Vendor: Slack

July 25, 2023 · View on GitHub

Product: Epic SIEM

Rules	Models	MITRE TTPs	Event Types	Parsers
68	32	11	4	4

Use-Case	Event Types/Parsers	MITRE TTP	Content
Account Manipulation	app-activity ↳ cef-epic-app-activity-11 ↳ cef-epic-app-activity-10 ↳ cef-epic-app-activity-12 ↳ cef-epic-app-activity-5 ↳ cef-epic-app-activity-6 ↳ cef-epic-app-activity-3 ↳ cef-epic-app-activity-4 ↳ cef-epic-app-activity-9 ↳ cef-epic-app-activity-7 ↳ cef-epic-app-activity-8 ↳ cef-epic-app-activity-1 ↳ cef-epic-app-activity-2 failed-physical-access ↳ rs2-badge-failed-physical-access-1 ↳ rs2-badge-failed-physical-access-2 file-delete ↳ cimtrak-file-delete file-write ↳ cimtrak-file-write-1 ↳ cimtrak-file-write-2 physical-access ↳ rs2-badge-physical-access-2 ↳ rs2-badge-physical-access-1	T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	3 Rules 1 Models
Compromised Credentials	app-activity ↳ cef-epic-app-activity-11 ↳ cef-epic-app-activity-10 ↳ cef-epic-app-activity-12 ↳ cef-epic-app-activity-5 ↳ cef-epic-app-activity-6 ↳ cef-epic-app-activity-3 ↳ cef-epic-app-activity-4 ↳ cef-epic-app-activity-9 ↳ cef-epic-app-activity-7 ↳ cef-epic-app-activity-8 ↳ cef-epic-app-activity-1 ↳ cef-epic-app-activity-2 failed-physical-access ↳ rs2-badge-failed-physical-access-1 ↳ rs2-badge-failed-physical-access-2 file-delete ↳ cimtrak-file-delete file-write ↳ cimtrak-file-write-1 ↳ cimtrak-file-write-2 physical-access ↳ rs2-badge-physical-access-2 ↳ rs2-badge-physical-access-1	T1003.003 - T1003.003 T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services	47 Rules 26 Models
Data Access	app-activity ↳ cef-epic-app-activity-11 ↳ cef-epic-app-activity-10 ↳ cef-epic-app-activity-12 ↳ cef-epic-app-activity-5 ↳ cef-epic-app-activity-6 ↳ cef-epic-app-activity-3 ↳ cef-epic-app-activity-4 ↳ cef-epic-app-activity-9 ↳ cef-epic-app-activity-7 ↳ cef-epic-app-activity-8 ↳ cef-epic-app-activity-1 ↳ cef-epic-app-activity-2 failed-physical-access ↳ rs2-badge-failed-physical-access-1 ↳ rs2-badge-failed-physical-access-2 file-delete ↳ cimtrak-file-delete file-write ↳ cimtrak-file-write-1 ↳ cimtrak-file-write-2 physical-access ↳ rs2-badge-physical-access-2 ↳ rs2-badge-physical-access-1	T1078 - Valid Accounts T1083 - File and Directory Discovery	29 Rules 18 Models
Data Exfiltration	app-activity ↳ cef-epic-app-activity-11 ↳ cef-epic-app-activity-10 ↳ cef-epic-app-activity-12 ↳ cef-epic-app-activity-5 ↳ cef-epic-app-activity-6 ↳ cef-epic-app-activity-3 ↳ cef-epic-app-activity-4 ↳ cef-epic-app-activity-9 ↳ cef-epic-app-activity-7 ↳ cef-epic-app-activity-8 ↳ cef-epic-app-activity-1 ↳ cef-epic-app-activity-2 failed-physical-access ↳ rs2-badge-failed-physical-access-1 ↳ rs2-badge-failed-physical-access-2 file-delete ↳ cimtrak-file-delete file-write ↳ cimtrak-file-write-1 ↳ cimtrak-file-write-2 physical-access ↳ rs2-badge-physical-access-2 ↳ rs2-badge-physical-access-1	T1204 - User Execution	2 Rules 1 Models
Data Leak	app-activity ↳ cef-epic-app-activity-11 ↳ cef-epic-app-activity-10 ↳ cef-epic-app-activity-12 ↳ cef-epic-app-activity-5 ↳ cef-epic-app-activity-6 ↳ cef-epic-app-activity-3 ↳ cef-epic-app-activity-4 ↳ cef-epic-app-activity-9 ↳ cef-epic-app-activity-7 ↳ cef-epic-app-activity-8 ↳ cef-epic-app-activity-1 ↳ cef-epic-app-activity-2 failed-physical-access ↳ rs2-badge-failed-physical-access-1 ↳ rs2-badge-failed-physical-access-2 file-delete ↳ cimtrak-file-delete file-write ↳ cimtrak-file-write-1 ↳ cimtrak-file-write-2 physical-access ↳ rs2-badge-physical-access-2 ↳ rs2-badge-physical-access-1	T1114.003 - Email Collection: Email Forwarding Rule	2 Rules
Evasion	app-activity ↳ cef-epic-app-activity-11 ↳ cef-epic-app-activity-10 ↳ cef-epic-app-activity-12 ↳ cef-epic-app-activity-5 ↳ cef-epic-app-activity-6 ↳ cef-epic-app-activity-3 ↳ cef-epic-app-activity-4 ↳ cef-epic-app-activity-9 ↳ cef-epic-app-activity-7 ↳ cef-epic-app-activity-8 ↳ cef-epic-app-activity-1 ↳ cef-epic-app-activity-2 failed-physical-access ↳ rs2-badge-failed-physical-access-1 ↳ rs2-badge-failed-physical-access-2 file-delete ↳ cimtrak-file-delete file-write ↳ cimtrak-file-write-1 ↳ cimtrak-file-write-2 physical-access ↳ rs2-badge-physical-access-2 ↳ rs2-badge-physical-access-1	T1090.003 - Proxy: Multi-hop Proxy	1 Rules
Malware	app-activity ↳ cef-epic-app-activity-11 ↳ cef-epic-app-activity-10 ↳ cef-epic-app-activity-12 ↳ cef-epic-app-activity-5 ↳ cef-epic-app-activity-6 ↳ cef-epic-app-activity-3 ↳ cef-epic-app-activity-4 ↳ cef-epic-app-activity-9 ↳ cef-epic-app-activity-7 ↳ cef-epic-app-activity-8 ↳ cef-epic-app-activity-1 ↳ cef-epic-app-activity-2 failed-physical-access ↳ rs2-badge-failed-physical-access-1 ↳ rs2-badge-failed-physical-access-2 file-delete ↳ cimtrak-file-delete file-write ↳ cimtrak-file-write-1 ↳ cimtrak-file-write-2 physical-access ↳ rs2-badge-physical-access-2 ↳ rs2-badge-physical-access-1	T1003.002 - T1003.002 T1027 - Obfuscated Files or Information T1078 - Valid Accounts T1085 - Signed Binary Proxy Execution: Rundll32 T1204 - User Execution	7 Rules 2 Models
Physical Security	app-activity ↳ cef-epic-app-activity-11 ↳ cef-epic-app-activity-10 ↳ cef-epic-app-activity-12 ↳ cef-epic-app-activity-5 ↳ cef-epic-app-activity-6 ↳ cef-epic-app-activity-3 ↳ cef-epic-app-activity-4 ↳ cef-epic-app-activity-9 ↳ cef-epic-app-activity-7 ↳ cef-epic-app-activity-8 ↳ cef-epic-app-activity-1 ↳ cef-epic-app-activity-2 failed-physical-access ↳ rs2-badge-failed-physical-access-1 ↳ rs2-badge-failed-physical-access-2 file-delete ↳ cimtrak-file-delete file-write ↳ cimtrak-file-write-1 ↳ cimtrak-file-write-2 physical-access ↳ rs2-badge-physical-access-2 ↳ rs2-badge-physical-access-1	T1078 - Valid Accounts	1 Rules
Privilege Abuse	app-activity ↳ cef-epic-app-activity-11 ↳ cef-epic-app-activity-10 ↳ cef-epic-app-activity-12 ↳ cef-epic-app-activity-5 ↳ cef-epic-app-activity-6 ↳ cef-epic-app-activity-3 ↳ cef-epic-app-activity-4 ↳ cef-epic-app-activity-9 ↳ cef-epic-app-activity-7 ↳ cef-epic-app-activity-8 ↳ cef-epic-app-activity-1 ↳ cef-epic-app-activity-2 failed-physical-access ↳ rs2-badge-failed-physical-access-1 ↳ rs2-badge-failed-physical-access-2 file-delete ↳ cimtrak-file-delete file-write ↳ cimtrak-file-write-1 ↳ cimtrak-file-write-2 physical-access ↳ rs2-badge-physical-access-2 ↳ rs2-badge-physical-access-1	T1078 - Valid Accounts T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	6 Rules 1 Models
Privilege Escalation	app-activity ↳ cef-epic-app-activity-11 ↳ cef-epic-app-activity-10 ↳ cef-epic-app-activity-12 ↳ cef-epic-app-activity-5 ↳ cef-epic-app-activity-6 ↳ cef-epic-app-activity-3 ↳ cef-epic-app-activity-4 ↳ cef-epic-app-activity-9 ↳ cef-epic-app-activity-7 ↳ cef-epic-app-activity-8 ↳ cef-epic-app-activity-1 ↳ cef-epic-app-activity-2 failed-physical-access ↳ rs2-badge-failed-physical-access-1 ↳ rs2-badge-failed-physical-access-2 file-delete ↳ cimtrak-file-delete file-write ↳ cimtrak-file-write-1 ↳ cimtrak-file-write-2 physical-access ↳ rs2-badge-physical-access-2 ↳ rs2-badge-physical-access-1	T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	3 Rules 1 Models
Privileged Activity	app-activity ↳ cef-epic-app-activity-11 ↳ cef-epic-app-activity-10 ↳ cef-epic-app-activity-12 ↳ cef-epic-app-activity-5 ↳ cef-epic-app-activity-6 ↳ cef-epic-app-activity-3 ↳ cef-epic-app-activity-4 ↳ cef-epic-app-activity-9 ↳ cef-epic-app-activity-7 ↳ cef-epic-app-activity-8 ↳ cef-epic-app-activity-1 ↳ cef-epic-app-activity-2 failed-physical-access ↳ rs2-badge-failed-physical-access-1 ↳ rs2-badge-failed-physical-access-2 file-delete ↳ cimtrak-file-delete file-write ↳ cimtrak-file-write-1 ↳ cimtrak-file-write-2 physical-access ↳ rs2-badge-physical-access-2 ↳ rs2-badge-physical-access-1	T1078 - Valid Accounts T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	5 Rules 2 Models
Ransomware	app-activity ↳ cef-epic-app-activity-11 ↳ cef-epic-app-activity-10 ↳ cef-epic-app-activity-12 ↳ cef-epic-app-activity-5 ↳ cef-epic-app-activity-6 ↳ cef-epic-app-activity-3 ↳ cef-epic-app-activity-4 ↳ cef-epic-app-activity-9 ↳ cef-epic-app-activity-7 ↳ cef-epic-app-activity-8 ↳ cef-epic-app-activity-1 ↳ cef-epic-app-activity-2 failed-physical-access ↳ rs2-badge-failed-physical-access-1 ↳ rs2-badge-failed-physical-access-2 file-delete ↳ cimtrak-file-delete file-write ↳ cimtrak-file-write-1 ↳ cimtrak-file-write-2 physical-access ↳ rs2-badge-physical-access-2 ↳ rs2-badge-physical-access-1	T1078 - Valid Accounts	1 Rules

ATT&CK Matrix for Enterprise

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
External Remote Services Valid Accounts	User Execution	External Remote Services Valid Accounts Account Manipulation Account Manipulation: Exchange Email Delegate Permissions	Valid Accounts	Signed Binary Proxy Execution: Rundll32 Valid Accounts Obfuscated Files or Information	OS Credential Dumping	File and Directory Discovery		Email Collection Email Collection: Email Forwarding Rule	Proxy: Multi-hop Proxy Proxy