Use Case: Data Access

July 25, 2023

Vendor: Accellion

Product | Event Types | MITRE TTP | Content
Accellion
  • account-password-change
  • account-password-reset
  • app-activity
  • app-login
  • dlp-email-alert-out
  • failed-app-login
  • file-delete
  • file-download
  • file-read
  • file-upload
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 30 Rules
  • 18 Models

Vendor: Adaxes

Product | Event Types | MITRE TTP | Content
Adaxes
  • app-activity
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models

Vendor: Airlock

Product | Event Types | MITRE TTP | Content
Airlock
  • app-activity-failed
  • failed-app-login
  • file-write
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 4 Rules
  • 3 Models

Vendor: Amazon

Product | Event Types | MITRE TTP | Content
AWS CloudTrail
  • app-activity
  • app-activity-failed
  • app-login
  • cloud-admin-activity
  • cloud-admin-activity-failed
  • failed-app-login
  • storage-access
  • storage-activity
  • storage-activity-failed
T1078 - Valid Accounts
  • 27 Rules
  • 15 Models
AWS CloudWatch
  • app-activity
  • file-alert
  • netflow-connection
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models

Vendor: Apache Subversion

Product | Event Types | MITRE TTP | Content
Apache Subversion
  • app-activity
  • app-activity-failed
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models

Vendor: AssetView

Product | Event Types | MITRE TTP | Content
AssetView
  • file-download
  • file-write
  • print-activity
  • security-alert
  • usb-insert
T1083 - File and Directory Discovery
  • 3 Rules
  • 3 Models

Vendor: Atlassian

Product | Event Types | MITRE TTP | Content
Atlassian BitBucket
  • app-activity
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models

Vendor: Barracuda

Product | Event Types | MITRE TTP | Content
Barracuda Firewall
  • account-password-change
  • account-password-change-failed
  • failed-logon
  • failed-vpn-login
  • network-connection-failed
  • network-connection-successful
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
T1110 - Brute Force
  • 2 Rules
  • 2 Models

Vendor: BeyondTrust

Product | Event Types | MITRE TTP | Content
BeyondTrust
  • account-switch
  • app-activity
  • app-login
  • failed-app-login
  • privileged-access
T1078 - Valid Accounts
  • 27 Rules
  • 15 Models
BeyondTrust PowerBroker
  • privileged-access
  • process-created
T1003 - OS Credential Dumping
  • 1 Rule
BeyondTrust Privilege Management
  • local-logon
  • process-created
T1003 - OS Credential Dumping
  • 1 Rule
BeyondTrust Privileged Identity
  • account-switch
  • app-activity
  • app-login
  • privileged-access
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models

Vendor: Bitdefender

Product | Event Types | MITRE TTP | Content
Bitdefender
  • app-login
  • security-alert
T1078 - Valid Accounts
  • 10 Rules
  • 7 Models

Vendor: Bitglass

Product | Event Types | MITRE TTP | Content
Bitglass CASB
  • app-login
  • dlp-alert
  • dlp-email-alert-out
  • failed-app-login
  • file-read
  • file-write
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 14 Rules
  • 10 Models

Vendor: BlackBerry

Product | Event Types | MITRE TTP | Content
BlackBerry Protect
  • app-activity
  • app-login
  • dlp-alert
  • file-alert
  • file-delete
  • file-read
  • process-alert
  • security-alert
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 29 Rules
  • 18 Models

Vendor: Box

Product | Event Types | MITRE TTP | Content
Box Cloud Content Management
  • app-activity
  • app-login
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 29 Rules
  • 18 Models

Vendor: Bromium

Product | Event Types | MITRE TTP | Content
Bromium Secure Platform
  • file-permission-change
  • file-read
  • file-write
T1083 - File and Directory Discovery
  • 3 Rules
  • 3 Models

Vendor: CatoNetworks

Product | Event Types | MITRE TTP | Content
Cato Cloud
  • network-alert
  • vpn-connection
  • vpn-login
  • vpn-logout
  • web-activity-allowed
  • web-activity-denied
T1078 - Valid Accounts
T1110 - Brute Force
  • 2 Rules
  • 2 Models

Vendor: Centrify

Product | Event Types | MITRE TTP | Content
Centrify Audit and Monitoring Service
  • file-delete
  • file-read
  • file-write
T1083 - File and Directory Discovery
  • 3 Rules
  • 3 Models
Centrify Infrastructure Services
  • process-created
T1003 - OS Credential Dumping
  • 1 Rule
Centrify Zero Trust Privilege Services
  • account-switch
  • app-activity
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 27 Rules
  • 15 Models

Vendor: Check Point Software

Product | Event Types | MITRE TTP | Content
Check Point Identity Awareness
  • failed-vpn-login
  • network-connection-failed
  • network-connection-successful
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
T1110 - Brute Force
  • 2 Rules
  • 2 Models
Check Point NGFW
  • app-login
  • dlp-email-alert-in
  • dlp-email-alert-out
  • failed-vpn-login
  • local-logon
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • vpn-login
  • vpn-logout
  • web-activity-allowed
  • web-activity-denied
T1078 - Valid Accounts
T1110 - Brute Force
  • 12 Rules
  • 9 Models
Check Point Security Gateway
  • failed-vpn-login
  • network-connection-failed
  • network-connection-successful
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
T1110 - Brute Force
  • 2 Rules
  • 2 Models
Check Point Threat Prevention
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
T1110 - Brute Force
  • 2 Rules
  • 2 Models

Vendor: Cisco

Product | Event Types | MITRE TTP | Content
AnyConnect
  • process-network
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
T1110 - Brute Force
  • 2 Rules
  • 2 Models
Cisco ACS
  • app-activity
  • authentication-failed
  • authentication-successful
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models
Cisco Adaptive Security Appliance
  • authentication-failed
  • authentication-successful
  • dns-response
  • failed-logon
  • failed-vpn-login
  • file-download
  • file-upload
  • nac-logon
  • network-connection-successful
  • process-created
  • remote-logon
  • vpn-login
  • vpn-logout
  • web-activity-denied
T1003 - OS Credential Dumping
T1078 - Valid Accounts
T1110 - Brute Force
  • 3 Rules
  • 2 Models
Cisco Call Manager
  • app-activity
  • app-activity-failed
  • authentication-failed
  • authentication-successful
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models
Cisco Firepower
  • authentication-successful
  • dns-query
  • dns-response
  • nac-logon
  • netflow-connection
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • security-alert
  • vpn-login
  • vpn-logout
  • web-activity-allowed
  • web-activity-denied
T1078 - Valid Accounts
T1110 - Brute Force
  • 2 Rules
  • 2 Models
Cisco ISE
  • app-activity
  • authentication-failed
  • authentication-successful
  • computer-logon
  • failed-vpn-login
  • nac-failed-logon
  • nac-logon
  • remote-logon
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
T1110 - Brute Force
  • 28 Rules
  • 17 Models
Cisco Meraki MX appliances
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • vpn-login
  • vpn-logout
  • web-activity-allowed
  • web-activity-denied
T1078 - Valid Accounts
T1110 - Brute Force
  • 2 Rules
  • 2 Models
Cisco NPE
  • process-created
T1003 - OS Credential Dumping
  • 1 Rule
Cisco TACACS
  • process-created
T1003 - OS Credential Dumping
  • 1 Rule
Duo Access Security
  • account-creation
  • app-activity
  • app-login
  • authentication-failed
  • authentication-successful
  • failed-app-login
T1078 - Valid Accounts
  • 27 Rules
  • 15 Models

Vendor: Citrix

Product | Event Types | MITRE TTP | Content
Citrix Endpoint Management
  • app-activity
  • remote-logon
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models
Citrix Gateway ActiveSync Connector
  • app-activity
  • app-activity-failed
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models
Citrix Netscaler
  • app-activity
  • app-login
  • authentication-failed
  • failed-vpn-login
  • process-created
  • vpn-login
  • vpn-logout
T1003 - OS Credential Dumping
T1078 - Valid Accounts
T1110 - Brute Force
  • 29 Rules
  • 17 Models
Citrix Netscaler VPN
  • authentication-failed
  • authentication-successful
  • remote-access
  • remote-logon
  • vpn-connection
  • vpn-logout
T1078 - Valid Accounts
T1110 - Brute Force
  • 2 Rules
  • 2 Models
Citrix ShareFile
  • app-activity
  • app-login
  • failed-app-login
  • file-download
  • file-upload
T1078 - Valid Accounts
  • 27 Rules
  • 15 Models
Citrix XenApp
  • app-login
  • remote-logon
T1078 - Valid Accounts
  • 10 Rules
  • 7 Models

Vendor: Cloud Application

Product | Event Types | MITRE TTP | Content
Cloud Application
  • account-password-change
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 11 Rules
  • 7 Models

Vendor: Cloudflare

Product | Event Types | MITRE TTP | Content
Cloudflare Insights
  • app-activity
  • app-login
  • member-added
  • member-removed
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models

Vendor: Code42

Product | Event Types | MITRE TTP | Content
Code42 Incydr
  • dlp-email-alert-out
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
  • print-activity
  • usb-activity
  • usb-insert
T1083 - File and Directory Discovery
  • 3 Rules
  • 3 Models

Vendor: CrowdStrike

Product | Event Types | MITRE TTP | Content
Falcon
  • app-activity
  • app-activity-failed
  • app-login
  • authentication-failed
  • batch-logon
  • computer-logon
  • config-change
  • dlp-alert
  • dns-query
  • failed-app-login
  • file-alert
  • file-delete
  • file-download
  • file-read
  • file-write
  • local-logon
  • network-connection-successful
  • process-alert
  • process-created
  • process-network
  • remote-access
  • remote-logon
  • security-alert
  • service-logon
  • task-created
  • usb-activity
  • usb-insert
T1003 - OS Credential Dumping
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 31 Rules
  • 18 Models

Vendor: CyberArk

Product | Event Types | MITRE TTP | Content
CyberArk Vault
  • account-password-change
  • account-password-change-failed
  • account-password-reset
  • account-switch
  • app-activity
  • app-activity-failed
  • app-login
  • failed-app-login
  • failed-logon
  • file-delete
  • file-permission-change
  • file-read
  • file-write
  • remote-logon
  • security-alert
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 30 Rules
  • 18 Models
Privileged Session Manager
  • account-switch
  • app-activity
  • app-login
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models

Vendor: DTEX InTERCEPT

Product | Event Types | MITRE TTP | Content
DTEX InTERCEPT
  • file-delete
  • file-read
  • file-write
T1083 - File and Directory Discovery
  • 3 Rules
  • 3 Models

Vendor: Darktrace

Product | Event Types | MITRE TTP | Content
Darktrace
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 11 Rules
  • 7 Models

Vendor: Dell

Product | Event Types | MITRE TTP | Content
Dell EMC Isilon
  • file-delete
  • file-read
  • file-write
  • remote-access
T1083 - File and Directory Discovery
  • 3 Rules
  • 3 Models
One Identity Manager
  • account-password-change
  • account-switch
  • app-activity
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models
SonicWALL Aventail
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
T1110 - Brute Force
  • 2 Rules
  • 2 Models

Vendor: Digital Guardian

Product | Event Types | MITRE TTP | Content
Digital Guardian Endpoint Protection
  • app-activity
  • dlp-alert
  • dlp-email-alert-out
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
  • local-logon
  • print-activity
  • process-created
  • usb-insert
  • usb-write
T1003 - OS Credential Dumping
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 30 Rules
  • 18 Models

Vendor: Dropbox

Product | Event Types | MITRE TTP | Content
Dropbox
  • app-activity
  • app-login
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-write
  • vpn-logout
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1110 - Brute Force
  • 31 Rules
  • 20 Models

Vendor: Dtex Systems

Product | Event Types | MITRE TTP | Content
DTEX InTERCEPT
  • file-write
  • local-logon
  • print-activity
  • process-created
  • remote-logon
  • usb-write
  • web-activity-allowed
  • workstation-locked
  • workstation-unlocked
T1003 - OS Credential Dumping
T1083 - File and Directory Discovery
  • 4 Rules
  • 3 Models

Vendor: Duo Access Security

Product | Event Types | MITRE TTP | Content
Duo Access Security
  • app-activity
  • failed-vpn-login
  • vpn-login
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models

Vendor: EMP

Product | Event Types | MITRE TTP | Content
EMP
  • app-activity
  • app-login
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models

Vendor: ESET

Product | Event Types | MITRE TTP | Content
ESET Endpoint Security
  • app-login
  • authentication-failed
  • authentication-successful
  • failed-logon
  • security-alert
  • web-activity-denied
T1078 - Valid Accounts
  • 10 Rules
  • 7 Models

Vendor: ESector

Product | Event Types | MITRE TTP | Content
ESector DEFESA
  • file-delete
  • file-read
  • file-write
T1083 - File and Directory Discovery
  • 3 Rules
  • 3 Models

Vendor: Egnyte

Product | Event Types | MITRE TTP | Content
Egnyte
  • app-login
  • failed-app-login
  • file-delete
  • file-download
  • file-permission-change
  • file-upload
  • file-write
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 14 Rules
  • 10 Models

Vendor: Epic

Product | Event Types | MITRE TTP | Content
Epic SIEM
  • account-password-change
  • account-password-change-failed
  • app-activity
  • app-login
  • authentication-successful
  • failed-app-login
T1078 - Valid Accounts
  • 27 Rules
  • 15 Models

Vendor: F5

Product | Event Types | MITRE TTP | Content
F5 BIG-IP Access Policy Manager (APM)
  • authentication-failed
  • authentication-successful
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
T1110 - Brute Force
  • 2 Rules
  • 2 Models

Vendor: FTP

Product | Event Types | MITRE TTP | Content
FTP
  • app-login
  • failed-app-login
  • file-delete
  • file-read
  • file-write
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 14 Rules
  • 10 Models

Vendor: Fast Enterprises

Product | Event Types | MITRE TTP | Content
Fast Enterprises GenTax
  • app-login
T1078 - Valid Accounts
  • 10 Rules
  • 7 Models

Vendor: FireEye

Product | Event Types | MITRE TTP | Content
FireEye Endpoint Security (HX)
  • file-write
  • network-alert
  • process-alert
  • security-alert
T1083 - File and Directory Discovery
  • 3 Rules
  • 3 Models

Vendor: Forcepoint

Product | Event Types | MITRE TTP | Content
Forcepoint CASB
  • app-activity
  • app-login
  • failed-app-login
  • security-alert
T1078 - Valid Accounts
  • 27 Rules
  • 15 Models

Vendor: Fortinet

Product | Event Types | MITRE TTP | Content
Fortinet Enterprise Firewall
  • app-activity
  • app-activity-failed
  • computer-logon
  • netflow-connection
  • network-connection-failed
  • network-connection-successful
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models
Fortinet UTM
  • app-activity
  • app-activity-failed
  • authentication-failed
  • authentication-successful
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • failed-vpn-login
  • network-alert
  • security-alert
  • vpn-login
  • vpn-logout
  • web-activity-allowed
  • web-activity-denied
T1078 - Valid Accounts
T1110 - Brute Force
  • 28 Rules
  • 17 Models
Fortinet VPN
  • authentication-successful
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
T1110 - Brute Force
  • 2 Rules
  • 2 Models

Vendor: GitHub

Product | Event Types | MITRE TTP | Content
GitHub
  • app-activity
  • app-activity-failed
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 27 Rules
  • 15 Models

Vendor: Google

Product | Event Types | MITRE TTP | Content
Google
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 11 Rules
  • 7 Models
Google Calendar
  • app-activity
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models
Google Cloud Platform
  • app-activity
  • cloud-admin-activity
  • cloud-admin-activity-failed
  • storage-access
  • storage-activity
  • storage-activity-failed
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models
Google Drive
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-write
T1083 - File and Directory Discovery
  • 3 Rules
  • 3 Models

Vendor: HP

Product | Event Types | MITRE TTP | Content
HP Comware
  • process-created
T1003 - OS Credential Dumping
  • 1 Rule
HP Virtual Connect Enterprise Manager
  • app-login
T1078 - Valid Accounts
  • 10 Rules
  • 7 Models

Vendor: HashiCorp

Product | Event Types | MITRE TTP | Content
HashiCorp Vault
  • account-password-reset
  • app-login
T1078 - Valid Accounts
  • 10 Rules
  • 7 Models

Vendor: HelpSystems

Product | Event Types | MITRE TTP | Content
Powertech Identity Access Manager (BoKs)
  • account-switch
  • file-delete
  • file-read
  • file-write
  • local-logon
  • process-created
  • remote-logon
T1003 - OS Credential Dumping
T1083 - File and Directory Discovery
  • 4 Rules
  • 3 Models

Vendor: Huawei

Product | Event Types | MITRE TTP | Content
Unified Security Gateway
  • authentication-successful
  • network-alert
  • process-created
  • vpn-login
T1003 - OS Credential Dumping
  • 1 Rule

Vendor: IBM

Product | Event Types | MITRE TTP | Content
IBM DB2
  • authentication-failed
  • file-read
  • remote-logon
  • security-alert
T1083 - File and Directory Discovery
  • 3 Rules
  • 3 Models
IBM Racf
  • app-activity
  • app-login
  • database-access
  • database-failed-login
  • database-update
  • failed-app-login
T1078 - Valid Accounts
  • 27 Rules
  • 15 Models
IBM Sametime
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 11 Rules
  • 7 Models
IBM Sterling B2B Integrator
  • app-activity
  • failed-logon
  • member-added
  • member-removed
  • remote-logon
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models
Infosphere Guardium
  • database-alert
  • database-failed-login
  • database-login
  • database-query
T1213 - Data from Information Repositories
  • 5 Rules
  • 5 Models

Vendor: ICDB

Product | Event Types | MITRE TTP | Content
ICDB
  • app-activity
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models

Vendor: Imperva

Product | Event Types | MITRE TTP | Content
CounterBreach
  • database-alert
T1213 - Data from Information Repositories
  • 5 Rules
  • 5 Models
Imperva File Activity Monitoring (FAM)
  • file-delete
  • file-permission-change
  • file-read
  • file-write
T1083 - File and Directory Discovery
  • 3 Rules
  • 3 Models
Imperva SecureSphere
  • app-login
  • database-alert
  • database-delete
  • database-failed-login
  • database-login
  • database-query
  • database-update
  • failed-app-login
  • network-alert
  • security-alert
T1078 - Valid Accounts
T1213 - Data from Information Repositories
  • 16 Rules
  • 12 Models

Vendor: InfoWatch

Product | Event Types | MITRE TTP | Content
InfoWatch
  • app-login
  • dlp-email-alert-in
  • dlp-email-alert-out
  • print-activity
  • usb-write
  • web-activity-allowed
T1078 - Valid Accounts
  • 10 Rules
  • 7 Models

Vendor: Infoblox

Product | Event Types | MITRE TTP | Content
Infoblox BloxOne
  • app-activity
  • app-login
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models

Vendor: Ipswitch

Product | Event Types | MITRE TTP | Content
IPswitch MoveIt
  • app-activity
  • app-login
  • failed-app-login
  • file-read
  • file-write
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 30 Rules
  • 18 Models
MoveIt DMZ
  • account-password-change
  • authentication-failed
  • authentication-successful
  • failed-logon
  • file-delete
  • file-download
  • file-upload
  • file-write
  • member-added
T1083 - File and Directory Discovery
  • 3 Rules
  • 3 Models

Vendor: Johnson Controls

Product | Event Types | MITRE TTP | Content
Johnson Controls P2000
  • account-password-change-failed
  • app-login
  • failed-logon
  • physical-access
  • security-alert
T1078 - Valid Accounts
  • 10 Rules
  • 7 Models

Vendor: Juniper Networks

Product | Event Types | MITRE TTP | Content
Juniper Networks Pulse Secure
  • account-deleted
  • app-activity
  • vpn-login
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models
Juniper OWA
  • app-login
T1078 - Valid Accounts
  • 10 Rules
  • 7 Models
Juniper SRX
  • account-deleted
  • authentication-failed
  • authentication-successful
  • failed-vpn-login
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • security-alert
  • vpn-connection
  • vpn-login
  • vpn-logout
  • web-activity-allowed
  • web-activity-denied
T1078 - Valid Accounts
T1110 - Brute Force
  • 2 Rules
  • 2 Models
Juniper VPN
  • account-deleted
  • authentication-failed
  • authentication-successful
  • failed-vpn-login
  • vpn-login
  • vpn-logout
  • web-activity-allowed
T1078 - Valid Accounts
T1110 - Brute Force
  • 2 Rules
  • 2 Models

Vendor: Kemp

Product | Event Types | MITRE TTP | Content
Kemp LoadMaster
  • app-activity
  • remote-logon
  • security-alert
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models

Vendor: Kiteworks

Product | Event Types | MITRE TTP | Content
Kiteworks
  • account-password-change
  • app-activity
  • app-login
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 29 Rules
  • 18 Models

Vendor: LEAP

Product | Event Types | MITRE TTP | Content
LEAP
  • app-activity
  • app-login
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models

Vendor: LOGBinder

Product | Event Types | MITRE TTP | Content
SharePoint
  • app-activity
  • file-read
  • file-write
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 29 Rules
  • 18 Models

Vendor: LanScope Cat

Product | Event Types | MITRE TTP | Content
LanScope Cat
  • app-activity
  • file-delete
  • file-write
  • process-created
  • process-created-failed
  • process-network
T1003 - OS Credential Dumping
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 30 Rules
  • 18 Models

Vendor: LanScope

Product | Event Types | MITRE TTP | Content
LanScope Cat
  • app-activity
  • dlp-alert
  • failed-usb-activity
  • local-logon
  • print-activity
  • usb-activity
  • usb-write
  • web-activity-allowed
  • workstation-locked
  • workstation-unlocked
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models

Vendor: LastPass

Product | Event Types | MITRE TTP | Content
LastPass
  • app-activity
  • app-login
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models

Vendor: LogRhythm

Product | Event Types | MITRE TTP | Content
LogRhythm
  • process-created
T1003 - OS Credential Dumping
  • 1 Rule

Vendor: Lumension

Product | Event Types | MITRE TTP | Content
Lumension
  • app-login
  • authentication-failed
  • authentication-successful
  • failed-app-login
  • failed-usb-activity
  • usb-activity
  • usb-insert
T1078 - Valid Accounts
  • 11 Rules
  • 7 Models

Vendor: McAfee

Product | Event Types | MITRE TTP | Content
MDAM
  • database-alert
  • database-delete
  • database-query
  • database-update
T1213 - Data from Information Repositories
  • 5 Rules
  • 5 Models
McAfee Endpoint Security
  • dlp-alert
  • failed-app-login
  • file-write
  • print-activity
  • process-alert
  • process-created-failed
  • remote-logon
  • security-alert
  • usb-activity
  • usb-insert
  • usb-write
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 4 Rules
  • 3 Models
Skyhigh Networks CASB
  • app-activity
  • app-login
  • dlp-alert
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models

Vendor: Microsoft

Product | Event Types | MITRE TTP | Content
Exchange
  • app-activity
  • app-activity-failed
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • failed-app-login
T1078 - Valid Accounts
  • 27 Rules
  • 15 Models
Microsoft Azure
  • app-activity
  • app-activity-failed
  • app-login
  • authentication-failed
  • authentication-successful
  • cloud-admin-activity
  • cloud-admin-activity-failed
  • failed-app-login
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • process-created
  • storage-access
  • storage-activity
  • storage-activity-failed
T1003 - OS Credential Dumping
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 31 Rules
  • 18 Models
Microsoft Azure Active Directory
  • account-password-change
  • app-activity
  • app-activity-failed
  • app-login
  • authentication-failed
  • failed-app-login
T1078 - Valid Accounts
  • 27 Rules
  • 15 Models
Microsoft Azure MFA
  • app-activity
  • authentication-failed
  • authentication-successful
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models
Microsoft Cloud App Security (MCAS)
  • app-activity
  • app-login
  • failed-app-login
  • file-delete
  • file-upload
  • file-write
  • member-added
  • member-removed
  • process-created
  • process-network
  • process-network-failed
  • security-alert
T1003 - OS Credential Dumping
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 31 Rules
  • 18 Models
Microsoft Defender ATP
  • process-created
  • security-alert
T1003 - OS Credential Dumping
  • 1 Rule
Microsoft Office 365
  • account-disabled
  • account-password-change
  • account-unlocked
  • app-activity
  • app-activity-failed
  • app-login
  • database-query
  • dlp-alert
  • dlp-email-alert-in
  • dlp-email-alert-out
  • dns-query
  • failed-app-login
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
  • member-added
  • member-removed
  • network-connection-failed
  • network-connection-successful
  • process-created
  • remote-logon
  • security-alert
  • usb-activity
  • usb-insert
T1003 - OS Credential Dumping
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 31 Rules
  • 18 Models
Microsoft OneDrive
  • app-activity
  • file-read
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 29 Rules
  • 18 Models
Microsoft SQL Server
  • database-access
  • database-activity-failed
  • database-delete
  • database-failed-login
  • database-login
  • database-query
  • failed-app-login
T1078 - Valid Accounts
  • 1 Rule
Microsoft Sysmon
  • dns-query
  • file-delete
  • file-write
  • image-loaded
  • process-created
  • process-network
T1003 - OS Credential Dumping
T1083 - File and Directory Discovery
  • 4 Rules
  • 3 Models
Microsoft Windows
  • account-creation
  • account-deleted
  • account-disabled
  • account-enabled
  • account-lockout
  • account-password-change
  • account-password-change-failed
  • account-password-reset
  • account-switch
  • account-unlocked
  • app-login
  • audit-log-clear
  • audit-policy-change
  • authentication-failed
  • authentication-successful
  • batch-logon
  • computer-logon
  • config-change
  • database-login
  • dcom-activation-failed
  • dns-query
  • dns-response
  • ds-access
  • failed-app-login
  • failed-logon
  • failed-vpn-login
  • file-close
  • file-delete
  • file-read
  • file-write
  • kerberos-logon
  • local-logon
  • logout-remote
  • member-added
  • member-removed
  • nac-failed-logon
  • nac-logon
  • network-connection-successful
  • ntlm-logon
  • privileged-access
  • privileged-object-access
  • process-created
  • process-network
  • process-network-failed
  • remote-access
  • remote-logon
  • security-alert
  • service-created
  • service-logon
  • share-access
  • share-access-denied
  • task-created
  • usb-activity
  • usb-insert
  • vpn-login
  • vpn-logout
  • winsession-disconnect
  • workstation-locked
  • workstation-unlocked
T1003 - OS Credential Dumping
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1110 - Brute Force
  • 17 Rules
  • 12 Models
NetApp
  • file-alert
  • file-delete
T1083 - File and Directory Discovery
  • 3 Rules
  • 3 Models
Windows Defender
  • app-activity
  • app-activity-failed
  • app-login
  • dlp-alert
  • failed-app-login
  • security-alert
T1078 - Valid Accounts
  • 27 Rules
  • 15 Models

Vendor: Mimecast

Product | Event Types | MITRE TTP | Content
Mimecast
  • app-activity
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models
Mimecast Email Security
  • app-activity
  • app-login
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • failed-app-login
  • file-delete
  • file-read
  • file-write
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 30 Rules
  • 18 Models

Vendor: NCP

Product | Event Types | MITRE TTP | Content
NCP
  • authentication-failed
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
T1110 - Brute Force
  • 2 Rules
  • 2 Models

Vendor: NNT

Product | Event Types | MITRE TTP | Content
NNT ChangeTracker
  • app-login
T1078 - Valid Accounts
  • 10 Rules
  • 7 Models

Vendor: NetApp

Product | Event Types | MITRE TTP | Content
NetApp
  • file-delete
  • file-read
T1083 - File and Directory Discovery
  • 3 Rules
  • 3 Models

Vendor: NetDocs

Product | Event Types | MITRE TTP | Content
NetDocs
  • app-activity
  • file-delete
  • file-read
  • file-upload
  • file-write
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 29 Rules
  • 18 Models

Vendor: NetIQ

Product | Event Types | MITRE TTP | Content
NetIQ
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 11 Rules
  • 7 Models

Vendor: NetMotion Wireless

Product | Event Types | MITRE TTP | Content
NetMotion Wireless
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
T1110 - Brute Force
  • 2 Rules
  • 2 Models

Vendor: Netskope

Product | Event Types | MITRE TTP | Content
Netskope Security Cloud
  • app-activity
  • app-login
  • dlp-alert
  • dlp-email-alert-out
  • failed-app-login
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
  • network-connection-failed
  • network-connection-successful
  • security-alert
  • web-activity-allowed
  • web-activity-denied
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 30 Rules
  • 18 Models

Vendor: Netwrix

Product | Event Types | MITRE TTP | Content
Netwrix Auditor
  • account-disabled
  • account-lockout
  • account-password-reset
  • account-unlocked
  • app-activity
  • app-login
  • database-access
  • database-failed-login
  • ds-access
  • failed-app-login
  • failed-logon
  • file-delete
  • file-write
  • member-added
  • member-removed
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 30 Rules
  • 18 Models

Vendor: Nortel Contivity

Product | Event Types | MITRE TTP | Content
Nortel Contivity VPN
  • vpn-logout
T1078 - Valid Accounts
T1110 - Brute Force
  • 2 Rules
  • 2 Models

Vendor: ObserveIT

Product | Event Types | MITRE TTP | Content
ObserveIT
  • app-activity
  • app-login
  • database-access
  • dlp-alert
  • failed-app-login
  • process-created
  • remote-logon
  • security-alert
T1003 - OS Credential Dumping
T1078 - Valid Accounts
  • 28 Rules
  • 15 Models

Vendor: Okta

Product | Event Types | MITRE TTP | Content
Okta Adaptive MFA
  • account-lockout
  • account-password-reset
  • account-unlocked
  • app-activity
  • app-activity-failed
  • app-login
  • authentication-failed
  • authentication-successful
  • failed-app-login
  • member-added
  • security-alert
T1078 - Valid Accounts
  • 27 Rules
  • 15 Models

Vendor: Onapsis

Product | Event Types | MITRE TTP | Content
Onapsis
  • app-login
  • database-update
  • failed-app-login
  • security-alert
T1078 - Valid Accounts
  • 11 Rules
  • 7 Models

Vendor: OneLogin

Product | Event Types | MITRE TTP | Content
OneLogin
  • account-password-reset
  • app-activity
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 27 Rules
  • 15 Models

Vendor: Oracle

Product | Event Types | MITRE TTP | Content
Oracle Access Manager
  • app-activity
  • app-login
  • authentication-failed
  • authentication-successful
  • failed-app-login
T1078 - Valid Accounts
  • 27 Rules
  • 15 Models
Oracle Solaris
  • process-created
  • process-created-failed
T1003 - OS Credential Dumping
  • 1 Rule

Vendor: Osirium

Product | Event Types | MITRE TTP | Content
Osirium
  • app-login
T1078 - Valid Accounts
  • 10 Rules
  • 7 Models

Vendor: Palo Alto Networks

Product | Event Types | MITRE TTP | Content
Cortex XDR
  • app-activity
  • app-login
  • security-alert
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models
GlobalProtect
  • app-activity
  • authentication-failed
  • authentication-successful
  • config-change
  • failed-logon
  • failed-vpn-login
  • network-connection-failed
  • network-connection-successful
  • remote-logon
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
T1110 - Brute Force
  • 28 Rules
  • 17 Models
NGFW
  • app-activity
  • config-change
  • dlp-alert
  • failed-vpn-login
  • file-alert
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • remote-logon
  • security-alert
  • vpn-login
  • web-activity-allowed
  • web-activity-denied
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models
Palo Alto Aperture
  • app-activity
  • app-login
  • dlp-alert
  • file-delete
  • file-download
  • file-read
  • file-write
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 29 Rules
  • 18 Models

Vendor: Paxton

Product | Event Types | MITRE TTP | Content
NET2DOOR
  • account-password-change
  • account-password-change-failed
  • app-activity
  • app-activity-failed
  • app-login
  • authentication-failed
  • authentication-successful
  • failed-app-login
  • failed-physical-access
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
  • physical-access
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 30 Rules
  • 18 Models

Vendor: Perforce

Product | Event Types | MITRE TTP | Content
Perforce
  • app-activity
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models

Vendor: Ping Identity

Product | Event Types | MITRE TTP | Content
Ping Identity
  • app-login
  • authentication-failed
  • authentication-successful
  • computer-logon
  • nac-logon
  • network-alert
T1078 - Valid Accounts
  • 10 Rules
  • 7 Models
PingOne
  • app-login
  • authentication-successful
  • failed-app-login
T1078 - Valid Accounts
  • 11 Rules
  • 7 Models

Vendor: PowerSentry

Product | Event Types | MITRE TTP | Content
PowerSentry
  • app-activity
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 27 Rules
  • 15 Models

Vendor: Procad

Product | Event Types | MITRE TTP | Content
Pro.File DMS
  • app-activity
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models

Vendor: ProtectWise

Product | Event Types | MITRE TTP | Content
NDR
  • app-login
  • authentication-failed
  • authentication-successful
  • failed-app-login
T1078 - Valid Accounts
  • 11 Rules
  • 7 Models

Vendor: Quest InTrust

Product | Event Types | MITRE TTP | Content
Quest InTrust
  • computer-logon
  • process-created
  • usb-activity
T1003 - OS Credential Dumping
  • 1 Rule

Vendor: RSA

Product | Event Types | MITRE TTP | Content
RSA NetWitness
  • app-login
T1078 - Valid Accounts
  • 10 Rules
  • 7 Models
SecurID
  • authentication-failed
  • authentication-successful
  • vpn-logout
T1078 - Valid Accounts
T1110 - Brute Force
  • 2 Rules
  • 2 Models

Vendor: RangerAudit

Product | Event Types | MITRE TTP | Content
RangerAudit
  • app-activity
  • app-login
  • database-activity-failed
  • database-query
  • failed-app-login
  • file-read
  • file-write
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 30 Rules
  • 18 Models

Vendor: SAP

Product | Event Types | MITRE TTP | Content
SAP
  • account-creation
  • account-deleted
  • account-lockout
  • account-unlocked
  • app-activity
  • authentication-failed
  • authentication-successful
  • file-download
  • remote-logon
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models

Vendor: SSL Open VPN

Product | Event Types | MITRE TTP | Content
Nasuni
  • file-delete
  • file-permission-change
  • file-write
T1083 - File and Directory Discovery
  • 3 Rules
  • 3 Models
SSL Open VPN
  • app-activity
  • app-activity-failed
  • authentication-failed
  • failed-vpn-login
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
T1110 - Brute Force
  • 28 Rules
  • 17 Models

Vendor: Sailpoint

Product | Event Types | MITRE TTP | Content
IdentityNow
  • app-activity
  • app-login
  • authentication-failed
  • authentication-successful
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models
SecurityIQ
  • account-creation
  • account-deleted
  • account-lockout
  • account-password-reset
  • file-delete
  • file-download
  • file-permission-change
  • file-read
  • file-upload
  • file-write
  • member-added
  • member-removed
T1083 - File and Directory Discovery
  • 3 Rules
  • 3 Models

Vendor: Salesforce

Product | Event Types | MITRE TTP | Content
Salesforce
  • app-activity
  • app-login
  • failed-app-login
  • file-download
  • file-upload
T1078 - Valid Accounts
  • 27 Rules
  • 15 Models

Vendor: SecureAuth

Product | Event Types | MITRE TTP | Content
SecureAuth Login
  • app-login
  • authentication-successful
T1078 - Valid Accounts
  • 10 Rules
  • 7 Models
Product | Event Types | MITRE TTP | Content
SecureLink
  • app-activity
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 27 Rules
  • 15 Models

Vendor: SecureNet

Product | Event Types | MITRE TTP | Content
SecureNet
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
T1110 - Brute Force
  • 2 Rules
  • 2 Models

Vendor: SentinelOne

Product | Event Types | MITRE TTP | Content
SentinelOne
  • app-activity
  • dns-query
  • dns-response
  • file-alert
  • file-delete
  • file-read
  • file-write
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • process-created
  • security-alert
  • task-created
  • web-activity-allowed
T1003 - OS Credential Dumping
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 30 Rules
  • 18 Models

Vendor: ServiceNow

Product | Event Types | MITRE TTP | Content
ServiceNow
  • account-switch
  • app-activity
  • app-login
  • authentication-failed
  • authentication-successful
  • failed-app-login
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
  • remote-logon
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 30 Rules
  • 18 Models

Vendor: Shibboleth

Product | Event Types | MITRE TTP | Content
Shibboleth SSO
  • account-password-change
  • app-login
T1078 - Valid Accounts
  • 10 Rules
  • 7 Models

Vendor: Silverfort

Product | Event Types | MITRE TTP | Content
Silverfort
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 11 Rules
  • 7 Models

Vendor: SkySea

Product | Event Types | MITRE TTP | Content
ClientView
  • app-activity
  • app-login
  • dlp-email-alert-out
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
  • print-activity
  • security-alert
  • share-access
  • web-activity-allowed
  • web-activity-denied
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 29 Rules
  • 18 Models

Vendor: Slack

Product | Event Types | MITRE TTP | Content
BeyondTrust Secure Remote Access
  • app-activity
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 27 Rules
  • 15 Models
Epic SIEM
  • app-activity
  • failed-physical-access
  • file-delete
  • file-write
  • physical-access
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 29 Rules
  • 18 Models
Exabeam Advanced Analytics
  • account-disabled
  • account-enabled
  • account-password-change
  • account-unlocked
  • app-activity
  • app-login
  • authentication-failed
  • authentication-successful
  • failed-app-login
  • file-delete
  • file-permission-change
  • file-read
  • file-write
  • nac-logon
  • security-alert
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 30 Rules
  • 18 Models
Slack
  • account-password-change
  • app-activity
  • app-login
  • authentication-failed
  • authentication-successful
  • failed-app-login
  • file-delete
  • file-download
  • file-read
  • file-upload
  • file-write
  • remote-logon
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 30 Rules
  • 18 Models

Vendor: Sonicwall

Product | Event Types | MITRE TTP | Content
Sonicwall
  • authentication-failed
  • authentication-successful
  • failed-vpn-login
  • remote-logon
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
T1110 - Brute Force
  • 2 Rules
  • 2 Models

Vendor: Sophos

Product | Event Types | MITRE TTP | Content
Sophos SafeGuard
  • app-activity
  • app-activity-failed
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models
Sophos XG Firewall
  • dlp-alert
  • failed-vpn-login
  • network-connection-failed
  • network-connection-successful
  • security-alert
  • vpn-login
  • vpn-logout
  • web-activity-denied
T1078 - Valid Accounts
T1110 - Brute Force
  • 2 Rules
  • 2 Models

Vendor: StealthBits

Product | Event Types | MITRE TTP | Content
StealthIntercept
  • account-disabled
  • account-enabled
  • ds-access
  • failed-ds-access
  • file-permission-change
  • file-read
  • file-write
  • member-added
  • member-removed
T1083 - File and Directory Discovery
  • 3 Rules
  • 3 Models

Vendor: Swift

Product | Event Types | MITRE TTP | Content
Swift
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 11 Rules
  • 7 Models

Vendor: Swipes

Product | Event Types | MITRE TTP | Content
Sonicwall
  • failed-vpn-login
  • remote-logon
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
T1110 - Brute Force
  • 2 Rules
  • 2 Models

Vendor: Swivel

Product | Event Types | MITRE TTP | Content
Swivel
  • app-activity
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 27 Rules
  • 15 Models

Vendor: Symantec

Product | Event Types | MITRE TTP | Content
Symantec CloudSOC
  • app-activity
  • app-login
  • dlp-alert
  • failed-app-login
  • file-delete
  • file-download
  • file-upload
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 30 Rules
  • 18 Models
Symantec Endpoint Protection
  • app-activity
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • process-alert
  • security-alert
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models
Symantec VIP
  • app-activity
  • app-activity-failed
  • authentication-failed
  • authentication-successful
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models

Vendor: Tanium

Product | Event Types | MITRE TTP | Content
Endpoint Platform
  • authentication-failed
  • authentication-successful
  • dns-response
  • process-created
  • security-alert
T1003 - OS Credential Dumping
  • 1 Rule

Vendor: Thycotic Secret Server

Product | Event Types | MITRE TTP | Content
Thycotic Secret Server
  • account-switch
  • app-activity
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 27 Rules
  • 15 Models

Vendor: Trend Micro

Product | Event Types | MITRE TTP | Content
Deep Discovery Inspector
  • account-password-change
  • app-login
  • security-alert
T1078 - Valid Accounts
  • 10 Rules
  • 7 Models

Vendor: Tyco

Product | Event Types | MITRE TTP | Content
CCURE Building Management System
  • app-activity
  • app-login
  • failed-physical-access
  • physical-access
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models

Vendor: Unix

Product | Event Types | MITRE TTP | Content
Auditbeat
  • app-activity
  • app-activity-failed
  • authentication-successful
  • process-created
  • process-network
  • process-network-failed
T1003 - OS Credential Dumping
T1078 - Valid Accounts
  • 27 Rules
  • 15 Models
FTP
  • app-activity
  • app-activity-failed
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models
Unix
  • account-creation
  • account-deleted
  • account-lockout
  • account-password-change
  • account-switch
  • authentication-failed
  • authentication-successful
  • batch-logon
  • computer-logon
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • failed-logon
  • file-delete
  • file-read
  • file-write
  • kerberos-logon
  • local-logon
  • member-added
  • member-removed
  • process-created
  • process-created-failed
  • remote-access
  • remote-logon
  • security-alert
  • task-created
T1003 - OS Credential Dumping
T1083 - File and Directory Discovery
  • 4 Rules
  • 3 Models
Unix Auditd
  • account-deleted
  • account-password-change
  • account-switch
  • app-activity-failed
  • authentication-failed
  • authentication-successful
  • failed-logon
  • file-read
  • file-write
  • local-logon
  • member-added
  • member-removed
  • process-created
  • process-created-failed
  • remote-logon
  • security-alert
T1003 - OS Credential Dumping
T1083 - File and Directory Discovery
  • 4 Rules
  • 3 Models

Vendor: VMware

Product | Event Types | MITRE TTP | Content
VMware Carbon Black App Control
  • app-login
  • file-alert
  • file-delete
  • file-download
  • file-read
  • file-write
  • local-logon
  • network-connection-failed
  • network-connection-successful
  • process-alert
  • process-created
  • process-created-failed
  • process-network
  • security-alert
  • usb-insert
  • workstation-locked
  • workstation-unlocked
T1003 - OS Credential Dumping
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 14 Rules
  • 10 Models
VMware Carbon Black Cloud Endpoint Standard
  • file-read
  • file-write
  • network-alert
  • network-connection-successful
  • process-created
  • security-alert
T1003 - OS Credential Dumping
T1083 - File and Directory Discovery
  • 4 Rules
  • 3 Models
VMware Carbon Black EDR
  • process-alert
  • process-created
  • security-alert
T1003 - OS Credential Dumping
  • 1 Rule
VMware VCenter
  • app-activity
  • app-login
  • failed-logon
  • remote-logon
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models
VMware View
  • account-password-change
  • app-activity
  • app-login
  • failed-app-login
  • remote-logon
T1078 - Valid Accounts
  • 27 Rules
  • 15 Models

Vendor: Varonis

Product | Event Types | MITRE TTP | Content
Data Security Platform
  • authentication-failed
  • authentication-successful
  • dlp-alert
  • file-delete
  • file-permission-change
  • file-read
  • file-write
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1110 - Brute Force
  • 5 Rules
  • 5 Models

Vendor: Vectra

Product | Event Types | MITRE TTP | Content
Vectra Cognito Detect
  • app-activity
  • security-alert
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models

Vendor: Vormetric

Product | Event Types | MITRE TTP | Content
Vormetric
  • file-alert
  • file-read
T1083 - File and Directory Discovery
  • 3 Rules
  • 3 Models

Vendor: Weblogin

Product | Event Types | MITRE TTP | Content
NetApp
  • file-delete
  • file-read
  • file-write
T1083 - File and Directory Discovery
  • 3 Rules
  • 3 Models

Vendor: Workday

Product | Event Types | MITRE TTP | Content
Workday
  • app-activity
  • app-login
  • authentication-failed
  • failed-app-login
T1078 - Valid Accounts
  • 27 Rules
  • 15 Models

Vendor: Xceedium

Product | Event Types | MITRE TTP | Content
Xceedium
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 11 Rules
  • 7 Models

Vendor: Zeek

Product | Event Types | MITRE TTP | Content
Zeek Network Security Monitor
  • app-activity
  • authentication-failed
  • authentication-successful
  • computer-logon
  • dlp-email-alert-in
  • dlp-email-alert-out
  • dns-query
  • dns-response
  • failed-logon
  • file-delete
  • file-read
  • file-write
  • kerberos-logon
  • nac-failed-logon
  • nac-logon
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • ntlm-logon
  • remote-access
  • remote-logon
  • share-access
  • web-activity-allowed
  • web-activity-denied
T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 29 Rules
  • 18 Models

Vendor: Zlock

Product | Event Types | MITRE TTP | Content
Zlock
  • app-activity
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models

Vendor: Zscaler

Product | Event Types | MITRE TTP | Content
Zscaler Internet Access
  • app-login
  • dlp-alert
  • network-connection-failed
  • network-connection-successful
  • web-activity-allowed
  • web-activity-denied
T1078 - Valid Accounts
  • 10 Rules
  • 7 Models
Zscaler Private Access
  • vpn-login
  • vpn-logout
T1078 - Valid Accounts
T1110 - Brute Force
  • 2 Rules
  • 2 Models

Vendor: eDocs

Product | Event Types | MITRE TTP | Content
eDocs
  • app-activity
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models

Vendor: iManage

Product | Event Types | MITRE TTP | Content
iManage
  • app-activity
  • dlp-alert
T1078 - Valid Accounts
  • 26 Rules
  • 15 Models

Vendor: oVirt

Product | Event Types | MITRE TTP | Content
oVirt
  • app-activity
  • app-activity-failed
  • app-login
  • failed-app-login
T1078 - Valid Accounts
  • 27 Rules
  • 15 Models
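The catalog above is only useful to a detection engineer once it is machine-readable: which products in the estate feed T1078 versus T1083, which event types a given technique actually depends on, and how much content (rules, models) sits behind each product. The script below is an added example, not code from this page or from the content library it describes. It parses the page's plain-text layout (a "Vendor:" line, a column header, then one product per row with its bulleted event types, "Txxxx - Name" technique lines, and "N Rules" / "N Models" counts) into records and rolls them up per MITRE technique. The embedded SAMPLE is constructed from three entries copied from the tables above; the header line is accepted both in the column-separated form and in the run-together form the extraction produced.

```python
"""Parse the flattened vendor/product catalog into records and summarise
MITRE technique coverage.  Added example; not the content library's own code."""
import re
from collections import defaultdict

# Constructed sample in the page's own plain-text layout (entries copied from the
# catalog above).  Both header spellings are included on purpose.
SAMPLE = """\
Vendor: Nortel Contivity

ProductEvent TypesMITRE TTPContent
Nortel Contivity VPN
  • vpn-logout
T1078 - Valid Accounts
T1110 - Brute Force
  • 2 Rules
  • 2 Models

Vendor: Oracle

Product | Event Types | MITRE TTP | Content
Oracle Access Manager
  • app-activity
  • app-login
  • authentication-failed
T1078 - Valid Accounts
  • 27 Rules
  • 15 Models
Oracle Solaris
  • process-created
  • process-created-failed
T1003 - OS Credential Dumping
  • 1 Rules
"""

# "T1078 - Valid Accounts" or a sub-technique such as "T1078.004 - Cloud Accounts"
TTP_RE = re.compile(r"^(T\d{4}(?:\.\d{3})?)\s+-\s+(.+)$")
# content counts: "27 Rules", "15 Models", "1 Rule"
COUNT_RE = re.compile(r"^(\d+)\s+(Rules?|Models?)$")


def parse_catalog(text):
    """Return one dict per product row: vendor, product, event_types, ttps,
    ttp_names, rules, models.  Missing counts default to 0."""
    records, vendor, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Product"):      # blank line or column header
            continue
        if line.startswith("Vendor:"):
            vendor = line.split(":", 1)[1].strip()
            continue
        if line.startswith("•"):                         # bullet: count or event type
            if current is None:
                raise ValueError(f"bullet before any product row: {line!r}")
            body = line[1:].strip()
            m = COUNT_RE.match(body)
            if m:
                key = "rules" if m.group(2).startswith("Rule") else "models"
                current[key] = int(m.group(1))
            else:
                current["event_types"].append(body)
            continue
        m = TTP_RE.match(line)
        if m:
            if current is None:
                raise ValueError(f"technique before any product row: {line!r}")
            current["ttps"].append(m.group(1))
            current["ttp_names"][m.group(1)] = m.group(2)
            continue
        # Anything else opens a new product row under the current vendor.
        current = {"vendor": vendor, "product": line, "event_types": [],
                   "ttps": [], "ttp_names": {}, "rules": 0, "models": 0}
        records.append(current)
    return records


def products_by_technique(records):
    """Map each technique ID to the sorted list of products whose content covers it."""
    out = defaultdict(list)
    for r in records:
        for t in r["ttps"]:
            out[t].append(r["product"])
    return {t: sorted(p) for t, p in out.items()}


def event_types_by_technique(records):
    """Map each technique ID to the union of event types feeding it, so you can
    check that those event types are actually being ingested before relying on
    the technique's rules and models."""
    out = defaultdict(set)
    for r in records:
        for t in r["ttps"]:
            out[t].update(r["event_types"])
    return {t: sorted(e) for t, e in out.items()}


if __name__ == "__main__":
    recs = parse_catalog(SAMPLE)
    for r in recs:
        print(f"{r['vendor']:>16} | {r['product']:<22} | {len(r['event_types']):2d} event types"
              f" | {','.join(r['ttps'])} | {r['rules']} rules / {r['models']} models")
    for t, prods in sorted(products_by_technique(recs).items()):
        print(t, "->", prods)
```

Run it against the whole page (saved as text) instead of SAMPLE to get the full coverage map; products that list a technique but none of the event types you ingest are the rows to treat as not covered, whatever the rule count says.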