Use Case: Phishing

July 25, 2023 · View on GitHub

Use Case: Phishing

Vendor: Abnormal Security

Product	Event Types	MITRE TTP	Content
Abnormal Security	dlp-email-alert-out	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models

Vendor: Accellion

Product	Event Types	MITRE TTP	Content
Accellion	account-password-change account-password-reset app-activity app-login dlp-email-alert-out failed-app-login file-delete file-download file-read file-upload	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models
Kiteworks	dlp-alert dlp-email-alert-out	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models

Vendor: Akamai

Product	Event Types	MITRE TTP	Content
Cloud Akamai	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: Apache

Product	Event Types	MITRE TTP	Content
Apache	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: Barracuda

Product	Event Types	MITRE TTP	Content
Barracuda Firewall	account-password-change account-password-change-failed failed-logon failed-vpn-login network-connection-failed network-connection-successful vpn-login vpn-logout	T1566 - Phishing	2 Rules 2 Models

Vendor: Bitdefender

Product	Event Types	MITRE TTP	Content
Bitdefender GravityZone	security-alert web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: Bitglass

Product	Event Types	MITRE TTP	Content
Bitglass CASB	app-login dlp-alert dlp-email-alert-out failed-app-login file-read file-write	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models

Vendor: CatoNetworks

Product	Event Types	MITRE TTP	Content
Cato Cloud	network-alert vpn-connection vpn-login vpn-logout web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566 - Phishing T1566.002 - Phishing: Spearphishing Link	3 Rules 2 Models

Vendor: Check Point Software

Product	Event Types	MITRE TTP	Content
Check Point Identity Awareness	failed-vpn-login network-connection-failed network-connection-successful vpn-login vpn-logout	T1566 - Phishing	2 Rules 2 Models
Check Point NGFW	app-login dlp-email-alert-in dlp-email-alert-out failed-vpn-login local-logon network-alert network-connection-failed network-connection-successful vpn-login vpn-logout web-activity-allowed web-activity-denied	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1071.001 - Application Layer Protocol: Web Protocols T1566 - Phishing T1566.002 - Phishing: Spearphishing Link	17 Rules 9 Models
Check Point Security Gateway	failed-vpn-login network-connection-failed network-connection-successful vpn-login vpn-logout	T1566 - Phishing	2 Rules 2 Models
Check Point Threat Prevention	network-alert network-connection-failed network-connection-successful vpn-login vpn-logout	T1566 - Phishing	2 Rules 2 Models

Vendor: Cisco

Product	Event Types	MITRE TTP	Content
AnyConnect	process-network vpn-login vpn-logout	T1566 - Phishing	2 Rules 2 Models
Cisco ADC	web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules
Cisco Adaptive Security Appliance	authentication-failed authentication-successful dns-response failed-logon failed-vpn-login file-download file-upload nac-logon network-connection-successful process-created remote-logon vpn-login vpn-logout web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566 - Phishing T1566.002 - Phishing: Spearphishing Link	3 Rules 2 Models
Cisco Cloud Web Security	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules
Cisco Firepower	authentication-successful dns-query dns-response nac-logon netflow-connection network-alert network-connection-failed network-connection-successful security-alert vpn-login vpn-logout web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566 - Phishing T1566.002 - Phishing: Spearphishing Link	3 Rules 2 Models
Cisco ISE	app-activity authentication-failed authentication-successful computer-logon failed-vpn-login nac-failed-logon nac-logon remote-logon vpn-login vpn-logout	T1566 - Phishing	2 Rules 2 Models
Cisco Meraki MX appliances	network-alert network-connection-failed network-connection-successful vpn-login vpn-logout web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566 - Phishing T1566.002 - Phishing: Spearphishing Link	3 Rules 2 Models
Cisco Secure Email	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models
Cisco Secure Web Appliance	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules
Cisco Umbrella	config-change dns-query dns-response failed-logon network-connection-failed network-connection-successful remote-logon web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules
IronPort Email	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models
IronPort Web Security	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules
Proxy Umbrella	network-connection-successful web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: Citrix

Product	Event Types	MITRE TTP	Content
Citrix Netscaler	app-activity app-login authentication-failed failed-vpn-login process-created vpn-login vpn-logout	T1566 - Phishing	2 Rules 2 Models
Citrix Netscaler VPN	authentication-failed authentication-successful remote-access remote-logon vpn-connection vpn-logout	T1566 - Phishing	2 Rules 2 Models
Web Logging	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: Clearswift SEG

Product	Event Types	MITRE TTP	Content
Clearswift SEG	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models

Vendor: Cloudflare

Product	Event Types	MITRE TTP	Content
Cloudflare WAF	network-alert network-connection-failed network-connection-successful web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: Code42

Product	Event Types	MITRE TTP	Content
Code42 Incydr	dlp-email-alert-out file-delete file-download file-read file-upload file-write print-activity usb-activity usb-insert	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models

Vendor: Dell

Product	Event Types	MITRE TTP	Content
SonicWALL Aventail	vpn-login vpn-logout	T1566 - Phishing	2 Rules 2 Models

Vendor: Digital Arts

Product	Event Types	MITRE TTP	Content
Digital Arts i-FILTER for Business	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: Digital Guardian

Product	Event Types	MITRE TTP	Content
Digital Guardian Endpoint Protection	app-activity dlp-alert dlp-email-alert-out file-delete file-download file-read file-upload file-write local-logon print-activity process-created usb-insert usb-write	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models
Digital Guardian Network DLP	dlp-alert dlp-email-alert-out dlp-email-alert-out-failed print-activity	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models

Vendor: Dropbox

Product	Event Types	MITRE TTP	Content
Dropbox	app-activity app-login file-delete file-download file-permission-change file-read file-write vpn-logout	T1566 - Phishing	2 Rules 2 Models

Vendor: Dtex Systems

Product	Event Types	MITRE TTP	Content
DTEX InTERCEPT	file-write local-logon print-activity process-created remote-logon usb-write web-activity-allowed workstation-locked workstation-unlocked	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: ESET

Product	Event Types	MITRE TTP	Content
ESET Endpoint Security	app-login authentication-failed authentication-successful failed-logon security-alert web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: EdgeWave

Product	Event Types	MITRE TTP	Content
EdgeWave iPrism	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: F5

Product	Event Types	MITRE TTP	Content
F5 BIG-IP Access Policy Manager (APM)	authentication-failed authentication-successful vpn-login vpn-logout	T1566 - Phishing	2 Rules 2 Models
WebSafe	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: Fidelis

Product	Event Types	MITRE TTP	Content
Fidelis XPS	dlp-email-alert-in dlp-email-alert-out security-alert	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models

Vendor: FireEye

Product	Event Types	MITRE TTP	Content
FireEye Network Security (NX)	security-alert web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: Forcepoint

Product	Event Types	MITRE TTP	Content
Forcepoint DLP	dlp-alert dlp-email-alert-in dlp-email-alert-out dlp-email-alert-out-failed usb-insert	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models
Forcepoint Email Security	dlp-email-alert-in dlp-email-alert-out	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models
Websense Secure Gateway	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: Fortinet

Product	Event Types	MITRE TTP	Content
Fortinet FortiWeb	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules
Fortinet UTM	app-activity app-activity-failed authentication-failed authentication-successful dlp-alert dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-vpn-login network-alert security-alert vpn-login vpn-logout web-activity-allowed web-activity-denied	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1071.001 - Application Layer Protocol: Web Protocols T1566 - Phishing T1566.002 - Phishing: Spearphishing Link	17 Rules 9 Models
Fortinet VPN	authentication-successful vpn-login vpn-logout	T1566 - Phishing	2 Rules 2 Models

Vendor: Google

Product	Event Types	MITRE TTP	Content
GCP Squid Proxy	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: HP

Product	Event Types	MITRE TTP	Content
IronPort Web Security	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: HashiCorp

Product	Event Types	MITRE TTP	Content
Terraform	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: IBM

Product	Event Types	MITRE TTP	Content
IBM Security Access Manager	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: IMSVA

Product	Event Types	MITRE TTP	Content
IMSVA	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models

Vendor: Imperva

Product	Event Types	MITRE TTP	Content
Incapsula	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: InfoWatch

Product	Event Types	MITRE TTP	Content
InfoWatch	app-login dlp-email-alert-in dlp-email-alert-out print-activity usb-write web-activity-allowed	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	15 Rules 7 Models

Vendor: IronPort Web Security

Product	Event Types	MITRE TTP	Content
IronPort Web Security	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: Juniper Networks

Product	Event Types	MITRE TTP	Content
Juniper SRX	account-deleted authentication-failed authentication-successful failed-vpn-login network-alert network-connection-failed network-connection-successful security-alert vpn-connection vpn-login vpn-logout web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566 - Phishing T1566.002 - Phishing: Spearphishing Link	3 Rules 2 Models
Juniper VPN	account-deleted authentication-failed authentication-successful failed-vpn-login vpn-login vpn-logout web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1566 - Phishing T1566.002 - Phishing: Spearphishing Link	3 Rules 2 Models

Vendor: LanScope

Product	Event Types	MITRE TTP	Content
LanScope Cat	app-activity dlp-alert failed-usb-activity local-logon print-activity usb-activity usb-write web-activity-allowed workstation-locked workstation-unlocked	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: McAfee

Product	Event Types	MITRE TTP	Content
McAfee DLP	dlp-alert dlp-email-alert-out dlp-email-alert-out-failed failed-usb-activity print-activity usb-write	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models
McAfee Email Protection	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models
McAfee Web Gateway	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: Microsoft

Product	Event Types	MITRE TTP	Content
Exchange	app-activity app-activity-failed dlp-alert dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-app-login	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models
IIS	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules
Microsoft Office 365	account-disabled account-password-change account-unlocked app-activity app-activity-failed app-login database-query dlp-alert dlp-email-alert-in dlp-email-alert-out dns-query failed-app-login file-delete file-download file-permission-change file-read file-upload file-write member-added member-removed network-connection-failed network-connection-successful process-created remote-logon security-alert usb-activity usb-insert	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models
Microsoft Windows	account-creation account-deleted account-disabled account-enabled account-lockout account-password-change account-password-change-failed account-password-reset account-switch account-unlocked app-login audit-log-clear audit-policy-change authentication-failed authentication-successful batch-logon computer-logon config-change database-login dcom-activation-failed dns-query dns-response ds-access failed-app-login failed-logon failed-vpn-login file-close file-delete file-read file-write kerberos-logon local-logon logout-remote member-added member-removed nac-failed-logon nac-logon network-connection-successful ntlm-logon privileged-access privileged-object-access process-created process-network process-network-failed remote-access remote-logon security-alert service-created service-logon share-access share-access-denied task-created usb-activity usb-insert vpn-login vpn-logout winsession-disconnect workstation-locked workstation-unlocked	T1566 - Phishing	2 Rules 2 Models
Web Application Proxy	remote-logon web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules
Web Application Proxy-TLS Gateway	web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: Mimecast

Product	Event Types	MITRE TTP	Content
Targeted Threat Protection - URL	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: NCP

Product	Event Types	MITRE TTP	Content
NCP	authentication-failed vpn-login vpn-logout	T1566 - Phishing	2 Rules 2 Models

Vendor: NetMotion Wireless

Product	Event Types	MITRE TTP	Content
NetMotion Wireless	vpn-login vpn-logout	T1566 - Phishing	2 Rules 2 Models

Vendor: Netskope

Product	Event Types	MITRE TTP	Content
Netskope Security Cloud	app-activity app-login dlp-alert dlp-email-alert-out failed-app-login file-delete file-download file-permission-change file-read file-upload file-write network-connection-failed network-connection-successful security-alert web-activity-allowed web-activity-denied	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	15 Rules 7 Models

Vendor: Nortel Contivity

Product	Event Types	MITRE TTP	Content
Nortel Contivity VPN	vpn-logout	T1566 - Phishing	2 Rules 2 Models

Vendor: Palo Alto Networks

Product	Event Types	MITRE TTP	Content
GlobalProtect	app-activity authentication-failed authentication-successful config-change failed-logon failed-vpn-login network-connection-failed network-connection-successful remote-logon vpn-login vpn-logout	T1566 - Phishing	2 Rules 2 Models
NGFW	app-activity config-change dlp-alert failed-vpn-login file-alert network-alert network-connection-failed network-connection-successful remote-logon security-alert vpn-login web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: Proofpoint

Product	Event Types	MITRE TTP	Content
Proofpoint TAP	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models

Vendor: RSA

Product	Event Types	MITRE TTP	Content
RSA DLP	dlp-alert dlp-email-alert-out	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models
SecurID	authentication-failed authentication-successful vpn-logout	T1566 - Phishing	2 Rules 2 Models

Vendor: SIGSCI

Product	Event Types	MITRE TTP	Content
SIGSCI	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: SSL Open VPN

Product	Event Types	MITRE TTP	Content
SSL Open VPN	app-activity app-activity-failed authentication-failed failed-vpn-login vpn-login vpn-logout	T1566 - Phishing	2 Rules 2 Models

Vendor: SafeSend

Product	Event Types	MITRE TTP	Content
SafeSend	dlp-email-alert-out	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models

Vendor: Sangfor

Product	Event Types	MITRE TTP	Content
NGAF	network-alert web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: SecureNet

Product	Event Types	MITRE TTP	Content
SecureNet	vpn-login vpn-logout	T1566 - Phishing	2 Rules 2 Models

Vendor: SentinelOne

Product	Event Types	MITRE TTP	Content
SentinelOne	app-activity dns-query dns-response file-alert file-delete file-read file-write network-alert network-connection-failed network-connection-successful process-created security-alert task-created web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: SkySea

Product	Event Types	MITRE TTP	Content
ClientView	app-activity app-login dlp-email-alert-out file-delete file-download file-read file-upload file-write print-activity security-alert share-access web-activity-allowed web-activity-denied	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	15 Rules 7 Models

Vendor: Sonicwall

Product	Event Types	MITRE TTP	Content
Sonicwall	authentication-failed authentication-successful failed-vpn-login remote-logon vpn-login vpn-logout	T1566 - Phishing	2 Rules 2 Models

Vendor: Sophos

Product	Event Types	MITRE TTP	Content
Sophos UTM	web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules
Sophos XG Firewall	dlp-alert failed-vpn-login network-connection-failed network-connection-successful security-alert vpn-login vpn-logout web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566 - Phishing T1566.002 - Phishing: Spearphishing Link	3 Rules 2 Models

Vendor: Squid

Product	Event Types	MITRE TTP	Content
Squid	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: Swipes

Product	Event Types	MITRE TTP	Content
Sonicwall	failed-vpn-login remote-logon vpn-login vpn-logout	T1566 - Phishing	2 Rules 2 Models

Vendor: Symantec

Product	Event Types	MITRE TTP	Content
Symantec Blue Coat ProxySG Appliance	network-connection-failed web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules
Symantec Brightmail	dlp-email-alert-in dlp-email-alert-out	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models
Symantec DLP	config-change dlp-alert dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-logon failed-usb-activity member-added member-removed network-alert process-alert security-alert usb-activity usb-insert usb-read usb-write	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models
Symantec Email Security.cloud	dlp-email-alert-in dlp-email-alert-out dlp-email-alert-out-failed security-alert	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models
Symantec Fireglass	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules
Symantec WSS	web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: Trend Micro

Product	Event Types	MITRE TTP	Content
OfficeScan	dlp-alert dlp-email-alert-in dlp-email-alert-out privileged-object-access security-alert usb-write web-activity-allowed	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	15 Rules 7 Models
Trend Micro Apex One	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed security-alert	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models

Vendor: Unix

Product	Event Types	MITRE TTP	Content
Unix	account-creation account-deleted account-lockout account-password-change account-switch authentication-failed authentication-successful batch-logon computer-logon dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-logon file-delete file-read file-write kerberos-logon local-logon member-added member-removed process-created process-created-failed remote-access remote-logon security-alert task-created	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	14 Rules 7 Models

Vendor: Varonis

Product	Event Types	MITRE TTP	Content
Data Security Platform	authentication-failed authentication-successful dlp-alert file-delete file-permission-change file-read file-write vpn-login vpn-logout	T1566 - Phishing	2 Rules 2 Models

Vendor: Watchguard

Product	Event Types	MITRE TTP	Content
Watchguard	security-alert web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: Weblogin

Product	Event Types	MITRE TTP	Content
Weblogin	web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: Websense Secure Gateway

Product	Event Types	MITRE TTP	Content
Websense Secure Gateway	web-activity-allowed	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules

Vendor: Zeek

Product	Event Types	MITRE TTP	Content
Zeek Network Security Monitor	app-activity authentication-failed authentication-successful computer-logon dlp-email-alert-in dlp-email-alert-out dns-query dns-response failed-logon file-delete file-read file-write kerberos-logon nac-failed-logon nac-logon network-alert network-connection-failed network-connection-successful ntlm-logon remote-access remote-logon share-access web-activity-allowed web-activity-denied	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	15 Rules 7 Models

Vendor: Zscaler

Product	Event Types	MITRE TTP	Content
Zscaler Internet Access	app-login dlp-alert network-connection-failed network-connection-successful web-activity-allowed web-activity-denied	T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link	1 Rules
Zscaler Private Access	vpn-login vpn-logout	T1566 - Phishing	2 Rules 2 Models