Vendor: Symantec

July 25, 2023 · View on GitHub

Product: Symantec DLP

Rules	Models	MITRE TTPs	Event Types	Parsers
130	59	17	16	16

Use-Case	Event Types/Parsers	MITRE TTP	Content
Account Manipulation	config-change ↳ symantec-account-config-change ↳ symantec-primary-group-changed ↳ symantec-group-member-changed dlp-alert ↳ symantec-usb-activity ↳ vontu-email-dlp-1 ↳ symantec-dlp-alert-1 ↳ s-symantec-dlp-alert-1 ↳ symantec-dlp-alert ↳ symantec-message-alert ↳ syslog-symantec-dlp-alert-6 ↳ syslog-symantec-dlp-alert-7 ↳ vontu-dlp ↳ cef-symantec-dlp-alert ↳ cef-vontu-dlp-alert ↳ s-vontu-dlp-alert ↳ cef-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-symantec-dlp-alert-2 ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ q-symantec-dlp-alert ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ cef-vontu-dlp-alert-2 ↳ cef-vontu-dlp-alert-3 ↳ symantec-dlp-cit-alert ↳ q-symantec-dlp-alert-1 ↳ s-vontu-email-dlp ↳ r-syslog-vontu-dlp ↳ syslog-vontu-dlp-alert ↳ r-syslog-vontu-dlp-1 dlp-email-alert-in ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-in ↳ symantec-dlp-email-alert-in dlp-email-alert-in-failed ↳ s-symantec-dlp-email-alert dlp-email-alert-out ↳ syslog-symantec-dlp-alert-7 ↳ syslog-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ symantec-email-alert-out ↳ syslog-vontu-dlp-alert ↳ q-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ r-syslog-vontu-dlp-1 ↳ q-symantec-dlp-alert ↳ q-symantec-dlp-email-out ↳ vontu-email-dlp ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-out dlp-email-alert-out-failed ↳ q-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ vontu-email-dlp ↳ q-dlp-alert ↳ symantec-email-alert-out ↳ s-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ r-syslog-vontu-dlp-1 ↳ s-symantec-dlp-email-alert failed-logon ↳ symantec-account-switch-failed failed-usb-activity ↳ symantec-usb-block member-added ↳ symantec-group-created ↳ symantec-account-member-added member-removed ↳ symantec-group-member-deleted ↳ symantec-account-member-removed network-alert ↳ s-symantec-network-alert process-alert ↳ s-symantec-process-alert security-alert ↳ symantec-security-alert ↳ s-symantec-security-alert-2 ↳ s-symantec-security-alert-1 ↳ s-symantec-security-alert ↳ cef-symantec-sep-alert-2 ↳ cef-symantec-sep-alert-3 ↳ cef-symantec-sep-alert-4 ↳ symantec-alert-jp-2 usb-activity ↳ symantec-usb-delete-1 usb-insert ↳ symantec-usb-insert ↳ symantec-usb-insert-1 usb-read ↳ symantec-usb-read ↳ symantec-usb-read-1 usb-write ↳ symantec-usb-write-2 ↳ syslog-symantec-usb-write ↳ symantec-usb-delete ↳ symantec-usb-write-1 ↳ symantec-usb-write ↳ symantec-usb-activity	T1098 - Account Manipulation	9 Rules 7 Models
Brute Force Attack	config-change ↳ symantec-account-config-change ↳ symantec-primary-group-changed ↳ symantec-group-member-changed dlp-alert ↳ symantec-usb-activity ↳ vontu-email-dlp-1 ↳ symantec-dlp-alert-1 ↳ s-symantec-dlp-alert-1 ↳ symantec-dlp-alert ↳ symantec-message-alert ↳ syslog-symantec-dlp-alert-6 ↳ syslog-symantec-dlp-alert-7 ↳ vontu-dlp ↳ cef-symantec-dlp-alert ↳ cef-vontu-dlp-alert ↳ s-vontu-dlp-alert ↳ cef-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-symantec-dlp-alert-2 ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ q-symantec-dlp-alert ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ cef-vontu-dlp-alert-2 ↳ cef-vontu-dlp-alert-3 ↳ symantec-dlp-cit-alert ↳ q-symantec-dlp-alert-1 ↳ s-vontu-email-dlp ↳ r-syslog-vontu-dlp ↳ syslog-vontu-dlp-alert ↳ r-syslog-vontu-dlp-1 dlp-email-alert-in ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-in ↳ symantec-dlp-email-alert-in dlp-email-alert-in-failed ↳ s-symantec-dlp-email-alert dlp-email-alert-out ↳ syslog-symantec-dlp-alert-7 ↳ syslog-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ symantec-email-alert-out ↳ syslog-vontu-dlp-alert ↳ q-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ r-syslog-vontu-dlp-1 ↳ q-symantec-dlp-alert ↳ q-symantec-dlp-email-out ↳ vontu-email-dlp ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-out dlp-email-alert-out-failed ↳ q-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ vontu-email-dlp ↳ q-dlp-alert ↳ symantec-email-alert-out ↳ s-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ r-syslog-vontu-dlp-1 ↳ s-symantec-dlp-email-alert failed-logon ↳ symantec-account-switch-failed failed-usb-activity ↳ symantec-usb-block member-added ↳ symantec-group-created ↳ symantec-account-member-added member-removed ↳ symantec-group-member-deleted ↳ symantec-account-member-removed network-alert ↳ s-symantec-network-alert process-alert ↳ s-symantec-process-alert security-alert ↳ symantec-security-alert ↳ s-symantec-security-alert-2 ↳ s-symantec-security-alert-1 ↳ s-symantec-security-alert ↳ cef-symantec-sep-alert-2 ↳ cef-symantec-sep-alert-3 ↳ cef-symantec-sep-alert-4 ↳ symantec-alert-jp-2 usb-activity ↳ symantec-usb-delete-1 usb-insert ↳ symantec-usb-insert ↳ symantec-usb-insert-1 usb-read ↳ symantec-usb-read ↳ symantec-usb-read-1 usb-write ↳ symantec-usb-write-2 ↳ syslog-symantec-usb-write ↳ symantec-usb-delete ↳ symantec-usb-write-1 ↳ symantec-usb-write ↳ symantec-usb-activity	T1021.001 - Remote Services: Remote Desktop Protocol T1110 - Brute Force	5 Rules
Compromised Credentials	config-change ↳ symantec-account-config-change ↳ symantec-primary-group-changed ↳ symantec-group-member-changed dlp-alert ↳ symantec-usb-activity ↳ vontu-email-dlp-1 ↳ symantec-dlp-alert-1 ↳ s-symantec-dlp-alert-1 ↳ symantec-dlp-alert ↳ symantec-message-alert ↳ syslog-symantec-dlp-alert-6 ↳ syslog-symantec-dlp-alert-7 ↳ vontu-dlp ↳ cef-symantec-dlp-alert ↳ cef-vontu-dlp-alert ↳ s-vontu-dlp-alert ↳ cef-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-symantec-dlp-alert-2 ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ q-symantec-dlp-alert ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ cef-vontu-dlp-alert-2 ↳ cef-vontu-dlp-alert-3 ↳ symantec-dlp-cit-alert ↳ q-symantec-dlp-alert-1 ↳ s-vontu-email-dlp ↳ r-syslog-vontu-dlp ↳ syslog-vontu-dlp-alert ↳ r-syslog-vontu-dlp-1 dlp-email-alert-in ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-in ↳ symantec-dlp-email-alert-in dlp-email-alert-in-failed ↳ s-symantec-dlp-email-alert dlp-email-alert-out ↳ syslog-symantec-dlp-alert-7 ↳ syslog-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ symantec-email-alert-out ↳ syslog-vontu-dlp-alert ↳ q-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ r-syslog-vontu-dlp-1 ↳ q-symantec-dlp-alert ↳ q-symantec-dlp-email-out ↳ vontu-email-dlp ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-out dlp-email-alert-out-failed ↳ q-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ vontu-email-dlp ↳ q-dlp-alert ↳ symantec-email-alert-out ↳ s-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ r-syslog-vontu-dlp-1 ↳ s-symantec-dlp-email-alert failed-logon ↳ symantec-account-switch-failed failed-usb-activity ↳ symantec-usb-block member-added ↳ symantec-group-created ↳ symantec-account-member-added member-removed ↳ symantec-group-member-deleted ↳ symantec-account-member-removed network-alert ↳ s-symantec-network-alert process-alert ↳ s-symantec-process-alert security-alert ↳ symantec-security-alert ↳ s-symantec-security-alert-2 ↳ s-symantec-security-alert-1 ↳ s-symantec-security-alert ↳ cef-symantec-sep-alert-2 ↳ cef-symantec-sep-alert-3 ↳ cef-symantec-sep-alert-4 ↳ symantec-alert-jp-2 usb-activity ↳ symantec-usb-delete-1 usb-insert ↳ symantec-usb-insert ↳ symantec-usb-insert-1 usb-read ↳ symantec-usb-read ↳ symantec-usb-read-1 usb-write ↳ symantec-usb-write-2 ↳ syslog-symantec-usb-write ↳ symantec-usb-delete ↳ symantec-usb-write-1 ↳ symantec-usb-write ↳ symantec-usb-activity	T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1059.001 - Command and Scripting Interperter: PowerShell T1078 - Valid Accounts T1110 - Brute Force	34 Rules 15 Models
Data Exfiltration	config-change ↳ symantec-account-config-change ↳ symantec-primary-group-changed ↳ symantec-group-member-changed dlp-alert ↳ symantec-usb-activity ↳ vontu-email-dlp-1 ↳ symantec-dlp-alert-1 ↳ s-symantec-dlp-alert-1 ↳ symantec-dlp-alert ↳ symantec-message-alert ↳ syslog-symantec-dlp-alert-6 ↳ syslog-symantec-dlp-alert-7 ↳ vontu-dlp ↳ cef-symantec-dlp-alert ↳ cef-vontu-dlp-alert ↳ s-vontu-dlp-alert ↳ cef-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-symantec-dlp-alert-2 ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ q-symantec-dlp-alert ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ cef-vontu-dlp-alert-2 ↳ cef-vontu-dlp-alert-3 ↳ symantec-dlp-cit-alert ↳ q-symantec-dlp-alert-1 ↳ s-vontu-email-dlp ↳ r-syslog-vontu-dlp ↳ syslog-vontu-dlp-alert ↳ r-syslog-vontu-dlp-1 dlp-email-alert-in ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-in ↳ symantec-dlp-email-alert-in dlp-email-alert-in-failed ↳ s-symantec-dlp-email-alert dlp-email-alert-out ↳ syslog-symantec-dlp-alert-7 ↳ syslog-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ symantec-email-alert-out ↳ syslog-vontu-dlp-alert ↳ q-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ r-syslog-vontu-dlp-1 ↳ q-symantec-dlp-alert ↳ q-symantec-dlp-email-out ↳ vontu-email-dlp ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-out dlp-email-alert-out-failed ↳ q-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ vontu-email-dlp ↳ q-dlp-alert ↳ symantec-email-alert-out ↳ s-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ r-syslog-vontu-dlp-1 ↳ s-symantec-dlp-email-alert failed-logon ↳ symantec-account-switch-failed failed-usb-activity ↳ symantec-usb-block member-added ↳ symantec-group-created ↳ symantec-account-member-added member-removed ↳ symantec-group-member-deleted ↳ symantec-account-member-removed network-alert ↳ s-symantec-network-alert process-alert ↳ s-symantec-process-alert security-alert ↳ symantec-security-alert ↳ s-symantec-security-alert-2 ↳ s-symantec-security-alert-1 ↳ s-symantec-security-alert ↳ cef-symantec-sep-alert-2 ↳ cef-symantec-sep-alert-3 ↳ cef-symantec-sep-alert-4 ↳ symantec-alert-jp-2 usb-activity ↳ symantec-usb-delete-1 usb-insert ↳ symantec-usb-insert ↳ symantec-usb-insert-1 usb-read ↳ symantec-usb-read ↳ symantec-usb-read-1 usb-write ↳ symantec-usb-write-2 ↳ syslog-symantec-usb-write ↳ symantec-usb-delete ↳ symantec-usb-write-1 ↳ symantec-usb-write ↳ symantec-usb-activity	T1020 - Automated Exfiltration T1048 - Exfiltration Over Alternative Protocol T1204 - User Execution	15 Rules 9 Models
Data Leak	config-change ↳ symantec-account-config-change ↳ symantec-primary-group-changed ↳ symantec-group-member-changed dlp-alert ↳ symantec-usb-activity ↳ vontu-email-dlp-1 ↳ symantec-dlp-alert-1 ↳ s-symantec-dlp-alert-1 ↳ symantec-dlp-alert ↳ symantec-message-alert ↳ syslog-symantec-dlp-alert-6 ↳ syslog-symantec-dlp-alert-7 ↳ vontu-dlp ↳ cef-symantec-dlp-alert ↳ cef-vontu-dlp-alert ↳ s-vontu-dlp-alert ↳ cef-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-symantec-dlp-alert-2 ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ q-symantec-dlp-alert ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ cef-vontu-dlp-alert-2 ↳ cef-vontu-dlp-alert-3 ↳ symantec-dlp-cit-alert ↳ q-symantec-dlp-alert-1 ↳ s-vontu-email-dlp ↳ r-syslog-vontu-dlp ↳ syslog-vontu-dlp-alert ↳ r-syslog-vontu-dlp-1 dlp-email-alert-in ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-in ↳ symantec-dlp-email-alert-in dlp-email-alert-in-failed ↳ s-symantec-dlp-email-alert dlp-email-alert-out ↳ syslog-symantec-dlp-alert-7 ↳ syslog-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ symantec-email-alert-out ↳ syslog-vontu-dlp-alert ↳ q-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ r-syslog-vontu-dlp-1 ↳ q-symantec-dlp-alert ↳ q-symantec-dlp-email-out ↳ vontu-email-dlp ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-out dlp-email-alert-out-failed ↳ q-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ vontu-email-dlp ↳ q-dlp-alert ↳ symantec-email-alert-out ↳ s-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ r-syslog-vontu-dlp-1 ↳ s-symantec-dlp-email-alert failed-logon ↳ symantec-account-switch-failed failed-usb-activity ↳ symantec-usb-block member-added ↳ symantec-group-created ↳ symantec-account-member-added member-removed ↳ symantec-group-member-deleted ↳ symantec-account-member-removed network-alert ↳ s-symantec-network-alert process-alert ↳ s-symantec-process-alert security-alert ↳ symantec-security-alert ↳ s-symantec-security-alert-2 ↳ s-symantec-security-alert-1 ↳ s-symantec-security-alert ↳ cef-symantec-sep-alert-2 ↳ cef-symantec-sep-alert-3 ↳ cef-symantec-sep-alert-4 ↳ symantec-alert-jp-2 usb-activity ↳ symantec-usb-delete-1 usb-insert ↳ symantec-usb-insert ↳ symantec-usb-insert-1 usb-read ↳ symantec-usb-read ↳ symantec-usb-read-1 usb-write ↳ symantec-usb-write-2 ↳ syslog-symantec-usb-write ↳ symantec-usb-delete ↳ symantec-usb-write-1 ↳ symantec-usb-write ↳ symantec-usb-activity	T1020 - Automated Exfiltration T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1052.001 - Exfiltration Over Physical Medium: Exfiltration over USB T1204 - User Execution	54 Rules 28 Models
Evasion	config-change ↳ symantec-account-config-change ↳ symantec-primary-group-changed ↳ symantec-group-member-changed dlp-alert ↳ symantec-usb-activity ↳ vontu-email-dlp-1 ↳ symantec-dlp-alert-1 ↳ s-symantec-dlp-alert-1 ↳ symantec-dlp-alert ↳ symantec-message-alert ↳ syslog-symantec-dlp-alert-6 ↳ syslog-symantec-dlp-alert-7 ↳ vontu-dlp ↳ cef-symantec-dlp-alert ↳ cef-vontu-dlp-alert ↳ s-vontu-dlp-alert ↳ cef-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-symantec-dlp-alert-2 ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ q-symantec-dlp-alert ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ cef-vontu-dlp-alert-2 ↳ cef-vontu-dlp-alert-3 ↳ symantec-dlp-cit-alert ↳ q-symantec-dlp-alert-1 ↳ s-vontu-email-dlp ↳ r-syslog-vontu-dlp ↳ syslog-vontu-dlp-alert ↳ r-syslog-vontu-dlp-1 dlp-email-alert-in ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-in ↳ symantec-dlp-email-alert-in dlp-email-alert-in-failed ↳ s-symantec-dlp-email-alert dlp-email-alert-out ↳ syslog-symantec-dlp-alert-7 ↳ syslog-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ symantec-email-alert-out ↳ syslog-vontu-dlp-alert ↳ q-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ r-syslog-vontu-dlp-1 ↳ q-symantec-dlp-alert ↳ q-symantec-dlp-email-out ↳ vontu-email-dlp ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-out dlp-email-alert-out-failed ↳ q-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ vontu-email-dlp ↳ q-dlp-alert ↳ symantec-email-alert-out ↳ s-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ r-syslog-vontu-dlp-1 ↳ s-symantec-dlp-email-alert failed-logon ↳ symantec-account-switch-failed failed-usb-activity ↳ symantec-usb-block member-added ↳ symantec-group-created ↳ symantec-account-member-added member-removed ↳ symantec-group-member-deleted ↳ symantec-account-member-removed network-alert ↳ s-symantec-network-alert process-alert ↳ s-symantec-process-alert security-alert ↳ symantec-security-alert ↳ s-symantec-security-alert-2 ↳ s-symantec-security-alert-1 ↳ s-symantec-security-alert ↳ cef-symantec-sep-alert-2 ↳ cef-symantec-sep-alert-3 ↳ cef-symantec-sep-alert-4 ↳ symantec-alert-jp-2 usb-activity ↳ symantec-usb-delete-1 usb-insert ↳ symantec-usb-insert ↳ symantec-usb-insert-1 usb-read ↳ symantec-usb-read ↳ symantec-usb-read-1 usb-write ↳ symantec-usb-write-2 ↳ syslog-symantec-usb-write ↳ symantec-usb-delete ↳ symantec-usb-write-1 ↳ symantec-usb-write ↳ symantec-usb-activity	T1090.003 - Proxy: Multi-hop Proxy	1 Rules
Lateral Movement	config-change ↳ symantec-account-config-change ↳ symantec-primary-group-changed ↳ symantec-group-member-changed dlp-alert ↳ symantec-usb-activity ↳ vontu-email-dlp-1 ↳ symantec-dlp-alert-1 ↳ s-symantec-dlp-alert-1 ↳ symantec-dlp-alert ↳ symantec-message-alert ↳ syslog-symantec-dlp-alert-6 ↳ syslog-symantec-dlp-alert-7 ↳ vontu-dlp ↳ cef-symantec-dlp-alert ↳ cef-vontu-dlp-alert ↳ s-vontu-dlp-alert ↳ cef-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-symantec-dlp-alert-2 ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ q-symantec-dlp-alert ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ cef-vontu-dlp-alert-2 ↳ cef-vontu-dlp-alert-3 ↳ symantec-dlp-cit-alert ↳ q-symantec-dlp-alert-1 ↳ s-vontu-email-dlp ↳ r-syslog-vontu-dlp ↳ syslog-vontu-dlp-alert ↳ r-syslog-vontu-dlp-1 dlp-email-alert-in ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-in ↳ symantec-dlp-email-alert-in dlp-email-alert-in-failed ↳ s-symantec-dlp-email-alert dlp-email-alert-out ↳ syslog-symantec-dlp-alert-7 ↳ syslog-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ symantec-email-alert-out ↳ syslog-vontu-dlp-alert ↳ q-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ r-syslog-vontu-dlp-1 ↳ q-symantec-dlp-alert ↳ q-symantec-dlp-email-out ↳ vontu-email-dlp ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-out dlp-email-alert-out-failed ↳ q-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ vontu-email-dlp ↳ q-dlp-alert ↳ symantec-email-alert-out ↳ s-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ r-syslog-vontu-dlp-1 ↳ s-symantec-dlp-email-alert failed-logon ↳ symantec-account-switch-failed failed-usb-activity ↳ symantec-usb-block member-added ↳ symantec-group-created ↳ symantec-account-member-added member-removed ↳ symantec-group-member-deleted ↳ symantec-account-member-removed network-alert ↳ s-symantec-network-alert process-alert ↳ s-symantec-process-alert security-alert ↳ symantec-security-alert ↳ s-symantec-security-alert-2 ↳ s-symantec-security-alert-1 ↳ s-symantec-security-alert ↳ cef-symantec-sep-alert-2 ↳ cef-symantec-sep-alert-3 ↳ cef-symantec-sep-alert-4 ↳ symantec-alert-jp-2 usb-activity ↳ symantec-usb-delete-1 usb-insert ↳ symantec-usb-insert ↳ symantec-usb-insert-1 usb-read ↳ symantec-usb-read ↳ symantec-usb-read-1 usb-write ↳ symantec-usb-write-2 ↳ syslog-symantec-usb-write ↳ symantec-usb-delete ↳ symantec-usb-write-1 ↳ symantec-usb-write ↳ symantec-usb-activity	T1021.001 - Remote Services: Remote Desktop Protocol T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1110 - Brute Force T1550.002 - Use Alternate Authentication Material: Pass the Hash T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1550.004 - Use Alternate Authentication Material: Web Session Cookie	10 Rules 1 Models
Malware	config-change ↳ symantec-account-config-change ↳ symantec-primary-group-changed ↳ symantec-group-member-changed dlp-alert ↳ symantec-usb-activity ↳ vontu-email-dlp-1 ↳ symantec-dlp-alert-1 ↳ s-symantec-dlp-alert-1 ↳ symantec-dlp-alert ↳ symantec-message-alert ↳ syslog-symantec-dlp-alert-6 ↳ syslog-symantec-dlp-alert-7 ↳ vontu-dlp ↳ cef-symantec-dlp-alert ↳ cef-vontu-dlp-alert ↳ s-vontu-dlp-alert ↳ cef-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-symantec-dlp-alert-2 ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ q-symantec-dlp-alert ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ cef-vontu-dlp-alert-2 ↳ cef-vontu-dlp-alert-3 ↳ symantec-dlp-cit-alert ↳ q-symantec-dlp-alert-1 ↳ s-vontu-email-dlp ↳ r-syslog-vontu-dlp ↳ syslog-vontu-dlp-alert ↳ r-syslog-vontu-dlp-1 dlp-email-alert-in ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-in ↳ symantec-dlp-email-alert-in dlp-email-alert-in-failed ↳ s-symantec-dlp-email-alert dlp-email-alert-out ↳ syslog-symantec-dlp-alert-7 ↳ syslog-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ symantec-email-alert-out ↳ syslog-vontu-dlp-alert ↳ q-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ r-syslog-vontu-dlp-1 ↳ q-symantec-dlp-alert ↳ q-symantec-dlp-email-out ↳ vontu-email-dlp ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-out dlp-email-alert-out-failed ↳ q-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ vontu-email-dlp ↳ q-dlp-alert ↳ symantec-email-alert-out ↳ s-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ r-syslog-vontu-dlp-1 ↳ s-symantec-dlp-email-alert failed-logon ↳ symantec-account-switch-failed failed-usb-activity ↳ symantec-usb-block member-added ↳ symantec-group-created ↳ symantec-account-member-added member-removed ↳ symantec-group-member-deleted ↳ symantec-account-member-removed network-alert ↳ s-symantec-network-alert process-alert ↳ s-symantec-process-alert security-alert ↳ symantec-security-alert ↳ s-symantec-security-alert-2 ↳ s-symantec-security-alert-1 ↳ s-symantec-security-alert ↳ cef-symantec-sep-alert-2 ↳ cef-symantec-sep-alert-3 ↳ cef-symantec-sep-alert-4 ↳ symantec-alert-jp-2 usb-activity ↳ symantec-usb-delete-1 usb-insert ↳ symantec-usb-insert ↳ symantec-usb-insert-1 usb-read ↳ symantec-usb-read ↳ symantec-usb-read-1 usb-write ↳ symantec-usb-write-2 ↳ syslog-symantec-usb-write ↳ symantec-usb-delete ↳ symantec-usb-write-1 ↳ symantec-usb-write ↳ symantec-usb-activity	T1078 - Valid Accounts T1090.003 - Proxy: Multi-hop Proxy T1204 - User Execution T1210 - Exploitation of Remote Services	15 Rules 8 Models
Phishing	config-change ↳ symantec-account-config-change ↳ symantec-primary-group-changed ↳ symantec-group-member-changed dlp-alert ↳ symantec-usb-activity ↳ vontu-email-dlp-1 ↳ symantec-dlp-alert-1 ↳ s-symantec-dlp-alert-1 ↳ symantec-dlp-alert ↳ symantec-message-alert ↳ syslog-symantec-dlp-alert-6 ↳ syslog-symantec-dlp-alert-7 ↳ vontu-dlp ↳ cef-symantec-dlp-alert ↳ cef-vontu-dlp-alert ↳ s-vontu-dlp-alert ↳ cef-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-symantec-dlp-alert-2 ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ q-symantec-dlp-alert ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ cef-vontu-dlp-alert-2 ↳ cef-vontu-dlp-alert-3 ↳ symantec-dlp-cit-alert ↳ q-symantec-dlp-alert-1 ↳ s-vontu-email-dlp ↳ r-syslog-vontu-dlp ↳ syslog-vontu-dlp-alert ↳ r-syslog-vontu-dlp-1 dlp-email-alert-in ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-in ↳ symantec-dlp-email-alert-in dlp-email-alert-in-failed ↳ s-symantec-dlp-email-alert dlp-email-alert-out ↳ syslog-symantec-dlp-alert-7 ↳ syslog-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ symantec-email-alert-out ↳ syslog-vontu-dlp-alert ↳ q-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ r-syslog-vontu-dlp-1 ↳ q-symantec-dlp-alert ↳ q-symantec-dlp-email-out ↳ vontu-email-dlp ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-out dlp-email-alert-out-failed ↳ q-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ vontu-email-dlp ↳ q-dlp-alert ↳ symantec-email-alert-out ↳ s-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ r-syslog-vontu-dlp-1 ↳ s-symantec-dlp-email-alert failed-logon ↳ symantec-account-switch-failed failed-usb-activity ↳ symantec-usb-block member-added ↳ symantec-group-created ↳ symantec-account-member-added member-removed ↳ symantec-group-member-deleted ↳ symantec-account-member-removed network-alert ↳ s-symantec-network-alert process-alert ↳ s-symantec-process-alert security-alert ↳ symantec-security-alert ↳ s-symantec-security-alert-2 ↳ s-symantec-security-alert-1 ↳ s-symantec-security-alert ↳ cef-symantec-sep-alert-2 ↳ cef-symantec-sep-alert-3 ↳ cef-symantec-sep-alert-4 ↳ symantec-alert-jp-2 usb-activity ↳ symantec-usb-delete-1 usb-insert ↳ symantec-usb-insert ↳ symantec-usb-insert-1 usb-read ↳ symantec-usb-read ↳ symantec-usb-read-1 usb-write ↳ symantec-usb-write-2 ↳ syslog-symantec-usb-write ↳ symantec-usb-delete ↳ symantec-usb-write-1 ↳ symantec-usb-write ↳ symantec-usb-activity	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models
Privilege Abuse	config-change ↳ symantec-account-config-change ↳ symantec-primary-group-changed ↳ symantec-group-member-changed dlp-alert ↳ symantec-usb-activity ↳ vontu-email-dlp-1 ↳ symantec-dlp-alert-1 ↳ s-symantec-dlp-alert-1 ↳ symantec-dlp-alert ↳ symantec-message-alert ↳ syslog-symantec-dlp-alert-6 ↳ syslog-symantec-dlp-alert-7 ↳ vontu-dlp ↳ cef-symantec-dlp-alert ↳ cef-vontu-dlp-alert ↳ s-vontu-dlp-alert ↳ cef-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-symantec-dlp-alert-2 ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ q-symantec-dlp-alert ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ cef-vontu-dlp-alert-2 ↳ cef-vontu-dlp-alert-3 ↳ symantec-dlp-cit-alert ↳ q-symantec-dlp-alert-1 ↳ s-vontu-email-dlp ↳ r-syslog-vontu-dlp ↳ syslog-vontu-dlp-alert ↳ r-syslog-vontu-dlp-1 dlp-email-alert-in ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-in ↳ symantec-dlp-email-alert-in dlp-email-alert-in-failed ↳ s-symantec-dlp-email-alert dlp-email-alert-out ↳ syslog-symantec-dlp-alert-7 ↳ syslog-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ symantec-email-alert-out ↳ syslog-vontu-dlp-alert ↳ q-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ r-syslog-vontu-dlp-1 ↳ q-symantec-dlp-alert ↳ q-symantec-dlp-email-out ↳ vontu-email-dlp ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-out dlp-email-alert-out-failed ↳ q-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ vontu-email-dlp ↳ q-dlp-alert ↳ symantec-email-alert-out ↳ s-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ r-syslog-vontu-dlp-1 ↳ s-symantec-dlp-email-alert failed-logon ↳ symantec-account-switch-failed failed-usb-activity ↳ symantec-usb-block member-added ↳ symantec-group-created ↳ symantec-account-member-added member-removed ↳ symantec-group-member-deleted ↳ symantec-account-member-removed network-alert ↳ s-symantec-network-alert process-alert ↳ s-symantec-process-alert security-alert ↳ symantec-security-alert ↳ s-symantec-security-alert-2 ↳ s-symantec-security-alert-1 ↳ s-symantec-security-alert ↳ cef-symantec-sep-alert-2 ↳ cef-symantec-sep-alert-3 ↳ cef-symantec-sep-alert-4 ↳ symantec-alert-jp-2 usb-activity ↳ symantec-usb-delete-1 usb-insert ↳ symantec-usb-insert ↳ symantec-usb-insert-1 usb-read ↳ symantec-usb-read ↳ symantec-usb-read-1 usb-write ↳ symantec-usb-write-2 ↳ syslog-symantec-usb-write ↳ symantec-usb-delete ↳ symantec-usb-write-1 ↳ symantec-usb-write ↳ symantec-usb-activity	T1078 - Valid Accounts T1098 - Account Manipulation	12 Rules 8 Models
Privilege Escalation	config-change ↳ symantec-account-config-change ↳ symantec-primary-group-changed ↳ symantec-group-member-changed dlp-alert ↳ symantec-usb-activity ↳ vontu-email-dlp-1 ↳ symantec-dlp-alert-1 ↳ s-symantec-dlp-alert-1 ↳ symantec-dlp-alert ↳ symantec-message-alert ↳ syslog-symantec-dlp-alert-6 ↳ syslog-symantec-dlp-alert-7 ↳ vontu-dlp ↳ cef-symantec-dlp-alert ↳ cef-vontu-dlp-alert ↳ s-vontu-dlp-alert ↳ cef-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-symantec-dlp-alert-2 ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ q-symantec-dlp-alert ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ cef-vontu-dlp-alert-2 ↳ cef-vontu-dlp-alert-3 ↳ symantec-dlp-cit-alert ↳ q-symantec-dlp-alert-1 ↳ s-vontu-email-dlp ↳ r-syslog-vontu-dlp ↳ syslog-vontu-dlp-alert ↳ r-syslog-vontu-dlp-1 dlp-email-alert-in ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-in ↳ symantec-dlp-email-alert-in dlp-email-alert-in-failed ↳ s-symantec-dlp-email-alert dlp-email-alert-out ↳ syslog-symantec-dlp-alert-7 ↳ syslog-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ symantec-email-alert-out ↳ syslog-vontu-dlp-alert ↳ q-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ r-syslog-vontu-dlp-1 ↳ q-symantec-dlp-alert ↳ q-symantec-dlp-email-out ↳ vontu-email-dlp ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-out dlp-email-alert-out-failed ↳ q-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ vontu-email-dlp ↳ q-dlp-alert ↳ symantec-email-alert-out ↳ s-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ r-syslog-vontu-dlp-1 ↳ s-symantec-dlp-email-alert failed-logon ↳ symantec-account-switch-failed failed-usb-activity ↳ symantec-usb-block member-added ↳ symantec-group-created ↳ symantec-account-member-added member-removed ↳ symantec-group-member-deleted ↳ symantec-account-member-removed network-alert ↳ s-symantec-network-alert process-alert ↳ s-symantec-process-alert security-alert ↳ symantec-security-alert ↳ s-symantec-security-alert-2 ↳ s-symantec-security-alert-1 ↳ s-symantec-security-alert ↳ cef-symantec-sep-alert-2 ↳ cef-symantec-sep-alert-3 ↳ cef-symantec-sep-alert-4 ↳ symantec-alert-jp-2 usb-activity ↳ symantec-usb-delete-1 usb-insert ↳ symantec-usb-insert ↳ symantec-usb-insert-1 usb-read ↳ symantec-usb-read ↳ symantec-usb-read-1 usb-write ↳ symantec-usb-write-2 ↳ syslog-symantec-usb-write ↳ symantec-usb-delete ↳ symantec-usb-write-1 ↳ symantec-usb-write ↳ symantec-usb-activity	T1210 - Exploitation of Remote Services	1 Rules
Privileged Activity	config-change ↳ symantec-account-config-change ↳ symantec-primary-group-changed ↳ symantec-group-member-changed dlp-alert ↳ symantec-usb-activity ↳ vontu-email-dlp-1 ↳ symantec-dlp-alert-1 ↳ s-symantec-dlp-alert-1 ↳ symantec-dlp-alert ↳ symantec-message-alert ↳ syslog-symantec-dlp-alert-6 ↳ syslog-symantec-dlp-alert-7 ↳ vontu-dlp ↳ cef-symantec-dlp-alert ↳ cef-vontu-dlp-alert ↳ s-vontu-dlp-alert ↳ cef-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-symantec-dlp-alert-2 ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ q-symantec-dlp-alert ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ cef-vontu-dlp-alert-2 ↳ cef-vontu-dlp-alert-3 ↳ symantec-dlp-cit-alert ↳ q-symantec-dlp-alert-1 ↳ s-vontu-email-dlp ↳ r-syslog-vontu-dlp ↳ syslog-vontu-dlp-alert ↳ r-syslog-vontu-dlp-1 dlp-email-alert-in ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-in ↳ symantec-dlp-email-alert-in dlp-email-alert-in-failed ↳ s-symantec-dlp-email-alert dlp-email-alert-out ↳ syslog-symantec-dlp-alert-7 ↳ syslog-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ symantec-email-alert-out ↳ syslog-vontu-dlp-alert ↳ q-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ r-syslog-vontu-dlp-1 ↳ q-symantec-dlp-alert ↳ q-symantec-dlp-email-out ↳ vontu-email-dlp ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-out dlp-email-alert-out-failed ↳ q-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ vontu-email-dlp ↳ q-dlp-alert ↳ symantec-email-alert-out ↳ s-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ r-syslog-vontu-dlp-1 ↳ s-symantec-dlp-email-alert failed-logon ↳ symantec-account-switch-failed failed-usb-activity ↳ symantec-usb-block member-added ↳ symantec-group-created ↳ symantec-account-member-added member-removed ↳ symantec-group-member-deleted ↳ symantec-account-member-removed network-alert ↳ s-symantec-network-alert process-alert ↳ s-symantec-process-alert security-alert ↳ symantec-security-alert ↳ s-symantec-security-alert-2 ↳ s-symantec-security-alert-1 ↳ s-symantec-security-alert ↳ cef-symantec-sep-alert-2 ↳ cef-symantec-sep-alert-3 ↳ cef-symantec-sep-alert-4 ↳ symantec-alert-jp-2 usb-activity ↳ symantec-usb-delete-1 usb-insert ↳ symantec-usb-insert ↳ symantec-usb-insert-1 usb-read ↳ symantec-usb-read ↳ symantec-usb-read-1 usb-write ↳ symantec-usb-write-2 ↳ syslog-symantec-usb-write ↳ symantec-usb-delete ↳ symantec-usb-write-1 ↳ symantec-usb-write ↳ symantec-usb-activity	T1068 - Exploitation for Privilege Escalation T1078 - Valid Accounts	2 Rules
Ransomware	config-change ↳ symantec-account-config-change ↳ symantec-primary-group-changed ↳ symantec-group-member-changed dlp-alert ↳ symantec-usb-activity ↳ vontu-email-dlp-1 ↳ symantec-dlp-alert-1 ↳ s-symantec-dlp-alert-1 ↳ symantec-dlp-alert ↳ symantec-message-alert ↳ syslog-symantec-dlp-alert-6 ↳ syslog-symantec-dlp-alert-7 ↳ vontu-dlp ↳ cef-symantec-dlp-alert ↳ cef-vontu-dlp-alert ↳ s-vontu-dlp-alert ↳ cef-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-symantec-dlp-alert-2 ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ q-symantec-dlp-alert ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ cef-vontu-dlp-alert-2 ↳ cef-vontu-dlp-alert-3 ↳ symantec-dlp-cit-alert ↳ q-symantec-dlp-alert-1 ↳ s-vontu-email-dlp ↳ r-syslog-vontu-dlp ↳ syslog-vontu-dlp-alert ↳ r-syslog-vontu-dlp-1 dlp-email-alert-in ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-in ↳ symantec-dlp-email-alert-in dlp-email-alert-in-failed ↳ s-symantec-dlp-email-alert dlp-email-alert-out ↳ syslog-symantec-dlp-alert-7 ↳ syslog-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ symantec-email-alert-out ↳ syslog-vontu-dlp-alert ↳ q-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ r-syslog-vontu-dlp-1 ↳ q-symantec-dlp-alert ↳ q-symantec-dlp-email-out ↳ vontu-email-dlp ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-out dlp-email-alert-out-failed ↳ q-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ vontu-email-dlp ↳ q-dlp-alert ↳ symantec-email-alert-out ↳ s-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ r-syslog-vontu-dlp-1 ↳ s-symantec-dlp-email-alert failed-logon ↳ symantec-account-switch-failed failed-usb-activity ↳ symantec-usb-block member-added ↳ symantec-group-created ↳ symantec-account-member-added member-removed ↳ symantec-group-member-deleted ↳ symantec-account-member-removed network-alert ↳ s-symantec-network-alert process-alert ↳ s-symantec-process-alert security-alert ↳ symantec-security-alert ↳ s-symantec-security-alert-2 ↳ s-symantec-security-alert-1 ↳ s-symantec-security-alert ↳ cef-symantec-sep-alert-2 ↳ cef-symantec-sep-alert-3 ↳ cef-symantec-sep-alert-4 ↳ symantec-alert-jp-2 usb-activity ↳ symantec-usb-delete-1 usb-insert ↳ symantec-usb-insert ↳ symantec-usb-insert-1 usb-read ↳ symantec-usb-read ↳ symantec-usb-read-1 usb-write ↳ symantec-usb-write-2 ↳ syslog-symantec-usb-write ↳ symantec-usb-delete ↳ symantec-usb-write-1 ↳ symantec-usb-write ↳ symantec-usb-activity	T1078 - Valid Accounts	1 Rules
Workforce Protection	config-change ↳ symantec-account-config-change ↳ symantec-primary-group-changed ↳ symantec-group-member-changed dlp-alert ↳ symantec-usb-activity ↳ vontu-email-dlp-1 ↳ symantec-dlp-alert-1 ↳ s-symantec-dlp-alert-1 ↳ symantec-dlp-alert ↳ symantec-message-alert ↳ syslog-symantec-dlp-alert-6 ↳ syslog-symantec-dlp-alert-7 ↳ vontu-dlp ↳ cef-symantec-dlp-alert ↳ cef-vontu-dlp-alert ↳ s-vontu-dlp-alert ↳ cef-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-symantec-dlp-alert-2 ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ q-symantec-dlp-alert ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ cef-vontu-dlp-alert-2 ↳ cef-vontu-dlp-alert-3 ↳ symantec-dlp-cit-alert ↳ q-symantec-dlp-alert-1 ↳ s-vontu-email-dlp ↳ r-syslog-vontu-dlp ↳ syslog-vontu-dlp-alert ↳ r-syslog-vontu-dlp-1 dlp-email-alert-in ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-in ↳ symantec-dlp-email-alert-in dlp-email-alert-in-failed ↳ s-symantec-dlp-email-alert dlp-email-alert-out ↳ syslog-symantec-dlp-alert-7 ↳ syslog-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ symantec-email-alert-out ↳ syslog-vontu-dlp-alert ↳ q-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ syslog-symantec-dlp-alert-1 ↳ syslog-symantec-dlp-alert-4 ↳ syslog-symantec-dlp-alert-3 ↳ r-syslog-vontu-dlp-1 ↳ q-symantec-dlp-alert ↳ q-symantec-dlp-email-out ↳ vontu-email-dlp ↳ q-dlp-alert ↳ s-symantec-dlp-alert ↳ s-symantec-dlp-email-alert ↳ messagelabs-email-out dlp-email-alert-out-failed ↳ q-symantec-dlp-alert ↳ r-syslog-vontu-dlp ↳ vontu-email-dlp ↳ q-dlp-alert ↳ symantec-email-alert-out ↳ s-symantec-dlp-alert ↳ q-vontu-dlp-alert ↳ syslog-vontu-dlp-alert ↳ s-vontu-dlp-email-alert ↳ r-syslog-vontu-dlp-1 ↳ s-symantec-dlp-email-alert failed-logon ↳ symantec-account-switch-failed failed-usb-activity ↳ symantec-usb-block member-added ↳ symantec-group-created ↳ symantec-account-member-added member-removed ↳ symantec-group-member-deleted ↳ symantec-account-member-removed network-alert ↳ s-symantec-network-alert process-alert ↳ s-symantec-process-alert security-alert ↳ symantec-security-alert ↳ s-symantec-security-alert-2 ↳ s-symantec-security-alert-1 ↳ s-symantec-security-alert ↳ cef-symantec-sep-alert-2 ↳ cef-symantec-sep-alert-3 ↳ cef-symantec-sep-alert-4 ↳ symantec-alert-jp-2 usb-activity ↳ symantec-usb-delete-1 usb-insert ↳ symantec-usb-insert ↳ symantec-usb-insert-1 usb-read ↳ symantec-usb-read ↳ symantec-usb-read-1 usb-write ↳ symantec-usb-write-2 ↳ syslog-symantec-usb-write ↳ symantec-usb-delete ↳ symantec-usb-write-1 ↳ symantec-usb-write ↳ symantec-usb-activity	T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 1 Models

ATT&CK Matrix for Enterprise

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Valid Accounts	Command and Scripting Interperter User Execution Command and Scripting Interperter: PowerShell	Valid Accounts Account Manipulation	Valid Accounts Exploitation for Privilege Escalation	Obfuscated Files or Information: Indicator Removal from Tools Valid Accounts Use Alternate Authentication Material Use Alternate Authentication Material: Pass the Hash Use Alternate Authentication Material: Web Session Cookie Use Alternate Authentication Material: Pass the Ticket Obfuscated Files or Information	Brute Force		Exploitation of Remote Services Remote Services Use Alternate Authentication Material Remote Services: Remote Desktop Protocol		Proxy: Multi-hop Proxy Proxy	Exfiltration Over Alternative Protocol Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Exfiltration Over Physical Medium: Exfiltration over USB Exfiltration Over Physical Medium Automated Exfiltration