Rules by Product and UseCase
April 15, 2026 · View on GitHub
Vendor: AssetView
Product: AssetView
Use-Case: Data Leak
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 18 | 6 | 5 | 3 | 0 |
| Event Type | Rules | Models |
|---|---|---|
| file-write | T1114 - Email Collection ↳ FA-Outlook-pst: A file ends with either pst or ost T1114.001 - T1114.001 ↳ FA-Outlook-pst: A file ends with either pst or ost | |
| print-activity | T1052 - Exfiltration Over Physical Medium ↳ PR-UP-F: First print activity from printer for user ↳ PR-UP-A: Abnormal printer for user ↳ PR-UT-TOW: Abnormal print activity time for user ↳ PR-SRC-CODE: Printed document with source code file extension | • PR-UT-TOW: Print activity time for user • PR-UP: Printers for user |
| usb-insert | T1052 - Exfiltration Over Physical Medium ↳ UW-UHD-000: First USB activity event for user, asset and USB device ↳ UW-UHD-001: First USB activity event for user and asset. The USB device (if present) has been used by/with other users/assets in the past. ↳ UW-UHD-010: First USB activity event for user and USB device. The asset has been used with other USB devices in other USB events ↳ UW-UHD-011: First USB activity event for user. The asset and the USB device (if present) have been seen in other USB events ↳ UW-UHD-100: First USB activity event for USB device and asset. The user has been seen performing USB activity in other USB events ↳ UW-UHD-101: First USB activity event for asset. The user and the USB device (if present) have been seen in other USB events ↳ UW-UHD-110: First USB activity event for USB device. The user and the asset have been seen in other USB events ↳ UW-UD-F: First device for user in USB event ↳ UW-DH-F: First asset for device in USB event ↳ UW-UHD-F: First asset and device for user in USB event ↳ UW-UH-A: Abnormal asset for user in USB event ↳ UW-UD-A: Abnormal USB device for user ↳ UW-DH-A: Abnormal asset for USB device T1052.001 - Exfiltration Over Physical Medium: Exfiltration over USB ↳ UW-UHD-000: First USB activity event for user, asset and USB device ↳ UW-UHD-001: First USB activity event for user and asset. The USB device (if present) has been used by/with other users/assets in the past. ↳ UW-UHD-010: First USB activity event for user and USB device. The asset has been used with other USB devices in other USB events ↳ UW-UHD-011: First USB activity event for user. The asset and the USB device (if present) have been seen in other USB events ↳ UW-UHD-100: First USB activity event for USB device and asset. The user has been seen performing USB activity in other USB events ↳ UW-UHD-101: First USB activity event for asset. The user and the USB device (if present) have been seen in other USB events ↳ UW-UHD-110: First USB activity event for USB device. The user and the asset have been seen in other USB events ↳ UW-UD-F: First device for user in USB event ↳ UW-DH-F: First asset for device in USB event ↳ UW-UHD-F: First asset and device for user in USB event ↳ UW-UH-A: Abnormal asset for user in USB event ↳ UW-UD-A: Abnormal USB device for user ↳ UW-DH-A: Abnormal asset for USB device T1091 - Replication Through Removable Media ↳ UW-UHD-000: First USB activity event for user, asset and USB device ↳ UW-UHD-001: First USB activity event for user and asset. The USB device (if present) has been used by/with other users/assets in the past. ↳ UW-UHD-010: First USB activity event for user and USB device. The asset has been used with other USB devices in other USB events ↳ UW-UHD-011: First USB activity event for user. The asset and the USB device (if present) have been seen in other USB events ↳ UW-UHD-100: First USB activity event for USB device and asset. The user has been seen performing USB activity in other USB events ↳ UW-UHD-101: First USB activity event for asset. The user and the USB device (if present) have been seen in other USB events ↳ UW-UHD-110: First USB activity event for USB device. The user and the asset have been seen in other USB events ↳ UW-UD-F: First device for user in USB event ↳ UW-DH-F: First asset for device in USB event ↳ UW-UHD-F: First asset and device for user in USB event ↳ UW-UH-A: Abnormal asset for user in USB event ↳ UW-UD-A: Abnormal USB device for user ↳ UW-DH-A: Abnormal asset for USB device | • UW-DH: Hosts that were used with USB Device • UW-UD: USB Devices per User • UW-UH: Hosts used with USB Device per User • UW-UHD: Assets and USB Devices for users |