Use Case: Ransomware

November 7, 2023 · View on GitHub

Use Case: Ransomware

Vendor: APC

ProductEvent TypesMITRE ATT&CK® TTPContent
APC
  • authentication-failed
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • network-alert
  • remote-logon
T1078 - Valid Accounts
  • 1 Rules

Vendor: AVI Networks

ProductEvent TypesMITRE ATT&CK® TTPContent
Load Balancer
  • app-login
T1078 - Valid Accounts
  • 1 Rules

Vendor: Absolute

ProductEvent TypesMITRE ATT&CK® TTPContent
Absolute SIEM Connector
  • app-activity
  • app-login
  • security-alert
T1078 - Valid Accounts
  • 1 Rules

Vendor: Accellion

ProductEvent TypesMITRE ATT&CK® TTPContent
Kiteworks
  • account-lockout
  • account-password-change
  • account-password-reset
  • account-unlocked
  • app-activity
  • app-login
  • dlp-alert
  • dlp-email-alert-out
  • failed-app-login
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Adaxes

ProductEvent TypesMITRE ATT&CK® TTPContent
Adaxes
  • app-activity
T1078 - Valid Accounts
  • 1 Rules

Vendor: Airlock

ProductEvent TypesMITRE ATT&CK® TTPContent
Application Whitelisting
  • app-activity
T1078 - Valid Accounts
  • 1 Rules
Web Application Firewall
  • app-activity-failed
  • app-login
  • failed-app-login
  • file-delete
  • file-download
  • file-upload
  • file-write
  • network-connection-failed
  • network-connection-successful
  • vpn-logout
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules

Vendor: Akamai

ProductEvent TypesMITRE ATT&CK® TTPContent
Cloud Akamai
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Amazon

ProductEvent TypesMITRE ATT&CK® TTPContent
AWS Bastion
  • failed-logon
  • remote-logon
T1078 - Valid Accounts
  • 1 Rules
AWS CloudTrail
  • app-activity
  • app-activity-failed
  • app-login
  • aws-bucket-cors
  • aws-bucket-cors-failed
  • aws-bucket-create
  • aws-bucket-create-failed
  • aws-bucket-policy
  • aws-bucket-policy-failed
  • aws-bucket-putaccessblock
  • aws-bucket-putaccessblock-failed
  • aws-compute-list
  • aws-compute-list-failed
  • aws-function-write
  • aws-function-write-failed
  • aws-general-activity
  • aws-general-activity-failed
  • aws-identity-addtogroup
  • aws-identity-addtogroup-failed
  • aws-identity-creds-write
  • aws-identity-creds-write-failed
  • aws-identity-list
  • aws-identity-list-failed
  • aws-identity-loginprofile
  • aws-identity-loginprofile-failed
  • aws-identity-write
  • aws-identity-write-failed
  • aws-image-create
  • aws-image-create-failed
  • aws-image-modify
  • aws-image-modify-failed
  • aws-instance-command
  • aws-instance-command-failed
  • aws-instance-create
  • aws-instance-create-failed
  • aws-instance-creds-read
  • aws-instance-creds-read-failed
  • aws-instance-creds-write
  • aws-instance-creds-write-failed
  • aws-instance-login
  • aws-instance-login-failed
  • aws-instance-modify
  • aws-instance-modify-failed
  • aws-instance-screenshot
  • aws-instance-screenshot-failed
  • aws-key-policy
  • aws-key-policy-failed
  • aws-login
  • aws-login-failed
  • aws-policy-attach
  • aws-policy-attach-failed
  • aws-policy-list
  • aws-policy-list-failed
  • aws-policy-setversion
  • aws-policy-setversion-failed
  • aws-policy-write
  • aws-policy-write-failed
  • aws-role-assume
  • aws-role-assume-failed
  • aws-role-assumepolicy
  • aws-role-assumepolicy-failed
  • aws-role-switch
  • aws-role-switch-failed
  • aws-role-write
  • aws-role-write-failed
  • aws-snapshot-create
  • aws-snapshot-create-failed
  • aws-snapshot-modify
  • aws-snapshot-modify-failed
  • aws-storage-acl
  • aws-storage-acl-failed
  • aws-storage-list
  • aws-storage-list-failed
  • aws-storageobject-copy
  • aws-storageobject-copy-failed
  • aws-storageobject-read
  • aws-storageobject-read-failed
  • aws-storageobject-write
  • aws-storageobject-write-failed
  • aws-volume-attach
  • aws-volume-attach-failed
  • aws-volume-create
  • aws-volume-create-failed
  • aws-volume-modify
  • aws-volume-modify-failed
  • cloud-admin-activity
  • cloud-admin-activity-failed
  • failed-app-login
  • storage-access
  • storage-activity
  • storage-activity-failed
T1078 - Valid Accounts
  • 2 Rules
AWS WAF
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Anywhere365

ProductEvent TypesMITRE ATT&CK® TTPContent
Anywhere365
  • app-activity
T1078 - Valid Accounts
  • 1 Rules

Vendor: Apache

ProductEvent TypesMITRE ATT&CK® TTPContent
Apache
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Apache Guacamole
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules
Apache Subversion
  • app-activity
  • app-activity-failed
T1078 - Valid Accounts
  • 2 Rules

Vendor: AssetView

ProductEvent TypesMITRE ATT&CK® TTPContent
AssetView
  • file-download
  • file-write
  • print-activity
  • security-alert
  • usb-insert
T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: Atlassian

ProductEvent TypesMITRE ATT&CK® TTPContent
Atlassian BitBucket
  • app-activity
T1078 - Valid Accounts
  • 1 Rules

Vendor: Auth0

ProductEvent TypesMITRE ATT&CK® TTPContent
Auth0
  • account-password-change-failed
  • app-login
  • failed-logon
  • security-alert
T1078 - Valid Accounts
  • 2 Rules

Vendor: Avaya

ProductEvent TypesMITRE ATT&CK® TTPContent
Avaya Ethernet Routing Switch
  • authentication-failed
  • authentication-successful
T1078 - Valid Accounts
  • 1 Rules
Avaya VPN
  • failed-vpn-login
  • vpn-login
T1078 - Valid Accounts
  • 1 Rules

Vendor: Axway

ProductEvent TypesMITRE ATT&CK® TTPContent
Axway SFTP
  • file-upload
  • remote-logon
T1078 - Valid Accounts
  • 1 Rules

Vendor: Barracuda

ProductEvent TypesMITRE ATT&CK® TTPContent
Barracuda Firewall
  • failed-vpn-login
  • network-connection-failed
  • network-connection-successful
  • remote-logon
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
  • 1 Rules

Vendor: BeyondTrust

ProductEvent TypesMITRE ATT&CK® TTPContent
BeyondInsight
  • account-creation
  • account-deleted
  • account-password-change-failed
  • account-switch
  • account-unlocked
  • app-activity
  • app-login
  • failed-app-login
  • privileged-access
T1078 - Valid Accounts
  • 2 Rules
BeyondTrust PasswordSafe
  • account-switch
  • app-login
  • failed-app-login
  • privileged-access
T1078 - Valid Accounts
  • 2 Rules
BeyondTrust PowerBroker
  • privileged-access
  • process-created
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
BeyondTrust Privilege Management
  • local-logon
  • process-created
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
BeyondTrust Privileged Identity
  • account-password-change
  • account-switch
  • app-activity
  • app-activity-failed
  • app-login
  • failed-app-login
  • privileged-access
T1078 - Valid Accounts
  • 2 Rules
BeyondTrust Secure Remote Access
  • app-activity
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules
Secure Remote Access
  • app-activity
T1078 - Valid Accounts
  • 1 Rules

Vendor: Bitdefender

ProductEvent TypesMITRE ATT&CK® TTPContent
GravityZone
  • app-login
  • security-alert
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules

Vendor: Bitglass

ProductEvent TypesMITRE ATT&CK® TTPContent
Bitglass CASB
  • app-login
  • dlp-alert
  • dlp-email-alert-out
  • failed-app-login
  • file-download
  • file-read
  • file-write
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: BlackBerry

ProductEvent TypesMITRE ATT&CK® TTPContent
BlackBerry Protect
  • app-activity
  • app-login
  • dlp-alert
  • file-alert
  • process-alert
  • security-alert
T1078 - Valid Accounts
  • 1 Rules

Vendor: Box

ProductEvent TypesMITRE ATT&CK® TTPContent
Box Cloud Content Management
  • app-activity
  • app-login
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules

Vendor: Bromium

ProductEvent TypesMITRE ATT&CK® TTPContent
Bromium Secure Platform
  • file-permission-change
  • file-read
  • file-write
T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: CA Technologies

ProductEvent TypesMITRE ATT&CK® TTPContent
CA Privileged Access Manager Server Control
  • account-switch
  • app-login
  • authentication-failed
  • authentication-successful
  • remote-logon
T1078 - Valid Accounts
  • 2 Rules

Vendor: CDS

ProductEvent TypesMITRE ATT&CK® TTPContent
CDS
  • failed-logon
  • remote-logon
T1078 - Valid Accounts
  • 1 Rules

Vendor: CatoNetworks

ProductEvent TypesMITRE ATT&CK® TTPContent
Cato Cloud
  • network-alert
  • vpn-connection
  • vpn-login
  • vpn-logout
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules

Vendor: Check Point

ProductEvent TypesMITRE ATT&CK® TTPContent
Identity Awareness
  • failed-vpn-login
  • network-connection-failed
  • network-connection-successful
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
  • 1 Rules
NGFW
  • app-login
  • authentication-failed
  • authentication-successful
  • dlp-email-alert-in
  • dlp-email-alert-out
  • failed-vpn-login
  • local-logon
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • vpn-connection
  • vpn-login
  • vpn-logout
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules
Security Gateway
  • failed-vpn-login
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
  • 1 Rules
Security Gateway Virtual Edition (vSEC)
  • authentication-failed
  • authentication-successful
  • vpn-login
T1078 - Valid Accounts
  • 1 Rules

Vendor: Cimtrak

ProductEvent TypesMITRE ATT&CK® TTPContent
Cimtrak
  • file-delete
  • file-write
T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: Cisco

ProductEvent TypesMITRE ATT&CK® TTPContent
ACI
  • authentication-failed
  • authentication-successful
  • config-change
T1078 - Valid Accounts
  • 1 Rules
ACS
  • app-activity
  • authentication-failed
  • authentication-successful
T1078 - Valid Accounts
  • 2 Rules
ADC
  • web-activity-allowed
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Adaptive Security Appliance
  • authentication-failed
  • authentication-successful
  • dns-response
  • failed-logon
  • failed-vpn-login
  • file-download
  • file-upload
  • nac-logon
  • network-connection-successful
  • process-created
  • remote-logon
  • vpn-login
  • vpn-logout
  • web-activity-denied
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 7 Rules
AnyConnect
  • process-network
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
  • 1 Rules
Call Manager
  • app-activity
  • app-activity-failed
  • authentication-failed
  • authentication-successful
T1078 - Valid Accounts
  • 2 Rules
Catalyst Wireless Controller
  • remote-logon
T1078 - Valid Accounts
  • 1 Rules
Cisco
  • app-activity
  • remote-logon
T1078 - Valid Accounts
  • 1 Rules
Cloud Web Security
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Duo Access Security
  • account-creation
  • account-deleted
  • account-lockout
  • account-password-reset
  • app-activity
  • app-login
  • authentication-failed
  • authentication-successful
  • failed-app-login
  • failed-vpn-login
  • vpn-login
T1078 - Valid Accounts
  • 2 Rules
Firepower
  • authentication-successful
  • dns-query
  • dns-response
  • failed-vpn-login
  • file-download
  • nac-logon
  • netflow-connection
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • process-created
  • security-alert
  • vpn-login
  • vpn-logout
  • web-activity-allowed
  • web-activity-denied
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 8 Rules
ISE
  • app-activity
  • authentication-failed
  • authentication-successful
  • computer-logon
  • config-change
  • failed-logon
  • failed-vpn-login
  • nac-failed-logon
  • nac-logon
  • remote-logon
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
  • 2 Rules
IronPort Web Security
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Meraki MX appliances
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • vpn-login
  • vpn-logout
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
NPE
  • process-created
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
Proxy Umbrella
  • network-connection-successful
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Secure Web Appliance
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
TACACS
  • authentication-failed
  • process-created
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules
Umbrella
  • dns-response
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Unified Computing System
  • authentication-failed
T1078 - Valid Accounts
  • 1 Rules

Vendor: Citrix

ProductEvent TypesMITRE ATT&CK® TTPContent
Citrix Endpoint Management
  • app-activity
  • remote-logon
T1078 - Valid Accounts
  • 1 Rules
Citrix Gateway ActiveSync Connector
  • app-activity
  • app-activity-failed
T1078 - Valid Accounts
  • 2 Rules
Citrix Netscaler
  • app-login
  • authentication-failed
  • failed-vpn-login
  • process-created
  • vpn-login
  • vpn-logout
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 7 Rules
Citrix Netscaler VPN
  • authentication-failed
  • authentication-successful
  • remote-access
  • remote-logon
  • vpn-connection
  • vpn-logout
  • web-activity-allowed
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Citrix ShareFile
  • app-activity
  • app-login
  • failed-app-login
  • file-download
  • file-upload
T1078 - Valid Accounts
  • 2 Rules
Citrix XenApp
  • app-login
  • remote-logon
T1078 - Valid Accounts
  • 1 Rules
Citrix XenDesktop
  • remote-logon
T1078 - Valid Accounts
  • 1 Rules
Web Logging
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Clearsense

ProductEvent TypesMITRE ATT&CK® TTPContent
Clearsense
  • app-activity
  • app-login
T1078 - Valid Accounts
  • 1 Rules

Vendor: Click Studios

ProductEvent TypesMITRE ATT&CK® TTPContent
Passwordstate
  • account-disabled
  • account-password-change
  • account-password-change-failed
  • account-password-reset
  • app-activity
  • authentication-successful
  • member-removed
  • remote-logon
T1078 - Valid Accounts
  • 1 Rules

Vendor: Cloud Application

ProductEvent TypesMITRE ATT&CK® TTPContent
Cloud Application
  • account-password-change
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules

Vendor: Cloudflare

ProductEvent TypesMITRE ATT&CK® TTPContent
Cloudflare Insights
  • app-activity
  • app-login
  • member-added
  • member-removed
T1078 - Valid Accounts
  • 1 Rules
Cloudflare WAF
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Code42

ProductEvent TypesMITRE ATT&CK® TTPContent
Code42 Incydr
  • "app-activity"
  • "file-delete"
  • "file-download"
  • "file-read"
  • "file-upload"
  • "file-write"
  • "print-activity"
  • "usb-activity"
  • app-activity
  • dlp-email-alert-out
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
  • print-activity
  • security-alert
  • usb-activity
  • usb-insert
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules
ProductEvent TypesMITRE ATT&CK® TTPContent
Cognitas CrossLink
  • vpn-login
T1078 - Valid Accounts
  • 1 Rules

Vendor: CrowdStrike

ProductEvent TypesMITRE ATT&CK® TTPContent
Falcon
  • app-activity
  • app-activity-failed
  • app-login
  • authentication-failed
  • batch-logon
  • computer-logon
  • config-change
  • dlp-alert
  • dns-query
  • failed-app-login
  • file-alert
  • file-delete
  • file-download
  • file-read
  • file-write
  • local-logon
  • network-connection-failed
  • network-connection-successful
  • process-alert
  • process-created
  • process-network
  • remote-access
  • remote-logon
  • security-alert
  • service-logon
  • task-created
  • usb-activity
  • usb-insert
  • usb-write
  • workstation-unlocked
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 8 Rules

Vendor: CyberArk

ProductEvent TypesMITRE ATT&CK® TTPContent
CyberArk Vault
  • account-password-change
  • account-password-change-failed
  • account-password-reset
  • account-switch
  • app-activity
  • app-activity-failed
  • app-login
  • failed-app-login
  • failed-logon
  • file-delete
  • file-permission-change
  • file-read
  • file-write
  • remote-logon
  • security-alert
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules
Privileged Session Manager
  • account-switch
  • app-activity
  • app-login
T1078 - Valid Accounts
  • 1 Rules

Vendor: Darktrace

ProductEvent TypesMITRE ATT&CK® TTPContent
Darktrace
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules

Vendor: Delinea

ProductEvent TypesMITRE ATT&CK® TTPContent
Centrify Audit and Monitoring Service
  • file-delete
  • file-read
  • file-write
T1486 - Data Encrypted for Impact
  • 1 Rules
Centrify Authentication Service
  • account-password-reset
  • authentication-failed
  • authentication-successful
  • failed-logon
  • local-logon
  • remote-logon
T1078 - Valid Accounts
  • 1 Rules
Centrify Infrastructure Services
  • process-created
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
Centrify Zero Trust Privilege Services
  • account-switch
  • app-activity
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules
Secret Server
  • account-switch
  • app-activity
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules

Vendor: Dell

ProductEvent TypesMITRE ATT&CK® TTPContent
EMC Isilon
  • file-delete
  • file-permission-change
  • file-read
  • file-write
  • remote-access
T1486 - Data Encrypted for Impact
  • 1 Rules
One Identity Manager
  • account-password-change
  • account-switch
  • app-activity
T1078 - Valid Accounts
  • 1 Rules
RSA Authentication Manager
  • account-lockout
  • app-login
  • authentication-failed
  • authentication-successful
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules
SonicWALL Aventail
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
  • 1 Rules

Vendor: Digital Arts

ProductEvent TypesMITRE ATT&CK® TTPContent
Digital Arts i-FILTER for Business
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Digital Guardian

ProductEvent TypesMITRE ATT&CK® TTPContent
Digital Guardian Endpoint Protection
  • app-activity
  • app-login
  • dlp-email-alert-out
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
  • local-logon
  • network-connection-failed
  • network-connection-successful
  • print-activity
  • process-created
  • usb-insert
  • usb-write
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 7 Rules

Vendor: Dropbox

ProductEvent TypesMITRE ATT&CK® TTPContent
Dropbox
  • app-activity
  • app-login
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-write
  • vpn-logout
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules

Vendor: Dtex Systems

ProductEvent TypesMITRE ATT&CK® TTPContent
DTEX InTERCEPT
  • file-delete
  • file-read
  • file-write
  • local-logon
  • print-activity
  • process-created
  • remote-logon
  • usb-write
  • web-activity-allowed
  • workstation-locked
  • workstation-unlocked
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 8 Rules

Vendor: EMP

ProductEvent TypesMITRE ATT&CK® TTPContent
EMP
  • app-activity
  • app-login
T1078 - Valid Accounts
  • 1 Rules

Vendor: ESET

ProductEvent TypesMITRE ATT&CK® TTPContent
ESET Endpoint Security
  • app-login
  • authentication-failed
  • authentication-successful
  • failed-logon
  • network-alert
  • security-alert
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules

Vendor: ESector

ProductEvent TypesMITRE ATT&CK® TTPContent
ESector DEFESA
  • file-delete
  • file-read
  • file-write
T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: EdgeWave

ProductEvent TypesMITRE ATT&CK® TTPContent
EdgeWave iPrism
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Egnyte

ProductEvent TypesMITRE ATT&CK® TTPContent
Egnyte
  • app-activity
  • app-login
  • failed-app-login
  • file-delete
  • file-download
  • file-permission-change
  • file-upload
  • file-write
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Entrust

ProductEvent TypesMITRE ATT&CK® TTPContent
IdentityGuard
  • account-lockout
  • authentication-failed
  • authentication-successful
T1078 - Valid Accounts
  • 1 Rules

Vendor: Epic

ProductEvent TypesMITRE ATT&CK® TTPContent
Epic SIEM
  • account-password-change
  • account-password-change-failed
  • app-activity
  • app-login
  • authentication-successful
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules

Vendor: Exabeam

ProductEvent TypesMITRE ATT&CK® TTPContent
Exabeam Advanced Analytics
  • app-activity
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules
Exabeam DL
  • app-activity
  • security-alert
T1078 - Valid Accounts
  • 1 Rules

Vendor: Extreme Networks

ProductEvent TypesMITRE ATT&CK® TTPContent
Zebra wireless LAN management
  • failed-logon
T1078 - Valid Accounts
  • 1 Rules

Vendor: F5

ProductEvent TypesMITRE ATT&CK® TTPContent
F5 Advanced Web Application Firewall (WAF)
  • account-switch
  • dlp-email-alert-out
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • process-created
  • remote-logon
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules
F5 BIG-IP
  • account-password-change-failed
  • authentication-failed
  • authentication-successful
  • failed-logon
  • failed-vpn-login
  • network-connection-successful
  • remote-logon
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
  • 1 Rules
F5 BIG-IP Access Policy Manager (APM)
  • authentication-failed
  • authentication-successful
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
  • 1 Rules
F5 BIG-IP Application Security Manager (ASM)
  • security-alert
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
WebSafe
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: FTP

ProductEvent TypesMITRE ATT&CK® TTPContent
FTP
  • app-activity
  • app-activity-failed
  • app-login
  • failed-app-login
  • file-delete
  • file-read
  • file-write
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Fast Enterprises

ProductEvent TypesMITRE ATT&CK® TTPContent
Fast Enterprises GenTax
  • app-login
T1078 - Valid Accounts
  • 1 Rules

Vendor: FileAuditor

ProductEvent TypesMITRE ATT&CK® TTPContent
FileAuditor
  • file-delete
  • file-read
  • file-write
T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: FireEye

ProductEvent TypesMITRE ATT&CK® TTPContent
FireEye Endpoint Security (HX)
  • file-write
  • network-alert
  • process-alert
  • security-alert
T1486 - Data Encrypted for Impact
  • 1 Rules
FireEye Network Security (NX)
  • security-alert
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: FireMon

ProductEvent TypesMITRE ATT&CK® TTPContent
FireMon
  • authentication-successful
T1078 - Valid Accounts
  • 1 Rules

Vendor: Forcepoint

ProductEvent TypesMITRE ATT&CK® TTPContent
Forcepoint CASB
  • app-activity
  • app-login
  • failed-app-login
  • security-alert
T1078 - Valid Accounts
  • 2 Rules
Websense Secure Gateway
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Forescout

ProductEvent TypesMITRE ATT&CK® TTPContent
EyeInspect
  • failed-logon
T1078 - Valid Accounts
  • 1 Rules

Vendor: Fortinet

ProductEvent TypesMITRE ATT&CK® TTPContent
FortiAuthenticator
  • authentication-failed
  • authentication-successful
T1078 - Valid Accounts
  • 1 Rules
FortiGate
  • network-connection-successful
  • vpn-connection
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Fortinet Enterprise Firewall
  • app-activity
  • app-activity-failed
  • computer-logon
  • netflow-connection
  • network-connection-failed
  • network-connection-successful
T1078 - Valid Accounts
  • 2 Rules
Fortinet FortiWeb
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Fortinet UTM
  • app-activity
  • app-activity-failed
  • authentication-failed
  • authentication-successful
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • network-alert
  • security-alert
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules
Fortinet VPN
  • authentication-successful
  • failed-vpn-login
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
  • 2 Rules

Vendor: Gemalto

ProductEvent TypesMITRE ATT&CK® TTPContent
Gemalto MFA
  • authentication-failed
  • authentication-successful
T1078 - Valid Accounts
  • 1 Rules

Vendor: GitHub

ProductEvent TypesMITRE ATT&CK® TTPContent
GitHub
  • app-activity
  • app-activity-failed
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules

Vendor: GoAnywhere

ProductEvent TypesMITRE ATT&CK® TTPContent
GoAnywhere MFT
  • failed-logon
  • file-delete
  • file-download
  • file-upload
  • remote-logon
T1078 - Valid Accounts
  • 1 Rules

Vendor: Google

ProductEvent TypesMITRE ATT&CK® TTPContent
Cloud Platform
  • app-activity
  • cloud-admin-activity
  • cloud-admin-activity-failed
  • gcp-disk-attach
  • gcp-disk-create
  • gcp-image-create
  • gcp-instance-create
  • gcp-instance-setmachinetype
  • gcp-instance-setmetadata
  • gcp-policy-write
  • gcp-role-write
  • gcp-serviceaccount-creds-write
  • gcp-serviceaccount-write
  • gcp-snapshot-create
  • gcp-storageobject-acl
  • netflow-connection
  • network-alert
  • storage-access
  • storage-activity
  • storage-activity-failed
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Workspace
  • account-password-change
  • account-password-reset
  • app-activity
  • app-login
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • failed-app-login
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: HP

ProductEvent TypesMITRE ATT&CK® TTPContent
Aruba ClearPass Access Control and Policy Management
  • app-login
  • authentication-failed
  • computer-logon
  • nac-failed-logon
  • nac-logon
T1078 - Valid Accounts
  • 2 Rules
Aruba Mobility Master
  • local-logon
  • nac-failed-logon
  • nac-logon
  • remote-logon
T1078 - Valid Accounts
  • 1 Rules
Aruba Wireless controller
  • authentication-successful
  • computer-logon
  • nac-failed-logon
  • nac-logon
  • network-alert
T1078 - Valid Accounts
  • 1 Rules
HP Comware
  • process-created
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
HP Virtual Connect Enterprise Manager
  • app-login
T1078 - Valid Accounts
  • 1 Rules
HP iLO
  • app-login
T1078 - Valid Accounts
  • 1 Rules

Vendor: HashiCorp

ProductEvent TypesMITRE ATT&CK® TTPContent
HashiCorp Vault
  • account-password-reset
  • app-login
T1078 - Valid Accounts
  • 1 Rules
Terraform
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: HelpSystems

ProductEvent TypesMITRE ATT&CK® TTPContent
Powertech Identity Access Manager (BoKs)
  • account-switch
  • file-delete
  • file-read
  • file-write
  • local-logon
  • process-created
  • remote-logon
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 7 Rules

Vendor: Huawei

ProductEvent TypesMITRE ATT&CK® TTPContent
Unified Security Gateway
  • authentication-successful
  • network-alert
  • process-created
  • vpn-login
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules

Vendor: IBM

ProductEvent TypesMITRE ATT&CK® TTPContent
IBM
  • authentication-successful
T1078 - Valid Accounts
  • 1 Rules
IBM DB2
  • authentication-failed
  • file-read
  • remote-logon
  • security-alert
T1078 - Valid Accounts
  • 1 Rules
IBM Mainframe
  • account-disabled
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules
IBM Racf
  • app-activity
  • app-login
  • database-access
  • database-delete
  • database-login
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules
IBM Sametime
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules
IBM Security Access Manager
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
IBM Sterling B2B Integrator
  • app-activity
  • failed-logon
  • member-added
  • member-removed
  • remote-logon
T1078 - Valid Accounts
  • 2 Rules
Lotus Mobile Connect
  • authentication-failed
  • authentication-successful
  • failed-vpn-login
  • vpn-login
T1078 - Valid Accounts
  • 1 Rules

Vendor: ICDB

ProductEvent TypesMITRE ATT&CK® TTPContent
ICDB
  • app-activity
T1078 - Valid Accounts
  • 1 Rules

Vendor: Imperva

ProductEvent TypesMITRE ATT&CK® TTPContent
Imperva File Activity Monitoring (FAM)
  • file-delete
  • file-permission-change
  • file-read
  • file-write
T1486 - Data Encrypted for Impact
  • 1 Rules
Imperva SecureSphere
  • app-login
  • database-alert
  • database-delete
  • database-failed-login
  • database-login
  • database-query
  • database-update
  • failed-app-login
  • network-alert
  • security-alert
T1078 - Valid Accounts
  • 2 Rules
Incapsula
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Imprivata

ProductEvent TypesMITRE ATT&CK® TTPContent
Imprivata
  • app-activity
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules

Vendor: InfoWatch

ProductEvent TypesMITRE ATT&CK® TTPContent
InfoWatch
  • app-login
  • dlp-email-alert-in
  • dlp-email-alert-out
  • print-activity
  • usb-write
  • web-activity-allowed
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules

Vendor: Infoblox

ProductEvent TypesMITRE ATT&CK® TTPContent
BloxOne
  • computer-logon
  • dns-query
  • dns-response
  • file-write
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • remote-logon
  • vpn-connection
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules

Vendor: Ipswitch

ProductEvent TypesMITRE ATT&CK® TTPContent
IPswitch MoveIt
  • app-activity
  • app-login
  • failed-app-login
  • file-read
  • file-write
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules
MoveIt DMZ
  • account-password-change
  • authentication-failed
  • authentication-successful
  • failed-logon
  • file-delete
  • file-download
  • file-upload
  • file-write
  • member-added
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules

Vendor: Jumpcloud

ProductEvent TypesMITRE ATT&CK® TTPContent
Jumpcloud
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules

Vendor: Juniper Networks

ProductEvent TypesMITRE ATT&CK® TTPContent
Juniper Networks
  • config-change
  • process-created
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules
Juniper Networks Pulse Secure
  • account-deleted
  • app-activity
  • authentication-failed
  • authentication-successful
  • failed-vpn-login
  • network-connection-failed
  • vpn-connection
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
  • 2 Rules
Juniper OWA
  • app-login
T1078 - Valid Accounts
  • 1 Rules
Juniper SRX
  • authentication-successful
  • failed-vpn-login
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • security-alert
  • vpn-login
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules
Juniper VPN
  • account-deleted
  • authentication-failed
  • authentication-successful
  • failed-vpn-login
  • vpn-login
  • vpn-logout
  • web-activity-allowed
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules

Vendor: Kemp

ProductEvent TypesMITRE ATT&CK® TTPContent
Kemp LoadMaster
  • app-activity
  • remote-logon
  • security-alert
T1078 - Valid Accounts
  • 1 Rules
Load Balancer
  • authentication-failed
  • remote-logon
T1078 - Valid Accounts
  • 1 Rules

Vendor: LEAP

ProductEvent TypesMITRE ATT&CK® TTPContent
LEAP
  • app-activity
  • app-login
T1078 - Valid Accounts
  • 1 Rules

Vendor: LOGBinder

ProductEvent TypesMITRE ATT&CK® TTPContent
SharePoint
  • app-activity
  • file-read
  • file-write
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules

Vendor: LanScope

ProductEvent TypesMITRE ATT&CK® TTPContent
LanScope Cat
  • app-activity
  • dlp-alert
  • failed-usb-activity
  • file-delete
  • file-write
  • local-logon
  • print-activity
  • process-created
  • process-created-failed
  • process-network
  • usb-activity
  • usb-write
  • web-activity-allowed
  • workstation-locked
  • workstation-unlocked
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 8 Rules

Vendor: LastPass

ProductEvent TypesMITRE ATT&CK® TTPContent
LastPass
  • account-creation
  • account-password-change
  • app-activity
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules

Vendor: Linux

ProductEvent TypesMITRE ATT&CK® TTPContent
SSH
  • failed-logon
  • remote-logon
T1078 - Valid Accounts
  • 1 Rules

Vendor: LiquidFiles

ProductEvent TypesMITRE ATT&CK® TTPContent
LiquidFiles
  • app-login
  • failed-app-login
  • file-download
  • file-upload
T1078 - Valid Accounts
  • 2 Rules

Vendor: LogMeIn

ProductEvent TypesMITRE ATT&CK® TTPContent
RemotelyAnywhere
  • remote-logon
T1078 - Valid Accounts
  • 1 Rules

Vendor: LogRhythm

ProductEvent TypesMITRE ATT&CK® TTPContent
LogRhythm
  • process-created
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules

Vendor: Malwarebytes

ProductEvent TypesMITRE ATT&CK® TTPContent
Malwarebytes Endpoint Protection
  • network-alert
  • security-alert
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: ManageEngine

ProductEvent TypesMITRE ATT&CK® TTPContent
ADSSP
  • app-activity
  • app-login
T1078 - Valid Accounts
  • 1 Rules
PAM360
  • app-activity
  • app-login
  • remote-logon
T1078 - Valid Accounts
  • 1 Rules
Password Manager Pro
  • account-password-change
  • account-switch
  • app-login
T1078 - Valid Accounts
  • 1 Rules

Vendor: MasterSAM

ProductEvent TypesMITRE ATT&CK® TTPContent
MasterSAM PAM
  • account-password-change
  • authentication-failed
  • authentication-successful
  • remote-logon
T1078 - Valid Accounts
  • 1 Rules

Vendor: McAfee

ProductEvent TypesMITRE ATT&CK® TTPContent
McAfee Endpoint Security
  • dlp-alert
  • file-write
  • process-alert
  • process-created-failed
  • remote-logon
  • security-alert
  • usb-activity
  • usb-insert
  • usb-write
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules
McAfee NSM
  • app-login
  • failed-app-login
  • network-alert
T1078 - Valid Accounts
  • 2 Rules
McAfee Web Gateway
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Skyhigh Networks CASB
  • app-activity
  • app-login
  • dlp-alert
  • failed-app-login
  • file-download
  • security-alert
T1078 - Valid Accounts
  • 2 Rules

Vendor: Microsoft

ProductEvent TypesMITRE ATT&CK® TTPContent
Azure
  • account-password-change
  • app-activity
  • app-activity-failed
  • app-login
  • authentication-failed
  • authentication-successful
  • cloud-admin-activity
  • cloud-admin-activity-failed
  • database-query
  • dns-query
  • failed-app-login
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
  • image-loaded
  • member-added
  • member-removed
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • process-created
  • remote-logon
  • security-alert
  • storage-access
  • storage-activity
  • storage-activity-failed
  • usb-activity
  • usb-insert
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 8 Rules
Azure Active Directory
  • account-disabled
  • account-password-change
  • account-password-change-failed
  • account-password-reset
  • account-unlocked
  • app-activity
  • app-activity-failed
  • app-login
  • authentication-failed
  • failed-app-login
  • member-added
  • member-removed
T1078 - Valid Accounts
  • 2 Rules
Azure MFA
  • app-activity
  • authentication-failed
  • authentication-successful
T1078 - Valid Accounts
  • 2 Rules
Cloud App Security (MCAS)
  • account-password-change
  • account-password-reset
  • app-activity
  • app-login
  • dlp-alert
  • failed-app-login
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
  • security-alert
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules
Defender ATP
  • app-login
  • batch-logon
  • failed-logon
  • file-delete
  • file-write
  • local-logon
  • member-added
  • member-removed
  • process-created
  • process-network
  • process-network-failed
  • remote-access
  • remote-logon
  • security-alert
  • service-logon
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 8 Rules
DirectAccess
  • failed-vpn-login
  • vpn-login
T1078 - Valid Accounts
  • 1 Rules
Exchange
  • app-activity
  • app-activity-failed
  • app-login
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules
IIS
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Office 365
  • account-password-change
  • app-activity
  • app-activity-failed
  • app-login
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • failed-app-login
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
  • process-created
  • security-alert
  • usb-write
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 8 Rules
OneDrive
  • app-activity
  • app-activity-failed
  • file-read
T1078 - Valid Accounts
  • 2 Rules
Routing and Remote Access Service
  • authentication-successful
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
  • 1 Rules
SQL Server
  • authentication-failed
  • authentication-successful
  • database-access
  • database-activity-failed
  • database-delete
  • database-failed-login
  • database-login
  • database-query
  • database-update
  • failed-app-login
T1078 - Valid Accounts
  • 1 Rules
Sysmon
  • dns-query
  • file-delete
  • file-write
  • image-loaded
  • process-alert
  • process-created
  • process-network
  • registry-write
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules
Web Application Proxy
  • remote-logon
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Web Application Proxy-TLS Gateway
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Windows
  • account-creation
  • account-deleted
  • account-disabled
  • account-enabled
  • account-lockout
  • account-password-change
  • account-password-change-failed
  • account-password-reset
  • account-switch
  • account-unlocked
  • app-login
  • audit-log-clear
  • audit-policy-change
  • authentication-failed
  • authentication-successful
  • batch-logon
  • computer-logon
  • config-change
  • dcom-activation-failed
  • dns-query
  • dns-response
  • ds-access
  • failed-app-login
  • failed-logon
  • failed-vpn-login
  • file-close
  • file-delete
  • file-read
  • file-write
  • kerberos-logon
  • local-logon
  • logout-remote
  • member-added
  • member-removed
  • nac-failed-logon
  • nac-logon
  • network-connection-successful
  • ntlm-logon
  • privileged-access
  • privileged-object-access
  • process-created
  • process-network
  • process-network-failed
  • registry-write
  • remote-access
  • remote-logon
  • security-alert
  • service-created
  • service-logon
  • share-access
  • share-access-denied
  • task-created
  • usb-activity
  • usb-insert
  • vpn-login
  • vpn-logout
  • winsession-disconnect
  • workstation-locked
  • workstation-unlocked
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 8 Rules

Vendor: Mimecast

ProductEvent TypesMITRE ATT&CK® TTPContent
Email Security
  • app-activity
  • app-login
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules
Targeted Threat Protection - URL
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: NCP

ProductEvent TypesMITRE ATT&CK® TTPContent
NCP
  • authentication-failed
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
  • 1 Rules

Vendor: NNT

ProductEvent TypesMITRE ATT&CK® TTPContent
NNT ChangeTracker
  • app-login
T1078 - Valid Accounts
  • 1 Rules

Vendor: Nasuni

ProductEvent TypesMITRE ATT&CK® TTPContent
Nasuni
  • file-delete
  • file-permission-change
  • file-write
T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: NetApp

ProductEvent TypesMITRE ATT&CK® TTPContent
NetApp
  • file-alert
  • file-delete
  • file-read
  • file-write
T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: NetDocs

ProductEvent TypesMITRE ATT&CK® TTPContent
NetDocs
  • app-activity
  • file-delete
  • file-read
  • file-upload
  • file-write
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules

Vendor: NetIQ

ProductEvent TypesMITRE ATT&CK® TTPContent
NetIQ
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules

Vendor: NetMotion Wireless

ProductEvent TypesMITRE ATT&CK® TTPContent
NetMotion Wireless
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
  • 1 Rules

Vendor: Netskope

ProductEvent TypesMITRE ATT&CK® TTPContent
Security Cloud
  • app-activity
  • app-login
  • dlp-alert
  • dlp-email-alert-out
  • failed-app-login
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
  • network-connection-failed
  • network-connection-successful
  • security-alert
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 4 Rules

Vendor: Netwrix

ProductEvent TypesMITRE ATT&CK® TTPContent
Netwrix Auditor
  • account-disabled
  • account-lockout
  • account-password-reset
  • account-unlocked
  • app-activity
  • app-login
  • database-access
  • database-failed-login
  • ds-access
  • failed-app-login
  • failed-logon
  • file-delete
  • file-write
  • member-added
  • member-removed
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: NextDLP

ProductEvent TypesMITRE ATT&CK® TTPContent
Reveal
  • authentication-failed
  • dlp-alert
  • member-added
  • remote-logon
  • security-alert
  • usb-insert
  • web-activity-allowed
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules

Vendor: Nortel Contivity

ProductEvent TypesMITRE ATT&CK® TTPContent
Nortel Contivity VPN
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
  • 1 Rules

Vendor: Novell

ProductEvent TypesMITRE ATT&CK® TTPContent
eDirectory
  • account-disabled
  • account-enabled
  • account-password-change
  • account-unlocked
  • authentication-failed
  • authentication-successful
  • security-alert
T1078 - Valid Accounts
  • 1 Rules

Vendor: Nutanix

ProductEvent TypesMITRE ATT&CK® TTPContent
Nutanix Files
  • file-delete
  • file-read
  • file-write
T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: ObserveIT

ProductEvent TypesMITRE ATT&CK® TTPContent
ObserveIT
  • app-activity
  • app-login
  • database-access
  • dlp-alert
  • failed-app-login
  • process-created
  • remote-logon
  • security-alert
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 7 Rules

Vendor: Okta

ProductEvent TypesMITRE ATT&CK® TTPContent
Okta Adaptive MFA
  • account-creation
  • account-enabled
  • account-lockout
  • account-password-change
  • account-password-reset
  • app-activity
  • app-activity-failed
  • app-login
  • authentication-failed
  • authentication-successful
  • failed-app-login
  • member-added
  • member-removed
  • security-alert
T1078 - Valid Accounts
  • 2 Rules

Vendor: Onapsis

ProductEvent TypesMITRE ATT&CK® TTPContent
Onapsis
  • app-login
  • database-update
  • failed-app-login
  • security-alert
T1078 - Valid Accounts
  • 2 Rules

Vendor: OneLogin

ProductEvent TypesMITRE ATT&CK® TTPContent
OneLogin
  • account-password-reset
  • app-activity
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules

Vendor: OneSpan

ProductEvent TypesMITRE ATT&CK® TTPContent
Digipass
  • app-login
  • nac-failed-logon
  • nac-logon
T1078 - Valid Accounts
  • 1 Rules
OneSpan
  • failed-logon
T1078 - Valid Accounts
  • 1 Rules

Vendor: OneWelcome

ProductEvent TypesMITRE ATT&CK® TTPContent
OneWelcome
  • authentication-failed
  • authentication-successful
T1078 - Valid Accounts
  • 1 Rules

Vendor: OpenDJ

ProductEvent TypesMITRE ATT&CK® TTPContent
OpenDJ LDAP
  • authentication-failed
  • authentication-successful
T1078 - Valid Accounts
  • 1 Rules

Vendor: Oracle

ProductEvent TypesMITRE ATT&CK® TTPContent
Access Manager
  • app-activity
  • app-login
  • authentication-failed
  • authentication-successful
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules
PeopleSoft
  • authentication-failed
T1078 - Valid Accounts
  • 1 Rules
Solaris
  • process-created
  • process-created-failed
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 5 Rules

Vendor: Osirium

ProductEvent TypesMITRE ATT&CK® TTPContent
Osirium
  • app-login
T1078 - Valid Accounts
  • 1 Rules

Vendor: Palo Alto Networks

ProductEvent TypesMITRE ATT&CK® TTPContent
Cortex XDR
  • app-activity
  • app-login
  • security-alert
T1078 - Valid Accounts
  • 1 Rules
GlobalProtect
  • app-activity
  • authentication-failed
  • authentication-successful
  • config-change
  • failed-logon
  • failed-vpn-login
  • remote-logon
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
  • 2 Rules
NGFW
  • authentication-failed
  • authentication-successful
  • config-change
  • dlp-alert
  • file-alert
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • remote-logon
  • security-alert
  • vpn-login
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Palo Alto Aperture
  • app-activity
  • app-login
  • dlp-alert
  • file-delete
  • file-download
  • file-read
  • file-write
  • security-alert
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules
Prisma Access
  • dns-query
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Perforce

ProductEvent TypesMITRE ATT&CK® TTPContent
Perforce
  • app-activity
T1078 - Valid Accounts
  • 1 Rules

Vendor: Ping Identity

ProductEvent TypesMITRE ATT&CK® TTPContent
Ping Identity
  • account-password-change
  • account-password-change-failed
  • account-password-reset
  • app-activity
  • app-activity-failed
  • app-login
  • authentication-failed
  • authentication-successful
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules
PingOne
  • app-login
  • authentication-successful
  • failed-app-login
  • vpn-login
T1078 - Valid Accounts
  • 2 Rules

Vendor: PowerSentry

ProductEvent TypesMITRE ATT&CK® TTPContent
PowerSentry
  • app-activity
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules

Vendor: Procad

ProductEvent TypesMITRE ATT&CK® TTPContent
Pro.File DMS
  • app-activity
T1078 - Valid Accounts
  • 1 Rules

Vendor: Progress

ProductEvent TypesMITRE ATT&CK® TTPContent
Progress Database
  • remote-logon
T1078 - Valid Accounts
  • 1 Rules

Vendor: ProxySG

ProductEvent TypesMITRE ATT&CK® TTPContent
ProxySG
  • authentication-failed
T1078 - Valid Accounts
  • 1 Rules

Vendor: QUSH

ProductEvent TypesMITRE ATT&CK® TTPContent
Reveal
  • dlp-alert
  • file-upload
  • file-write
  • nac-logon
  • print-activity
  • remote-logon
  • usb-insert
  • web-activity-allowed
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Quest Software

ProductEvent TypesMITRE ATT&CK® TTPContent
Change Auditor
  • account-lockout
  • account-password-change
  • account-password-change-failed
  • account-unlocked
  • ds-access
  • failed-ds-access
  • failed-logon
  • file-delete
  • file-read
  • file-write
  • local-logon
  • member-added
  • member-removed
  • remote-logon
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules

Vendor: RSA

ProductEvent TypesMITRE ATT&CK® TTPContent
RSA Authentication Manager
  • authentication-successful
T1078 - Valid Accounts
  • 1 Rules
RSA NetWitness
  • app-login
T1078 - Valid Accounts
  • 1 Rules
SecurID
  • authentication-failed
  • authentication-successful
  • vpn-logout
T1078 - Valid Accounts
  • 1 Rules

Vendor: RUID

ProductEvent TypesMITRE ATT&CK® TTPContent
RUID
  • authentication-successful
T1078 - Valid Accounts
  • 1 Rules

Vendor: Radius

ProductEvent TypesMITRE ATT&CK® TTPContent
Radius
  • authentication-failed
  • authentication-successful
  • computer-logon
  • nac-logon
T1078 - Valid Accounts
  • 1 Rules

Vendor: RangerAudit

ProductEvent TypesMITRE ATT&CK® TTPContent
RangerAudit
  • app-activity
  • app-login
  • database-activity-failed
  • database-query
  • failed-app-login
  • file-read
  • file-write
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: Rubrik

ProductEvent TypesMITRE ATT&CK® TTPContent
Rubrik CDM
  • account-creation
  • app-login
  • privileged-access
T1078 - Valid Accounts
  • 1 Rules

Vendor: SAP

ProductEvent TypesMITRE ATT&CK® TTPContent
SAP
  • account-creation
  • account-deleted
  • account-lockout
  • account-password-change
  • account-unlocked
  • app-activity
  • app-login
  • authentication-failed
  • authentication-successful
  • failed-app-login
  • file-download
  • file-write
  • gcp-bucket-create
  • gcp-compute-list
  • gcp-function-write
  • gcp-general-activity
  • gcp-instance-screenshot
  • gcp-role-list
  • gcp-serviceaccount-creds-write
  • gcp-storage-list
  • gcp-storageobject-read
  • gcp-storageobject-write
  • remote-logon
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: SFTP

ProductEvent TypesMITRE ATT&CK® TTPContent
SFTP
  • app-login
  • failed-app-login
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules

Vendor: SIGSCI

ProductEvent TypesMITRE ATT&CK® TTPContent
SIGSCI
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: SSL Open VPN

ProductEvent TypesMITRE ATT&CK® TTPContent
SSL Open VPN
  • app-activity
  • app-activity-failed
  • authentication-failed
  • authentication-successful
  • failed-vpn-login
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
  • 2 Rules

Vendor: Sailpoint

ProductEvent TypesMITRE ATT&CK® TTPContent
FAM
  • file-delete
  • file-permission-change
  • file-read
  • file-write
T1486 - Data Encrypted for Impact
  • 1 Rules
IdentityNow
  • account-password-change
  • account-password-change-failed
  • app-activity
  • app-login
  • authentication-failed
  • authentication-successful
T1078 - Valid Accounts
  • 2 Rules
SailPoint IIQ
  • app-activity
T1078 - Valid Accounts
  • 1 Rules
SecurityIQ
  • account-creation
  • account-deleted
  • account-lockout
  • account-password-reset
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
  • member-added
  • member-removed
T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: Salesforce

ProductEvent TypesMITRE ATT&CK® TTPContent
Salesforce
  • account-switch
  • app-activity
  • app-login
  • dlp-email-alert-out
  • failed-app-login
  • file-download
  • file-upload
T1078 - Valid Accounts
  • 2 Rules

Vendor: Sangfor

ProductEvent TypesMITRE ATT&CK® TTPContent
NGAF
  • network-alert
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Seclore

ProductEvent TypesMITRE ATT&CK® TTPContent
Seclore
  • file-permission-change
  • file-read
  • file-write
T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: Secomea

ProductEvent TypesMITRE ATT&CK® TTPContent
Secomea
  • app-login
T1078 - Valid Accounts
  • 1 Rules

Vendor: Secure Computing

ProductEvent TypesMITRE ATT&CK® TTPContent
Secure Computing SafeWord
  • authentication-successful
T1078 - Valid Accounts
  • 1 Rules

Vendor: Secure Envoy

ProductEvent TypesMITRE ATT&CK® TTPContent
Secure Envoy
  • authentication-failed
  • authentication-successful
T1078 - Valid Accounts
  • 1 Rules

Vendor: SecureAuth

ProductEvent TypesMITRE ATT&CK® TTPContent
SecureAuth Login
  • app-login
  • authentication-successful
T1078 - Valid Accounts
  • 1 Rules
ProductEvent TypesMITRE ATT&CK® TTPContent
SecureLink
  • app-activity
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules

Vendor: SecureNet

ProductEvent TypesMITRE ATT&CK® TTPContent
SecureNet
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
  • 1 Rules

Vendor: Semperis

ProductEvent TypesMITRE ATT&CK® TTPContent
DSP
  • app-login
  • ds-access
  • failed-app-login
  • privileged-object-access
T1078 - Valid Accounts
  • 2 Rules

Vendor: SentinelOne

ProductEvent TypesMITRE ATT&CK® TTPContent
Singularity Platform
  • "app-activity"
  • "process-created"
  • "process-network"
  • "security-alert"
  • app-activity
  • dns-query
  • dns-response
  • file-alert
  • file-delete
  • file-read
  • file-write
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • process-alert
  • process-created
  • registry-write
  • security-alert
  • task-created
  • web-activity-allowed
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 8 Rules
Vigilance
  • account-creation
  • app-activity
  • app-login
  • failed-app-login
  • security-alert
T1078 - Valid Accounts
  • 2 Rules

Vendor: ServiceNow

ProductEvent TypesMITRE ATT&CK® TTPContent
ServiceNow
  • app-activity
  • app-login
  • failed-app-login
  • file-delete
  • file-download
  • file-read
  • file-upload
T1078 - Valid Accounts
  • 2 Rules

Vendor: Shibboleth

ProductEvent TypesMITRE ATT&CK® TTPContent
Shibboleth IdP
  • authentication-successful
T1078 - Valid Accounts
  • 1 Rules
Shibboleth SSO
  • account-password-change
  • app-login
T1078 - Valid Accounts
  • 1 Rules

Vendor: Silverfort

ProductEvent TypesMITRE ATT&CK® TTPContent
Silverfort
  • app-login
  • authentication-failed
  • authentication-successful
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules

Vendor: SiteMinder

ProductEvent TypesMITRE ATT&CK® TTPContent
SiteMinder
  • authentication-failed
  • authentication-successful
T1078 - Valid Accounts
  • 1 Rules

Vendor: SkySea

ProductEvent TypesMITRE ATT&CK® TTPContent
ClientView
  • app-activity
  • app-login
  • dlp-email-alert-out
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
  • print-activity
  • process-created
  • security-alert
  • share-access
  • usb-activity
  • web-activity-allowed
  • web-activity-denied
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 8 Rules

Vendor: Skybox

ProductEvent TypesMITRE ATT&CK® TTPContent
Skybox
  • app-login
T1078 - Valid Accounts
  • 1 Rules

Vendor: Skyhigh Security

ProductEvent TypesMITRE ATT&CK® TTPContent
Skyhigh Security Cloud
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Slack

ProductEvent TypesMITRE ATT&CK® TTPContent
Slack
  • app-activity
  • app-login
  • file-download
  • file-upload
T1078 - Valid Accounts
  • 1 Rules

Vendor: Sonicwall

ProductEvent TypesMITRE ATT&CK® TTPContent
Sonicwall
  • failed-vpn-login
  • network-alert
  • remote-logon
  • vpn-login
  • vpn-logout
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules

Vendor: Sophos

ProductEvent TypesMITRE ATT&CK® TTPContent
Sophos Endpoint Protection
  • app-activity-failed
  • dlp-alert
  • failed-usb-activity
  • file-alert
  • network-alert
  • network-connection-failed
  • process-alert
  • security-alert
  • usb-insert
  • usb-read
  • usb-write
T1078 - Valid Accounts
  • 1 Rules
Sophos SafeGuard
  • app-activity
  • app-activity-failed
T1078 - Valid Accounts
  • 2 Rules
Sophos UTM
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Sophos XG Firewall
  • app-login
  • failed-vpn-login
  • network-connection-failed
  • network-connection-successful
  • vpn-login
  • vpn-logout
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 3 Rules

Vendor: Squid

ProductEvent TypesMITRE ATT&CK® TTPContent
Squid
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: StealthBits

ProductEvent TypesMITRE ATT&CK® TTPContent
StealthIntercept
  • account-disabled
  • account-enabled
  • authentication-failed
  • authentication-successful
  • ds-access
  • failed-ds-access
  • file-permission-change
  • file-read
  • file-write
  • member-added
  • member-removed
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 2 Rules

Vendor: Sun One

ProductEvent TypesMITRE ATT&CK® TTPContent
LDAP
  • authentication-failed
  • authentication-successful
T1078 - Valid Accounts
  • 1 Rules

Vendor: Swift

ProductEvent TypesMITRE ATT&CK® TTPContent
Swift
  • account-password-change
  • account-password-change-failed
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules

Vendor: Swivel

ProductEvent TypesMITRE ATT&CK® TTPContent
Swivel
  • app-activity
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules

Vendor: Symantec

ProductEvent TypesMITRE ATT&CK® TTPContent
Symantec Blue Coat ProxySG Appliance
  • network-connection-failed
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Symantec CloudSOC
  • app-activity
  • app-login
  • dlp-alert
  • failed-app-login
  • file-delete
  • file-download
  • file-upload
T1078 - Valid Accounts
  • 2 Rules
Symantec Critical System Protection
  • account-switch
  • config-change
  • failed-logon
  • local-logon
  • member-added
  • member-removed
T1078 - Valid Accounts
  • 1 Rules
Symantec EDR
  • authentication-successful
  • file-alert
  • file-delete
  • file-write
  • process-created
  • remote-logon
  • security-alert
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 7 Rules
Symantec Endpoint Protection
  • app-activity
  • failed-usb-activity
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • process-alert
  • security-alert
  • usb-write
T1078 - Valid Accounts
  • 1 Rules
Symantec Fireglass
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Symantec Secure Web Gateway
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
Symantec VIP
  • app-activity
  • app-activity-failed
  • authentication-failed
  • authentication-successful
T1078 - Valid Accounts
  • 2 Rules
Symantec WSS
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Tanium

ProductEvent TypesMITRE ATT&CK® TTPContent
Cloud Platform
  • app-activity
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules
Endpoint Platform
  • authentication-failed
  • authentication-successful
  • dns-response
  • process-created
  • security-alert
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules
Integrity Monitor
  • file-delete
  • file-permission-change
  • file-write
  • network-connection-failed
  • network-connection-successful
  • process-created
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules

Vendor: TitanFTP

ProductEvent TypesMITRE ATT&CK® TTPContent
TitanFTP
  • app-activity
  • file-delete
  • file-read
T1078 - Valid Accounts
  • 1 Rules

Vendor: Trend Micro

ProductEvent TypesMITRE ATT&CK® TTPContent
Deep Discovery Inspector
  • account-password-change
  • app-login
  • security-alert
T1078 - Valid Accounts
  • 1 Rules
InterScan Web Security
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules
OfficeScan
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-out
  • privileged-object-access
  • security-alert
  • usb-write
  • web-activity-allowed
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Tufin

ProductEvent TypesMITRE ATT&CK® TTPContent
SecureTrack
  • authentication-successful
T1078 - Valid Accounts
  • 1 Rules

Vendor: Tyco

ProductEvent TypesMITRE ATT&CK® TTPContent
CCURE Building Management System
  • app-activity
  • app-login
  • failed-physical-access
  • physical-access
T1078 - Valid Accounts
  • 1 Rules

Vendor: Unix

ProductEvent TypesMITRE ATT&CK® TTPContent
Auditbeat
  • app-activity
  • app-activity-failed
  • authentication-successful
  • process-created
  • process-network
  • process-network-failed
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 7 Rules
Unix
  • account-creation
  • account-deleted
  • account-lockout
  • account-password-change
  • account-switch
  • authentication-failed
  • authentication-successful
  • batch-logon
  • computer-logon
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • failed-logon
  • file-delete
  • file-permission-change
  • file-read
  • file-write
  • kerberos-logon
  • local-logon
  • member-added
  • member-removed
  • network-connection-failed
  • process-created
  • process-created-failed
  • remote-access
  • remote-logon
  • security-alert
  • task-created
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 7 Rules
Unix Auditd
  • account-creation
  • account-deleted
  • account-password-change
  • account-switch
  • app-activity-failed
  • authentication-failed
  • authentication-successful
  • failed-logon
  • local-logon
  • member-added
  • member-removed
  • process-created
  • process-created-failed
  • remote-logon
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules

Vendor: VMS Software

ProductEvent TypesMITRE ATT&CK® TTPContent
OpenVMS
  • batch-logon
  • failed-logon
  • file-delete
  • file-read
  • remote-logon
T1078 - Valid Accounts
  • 1 Rules

Vendor: VMware

ProductEvent TypesMITRE ATT&CK® TTPContent
AirWatch
  • app-activity
  • authentication-failed
  • authentication-successful
  • security-alert
T1078 - Valid Accounts
  • 2 Rules
Carbon Black App Control
  • app-login
  • file-alert
  • file-download
  • file-write
  • local-logon
  • process-alert
  • process-created
  • security-alert
  • usb-activity
  • usb-insert
  • workstation-locked
  • workstation-unlocked
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 7 Rules
Carbon Black Cloud Endpoint Standard
  • app-login
  • authentication-successful
  • failed-app-login
  • file-write
  • network-connection-failed
  • network-connection-successful
  • process-created
  • registry-write
  • security-alert
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 8 Rules
Carbon Black Cloud Enterprise EDR
  • authentication-successful
  • file-write
  • network-connection-failed
  • network-connection-successful
  • process-alert
  • process-created
  • registry-write
  • security-alert
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 7 Rules
Carbon Black EDR
  • file-alert
  • file-delete
  • file-read
  • file-write
  • network-connection-failed
  • network-connection-successful
  • process-alert
  • process-created
  • process-created-failed
  • process-network
  • security-alert
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 6 Rules
VMWare ID Manager (VIDM)
  • app-activity
  • app-activity-failed
  • app-login
  • failed-app-login
  • privileged-object-access
T1078 - Valid Accounts
  • 2 Rules
VMware ESXi
  • remote-logon
T1078 - Valid Accounts
  • 1 Rules
VMware Horizon
  • authentication-failed
  • remote-logon
T1078 - Valid Accounts
  • 1 Rules
VMware VCenter
  • app-activity
  • app-login
  • failed-logon
  • remote-logon
T1078 - Valid Accounts
  • 2 Rules
VMware View
  • account-password-change
  • app-activity
  • app-login
  • failed-app-login
  • remote-logon
T1078 - Valid Accounts
  • 2 Rules

Vendor: Varonis

ProductEvent TypesMITRE ATT&CK® TTPContent
Data Security Platform
  • dlp-alert
  • file-delete
  • file-permission-change
  • file-read
  • file-write
T1486 - Data Encrypted for Impact
  • 1 Rules

Vendor: Vectra

ProductEvent TypesMITRE ATT&CK® TTPContent
Cognito Stream
  • authentication-failed
  • authentication-successful
  • dlp-email-alert-out
  • file-delete
  • file-read
  • file-write
  • ntlm-logon
  • remote-logon
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules
Vectra Cognito Detect
  • app-activity
  • security-alert
T1078 - Valid Accounts
  • 1 Rules

Vendor: Watchguard

ProductEvent TypesMITRE ATT&CK® TTPContent
Watchguard
  • network-connection-failed
  • network-connection-successful
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Weblogin

ProductEvent TypesMITRE ATT&CK® TTPContent
Weblogin
  • web-activity-allowed
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: Wiz

ProductEvent TypesMITRE ATT&CK® TTPContent
Wiz
  • account-deleted
  • app-activity
  • app-login
  • network-alert
  • security-alert
T1078 - Valid Accounts
  • 1 Rules

Vendor: Workday

ProductEvent TypesMITRE ATT&CK® TTPContent
Workday
  • app-activity
  • app-login
  • authentication-failed
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules

Vendor: Xceedium

ProductEvent TypesMITRE ATT&CK® TTPContent
Xceedium
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules

Vendor: Xiting

ProductEvent TypesMITRE ATT&CK® TTPContent
XAMS
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules

Vendor: Zeek

ProductEvent TypesMITRE ATT&CK® TTPContent
Zeek Network Security Monitor
  • app-activity
  • authentication-failed
  • authentication-successful
  • computer-logon
  • dlp-email-alert-in
  • dlp-email-alert-out
  • dns-query
  • dns-response
  • failed-logon
  • file-delete
  • file-read
  • file-write
  • kerberos-logon
  • nac-failed-logon
  • nac-logon
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • ntlm-logon
  • remote-access
  • remote-logon
  • share-access
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 4 Rules

Vendor: Zendesk

ProductEvent TypesMITRE ATT&CK® TTPContent
Zendesk
  • app-activity
T1078 - Valid Accounts
  • 1 Rules

Vendor: Zlock

ProductEvent TypesMITRE ATT&CK® TTPContent
Zlock
  • app-activity
T1078 - Valid Accounts
  • 1 Rules

Vendor: Zoom

ProductEvent TypesMITRE ATT&CK® TTPContent
Zoom
  • web-meeting-created
  • web-meeting-ended
  • web-meeting-participant-joined
  • web-meeting-started
  • web-meeting-updated
  • webconference-login
  • webconference-operations-activity
T1078.004 - Valid Accounts: Cloud Accounts
  • 1 Rules

Vendor: Zscaler

ProductEvent TypesMITRE ATT&CK® TTPContent
Zscaler Internet Access
  • app-login
  • dlp-alert
  • network-connection-failed
  • network-connection-successful
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 2 Rules
Zscaler Private Access
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
  • 1 Rules

Vendor: eDocs

ProductEvent TypesMITRE ATT&CK® TTPContent
eDocs
  • app-activity
T1078 - Valid Accounts
  • 1 Rules

Vendor: iBoss

ProductEvent TypesMITRE ATT&CK® TTPContent
Secure Web Gateway
  • web-activity-allowed
  • web-activity-denied
T1071.001 - Application Layer Protocol: Web Protocols
  • 1 Rules

Vendor: iManage

ProductEvent TypesMITRE ATT&CK® TTPContent
iManage
  • app-activity
  • dlp-alert
T1078 - Valid Accounts
  • 1 Rules

Vendor: oVirt

ProductEvent TypesMITRE ATT&CK® TTPContent
oVirt
  • app-activity
  • app-activity-failed
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 2 Rules

Vendor: xsuite

ProductEvent TypesMITRE ATT&CK® TTPContent
xsuite
  • remote-logon
T1078 - Valid Accounts
  • 1 Rules