Vendor: Fidelis
July 25, 2023 · View on GitHub
Product: Fidelis XPS
| Rules | Models | MITRE TTPs | Event Types | Parsers |
|---|---|---|---|---|
| 59 | 26 | 8 | 3 | 3 |
| Use-Case | Event Types/Parsers | MITRE TTP | Content |
|---|---|---|---|
| Compromised Credentials | dlp-email-alert-in ↳ fidelis-email-alert dlp-email-alert-out ↳ fidelis-email-alert security-alert ↳ n-forwarded-cef-fidelis-alert ↳ fidelis-leef-alert | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1059.001 - Command and Scripting Interperter: PowerShell T1078 - Valid Accounts |
|
| Data Leak | dlp-email-alert-in ↳ fidelis-email-alert dlp-email-alert-out ↳ fidelis-email-alert security-alert ↳ n-forwarded-cef-fidelis-alert ↳ fidelis-leef-alert | T1020 - Automated Exfiltration T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
|
| Lateral Movement | dlp-email-alert-in ↳ fidelis-email-alert dlp-email-alert-out ↳ fidelis-email-alert security-alert ↳ n-forwarded-cef-fidelis-alert ↳ fidelis-leef-alert | T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools |
|
| Malware | dlp-email-alert-in ↳ fidelis-email-alert dlp-email-alert-out ↳ fidelis-email-alert security-alert ↳ n-forwarded-cef-fidelis-alert ↳ fidelis-leef-alert | T1078 - Valid Accounts T1204 - User Execution |
|
| Phishing | dlp-email-alert-in ↳ fidelis-email-alert dlp-email-alert-out ↳ fidelis-email-alert security-alert ↳ n-forwarded-cef-fidelis-alert ↳ fidelis-leef-alert | T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
|
| Privilege Abuse | dlp-email-alert-in ↳ fidelis-email-alert dlp-email-alert-out ↳ fidelis-email-alert security-alert ↳ n-forwarded-cef-fidelis-alert ↳ fidelis-leef-alert | T1078 - Valid Accounts |
|
| Privileged Activity | dlp-email-alert-in ↳ fidelis-email-alert dlp-email-alert-out ↳ fidelis-email-alert security-alert ↳ n-forwarded-cef-fidelis-alert ↳ fidelis-leef-alert | T1068 - Exploitation for Privilege Escalation T1078 - Valid Accounts |
|
| Workforce Protection | dlp-email-alert-in ↳ fidelis-email-alert dlp-email-alert-out ↳ fidelis-email-alert security-alert ↳ n-forwarded-cef-fidelis-alert ↳ fidelis-leef-alert | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
|
ATT&CK Matrix for Enterprise
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Valid Accounts | Command and Scripting Interperter User Execution Command and Scripting Interperter: PowerShell | Valid Accounts | Valid Accounts Exploitation for Privilege Escalation | Obfuscated Files or Information: Indicator Removal from Tools Valid Accounts Obfuscated Files or Information | Exfiltration Over Alternative Protocol Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Automated Exfiltration |