Rules by Product and UseCase
April 15, 2026 · View on GitHub
Vendor: Darktrace
Product: Darktrace
Use-Case: Privileged Activity
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 3 | 1 | 2 | 6 | 6 |
| Event Type | Rules | Models |
|---|---|---|
| app-activity | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account ↳ APP-AT-PRIV: Non-privileged user performing privileged application activity | • APP-AT-PRIV: Privileged application activities |
| app-login | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account | |
| dlp-email-alert-in | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account | |
| dlp-email-alert-out | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account | |
| failed-app-login | T1078 - Valid Accounts ↳ APP-Account-deactivated: Activity from a de-activated user account | |
| security-alert | T1068 - Exploitation for Privilege Escalation ↳ ALERT-EXEC: Security violation by Executive |