
May 13, 2026

Use-Case | Activity Types/Parsers | MITRE ATT&CK® TTP | Content
Compromised Credentials

app-activity
epic-siem-cef-app-activity-success-browserexternalpage
epic-siem-cef-app-activity-success-icserviceaudit
epic-siem-cef-app-activity-success-accessgranted
epic-seim-cef-app-activity-success-secure
epic-siem-cef-app-activity-success-maskeddatadisplay
epic-seim-cef-app-activity-success-switchuser
epic-siem-cef-app-activity-success-unsecure
epic-siem-cef-app-activity-success-acbreaktheglassaccess
epic-siem-cef-app-activity-success-startup
beyondtrust-sra-kv-app-activity-success-connectionterminated
egnyte-e-cef-app-activity-success-create
engyte-e-cef-app-activity-success-update
egnyte-e-cef-app-activity-success-disable
slack-s-json-app-activity-success-userlogout
slack-s-json-app-activity-success-userchanneljoin
slack-s-json-app-activity-success-userchannelleave
slack-s-json-app-activity-success-fileshared
slack-s-json-app-activity-success-userdeactivated
slack-s-json-app-activity-success-publicchannelcreated
slack-s-json-app-activity-success-privatechannelcreated
forcepoint-ngfw-cef-app-activity-log
github-g-csv-app-activity-success-teamremovem
github-g-csv-app-activity-success-orgmem
github-g-csv-app-activity-success-teamadd
github-g-csv-app-activity-success-paymethod
github-g-csv-app-activity-success-billingemail
github-g-csv-app-activity-success-hookcreate
github-g-csv-app-activity-success-repocreate
github-g-csv-app-activity-success-branchupdate
github-g-csv-app-activity-success-parentteam
github-g-csv-app-activity-success-hookconfig
github-g-csv-app-activity-success-orginvite
github-g-csv-app-activity-success-createteam
beyondtrust-prividentity-cef-app-activity-success-idpassword
imprivata-i-kv-app-activity-success-primarylockout
imprivata-i-kv-app-activity-success-selfenroldeclined
imprivata-i-kv-app-activity-success-agentshutdown
imprivata-i-kv-app-activity-success-passwordreset
egnyte-egnyte-sk4-app-activity-success-addedtogroup
egnyte-egnyte-sk4-app-activity-success-removedfromgroup
egnyte-egnyte-sk4-app-activity-success-verificationdisable
egnyte-egnyte-sk4-app-activity-success-verified
beyondtrust-prividentity-cef-app-activity-listaddedaccount
beyondtrust-prividentity-cef-app-activity-elevationfailed
beyondtrust-prividentity-cef-app-activity-jobaccount
beyondtrust-prividentity-cef-app-activity-accountdeelevated
forcepoint-ngfw-cef-network-traffic-catchall
fortinet-fortigate-kv-network-app-fortigate
sentinelone-v-cef-app-activity-success-usermodified
sentinelone-v-cef-app-activity-success-usercreatedrole
crowdstrike-falcon-json-app-activity-awsec2networkacl
crowdstrike-falcon-sk4-app-activity-updateuser
crowdstrike-falcon-json-app-activity-awsec2securitygroup
crowdstrike-falcon-json-app-activity-awsec2networkaclentry
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
microsoft-evsecurity-kv-ds-object-delete-success-5141-1
microsoft-evsecurity-xml-configuration-modify-success-4742
microsoft-azuremon-json-endpoint-activity-success-catchall
microsoft-azure-mix-app-activity-success-caller
microsoft-o365-sk4-app-activity-success-office365-1
microsoft-o365-sk4-app-activity-success-office365
microsoft-o365-sk4-app-activity-success-usermanagement
microsoft-o365-sk4-app-activity-success-groupmanagement-1
microsoft-o365-sk4-app-activity-success-graphdirectoryauditlogs-1
microsoft-o365-sk4-app-activity-success-authzgrouprenamed
microsoft-o365-sk4-app-activity-success-groupmanagement
microsoft-o365-sk4-app-activity-success-authzgrouprenamed-1
microsoft-mcas-cef-app-activity-success-purgemessages
microsoft-mcas-cef-app-activity-success-unspecified
microsoft-mcas-cef-app-activity-success-mailboxpermission
microsoft-mcas-str-app-activity-success-serviceaccessenforcementtriggered
microsoft-mcas-cef-app-activity-success-azureoperation
microsoft-mcas-cef-app-activity-success-removemember
microsoft-evsecurity-kv-ds-object-activity-success-4662-3
azure-azuread-json-app-notification-activitydisplayname
azure-azuread-json-user-password-modify-success-selfservice
pan-gp-cef-app-activity-success-globalprotect
vmware-idm-json-app-activity-success-user
exabeam-aa-json-app-activity-success-search
exabeam-search-json-app-activity-success-rule
exabeam-search-json-app-activity-success-search
exabeam-search-json-app-activity-success-role
exabeam-search-json-app-activity-success-addededited
exabeam-search-json-app-activity-success-groupmodified
exabeam-search-json-app-activity-success-permissionchange
exabeam-search-json-app-activity-success-restarting
exabeam-search-json-app-activity-success-logsourceadded

app-login
unix-unix-str-cron-session-success-sessionopened
securelink-s-str-app-login-success-loggedin
rubrik-cdm-kv-app-login-success-loggedin-1
swift-s-cef-app-login-success-web
slack-s-json-app-login-success-userlogin
beyondtrust-prividentity-cef-app-login-privilegedidentity
microsoft-mcas-kv-app-login-success-successauth
microsoft-o365-cef-app-login-success-user
microsoft-o365-json-app-login-success-loginsuccess
exabeam-aa-json-app-login-success-applogin
exabeam-search-json-app-login-success-activitylogin

authentication-successful
unix-unixauditd-json-endpoint-login-authentication
sailpoint-identitynow-json-endpoint-authentication-auth
stealthbits-s-kv-vpn-login-success-loginsucceed
beyondtrust-sra-kv-endpoint-login-success-challenge
pan-ngfw-leef-endpoint-authentication-success-authsuccess
pan-ngfw-leef-endpoint-authentication-success-signvalidated

azure-keyvault-read
microsoft-azure-sk4-file-read-success-keyget
microsoft-evsecurity-kv-ds-object-activity-success-4662-3

batch-logon
microsoft-evsecurity-json-endpoint-login-success-4624-6

database-alert
imperva-securesphere-cef-database-alert-success-security

database-login
postgresql-p-str-database-login-success-authenticated
ibm-db2-kv-database-login-fail-validate
microsoft-mssql-kv-database-login-success-33205

database-query
oracle-db-json-database-query-success-userhost
oracle-db-json-database-query-success-osusername
microsoft-mssql-xml-database-query-success-33205-1
microsoft-mssql-xml-database-query-success-33205
microsoft-mssql-kv-database-query-success-33205-1
microsoft-mssql-kv-database-query-success-33205-2
microsoft-mssql-xml-database-query-success-30205-2

ds-access
microsoft-evsecurity-kv-ds-object-delete-success-5141-1
microsoft-evsecurity-kv-ds-object-activity-success-4662-3

failed-app-login
securelink-s-str-app-login-fail-loginfailed
epic-siem-cef-app-activity-success-roverfailedlogin
okta-amfa-json-app-login-fail-userlogintookta
okta-amfa-json-app-login-fail-authenticateuserwithadagent
beyondtrust-prividentity-cef-app-login-privilegedidentity
microsoft-mcas-kv-app-login-fail-failedauth
microsoft-o365-cef-app-login-success-user
microsoft-o365-json-app-login-fail-loginfail
exabeam-aa-json-app-login-fail-failedlogin

failed-logon
auth0-a-json-endpoint-login-fail-fp

failed-vpn-login
pan-gp-csv-vpn-login-fail-loginfailure

file-delete
dg-ep-json-file-success-time
microsoft-azure-kv-file-success-vmid
microsoft-mcas-cef-file-delete-success-deletefile

file-read
dg-ep-json-file-success-time
microsoft-azure-sk4-file-read-success-vaultget
microsoft-azure-sk4-file-read-success-resourceid
microsoft-mcas-cef-file-read-success-modifyfile
microsoft-mcas-cef-file-read-success-mcas
microsoft-mcas-cef-file-read-success-sharefile
microsoft-mcas-cef-file-read-success-movefile
microsoft-azure-cef-file-read-success-actiontype

file-write
dg-ep-json-file-success-time
microsoft-azure-kv-file-success-vmid
microsoft-sysmon-xml-file-write-success-11
microsoft-evsystem-xml-file-write-success-11

local-logon
microsoft-evsecurity-json-endpoint-login-success-4624-6

network-alert
sonicwall-sw-kv-alert-trigger-success-2

process-alert
crowdstrike-falcon-json-alert-trigger-success-lsasshandlefromunsignedmodule

process-created
dg-ep-json-file-success-time
vmware-carbonblackceedr-sk4-process-create-success-crossproc

remote-access
microsoft-evsecurity-json-endpoint-login-success-4624-6

remote-logon
unix-unix-str-ssh-traffic-success-sftpsessionopened
dell-sw-kv-rdp-traffic-success-sslvpn
microsoft-evsecurity-json-endpoint-login-success-4624-6
microsoft-evsecurity-json-endpoint-login-success-4648
microsoft-evsecurity-json-endpoint-login-success-4648-2

security-alert
fireeye-endpointsecurity-cef-alert-trigger-success-containmentcancelled
trendmicro-officescan-leef-alert-trigger-success-antimalware
proofpoint-tap-json-email-receive-emailthreat-1
abnormalsecurity-as-json-alert-trigger-success-attacktype
cyberark-pam-kv-alert-trigger-success-nonauthorizedimpersonation
cyberark-pam-kv-alert-trigger-success-keystrokelogging
sophos-ep-sk4-alert-trigger-success-threatdetected
sophos-ep-cef-alert-trigger-success-puadetected
sophos-ep-sk4-alert-trigger-success-hmpacrypyguard
sophos-ep-cef-alert-trigger-success-safebrowsing
sophos-ep-sk4-alert-trigger-success-corepua
sophos-ep-sk4-alert-trigger-success-event
sophos-ep-sk4-alert-trigger-success-endpointevent
sophos-ep-sk4-alert-trigger-success-enc
sophos-ep-sk4-alert-trigger-success-threatclean
sophos-ep-sk4-alert-trigger-success-applicationblock
sophos-ep-sk4-alert-trigger-success-controlviolation
sophos-ep-sk4-alert-trigger-success-savdisable
sophos-ep-cef-alert-trigger-success-hmpacredguard
sophos-ep-sk4-alert-trigger-success-privilegeexploitprevented
crowdstrike-falcon-leef-alert-trigger-success-0
sentinelone-singularityp-json-alert-trigger-success-datasourcecategorysecurity-2
sentinelone-singularityp-json-alert-trigger-success-packed
sentinelone-singularityp-json-alert-trigger-success-classification
sentinelone-singularityp-json-alert-trigger-success-backdoor
sentinelone-singularityp-json-alert-trigger-success-ransomware
sentinelone-singularityp-json-alert-trigger-success-threatname
sentinelone-singularityp-json-alert-trigger-success-url
sentinelone-singularityp-json-alert-trigger-success-virus
sentinelone-singularityp-json-alert-trigger-success-process
sentinelone-singularityp-json-alert-trigger-success-security
microsoft-azureatp-kv-alert-trigger-success-bruteforcesecurityalert
microsoft-azureatp-kv-alert-trigger-success-dnsreconnaissancesecurityalert
microsoft-defenderep-kv-alert-trigger-success-1117
microsoft-defenderep-kv-alert-trigger-success-1116
pan-wildfire-cef-alert-trigger-success-panos
pan-wildfire-cef-alert-trigger-success-lsardeleteaccess
pan-ngfw-json-alert-trigger-success-spyware
cisco-secureendpoint-sk4-alert-trigger-success-majorfaultraised
cisco-secureendpoint-sk4-alert-trigger-success-threatdetection
checkpoint-am-leef-alert-trigger-success-antimalware
checkpoint-es-leef-alert-trigger-success-checkpoint

service-logon
microsoft-evsecurity-json-endpoint-login-success-4624-6

share-access
microsoft-evsecurity-cef-share-access-success-5144
microsoft-evsecurity-json-share-access-success-5140-1

vpn-login
microsoft-windows-xml-vpn-login-success-2002
microsoft-windows-xml-vpn-login-success-2000
microsoft-evdhcpserver-xml-vpn-login-success-4303
pan-gp-csv-vpn-login-success-connected
pan-ngfw-cef-vpn-login-success-clientswitchtossltunnelmodesucceeded

vpn-logout
microsoft-windows-xml-vpn-logout-success-4304
microsoft-windows-xml-vpn-logout-success-2001

web-activity-allowed
microsoft-azuremon-sk4-http-request-success-azurefirewallapplicationrule
symantec-bcpa-mix-http-session-ssldenied
symantec-bcpa-mix-http-session-deniedtcp
symantec-bcpa-mix-http-session-connect
symantec-bcpa-mix-http-session-get

web-activity-denied
eset-es-leef-http-session-fail-eset
symantec-bcpa-mix-http-session-ssldenied
symantec-bcpa-mix-http-session-deniedtcp
symantec-bcpa-mix-http-session-connect
symantec-bcpa-mix-http-session-get

MITRE ATT&CK® TTP
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1003.006 - OS Credential Dumping: DCSync
T1016 - System Network Configuration Discovery
T1021 - Remote Services
T1027 - Obfuscated Files or Information
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1040 - Network Sniffing
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1083 - File and Directory Discovery
T1102 - Web Service
T1110 - Brute Force
T1133 - External Remote Services
T1187 - Forced Authentication
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1204 - User Execution
T1204.001 - T1204.001
T1207 - Rogue Domain Controller
T1213 - Data from Information Repositories
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002

Content
  • 298 Rules
  • 134 Models

Cryptomining

process-created
dg-ep-json-file-success-time
vmware-carbonblackceedr-sk4-process-create-success-crossproc

web-activity-allowed
microsoft-azuremon-sk4-http-request-success-azurefirewallapplicationrule
symantec-bcpa-mix-http-session-ssldenied
symantec-bcpa-mix-http-session-deniedtcp
symantec-bcpa-mix-http-session-connect
symantec-bcpa-mix-http-session-get

web-activity-denied
eset-es-leef-http-session-fail-eset
symantec-bcpa-mix-http-session-ssldenied
symantec-bcpa-mix-http-session-deniedtcp
symantec-bcpa-mix-http-session-connect
symantec-bcpa-mix-http-session-get

MITRE ATT&CK® TTP
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1496 - Resource Hijacking

Content
  • 2 Rules

Data Access

app-activity
epic-siem-cef-app-activity-success-browserexternalpage
epic-siem-cef-app-activity-success-icserviceaudit
epic-siem-cef-app-activity-success-accessgranted
epic-seim-cef-app-activity-success-secure
epic-siem-cef-app-activity-success-maskeddatadisplay
epic-seim-cef-app-activity-success-switchuser
epic-siem-cef-app-activity-success-unsecure
epic-siem-cef-app-activity-success-acbreaktheglassaccess
epic-siem-cef-app-activity-success-startup
beyondtrust-sra-kv-app-activity-success-connectionterminated
egnyte-e-cef-app-activity-success-create
engyte-e-cef-app-activity-success-update
egnyte-e-cef-app-activity-success-disable
slack-s-json-app-activity-success-userlogout
slack-s-json-app-activity-success-userchanneljoin
slack-s-json-app-activity-success-userchannelleave
slack-s-json-app-activity-success-fileshared
slack-s-json-app-activity-success-userdeactivated
slack-s-json-app-activity-success-publicchannelcreated
slack-s-json-app-activity-success-privatechannelcreated
forcepoint-ngfw-cef-app-activity-log
github-g-csv-app-activity-success-teamremovem
github-g-csv-app-activity-success-orgmem
github-g-csv-app-activity-success-teamadd
github-g-csv-app-activity-success-paymethod
github-g-csv-app-activity-success-billingemail
github-g-csv-app-activity-success-hookcreate
github-g-csv-app-activity-success-repocreate
github-g-csv-app-activity-success-branchupdate
github-g-csv-app-activity-success-parentteam
github-g-csv-app-activity-success-hookconfig
github-g-csv-app-activity-success-orginvite
github-g-csv-app-activity-success-createteam
beyondtrust-prividentity-cef-app-activity-success-idpassword
imprivata-i-kv-app-activity-success-primarylockout
imprivata-i-kv-app-activity-success-selfenroldeclined
imprivata-i-kv-app-activity-success-agentshutdown
imprivata-i-kv-app-activity-success-passwordreset
egnyte-egnyte-sk4-app-activity-success-addedtogroup
egnyte-egnyte-sk4-app-activity-success-removedfromgroup
egnyte-egnyte-sk4-app-activity-success-verificationdisable
egnyte-egnyte-sk4-app-activity-success-verified
beyondtrust-prividentity-cef-app-activity-listaddedaccount
beyondtrust-prividentity-cef-app-activity-elevationfailed
beyondtrust-prividentity-cef-app-activity-jobaccount
beyondtrust-prividentity-cef-app-activity-accountdeelevated
forcepoint-ngfw-cef-network-traffic-catchall
fortinet-fortigate-kv-network-app-fortigate
sentinelone-v-cef-app-activity-success-usermodified
sentinelone-v-cef-app-activity-success-usercreatedrole
crowdstrike-falcon-json-app-activity-awsec2networkacl
crowdstrike-falcon-sk4-app-activity-updateuser
crowdstrike-falcon-json-app-activity-awsec2securitygroup
crowdstrike-falcon-json-app-activity-awsec2networkaclentry
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
microsoft-evsecurity-kv-ds-object-delete-success-5141-1
microsoft-evsecurity-xml-configuration-modify-success-4742
microsoft-azuremon-json-endpoint-activity-success-catchall
microsoft-azure-mix-app-activity-success-caller
microsoft-o365-sk4-app-activity-success-office365-1
microsoft-o365-sk4-app-activity-success-office365
microsoft-o365-sk4-app-activity-success-usermanagement
microsoft-o365-sk4-app-activity-success-groupmanagement-1
microsoft-o365-sk4-app-activity-success-graphdirectoryauditlogs-1
microsoft-o365-sk4-app-activity-success-authzgrouprenamed
microsoft-o365-sk4-app-activity-success-groupmanagement
microsoft-o365-sk4-app-activity-success-authzgrouprenamed-1
microsoft-mcas-cef-app-activity-success-purgemessages
microsoft-mcas-cef-app-activity-success-unspecified
microsoft-mcas-cef-app-activity-success-mailboxpermission
microsoft-mcas-str-app-activity-success-serviceaccessenforcementtriggered
microsoft-mcas-cef-app-activity-success-azureoperation
microsoft-mcas-cef-app-activity-success-removemember
microsoft-evsecurity-kv-ds-object-activity-success-4662-3
azure-azuread-json-app-notification-activitydisplayname
azure-azuread-json-user-password-modify-success-selfservice
pan-gp-cef-app-activity-success-globalprotect
vmware-idm-json-app-activity-success-user
exabeam-aa-json-app-activity-success-search
exabeam-search-json-app-activity-success-rule
exabeam-search-json-app-activity-success-search
exabeam-search-json-app-activity-success-role
exabeam-search-json-app-activity-success-addededited
exabeam-search-json-app-activity-success-groupmodified
exabeam-search-json-app-activity-success-permissionchange
exabeam-search-json-app-activity-success-restarting
exabeam-search-json-app-activity-success-logsourceadded

app-login
unix-unix-str-cron-session-success-sessionopened
securelink-s-str-app-login-success-loggedin
rubrik-cdm-kv-app-login-success-loggedin-1
swift-s-cef-app-login-success-web
slack-s-json-app-login-success-userlogin
beyondtrust-prividentity-cef-app-login-privilegedidentity
microsoft-mcas-kv-app-login-success-successauth
microsoft-o365-cef-app-login-success-user
microsoft-o365-json-app-login-success-loginsuccess
exabeam-aa-json-app-login-success-applogin
exabeam-search-json-app-login-success-activitylogin

database-alert
imperva-securesphere-cef-database-alert-success-security

database-login
postgresql-p-str-database-login-success-authenticated
ibm-db2-kv-database-login-fail-validate
microsoft-mssql-kv-database-login-success-33205

database-query
oracle-db-json-database-query-success-userhost
oracle-db-json-database-query-success-osusername
microsoft-mssql-xml-database-query-success-33205-1
microsoft-mssql-xml-database-query-success-33205
microsoft-mssql-kv-database-query-success-33205-1
microsoft-mssql-kv-database-query-success-33205-2
microsoft-mssql-xml-database-query-success-30205-2

failed-app-login
securelink-s-str-app-login-fail-loginfailed
epic-siem-cef-app-activity-success-roverfailedlogin
okta-amfa-json-app-login-fail-userlogintookta
okta-amfa-json-app-login-fail-authenticateuserwithadagent
beyondtrust-prividentity-cef-app-login-privilegedidentity
microsoft-mcas-kv-app-login-fail-failedauth
microsoft-o365-cef-app-login-success-user
microsoft-o365-json-app-login-fail-loginfail
exabeam-aa-json-app-login-fail-failedlogin

file-delete
dg-ep-json-file-success-time
microsoft-azure-kv-file-success-vmid
microsoft-mcas-cef-file-delete-success-deletefile

file-read
dg-ep-json-file-success-time
microsoft-azure-sk4-file-read-success-vaultget
microsoft-azure-sk4-file-read-success-resourceid
microsoft-mcas-cef-file-read-success-modifyfile
microsoft-mcas-cef-file-read-success-mcas
microsoft-mcas-cef-file-read-success-sharefile
microsoft-mcas-cef-file-read-success-movefile
microsoft-azure-cef-file-read-success-actiontype

file-write
dg-ep-json-file-success-time
microsoft-azure-kv-file-success-vmid
microsoft-sysmon-xml-file-write-success-11
microsoft-evsystem-xml-file-write-success-11

process-created
dg-ep-json-file-success-time
vmware-carbonblackceedr-sk4-process-create-success-crossproc

vpn-logout
microsoft-windows-xml-vpn-logout-success-4304
microsoft-windows-xml-vpn-logout-success-2001

MITRE ATT&CK® TTP
T1003 - OS Credential Dumping
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1110 - Brute Force
T1213 - Data from Information Repositories

Content
  • 82 Rules
  • 44 Models

Data Exfiltration

database-alert
imperva-securesphere-cef-database-alert-success-security

dlp-alert
microsoft-exchange-csv-alert-trigger-success-filteredasspam
microsoft-exchange-csv-alert-trigger-success-quarantined
sophos-ep-sk4-alert-trigger-success-peripheralblock
sophos-ep-sk4-alert-trigger-success-encryptionsuspened
crowdstrike-falcon-sk4-alert-trigger-success-dcusbdevicepolicyviolation

file-alert
pan-wildfire-cef-alert-trigger-success-filethreat
vmware-carbonblackappctrl-cef-alert-trigger-success-policy_enforce

file-write
dg-ep-json-file-success-time
microsoft-azure-kv-file-success-vmid
microsoft-sysmon-xml-file-write-success-11
microsoft-evsystem-xml-file-write-success-11

process-created
dg-ep-json-file-success-time
vmware-carbonblackceedr-sk4-process-create-success-crossproc

vpn-logout
microsoft-windows-xml-vpn-logout-success-4304
microsoft-windows-xml-vpn-logout-success-2001

web-activity-allowed
microsoft-azuremon-sk4-http-request-success-azurefirewallapplicationrule
symantec-bcpa-mix-http-session-ssldenied
symantec-bcpa-mix-http-session-deniedtcp
symantec-bcpa-mix-http-session-connect
symantec-bcpa-mix-http-session-get

web-activity-denied
eset-es-leef-http-session-fail-eset
symantec-bcpa-mix-http-session-ssldenied
symantec-bcpa-mix-http-session-deniedtcp
symantec-bcpa-mix-http-session-connect
symantec-bcpa-mix-http-session-get

MITRE ATT&CK® TTP
T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interpreter
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1133 - External Remote Services
T1552 - Unsecured Credentials
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1572 - Protocol Tunneling
TA0002 - TA0002
TA0010 - TA0010

Content
  • 52 Rules
  • 25 Models

Data Leak

app-activity
epic-siem-cef-app-activity-success-browserexternalpage
epic-siem-cef-app-activity-success-icserviceaudit
epic-siem-cef-app-activity-success-accessgranted
epic-seim-cef-app-activity-success-secure
epic-siem-cef-app-activity-success-maskeddatadisplay
epic-seim-cef-app-activity-success-switchuser
epic-siem-cef-app-activity-success-unsecure
epic-siem-cef-app-activity-success-acbreaktheglassaccess
epic-siem-cef-app-activity-success-startup
beyondtrust-sra-kv-app-activity-success-connectionterminated
egnyte-e-cef-app-activity-success-create
engyte-e-cef-app-activity-success-update
egnyte-e-cef-app-activity-success-disable
slack-s-json-app-activity-success-userlogout
slack-s-json-app-activity-success-userchanneljoin
slack-s-json-app-activity-success-userchannelleave
slack-s-json-app-activity-success-fileshared
slack-s-json-app-activity-success-userdeactivated
slack-s-json-app-activity-success-publicchannelcreated
slack-s-json-app-activity-success-privatechannelcreated
forcepoint-ngfw-cef-app-activity-log
github-g-csv-app-activity-success-teamremovem
github-g-csv-app-activity-success-orgmem
github-g-csv-app-activity-success-teamadd
github-g-csv-app-activity-success-paymethod
github-g-csv-app-activity-success-billingemail
github-g-csv-app-activity-success-hookcreate
github-g-csv-app-activity-success-repocreate
github-g-csv-app-activity-success-branchupdate
github-g-csv-app-activity-success-parentteam
github-g-csv-app-activity-success-hookconfig
github-g-csv-app-activity-success-orginvite
github-g-csv-app-activity-success-createteam
beyondtrust-prividentity-cef-app-activity-success-idpassword
imprivata-i-kv-app-activity-success-primarylockout
imprivata-i-kv-app-activity-success-selfenroldeclined
imprivata-i-kv-app-activity-success-agentshutdown
imprivata-i-kv-app-activity-success-passwordreset
egnyte-egnyte-sk4-app-activity-success-addedtogroup
egnyte-egnyte-sk4-app-activity-success-removedfromgroup
egnyte-egnyte-sk4-app-activity-success-verificationdisable
egnyte-egnyte-sk4-app-activity-success-verified
beyondtrust-prividentity-cef-app-activity-listaddedaccount
beyondtrust-prividentity-cef-app-activity-elevationfailed
beyondtrust-prividentity-cef-app-activity-jobaccount
beyondtrust-prividentity-cef-app-activity-accountdeelevated
forcepoint-ngfw-cef-network-traffic-catchall
fortinet-fortigate-kv-network-app-fortigate
sentinelone-v-cef-app-activity-success-usermodified
sentinelone-v-cef-app-activity-success-usercreatedrole
crowdstrike-falcon-json-app-activity-awsec2networkacl
crowdstrike-falcon-sk4-app-activity-updateuser
crowdstrike-falcon-json-app-activity-awsec2securitygroup
crowdstrike-falcon-json-app-activity-awsec2networkaclentry
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
microsoft-evsecurity-kv-ds-object-delete-success-5141-1
microsoft-evsecurity-xml-configuration-modify-success-4742
microsoft-azuremon-json-endpoint-activity-success-catchall
microsoft-azure-mix-app-activity-success-caller
microsoft-o365-sk4-app-activity-success-office365-1
microsoft-o365-sk4-app-activity-success-office365
microsoft-o365-sk4-app-activity-success-usermanagement
microsoft-o365-sk4-app-activity-success-groupmanagement-1
microsoft-o365-sk4-app-activity-success-graphdirectoryauditlogs-1
microsoft-o365-sk4-app-activity-success-authzgrouprenamed
microsoft-o365-sk4-app-activity-success-groupmanagement
microsoft-o365-sk4-app-activity-success-authzgrouprenamed-1
microsoft-mcas-cef-app-activity-success-purgemessages
microsoft-mcas-cef-app-activity-success-unspecified
microsoft-mcas-cef-app-activity-success-mailboxpermission
microsoft-mcas-str-app-activity-success-serviceaccessenforcementtriggered
microsoft-mcas-cef-app-activity-success-azureoperation
microsoft-mcas-cef-app-activity-success-removemember
microsoft-evsecurity-kv-ds-object-activity-success-4662-3
azure-azuread-json-app-notification-activitydisplayname
azure-azuread-json-user-password-modify-success-selfservice
pan-gp-cef-app-activity-success-globalprotect
vmware-idm-json-app-activity-success-user
exabeam-aa-json-app-activity-success-search
exabeam-search-json-app-activity-success-rule
exabeam-search-json-app-activity-success-search
exabeam-search-json-app-activity-success-role
exabeam-search-json-app-activity-success-addededited
exabeam-search-json-app-activity-success-groupmodified
exabeam-search-json-app-activity-success-permissionchange
exabeam-search-json-app-activity-success-restarting
exabeam-search-json-app-activity-success-logsourceadded

dlp-alert
microsoft-exchange-csv-alert-trigger-success-filteredasspam
microsoft-exchange-csv-alert-trigger-success-quarantined
sophos-ep-sk4-alert-trigger-success-peripheralblock
sophos-ep-sk4-alert-trigger-success-encryptionsuspened
crowdstrike-falcon-sk4-alert-trigger-success-dcusbdevicepolicyviolation

dlp-email-alert-out
proofpoint-tap-json-email-emailthreat
dg-ndlp-json-email-send-success-sendmail
microsoft-o365-cef-email-send-workload

dlp-email-alert-out-failed
proofpoint-tap-json-email-emailthreat
microsoft-o365-cef-email-send-workload

file-write
dg-ep-json-file-success-time
microsoft-azure-kv-file-success-vmid
microsoft-sysmon-xml-file-write-success-11
microsoft-evsystem-xml-file-write-success-11

print-activity
dg-ep-kv-printer-activity-success-22

usb-insert
crowdstrike-falcon-cef-peripheral-storage-insert-success-dcusbdeviceconnected
microsoft-evsecurity-xml-peripheral-storage-insert-success-devicewasrecognized

vpn-logout
microsoft-windows-xml-vpn-logout-success-4304
microsoft-windows-xml-vpn-logout-success-2001

web-activity-allowed
microsoft-azuremon-sk4-http-request-success-azurefirewallapplicationrule
symantec-bcpa-mix-http-session-ssldenied
symantec-bcpa-mix-http-session-deniedtcp
symantec-bcpa-mix-http-session-connect
symantec-bcpa-mix-http-session-get

web-activity-denied
eset-es-leef-http-session-fail-eset
symantec-bcpa-mix-http-session-ssldenied
symantec-bcpa-mix-http-session-deniedtcp
symantec-bcpa-mix-http-session-connect
symantec-bcpa-mix-http-session-get
T1020 - Automated Exfiltration
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1052 - Exfiltration Over Physical Medium
T1052.001 - Exfiltration Over Physical Medium: Exfiltration over USB
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1091 - Replication Through Removable Media
T1114 - Email Collection
T1114.001 - T1114.001
T1114.003 - Email Collection: Email Forwarding Rule
T1133 - External Remote Services
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
TA0010 - TA0010
  • 100 Rules
  • 50 Models

Evasion

audit-log-clear
microsoft-evsecurity-json-log-clear-success-auditlogcleared
microsoft-evsecurity-kv-log-clear-success-1102-2

process-created
dg-ep-json-file-success-time
vmware-carbonblackceedr-sk4-process-create-success-crossproc

registry-write
microsoft-sysmon-xml-file-write-success-13
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.003 - Masquerading: Rename System Utilities
T1036.005 - Masquerading: Match Legitimate Name or Location
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.005 - T1059.005
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1105 - Ingress Tool Transfer
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1140 - Deobfuscate/Decode Files or Information
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1218 - Signed Binary Proxy Execution
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.008 - T1218.008
T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1484 - Group Policy Modification
T1484.001 - T1484.001
T1542 - Pre-OS Boot
T1542.003 - T1542.003
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1552 - Unsecured Credentials
T1552.006 - T1552.006
T1562 - Impair Defenses
T1562.001 - T1562.001
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1562.006 - T1562.006
T1564 - Hide Artifacts
T1564.001 - T1564.001
T1564.002 - T1564.002
T1564.004 - Hide Artifacts: NTFS File Attributes
T1574 - Hijack Execution Flow
  • 47 Rules
  • 3 Models

Lateral Movement

app-login
unix-unix-str-cron-session-success-sessionopened
securelink-s-str-app-login-success-loggedin
rubrik-cdm-kv-app-login-success-loggedin-1
swift-s-cef-app-login-success-web
slack-s-json-app-login-success-userlogin
beyondtrust-prividentity-cef-app-login-privilegedidentity
microsoft-mcas-kv-app-login-success-successauth
microsoft-o365-cef-app-login-success-user
microsoft-o365-json-app-login-success-loginsuccess
exabeam-aa-json-app-login-success-applogin
exabeam-search-json-app-login-success-activitylogin

authentication-failed
unix-unixauditd-json-endpoint-login-authentication
sailpoint-identitynow-json-endpoint-authentication-auth
ipswitch-moveittransfer-str-endpoint-authentication-fail-authfailed
stealthbits-s-kv-vpn-login-fail-failedlogin
pan-ngfw-leef-endpoint-authentication-fail-authfail

authentication-successful
unix-unixauditd-json-endpoint-login-authentication
sailpoint-identitynow-json-endpoint-authentication-auth
stealthbits-s-kv-vpn-login-success-loginsucceed
beyondtrust-sra-kv-endpoint-login-success-challenge
pan-ngfw-leef-endpoint-authentication-success-authsuccess
pan-ngfw-leef-endpoint-authentication-success-signvalidated

batch-logon
microsoft-evsecurity-json-endpoint-login-success-4624-6

failed-app-login
securelink-s-str-app-login-fail-loginfailed
epic-siem-cef-app-activity-success-roverfailedlogin
okta-amfa-json-app-login-fail-userlogintookta
okta-amfa-json-app-login-fail-authenticateuserwithadagent
beyondtrust-prividentity-cef-app-login-privilegedidentity
microsoft-mcas-kv-app-login-fail-failedauth
microsoft-o365-cef-app-login-success-user
microsoft-o365-json-app-login-fail-loginfail
exabeam-aa-json-app-login-fail-failedlogin

failed-logon
auth0-a-json-endpoint-login-fail-fp

failed-vpn-login
pan-gp-csv-vpn-login-fail-loginfailure

local-logon
microsoft-evsecurity-json-endpoint-login-success-4624-6

logout-remote
fortinet-fortigate-kv-endpoint-logout-success-systemevent

network-connection-failed
juniper-srx-kv-network-traffic-fail-actiondeny
watchguard-w-kv-network-traffic-firewall-1
watchguard-w-kv-network-traffic-firewall-2
watchguard-w-kv-network-traffic-firewall
forcepoint-ngfw-cef-network-traffic-1004
fortinet-fortigate-kv-network-app-fortigate
microsoft-azuremon-sk4-dns-success-azurefirewalldnsproxy
pan-ngfw-kv-network-traffic-fail-drop
pan-ngfw-leef-network-traffic-fail-deny
pan-ngfw-leef-network-traffic-fail-drop
pan-ngfw-leef-network-traffic-fail-deny-1
vmware-esxi-str-network-session-fail-iofiltervpd
symantec-bcpa-str-network-traffic-fail-ssl
checkpoint-ngfw-json-network-traffic-fail-drop
checkpoint-ngfw-kv-network-traffic-fail-drop-1
checkpoint-ngfw-leef-network-traffic-applicationcontrol
checkpoint-ngfw-leef-network-traffic-firewall
checkpoint-ngfw-kv-network-traffic-vpn-1

network-connection-successful
zeek-z-json-network-traffic-success-dpd
zeek-z-json-network-traffic-success-http
juniper-srx-kv-network-traffic-success-actionpermit
watchguard-w-kv-network-traffic-firewall-1
watchguard-w-kv-network-traffic-firewall-2
watchguard-w-kv-network-traffic-firewall
forcepoint-ngfw-cef-network-traffic-1004
forcepoint-ngfw-cef-network-traffic-catchall
fortinet-fortigate-kv-network-app-fortigate
pan-ngfw-kv-network-traffic-success-end
symantec-bcpa-str-network-traffic-fail-ssl
checkpoint-ngfw-kv-network-traffic-success-accept-4
checkpoint-ngfw-kv-network-traffic-success-accept-2
checkpoint-ngfw-leef-network-traffic-applicationcontrol
checkpoint-ngfw-leef-network-traffic-firewall
checkpoint-ngfw-kv-network-traffic-vpn-1

process-created
dg-ep-json-file-success-time
vmware-carbonblackceedr-sk4-process-create-success-crossproc

remote-access
microsoft-evsecurity-json-endpoint-login-success-4624-6

remote-logon
unix-unix-str-ssh-traffic-success-sftpsessionopened
dell-sw-kv-rdp-traffic-success-sslvpn
microsoft-evsecurity-json-endpoint-login-success-4624-6
microsoft-evsecurity-json-endpoint-login-success-4648
microsoft-evsecurity-json-endpoint-login-success-4648-2

security-alert
fireeye-endpointsecurity-cef-alert-trigger-success-containmentcancelled
trendmicro-officescan-leef-alert-trigger-success-antimalware
proofpoint-tap-json-email-receive-emailthreat-1
abnormalsecurity-as-json-alert-trigger-success-attacktype
cyberark-pam-kv-alert-trigger-success-nonauthorizedimpersonation
cyberark-pam-kv-alert-trigger-success-keystrokelogging
sophos-ep-sk4-alert-trigger-success-threatdetected
sophos-ep-cef-alert-trigger-success-puadetected
sophos-ep-sk4-alert-trigger-success-hmpacrypyguard
sophos-ep-cef-alert-trigger-success-safebrowsing
sophos-ep-sk4-alert-trigger-success-corepua
sophos-ep-sk4-alert-trigger-success-event
sophos-ep-sk4-alert-trigger-success-endpointevent
sophos-ep-sk4-alert-trigger-success-enc
sophos-ep-sk4-alert-trigger-success-threatclean
sophos-ep-sk4-alert-trigger-success-applicationblock
sophos-ep-sk4-alert-trigger-success-controlviolation
sophos-ep-sk4-alert-trigger-success-savdisable
sophos-ep-cef-alert-trigger-success-hmpacredguard
sophos-ep-sk4-alert-trigger-success-privilegeexploitprevented
crowdstrike-falcon-leef-alert-trigger-success-0
sentinelone-singularityp-json-alert-trigger-success-datasourcecategorysecurity-2
sentinelone-singularityp-json-alert-trigger-success-packed
sentinelone-singularityp-json-alert-trigger-success-classification
sentinelone-singularityp-json-alert-trigger-success-backdoor
sentinelone-singularityp-json-alert-trigger-success-ransomware
sentinelone-singularityp-json-alert-trigger-success-threatname
sentinelone-singularityp-json-alert-trigger-success-url
sentinelone-singularityp-json-alert-trigger-success-virus
sentinelone-singularityp-json-alert-trigger-success-process
sentinelone-singularityp-json-alert-trigger-success-security
microsoft-azureatp-kv-alert-trigger-success-bruteforcesecurityalert
microsoft-azureatp-kv-alert-trigger-success-dnsreconnaissancesecurityalert
microsoft-defenderep-kv-alert-trigger-success-1117
microsoft-defenderep-kv-alert-trigger-success-1116
pan-wildfire-cef-alert-trigger-success-panos
pan-wildfire-cef-alert-trigger-success-lsardeleteaccess
pan-ngfw-json-alert-trigger-success-spyware
cisco-secureendpoint-sk4-alert-trigger-success-majorfaultraised
cisco-secureendpoint-sk4-alert-trigger-success-threatdetection
checkpoint-am-leef-alert-trigger-success-antimalware
checkpoint-es-leef-alert-trigger-success-checkpoint

service-logon
microsoft-evsecurity-json-endpoint-login-success-4624-6

share-access
microsoft-evsecurity-cef-share-access-success-5144
microsoft-evsecurity-json-share-access-success-5140-1

vpn-login
microsoft-windows-xml-vpn-login-success-2002
microsoft-windows-xml-vpn-login-success-2000
microsoft-evdhcpserver-xml-vpn-login-success-4303
pan-gp-csv-vpn-login-success-connected
pan-ngfw-cef-vpn-login-success-clientswitchtossltunnelmodesucceeded

vpn-logout
microsoft-windows-xml-vpn-logout-success-4304
microsoft-windows-xml-vpn-logout-success-2001

web-activity-allowed
microsoft-azuremon-sk4-http-request-success-azurefirewallapplicationrule
symantec-bcpa-mix-http-session-ssldenied
symantec-bcpa-mix-http-session-deniedtcp
symantec-bcpa-mix-http-session-connect
symantec-bcpa-mix-http-session-get

web-activity-denied
eset-es-leef-http-session-fail-eset
symantec-bcpa-mix-http-session-ssldenied
symantec-bcpa-mix-http-session-deniedtcp
symantec-bcpa-mix-http-session-connect
symantec-bcpa-mix-http-session-get
T1018 - Remote System Discovery
T1021 - Remote Services
T1021.001 - Remote Services: Remote Desktop Protocol
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1021.003 - T1021.003
T1021.006 - T1021.006
T1027 - Obfuscated Files or Information
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1047 - Windows Management Instrumentation
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1090 - Proxy
T1090.003 - Proxy: Multi-hop Proxy
T1110 - Brute Force
T1110.003 - T1110.003
T1190 - Exploit Public-Facing Application
T1210 - Exploitation of Remote Services
T1219 - Remote Access Software
T1550 - Use Alternate Authentication Material
T1550.002 - Use Alternate Authentication Material: Pass the Hash
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
TA0010 - TA0010
TA0011 - TA0011
  • 152 Rules
  • 44 Models

Malware

account-switch
microsoft-evsecurity-json-endpoint-login-success-4648
microsoft-evsecurity-json-endpoint-login-success-4648-2

app-login
unix-unix-str-cron-session-success-sessionopened
securelink-s-str-app-login-success-loggedin
rubrik-cdm-kv-app-login-success-loggedin-1
swift-s-cef-app-login-success-web
slack-s-json-app-login-success-userlogin
beyondtrust-prividentity-cef-app-login-privilegedidentity
microsoft-mcas-kv-app-login-success-successauth
microsoft-o365-cef-app-login-success-user
microsoft-o365-json-app-login-success-loginsuccess
exabeam-aa-json-app-login-success-applogin
exabeam-search-json-app-login-success-activitylogin

authentication-successful
unix-unixauditd-json-endpoint-login-authentication
sailpoint-identitynow-json-endpoint-authentication-auth
stealthbits-s-kv-vpn-login-success-loginsucceed
beyondtrust-sra-kv-endpoint-login-success-challenge
pan-ngfw-leef-endpoint-authentication-success-authsuccess
pan-ngfw-leef-endpoint-authentication-success-signvalidated

batch-logon
microsoft-evsecurity-json-endpoint-login-success-4624-6

database-alert
imperva-securesphere-cef-database-alert-success-security

dlp-alert
microsoft-exchange-csv-alert-trigger-success-filteredasspam
microsoft-exchange-csv-alert-trigger-success-quarantined
sophos-ep-sk4-alert-trigger-success-peripheralblock
sophos-ep-sk4-alert-trigger-success-encryptionsuspened
crowdstrike-falcon-sk4-alert-trigger-success-dcusbdevicepolicyviolation

dlp-email-alert-in
proofpoint-tap-json-email-emailthreat
proofpoint-tap-sk4-email-receive-threatdetected
proofpoint-tap-json-email-receive-emailthreat-1
abnormalsecurity-as-json-email-send-success-spam
microsoft-o365-json-email-receive-success-emailreceive

dlp-email-alert-out
proofpoint-tap-json-email-emailthreat
dg-ndlp-json-email-send-success-sendmail
microsoft-o365-cef-email-send-workload

dns-query
crowdstrike-falcon-leef-dns-request-success-dnsrequests
microsoft-azuremon-sk4-dns-success-azurefirewalldnsproxy

dns-response
microsoft-azuremon-sk4-dns-success-azurefirewalldnsproxy
cisco-umbrella-cef-dns-response-success-roamingcomputers
cisco-umbrella-cef-dns-response-success-allowed
cisco-umbrella-cef-dns-response-success-internalnetworks
cisco-umbrella-cef-dns-response-success-adcomputers
cisco-umbrella-cef-dns-response-success-adusers
cisco-umbrella-cef-dns-response-success-networks
cisco-umbrella-sk4-dns-response-success-roamingclient

failed-logon
auth0-a-json-endpoint-login-fail-fp

file-alert
pan-wildfire-cef-alert-trigger-success-filethreat
vmware-carbonblackappctrl-cef-alert-trigger-success-policy_enforce

file-write
dg-ep-json-file-success-time
microsoft-azure-kv-file-success-vmid
microsoft-sysmon-xml-file-write-success-11
microsoft-evsystem-xml-file-write-success-11

local-logon
microsoft-evsecurity-json-endpoint-login-success-4624-6

network-alert
sonicwall-sw-kv-alert-trigger-success-2

network-connection-failed
juniper-srx-kv-network-traffic-fail-actiondeny
watchguard-w-kv-network-traffic-firewall-1
watchguard-w-kv-network-traffic-firewall-2
watchguard-w-kv-network-traffic-firewall
forcepoint-ngfw-cef-network-traffic-1004
fortinet-fortigate-kv-network-app-fortigate
microsoft-azuremon-sk4-dns-success-azurefirewalldnsproxy
pan-ngfw-kv-network-traffic-fail-drop
pan-ngfw-leef-network-traffic-fail-deny
pan-ngfw-leef-network-traffic-fail-drop
pan-ngfw-leef-network-traffic-fail-deny-1
vmware-esxi-str-network-session-fail-iofiltervpd
symantec-bcpa-str-network-traffic-fail-ssl
checkpoint-ngfw-json-network-traffic-fail-drop
checkpoint-ngfw-kv-network-traffic-fail-drop-1
checkpoint-ngfw-leef-network-traffic-applicationcontrol
checkpoint-ngfw-leef-network-traffic-firewall
checkpoint-ngfw-kv-network-traffic-vpn-1

network-connection-successful
zeek-z-json-network-traffic-success-dpd
zeek-z-json-network-traffic-success-http
juniper-srx-kv-network-traffic-success-actionpermit
watchguard-w-kv-network-traffic-firewall-1
watchguard-w-kv-network-traffic-firewall-2
watchguard-w-kv-network-traffic-firewall
forcepoint-ngfw-cef-network-traffic-1004
forcepoint-ngfw-cef-network-traffic-catchall
fortinet-fortigate-kv-network-app-fortigate
pan-ngfw-kv-network-traffic-success-end
symantec-bcpa-str-network-traffic-fail-ssl
checkpoint-ngfw-kv-network-traffic-success-accept-4
checkpoint-ngfw-kv-network-traffic-success-accept-2
checkpoint-ngfw-leef-network-traffic-applicationcontrol
checkpoint-ngfw-leef-network-traffic-firewall
checkpoint-ngfw-kv-network-traffic-vpn-1

privileged-access
rubrik-cdm-kv-user-privilege-assign-success-assignedroles
microsoft-windows-kv-user-privilege-use-success-578
microsoft-evsecurity-json-user-privilege-assign-success-4673-1

privileged-object-access
microsoft-windows-kv-user-privilege-use-success-578

process-alert
crowdstrike-falcon-json-alert-trigger-success-lsasshandlefromunsignedmodule

process-created
dg-ep-json-file-success-time
vmware-carbonblackceedr-sk4-process-create-success-crossproc

registry-write
microsoft-sysmon-xml-file-write-success-13

remote-access
microsoft-evsecurity-json-endpoint-login-success-4624-6

remote-logon
unix-unix-str-ssh-traffic-success-sftpsessionopened
dell-sw-kv-rdp-traffic-success-sslvpn
microsoft-evsecurity-json-endpoint-login-success-4624-6
microsoft-evsecurity-json-endpoint-login-success-4648
microsoft-evsecurity-json-endpoint-login-success-4648-2

security-alert
fireeye-endpointsecurity-cef-alert-trigger-success-containmentcancelled
trendmicro-officescan-leef-alert-trigger-success-antimalware
proofpoint-tap-json-email-receive-emailthreat-1
abnormalsecurity-as-json-alert-trigger-success-attacktype
cyberark-pam-kv-alert-trigger-success-nonauthorizedimpersonation
cyberark-pam-kv-alert-trigger-success-keystrokelogging
sophos-ep-sk4-alert-trigger-success-threatdetected
sophos-ep-cef-alert-trigger-success-puadetected
sophos-ep-sk4-alert-trigger-success-hmpacrypyguard
sophos-ep-cef-alert-trigger-success-safebrowsing
sophos-ep-sk4-alert-trigger-success-corepua
sophos-ep-sk4-alert-trigger-success-event
sophos-ep-sk4-alert-trigger-success-endpointevent
sophos-ep-sk4-alert-trigger-success-enc
sophos-ep-sk4-alert-trigger-success-threatclean
sophos-ep-sk4-alert-trigger-success-applicationblock
sophos-ep-sk4-alert-trigger-success-controlviolation
sophos-ep-sk4-alert-trigger-success-savdisable
sophos-ep-cef-alert-trigger-success-hmpacredguard
sophos-ep-sk4-alert-trigger-success-privilegeexploitprevented
crowdstrike-falcon-leef-alert-trigger-success-0
sentinelone-singularityp-json-alert-trigger-success-datasourcecategorysecurity-2
sentinelone-singularityp-json-alert-trigger-success-packed
sentinelone-singularityp-json-alert-trigger-success-classification
sentinelone-singularityp-json-alert-trigger-success-backdoor
sentinelone-singularityp-json-alert-trigger-success-ransomware
sentinelone-singularityp-json-alert-trigger-success-threatname
sentinelone-singularityp-json-alert-trigger-success-url
sentinelone-singularityp-json-alert-trigger-success-virus
sentinelone-singularityp-json-alert-trigger-success-process
sentinelone-singularityp-json-alert-trigger-success-security
microsoft-azureatp-kv-alert-trigger-success-bruteforcesecurityalert
microsoft-azureatp-kv-alert-trigger-success-dnsreconnaissancesecurityalert
microsoft-defenderep-kv-alert-trigger-success-1117
microsoft-defenderep-kv-alert-trigger-success-1116
pan-wildfire-cef-alert-trigger-success-panos
pan-wildfire-cef-alert-trigger-success-lsardeleteaccess
pan-ngfw-json-alert-trigger-success-spyware
cisco-secureendpoint-sk4-alert-trigger-success-majorfaultraised
cisco-secureendpoint-sk4-alert-trigger-success-threatdetection
checkpoint-am-leef-alert-trigger-success-antimalware
checkpoint-es-leef-alert-trigger-success-checkpoint

service-logon
microsoft-evsecurity-json-endpoint-login-success-4624-6

share-access
microsoft-evsecurity-cef-share-access-success-5144
microsoft-evsecurity-json-share-access-success-5140-1

task-created
crowdstrike-falcon-cef-scheduled-task-create-success-win

vpn-login
microsoft-windows-xml-vpn-login-success-2002
microsoft-windows-xml-vpn-login-success-2000
microsoft-evdhcpserver-xml-vpn-login-success-4303
pan-gp-csv-vpn-login-success-connected
pan-ngfw-cef-vpn-login-success-clientswitchtossltunnelmodesucceeded

web-activity-allowed
microsoft-azuremon-sk4-http-request-success-azurefirewallapplicationrule
symantec-bcpa-mix-http-session-ssldenied
symantec-bcpa-mix-http-session-deniedtcp
symantec-bcpa-mix-http-session-connect
symantec-bcpa-mix-http-session-get

web-activity-denied
eset-es-leef-http-session-fail-eset
symantec-bcpa-mix-http-session-ssldenied
symantec-bcpa-mix-http-session-deniedtcp
symantec-bcpa-mix-http-session-connect
symantec-bcpa-mix-http-session-get
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public-Facing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204 - User Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1546 - Event Triggered Execution
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547 - Boot or Logon Autostart Execution
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563 - Remote Service Session Hijacking
T1563.002 - T1563.002
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1569.002 - T1569.002
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
T1583 - T1583
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 225 Rules
  • 47 Models

Phishing

dlp-email-alert-out
proofpoint-tap-json-email-emailthreat
dg-ndlp-json-email-send-success-sendmail
microsoft-o365-cef-email-send-workload

process-created
dg-ep-json-file-success-time
vmware-carbonblackceedr-sk4-process-create-success-crossproc

vpn-logout
microsoft-windows-xml-vpn-logout-success-4304
microsoft-windows-xml-vpn-logout-success-2001

web-activity-allowed
microsoft-azuremon-sk4-http-request-success-azurefirewallapplicationrule
symantec-bcpa-mix-http-session-ssldenied
symantec-bcpa-mix-http-session-deniedtcp
symantec-bcpa-mix-http-session-connect
symantec-bcpa-mix-http-session-get

web-activity-denied
eset-es-leef-http-session-fail-eset
symantec-bcpa-mix-http-session-ssldenied
symantec-bcpa-mix-http-session-deniedtcp
symantec-bcpa-mix-http-session-connect
symantec-bcpa-mix-http-session-get
T1048 - Exfiltration Over Alternative Protocol
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1189 - Drive-by Compromise
T1204 - User Execution
T1204.001 - User Execution: Malicious Link
T1534 - Internal Spearphishing
T1566 - Phishing
T1566.001 - Phishing: Spearphishing Attachment
T1566.002 - Phishing: Spearphishing Link
T1598 - Phishing for Information
T1598.003 - Phishing for Information: Spearphishing Link
  • 7 Rules
  • 3 Models
Physical Security
vpn-login
microsoft-windows-xml-vpn-login-success-2002
microsoft-windows-xml-vpn-login-success-2000
microsoft-evdhcpserver-xml-vpn-login-success-4303
pan-gp-csv-vpn-login-success-connected
pan-ngfw-cef-vpn-login-success-clientswitchtossltunnelmodesucceeded
T1133 - External Remote Services
  • 1 Rule
  • 1 Model
Privilege Abuse
account-deleted
microsoft-evsecurity-json-user-delete-success-4726

account-password-change
cyberark-pam-kv-user-password-modify-success-cpmpasswordchanged
sailpoint-identitynow-json-user-password-modify-passwordactivity
microsoft-azuread-json-user-password-reset-fail-changepassword
microsoft-o365-cef-user-password-modify-success-changeuserpassword
azure-azuread-json-user-password-modify-success-selfservice

account-password-reset
cyberark-pam-kv-user-password-reset-success-setpassword

account-switch
microsoft-evsecurity-json-endpoint-login-success-4648
microsoft-evsecurity-json-endpoint-login-success-4648-2

app-activity
epic-siem-cef-app-activity-success-browserexternalpage
epic-siem-cef-app-activity-success-icserviceaudit
epic-siem-cef-app-activity-success-accessgranted
epic-seim-cef-app-activity-success-secure
epic-siem-cef-app-activity-success-maskeddatadisplay
epic-seim-cef-app-activity-success-switchuser
epic-siem-cef-app-activity-success-unsecure
epic-siem-cef-app-activity-success-acbreaktheglassaccess
epic-siem-cef-app-activity-success-startup
beyondtrust-sra-kv-app-activity-success-connectionterminated
egnyte-e-cef-app-activity-success-create
engyte-e-cef-app-activity-success-update
egnyte-e-cef-app-activity-success-disable
slack-s-json-app-activity-success-userlogout
slack-s-json-app-activity-success-userchanneljoin
slack-s-json-app-activity-success-userchannelleave
slack-s-json-app-activity-success-fileshared
slack-s-json-app-activity-success-userdeactivated
slack-s-json-app-activity-success-publicchannelcreated
slack-s-json-app-activity-success-privatechannelcreated
forcepoint-ngfw-cef-app-activity-log
github-g-csv-app-activity-success-teamremovem
github-g-csv-app-activity-success-orgmem
github-g-csv-app-activity-success-teamadd
github-g-csv-app-activity-success-paymethod
github-g-csv-app-activity-success-billingemail
github-g-csv-app-activity-success-hookcreate
github-g-csv-app-activity-success-repocreate
github-g-csv-app-activity-success-branchupdate
github-g-csv-app-activity-success-parentteam
github-g-csv-app-activity-success-hookconfig
github-g-csv-app-activity-success-orginvite
github-g-csv-app-activity-success-createteam
beyondtrust-prividentity-cef-app-activity-success-idpassword
imprivata-i-kv-app-activity-success-primarylockout
imprivata-i-kv-app-activity-success-selfenroldeclined
imprivata-i-kv-app-activity-success-agentshutdown
imprivata-i-kv-app-activity-success-passwordreset
egnyte-egnyte-sk4-app-activity-success-addedtogroup
egnyte-egnyte-sk4-app-activity-success-removedfromgroup
egnyte-egnyte-sk4-app-activity-success-verificationdisable
egnyte-egnyte-sk4-app-activity-success-verified
beyondtrust-prividentity-cef-app-activity-listaddedaccount
beyondtrust-prividentity-cef-app-activity-elevationfailed
beyondtrust-prividentity-cef-app-activity-jobaccount
beyondtrust-prividentity-cef-app-activity-accountdeelevated
forcepoint-ngfw-cef-network-traffic-catchall
fortinet-fortigate-kv-network-app-fortigate
sentinelone-v-cef-app-activity-success-usermodified
sentinelone-v-cef-app-activity-success-usercreatedrole
crowdstrike-falcon-json-app-activity-awsec2networkacl
crowdstrike-falcon-sk4-app-activity-updateuser
crowdstrike-falcon-json-app-activity-awsec2securitygroup
crowdstrike-falcon-json-app-activity-awsec2networkaclentry
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
microsoft-evsecurity-kv-ds-object-delete-success-5141-1
microsoft-evsecurity-xml-configuration-modify-success-4742
microsoft-azuremon-json-endpoint-activity-success-catchall
microsoft-azure-mix-app-activity-success-caller
microsoft-o365-sk4-app-activity-success-office365-1
microsoft-o365-sk4-app-activity-success-office365
microsoft-o365-sk4-app-activity-success-usermanagement
microsoft-o365-sk4-app-activity-success-groupmanagement-1
microsoft-o365-sk4-app-activity-success-graphdirectoryauditlogs-1
microsoft-o365-sk4-app-activity-success-authzgrouprenamed
microsoft-o365-sk4-app-activity-success-groupmanagement
microsoft-o365-sk4-app-activity-success-authzgrouprenamed-1
microsoft-mcas-cef-app-activity-success-purgemessages
microsoft-mcas-cef-app-activity-success-unspecified
microsoft-mcas-cef-app-activity-success-mailboxpermission
microsoft-mcas-str-app-activity-success-serviceaccessenforcementtriggered
microsoft-mcas-cef-app-activity-success-azureoperation
microsoft-mcas-cef-app-activity-success-removemember
microsoft-evsecurity-kv-ds-object-activity-success-4662-3
azure-azuread-json-app-notification-activitydisplayname
azure-azuread-json-user-password-modify-success-selfservice
pan-gp-cef-app-activity-success-globalprotect
vmware-idm-json-app-activity-success-user
exabeam-aa-json-app-activity-success-search
exabeam-search-json-app-activity-success-rule
exabeam-search-json-app-activity-success-search
exabeam-search-json-app-activity-success-role
exabeam-search-json-app-activity-success-addededited
exabeam-search-json-app-activity-success-groupmodified
exabeam-search-json-app-activity-success-permissionchange
exabeam-search-json-app-activity-success-restarting
exabeam-search-json-app-activity-success-logsourceadded

app-activity-failed
beyondtrust-prividentity-cef-app-activity-listaddedaccount
beyondtrust-prividentity-cef-app-activity-elevationfailed
beyondtrust-prividentity-cef-app-activity-jobaccount
beyondtrust-prividentity-cef-app-activity-accountdeelevated
crowdstrike-falcon-json-app-activity-awsec2networkacl
crowdstrike-falcon-sk4-app-activity-updateuser
crowdstrike-falcon-json-app-activity-awsec2securitygroup
crowdstrike-falcon-json-app-activity-awsec2networkaclentry
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
vmware-idm-json-app-activity-success-user

app-login
unix-unix-str-cron-session-success-sessionopened
securelink-s-str-app-login-success-loggedin
rubrik-cdm-kv-app-login-success-loggedin-1
swift-s-cef-app-login-success-web
slack-s-json-app-login-success-userlogin
beyondtrust-prividentity-cef-app-login-privilegedidentity
microsoft-mcas-kv-app-login-success-successauth
microsoft-o365-cef-app-login-success-user
microsoft-o365-json-app-login-success-loginsuccess
exabeam-aa-json-app-login-success-applogin
exabeam-search-json-app-login-success-activitylogin

batch-logon
microsoft-evsecurity-json-endpoint-login-success-4624-6

dlp-email-alert-in
proofpoint-tap-json-email-emailthreat
proofpoint-tap-sk4-email-receive-threatdetected
proofpoint-tap-json-email-receive-emailthreat-1
abnormalsecurity-as-json-email-send-success-spam
microsoft-o365-json-email-receive-success-emailreceive

dlp-email-alert-in-failed
proofpoint-tap-json-email-emailthreat
proofpoint-tap-sk4-email-receive-threatdetected
proofpoint-tap-json-email-receive-emailthreat-1

dlp-email-alert-out
proofpoint-tap-json-email-emailthreat
dg-ndlp-json-email-send-success-sendmail
microsoft-o365-cef-email-send-workload

dlp-email-alert-out-failed
proofpoint-tap-json-email-emailthreat
microsoft-o365-cef-email-send-workload

ds-access
microsoft-evsecurity-kv-ds-object-delete-success-5141-1
microsoft-evsecurity-kv-ds-object-activity-success-4662-3

failed-app-login
securelink-s-str-app-login-fail-loginfailed
epic-siem-cef-app-activity-success-roverfailedlogin
okta-amfa-json-app-login-fail-userlogintookta
okta-amfa-json-app-login-fail-authenticateuserwithadagent
beyondtrust-prividentity-cef-app-login-privilegedidentity
microsoft-mcas-kv-app-login-fail-failedauth
microsoft-o365-cef-app-login-success-user
microsoft-o365-json-app-login-fail-loginfail
exabeam-aa-json-app-login-fail-failedlogin

failed-logon
auth0-a-json-endpoint-login-fail-fp

file-alert
pan-wildfire-cef-alert-trigger-success-filethreat
vmware-carbonblackappctrl-cef-alert-trigger-success-policy_enforce

file-delete
dg-ep-json-file-success-time
microsoft-azure-kv-file-success-vmid
microsoft-mcas-cef-file-delete-success-deletefile

file-download
slack-s-json-file-download-success-filedownloaded
dg-ep-json-file-success-time
microsoft-mcas-cef-file-download-success-syncfiledownload
microsoft-mcas-cef-file-download-success-downloadfile

file-read
dg-ep-json-file-success-time
microsoft-azure-sk4-file-read-success-vaultget
microsoft-azure-sk4-file-read-success-resourceid
microsoft-mcas-cef-file-read-success-modifyfile
microsoft-mcas-cef-file-read-success-mcas
microsoft-mcas-cef-file-read-success-sharefile
microsoft-mcas-cef-file-read-success-movefile
microsoft-azure-cef-file-read-success-actiontype

file-upload
slack-s-json-file-upload-success-fileuploaded
dg-ep-json-file-success-time
microsoft-mcas-cef-file-upload-success-uploadfile
microsoft-mcas-cef-file-upload-success-fileupload

file-write
dg-ep-json-file-success-time
microsoft-azure-kv-file-success-vmid
microsoft-sysmon-xml-file-write-success-11
microsoft-evsystem-xml-file-write-success-11

local-logon
microsoft-evsecurity-json-endpoint-login-success-4624-6

member-added
microsoft-evsecurity-kv-group-member-add-success-4756-1

member-removed
microsoft-evsecurity-json-group-member-remove-success-4757

privileged-access
rubrik-cdm-kv-user-privilege-assign-success-assignedroles
microsoft-windows-kv-user-privilege-use-success-578
microsoft-evsecurity-json-user-privilege-assign-success-4673-1

process-created
dg-ep-json-file-success-time
vmware-carbonblackceedr-sk4-process-create-success-crossproc

remote-access
microsoft-evsecurity-json-endpoint-login-success-4624-6

remote-logon
unix-unix-str-ssh-traffic-success-sftpsessionopened
dell-sw-kv-rdp-traffic-success-sslvpn
microsoft-evsecurity-json-endpoint-login-success-4624-6
microsoft-evsecurity-json-endpoint-login-success-4648
microsoft-evsecurity-json-endpoint-login-success-4648-2

service-logon
microsoft-evsecurity-json-endpoint-login-success-4624-6

task-created
crowdstrike-falcon-cef-scheduled-task-create-success-win

vpn-login
microsoft-windows-xml-vpn-login-success-2002
microsoft-windows-xml-vpn-login-success-2000
microsoft-evdhcpserver-xml-vpn-login-success-4303
pan-gp-csv-vpn-login-success-connected
pan-ngfw-cef-vpn-login-success-clientswitchtossltunnelmodesucceeded

vpn-logout
microsoft-windows-xml-vpn-logout-success-4304
microsoft-windows-xml-vpn-logout-success-2001

web-activity-allowed
microsoft-azuremon-sk4-http-request-success-azurefirewallapplicationrule
symantec-bcpa-mix-http-session-ssldenied
symantec-bcpa-mix-http-session-deniedtcp
symantec-bcpa-mix-http-session-connect
symantec-bcpa-mix-http-session-get

web-activity-denied
eset-es-leef-http-session-fail-eset
symantec-bcpa-mix-http-session-ssldenied
symantec-bcpa-mix-http-session-deniedtcp
symantec-bcpa-mix-http-session-connect
symantec-bcpa-mix-http-session-get
T1021 - Remote Services
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.005 - Scheduled Task/Job: Scheduled Task
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - Valid Accounts: Domain Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1133 - External Remote Services
T1136 - Create Account
T1136.001 - Create Account: Local Account
T1484 - Group Policy Modification
T1531 - Account Access Removal
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
  • 73 Rules
  • 34 Models
Privilege Escalation
account-switch
microsoft-evsecurity-json-endpoint-login-success-4648
microsoft-evsecurity-json-endpoint-login-success-4648-2

app-activity
epic-siem-cef-app-activity-success-browserexternalpage
epic-siem-cef-app-activity-success-icserviceaudit
epic-siem-cef-app-activity-success-accessgranted
epic-seim-cef-app-activity-success-secure
epic-siem-cef-app-activity-success-maskeddatadisplay
epic-seim-cef-app-activity-success-switchuser
epic-siem-cef-app-activity-success-unsecure
epic-siem-cef-app-activity-success-acbreaktheglassaccess
epic-siem-cef-app-activity-success-startup
beyondtrust-sra-kv-app-activity-success-connectionterminated
egnyte-e-cef-app-activity-success-create
engyte-e-cef-app-activity-success-update
egnyte-e-cef-app-activity-success-disable
slack-s-json-app-activity-success-userlogout
slack-s-json-app-activity-success-userchanneljoin
slack-s-json-app-activity-success-userchannelleave
slack-s-json-app-activity-success-fileshared
slack-s-json-app-activity-success-userdeactivated
slack-s-json-app-activity-success-publicchannelcreated
slack-s-json-app-activity-success-privatechannelcreated
forcepoint-ngfw-cef-app-activity-log
github-g-csv-app-activity-success-teamremovem
github-g-csv-app-activity-success-orgmem
github-g-csv-app-activity-success-teamadd
github-g-csv-app-activity-success-paymethod
github-g-csv-app-activity-success-billingemail
github-g-csv-app-activity-success-hookcreate
github-g-csv-app-activity-success-repocreate
github-g-csv-app-activity-success-branchupdate
github-g-csv-app-activity-success-parentteam
github-g-csv-app-activity-success-hookconfig
github-g-csv-app-activity-success-orginvite
github-g-csv-app-activity-success-createteam
beyondtrust-prividentity-cef-app-activity-success-idpassword
imprivata-i-kv-app-activity-success-primarylockout
imprivata-i-kv-app-activity-success-selfenroldeclined
imprivata-i-kv-app-activity-success-agentshutdown
imprivata-i-kv-app-activity-success-passwordreset
egnyte-egnyte-sk4-app-activity-success-addedtogroup
egnyte-egnyte-sk4-app-activity-success-removedfromgroup
egnyte-egnyte-sk4-app-activity-success-verificationdisable
egnyte-egnyte-sk4-app-activity-success-verified
beyondtrust-prividentity-cef-app-activity-listaddedaccount
beyondtrust-prividentity-cef-app-activity-elevationfailed
beyondtrust-prividentity-cef-app-activity-jobaccount
beyondtrust-prividentity-cef-app-activity-accountdeelevated
forcepoint-ngfw-cef-network-traffic-catchall
fortinet-fortigate-kv-network-app-fortigate
sentinelone-v-cef-app-activity-success-usermodified
sentinelone-v-cef-app-activity-success-usercreatedrole
crowdstrike-falcon-json-app-activity-awsec2networkacl
crowdstrike-falcon-sk4-app-activity-updateuser
crowdstrike-falcon-json-app-activity-awsec2securitygroup
crowdstrike-falcon-json-app-activity-awsec2networkaclentry
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
microsoft-evsecurity-kv-ds-object-delete-success-5141-1
microsoft-evsecurity-xml-configuration-modify-success-4742
microsoft-azuremon-json-endpoint-activity-success-catchall
microsoft-azure-mix-app-activity-success-caller
microsoft-o365-sk4-app-activity-success-office365-1
microsoft-o365-sk4-app-activity-success-office365
microsoft-o365-sk4-app-activity-success-usermanagement
microsoft-o365-sk4-app-activity-success-groupmanagement-1
microsoft-o365-sk4-app-activity-success-graphdirectoryauditlogs-1
microsoft-o365-sk4-app-activity-success-authzgrouprenamed
microsoft-o365-sk4-app-activity-success-groupmanagement
microsoft-o365-sk4-app-activity-success-authzgrouprenamed-1
microsoft-mcas-cef-app-activity-success-purgemessages
microsoft-mcas-cef-app-activity-success-unspecified
microsoft-mcas-cef-app-activity-success-mailboxpermission
microsoft-mcas-str-app-activity-success-serviceaccessenforcementtriggered
microsoft-mcas-cef-app-activity-success-azureoperation
microsoft-mcas-cef-app-activity-success-removemember
microsoft-evsecurity-kv-ds-object-activity-success-4662-3
azure-azuread-json-app-notification-activitydisplayname
azure-azuread-json-user-password-modify-success-selfservice
pan-gp-cef-app-activity-success-globalprotect
vmware-idm-json-app-activity-success-user
exabeam-aa-json-app-activity-success-search
exabeam-search-json-app-activity-success-rule
exabeam-search-json-app-activity-success-search
exabeam-search-json-app-activity-success-role
exabeam-search-json-app-activity-success-addededited
exabeam-search-json-app-activity-success-groupmodified
exabeam-search-json-app-activity-success-permissionchange
exabeam-search-json-app-activity-success-restarting
exabeam-search-json-app-activity-success-logsourceadded

failed-logon
auth0-a-json-endpoint-login-fail-fp

local-logon
microsoft-evsecurity-json-endpoint-login-success-4624-6

process-created
dg-ep-json-file-success-time
vmware-carbonblackceedr-sk4-process-create-success-crossproc

remote-access
microsoft-evsecurity-json-endpoint-login-success-4624-6

remote-logon
unix-unix-str-ssh-traffic-success-sftpsessionopened
dell-sw-kv-rdp-traffic-success-sslvpn
microsoft-evsecurity-json-endpoint-login-success-4624-6
microsoft-evsecurity-json-endpoint-login-success-4648
microsoft-evsecurity-json-endpoint-login-success-4648-2

share-access
microsoft-evsecurity-cef-share-access-success-5144
microsoft-evsecurity-json-share-access-success-5140-1

vpn-logout
microsoft-windows-xml-vpn-logout-success-4304
microsoft-windows-xml-vpn-logout-success-2001
T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1021 - Remote Services
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036 - Masquerading
T1036.004 - Masquerading: Masquerade Task or Service
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053 - Scheduled Task/Job
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059 - Command and Scripting Interpreter
T1059.001 - Command and Scripting Interpreter: PowerShell
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134 - Access Token Manipulation
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - Access Token Manipulation: Create Process with Token
T1135 - Network Share Discovery
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484 - Group Policy Modification
T1484.001 - T1484.001
T1518 - Software Discovery
T1518.001 - Software Discovery: Security Software Discovery
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
T1547 - Boot or Logon Autostart Execution
T1547.002 - Boot or Logon Autostart Execution: Authentication Package
T1548 - Abuse Elevation Control Mechanism
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552 - Unsecured Credentials
T1552.006 - Unsecured Credentials: Group Policy Preferences
T1555 - Credentials from Password Stores
T1555.005 - Credentials from Password Stores: Password Managers
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - Hijack Execution Flow: Services Registry Permissions Weakness
  • 70 Rules
  • 19 Models
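The rows above are a flat extraction of the use-case → activity-type → parser → ATT&CK mapping, which is awkward to query by hand. As an added example (not code from this page or from Exabeam), the following Python parses that flattened layout back into a structure and answers the two questions a SOC engineer usually brings to a content catalog: which use cases are actually fed by the log sources being ingested, and which use cases share an ATT&CK technique. The vendor-product-format split of parser names is an assumption inferred from the names on the page, and the sample rows embedded below are constructed in the same layout.

```python
"""Parse the flattened use-case / parser / ATT&CK table and query coverage.

Added example; not part of the original page or of Exabeam's content.
"""
import re
from collections import defaultdict

# "T1566.002 - Phishing: Spearphishing Link" or "TA0002 - Execution"
TTP_RE = re.compile(r"^(TA?\d{4}(?:\.\d{3})?) - (.+)$")
# "• 7 Rules" / "• 1 Model" (leading whitespace is stripped before matching)
COUNT_RE = re.compile(r"^•\s*(\d+)\s+(Rule|Model)s?$")

# Constructed sample in the same flattened layout as the table on the page.
SAMPLE = """\
Phishing
dlp-email-alert-out
proofpoint-tap-json-email-emailthreat
microsoft-o365-cef-email-send-workload

process-created
vmware-carbonblackceedr-sk4-process-create-success-crossproc
T1566 - Phishing
T1566.002 - Phishing: Spearphishing Link
  • 7 Rules
  • 3 Models
Physical Security
vpn-login
pan-gp-csv-vpn-login-success-connected
pan-gp-csv-vpn-login-success-connected
T1133 - External Remote Services
  • 1 Rules
  • 1 Models
"""


def parse_catalog(text):
    """Return {use_case: {"activities": {type: [parsers]}, "ttps": {id: name},
    "rules": int, "models": int}}. A row is: use-case name, activity blocks
    separated by blank lines, ATT&CK lines, then the Rules/Models counts."""
    catalog = {}
    state, case, activity = "usecase", None, None
    for raw in text.splitlines():
        line = raw.strip()
        if state == "usecase":
            if not line:
                continue
            case = catalog.setdefault(
                line, {"activities": {}, "ttps": {}, "rules": 0, "models": 0})
            state = "activity"
            continue
        if not line:                      # blank line closes an activity block
            state = "activity"
            continue
        m = TTP_RE.match(line)
        if m:                             # ATT&CK column: no more parsers follow
            case["ttps"][m.group(1)] = m.group(2)
            state = "ttp"
            continue
        m = COUNT_RE.match(line)
        if m:
            case[m.group(2).lower() + "s"] = int(m.group(1))
            if m.group(2) == "Model":     # Models count is the last line of a row
                state = "usecase"
            continue
        if state == "activity":
            activity = line
            case["activities"].setdefault(activity, [])
            state = "parser"
        elif state == "parser":
            parsers = case["activities"][activity]
            if line not in parsers:       # drop verbatim duplicate parser rows
                parsers.append(line)
    return catalog


def parser_source(name):
    """Split a parser name into (vendor, product, format).
    Assumption: names follow vendor-product-format-..., as seen on the page."""
    parts = name.split("-")
    if len(parts) < 4:
        raise ValueError(f"unexpected parser name: {name}")
    return parts[0], parts[1], parts[2]


def coverage(catalog, vendors):
    """Use cases fed by at least one parser from `vendors`, with the activity
    types those vendors feed and the ATT&CK IDs the row claims to cover."""
    out = {}
    for case, row in catalog.items():
        fed = {act for act, parsers in row["activities"].items()
               if any(parser_source(p)[0] in vendors for p in parsers)}
        if fed:
            out[case] = {"activities": sorted(fed), "ttps": sorted(row["ttps"])}
    return out


def ttp_index(catalog):
    """Inverse index: ATT&CK ID -> sorted list of use cases mapped to it."""
    idx = defaultdict(set)
    for case, row in catalog.items():
        for ttp in row["ttps"]:
            idx[ttp].add(case)
    return {k: sorted(v) for k, v in idx.items()}


if __name__ == "__main__":
    cat = parse_catalog(SAMPLE)
    for case, hit in coverage(cat, {"proofpoint", "pan"}).items():
        print(case, hit)
    print(ttp_index(cat))
```

Point the script at the full extracted text instead of `SAMPLE` and pass the vendor prefixes of the sources actually being ingested; the use cases missing from the `coverage` output are the ones whose rules and models can never fire regardless of how many TTPs the row lists.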
Privileged Activity
account-switch
microsoft-evsecurity-json-endpoint-login-success-4648
microsoft-evsecurity-json-endpoint-login-success-4648-2

app-activity
epic-siem-cef-app-activity-success-browserexternalpage
epic-siem-cef-app-activity-success-icserviceaudit
epic-siem-cef-app-activity-success-accessgranted
epic-seim-cef-app-activity-success-secure
epic-siem-cef-app-activity-success-maskeddatadisplay
epic-seim-cef-app-activity-success-switchuser
epic-siem-cef-app-activity-success-unsecure
epic-siem-cef-app-activity-success-acbreaktheglassaccess
epic-siem-cef-app-activity-success-startup
beyondtrust-sra-kv-app-activity-success-connectionterminated
egnyte-e-cef-app-activity-success-create
engyte-e-cef-app-activity-success-update
egnyte-e-cef-app-activity-success-disable
slack-s-json-app-activity-success-userlogout
slack-s-json-app-activity-success-userchanneljoin
slack-s-json-app-activity-success-userchannelleave
slack-s-json-app-activity-success-fileshared
slack-s-json-app-activity-success-userdeactivated
slack-s-json-app-activity-success-publicchannelcreated
slack-s-json-app-activity-success-privatechannelcreated
forcepoint-ngfw-cef-app-activity-log
github-g-csv-app-activity-success-teamremovem
github-g-csv-app-activity-success-orgmem
github-g-csv-app-activity-success-teamadd
github-g-csv-app-activity-success-paymethod
github-g-csv-app-activity-success-billingemail
github-g-csv-app-activity-success-hookcreate
github-g-csv-app-activity-success-repocreate
github-g-csv-app-activity-success-branchupdate
github-g-csv-app-activity-success-parentteam
github-g-csv-app-activity-success-hookconfig
github-g-csv-app-activity-success-orginvite
github-g-csv-app-activity-success-createteam
beyondtrust-prividentity-cef-app-activity-success-idpassword
imprivata-i-kv-app-activity-success-primarylockout
imprivata-i-kv-app-activity-success-selfenroldeclined
imprivata-i-kv-app-activity-success-agentshutdown
imprivata-i-kv-app-activity-success-passwordreset
egnyte-egnyte-sk4-app-activity-success-addedtogroup
egnyte-egnyte-sk4-app-activity-success-removedfromgroup
egnyte-egnyte-sk4-app-activity-success-verificationdisable
egnyte-egnyte-sk4-app-activity-success-verified
beyondtrust-prividentity-cef-app-activity-listaddedaccount
beyondtrust-prividentity-cef-app-activity-elevationfailed
beyondtrust-prividentity-cef-app-activity-jobaccount
beyondtrust-prividentity-cef-app-activity-accountdeelevated
forcepoint-ngfw-cef-network-traffic-catchall
fortinet-fortigate-kv-network-app-fortigate
sentinelone-v-cef-app-activity-success-usermodified
sentinelone-v-cef-app-activity-success-usercreatedrole
crowdstrike-falcon-json-app-activity-awsec2networkacl
crowdstrike-falcon-sk4-app-activity-updateuser
crowdstrike-falcon-json-app-activity-awsec2securitygroup
crowdstrike-falcon-json-app-activity-awsec2networkaclentry
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
microsoft-evsecurity-kv-ds-object-delete-success-5141-1
microsoft-evsecurity-xml-configuration-modify-success-4742
microsoft-azuremon-json-endpoint-activity-success-catchall
microsoft-azure-mix-app-activity-success-caller
microsoft-o365-sk4-app-activity-success-office365-1
microsoft-o365-sk4-app-activity-success-office365
microsoft-o365-sk4-app-activity-success-usermanagement
microsoft-o365-sk4-app-activity-success-groupmanagement-1
microsoft-o365-sk4-app-activity-success-graphdirectoryauditlogs-1
microsoft-o365-sk4-app-activity-success-authzgrouprenamed
microsoft-o365-sk4-app-activity-success-groupmanagement
microsoft-o365-sk4-app-activity-success-authzgrouprenamed-1
microsoft-mcas-cef-app-activity-success-purgemessages
microsoft-mcas-cef-app-activity-success-unspecified
microsoft-mcas-cef-app-activity-success-mailboxpermission
microsoft-mcas-str-app-activity-success-serviceaccessenforcementtriggered
microsoft-mcas-cef-app-activity-success-azureoperation
microsoft-mcas-cef-app-activity-success-removemember
microsoft-evsecurity-kv-ds-object-activity-success-4662-3
azure-azuread-json-app-notification-activitydisplayname
azure-azuread-json-user-password-modify-success-selfservice
pan-gp-cef-app-activity-success-globalprotect
vmware-idm-json-app-activity-success-user
exabeam-aa-json-app-activity-success-search
exabeam-search-json-app-activity-success-rule
exabeam-search-json-app-activity-success-search
exabeam-search-json-app-activity-success-role
exabeam-search-json-app-activity-success-addededited
exabeam-search-json-app-activity-success-groupmodified
exabeam-search-json-app-activity-success-permissionchange
exabeam-search-json-app-activity-success-restarting
exabeam-search-json-app-activity-success-logsourceadded

app-activity-failed
beyondtrust-prividentity-cef-app-activity-listaddedaccount
beyondtrust-prividentity-cef-app-activity-elevationfailed
beyondtrust-prividentity-cef-app-activity-jobaccount
beyondtrust-prividentity-cef-app-activity-accountdeelevated
crowdstrike-falcon-json-app-activity-awsec2networkacl
crowdstrike-falcon-sk4-app-activity-updateuser
crowdstrike-falcon-json-app-activity-awsec2securitygroup
crowdstrike-falcon-json-app-activity-awsec2networkaclentry
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
vmware-idm-json-app-activity-success-user

app-login
unix-unix-str-cron-session-success-sessionopened
securelink-s-str-app-login-success-loggedin
rubrik-cdm-kv-app-login-success-loggedin-1
swift-s-cef-app-login-success-web
slack-s-json-app-login-success-userlogin
beyondtrust-prividentity-cef-app-login-privilegedidentity
microsoft-mcas-kv-app-login-success-successauth
microsoft-o365-cef-app-login-success-user
microsoft-o365-json-app-login-success-loginsuccess
exabeam-aa-json-app-login-success-applogin
exabeam-search-json-app-login-success-activitylogin

dlp-email-alert-in
proofpoint-tap-json-email-emailthreat
proofpoint-tap-sk4-email-receive-threatdetected
proofpoint-tap-json-email-receive-emailthreat-1
abnormalsecurity-as-json-email-send-success-spam
microsoft-o365-json-email-receive-success-emailreceive

dlp-email-alert-in-failed
proofpoint-tap-json-email-emailthreat
proofpoint-tap-sk4-email-receive-threatdetected
proofpoint-tap-json-email-receive-emailthreat-1

dlp-email-alert-out
proofpoint-tap-json-email-emailthreat
dg-ndlp-json-email-send-success-sendmail
microsoft-o365-cef-email-send-workload

dlp-email-alert-out-failed
proofpoint-tap-json-email-emailthreat
microsoft-o365-cef-email-send-workload

ds-access
microsoft-evsecurity-kv-ds-object-delete-success-5141-1
microsoft-evsecurity-kv-ds-object-activity-success-4662-3

failed-app-login
securelink-s-str-app-login-fail-loginfailed
epic-siem-cef-app-activity-success-roverfailedlogin
okta-amfa-json-app-login-fail-userlogintookta
okta-amfa-json-app-login-fail-authenticateuserwithadagent
beyondtrust-prividentity-cef-app-login-privilegedidentity
microsoft-mcas-kv-app-login-fail-failedauth
microsoft-o365-cef-app-login-success-user
microsoft-o365-json-app-login-fail-loginfail
exabeam-aa-json-app-login-fail-failedlogin

failed-logon
auth0-a-json-endpoint-login-fail-fp

file-alert
pan-wildfire-cef-alert-trigger-success-filethreat
vmware-carbonblackappctrl-cef-alert-trigger-success-policy_enforce

file-delete
dg-ep-json-file-success-time
microsoft-azure-kv-file-success-vmid
microsoft-mcas-cef-file-delete-success-deletefile

file-download
slack-s-json-file-download-success-filedownloaded
dg-ep-json-file-success-time
microsoft-mcas-cef-file-download-success-syncfiledownload
microsoft-mcas-cef-file-download-success-downloadfile

file-read
dg-ep-json-file-success-time
microsoft-azure-sk4-file-read-success-vaultget
microsoft-azure-sk4-file-read-success-resourceid
microsoft-mcas-cef-file-read-success-modifyfile
microsoft-mcas-cef-file-read-success-mcas
microsoft-mcas-cef-file-read-success-sharefile
microsoft-mcas-cef-file-read-success-movefile
microsoft-azure-cef-file-read-success-actiontype

file-upload
slack-s-json-file-upload-success-fileuploaded
dg-ep-json-file-success-time
microsoft-mcas-cef-file-upload-success-uploadfile
microsoft-mcas-cef-file-upload-success-fileupload

file-write
dg-ep-json-file-success-time
microsoft-azure-kv-file-success-vmid
microsoft-sysmon-xml-file-write-success-11
microsoft-evsystem-xml-file-write-success-11

local-logon
microsoft-evsecurity-json-endpoint-login-success-4624-6

privileged-access
rubrik-cdm-kv-user-privilege-assign-success-assignedroles
microsoft-windows-kv-user-privilege-use-success-578
microsoft-evsecurity-json-user-privilege-assign-success-4673-1
microsoft-evsecurity-json-user-privilege-assign-success-4673-1

process-created
dg-ep-json-file-success-time
vmware-carbonblackceedr-sk4-process-create-success-crossproc

remote-access
microsoft-evsecurity-json-endpoint-login-success-4624-6
microsoft-evsecurity-json-endpoint-login-success-4624-6

remote-logon
unix-unix-str-ssh-traffic-success-sftpsessionopened
dell-sw-kv-rdp-traffic-success-sslvpn
microsoft-evsecurity-json-endpoint-login-success-4624-6
microsoft-evsecurity-json-endpoint-login-success-4648
microsoft-evsecurity-json-endpoint-login-success-4648-2
microsoft-evsecurity-json-endpoint-login-success-4648
microsoft-evsecurity-json-endpoint-login-success-4648-2

security-alert
fireeye-endpointsecurity-cef-alert-trigger-success-containmentcancelled
fireeye-endpointsecurity-cef-alert-trigger-success-containmentcancelled
trendmicro-officescan-leef-alert-trigger-success-antimalware
trendmicro-officescan-leef-alert-trigger-success-antimalware
proofpoint-tap-json-email-receive-emailthreat-1
abnormalsecurity-as-json-alert-trigger-success-attacktype
abnormalsecurity-as-json-alert-trigger-success-attacktype
cyberark-pam-kv-alert-trigger-success-nonauthorizedimpersonation
cyberark-pam-kv-alert-trigger-success-keystrokelogging
sophos-ep-sk4-alert-trigger-success-threatdetected
sophos-ep-cef-alert-trigger-success-puadetected
sophos-ep-sk4-alert-trigger-success-hmpacrypyguard
sophos-ep-cef-alert-trigger-success-safebrowsing
sophos-ep-sk4-alert-trigger-success-corepua
sophos-ep-sk4-alert-trigger-success-event
sophos-ep-sk4-alert-trigger-success-endpointevent
sophos-ep-sk4-alert-trigger-success-enc
sophos-ep-sk4-alert-trigger-success-threatclean
sophos-ep-sk4-alert-trigger-success-applicationblock
sophos-ep-sk4-alert-trigger-success-controlviolation
sophos-ep-sk4-alert-trigger-success-savdisable
sophos-ep-sk4-alert-trigger-success-threatdetected
sophos-ep-cef-alert-trigger-success-puadetected
sophos-ep-sk4-alert-trigger-success-hmpacrypyguard
sophos-ep-cef-alert-trigger-success-safebrowsing
sophos-ep-sk4-alert-trigger-success-corepua
sophos-ep-sk4-alert-trigger-success-event
sophos-ep-sk4-alert-trigger-success-endpointevent
sophos-ep-sk4-alert-trigger-success-enc
sophos-ep-sk4-alert-trigger-success-threatclean
sophos-ep-sk4-alert-trigger-success-applicationblock
sophos-ep-sk4-alert-trigger-success-controlviolation
sophos-ep-sk4-alert-trigger-success-savdisable
sophos-ep-cef-alert-trigger-success-hmpacredguard
sophos-ep-sk4-alert-trigger-success-privilegeexploitprevented
sophos-ep-cef-alert-trigger-success-hmpacredguard
sophos-ep-sk4-alert-trigger-success-privilegeexploitprevented
crowdstrike-falcon-leef-alert-trigger-success-0
crowdstrike-falcon-leef-alert-trigger-success-0
sentinelone-singularityp-json-alert-trigger-success-datasourcecategorysecurity-2
sentinelone-singularityp-json-alert-trigger-success-datasourcecategorysecurity-2
sentinelone-singularityp-json-alert-trigger-success-packed
sentinelone-singularityp-json-alert-trigger-success-classification
sentinelone-singularityp-json-alert-trigger-success-backdoor
sentinelone-singularityp-json-alert-trigger-success-ransomware
sentinelone-singularityp-json-alert-trigger-success-threatname
sentinelone-singularityp-json-alert-trigger-success-url
sentinelone-singularityp-json-alert-trigger-success-virus
sentinelone-singularityp-json-alert-trigger-success-process
sentinelone-singularityp-json-alert-trigger-success-security
microsoft-azureatp-kv-alert-trigger-success-bruteforcesecurityalert
microsoft-azureatp-kv-alert-trigger-success-dnsreconnaissancesecurityalert
microsoft-azureatp-kv-alert-trigger-success-bruteforcesecurityalert
microsoft-azureatp-kv-alert-trigger-success-dnsreconnaissancesecurityalert
microsoft-defenderep-kv-alert-trigger-success-1117
microsoft-defenderep-kv-alert-trigger-success-1116
microsoft-defenderep-kv-alert-trigger-success-1117
microsoft-defenderep-kv-alert-trigger-success-1116
pan-wildfire-cef-alert-trigger-success-panos
pan-wildfire-cef-alert-trigger-success-panos
pan-wildfire-cef-alert-trigger-success-lsardeleteaccess
pan-wildfire-cef-alert-trigger-success-lsardeleteaccess
pan-ngfw-json-alert-trigger-success-spyware
cisco-secureendpoint-sk4-alert-trigger-success-majorfaultraised
cisco-secureendpoint-sk4-alert-trigger-success-threatdetection
cisco-secureendpoint-sk4-alert-trigger-success-majorfaultraised
cisco-secureendpoint-sk4-alert-trigger-success-threatdetection
checkpoint-am-leef-alert-trigger-success-antimalware
checkpoint-es-leef-alert-trigger-success-checkpoint
checkpoint-am-leef-alert-trigger-success-antimalware
checkpoint-es-leef-alert-trigger-success-checkpoint

task-created
crowdstrike-falcon-cef-scheduled-task-create-success-win

web-activity-allowed
microsoft-azuremon-sk4-http-request-success-azurefirewallapplicationrule
symantec-bcpa-mix-http-session-ssldenied
symantec-bcpa-mix-http-session-deniedtcp
symantec-bcpa-mix-http-session-connect
symantec-bcpa-mix-http-session-get
symantec-bcpa-mix-http-session-ssldenied
symantec-bcpa-mix-http-session-deniedtcp
symantec-bcpa-mix-http-session-connect
symantec-bcpa-mix-http-session-get

web-activity-denied
eset-es-leef-http-session-fail-eset
symantec-bcpa-mix-http-session-ssldenied
symantec-bcpa-mix-http-session-deniedtcp
symantec-bcpa-mix-http-session-connect
symantec-bcpa-mix-http-session-get
T1003 - OS Credential Dumping
T1003.006 - OS Credential Dumping: DCSync
T1021 - Remote Services
T1053 - Scheduled Task/Job
T1053.005 - Scheduled Task/Job: Scheduled Task
T1068 - Exploitation for Privilege Escalation
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1102 - Web Service
T1207 - Rogue Domain Controller
T1482 - Domain Trust Discovery
T1484 - Group Policy Modification
T1543 - Create or Modify System Process
T1543.003 - Create or Modify System Process: Windows Service
TA0002 - TA0002
  • 46 Rules
  • 17 Models
Ransomware
app-login
unix-unix-str-cron-session-success-sessionopened
securelink-s-str-app-login-success-loggedin
rubrik-cdm-kv-app-login-success-loggedin-1
swift-s-cef-app-login-success-web
slack-s-json-app-login-success-userlogin
beyondtrust-prividentity-cef-app-login-privilegedidentity
microsoft-mcas-kv-app-login-success-successauth
microsoft-o365-cef-app-login-success-user
microsoft-o365-json-app-login-success-loginsuccess
exabeam-aa-json-app-login-success-applogin
exabeam-search-json-app-login-success-activitylogin

authentication-failed
unix-unixauditd-json-endpoint-login-authentication
sailpoint-identitynow-json-endpoint-authentication-auth
ipswitch-moveittransfer-str-endpoint-authentication-fail-authfailed
stealthbits-s-kv-vpn-login-fail-failedlogin
pan-ngfw-leef-endpoint-authentication-fail-authfail

authentication-successful
unix-unixauditd-json-endpoint-login-authentication
sailpoint-identitynow-json-endpoint-authentication-auth
stealthbits-s-kv-vpn-login-success-loginsucceed
beyondtrust-sra-kv-endpoint-login-success-challenge
pan-ngfw-leef-endpoint-authentication-success-authsuccess
pan-ngfw-leef-endpoint-authentication-success-signvalidated

failed-app-login
securelink-s-str-app-login-fail-loginfailed
epic-siem-cef-app-activity-success-roverfailedlogin
okta-amfa-json-app-login-fail-userlogintookta
okta-amfa-json-app-login-fail-authenticateuserwithadagent
beyondtrust-prividentity-cef-app-login-privilegedidentity
microsoft-mcas-kv-app-login-fail-failedauth
microsoft-o365-cef-app-login-success-user
microsoft-o365-json-app-login-fail-loginfail
exabeam-aa-json-app-login-fail-failedlogin

failed-logon
auth0-a-json-endpoint-login-fail-fp

failed-vpn-login
pan-gp-csv-vpn-login-fail-loginfailure

file-write
dg-ep-json-file-success-time
microsoft-azure-kv-file-success-vmid
microsoft-azure-kv-file-success-vmid
microsoft-sysmon-xml-file-write-success-11
microsoft-evsystem-xml-file-write-success-11

process-created
dg-ep-json-file-success-time
vmware-carbonblackceedr-sk4-process-create-success-crossproc

remote-logon
unix-unix-str-ssh-traffic-success-sftpsessionopened
dell-sw-kv-rdp-traffic-success-sslvpn
microsoft-evsecurity-json-endpoint-login-success-4624-6
microsoft-evsecurity-json-endpoint-login-success-4648
microsoft-evsecurity-json-endpoint-login-success-4648-2
microsoft-evsecurity-json-endpoint-login-success-4648
microsoft-evsecurity-json-endpoint-login-success-4648-2

vpn-login
microsoft-windows-xml-vpn-login-success-2002
microsoft-windows-xml-vpn-login-success-2000
microsoft-evdhcpserver-xml-vpn-login-success-4303
pan-gp-csv-vpn-login-success-connected
pan-ngfw-cef-vpn-login-success-clientswitchtossltunnelmodesucceeded

web-activity-allowed
microsoft-azuremon-sk4-http-request-success-azurefirewallapplicationrule
symantec-bcpa-mix-http-session-ssldenied
symantec-bcpa-mix-http-session-deniedtcp
symantec-bcpa-mix-http-session-connect
symantec-bcpa-mix-http-session-get
symantec-bcpa-mix-http-session-ssldenied
symantec-bcpa-mix-http-session-deniedtcp
symantec-bcpa-mix-http-session-connect
symantec-bcpa-mix-http-session-get

web-activity-denied
eset-es-leef-http-session-fail-eset
symantec-bcpa-mix-http-session-ssldenied
symantec-bcpa-mix-http-session-deniedtcp
symantec-bcpa-mix-http-session-connect
symantec-bcpa-mix-http-session-get
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1059 - Command and Scripting Interpreter
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218 - Signed Binary Proxy Execution
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222 - File and Directory Permissions Modification
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 7 Rules
Workforce Protection
dlp-email-alert-out
proofpoint-tap-json-email-emailthreat
dg-ndlp-json-email-send-success-sendmail
microsoft-o365-cef-email-send-workload

web-activity-allowed
microsoft-azuremon-sk4-http-request-success-azurefirewallapplicationrule
symantec-bcpa-mix-http-session-ssldenied
symantec-bcpa-mix-http-session-deniedtcp
symantec-bcpa-mix-http-session-connect
symantec-bcpa-mix-http-session-get
symantec-bcpa-mix-http-session-ssldenied
symantec-bcpa-mix-http-session-deniedtcp
symantec-bcpa-mix-http-session-connect
symantec-bcpa-mix-http-session-get
T1048 - Exfiltration Over Alternative Protocol
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 8 Rules
  • 3 Models