Vendor: Symantec

July 25, 2023 · View on GitHub

Product: Symantec Fireglass

Rules	Models	MITRE TTPs	Event Types	Parsers
58	20	10	2	2

Use-Case	Event Types/Parsers	MITRE TTP	Content
Compromised Credentials	web-activity-allowed ↳ s-symantec-web-activity-1 ↳ s-symantec-web-activity ↳ cef-symantec-web-activity-2 web-activity-denied ↳ s-symantec-web-activity-1 ↳ s-symantec-web-activity ↳ cef-symantec-web-activity-2	T1071.001 - Application Layer Protocol: Web Protocols T1102 - Web Service T1550.002 - Use Alternate Authentication Material: Pass the Hash	37 Rules 18 Models
Cryptomining	web-activity-allowed ↳ s-symantec-web-activity-1 ↳ s-symantec-web-activity ↳ cef-symantec-web-activity-2 web-activity-denied ↳ s-symantec-web-activity-1 ↳ s-symantec-web-activity ↳ cef-symantec-web-activity-2	T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	3 Rules
Data Exfiltration	web-activity-allowed ↳ s-symantec-web-activity-1 ↳ s-symantec-web-activity ↳ cef-symantec-web-activity-2 web-activity-denied ↳ s-symantec-web-activity-1 ↳ s-symantec-web-activity ↳ cef-symantec-web-activity-2	T1030 - Data Transfer Size Limits T1071.001 - Application Layer Protocol: Web Protocols T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage T1568 - Dynamic Resolution	4 Rules
Data Leak	web-activity-allowed ↳ s-symantec-web-activity-1 ↳ s-symantec-web-activity ↳ cef-symantec-web-activity-2 web-activity-denied ↳ s-symantec-web-activity-1 ↳ s-symantec-web-activity ↳ cef-symantec-web-activity-2	T1030 - Data Transfer Size Limits T1071.001 - Application Layer Protocol: Web Protocols T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage	4 Rules 1 Models
Evasion	web-activity-allowed ↳ s-symantec-web-activity-1 ↳ s-symantec-web-activity ↳ cef-symantec-web-activity-2 web-activity-denied ↳ s-symantec-web-activity-1 ↳ s-symantec-web-activity ↳ cef-symantec-web-activity-2	T1071.001 - Application Layer Protocol: Web Protocols T1090.003 - Proxy: Multi-hop Proxy	3 Rules 1 Models
Lateral Movement	web-activity-allowed ↳ s-symantec-web-activity-1 ↳ s-symantec-web-activity ↳ cef-symantec-web-activity-2 web-activity-denied ↳ s-symantec-web-activity-1 ↳ s-symantec-web-activity ↳ cef-symantec-web-activity-2	T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols	5 Rules 2 Models
Malware	web-activity-allowed ↳ s-symantec-web-activity-1 ↳ s-symantec-web-activity ↳ cef-symantec-web-activity-2 web-activity-denied ↳ s-symantec-web-activity-1 ↳ s-symantec-web-activity ↳ cef-symantec-web-activity-2	T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1550.002 - Use Alternate Authentication Material: Pass the Hash T1568.002 - Dynamic Resolution: Domain Generation Algorithms	25 Rules 6 Models
Phishing	web-activity-allowed ↳ s-symantec-web-activity-1 ↳ s-symantec-web-activity ↳ cef-symantec-web-activity-2 web-activity-denied ↳ s-symantec-web-activity-1 ↳ s-symantec-web-activity ↳ cef-symantec-web-activity-2	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules
Privileged Activity	web-activity-allowed ↳ s-symantec-web-activity-1 ↳ s-symantec-web-activity ↳ cef-symantec-web-activity-2 web-activity-denied ↳ s-symantec-web-activity-1 ↳ s-symantec-web-activity ↳ cef-symantec-web-activity-2	T1071.001 - Application Layer Protocol: Web Protocols T1102 - Web Service	1 Rules
Ransomware	web-activity-allowed ↳ s-symantec-web-activity-1 ↳ s-symantec-web-activity ↳ cef-symantec-web-activity-2 web-activity-denied ↳ s-symantec-web-activity-1 ↳ s-symantec-web-activity ↳ cef-symantec-web-activity-2	T1071 - Application Layer Protocol	3 Rules
Workforce Protection	web-activity-allowed ↳ s-symantec-web-activity-1 ↳ s-symantec-web-activity ↳ cef-symantec-web-activity-2 web-activity-denied ↳ s-symantec-web-activity-1 ↳ s-symantec-web-activity ↳ cef-symantec-web-activity-2	T1071.001 - Application Layer Protocol: Web Protocols	3 Rules 2 Models

ATT&CK Matrix for Enterprise

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Phishing: Spearphishing Link Phishing				Use Alternate Authentication Material Use Alternate Authentication Material: Pass the Hash			Use Alternate Authentication Material		Web Service Application Layer Protocol: Web Protocols Dynamic Resolution Dynamic Resolution: Domain Generation Algorithms Proxy: Multi-hop Proxy Application Layer Protocol Proxy	Data Transfer Size Limits Exfiltration Over Web Service: Exfiltration to Cloud Storage Exfiltration Over Web Service	Resource Hijacking