Use Case: Data Exfiltration

November 7, 2023 · View on GitHub

Use Case: Data Exfiltration

Vendor: Accellion

ProductEvent TypesMITRE ATT&CK® TTPContent
Kiteworks
  • account-lockout
  • account-password-change
  • account-password-reset
  • account-unlocked
  • app-activity
  • app-login
  • dlp-alert
  • dlp-email-alert-out
  • failed-app-login
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0002 - TA0002
TA0010 - TA0010
  • 31 Rules
  • 19 Models

Vendor: Airlock

ProductEvent TypesMITRE ATT&CK® TTPContent
Web Application Firewall
  • app-activity-failed
  • app-login
  • failed-app-login
  • file-delete
  • file-download
  • file-upload
  • file-write
  • network-connection-failed
  • network-connection-successful
  • vpn-logout
T1133 - External Remote Services
TA0002 - TA0002
TA0010 - TA0010
  • 6 Rules
  • 5 Models

Vendor: Akamai

ProductEvent TypesMITRE ATT&CK® TTPContent
Cloud Akamai
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models

Vendor: Amazon

ProductEvent TypesMITRE ATT&CK® TTPContent
AWS CloudWatch
  • netflow-connection
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1071.002 - Application Layer Protocol: File Transfer Protocols
  • 1 Rules
AWS WAF
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models

Vendor: Apache

ProductEvent TypesMITRE ATT&CK® TTPContent
Apache
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models

Vendor: AssetView

ProductEvent TypesMITRE ATT&CK® TTPContent
AssetView
  • file-download
  • file-write
  • print-activity
  • security-alert
  • usb-insert
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: Barracuda

ProductEvent TypesMITRE ATT&CK® TTPContent
Barracuda Firewall
  • failed-vpn-login
  • network-connection-failed
  • network-connection-successful
  • remote-logon
  • vpn-login
  • vpn-logout
T1133 - External Remote Services
TA0010 - TA0010
  • 4 Rules
  • 4 Models

Vendor: BeyondTrust

ProductEvent TypesMITRE ATT&CK® TTPContent
BeyondTrust PowerBroker
  • privileged-access
  • process-created
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
  • 13 Rules
BeyondTrust Privilege Management
  • local-logon
  • process-created
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
  • 13 Rules

Vendor: Bitdefender

ProductEvent TypesMITRE ATT&CK® TTPContent
GravityZone
  • app-login
  • security-alert
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 6 Rules
  • 2 Models

Vendor: Bitglass

ProductEvent TypesMITRE ATT&CK® TTPContent
Bitglass CASB
  • app-login
  • dlp-alert
  • dlp-email-alert-out
  • failed-app-login
  • file-download
  • file-read
  • file-write
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0002 - TA0002
TA0010 - TA0010
  • 31 Rules
  • 19 Models

Vendor: BlackBerry

ProductEvent TypesMITRE ATT&CK® TTPContent
BlackBerry Protect
  • app-activity
  • app-login
  • dlp-alert
  • file-alert
  • process-alert
  • security-alert
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0002 - TA0002
TA0010 - TA0010
  • 31 Rules
  • 19 Models

Vendor: Box

ProductEvent TypesMITRE ATT&CK® TTPContent
Box Cloud Content Management
  • app-activity
  • app-login
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: Bromium

ProductEvent TypesMITRE ATT&CK® TTPContent
Bromium Secure Platform
  • file-permission-change
  • file-read
  • file-write
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: Carbon Black EDR

ProductEvent TypesMITRE ATT&CK® TTPContent
Carbon Black EDR
  • file-alert
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: CatoNetworks

ProductEvent TypesMITRE ATT&CK® TTPContent
Cato Cloud
  • network-alert
  • vpn-connection
  • vpn-login
  • vpn-logout
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1133 - External Remote Services
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0010 - TA0010
  • 12 Rules
  • 6 Models

Vendor: Check Point

ProductEvent TypesMITRE ATT&CK® TTPContent
Avanan
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • security-alert
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0010 - TA0010
  • 29 Rules
  • 18 Models
Identity Awareness
  • failed-vpn-login
  • network-connection-failed
  • network-connection-successful
  • vpn-login
  • vpn-logout
T1133 - External Remote Services
TA0010 - TA0010
  • 4 Rules
  • 4 Models
NGFW
  • app-login
  • authentication-failed
  • authentication-successful
  • dlp-email-alert-in
  • dlp-email-alert-out
  • failed-vpn-login
  • local-logon
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • vpn-connection
  • vpn-login
  • vpn-logout
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1133 - External Remote Services
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0010 - TA0010
  • 12 Rules
  • 6 Models
Security Gateway
  • failed-vpn-login
  • vpn-login
  • vpn-logout
T1133 - External Remote Services
TA0010 - TA0010
  • 4 Rules
  • 4 Models

Vendor: Cimtrak

ProductEvent TypesMITRE ATT&CK® TTPContent
Cimtrak
  • file-delete
  • file-write
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: Cisco

ProductEvent TypesMITRE ATT&CK® TTPContent
ADC
  • web-activity-allowed
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 7 Rules
  • 2 Models
Adaptive Security Appliance
  • authentication-failed
  • authentication-successful
  • dns-response
  • failed-logon
  • failed-vpn-login
  • file-download
  • file-upload
  • nac-logon
  • network-connection-successful
  • process-created
  • remote-logon
  • vpn-login
  • vpn-logout
  • web-activity-denied
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1133 - External Remote Services
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1572 - Protocol Tunneling
TA0010 - TA0010
  • 23 Rules
  • 6 Models
AnyConnect
  • process-network
  • vpn-login
  • vpn-logout
T1133 - External Remote Services
TA0010 - TA0010
  • 4 Rules
  • 4 Models
Cloud Web Security
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models
CloudLock
  • dlp-alert
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0010 - TA0010
  • 29 Rules
  • 18 Models
Firepower
  • authentication-successful
  • dns-query
  • dns-response
  • failed-vpn-login
  • file-download
  • nac-logon
  • netflow-connection
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • process-created
  • security-alert
  • vpn-login
  • vpn-logout
  • web-activity-allowed
  • web-activity-denied
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1133 - External Remote Services
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1572 - Protocol Tunneling
TA0010 - TA0010
  • 26 Rules
  • 6 Models
ISE
  • app-activity
  • authentication-failed
  • authentication-successful
  • computer-logon
  • config-change
  • failed-logon
  • failed-vpn-login
  • nac-failed-logon
  • nac-logon
  • remote-logon
  • vpn-login
  • vpn-logout
T1133 - External Remote Services
TA0010 - TA0010
  • 4 Rules
  • 4 Models
IronPort Web Security
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models
Meraki MX appliances
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • vpn-login
  • vpn-logout
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1133 - External Remote Services
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0010 - TA0010
  • 12 Rules
  • 6 Models
NPE
  • process-created
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
  • 13 Rules
Netflow
  • netflow-connection
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1071.002 - Application Layer Protocol: File Transfer Protocols
  • 1 Rules
Proxy Umbrella
  • network-connection-successful
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models
Secure Web Appliance
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models
TACACS
  • authentication-failed
  • process-created
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
  • 13 Rules
Umbrella
  • dns-response
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models

Vendor: Citrix

ProductEvent TypesMITRE ATT&CK® TTPContent
Citrix Netscaler
  • app-login
  • authentication-failed
  • failed-vpn-login
  • process-created
  • vpn-login
  • vpn-logout
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1133 - External Remote Services
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
TA0010 - TA0010
  • 17 Rules
  • 4 Models
Citrix Netscaler VPN
  • authentication-failed
  • authentication-successful
  • remote-access
  • remote-logon
  • vpn-connection
  • vpn-logout
  • web-activity-allowed
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1133 - External Remote Services
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0010 - TA0010
  • 11 Rules
  • 6 Models
Web Logging
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models

Vendor: Cloudflare

ProductEvent TypesMITRE ATT&CK® TTPContent
Cloudflare WAF
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models

Vendor: Code42

ProductEvent TypesMITRE ATT&CK® TTPContent
Code42 Incydr
  • "app-activity"
  • "file-delete"
  • "file-download"
  • "file-read"
  • "file-upload"
  • "file-write"
  • "print-activity"
  • "usb-activity"
  • app-activity
  • dlp-email-alert-out
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
  • print-activity
  • security-alert
  • usb-activity
  • usb-insert
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: CrowdStrike

ProductEvent TypesMITRE ATT&CK® TTPContent
Falcon
  • app-activity
  • app-activity-failed
  • app-login
  • authentication-failed
  • batch-logon
  • computer-logon
  • config-change
  • dlp-alert
  • dns-query
  • failed-app-login
  • file-alert
  • file-delete
  • file-download
  • file-read
  • file-write
  • local-logon
  • network-connection-failed
  • network-connection-successful
  • process-alert
  • process-created
  • process-network
  • remote-access
  • remote-logon
  • security-alert
  • service-logon
  • task-created
  • usb-activity
  • usb-insert
  • usb-write
  • workstation-unlocked
T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
TA0002 - TA0002
TA0010 - TA0010
  • 44 Rules
  • 19 Models

Vendor: CyberArk

ProductEvent TypesMITRE ATT&CK® TTPContent
CyberArk Vault
  • account-password-change
  • account-password-change-failed
  • account-password-reset
  • account-switch
  • app-activity
  • app-activity-failed
  • app-login
  • failed-app-login
  • failed-logon
  • file-delete
  • file-permission-change
  • file-read
  • file-write
  • remote-logon
  • security-alert
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: Delinea

ProductEvent TypesMITRE ATT&CK® TTPContent
Centrify Audit and Monitoring Service
  • file-delete
  • file-read
  • file-write
TA0002 - TA0002
  • 2 Rules
  • 1 Models
Centrify Infrastructure Services
  • process-created
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
  • 13 Rules

Vendor: Dell

ProductEvent TypesMITRE ATT&CK® TTPContent
EMC Isilon
  • file-delete
  • file-permission-change
  • file-read
  • file-write
  • remote-access
TA0002 - TA0002
  • 2 Rules
  • 1 Models
SonicWALL Aventail
  • vpn-login
  • vpn-logout
T1133 - External Remote Services
TA0010 - TA0010
  • 4 Rules
  • 4 Models

Vendor: Digital Arts

ProductEvent TypesMITRE ATT&CK® TTPContent
Digital Arts i-FILTER for Business
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models

Vendor: Digital Guardian

ProductEvent TypesMITRE ATT&CK® TTPContent
Digital Guardian Endpoint Protection
  • app-activity
  • app-login
  • dlp-email-alert-out
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
  • local-logon
  • network-connection-failed
  • network-connection-successful
  • print-activity
  • process-created
  • usb-insert
  • usb-write
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
TA0002 - TA0002
  • 15 Rules
  • 1 Models
Digital Guardian Network DLP
  • dlp-alert
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0010 - TA0010
  • 29 Rules
  • 18 Models

Vendor: Dropbox

ProductEvent TypesMITRE ATT&CK® TTPContent
Dropbox
  • app-activity
  • app-login
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-write
  • vpn-logout
T1133 - External Remote Services
TA0002 - TA0002
TA0010 - TA0010
  • 6 Rules
  • 5 Models

Vendor: Dtex Systems

ProductEvent TypesMITRE ATT&CK® TTPContent
DTEX InTERCEPT
  • file-delete
  • file-read
  • file-write
  • local-logon
  • print-activity
  • process-created
  • remote-logon
  • usb-write
  • web-activity-allowed
  • workstation-locked
  • workstation-unlocked
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1572 - Protocol Tunneling
TA0002 - TA0002
  • 22 Rules
  • 3 Models

Vendor: ESET

ProductEvent TypesMITRE ATT&CK® TTPContent
ESET Endpoint Security
  • app-login
  • authentication-failed
  • authentication-successful
  • failed-logon
  • network-alert
  • security-alert
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 6 Rules
  • 2 Models

Vendor: ESector

ProductEvent TypesMITRE ATT&CK® TTPContent
ESector DEFESA
  • file-delete
  • file-read
  • file-write
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: EdgeWave

ProductEvent TypesMITRE ATT&CK® TTPContent
EdgeWave iPrism
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models

Vendor: Egnyte

ProductEvent TypesMITRE ATT&CK® TTPContent
Egnyte
  • app-activity
  • app-login
  • failed-app-login
  • file-delete
  • file-download
  • file-permission-change
  • file-upload
  • file-write
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: EndPoint

ProductEvent TypesMITRE ATT&CK® TTPContent
EndPoint
  • dlp-alert
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0010 - TA0010
  • 29 Rules
  • 18 Models

Vendor: F5

ProductEvent TypesMITRE ATT&CK® TTPContent
F5 Advanced Web Application Firewall (WAF)
  • account-switch
  • dlp-email-alert-out
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • process-created
  • remote-logon
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
  • 13 Rules
F5 BIG-IP
  • account-password-change-failed
  • authentication-failed
  • authentication-successful
  • failed-logon
  • failed-vpn-login
  • network-connection-successful
  • remote-logon
  • vpn-login
  • vpn-logout
T1133 - External Remote Services
TA0010 - TA0010
  • 4 Rules
  • 4 Models
F5 BIG-IP Access Policy Manager (APM)
  • authentication-failed
  • authentication-successful
  • vpn-login
  • vpn-logout
T1133 - External Remote Services
TA0010 - TA0010
  • 4 Rules
  • 4 Models
F5 BIG-IP Application Security Manager (ASM)
  • security-alert
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models
WebSafe
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models

Vendor: FTP

ProductEvent TypesMITRE ATT&CK® TTPContent
FTP
  • app-activity
  • app-activity-failed
  • app-login
  • failed-app-login
  • file-delete
  • file-read
  • file-write
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: FileAuditor

ProductEvent TypesMITRE ATT&CK® TTPContent
FileAuditor
  • file-delete
  • file-read
  • file-write
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: FireEye

ProductEvent TypesMITRE ATT&CK® TTPContent
FireEye Endpoint Security (HX)
  • file-write
  • network-alert
  • process-alert
  • security-alert
TA0002 - TA0002
  • 2 Rules
  • 1 Models
FireEye Network Security (NX)
  • security-alert
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models

Vendor: Forcepoint

ProductEvent TypesMITRE ATT&CK® TTPContent
Forcepoint DLP
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • usb-insert
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0010 - TA0010
  • 29 Rules
  • 18 Models
Forcepoint Insider Threat
  • dlp-alert
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0010 - TA0010
  • 29 Rules
  • 18 Models
Websense Secure Gateway
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models

Vendor: Fortinet

ProductEvent TypesMITRE ATT&CK® TTPContent
FortiGate
  • network-connection-successful
  • vpn-connection
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models
Fortinet Enterprise Firewall
  • app-activity
  • app-activity-failed
  • computer-logon
  • netflow-connection
  • network-connection-failed
  • network-connection-successful
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1071.002 - Application Layer Protocol: File Transfer Protocols
  • 1 Rules
Fortinet FortiWeb
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models
Fortinet UTM
  • app-activity
  • app-activity-failed
  • authentication-failed
  • authentication-successful
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • network-alert
  • security-alert
  • web-activity-allowed
  • web-activity-denied
T1020 - Automated Exfiltration
T1041 - Exfiltration Over C2 Channel
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0010 - TA0010
  • 37 Rules
  • 20 Models
Fortinet VPN
  • authentication-successful
  • failed-vpn-login
  • vpn-login
  • vpn-logout
T1133 - External Remote Services
TA0010 - TA0010
  • 4 Rules
  • 4 Models

Vendor: GTB

ProductEvent TypesMITRE ATT&CK® TTPContent
GTBInspector
  • dlp-alert
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0010 - TA0010
  • 29 Rules
  • 18 Models

Vendor: Google

ProductEvent TypesMITRE ATT&CK® TTPContent
Cloud Platform
  • app-activity
  • cloud-admin-activity
  • cloud-admin-activity-failed
  • gcp-disk-attach
  • gcp-disk-create
  • gcp-image-create
  • gcp-instance-create
  • gcp-instance-setmachinetype
  • gcp-instance-setmetadata
  • gcp-policy-write
  • gcp-role-write
  • gcp-serviceaccount-creds-write
  • gcp-serviceaccount-write
  • gcp-snapshot-create
  • gcp-storageobject-acl
  • netflow-connection
  • network-alert
  • storage-access
  • storage-activity
  • storage-activity-failed
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 9 Rules
  • 2 Models
Workspace
  • account-password-change
  • account-password-reset
  • app-activity
  • app-login
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • failed-app-login
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: HP

ProductEvent TypesMITRE ATT&CK® TTPContent
HP Comware
  • process-created
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
  • 13 Rules

Vendor: HashiCorp

ProductEvent TypesMITRE ATT&CK® TTPContent
Terraform
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models

Vendor: HelpSystems

ProductEvent TypesMITRE ATT&CK® TTPContent
Powertech Identity Access Manager (BoKs)
  • account-switch
  • file-delete
  • file-read
  • file-write
  • local-logon
  • process-created
  • remote-logon
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
TA0002 - TA0002
  • 15 Rules
  • 1 Models

Vendor: Huawei

ProductEvent TypesMITRE ATT&CK® TTPContent
Unified Security Gateway
  • authentication-successful
  • network-alert
  • process-created
  • vpn-login
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
  • 13 Rules

Vendor: IBM

ProductEvent TypesMITRE ATT&CK® TTPContent
IBM Security Access Manager
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models
Infosphere Guardium
  • database-alert
  • database-failed-login
  • database-login
  • database-query
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: IMSS

ProductEvent TypesMITRE ATT&CK® TTPContent
IMSS
  • dlp-alert
  • security-alert
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0010 - TA0010
  • 29 Rules
  • 18 Models

Vendor: Imperva

ProductEvent TypesMITRE ATT&CK® TTPContent
CounterBreach
  • database-alert
TA0002 - TA0002
  • 2 Rules
  • 1 Models
Imperva File Activity Monitoring (FAM)
  • file-delete
  • file-permission-change
  • file-read
  • file-write
TA0002 - TA0002
  • 2 Rules
  • 1 Models
Imperva SecureSphere
  • app-login
  • database-alert
  • database-delete
  • database-failed-login
  • database-login
  • database-query
  • database-update
  • failed-app-login
  • network-alert
  • security-alert
TA0002 - TA0002
  • 2 Rules
  • 1 Models
Incapsula
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models

Vendor: InfoWatch

ProductEvent TypesMITRE ATT&CK® TTPContent
InfoWatch
  • app-login
  • dlp-email-alert-in
  • dlp-email-alert-out
  • print-activity
  • usb-write
  • web-activity-allowed
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 7 Rules
  • 2 Models

Vendor: Infoblox

ProductEvent TypesMITRE ATT&CK® TTPContent
BloxOne
  • computer-logon
  • dns-query
  • dns-response
  • file-write
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • remote-logon
  • vpn-connection
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: Ipswitch

ProductEvent TypesMITRE ATT&CK® TTPContent
IPswitch MoveIt
  • app-activity
  • app-login
  • failed-app-login
  • file-read
  • file-write
TA0002 - TA0002
  • 2 Rules
  • 1 Models
MoveIt DMZ
  • account-password-change
  • authentication-failed
  • authentication-successful
  • failed-logon
  • file-delete
  • file-download
  • file-upload
  • file-write
  • member-added
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: Juniper Networks

ProductEvent TypesMITRE ATT&CK® TTPContent
Juniper Networks
  • config-change
  • process-created
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
  • 13 Rules
Juniper Networks Pulse Secure
  • account-deleted
  • app-activity
  • authentication-failed
  • authentication-successful
  • failed-vpn-login
  • network-connection-failed
  • vpn-connection
  • vpn-login
  • vpn-logout
T1133 - External Remote Services
TA0010 - TA0010
  • 4 Rules
  • 4 Models
Juniper SRX
  • authentication-successful
  • failed-vpn-login
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • security-alert
  • vpn-login
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models
Juniper VPN
  • account-deleted
  • authentication-failed
  • authentication-successful
  • failed-vpn-login
  • vpn-login
  • vpn-logout
  • web-activity-allowed
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1133 - External Remote Services
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0010 - TA0010
  • 11 Rules
  • 6 Models

Vendor: Kaspersky

ProductEvent TypesMITRE ATT&CK® TTPContent
Kaspersky AV
  • dlp-email-alert-in
  • file-alert
  • security-alert
TA0002 - TA0002
  • 2 Rules
  • 1 Models
Kaspersky Endpoint Security for Business
  • dlp-alert
  • network-alert
  • security-alert
  • usb-insert
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0010 - TA0010
  • 29 Rules
  • 18 Models

Vendor: LOGBinder

ProductEvent TypesMITRE ATT&CK® TTPContent
SharePoint
  • app-activity
  • file-read
  • file-write
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: LanScope

ProductEvent TypesMITRE ATT&CK® TTPContent
LanScope Cat
  • app-activity
  • dlp-alert
  • failed-usb-activity
  • file-delete
  • file-write
  • local-logon
  • print-activity
  • process-created
  • process-created-failed
  • process-network
  • usb-activity
  • usb-write
  • web-activity-allowed
  • workstation-locked
  • workstation-unlocked
T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1572 - Protocol Tunneling
TA0002 - TA0002
TA0010 - TA0010
  • 51 Rules
  • 21 Models

Vendor: LogRhythm

ProductEvent TypesMITRE ATT&CK® TTPContent
LogRhythm
  • process-created
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
  • 13 Rules

Vendor: Malwarebytes

ProductEvent TypesMITRE ATT&CK® TTPContent
Malwarebytes Endpoint Protection
  • network-alert
  • security-alert
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 6 Rules
  • 2 Models

Vendor: McAfee

ProductEvent TypesMITRE ATT&CK® TTPContent
MDAM
  • database-alert
  • database-delete
  • database-query
  • database-update
TA0002 - TA0002
  • 2 Rules
  • 1 Models
McAfee Advanced Threat Defense
  • dlp-alert
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0010 - TA0010
  • 29 Rules
  • 18 Models
McAfee DLP
  • dlp-alert
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • failed-usb-activity
  • print-activity
  • usb-insert
  • usb-write
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0010 - TA0010
  • 29 Rules
  • 18 Models
McAfee Endpoint Security
  • dlp-alert
  • file-write
  • process-alert
  • process-created-failed
  • remote-logon
  • security-alert
  • usb-activity
  • usb-insert
  • usb-write
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0002 - TA0002
TA0010 - TA0010
  • 31 Rules
  • 19 Models
McAfee Web Gateway
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models
Skyhigh Networks CASB
  • app-activity
  • app-login
  • dlp-alert
  • failed-app-login
  • file-download
  • security-alert
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0010 - TA0010
  • 29 Rules
  • 18 Models

Vendor: Microsoft

ProductEvent TypesMITRE ATT&CK® TTPContent
Azure
  • account-password-change
  • app-activity
  • app-activity-failed
  • app-login
  • authentication-failed
  • authentication-successful
  • cloud-admin-activity
  • cloud-admin-activity-failed
  • database-query
  • dns-query
  • failed-app-login
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
  • image-loaded
  • member-added
  • member-removed
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • process-created
  • remote-logon
  • security-alert
  • storage-access
  • storage-activity
  • storage-activity-failed
  • usb-activity
  • usb-insert
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
TA0002 - TA0002
  • 15 Rules
  • 1 Models
Azure Security Center
  • database-alert
  • dlp-alert
  • network-alert
  • process-alert
  • security-alert
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0002 - TA0002
TA0010 - TA0010
  • 31 Rules
  • 19 Models
Cloud App Security (MCAS)
  • account-password-change
  • account-password-reset
  • app-activity
  • app-login
  • dlp-alert
  • failed-app-login
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
  • security-alert
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0002 - TA0002
TA0010 - TA0010
  • 31 Rules
  • 19 Models
Defender ATP
  • app-login
  • batch-logon
  • failed-logon
  • file-delete
  • file-write
  • local-logon
  • member-added
  • member-removed
  • process-created
  • process-network
  • process-network-failed
  • remote-access
  • remote-logon
  • security-alert
  • service-logon
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
TA0002 - TA0002
  • 15 Rules
  • 1 Models
Exchange
  • app-activity
  • app-activity-failed
  • app-login
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • failed-app-login
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0010 - TA0010
  • 29 Rules
  • 18 Models
IIS
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models
Office 365
  • account-password-change
  • app-activity
  • app-activity-failed
  • app-login
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • failed-app-login
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
  • process-created
  • security-alert
  • usb-write
T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
TA0002 - TA0002
TA0010 - TA0010
  • 44 Rules
  • 19 Models
Routing and Remote Access Service
  • authentication-successful
  • vpn-login
  • vpn-logout
T1133 - External Remote Services
TA0010 - TA0010
  • 4 Rules
  • 4 Models
Sysmon
  • dns-query
  • file-delete
  • file-write
  • image-loaded
  • process-alert
  • process-created
  • process-network
  • registry-write
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
TA0002 - TA0002
  • 15 Rules
  • 1 Models
Web Application Proxy
  • remote-logon
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models
Web Application Proxy-TLS Gateway
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models
Windows
  • account-creation
  • account-deleted
  • account-disabled
  • account-enabled
  • account-lockout
  • account-password-change
  • account-password-change-failed
  • account-password-reset
  • account-switch
  • account-unlocked
  • app-login
  • audit-log-clear
  • audit-policy-change
  • authentication-failed
  • authentication-successful
  • batch-logon
  • computer-logon
  • config-change
  • dcom-activation-failed
  • dns-query
  • dns-response
  • ds-access
  • failed-app-login
  • failed-logon
  • failed-vpn-login
  • file-close
  • file-delete
  • file-read
  • file-write
  • kerberos-logon
  • local-logon
  • logout-remote
  • member-added
  • member-removed
  • nac-failed-logon
  • nac-logon
  • network-connection-successful
  • ntlm-logon
  • privileged-access
  • privileged-object-access
  • process-created
  • process-network
  • process-network-failed
  • registry-write
  • remote-access
  • remote-logon
  • security-alert
  • service-created
  • service-logon
  • share-access
  • share-access-denied
  • task-created
  • usb-activity
  • usb-insert
  • vpn-login
  • vpn-logout
  • winsession-disconnect
  • workstation-locked
  • workstation-unlocked
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1133 - External Remote Services
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
TA0002 - TA0002
TA0010 - TA0010
  • 19 Rules
  • 5 Models
Windows Defender
  • dlp-alert
  • security-alert
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0010 - TA0010
  • 29 Rules
  • 18 Models

Vendor: Mimecast

ProductEvent TypesMITRE ATT&CK® TTPContent
Targeted Threat Protection - URL
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models

Vendor: Mvision

ProductEvent TypesMITRE ATT&CK® TTPContent
Mvision
  • dlp-alert
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0010 - TA0010
  • 29 Rules
  • 18 Models

Vendor: NCP

ProductEvent TypesMITRE ATT&CK® TTPContent
NCP
  • authentication-failed
  • vpn-login
  • vpn-logout
T1133 - External Remote Services
TA0010 - TA0010
  • 4 Rules
  • 4 Models

Vendor: Nasuni

ProductEvent TypesMITRE ATT&CK® TTPContent
Nasuni
  • file-delete
  • file-permission-change
  • file-write
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: NetApp

ProductEvent TypesMITRE ATT&CK® TTPContent
NetApp
  • file-alert
  • file-delete
  • file-read
  • file-write
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: NetDocs

ProductEvent TypesMITRE ATT&CK® TTPContent
NetDocs
  • app-activity
  • file-delete
  • file-read
  • file-upload
  • file-write
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: NetMotion Wireless

ProductEvent TypesMITRE ATT&CK® TTPContent
NetMotion Wireless
  • vpn-login
  • vpn-logout
T1133 - External Remote Services
TA0010 - TA0010
  • 4 Rules
  • 4 Models

Vendor: Netskope

ProductEvent TypesMITRE ATT&CK® TTPContent
Security Cloud
  • app-activity
  • app-login
  • dlp-alert
  • dlp-email-alert-out
  • failed-app-login
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
  • network-connection-failed
  • network-connection-successful
  • security-alert
  • web-activity-allowed
  • web-activity-denied
T1020 - Automated Exfiltration
T1041 - Exfiltration Over C2 Channel
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0010 - TA0010
  • 39 Rules
  • 21 Models

Vendor: Netwrix

ProductEvent TypesMITRE ATT&CK® TTPContent
Netwrix Auditor
  • account-disabled
  • account-lockout
  • account-password-reset
  • account-unlocked
  • app-activity
  • app-login
  • database-access
  • database-failed-login
  • ds-access
  • failed-app-login
  • failed-logon
  • file-delete
  • file-write
  • member-added
  • member-removed
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: NextDLP

ProductEvent TypesMITRE ATT&CK® TTPContent
Reveal
  • authentication-failed
  • dlp-alert
  • member-added
  • remote-logon
  • security-alert
  • usb-insert
  • web-activity-allowed
T1020 - Automated Exfiltration
T1041 - Exfiltration Over C2 Channel
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0010 - TA0010
  • 36 Rules
  • 20 Models

Vendor: Nortel Contivity

ProductEvent TypesMITRE ATT&CK® TTPContent
Nortel Contivity VPN
  • vpn-login
  • vpn-logout
T1133 - External Remote Services
TA0010 - TA0010
  • 4 Rules
  • 4 Models

Vendor: Nutanix

ProductEvent TypesMITRE ATT&CK® TTPContent
Nutanix Files
  • file-delete
  • file-read
  • file-write
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: ObserveIT

ProductEvent TypesMITRE ATT&CK® TTPContent
ObserveIT
  • app-activity
  • app-login
  • database-access
  • dlp-alert
  • failed-app-login
  • process-created
  • remote-logon
  • security-alert
T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
TA0010 - TA0010
  • 42 Rules
  • 18 Models

Vendor: Oracle

ProductEvent TypesMITRE ATT&CK® TTPContent
Public Cloud
  • netflow-connection
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1071.002 - Application Layer Protocol: File Transfer Protocols
  • 1 Rules
Solaris
  • process-created
  • process-created-failed
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
  • 13 Rules

Vendor: Palo Alto Networks

ProductEvent TypesMITRE ATT&CK® TTPContent
GlobalProtect
  • app-activity
  • authentication-failed
  • authentication-successful
  • config-change
  • failed-logon
  • failed-vpn-login
  • remote-logon
  • vpn-login
  • vpn-logout
T1133 - External Remote Services
TA0010 - TA0010
  • 4 Rules
  • 4 Models
NGFW
  • authentication-failed
  • authentication-successful
  • config-change
  • dlp-alert
  • file-alert
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • remote-logon
  • security-alert
  • vpn-login
  • web-activity-allowed
  • web-activity-denied
T1020 - Automated Exfiltration
T1041 - Exfiltration Over C2 Channel
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0010 - TA0010
  • 39 Rules
  • 21 Models
Palo Alto Aperture
  • app-activity
  • app-login
  • dlp-alert
  • file-delete
  • file-download
  • file-read
  • file-write
  • security-alert
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0002 - TA0002
TA0010 - TA0010
  • 31 Rules
  • 19 Models
Prisma Access
  • dns-query
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models
WildFire
  • file-alert
  • network-alert
  • security-alert
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: Proofpoint

ProductEvent TypesMITRE ATT&CK® TTPContent
ObserveIT
  • dlp-alert
  • security-alert
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0010 - TA0010
  • 29 Rules
  • 18 Models
Proofpoint CASB
  • dlp-alert
  • security-alert
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0010 - TA0010
  • 29 Rules
  • 18 Models
Proofpoint Enterprise Protection
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • security-alert
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0010 - TA0010
  • 29 Rules
  • 18 Models
Proofpoint TAP
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0010 - TA0010
  • 29 Rules
  • 18 Models

Vendor: QUSH

ProductEvent TypesMITRE ATT&CK® TTPContent
Reveal
  • dlp-alert
  • file-upload
  • file-write
  • nac-logon
  • print-activity
  • remote-logon
  • usb-insert
  • web-activity-allowed
T1020 - Automated Exfiltration
T1041 - Exfiltration Over C2 Channel
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0010 - TA0010
  • 38 Rules
  • 21 Models

Vendor: Quest Software

ProductEvent TypesMITRE ATT&CK® TTPContent
Change Auditor
  • account-lockout
  • account-password-change
  • account-password-change-failed
  • account-unlocked
  • ds-access
  • failed-ds-access
  • failed-logon
  • file-delete
  • file-read
  • file-write
  • local-logon
  • member-added
  • member-removed
  • remote-logon
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: RSA

ProductEvent TypesMITRE ATT&CK® TTPContent
RSA
  • netflow-connection
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1071.002 - Application Layer Protocol: File Transfer Protocols
  • 1 Rules
RSA DLP
  • dlp-alert
  • dlp-email-alert-out
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0010 - TA0010
  • 29 Rules
  • 18 Models
SecurID
  • authentication-failed
  • authentication-successful
  • vpn-logout
T1133 - External Remote Services
TA0010 - TA0010
  • 4 Rules
  • 4 Models

Vendor: RangerAudit

ProductEvent TypesMITRE ATT&CK® TTPContent
RangerAudit
  • app-activity
  • app-login
  • database-activity-failed
  • database-query
  • failed-app-login
  • file-read
  • file-write
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: SAP

ProductEvent TypesMITRE ATT&CK® TTPContent
SAP
  • account-creation
  • account-deleted
  • account-lockout
  • account-password-change
  • account-unlocked
  • app-activity
  • app-login
  • authentication-failed
  • authentication-successful
  • failed-app-login
  • file-download
  • file-write
  • gcp-bucket-create
  • gcp-compute-list
  • gcp-function-write
  • gcp-general-activity
  • gcp-instance-screenshot
  • gcp-role-list
  • gcp-serviceaccount-creds-write
  • gcp-storage-list
  • gcp-storageobject-read
  • gcp-storageobject-write
  • remote-logon
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: SFTP

ProductEvent TypesMITRE ATT&CK® TTPContent
SFTP
  • app-login
  • failed-app-login
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: SIGSCI

ProductEvent TypesMITRE ATT&CK® TTPContent
SIGSCI
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models

Vendor: SSL Open VPN

ProductEvent TypesMITRE ATT&CK® TTPContent
SSL Open VPN
  • app-activity
  • app-activity-failed
  • authentication-failed
  • authentication-successful
  • failed-vpn-login
  • vpn-login
  • vpn-logout
T1133 - External Remote Services
TA0010 - TA0010
  • 4 Rules
  • 4 Models

Vendor: Safend

ProductEvent TypesMITRE ATT&CK® TTPContent
Data Protection Suite (DPS)
  • dlp-alert
  • usb-insert
  • usb-read
  • usb-write
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0010 - TA0010
  • 29 Rules
  • 18 Models

Vendor: Sailpoint

ProductEvent TypesMITRE ATT&CK® TTPContent
FAM
  • file-delete
  • file-permission-change
  • file-read
  • file-write
TA0002 - TA0002
  • 2 Rules
  • 1 Models
SecurityIQ
  • account-creation
  • account-deleted
  • account-lockout
  • account-password-reset
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
  • member-added
  • member-removed
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: Sangfor

ProductEvent TypesMITRE ATT&CK® TTPContent
NGAF
  • network-alert
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models

Vendor: Seclore

ProductEvent TypesMITRE ATT&CK® TTPContent
Seclore
  • file-permission-change
  • file-read
  • file-write
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: SecureNet

ProductEvent TypesMITRE ATT&CK® TTPContent
SecureNet
  • vpn-login
  • vpn-logout
T1133 - External Remote Services
TA0010 - TA0010
  • 4 Rules
  • 4 Models

Vendor: SentinelOne

ProductEvent TypesMITRE ATT&CK® TTPContent
Singularity Platform
  • "app-activity"
  • "process-created"
  • "process-network"
  • "security-alert"
  • app-activity
  • dns-query
  • dns-response
  • file-alert
  • file-delete
  • file-read
  • file-write
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • process-alert
  • process-created
  • registry-write
  • security-alert
  • task-created
  • web-activity-allowed
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1572 - Protocol Tunneling
TA0002 - TA0002
  • 22 Rules
  • 3 Models

Vendor: SkySea

ProductEvent TypesMITRE ATT&CK® TTPContent
ClientView
  • app-activity
  • app-login
  • dlp-email-alert-out
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
  • print-activity
  • process-created
  • security-alert
  • share-access
  • usb-activity
  • web-activity-allowed
  • web-activity-denied
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1572 - Protocol Tunneling
TA0002 - TA0002
  • 23 Rules
  • 3 Models

Vendor: Skyhigh Security

ProductEvent TypesMITRE ATT&CK® TTPContent
Skyhigh Security Cloud
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 6 Rules
  • 2 Models

Vendor: Sonicwall

ProductEvent TypesMITRE ATT&CK® TTPContent
Sonicwall
  • failed-vpn-login
  • network-alert
  • remote-logon
  • vpn-login
  • vpn-logout
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1133 - External Remote Services
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0010 - TA0010
  • 12 Rules
  • 6 Models

Vendor: Sophos

ProductEvent TypesMITRE ATT&CK® TTPContent
Sophos Endpoint Protection
  • app-activity-failed
  • dlp-alert
  • failed-usb-activity
  • file-alert
  • network-alert
  • network-connection-failed
  • process-alert
  • security-alert
  • usb-insert
  • usb-read
  • usb-write
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0002 - TA0002
TA0010 - TA0010
  • 31 Rules
  • 19 Models
Sophos UTM
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models
Sophos XG Firewall
  • app-login
  • failed-vpn-login
  • network-connection-failed
  • network-connection-successful
  • vpn-login
  • vpn-logout
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1133 - External Remote Services
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0010 - TA0010
  • 12 Rules
  • 6 Models

Vendor: Squid

ProductEvent TypesMITRE ATT&CK® TTPContent
Squid
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models

Vendor: StealthBits

ProductEvent TypesMITRE ATT&CK® TTPContent
StealthIntercept
  • account-disabled
  • account-enabled
  • authentication-failed
  • authentication-successful
  • ds-access
  • failed-ds-access
  • file-permission-change
  • file-read
  • file-write
  • member-added
  • member-removed
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: Symantec

ProductEvent TypesMITRE ATT&CK® TTPContent
Symantec Blue Coat ProxySG Appliance
  • network-connection-failed
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models
Symantec CloudSOC
  • app-activity
  • app-login
  • dlp-alert
  • failed-app-login
  • file-delete
  • file-download
  • file-upload
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0010 - TA0010
  • 29 Rules
  • 18 Models
Symantec DLP
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • print-activity
  • security-alert
  • usb-activity
  • usb-insert
  • usb-read
  • usb-write
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0010 - TA0010
  • 29 Rules
  • 18 Models
Symantec EDR
  • authentication-successful
  • file-alert
  • file-delete
  • file-write
  • process-created
  • remote-logon
  • security-alert
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
TA0002 - TA0002
  • 15 Rules
  • 1 Models
Symantec Fireglass
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models
Symantec Secure Web Gateway
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models
Symantec WSS
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models

Vendor: Tanium

ProductEvent TypesMITRE ATT&CK® TTPContent
Endpoint Platform
  • authentication-failed
  • authentication-successful
  • dns-response
  • process-created
  • security-alert
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
  • 13 Rules
Integrity Monitor
  • file-delete
  • file-permission-change
  • file-write
  • network-connection-failed
  • network-connection-successful
  • process-created
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
TA0002 - TA0002
  • 15 Rules
  • 1 Models

Vendor: Trend Micro

ProductEvent TypesMITRE ATT&CK® TTPContent
InterScan Web Security
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models
OfficeScan
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-out
  • privileged-object-access
  • security-alert
  • usb-write
  • web-activity-allowed
T1020 - Automated Exfiltration
T1041 - Exfiltration Over C2 Channel
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0010 - TA0010
  • 36 Rules
  • 20 Models

Vendor: Tripwire Enterprise

ProductEvent TypesMITRE ATT&CK® TTPContent
Tripwire Enterprise
  • file-alert
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: Unix

ProductEvent TypesMITRE ATT&CK® TTPContent
Auditbeat
  • app-activity
  • app-activity-failed
  • authentication-successful
  • process-created
  • process-network
  • process-network-failed
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
  • 13 Rules
Unix
  • account-creation
  • account-deleted
  • account-lockout
  • account-password-change
  • account-switch
  • authentication-failed
  • authentication-successful
  • batch-logon
  • computer-logon
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • failed-logon
  • file-delete
  • file-permission-change
  • file-read
  • file-write
  • kerberos-logon
  • local-logon
  • member-added
  • member-removed
  • network-connection-failed
  • process-created
  • process-created-failed
  • remote-access
  • remote-logon
  • security-alert
  • task-created
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
TA0002 - TA0002
  • 15 Rules
  • 1 Models
Unix Auditd
  • account-creation
  • account-deleted
  • account-password-change
  • account-switch
  • app-activity-failed
  • authentication-failed
  • authentication-successful
  • failed-logon
  • local-logon
  • member-added
  • member-removed
  • process-created
  • process-created-failed
  • remote-logon
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
  • 13 Rules

Vendor: VMware

ProductEvent TypesMITRE ATT&CK® TTPContent
Carbon Black App Control
  • app-login
  • file-alert
  • file-download
  • file-write
  • local-logon
  • process-alert
  • process-created
  • security-alert
  • usb-activity
  • usb-insert
  • workstation-locked
  • workstation-unlocked
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
TA0002 - TA0002
  • 15 Rules
  • 1 Models
Carbon Black Cloud Endpoint Standard
  • app-login
  • authentication-successful
  • failed-app-login
  • file-write
  • network-connection-failed
  • network-connection-successful
  • process-created
  • registry-write
  • security-alert
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
TA0002 - TA0002
  • 15 Rules
  • 1 Models
Carbon Black Cloud Enterprise EDR
  • authentication-successful
  • file-write
  • network-connection-failed
  • network-connection-successful
  • process-alert
  • process-created
  • registry-write
  • security-alert
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
TA0002 - TA0002
  • 15 Rules
  • 1 Models
Carbon Black EDR
  • file-alert
  • file-delete
  • file-read
  • file-write
  • network-connection-failed
  • network-connection-successful
  • process-alert
  • process-created
  • process-created-failed
  • process-network
  • security-alert
T1003 - OS Credential Dumping
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1572 - Protocol Tunneling
TA0002 - TA0002
  • 15 Rules
  • 1 Models

Vendor: Varonis

ProductEvent TypesMITRE ATT&CK® TTPContent
Data Security Platform
  • dlp-alert
  • file-delete
  • file-permission-change
  • file-read
  • file-write
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0002 - TA0002
TA0010 - TA0010
  • 31 Rules
  • 19 Models

Vendor: Vectra

ProductEvent TypesMITRE ATT&CK® TTPContent
Cognito Stream
  • authentication-failed
  • authentication-successful
  • dlp-email-alert-out
  • file-delete
  • file-read
  • file-write
  • ntlm-logon
  • remote-logon
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 10 Rules
  • 3 Models

Vendor: Virtru

ProductEvent TypesMITRE ATT&CK® TTPContent
Virtru
  • dlp-alert
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0010 - TA0010
  • 29 Rules
  • 18 Models

Vendor: Vormetric

ProductEvent TypesMITRE ATT&CK® TTPContent
Vormetric
  • file-alert
  • file-read
TA0002 - TA0002
  • 2 Rules
  • 1 Models

Vendor: Watchguard

ProductEvent TypesMITRE ATT&CK® TTPContent
Watchguard
  • network-connection-failed
  • network-connection-successful
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models

Vendor: Weblogin

ProductEvent TypesMITRE ATT&CK® TTPContent
Weblogin
  • web-activity-allowed
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 7 Rules
  • 2 Models

Vendor: Zeek

ProductEvent TypesMITRE ATT&CK® TTPContent
Zeek Network Security Monitor
  • app-activity
  • authentication-failed
  • authentication-successful
  • computer-logon
  • dlp-email-alert-in
  • dlp-email-alert-out
  • dns-query
  • dns-response
  • failed-logon
  • file-delete
  • file-read
  • file-write
  • kerberos-logon
  • nac-failed-logon
  • nac-logon
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • ntlm-logon
  • remote-access
  • remote-logon
  • share-access
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 10 Rules
  • 3 Models

Vendor: Zscaler

ProductEvent TypesMITRE ATT&CK® TTPContent
Zscaler Internet Access
  • app-login
  • dlp-alert
  • network-connection-failed
  • network-connection-successful
  • web-activity-allowed
  • web-activity-denied
T1020 - Automated Exfiltration
T1041 - Exfiltration Over C2 Channel
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0010 - TA0010
  • 37 Rules
  • 20 Models
Zscaler Private Access
  • vpn-login
  • vpn-logout
T1133 - External Remote Services
TA0010 - TA0010
  • 4 Rules
  • 4 Models

Vendor: iBoss

ProductEvent TypesMITRE ATT&CK® TTPContent
Secure Web Gateway
  • web-activity-allowed
  • web-activity-denied
T1041 - Exfiltration Over C2 Channel
T1071.001 - Application Layer Protocol: Web Protocols
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 8 Rules
  • 2 Models

Vendor: iManage

ProductEvent TypesMITRE ATT&CK® TTPContent
iManage
  • app-activity
  • dlp-alert
T1020 - Automated Exfiltration
T1071 - Application Layer Protocol
TA0010 - TA0010
  • 29 Rules
  • 18 Models