Use Case: Cryptomining

November 7, 2023 · View on GitHub

Use Case: Cryptomining

Vendor: Akamai

Product	Event Types	MITRE ATT&CK® TTP	Content
Cloud Akamai	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: Amazon

Product	Event Types	MITRE ATT&CK® TTP	Content
AWS CloudTrail	app-activity app-activity-failed app-login aws-bucket-cors aws-bucket-cors-failed aws-bucket-create aws-bucket-create-failed aws-bucket-policy aws-bucket-policy-failed aws-bucket-putaccessblock aws-bucket-putaccessblock-failed aws-compute-list aws-compute-list-failed aws-function-write aws-function-write-failed aws-general-activity aws-general-activity-failed aws-identity-addtogroup aws-identity-addtogroup-failed aws-identity-creds-write aws-identity-creds-write-failed aws-identity-list aws-identity-list-failed aws-identity-loginprofile aws-identity-loginprofile-failed aws-identity-write aws-identity-write-failed aws-image-create aws-image-create-failed aws-image-modify aws-image-modify-failed aws-instance-command aws-instance-command-failed aws-instance-create aws-instance-create-failed aws-instance-creds-read aws-instance-creds-read-failed aws-instance-creds-write aws-instance-creds-write-failed aws-instance-login aws-instance-login-failed aws-instance-modify aws-instance-modify-failed aws-instance-screenshot aws-instance-screenshot-failed aws-key-policy aws-key-policy-failed aws-login aws-login-failed aws-policy-attach aws-policy-attach-failed aws-policy-list aws-policy-list-failed aws-policy-setversion aws-policy-setversion-failed aws-policy-write aws-policy-write-failed aws-role-assume aws-role-assume-failed aws-role-assumepolicy aws-role-assumepolicy-failed aws-role-switch aws-role-switch-failed aws-role-write aws-role-write-failed aws-snapshot-create aws-snapshot-create-failed aws-snapshot-modify aws-snapshot-modify-failed aws-storage-acl aws-storage-acl-failed aws-storage-list aws-storage-list-failed aws-storageobject-copy aws-storageobject-copy-failed aws-storageobject-read aws-storageobject-read-failed aws-storageobject-write aws-storageobject-write-failed aws-volume-attach aws-volume-attach-failed aws-volume-create aws-volume-create-failed aws-volume-modify aws-volume-modify-failed cloud-admin-activity cloud-admin-activity-failed failed-app-login storage-access storage-activity storage-activity-failed	T1074 - Data Staged T1496 - Resource Hijacking	1 Rules 1 Models
AWS WAF	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: Apache

Product	Event Types	MITRE ATT&CK® TTP	Content
Apache	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: BeyondTrust

Product	Event Types	MITRE ATT&CK® TTP	Content
BeyondTrust PowerBroker	privileged-access process-created	T1496 - Resource Hijacking	2 Rules
BeyondTrust Privilege Management	local-logon process-created	T1496 - Resource Hijacking	2 Rules

Vendor: Bitdefender

Product	Event Types	MITRE ATT&CK® TTP	Content
GravityZone	app-login security-alert web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: CatoNetworks

Product	Event Types	MITRE ATT&CK® TTP	Content
Cato Cloud	network-alert vpn-connection vpn-login vpn-logout web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: Check Point

Product	Event Types	MITRE ATT&CK® TTP	Content
NGFW	app-login authentication-failed authentication-successful dlp-email-alert-in dlp-email-alert-out failed-vpn-login local-logon network-alert network-connection-failed network-connection-successful vpn-connection vpn-login vpn-logout web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: Cisco

Product	Event Types	MITRE ATT&CK® TTP	Content
ADC	web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules
Adaptive Security Appliance	authentication-failed authentication-successful dns-response failed-logon failed-vpn-login file-download file-upload nac-logon network-connection-successful process-created remote-logon vpn-login vpn-logout web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	4 Rules
Cloud Web Security	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules
Firepower	authentication-successful dns-query dns-response failed-vpn-login file-download nac-logon netflow-connection network-alert network-connection-failed network-connection-successful process-created security-alert vpn-login vpn-logout web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	4 Rules
IronPort Web Security	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules
Meraki MX appliances	network-alert network-connection-failed network-connection-successful vpn-login vpn-logout web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules
NPE	process-created	T1496 - Resource Hijacking	2 Rules
Proxy Umbrella	network-connection-successful web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules
Secure Web Appliance	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules
TACACS	authentication-failed process-created	T1496 - Resource Hijacking	2 Rules
Umbrella	dns-response web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: Citrix

Product	Event Types	MITRE ATT&CK® TTP	Content
Citrix Netscaler	app-login authentication-failed failed-vpn-login process-created vpn-login vpn-logout	T1496 - Resource Hijacking	2 Rules
Citrix Netscaler VPN	authentication-failed authentication-successful remote-access remote-logon vpn-connection vpn-logout web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules
Web Logging	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: Cloudflare

Product	Event Types	MITRE ATT&CK® TTP	Content
Cloudflare WAF	network-alert network-connection-failed network-connection-successful web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: CrowdStrike

Product	Event Types	MITRE ATT&CK® TTP	Content
Falcon	app-activity app-activity-failed app-login authentication-failed batch-logon computer-logon config-change dlp-alert dns-query failed-app-login file-alert file-delete file-download file-read file-write local-logon network-connection-failed network-connection-successful process-alert process-created process-network remote-access remote-logon security-alert service-logon task-created usb-activity usb-insert usb-write workstation-unlocked	T1496 - Resource Hijacking	2 Rules

Vendor: Delinea

Product	Event Types	MITRE ATT&CK® TTP	Content
Centrify Infrastructure Services	process-created	T1496 - Resource Hijacking	2 Rules

Vendor: Digital Arts

Product	Event Types	MITRE ATT&CK® TTP	Content
Digital Arts i-FILTER for Business	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: Digital Guardian

Product	Event Types	MITRE ATT&CK® TTP	Content
Digital Guardian Endpoint Protection	app-activity app-login dlp-email-alert-out file-delete file-download file-read file-upload file-write local-logon network-connection-failed network-connection-successful print-activity process-created usb-insert usb-write	T1496 - Resource Hijacking	2 Rules

Vendor: Dtex Systems

Product	Event Types	MITRE ATT&CK® TTP	Content
DTEX InTERCEPT	file-delete file-read file-write local-logon print-activity process-created remote-logon usb-write web-activity-allowed workstation-locked workstation-unlocked	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	4 Rules

Vendor: ESET

Product	Event Types	MITRE ATT&CK® TTP	Content
ESET Endpoint Security	app-login authentication-failed authentication-successful failed-logon network-alert security-alert web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: EdgeWave

Product	Event Types	MITRE ATT&CK® TTP	Content
EdgeWave iPrism	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: F5

Product	Event Types	MITRE ATT&CK® TTP	Content
F5 Advanced Web Application Firewall (WAF)	account-switch dlp-email-alert-out network-alert network-connection-failed network-connection-successful process-created remote-logon	T1496 - Resource Hijacking	2 Rules
F5 BIG-IP Application Security Manager (ASM)	security-alert web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules
WebSafe	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: FireEye

Product	Event Types	MITRE ATT&CK® TTP	Content
FireEye Network Security (NX)	security-alert web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: Forcepoint

Product	Event Types	MITRE ATT&CK® TTP	Content
Websense Secure Gateway	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: Fortinet

Product	Event Types	MITRE ATT&CK® TTP	Content
FortiGate	network-connection-successful vpn-connection web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules
Fortinet FortiWeb	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules
Fortinet UTM	app-activity app-activity-failed authentication-failed authentication-successful dlp-alert dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed network-alert security-alert web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: Google

Product	Event Types	MITRE ATT&CK® TTP	Content
Cloud Platform	app-activity cloud-admin-activity cloud-admin-activity-failed gcp-disk-attach gcp-disk-create gcp-image-create gcp-instance-create gcp-instance-setmachinetype gcp-instance-setmetadata gcp-policy-write gcp-role-write gcp-serviceaccount-creds-write gcp-serviceaccount-write gcp-snapshot-create gcp-storageobject-acl netflow-connection network-alert storage-access storage-activity storage-activity-failed web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1074 - Data Staged T1496 - Resource Hijacking	3 Rules 1 Models

Vendor: HP

Product	Event Types	MITRE ATT&CK® TTP	Content
HP Comware	process-created	T1496 - Resource Hijacking	2 Rules

Vendor: HashiCorp

Product	Event Types	MITRE ATT&CK® TTP	Content
Terraform	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: HelpSystems

Product	Event Types	MITRE ATT&CK® TTP	Content
Powertech Identity Access Manager (BoKs)	account-switch file-delete file-read file-write local-logon process-created remote-logon	T1496 - Resource Hijacking	2 Rules

Vendor: Huawei

Product	Event Types	MITRE ATT&CK® TTP	Content
Unified Security Gateway	authentication-successful network-alert process-created vpn-login	T1496 - Resource Hijacking	2 Rules

Vendor: IBM

Product	Event Types	MITRE ATT&CK® TTP	Content
IBM Security Access Manager	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: Imperva

Product	Event Types	MITRE ATT&CK® TTP	Content
Incapsula	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: InfoWatch

Product	Event Types	MITRE ATT&CK® TTP	Content
InfoWatch	app-login dlp-email-alert-in dlp-email-alert-out print-activity usb-write web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: Juniper Networks

Product	Event Types	MITRE ATT&CK® TTP	Content
Juniper Networks	config-change process-created	T1496 - Resource Hijacking	2 Rules
Juniper SRX	authentication-successful failed-vpn-login network-alert network-connection-failed network-connection-successful security-alert vpn-login web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules
Juniper VPN	account-deleted authentication-failed authentication-successful failed-vpn-login vpn-login vpn-logout web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: LanScope

Product	Event Types	MITRE ATT&CK® TTP	Content
LanScope Cat	app-activity dlp-alert failed-usb-activity file-delete file-write local-logon print-activity process-created process-created-failed process-network usb-activity usb-write web-activity-allowed workstation-locked workstation-unlocked	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	4 Rules

Vendor: LogRhythm

Product	Event Types	MITRE ATT&CK® TTP	Content
LogRhythm	process-created	T1496 - Resource Hijacking	2 Rules

Vendor: Malwarebytes

Product	Event Types	MITRE ATT&CK® TTP	Content
Malwarebytes Endpoint Protection	network-alert security-alert web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: McAfee

Product	Event Types	MITRE ATT&CK® TTP	Content
McAfee Web Gateway	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: Microsoft

Product	Event Types	MITRE ATT&CK® TTP	Content
Azure	account-password-change app-activity app-activity-failed app-login authentication-failed authentication-successful cloud-admin-activity cloud-admin-activity-failed database-query dns-query failed-app-login file-delete file-download file-read file-upload file-write image-loaded member-added member-removed network-alert network-connection-failed network-connection-successful process-created remote-logon security-alert storage-access storage-activity storage-activity-failed usb-activity usb-insert	T1496 - Resource Hijacking	2 Rules
Defender ATP	app-login batch-logon failed-logon file-delete file-write local-logon member-added member-removed process-created process-network process-network-failed remote-access remote-logon security-alert service-logon	T1496 - Resource Hijacking	2 Rules
IIS	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules
Microsoft Azure	azure-blob-read azure-blob-write azure-container-acl azure-disk-write azure-image-write azure-instance-creds-write azure-instance-write azure-keyvault-read azure-keyvault-write azure-metrics azure-role-assign azure-role-write azure-snapshot-write azure-storage-list	T1496 - Resource Hijacking	1 Rules 1 Models
Office 365	account-password-change app-activity app-activity-failed app-login dlp-alert dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-app-login file-delete file-download file-permission-change file-read file-upload file-write process-created security-alert usb-write	T1496 - Resource Hijacking	2 Rules
Sysmon	dns-query file-delete file-write image-loaded process-alert process-created process-network registry-write	T1496 - Resource Hijacking	2 Rules
Web Application Proxy	remote-logon web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules
Web Application Proxy-TLS Gateway	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules
Windows	account-creation account-deleted account-disabled account-enabled account-lockout account-password-change account-password-change-failed account-password-reset account-switch account-unlocked app-login audit-log-clear audit-policy-change authentication-failed authentication-successful batch-logon computer-logon config-change dcom-activation-failed dns-query dns-response ds-access failed-app-login failed-logon failed-vpn-login file-close file-delete file-read file-write kerberos-logon local-logon logout-remote member-added member-removed nac-failed-logon nac-logon network-connection-successful ntlm-logon privileged-access privileged-object-access process-created process-network process-network-failed registry-write remote-access remote-logon security-alert service-created service-logon share-access share-access-denied task-created usb-activity usb-insert vpn-login vpn-logout winsession-disconnect workstation-locked workstation-unlocked	T1496 - Resource Hijacking	2 Rules

Vendor: Mimecast

Product	Event Types	MITRE ATT&CK® TTP	Content
Targeted Threat Protection - URL	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: Netskope

Product	Event Types	MITRE ATT&CK® TTP	Content
Security Cloud	app-activity app-login dlp-alert dlp-email-alert-out failed-app-login file-delete file-download file-permission-change file-read file-upload file-write network-connection-failed network-connection-successful security-alert web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: NextDLP

Product	Event Types	MITRE ATT&CK® TTP	Content
Reveal	authentication-failed dlp-alert member-added remote-logon security-alert usb-insert web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: ObserveIT

Product	Event Types	MITRE ATT&CK® TTP	Content
ObserveIT	app-activity app-login database-access dlp-alert failed-app-login process-created remote-logon security-alert	T1496 - Resource Hijacking	2 Rules

Vendor: Oracle

Product	Event Types	MITRE ATT&CK® TTP	Content
Solaris	process-created process-created-failed	T1496 - Resource Hijacking	2 Rules

Vendor: Palo Alto Networks

Product	Event Types	MITRE ATT&CK® TTP	Content
NGFW	authentication-failed authentication-successful config-change dlp-alert file-alert network-alert network-connection-failed network-connection-successful remote-logon security-alert vpn-login web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules
Prisma Access	dns-query web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: QUSH

Product	Event Types	MITRE ATT&CK® TTP	Content
Reveal	dlp-alert file-upload file-write nac-logon print-activity remote-logon usb-insert web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: SIGSCI

Product	Event Types	MITRE ATT&CK® TTP	Content
SIGSCI	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: Sangfor

Product	Event Types	MITRE ATT&CK® TTP	Content
NGAF	network-alert web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: SentinelOne

Product	Event Types	MITRE ATT&CK® TTP	Content
Singularity Platform	"app-activity" "process-created" "process-network" "security-alert" app-activity dns-query dns-response file-alert file-delete file-read file-write network-alert network-connection-failed network-connection-successful process-alert process-created registry-write security-alert task-created web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	4 Rules

Vendor: SkySea

Product	Event Types	MITRE ATT&CK® TTP	Content
ClientView	app-activity app-login dlp-email-alert-out file-delete file-download file-read file-upload file-write print-activity process-created security-alert share-access usb-activity web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	4 Rules

Vendor: Skyhigh Security

Product	Event Types	MITRE ATT&CK® TTP	Content
Skyhigh Security Cloud	web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: Sonicwall

Product	Event Types	MITRE ATT&CK® TTP	Content
Sonicwall	failed-vpn-login network-alert remote-logon vpn-login vpn-logout web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: Sophos

Product	Event Types	MITRE ATT&CK® TTP	Content
Sophos UTM	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules
Sophos XG Firewall	app-login failed-vpn-login network-connection-failed network-connection-successful vpn-login vpn-logout web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: Squid

Product	Event Types	MITRE ATT&CK® TTP	Content
Squid	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: Symantec

Product	Event Types	MITRE ATT&CK® TTP	Content
Symantec Blue Coat ProxySG Appliance	network-connection-failed web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules
Symantec EDR	authentication-successful file-alert file-delete file-write process-created remote-logon security-alert	T1496 - Resource Hijacking	2 Rules
Symantec Fireglass	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules
Symantec Secure Web Gateway	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules
Symantec WSS	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: Tanium

Product	Event Types	MITRE ATT&CK® TTP	Content
Endpoint Platform	authentication-failed authentication-successful dns-response process-created security-alert	T1496 - Resource Hijacking	2 Rules
Integrity Monitor	file-delete file-permission-change file-write network-connection-failed network-connection-successful process-created	T1496 - Resource Hijacking	2 Rules

Vendor: Trend Micro

Product	Event Types	MITRE ATT&CK® TTP	Content
InterScan Web Security	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules
OfficeScan	dlp-alert dlp-email-alert-in dlp-email-alert-out privileged-object-access security-alert usb-write web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: Unix

Product	Event Types	MITRE ATT&CK® TTP	Content
Auditbeat	app-activity app-activity-failed authentication-successful process-created process-network process-network-failed	T1496 - Resource Hijacking	2 Rules
Unix	account-creation account-deleted account-lockout account-password-change account-switch authentication-failed authentication-successful batch-logon computer-logon dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-logon file-delete file-permission-change file-read file-write kerberos-logon local-logon member-added member-removed network-connection-failed process-created process-created-failed remote-access remote-logon security-alert task-created	T1496 - Resource Hijacking	2 Rules
Unix Auditd	account-creation account-deleted account-password-change account-switch app-activity-failed authentication-failed authentication-successful failed-logon local-logon member-added member-removed process-created process-created-failed remote-logon	T1496 - Resource Hijacking	2 Rules

Vendor: VMware

Product	Event Types	MITRE ATT&CK® TTP	Content
Carbon Black App Control	app-login file-alert file-download file-write local-logon process-alert process-created security-alert usb-activity usb-insert workstation-locked workstation-unlocked	T1496 - Resource Hijacking	2 Rules
Carbon Black Cloud Endpoint Standard	app-login authentication-successful failed-app-login file-write network-connection-failed network-connection-successful process-created registry-write security-alert	T1496 - Resource Hijacking	2 Rules
Carbon Black Cloud Enterprise EDR	authentication-successful file-write network-connection-failed network-connection-successful process-alert process-created registry-write security-alert	T1496 - Resource Hijacking	2 Rules
Carbon Black EDR	file-alert file-delete file-read file-write network-connection-failed network-connection-successful process-alert process-created process-created-failed process-network security-alert	T1496 - Resource Hijacking	2 Rules

Vendor: Vectra

Product	Event Types	MITRE ATT&CK® TTP	Content
Cognito Stream	authentication-failed authentication-successful dlp-email-alert-out file-delete file-read file-write ntlm-logon remote-logon web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: Watchguard

Product	Event Types	MITRE ATT&CK® TTP	Content
Watchguard	network-connection-failed network-connection-successful web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: Weblogin

Product	Event Types	MITRE ATT&CK® TTP	Content
Weblogin	web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: Zeek

Product	Event Types	MITRE ATT&CK® TTP	Content
Zeek Network Security Monitor	app-activity authentication-failed authentication-successful computer-logon dlp-email-alert-in dlp-email-alert-out dns-query dns-response failed-logon file-delete file-read file-write kerberos-logon nac-failed-logon nac-logon network-alert network-connection-failed network-connection-successful ntlm-logon remote-access remote-logon share-access web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: Zscaler

Product	Event Types	MITRE ATT&CK® TTP	Content
Zscaler Internet Access	app-login dlp-alert network-connection-failed network-connection-successful web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules

Vendor: iBoss

Product	Event Types	MITRE ATT&CK® TTP	Content
Secure Web Gateway	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	2 Rules