 Models
Web Application Proxy-TLS Gateway	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models
Windows	account-creation account-deleted account-disabled account-enabled account-lockout account-password-change account-password-change-failed account-password-reset account-switch account-unlocked app-login audit-log-clear audit-policy-change authentication-failed authentication-successful batch-logon computer-logon config-change dcom-activation-failed dns-query dns-response ds-access failed-app-login failed-logon failed-vpn-login file-close file-delete file-read file-write kerberos-logon local-logon logout-remote member-added member-removed nac-failed-logon nac-logon network-connection-successful ntlm-logon privileged-access privileged-object-access process-created process-network process-network-failed registry-write remote-access remote-logon security-alert service-created service-logon share-access share-access-denied task-created usb-activity usb-insert vpn-login vpn-logout winsession-disconnect workstation-locked workstation-unlocked	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1003.006 - OS Credential Dumping: DCSync T1016 - System Network Configuration Discovery T1021 - Remote Services T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1040 - Network Sniffing T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1083 - File and Directory Discovery T1110 - Brute Force T1133 - External Remote Services T1187 - Forced Authentication T1190 - Exploit Public Fasing Application T1207 - Rogue Domain Controller T1218.011 - Signed Binary Proxy Execution: Rundll32 T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	214 Rules 76 Models
Windows Defender	dlp-alert security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Windows Defender Application Control	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: Mimecast

Product	Event Types	MITRE ATT&CK® TTP	Content
Email Security	app-activity app-login dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models
Targeted Threat Protection - URL	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models

Vendor: MobileIron

Product	Event Types	MITRE ATT&CK® TTP	Content
MobileIron	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: Morphisec

Product	Event Types	MITRE ATT&CK® TTP	Content
Morphisec EPTP	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: Mysql

Product	Event Types	MITRE ATT&CK® TTP	Content
Mysql	database-activity-failed database-delete database-query database-update	T1213 - Data from Information Repositories	18 Rules 10 Models

Vendor: NCP

Product	Event Types	MITRE ATT&CK® TTP	Content
NCP	authentication-failed vpn-login vpn-logout	T1078 - Valid Accounts T1110 - Brute Force T1133 - External Remote Services	25 Rules 12 Models

Vendor: NNT

Product	Event Types	MITRE ATT&CK® TTP	Content
NNT ChangeTracker	app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	27 Rules 16 Models

Vendor: Namespace rDirectory

Product	Event Types	MITRE ATT&CK® TTP	Content
Namespace rDirectory	account-creation account-deleted account-disabled account-enabled account-password-change ds-access member-added	T1003.006 - OS Credential Dumping: DCSync T1207 - Rogue Domain Controller T1558 - Steal or Forge Kerberos Tickets	7 Rules 1 Models

Vendor: Nasuni

Product	Event Types	MITRE ATT&CK® TTP	Content
Nasuni	file-delete file-permission-change file-write	T1003.002 - T1003.002 T1003.003 - T1003.003 T1083 - File and Directory Discovery	31 Rules 14 Models

Vendor: NetApp

Product	Event Types	MITRE ATT&CK® TTP	Content
NetApp	file-alert file-delete file-read file-write	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1083 - File and Directory Discovery	33 Rules 14 Models

Vendor: NetDocs

Product	Event Types	MITRE ATT&CK® TTP	Content
NetDocs	app-activity file-delete file-read file-upload file-write	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services	72 Rules 38 Models

Vendor: NetIQ

Product	Event Types	MITRE ATT&CK® TTP	Content
NetIQ	app-login failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	28 Rules 16 Models

Vendor: NetMotion Wireless

Product	Event Types	MITRE ATT&CK® TTP	Content
NetMotion Wireless	vpn-login vpn-logout	T1078 - Valid Accounts T1110 - Brute Force T1133 - External Remote Services	25 Rules 12 Models

Vendor: Netskope

Product	Event Types	MITRE ATT&CK® TTP	Content
IoT Security	network-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1190 - Exploit Public Fasing Application	22 Rules 9 Models
Security Cloud	app-activity app-login dlp-alert dlp-email-alert-out failed-app-login file-delete file-download file-permission-change file-read file-upload file-write network-connection-failed network-connection-successful security-alert web-activity-allowed web-activity-denied	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1083 - File and Directory Discovery T1102 - Web Service T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	143 Rules 71 Models

Vendor: Netwrix

Product	Event Types	MITRE ATT&CK® TTP	Content
Netwrix Auditor	account-disabled account-lockout account-password-reset account-unlocked app-activity app-login database-access database-failed-login ds-access failed-app-login failed-logon file-delete file-write member-added member-removed	T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.006 - OS Credential Dumping: DCSync T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1207 - Rogue Domain Controller T1558 - Steal or Forge Kerberos Tickets	84 Rules 40 Models

Vendor: NextDLP

Product	Event Types	MITRE ATT&CK® TTP	Content
Reveal	authentication-failed dlp-alert member-added remote-logon security-alert usb-insert web-activity-allowed	T1021 - Remote Services T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1102 - Web Service T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	98 Rules 49 Models

Vendor: Nexthink

Product	Event Types	MITRE ATT&CK® TTP	Content
Nexthink	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: Nortel Contivity

Product	Event Types	MITRE ATT&CK® TTP	Content
Nortel Contivity VPN	vpn-login vpn-logout	T1078 - Valid Accounts T1110 - Brute Force T1133 - External Remote Services	25 Rules 12 Models

Vendor: Novell

Product	Event Types	MITRE ATT&CK® TTP	Content
eDirectory	account-disabled account-enabled account-password-change account-unlocked authentication-failed authentication-successful security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	32 Rules 14 Models

Vendor: Nozomi Networks

Product	Event Types	MITRE ATT&CK® TTP	Content
Guardian	network-alert security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 19 Models

Vendor: Nutanix

Product	Event Types	MITRE ATT&CK® TTP	Content
Nutanix Files	file-delete file-read file-write	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1083 - File and Directory Discovery	33 Rules 14 Models

Vendor: OSSEC

Product	Event Types	MITRE ATT&CK® TTP	Content
OSSEC	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: ObserveIT

Product	Event Types	MITRE ATT&CK® TTP	Content
ObserveIT	app-activity app-login database-access dlp-alert failed-app-login process-created remote-logon security-alert	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1021 - Remote Services T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1040 - Network Sniffing T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1218.011 - Signed Binary Proxy Execution: Rundll32 T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	148 Rules 54 Models

Vendor: Okta

Product	Event Types	MITRE ATT&CK® TTP	Content
Okta Adaptive MFA	account-creation account-enabled account-lockout account-password-change account-password-reset app-activity app-activity-failed app-login authentication-failed authentication-successful failed-app-login member-added member-removed security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	68 Rules 34 Models

Vendor: Onapsis

Product	Event Types	MITRE ATT&CK® TTP	Content
Onapsis	app-login database-update failed-app-login security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	53 Rules 26 Models

Vendor: OneLogin

Product	Event Types	MITRE ATT&CK® TTP	Content
OneLogin	account-password-reset app-activity app-login failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models

Vendor: OneSpan

Product	Event Types	MITRE ATT&CK® TTP	Content
Digipass	app-login nac-failed-logon nac-logon	T1021 - Remote Services T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	33 Rules 19 Models
OneSpan	failed-logon	T1078 - Valid Accounts	3 Rules 1 Models

Vendor: OneWelcome

Product	Event Types	MITRE ATT&CK® TTP	Content
OneWelcome	authentication-failed authentication-successful	T1078 - Valid Accounts T1133 - External Remote Services	7 Rules 4 Models

Vendor: OpenDJ

Product	Event Types	MITRE ATT&CK® TTP	Content
OpenDJ LDAP	authentication-failed authentication-successful	T1078 - Valid Accounts T1133 - External Remote Services	7 Rules 4 Models

Vendor: Oracle

Product	Event Types	MITRE ATT&CK® TTP	Content
AVDF	database-login database-query	T1213 - Data from Information Repositories	18 Rules 10 Models
Access Manager	app-activity app-login authentication-failed authentication-successful failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models
Oracle Database	database-access database-delete database-failed-login database-login database-query database-update	T1213 - Data from Information Repositories	18 Rules 10 Models
Public Cloud	netflow-connection	T1046 - Network Service Scanning	1 Rules 1 Models
Solaris	process-created process-created-failed	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1040 - Network Sniffing T1218.011 - Signed Binary Proxy Execution: Rundll32 T1555 - Credentials from Password Stores TA0002 - TA0002	48 Rules 5 Models

Vendor: Ordr

Product	Event Types	MITRE ATT&CK® TTP	Content
Ordr SCE	network-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1190 - Exploit Public Fasing Application	22 Rules 9 Models

Vendor: Osirium

Product	Event Types	MITRE ATT&CK® TTP	Content
Osirium	app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	27 Rules 16 Models

Vendor: Palo Alto Networks

Product	Event Types	MITRE ATT&CK® TTP	Content
Cortex XDR	app-activity app-login security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	67 Rules 34 Models
GlobalProtect	app-activity authentication-failed authentication-successful config-change failed-logon failed-vpn-login remote-logon vpn-login vpn-logout	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1110 - Brute Force T1133 - External Remote Services T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	93 Rules 47 Models
Magnifier	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
NGFW	authentication-failed authentication-successful config-change dlp-alert file-alert network-alert network-connection-failed network-connection-successful remote-logon security-alert vpn-login web-activity-allowed web-activity-denied	T1021 - Remote Services T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1102 - Web Service T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	130 Rules 65 Models
Palo Alto Aperture	app-activity app-login dlp-alert file-delete file-download file-read file-write security-alert	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application	100 Rules 48 Models
Prisma Access	dns-query web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models
Prisma Cloud	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Traps	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
WildFire	file-alert network-alert security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 19 Models

Vendor: Perforce

Product	Event Types	MITRE ATT&CK® TTP	Content
Perforce	app-activity	T1078 - Valid Accounts T1133 - External Remote Services	39 Rules 24 Models

Vendor: Ping Identity

Product	Event Types	MITRE ATT&CK® TTP	Content
Ping Identity	account-password-change account-password-change-failed account-password-reset app-activity app-activity-failed app-login authentication-failed authentication-successful failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models
PingOne	app-login authentication-successful failed-app-login vpn-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	34 Rules 20 Models

Vendor: Portnox

Product	Event Types	MITRE ATT&CK® TTP	Content
Portnox CLEAR	nac-failed-logon nac-logon	T1021 - Remote Services T1078 - Valid Accounts	6 Rules 3 Models

Vendor: PostgreSQL

Product	Event Types	MITRE ATT&CK® TTP	Content
PostgreSQL	database-access database-delete database-login database-query	T1213 - Data from Information Repositories	18 Rules 10 Models

Vendor: PowerSentry

Product	Event Types	MITRE ATT&CK® TTP	Content
PowerSentry	app-activity app-login failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models

Vendor: Procad

Product	Event Types	MITRE ATT&CK® TTP	Content
Pro.File DMS	app-activity	T1078 - Valid Accounts T1133 - External Remote Services	39 Rules 24 Models

Vendor: Progress

Product	Event Types	MITRE ATT&CK® TTP	Content
Progress Database	remote-logon	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	36 Rules 16 Models

Vendor: Proofpoint

Product	Event Types	MITRE ATT&CK® TTP	Content
ObserveIT	dlp-alert security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Proofpoint CASB	dlp-alert security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Proofpoint Enterprise Protection	dlp-alert dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: QUSH

Product	Event Types	MITRE ATT&CK® TTP	Content
Reveal	dlp-alert file-upload file-write nac-logon print-activity remote-logon usb-insert web-activity-allowed	T1003.002 - T1003.002 T1003.003 - T1003.003 T1021 - Remote Services T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1083 - File and Directory Discovery T1102 - Web Service T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	109 Rules 55 Models

Vendor: Qualys

Product	Event Types	MITRE ATT&CK® TTP	Content
Qualys	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: Quest Software

Product	Event Types	MITRE ATT&CK® TTP	Content
Change Auditor	account-lockout account-password-change account-password-change-failed account-unlocked ds-access failed-ds-access failed-logon file-delete file-read file-write local-logon member-added member-removed remote-logon	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.006 - OS Credential Dumping: DCSync T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1207 - Rogue Domain Controller T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	83 Rules 34 Models

Vendor: RSA

Product	Event Types	MITRE ATT&CK® TTP	Content
RSA	netflow-connection	T1046 - Network Service Scanning	1 Rules 1 Models
RSA Authentication Manager	authentication-successful	T1078 - Valid Accounts T1133 - External Remote Services	7 Rules 4 Models
RSA ECAT	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
RSA NetWitness	app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	27 Rules 16 Models
SecurID	authentication-failed authentication-successful vpn-logout	T1078 - Valid Accounts T1110 - Brute Force T1133 - External Remote Services	19 Rules 8 Models

Vendor: RUID

Product	Event Types	MITRE ATT&CK® TTP	Content
RUID	authentication-successful	T1078 - Valid Accounts T1133 - External Remote Services	7 Rules 4 Models

Vendor: Radius

Product	Event Types	MITRE ATT&CK® TTP	Content
Radius	authentication-failed authentication-successful computer-logon nac-logon	T1021 - Remote Services T1078 - Valid Accounts T1133 - External Remote Services	13 Rules 7 Models

Vendor: RangerAudit

Product	Event Types	MITRE ATT&CK® TTP	Content
RangerAudit	app-activity app-login database-activity-failed database-query failed-app-login file-read file-write	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1213 - Data from Information Repositories	94 Rules 48 Models

Vendor: Rapid7

Product	Event Types	MITRE ATT&CK® TTP	Content
InsightVM	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Nexpose	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: Red Canary

Product	Event Types	MITRE ATT&CK® TTP	Content
Red Canary	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: Rubrik

Product	Event Types	MITRE ATT&CK® TTP	Content
Rubrik CDM	account-creation app-login privileged-access	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	27 Rules 16 Models

Vendor: Ruckus

Product	Event Types	MITRE ATT&CK® TTP	Content
Ruckus	nac-logon	T1021 - Remote Services T1078 - Valid Accounts	6 Rules 3 Models

Vendor: SAP

Product	Event Types	MITRE ATT&CK® TTP	Content
SAP	account-creation account-deleted account-lockout account-password-change account-unlocked app-activity app-login authentication-failed authentication-successful failed-app-login file-download file-write gcp-bucket-create gcp-compute-list gcp-function-write gcp-general-activity gcp-instance-screenshot gcp-role-list gcp-serviceaccount-creds-write gcp-storage-list gcp-storageobject-read gcp-storageobject-write remote-logon	T1003.002 - T1003.002 T1003.003 - T1003.003 T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1078.004 - Valid Accounts: Cloud Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1535 - Unused/Unsupported Cloud Regions T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	111 Rules 58 Models

Vendor: SFTP

Product	Event Types	MITRE ATT&CK® TTP	Content
SFTP	app-login failed-app-login file-delete file-download file-read file-upload file-write	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application	61 Rules 30 Models

Vendor: SIGSCI

Product	Event Types	MITRE ATT&CK® TTP	Content
SIGSCI	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models

Vendor: SSL Open VPN

Product	Event Types	MITRE ATT&CK® TTP	Content
SSL Open VPN	app-activity app-activity-failed authentication-failed authentication-successful failed-vpn-login vpn-login vpn-logout	T1078 - Valid Accounts T1110 - Brute Force T1133 - External Remote Services	58 Rules 32 Models

Vendor: Sailpoint

Product	Event Types	MITRE ATT&CK® TTP	Content
FAM	file-delete file-permission-change file-read file-write	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1083 - File and Directory Discovery	33 Rules 14 Models
IdentityNow	account-password-change account-password-change-failed app-activity app-login authentication-failed authentication-successful	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	42 Rules 24 Models
SailPoint IIQ	app-activity	T1078 - Valid Accounts T1133 - External Remote Services	39 Rules 24 Models
SecurityIQ	account-creation account-deleted account-lockout account-password-reset file-delete file-download file-permission-change file-read file-upload file-write member-added member-removed	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1083 - File and Directory Discovery	33 Rules 14 Models

Vendor: Salesforce

Product	Event Types	MITRE ATT&CK® TTP	Content
Salesforce	account-switch app-activity app-login dlp-email-alert-out failed-app-login file-download file-upload	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models

Vendor: Sangfor

Product	Event Types	MITRE ATT&CK® TTP	Content
NGAF	network-alert web-activity-allowed web-activity-denied	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	64 Rules 32 Models

Vendor: Seclore

Product	Event Types	MITRE ATT&CK® TTP	Content
Seclore	file-permission-change file-read file-write	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1083 - File and Directory Discovery	33 Rules 14 Models

Vendor: Secomea

Product	Event Types	MITRE ATT&CK® TTP	Content
Secomea	app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	27 Rules 16 Models

Vendor: Secure Computing

Product	Event Types	MITRE ATT&CK® TTP	Content
Secure Computing SafeWord	authentication-successful	T1078 - Valid Accounts T1133 - External Remote Services	7 Rules 4 Models

Vendor: Secure Envoy

Product	Event Types	MITRE ATT&CK® TTP	Content
Secure Envoy	authentication-failed authentication-successful	T1078 - Valid Accounts T1133 - External Remote Services	7 Rules 4 Models

Vendor: SecureAuth

Product	Event Types	MITRE ATT&CK® TTP	Content
SecureAuth Login	app-login authentication-successful	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	27 Rules 16 Models

Vendor: SecureLink

Product	Event Types	MITRE ATT&CK® TTP	Content
SecureLink	app-activity app-login failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models

Vendor: SecureNet

Product	Event Types	MITRE ATT&CK® TTP	Content
SecureNet	vpn-login vpn-logout	T1078 - Valid Accounts T1110 - Brute Force T1133 - External Remote Services	25 Rules 12 Models

Vendor: SecureWorks

Product	Event Types	MITRE ATT&CK® TTP	Content
iSensor IPS	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: Semperis

Product	Event Types	MITRE ATT&CK® TTP	Content
DSP	app-login ds-access failed-app-login privileged-object-access	T1003.006 - OS Credential Dumping: DCSync T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1207 - Rogue Domain Controller T1558 - Steal or Forge Kerberos Tickets	35 Rules 17 Models

Vendor: SentinelOne

Product	Event Types	MITRE ATT&CK® TTP	Content
SentinelOne	process-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools TA0002 - TA0002	7 Rules 2 Models
Singularity Platform	"app-activity" "process-created" "process-network" "security-alert" app-activity dns-query dns-response file-alert file-delete file-read file-write network-alert network-connection-failed network-connection-successful process-alert process-created registry-write security-alert task-created web-activity-allowed	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1040 - Network Sniffing T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1083 - File and Directory Discovery T1102 - Web Service T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1555 - Credentials from Password Stores T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	203 Rules 86 Models
Vigilance	account-creation app-activity app-login failed-app-login security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	68 Rules 34 Models

Vendor: ServiceNow

Product	Event Types	MITRE ATT&CK® TTP	Content
ServiceNow	app-activity app-login failed-app-login file-delete file-download file-read file-upload	T1003.001 - T1003.001 T1003.003 - T1003.003 T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application	72 Rules 38 Models

Vendor: Shibboleth

Product	Event Types	MITRE ATT&CK® TTP	Content
Shibboleth IdP	authentication-successful	T1078 - Valid Accounts T1133 - External Remote Services	7 Rules 4 Models
Shibboleth SSO	account-password-change app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	27 Rules 16 Models

Vendor: Silverfort

Product	Event Types	MITRE ATT&CK® TTP	Content
Silverfort	app-login authentication-failed authentication-successful failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	28 Rules 16 Models

Vendor: SiteMinder

Product	Event Types	MITRE ATT&CK® TTP	Content
SiteMinder	authentication-failed authentication-successful	T1078 - Valid Accounts T1133 - External Remote Services	7 Rules 4 Models

Vendor: SkySea

Product	Event Types	MITRE ATT&CK® TTP	Content
ClientView	app-activity app-login dlp-email-alert-out file-delete file-download file-read file-upload file-write print-activity process-created security-alert share-access usb-activity web-activity-allowed web-activity-denied	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1040 - Network Sniffing T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1083 - File and Directory Discovery T1102 - Web Service T1133 - External Remote Services T1187 - Forced Authentication T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1555 - Credentials from Password Stores T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	192 Rules 76 Models

Vendor: Skybox

Product	Event Types	MITRE ATT&CK® TTP	Content
Skybox	app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	27 Rules 16 Models

Vendor: Skyhigh Security

Product	Event Types	MITRE ATT&CK® TTP	Content
Skyhigh Security Cloud	web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	26 Rules 13 Models

Vendor: Slack

Product	Event Types	MITRE ATT&CK® TTP	Content
Slack	app-activity app-login file-download file-upload	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	42 Rules 24 Models

Vendor: Snort

Product	Event Types	MITRE ATT&CK® TTP	Content
Snort	network-alert security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 19 Models

Vendor: Snowflake

Product	Event Types	MITRE ATT&CK® TTP	Content
Snowflake	database-login database-query	T1213 - Data from Information Repositories	18 Rules 10 Models

Vendor: Sonicwall

Product	Event Types	MITRE ATT&CK® TTP	Content
Sonicwall	failed-vpn-login network-alert remote-logon vpn-login vpn-logout web-activity-allowed web-activity-denied	T1021 - Remote Services T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1102 - Web Service T1110 - Brute Force T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	122 Rules 59 Models

Vendor: Sophos

Product	Event Types	MITRE ATT&CK® TTP	Content
Sophos Endpoint Protection	app-activity-failed dlp-alert failed-usb-activity file-alert network-alert network-connection-failed process-alert security-alert usb-insert usb-read usb-write	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application TA0002 - TA0002	47 Rules 21 Models
Sophos Invincea	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Sophos SafeGuard	app-activity app-activity-failed	T1078 - Valid Accounts T1133 - External Remote Services	39 Rules 24 Models
Sophos UTM	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models
Sophos XG Firewall	app-login failed-vpn-login network-connection-failed network-connection-successful vpn-login vpn-logout web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1110 - Brute Force T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	88 Rules 47 Models

Vendor: Squid

Product	Event Types	MITRE ATT&CK® TTP	Content
Squid	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models

Vendor: StealthBits

Product	Event Types	MITRE ATT&CK® TTP	Content
StealthIntercept	account-disabled account-enabled authentication-failed authentication-successful ds-access failed-ds-access file-permission-change file-read file-write member-added member-removed	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.006 - OS Credential Dumping: DCSync T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1207 - Rogue Domain Controller T1558 - Steal or Forge Kerberos Tickets	47 Rules 19 Models

Vendor: Sun One

Product	Event Types	MITRE ATT&CK® TTP	Content
LDAP	authentication-failed authentication-successful	T1078 - Valid Accounts T1133 - External Remote Services	7 Rules 4 Models

Vendor: Suricata

Product	Event Types	MITRE ATT&CK® TTP	Content
Suricata	network-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1190 - Exploit Public Fasing Application	22 Rules 9 Models
Suricata IDS	network-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1190 - Exploit Public Fasing Application	22 Rules 9 Models

Vendor: Swift

Product	Event Types	MITRE ATT&CK® TTP	Content
Swift	account-password-change account-password-change-failed app-login failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	28 Rules 16 Models

Vendor: Swivel

Product	Event Types	MITRE ATT&CK® TTP	Content
Swivel	app-activity app-login failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models

Vendor: Sybase

Product	Event Types	MITRE ATT&CK® TTP	Content
Sybase	database-access database-login database-query	T1213 - Data from Information Repositories	18 Rules 10 Models

Vendor: Symantec

Product	Event Types	MITRE ATT&CK® TTP	Content
ICDx	network-alert process-alert security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application TA0002 - TA0002	47 Rules 21 Models
Symantec Advanced Threat Protection	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Symantec Blue Coat Content Analysis System	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Symantec Blue Coat ProxySG Appliance	network-connection-failed web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models
Symantec CloudSOC	app-activity app-login dlp-alert failed-app-login file-delete file-download file-upload	T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application	67 Rules 37 Models
Symantec Critical System Protection	account-switch config-change failed-logon local-logon member-added member-removed	T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	30 Rules 13 Models
Symantec DLP	dlp-alert dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed print-activity security-alert usb-activity usb-insert usb-read usb-write	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Symantec EDR	authentication-successful file-alert file-delete file-write process-created remote-logon security-alert	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1021 - Remote Services T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1040 - Network Sniffing T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1218.011 - Signed Binary Proxy Execution: Rundll32 T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	143 Rules 48 Models
Symantec Email Security.cloud	dlp-email-alert-in dlp-email-alert-out dlp-email-alert-out-failed security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Symantec Endpoint Protection	app-activity failed-usb-activity network-alert network-connection-failed network-connection-successful process-alert security-alert usb-write	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application TA0002 - TA0002	86 Rules 45 Models
Symantec Endpoint Protection Mobile	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Symantec Fireglass	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models
Symantec Managed Security Services	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Symantec Secure Web Gateway	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models
Symantec VIP	app-activity app-activity-failed authentication-failed authentication-successful	T1078 - Valid Accounts T1133 - External Remote Services	39 Rules 24 Models
Symantec WSS	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models

Vendor: Synology NAS

Product	Event Types	MITRE ATT&CK® TTP	Content
Synology NAS	share-access	T1187 - Forced Authentication	2 Rules

Vendor: Tanium

Product	Event Types	MITRE ATT&CK® TTP	Content
Cloud Platform	app-activity app-login failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models
Endpoint Platform	authentication-failed authentication-successful dns-response process-created security-alert	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1040 - Network Sniffing T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1218.011 - Signed Binary Proxy Execution: Rundll32 T1555 - Credentials from Password Stores TA0002 - TA0002	80 Rules 19 Models
Integrity Monitor	file-delete file-permission-change file-write network-connection-failed network-connection-successful process-created	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1040 - Network Sniffing T1083 - File and Directory Discovery T1218.011 - Signed Binary Proxy Execution: Rundll32 T1555 - Credentials from Password Stores TA0002 - TA0002	79 Rules 19 Models
Threat Response	process-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools TA0002 - TA0002	7 Rules 2 Models

Vendor: Tenable.io

Product	Event Types	MITRE ATT&CK® TTP	Content
Tenable.io	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: Teradata

Product	Event Types	MITRE ATT&CK® TTP	Content
Teradata RDBMS	database-login database-query	T1213 - Data from Information Repositories	18 Rules 10 Models

Vendor: TitanFTP

Product	Event Types	MITRE ATT&CK® TTP	Content
TitanFTP	app-activity file-delete file-read	T1003.001 - T1003.001 T1003.003 - T1003.003 T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services	68 Rules 38 Models

Vendor: TrapX

Product	Event Types	MITRE ATT&CK® TTP	Content
TrapX	network-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1190 - Exploit Public Fasing Application	22 Rules 9 Models

Vendor: Trend Micro

Product	Event Types	MITRE ATT&CK® TTP	Content
Apex One	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Cloud App Security	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
Deep Discovery Inspector	account-password-change app-login security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	52 Rules 26 Models
Deep Security Agent	network-connection-failed network-connection-successful security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
InterScan Web Security	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models
OfficeScan	dlp-alert dlp-email-alert-in dlp-email-alert-out privileged-object-access security-alert usb-write web-activity-allowed	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	62 Rules 33 Models
ScanMail	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
TippingPoint NGIPS	network-alert security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 19 Models
Vision One	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: Tufin

Product	Event Types	MITRE ATT&CK® TTP	Content
SecureTrack	authentication-successful	T1078 - Valid Accounts T1133 - External Remote Services	7 Rules 4 Models

Vendor: Tyco

Product	Event Types	MITRE ATT&CK® TTP	Content
CCURE Building Management System	app-activity app-login failed-physical-access physical-access	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	42 Rules 24 Models

Vendor: Unix

Product	Event Types	MITRE ATT&CK® TTP	Content
Auditbeat	app-activity app-activity-failed authentication-successful process-created process-network process-network-failed	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1040 - Network Sniffing T1078 - Valid Accounts T1133 - External Remote Services T1218.011 - Signed Binary Proxy Execution: Rundll32 T1555 - Credentials from Password Stores TA0002 - TA0002	87 Rules 29 Models
Unix	account-creation account-deleted account-lockout account-password-change account-switch authentication-failed authentication-successful batch-logon computer-logon dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-logon file-delete file-permission-change file-read file-write kerberos-logon local-logon member-added member-removed network-connection-failed process-created process-created-failed remote-access remote-logon security-alert task-created	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1021 - Remote Services T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1040 - Network Sniffing T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1218.011 - Signed Binary Proxy Execution: Rundll32 T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	158 Rules 53 Models
Unix Auditd	account-creation account-deleted account-password-change account-switch app-activity-failed authentication-failed authentication-successful failed-logon local-logon member-added member-removed process-created process-created-failed remote-logon	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1021 - Remote Services T1040 - Network Sniffing T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1218.011 - Signed Binary Proxy Execution: Rundll32 T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	95 Rules 28 Models

Vendor: VBCorp

Product	Event Types	MITRE ATT&CK® TTP	Content
VBCorp	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: VMS Software

Product	Event Types	MITRE ATT&CK® TTP	Content
OpenVMS	batch-logon failed-logon file-delete file-read remote-logon	T1003.001 - T1003.001 T1003.003 - T1003.003 T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	67 Rules 30 Models

Vendor: VMware

Product	Event Types	MITRE ATT&CK® TTP	Content
AirWatch	app-activity authentication-failed authentication-successful security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	64 Rules 34 Models
Carbon Black App Control	app-login file-alert file-download file-write local-logon process-alert process-created security-alert usb-activity usb-insert workstation-locked workstation-unlocked	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1040 - Network Sniffing T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1218.011 - Signed Binary Proxy Execution: Rundll32 T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1555 - Credentials from Password Stores T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	162 Rules 58 Models
Carbon Black Cloud Endpoint Standard	app-login authentication-successful failed-app-login file-write network-connection-failed network-connection-successful process-created registry-write security-alert	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1040 - Network Sniffing T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1218.011 - Signed Binary Proxy Execution: Rundll32 T1555 - Credentials from Password Stores TA0002 - TA0002	132 Rules 45 Models
Carbon Black Cloud Enterprise EDR	authentication-successful file-write network-connection-failed network-connection-successful process-alert process-created registry-write security-alert	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1040 - Network Sniffing T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1218.011 - Signed Binary Proxy Execution: Rundll32 T1555 - Credentials from Password Stores TA0002 - TA0002	115 Rules 34 Models
Carbon Black EDR	file-alert file-delete file-read file-write network-connection-failed network-connection-successful process-alert process-created process-created-failed process-network security-alert	T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1003.005 - T1003.005 T1016 - System Network Configuration Discovery T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1040 - Network Sniffing T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1218.011 - Signed Binary Proxy Execution: Rundll32 T1555 - Credentials from Password Stores TA0002 - TA0002	110 Rules 30 Models
NSX Advanced Threat Prevention	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models
VMWare ID Manager (VIDM)	app-activity app-activity-failed app-login failed-app-login privileged-object-access	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models
VMware ESXi	remote-logon	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	36 Rules 16 Models
VMware Horizon	authentication-failed remote-logon	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	36 Rules 16 Models
VMware VCenter	app-activity app-login failed-logon remote-logon	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	77 Rules 40 Models
VMware View	account-password-change app-activity app-login failed-app-login remote-logon	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	75 Rules 39 Models

Vendor: Varonis

Product	Event Types	MITRE ATT&CK® TTP	Content
Data Security Platform	dlp-alert file-delete file-permission-change file-read file-write	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1083 - File and Directory Discovery	33 Rules 14 Models

Vendor: Vectra

Product	Event Types	MITRE ATT&CK® TTP	Content
Cognito Stream	authentication-failed authentication-successful dlp-email-alert-out file-delete file-read file-write ntlm-logon remote-logon web-activity-allowed web-activity-denied	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1021 - Remote Services T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1083 - File and Directory Discovery T1102 - Web Service T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	114 Rules 56 Models
Vectra Cognito Detect	app-activity security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	64 Rules 34 Models

Vendor: Vormetric

Product	Event Types	MITRE ATT&CK® TTP	Content
Vormetric	file-alert file-read	T1003.001 - T1003.001 T1003.003 - T1003.003 T1083 - File and Directory Discovery	29 Rules 14 Models

Vendor: Watchguard

Product	Event Types	MITRE ATT&CK® TTP	Content
Watchguard	network-connection-failed network-connection-successful web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models

Vendor: Weblogin

Product	Event Types	MITRE ATT&CK® TTP	Content
Weblogin	web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	37 Rules 23 Models

Vendor: Wiz

Product	Event Types	MITRE ATT&CK® TTP	Content
Wiz	account-deleted app-activity app-login network-alert security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	85 Rules 43 Models

Vendor: Workday

Product	Event Types	MITRE ATT&CK® TTP	Content
Workday	app-activity app-login authentication-failed failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models

Vendor: Xceedium

Product	Event Types	MITRE ATT&CK® TTP	Content
Xceedium	app-login failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	28 Rules 16 Models

Vendor: Xiting

Product	Event Types	MITRE ATT&CK® TTP	Content
XAMS	app-login failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	28 Rules 16 Models

Vendor: Zeek

Product	Event Types	MITRE ATT&CK® TTP	Content
Zeek Network Security Monitor	app-activity authentication-failed authentication-successful computer-logon dlp-email-alert-in dlp-email-alert-out dns-query dns-response failed-logon file-delete file-read file-write kerberos-logon nac-failed-logon nac-logon network-alert network-connection-failed network-connection-successful ntlm-logon remote-access remote-logon share-access web-activity-allowed web-activity-denied	T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1021 - Remote Services T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1083 - File and Directory Discovery T1102 - Web Service T1133 - External Remote Services T1187 - Forced Authentication T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	184 Rules 90 Models

Vendor: Zendesk

Product	Event Types	MITRE ATT&CK® TTP	Content
Zendesk	app-activity	T1078 - Valid Accounts T1133 - External Remote Services	39 Rules 24 Models

Vendor: Zimperium

Product	Event Types	MITRE ATT&CK® TTP	Content
MOBILE ENDPOINT SECURITY	security-alert	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	25 Rules 10 Models

Vendor: Zlock

Product	Event Types	MITRE ATT&CK® TTP	Content
Zlock	app-activity	T1078 - Valid Accounts T1133 - External Remote Services	39 Rules 24 Models

Vendor: Zscaler

Product	Event Types	MITRE ATT&CK® TTP	Content
Zscaler Internet Access	app-login dlp-alert network-connection-failed network-connection-successful web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	69 Rules 39 Models
Zscaler Private Access	vpn-login vpn-logout	T1078 - Valid Accounts T1110 - Brute Force T1133 - External Remote Services	25 Rules 12 Models

Vendor: eDocs

Product	Event Types	MITRE ATT&CK® TTP	Content
eDocs	app-activity	T1078 - Valid Accounts T1133 - External Remote Services	39 Rules 24 Models

Vendor: iBoss

Product	Event Types	MITRE ATT&CK® TTP	Content
Secure Web Gateway	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms	42 Rules 23 Models

Vendor: iManage

Product	Event Types	MITRE ATT&CK® TTP	Content
iManage	app-activity dlp-alert	T1078 - Valid Accounts T1133 - External Remote Services	39 Rules 24 Models

Vendor: jSONAR

Product	Event Types	MITRE ATT&CK® TTP	Content
SonarG	database-failed-login database-login	T1213 - Data from Information Repositories	10 Rules 5 Models

Vendor: oVirt

Product	Event Types	MITRE ATT&CK® TTP	Content
oVirt	app-activity app-activity-failed app-login failed-app-login	T1078 - Valid Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application	43 Rules 24 Models

Vendor: xsuite

Product	Event Types	MITRE ATT&CK® TTP	Content
xsuite	remote-logon	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	36 Rules 16 Models