Vendor: Cisco

July 25, 2023 · View on GitHub

Product: Cisco Firepower

Rules	Models	MITRE TTPs	Event Types	Parsers
174	83	32	13	13

Use-Case	Event Types/Parsers	MITRE TTP	Content
Account Manipulation	authentication-successful ↳ meraki-firepower-active-dir ↳ cisco-ftd-722041 dns-query ↳ estreamer-dns-query dns-response ↳ s-opendns-dns-response ↳ s-opendns-dns-response-7 ↳ s-opendns-dns-response-6 ↳ s-opendns-dns-response-5 ↳ s-opendns-dns-response-4 ↳ s-opendns-dns-response-3 ↳ s-opendns-dns-response-2 ↳ s-opendns-dns-response-1 ↳ s-opendns-dns-response-10 ↳ s-opendns-dns-response-9 ↳ s-opendns-dns-response-8 ↳ cisco-dns-response ↳ firepower-dns-response nac-logon ↳ cisco-ftd-113004 netflow-connection ↳ cisco-netflow-connection-1 network-alert ↳ sourcefire-network-alert ↳ firepower-network-alert-1 ↳ firepower-network-alert ↳ sourcefire-network-alert-5 ↳ sourcefire-network-alert-4 ↳ sourcefire-network-alert-3 ↳ sourcefire-network-alert-2 ↳ sourcefire-network-alert-1 network-connection-failed ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-5 network-connection-successful ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-3 ↳ cisco-ftd-firewall-2 ↳ cisco-ftd-firewall-4 ↳ cisco-ftd-firewall-6 ↳ cisco-ftd-firewall-9 ↳ cisco-ftd-firewall-1 ↳ cisco-ftd-permit-any security-alert ↳ json-cisco-firesight-alert-1 ↳ q-firesight-alert-2 ↳ q-firesight-alert-3 ↳ sourcefire-security-alert ↳ q-firesight-alert-4 ↳ cisco-firesight-alert ↳ q-firesight-alert ↳ cef-sourcefire-estreamer-alert ↳ sourcefire-estreamer-alert-2 ↳ cisco-sourcefire-alert ↳ sourcefire-estreamer-alert ↳ s-cisco-amp-alert-8 ↳ s-cisco-amp-alert-9 ↳ s-cisco-amp-alert-2 ↳ s-cisco-amp-alert-3 ↳ s-cisco-amp-alert-11 ↳ s-cisco-amp-alert-14 ↳ s-cisco-amp-alert-1 ↳ s-cisco-amp-alert-13 ↳ s-cisco-amp-alert-6 ↳ s-cisco-amp-alert-7 ↳ s-cisco-amp-alert-15 ↳ s-cisco-amp-alert-5 ↳ s-cisco-amp-alert-10 ↳ s-estreamer-security-alert vpn-login ↳ cisco-ftd-firewall-7 vpn-logout ↳ cisco-ftd-firewall-8 web-activity-allowed ↳ sourcefire-proxy ↳ sourcefire-proxy-1 web-activity-denied ↳ sourcefire-proxy ↳ sourcefire-proxy-1	T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	4 Rules 4 Models
Brute Force Attack	authentication-successful ↳ meraki-firepower-active-dir ↳ cisco-ftd-722041 dns-query ↳ estreamer-dns-query dns-response ↳ s-opendns-dns-response ↳ s-opendns-dns-response-7 ↳ s-opendns-dns-response-6 ↳ s-opendns-dns-response-5 ↳ s-opendns-dns-response-4 ↳ s-opendns-dns-response-3 ↳ s-opendns-dns-response-2 ↳ s-opendns-dns-response-1 ↳ s-opendns-dns-response-10 ↳ s-opendns-dns-response-9 ↳ s-opendns-dns-response-8 ↳ cisco-dns-response ↳ firepower-dns-response nac-logon ↳ cisco-ftd-113004 netflow-connection ↳ cisco-netflow-connection-1 network-alert ↳ sourcefire-network-alert ↳ firepower-network-alert-1 ↳ firepower-network-alert ↳ sourcefire-network-alert-5 ↳ sourcefire-network-alert-4 ↳ sourcefire-network-alert-3 ↳ sourcefire-network-alert-2 ↳ sourcefire-network-alert-1 network-connection-failed ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-5 network-connection-successful ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-3 ↳ cisco-ftd-firewall-2 ↳ cisco-ftd-firewall-4 ↳ cisco-ftd-firewall-6 ↳ cisco-ftd-firewall-9 ↳ cisco-ftd-firewall-1 ↳ cisco-ftd-permit-any security-alert ↳ json-cisco-firesight-alert-1 ↳ q-firesight-alert-2 ↳ q-firesight-alert-3 ↳ sourcefire-security-alert ↳ q-firesight-alert-4 ↳ cisco-firesight-alert ↳ q-firesight-alert ↳ cef-sourcefire-estreamer-alert ↳ sourcefire-estreamer-alert-2 ↳ cisco-sourcefire-alert ↳ sourcefire-estreamer-alert ↳ s-cisco-amp-alert-8 ↳ s-cisco-amp-alert-9 ↳ s-cisco-amp-alert-2 ↳ s-cisco-amp-alert-3 ↳ s-cisco-amp-alert-11 ↳ s-cisco-amp-alert-14 ↳ s-cisco-amp-alert-1 ↳ s-cisco-amp-alert-13 ↳ s-cisco-amp-alert-6 ↳ s-cisco-amp-alert-7 ↳ s-cisco-amp-alert-15 ↳ s-cisco-amp-alert-5 ↳ s-cisco-amp-alert-10 ↳ s-estreamer-security-alert vpn-login ↳ cisco-ftd-firewall-7 vpn-logout ↳ cisco-ftd-firewall-8 web-activity-allowed ↳ sourcefire-proxy ↳ sourcefire-proxy-1 web-activity-denied ↳ sourcefire-proxy ↳ sourcefire-proxy-1	T1003 - OS Credential Dumping	4 Rules 4 Models
Compromised Credentials	authentication-successful ↳ meraki-firepower-active-dir ↳ cisco-ftd-722041 dns-query ↳ estreamer-dns-query dns-response ↳ s-opendns-dns-response ↳ s-opendns-dns-response-7 ↳ s-opendns-dns-response-6 ↳ s-opendns-dns-response-5 ↳ s-opendns-dns-response-4 ↳ s-opendns-dns-response-3 ↳ s-opendns-dns-response-2 ↳ s-opendns-dns-response-1 ↳ s-opendns-dns-response-10 ↳ s-opendns-dns-response-9 ↳ s-opendns-dns-response-8 ↳ cisco-dns-response ↳ firepower-dns-response nac-logon ↳ cisco-ftd-113004 netflow-connection ↳ cisco-netflow-connection-1 network-alert ↳ sourcefire-network-alert ↳ firepower-network-alert-1 ↳ firepower-network-alert ↳ sourcefire-network-alert-5 ↳ sourcefire-network-alert-4 ↳ sourcefire-network-alert-3 ↳ sourcefire-network-alert-2 ↳ sourcefire-network-alert-1 network-connection-failed ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-5 network-connection-successful ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-3 ↳ cisco-ftd-firewall-2 ↳ cisco-ftd-firewall-4 ↳ cisco-ftd-firewall-6 ↳ cisco-ftd-firewall-9 ↳ cisco-ftd-firewall-1 ↳ cisco-ftd-permit-any security-alert ↳ json-cisco-firesight-alert-1 ↳ q-firesight-alert-2 ↳ q-firesight-alert-3 ↳ sourcefire-security-alert ↳ q-firesight-alert-4 ↳ cisco-firesight-alert ↳ q-firesight-alert ↳ cef-sourcefire-estreamer-alert ↳ sourcefire-estreamer-alert-2 ↳ cisco-sourcefire-alert ↳ sourcefire-estreamer-alert ↳ s-cisco-amp-alert-8 ↳ s-cisco-amp-alert-9 ↳ s-cisco-amp-alert-2 ↳ s-cisco-amp-alert-3 ↳ s-cisco-amp-alert-11 ↳ s-cisco-amp-alert-14 ↳ s-cisco-amp-alert-1 ↳ s-cisco-amp-alert-13 ↳ s-cisco-amp-alert-6 ↳ s-cisco-amp-alert-7 ↳ s-cisco-amp-alert-15 ↳ s-cisco-amp-alert-5 ↳ s-cisco-amp-alert-10 ↳ s-estreamer-security-alert vpn-login ↳ cisco-ftd-firewall-7 vpn-logout ↳ cisco-ftd-firewall-8 web-activity-allowed ↳ sourcefire-proxy ↳ sourcefire-proxy-1 web-activity-denied ↳ sourcefire-proxy ↳ sourcefire-proxy-1	T1021 - Remote Services T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1046 - Network Service Scanning T1059.001 - Command and Scripting Interperter: PowerShell T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1110 - Brute Force T1133 - External Remote Services T1550.002 - Use Alternate Authentication Material: Pass the Hash	78 Rules 41 Models
Cryptomining	authentication-successful ↳ meraki-firepower-active-dir ↳ cisco-ftd-722041 dns-query ↳ estreamer-dns-query dns-response ↳ s-opendns-dns-response ↳ s-opendns-dns-response-7 ↳ s-opendns-dns-response-6 ↳ s-opendns-dns-response-5 ↳ s-opendns-dns-response-4 ↳ s-opendns-dns-response-3 ↳ s-opendns-dns-response-2 ↳ s-opendns-dns-response-1 ↳ s-opendns-dns-response-10 ↳ s-opendns-dns-response-9 ↳ s-opendns-dns-response-8 ↳ cisco-dns-response ↳ firepower-dns-response nac-logon ↳ cisco-ftd-113004 netflow-connection ↳ cisco-netflow-connection-1 network-alert ↳ sourcefire-network-alert ↳ firepower-network-alert-1 ↳ firepower-network-alert ↳ sourcefire-network-alert-5 ↳ sourcefire-network-alert-4 ↳ sourcefire-network-alert-3 ↳ sourcefire-network-alert-2 ↳ sourcefire-network-alert-1 network-connection-failed ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-5 network-connection-successful ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-3 ↳ cisco-ftd-firewall-2 ↳ cisco-ftd-firewall-4 ↳ cisco-ftd-firewall-6 ↳ cisco-ftd-firewall-9 ↳ cisco-ftd-firewall-1 ↳ cisco-ftd-permit-any security-alert ↳ json-cisco-firesight-alert-1 ↳ q-firesight-alert-2 ↳ q-firesight-alert-3 ↳ sourcefire-security-alert ↳ q-firesight-alert-4 ↳ cisco-firesight-alert ↳ q-firesight-alert ↳ cef-sourcefire-estreamer-alert ↳ sourcefire-estreamer-alert-2 ↳ cisco-sourcefire-alert ↳ sourcefire-estreamer-alert ↳ s-cisco-amp-alert-8 ↳ s-cisco-amp-alert-9 ↳ s-cisco-amp-alert-2 ↳ s-cisco-amp-alert-3 ↳ s-cisco-amp-alert-11 ↳ s-cisco-amp-alert-14 ↳ s-cisco-amp-alert-1 ↳ s-cisco-amp-alert-13 ↳ s-cisco-amp-alert-6 ↳ s-cisco-amp-alert-7 ↳ s-cisco-amp-alert-15 ↳ s-cisco-amp-alert-5 ↳ s-cisco-amp-alert-10 ↳ s-estreamer-security-alert vpn-login ↳ cisco-ftd-firewall-7 vpn-logout ↳ cisco-ftd-firewall-8 web-activity-allowed ↳ sourcefire-proxy ↳ sourcefire-proxy-1 web-activity-denied ↳ sourcefire-proxy ↳ sourcefire-proxy-1	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	3 Rules
Data Access	authentication-successful ↳ meraki-firepower-active-dir ↳ cisco-ftd-722041 dns-query ↳ estreamer-dns-query dns-response ↳ s-opendns-dns-response ↳ s-opendns-dns-response-7 ↳ s-opendns-dns-response-6 ↳ s-opendns-dns-response-5 ↳ s-opendns-dns-response-4 ↳ s-opendns-dns-response-3 ↳ s-opendns-dns-response-2 ↳ s-opendns-dns-response-1 ↳ s-opendns-dns-response-10 ↳ s-opendns-dns-response-9 ↳ s-opendns-dns-response-8 ↳ cisco-dns-response ↳ firepower-dns-response nac-logon ↳ cisco-ftd-113004 netflow-connection ↳ cisco-netflow-connection-1 network-alert ↳ sourcefire-network-alert ↳ firepower-network-alert-1 ↳ firepower-network-alert ↳ sourcefire-network-alert-5 ↳ sourcefire-network-alert-4 ↳ sourcefire-network-alert-3 ↳ sourcefire-network-alert-2 ↳ sourcefire-network-alert-1 network-connection-failed ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-5 network-connection-successful ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-3 ↳ cisco-ftd-firewall-2 ↳ cisco-ftd-firewall-4 ↳ cisco-ftd-firewall-6 ↳ cisco-ftd-firewall-9 ↳ cisco-ftd-firewall-1 ↳ cisco-ftd-permit-any security-alert ↳ json-cisco-firesight-alert-1 ↳ q-firesight-alert-2 ↳ q-firesight-alert-3 ↳ sourcefire-security-alert ↳ q-firesight-alert-4 ↳ cisco-firesight-alert ↳ q-firesight-alert ↳ cef-sourcefire-estreamer-alert ↳ sourcefire-estreamer-alert-2 ↳ cisco-sourcefire-alert ↳ sourcefire-estreamer-alert ↳ s-cisco-amp-alert-8 ↳ s-cisco-amp-alert-9 ↳ s-cisco-amp-alert-2 ↳ s-cisco-amp-alert-3 ↳ s-cisco-amp-alert-11 ↳ s-cisco-amp-alert-14 ↳ s-cisco-amp-alert-1 ↳ s-cisco-amp-alert-13 ↳ s-cisco-amp-alert-6 ↳ s-cisco-amp-alert-7 ↳ s-cisco-amp-alert-15 ↳ s-cisco-amp-alert-5 ↳ s-cisco-amp-alert-10 ↳ s-estreamer-security-alert vpn-login ↳ cisco-ftd-firewall-7 vpn-logout ↳ cisco-ftd-firewall-8 web-activity-allowed ↳ sourcefire-proxy ↳ sourcefire-proxy-1 web-activity-denied ↳ sourcefire-proxy ↳ sourcefire-proxy-1	T1078 - Valid Accounts T1110 - Brute Force	2 Rules 2 Models
Data Exfiltration	authentication-successful ↳ meraki-firepower-active-dir ↳ cisco-ftd-722041 dns-query ↳ estreamer-dns-query dns-response ↳ s-opendns-dns-response ↳ s-opendns-dns-response-7 ↳ s-opendns-dns-response-6 ↳ s-opendns-dns-response-5 ↳ s-opendns-dns-response-4 ↳ s-opendns-dns-response-3 ↳ s-opendns-dns-response-2 ↳ s-opendns-dns-response-1 ↳ s-opendns-dns-response-10 ↳ s-opendns-dns-response-9 ↳ s-opendns-dns-response-8 ↳ cisco-dns-response ↳ firepower-dns-response nac-logon ↳ cisco-ftd-113004 netflow-connection ↳ cisco-netflow-connection-1 network-alert ↳ sourcefire-network-alert ↳ firepower-network-alert-1 ↳ firepower-network-alert ↳ sourcefire-network-alert-5 ↳ sourcefire-network-alert-4 ↳ sourcefire-network-alert-3 ↳ sourcefire-network-alert-2 ↳ sourcefire-network-alert-1 network-connection-failed ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-5 network-connection-successful ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-3 ↳ cisco-ftd-firewall-2 ↳ cisco-ftd-firewall-4 ↳ cisco-ftd-firewall-6 ↳ cisco-ftd-firewall-9 ↳ cisco-ftd-firewall-1 ↳ cisco-ftd-permit-any security-alert ↳ json-cisco-firesight-alert-1 ↳ q-firesight-alert-2 ↳ q-firesight-alert-3 ↳ sourcefire-security-alert ↳ q-firesight-alert-4 ↳ cisco-firesight-alert ↳ q-firesight-alert ↳ cef-sourcefire-estreamer-alert ↳ sourcefire-estreamer-alert-2 ↳ cisco-sourcefire-alert ↳ sourcefire-estreamer-alert ↳ s-cisco-amp-alert-8 ↳ s-cisco-amp-alert-9 ↳ s-cisco-amp-alert-2 ↳ s-cisco-amp-alert-3 ↳ s-cisco-amp-alert-11 ↳ s-cisco-amp-alert-14 ↳ s-cisco-amp-alert-1 ↳ s-cisco-amp-alert-13 ↳ s-cisco-amp-alert-6 ↳ s-cisco-amp-alert-7 ↳ s-cisco-amp-alert-15 ↳ s-cisco-amp-alert-5 ↳ s-cisco-amp-alert-10 ↳ s-estreamer-security-alert vpn-login ↳ cisco-ftd-firewall-7 vpn-logout ↳ cisco-ftd-firewall-8 web-activity-allowed ↳ sourcefire-proxy ↳ sourcefire-proxy-1 web-activity-denied ↳ sourcefire-proxy ↳ sourcefire-proxy-1	T1030 - Data Transfer Size Limits T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1071.001 - Application Layer Protocol: Web Protocols T1071.002 - Application Layer Protocol: File Transfer Protocols T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage T1568 - Dynamic Resolution	5 Rules
Data Leak	authentication-successful ↳ meraki-firepower-active-dir ↳ cisco-ftd-722041 dns-query ↳ estreamer-dns-query dns-response ↳ s-opendns-dns-response ↳ s-opendns-dns-response-7 ↳ s-opendns-dns-response-6 ↳ s-opendns-dns-response-5 ↳ s-opendns-dns-response-4 ↳ s-opendns-dns-response-3 ↳ s-opendns-dns-response-2 ↳ s-opendns-dns-response-1 ↳ s-opendns-dns-response-10 ↳ s-opendns-dns-response-9 ↳ s-opendns-dns-response-8 ↳ cisco-dns-response ↳ firepower-dns-response nac-logon ↳ cisco-ftd-113004 netflow-connection ↳ cisco-netflow-connection-1 network-alert ↳ sourcefire-network-alert ↳ firepower-network-alert-1 ↳ firepower-network-alert ↳ sourcefire-network-alert-5 ↳ sourcefire-network-alert-4 ↳ sourcefire-network-alert-3 ↳ sourcefire-network-alert-2 ↳ sourcefire-network-alert-1 network-connection-failed ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-5 network-connection-successful ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-3 ↳ cisco-ftd-firewall-2 ↳ cisco-ftd-firewall-4 ↳ cisco-ftd-firewall-6 ↳ cisco-ftd-firewall-9 ↳ cisco-ftd-firewall-1 ↳ cisco-ftd-permit-any security-alert ↳ json-cisco-firesight-alert-1 ↳ q-firesight-alert-2 ↳ q-firesight-alert-3 ↳ sourcefire-security-alert ↳ q-firesight-alert-4 ↳ cisco-firesight-alert ↳ q-firesight-alert ↳ cef-sourcefire-estreamer-alert ↳ sourcefire-estreamer-alert-2 ↳ cisco-sourcefire-alert ↳ sourcefire-estreamer-alert ↳ s-cisco-amp-alert-8 ↳ s-cisco-amp-alert-9 ↳ s-cisco-amp-alert-2 ↳ s-cisco-amp-alert-3 ↳ s-cisco-amp-alert-11 ↳ s-cisco-amp-alert-14 ↳ s-cisco-amp-alert-1 ↳ s-cisco-amp-alert-13 ↳ s-cisco-amp-alert-6 ↳ s-cisco-amp-alert-7 ↳ s-cisco-amp-alert-15 ↳ s-cisco-amp-alert-5 ↳ s-cisco-amp-alert-10 ↳ s-estreamer-security-alert vpn-login ↳ cisco-ftd-firewall-7 vpn-logout ↳ cisco-ftd-firewall-8 web-activity-allowed ↳ sourcefire-proxy ↳ sourcefire-proxy-1 web-activity-denied ↳ sourcefire-proxy ↳ sourcefire-proxy-1	T1030 - Data Transfer Size Limits T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1052 - Exfiltration Over Physical Medium T1052.001 - Exfiltration Over Physical Medium: Exfiltration over USB T1071.001 - Application Layer Protocol: Web Protocols T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage	10 Rules 7 Models
Evasion	authentication-successful ↳ meraki-firepower-active-dir ↳ cisco-ftd-722041 dns-query ↳ estreamer-dns-query dns-response ↳ s-opendns-dns-response ↳ s-opendns-dns-response-7 ↳ s-opendns-dns-response-6 ↳ s-opendns-dns-response-5 ↳ s-opendns-dns-response-4 ↳ s-opendns-dns-response-3 ↳ s-opendns-dns-response-2 ↳ s-opendns-dns-response-1 ↳ s-opendns-dns-response-10 ↳ s-opendns-dns-response-9 ↳ s-opendns-dns-response-8 ↳ cisco-dns-response ↳ firepower-dns-response nac-logon ↳ cisco-ftd-113004 netflow-connection ↳ cisco-netflow-connection-1 network-alert ↳ sourcefire-network-alert ↳ firepower-network-alert-1 ↳ firepower-network-alert ↳ sourcefire-network-alert-5 ↳ sourcefire-network-alert-4 ↳ sourcefire-network-alert-3 ↳ sourcefire-network-alert-2 ↳ sourcefire-network-alert-1 network-connection-failed ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-5 network-connection-successful ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-3 ↳ cisco-ftd-firewall-2 ↳ cisco-ftd-firewall-4 ↳ cisco-ftd-firewall-6 ↳ cisco-ftd-firewall-9 ↳ cisco-ftd-firewall-1 ↳ cisco-ftd-permit-any security-alert ↳ json-cisco-firesight-alert-1 ↳ q-firesight-alert-2 ↳ q-firesight-alert-3 ↳ sourcefire-security-alert ↳ q-firesight-alert-4 ↳ cisco-firesight-alert ↳ q-firesight-alert ↳ cef-sourcefire-estreamer-alert ↳ sourcefire-estreamer-alert-2 ↳ cisco-sourcefire-alert ↳ sourcefire-estreamer-alert ↳ s-cisco-amp-alert-8 ↳ s-cisco-amp-alert-9 ↳ s-cisco-amp-alert-2 ↳ s-cisco-amp-alert-3 ↳ s-cisco-amp-alert-11 ↳ s-cisco-amp-alert-14 ↳ s-cisco-amp-alert-1 ↳ s-cisco-amp-alert-13 ↳ s-cisco-amp-alert-6 ↳ s-cisco-amp-alert-7 ↳ s-cisco-amp-alert-15 ↳ s-cisco-amp-alert-5 ↳ s-cisco-amp-alert-10 ↳ s-estreamer-security-alert vpn-login ↳ cisco-ftd-firewall-7 vpn-logout ↳ cisco-ftd-firewall-8 web-activity-allowed ↳ sourcefire-proxy ↳ sourcefire-proxy-1 web-activity-denied ↳ sourcefire-proxy ↳ sourcefire-proxy-1	T1071.001 - Application Layer Protocol: Web Protocols T1090.003 - Proxy: Multi-hop Proxy	4 Rules 1 Models
Lateral Movement	authentication-successful ↳ meraki-firepower-active-dir ↳ cisco-ftd-722041 dns-query ↳ estreamer-dns-query dns-response ↳ s-opendns-dns-response ↳ s-opendns-dns-response-7 ↳ s-opendns-dns-response-6 ↳ s-opendns-dns-response-5 ↳ s-opendns-dns-response-4 ↳ s-opendns-dns-response-3 ↳ s-opendns-dns-response-2 ↳ s-opendns-dns-response-1 ↳ s-opendns-dns-response-10 ↳ s-opendns-dns-response-9 ↳ s-opendns-dns-response-8 ↳ cisco-dns-response ↳ firepower-dns-response nac-logon ↳ cisco-ftd-113004 netflow-connection ↳ cisco-netflow-connection-1 network-alert ↳ sourcefire-network-alert ↳ firepower-network-alert-1 ↳ firepower-network-alert ↳ sourcefire-network-alert-5 ↳ sourcefire-network-alert-4 ↳ sourcefire-network-alert-3 ↳ sourcefire-network-alert-2 ↳ sourcefire-network-alert-1 network-connection-failed ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-5 network-connection-successful ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-3 ↳ cisco-ftd-firewall-2 ↳ cisco-ftd-firewall-4 ↳ cisco-ftd-firewall-6 ↳ cisco-ftd-firewall-9 ↳ cisco-ftd-firewall-1 ↳ cisco-ftd-permit-any security-alert ↳ json-cisco-firesight-alert-1 ↳ q-firesight-alert-2 ↳ q-firesight-alert-3 ↳ sourcefire-security-alert ↳ q-firesight-alert-4 ↳ cisco-firesight-alert ↳ q-firesight-alert ↳ cef-sourcefire-estreamer-alert ↳ sourcefire-estreamer-alert-2 ↳ cisco-sourcefire-alert ↳ sourcefire-estreamer-alert ↳ s-cisco-amp-alert-8 ↳ s-cisco-amp-alert-9 ↳ s-cisco-amp-alert-2 ↳ s-cisco-amp-alert-3 ↳ s-cisco-amp-alert-11 ↳ s-cisco-amp-alert-14 ↳ s-cisco-amp-alert-1 ↳ s-cisco-amp-alert-13 ↳ s-cisco-amp-alert-6 ↳ s-cisco-amp-alert-7 ↳ s-cisco-amp-alert-15 ↳ s-cisco-amp-alert-5 ↳ s-cisco-amp-alert-10 ↳ s-estreamer-security-alert vpn-login ↳ cisco-ftd-firewall-7 vpn-logout ↳ cisco-ftd-firewall-8 web-activity-allowed ↳ sourcefire-proxy ↳ sourcefire-proxy-1 web-activity-denied ↳ sourcefire-proxy ↳ sourcefire-proxy-1	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1043 - Commonly Used Port T1046 - Network Service Scanning T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1090.002 - Proxy: External Proxy T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting T1571 - Non-Standard Port	49 Rules 23 Models
Malware	authentication-successful ↳ meraki-firepower-active-dir ↳ cisco-ftd-722041 dns-query ↳ estreamer-dns-query dns-response ↳ s-opendns-dns-response ↳ s-opendns-dns-response-7 ↳ s-opendns-dns-response-6 ↳ s-opendns-dns-response-5 ↳ s-opendns-dns-response-4 ↳ s-opendns-dns-response-3 ↳ s-opendns-dns-response-2 ↳ s-opendns-dns-response-1 ↳ s-opendns-dns-response-10 ↳ s-opendns-dns-response-9 ↳ s-opendns-dns-response-8 ↳ cisco-dns-response ↳ firepower-dns-response nac-logon ↳ cisco-ftd-113004 netflow-connection ↳ cisco-netflow-connection-1 network-alert ↳ sourcefire-network-alert ↳ firepower-network-alert-1 ↳ firepower-network-alert ↳ sourcefire-network-alert-5 ↳ sourcefire-network-alert-4 ↳ sourcefire-network-alert-3 ↳ sourcefire-network-alert-2 ↳ sourcefire-network-alert-1 network-connection-failed ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-5 network-connection-successful ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-3 ↳ cisco-ftd-firewall-2 ↳ cisco-ftd-firewall-4 ↳ cisco-ftd-firewall-6 ↳ cisco-ftd-firewall-9 ↳ cisco-ftd-firewall-1 ↳ cisco-ftd-permit-any security-alert ↳ json-cisco-firesight-alert-1 ↳ q-firesight-alert-2 ↳ q-firesight-alert-3 ↳ sourcefire-security-alert ↳ q-firesight-alert-4 ↳ cisco-firesight-alert ↳ q-firesight-alert ↳ cef-sourcefire-estreamer-alert ↳ sourcefire-estreamer-alert-2 ↳ cisco-sourcefire-alert ↳ sourcefire-estreamer-alert ↳ s-cisco-amp-alert-8 ↳ s-cisco-amp-alert-9 ↳ s-cisco-amp-alert-2 ↳ s-cisco-amp-alert-3 ↳ s-cisco-amp-alert-11 ↳ s-cisco-amp-alert-14 ↳ s-cisco-amp-alert-1 ↳ s-cisco-amp-alert-13 ↳ s-cisco-amp-alert-6 ↳ s-cisco-amp-alert-7 ↳ s-cisco-amp-alert-15 ↳ s-cisco-amp-alert-5 ↳ s-cisco-amp-alert-10 ↳ s-estreamer-security-alert vpn-login ↳ cisco-ftd-firewall-7 vpn-logout ↳ cisco-ftd-firewall-8 web-activity-allowed ↳ sourcefire-proxy ↳ sourcefire-proxy-1 web-activity-denied ↳ sourcefire-proxy ↳ sourcefire-proxy-1	T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1071.004 - Application Layer Protocol: DNS T1078 - Valid Accounts T1204 - User Execution T1550.002 - Use Alternate Authentication Material: Pass the Hash T1568.002 - Dynamic Resolution: Domain Generation Algorithms	36 Rules 10 Models
Phishing	authentication-successful ↳ meraki-firepower-active-dir ↳ cisco-ftd-722041 dns-query ↳ estreamer-dns-query dns-response ↳ s-opendns-dns-response ↳ s-opendns-dns-response-7 ↳ s-opendns-dns-response-6 ↳ s-opendns-dns-response-5 ↳ s-opendns-dns-response-4 ↳ s-opendns-dns-response-3 ↳ s-opendns-dns-response-2 ↳ s-opendns-dns-response-1 ↳ s-opendns-dns-response-10 ↳ s-opendns-dns-response-9 ↳ s-opendns-dns-response-8 ↳ cisco-dns-response ↳ firepower-dns-response nac-logon ↳ cisco-ftd-113004 netflow-connection ↳ cisco-netflow-connection-1 network-alert ↳ sourcefire-network-alert ↳ firepower-network-alert-1 ↳ firepower-network-alert ↳ sourcefire-network-alert-5 ↳ sourcefire-network-alert-4 ↳ sourcefire-network-alert-3 ↳ sourcefire-network-alert-2 ↳ sourcefire-network-alert-1 network-connection-failed ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-5 network-connection-successful ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-3 ↳ cisco-ftd-firewall-2 ↳ cisco-ftd-firewall-4 ↳ cisco-ftd-firewall-6 ↳ cisco-ftd-firewall-9 ↳ cisco-ftd-firewall-1 ↳ cisco-ftd-permit-any security-alert ↳ json-cisco-firesight-alert-1 ↳ q-firesight-alert-2 ↳ q-firesight-alert-3 ↳ sourcefire-security-alert ↳ q-firesight-alert-4 ↳ cisco-firesight-alert ↳ q-firesight-alert ↳ cef-sourcefire-estreamer-alert ↳ sourcefire-estreamer-alert-2 ↳ cisco-sourcefire-alert ↳ sourcefire-estreamer-alert ↳ s-cisco-amp-alert-8 ↳ s-cisco-amp-alert-9 ↳ s-cisco-amp-alert-2 ↳ s-cisco-amp-alert-3 ↳ s-cisco-amp-alert-11 ↳ s-cisco-amp-alert-14 ↳ s-cisco-amp-alert-1 ↳ s-cisco-amp-alert-13 ↳ s-cisco-amp-alert-6 ↳ s-cisco-amp-alert-7 ↳ s-cisco-amp-alert-15 ↳ s-cisco-amp-alert-5 ↳ s-cisco-amp-alert-10 ↳ s-estreamer-security-alert vpn-login ↳ cisco-ftd-firewall-7 vpn-logout ↳ cisco-ftd-firewall-8 web-activity-allowed ↳ sourcefire-proxy ↳ sourcefire-proxy-1 web-activity-denied ↳ sourcefire-proxy ↳ sourcefire-proxy-1	T1071.001 - Application Layer Protocol: Web Protocols T1566 - Phishing T1566.002 - Phishing: Spearphishing Link	3 Rules 2 Models
Privilege Abuse	authentication-successful ↳ meraki-firepower-active-dir ↳ cisco-ftd-722041 dns-query ↳ estreamer-dns-query dns-response ↳ s-opendns-dns-response ↳ s-opendns-dns-response-7 ↳ s-opendns-dns-response-6 ↳ s-opendns-dns-response-5 ↳ s-opendns-dns-response-4 ↳ s-opendns-dns-response-3 ↳ s-opendns-dns-response-2 ↳ s-opendns-dns-response-1 ↳ s-opendns-dns-response-10 ↳ s-opendns-dns-response-9 ↳ s-opendns-dns-response-8 ↳ cisco-dns-response ↳ firepower-dns-response nac-logon ↳ cisco-ftd-113004 netflow-connection ↳ cisco-netflow-connection-1 network-alert ↳ sourcefire-network-alert ↳ firepower-network-alert-1 ↳ firepower-network-alert ↳ sourcefire-network-alert-5 ↳ sourcefire-network-alert-4 ↳ sourcefire-network-alert-3 ↳ sourcefire-network-alert-2 ↳ sourcefire-network-alert-1 network-connection-failed ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-5 network-connection-successful ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-3 ↳ cisco-ftd-firewall-2 ↳ cisco-ftd-firewall-4 ↳ cisco-ftd-firewall-6 ↳ cisco-ftd-firewall-9 ↳ cisco-ftd-firewall-1 ↳ cisco-ftd-permit-any security-alert ↳ json-cisco-firesight-alert-1 ↳ q-firesight-alert-2 ↳ q-firesight-alert-3 ↳ sourcefire-security-alert ↳ q-firesight-alert-4 ↳ cisco-firesight-alert ↳ q-firesight-alert ↳ cef-sourcefire-estreamer-alert ↳ sourcefire-estreamer-alert-2 ↳ cisco-sourcefire-alert ↳ sourcefire-estreamer-alert ↳ s-cisco-amp-alert-8 ↳ s-cisco-amp-alert-9 ↳ s-cisco-amp-alert-2 ↳ s-cisco-amp-alert-3 ↳ s-cisco-amp-alert-11 ↳ s-cisco-amp-alert-14 ↳ s-cisco-amp-alert-1 ↳ s-cisco-amp-alert-13 ↳ s-cisco-amp-alert-6 ↳ s-cisco-amp-alert-7 ↳ s-cisco-amp-alert-15 ↳ s-cisco-amp-alert-5 ↳ s-cisco-amp-alert-10 ↳ s-estreamer-security-alert vpn-login ↳ cisco-ftd-firewall-7 vpn-logout ↳ cisco-ftd-firewall-8 web-activity-allowed ↳ sourcefire-proxy ↳ sourcefire-proxy-1 web-activity-denied ↳ sourcefire-proxy ↳ sourcefire-proxy-1	T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	1 Rules 1 Models
Privilege Escalation	authentication-successful ↳ meraki-firepower-active-dir ↳ cisco-ftd-722041 dns-query ↳ estreamer-dns-query dns-response ↳ s-opendns-dns-response ↳ s-opendns-dns-response-7 ↳ s-opendns-dns-response-6 ↳ s-opendns-dns-response-5 ↳ s-opendns-dns-response-4 ↳ s-opendns-dns-response-3 ↳ s-opendns-dns-response-2 ↳ s-opendns-dns-response-1 ↳ s-opendns-dns-response-10 ↳ s-opendns-dns-response-9 ↳ s-opendns-dns-response-8 ↳ cisco-dns-response ↳ firepower-dns-response nac-logon ↳ cisco-ftd-113004 netflow-connection ↳ cisco-netflow-connection-1 network-alert ↳ sourcefire-network-alert ↳ firepower-network-alert-1 ↳ firepower-network-alert ↳ sourcefire-network-alert-5 ↳ sourcefire-network-alert-4 ↳ sourcefire-network-alert-3 ↳ sourcefire-network-alert-2 ↳ sourcefire-network-alert-1 network-connection-failed ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-5 network-connection-successful ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-3 ↳ cisco-ftd-firewall-2 ↳ cisco-ftd-firewall-4 ↳ cisco-ftd-firewall-6 ↳ cisco-ftd-firewall-9 ↳ cisco-ftd-firewall-1 ↳ cisco-ftd-permit-any security-alert ↳ json-cisco-firesight-alert-1 ↳ q-firesight-alert-2 ↳ q-firesight-alert-3 ↳ sourcefire-security-alert ↳ q-firesight-alert-4 ↳ cisco-firesight-alert ↳ q-firesight-alert ↳ cef-sourcefire-estreamer-alert ↳ sourcefire-estreamer-alert-2 ↳ cisco-sourcefire-alert ↳ sourcefire-estreamer-alert ↳ s-cisco-amp-alert-8 ↳ s-cisco-amp-alert-9 ↳ s-cisco-amp-alert-2 ↳ s-cisco-amp-alert-3 ↳ s-cisco-amp-alert-11 ↳ s-cisco-amp-alert-14 ↳ s-cisco-amp-alert-1 ↳ s-cisco-amp-alert-13 ↳ s-cisco-amp-alert-6 ↳ s-cisco-amp-alert-7 ↳ s-cisco-amp-alert-15 ↳ s-cisco-amp-alert-5 ↳ s-cisco-amp-alert-10 ↳ s-estreamer-security-alert vpn-login ↳ cisco-ftd-firewall-7 vpn-logout ↳ cisco-ftd-firewall-8 web-activity-allowed ↳ sourcefire-proxy ↳ sourcefire-proxy-1 web-activity-denied ↳ sourcefire-proxy ↳ sourcefire-proxy-1	T1003 - OS Credential Dumping T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	5 Rules 5 Models
Privileged Activity	authentication-successful ↳ meraki-firepower-active-dir ↳ cisco-ftd-722041 dns-query ↳ estreamer-dns-query dns-response ↳ s-opendns-dns-response ↳ s-opendns-dns-response-7 ↳ s-opendns-dns-response-6 ↳ s-opendns-dns-response-5 ↳ s-opendns-dns-response-4 ↳ s-opendns-dns-response-3 ↳ s-opendns-dns-response-2 ↳ s-opendns-dns-response-1 ↳ s-opendns-dns-response-10 ↳ s-opendns-dns-response-9 ↳ s-opendns-dns-response-8 ↳ cisco-dns-response ↳ firepower-dns-response nac-logon ↳ cisco-ftd-113004 netflow-connection ↳ cisco-netflow-connection-1 network-alert ↳ sourcefire-network-alert ↳ firepower-network-alert-1 ↳ firepower-network-alert ↳ sourcefire-network-alert-5 ↳ sourcefire-network-alert-4 ↳ sourcefire-network-alert-3 ↳ sourcefire-network-alert-2 ↳ sourcefire-network-alert-1 network-connection-failed ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-5 network-connection-successful ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-3 ↳ cisco-ftd-firewall-2 ↳ cisco-ftd-firewall-4 ↳ cisco-ftd-firewall-6 ↳ cisco-ftd-firewall-9 ↳ cisco-ftd-firewall-1 ↳ cisco-ftd-permit-any security-alert ↳ json-cisco-firesight-alert-1 ↳ q-firesight-alert-2 ↳ q-firesight-alert-3 ↳ sourcefire-security-alert ↳ q-firesight-alert-4 ↳ cisco-firesight-alert ↳ q-firesight-alert ↳ cef-sourcefire-estreamer-alert ↳ sourcefire-estreamer-alert-2 ↳ cisco-sourcefire-alert ↳ sourcefire-estreamer-alert ↳ s-cisco-amp-alert-8 ↳ s-cisco-amp-alert-9 ↳ s-cisco-amp-alert-2 ↳ s-cisco-amp-alert-3 ↳ s-cisco-amp-alert-11 ↳ s-cisco-amp-alert-14 ↳ s-cisco-amp-alert-1 ↳ s-cisco-amp-alert-13 ↳ s-cisco-amp-alert-6 ↳ s-cisco-amp-alert-7 ↳ s-cisco-amp-alert-15 ↳ s-cisco-amp-alert-5 ↳ s-cisco-amp-alert-10 ↳ s-estreamer-security-alert vpn-login ↳ cisco-ftd-firewall-7 vpn-logout ↳ cisco-ftd-firewall-8 web-activity-allowed ↳ sourcefire-proxy ↳ sourcefire-proxy-1 web-activity-denied ↳ sourcefire-proxy ↳ sourcefire-proxy-1	T1068 - Exploitation for Privilege Escalation T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service	3 Rules 1 Models
Ransomware	authentication-successful ↳ meraki-firepower-active-dir ↳ cisco-ftd-722041 dns-query ↳ estreamer-dns-query dns-response ↳ s-opendns-dns-response ↳ s-opendns-dns-response-7 ↳ s-opendns-dns-response-6 ↳ s-opendns-dns-response-5 ↳ s-opendns-dns-response-4 ↳ s-opendns-dns-response-3 ↳ s-opendns-dns-response-2 ↳ s-opendns-dns-response-1 ↳ s-opendns-dns-response-10 ↳ s-opendns-dns-response-9 ↳ s-opendns-dns-response-8 ↳ cisco-dns-response ↳ firepower-dns-response nac-logon ↳ cisco-ftd-113004 netflow-connection ↳ cisco-netflow-connection-1 network-alert ↳ sourcefire-network-alert ↳ firepower-network-alert-1 ↳ firepower-network-alert ↳ sourcefire-network-alert-5 ↳ sourcefire-network-alert-4 ↳ sourcefire-network-alert-3 ↳ sourcefire-network-alert-2 ↳ sourcefire-network-alert-1 network-connection-failed ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-5 network-connection-successful ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-3 ↳ cisco-ftd-firewall-2 ↳ cisco-ftd-firewall-4 ↳ cisco-ftd-firewall-6 ↳ cisco-ftd-firewall-9 ↳ cisco-ftd-firewall-1 ↳ cisco-ftd-permit-any security-alert ↳ json-cisco-firesight-alert-1 ↳ q-firesight-alert-2 ↳ q-firesight-alert-3 ↳ sourcefire-security-alert ↳ q-firesight-alert-4 ↳ cisco-firesight-alert ↳ q-firesight-alert ↳ cef-sourcefire-estreamer-alert ↳ sourcefire-estreamer-alert-2 ↳ cisco-sourcefire-alert ↳ sourcefire-estreamer-alert ↳ s-cisco-amp-alert-8 ↳ s-cisco-amp-alert-9 ↳ s-cisco-amp-alert-2 ↳ s-cisco-amp-alert-3 ↳ s-cisco-amp-alert-11 ↳ s-cisco-amp-alert-14 ↳ s-cisco-amp-alert-1 ↳ s-cisco-amp-alert-13 ↳ s-cisco-amp-alert-6 ↳ s-cisco-amp-alert-7 ↳ s-cisco-amp-alert-15 ↳ s-cisco-amp-alert-5 ↳ s-cisco-amp-alert-10 ↳ s-estreamer-security-alert vpn-login ↳ cisco-ftd-firewall-7 vpn-logout ↳ cisco-ftd-firewall-8 web-activity-allowed ↳ sourcefire-proxy ↳ sourcefire-proxy-1 web-activity-denied ↳ sourcefire-proxy ↳ sourcefire-proxy-1	T1071 - Application Layer Protocol T1078 - Valid Accounts	4 Rules
Workforce Protection	authentication-successful ↳ meraki-firepower-active-dir ↳ cisco-ftd-722041 dns-query ↳ estreamer-dns-query dns-response ↳ s-opendns-dns-response ↳ s-opendns-dns-response-7 ↳ s-opendns-dns-response-6 ↳ s-opendns-dns-response-5 ↳ s-opendns-dns-response-4 ↳ s-opendns-dns-response-3 ↳ s-opendns-dns-response-2 ↳ s-opendns-dns-response-1 ↳ s-opendns-dns-response-10 ↳ s-opendns-dns-response-9 ↳ s-opendns-dns-response-8 ↳ cisco-dns-response ↳ firepower-dns-response nac-logon ↳ cisco-ftd-113004 netflow-connection ↳ cisco-netflow-connection-1 network-alert ↳ sourcefire-network-alert ↳ firepower-network-alert-1 ↳ firepower-network-alert ↳ sourcefire-network-alert-5 ↳ sourcefire-network-alert-4 ↳ sourcefire-network-alert-3 ↳ sourcefire-network-alert-2 ↳ sourcefire-network-alert-1 network-connection-failed ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-5 network-connection-successful ↳ s-estreamer-network-connection-1 ↳ s-estreamer-network-connection-2 ↳ s-estreamer-network-connection ↳ cisco-ftd-firewall-3 ↳ cisco-ftd-firewall-2 ↳ cisco-ftd-firewall-4 ↳ cisco-ftd-firewall-6 ↳ cisco-ftd-firewall-9 ↳ cisco-ftd-firewall-1 ↳ cisco-ftd-permit-any security-alert ↳ json-cisco-firesight-alert-1 ↳ q-firesight-alert-2 ↳ q-firesight-alert-3 ↳ sourcefire-security-alert ↳ q-firesight-alert-4 ↳ cisco-firesight-alert ↳ q-firesight-alert ↳ cef-sourcefire-estreamer-alert ↳ sourcefire-estreamer-alert-2 ↳ cisco-sourcefire-alert ↳ sourcefire-estreamer-alert ↳ s-cisco-amp-alert-8 ↳ s-cisco-amp-alert-9 ↳ s-cisco-amp-alert-2 ↳ s-cisco-amp-alert-3 ↳ s-cisco-amp-alert-11 ↳ s-cisco-amp-alert-14 ↳ s-cisco-amp-alert-1 ↳ s-cisco-amp-alert-13 ↳ s-cisco-amp-alert-6 ↳ s-cisco-amp-alert-7 ↳ s-cisco-amp-alert-15 ↳ s-cisco-amp-alert-5 ↳ s-cisco-amp-alert-10 ↳ s-estreamer-security-alert vpn-login ↳ cisco-ftd-firewall-7 vpn-logout ↳ cisco-ftd-firewall-8 web-activity-allowed ↳ sourcefire-proxy ↳ sourcefire-proxy-1 web-activity-denied ↳ sourcefire-proxy ↳ sourcefire-proxy-1	T1071.001 - Application Layer Protocol: Web Protocols	3 Rules 2 Models

ATT&CK Matrix for Enterprise

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Phishing: Spearphishing Link External Remote Services Valid Accounts Phishing	Command and Scripting Interperter User Execution Command and Scripting Interperter: PowerShell	External Remote Services Valid Accounts Account Manipulation Account Manipulation: Exchange Email Delegate Permissions	Valid Accounts Exploitation for Privilege Escalation	Obfuscated Files or Information: Indicator Removal from Tools Valid Accounts Use Alternate Authentication Material Use Alternate Authentication Material: Pass the Hash Obfuscated Files or Information	OS Credential Dumping Brute Force Steal or Forge Kerberos Tickets Steal or Forge Kerberos Tickets: Kerberoasting	Network Service Scanning	Remote Services Use Alternate Authentication Material		Web Service Non-Standard Port Commonly Used Port Application Layer Protocol: DNS Application Layer Protocol: File Transfer Protocols Application Layer Protocol: Web Protocols Dynamic Resolution Dynamic Resolution: Domain Generation Algorithms Proxy: Multi-hop Proxy Proxy: External Proxy Application Layer Protocol Proxy	Exfiltration Over Alternative Protocol Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Exfiltration Over Physical Medium: Exfiltration over USB Data Transfer Size Limits Exfiltration Over Physical Medium Exfiltration Over Web Service: Exfiltration to Cloud Storage Exfiltration Over Web Service	Resource Hijacking