Rules by Product and UseCase
September 3, 2025 · View on GitHub
Vendor: Dropbox
Product: Dropbox
Use-Case: Privilege Escalation
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 8 | 5 | 4 | 2 | 10 |
| Event Type | Rules | Models |
|---|---|---|
| app-activity | T1098 - Account Manipulation ↳ EM-InB-Ex: A user has been given mailbox permissions for an executive user ↳ EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own ↳ EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions T1098.002 - Account Manipulation: Exchange Email Delegate Permissions ↳ EM-InB-Ex: A user has been given mailbox permissions for an executive user ↳ EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own ↳ EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions | • EM-InB-Perm-N: Models users who give mailbox permissions |
| vpn-logout | T1555 - Credentials from Password Stores ↳ AS-PV-USCOUNT-A: Abnormal number of password safes used by user ↳ AS-PV-OSize-A: Abnormal number of password retrievals in the organization ↳ AS-PV-GSize-A: Abnormal number of password retrievals in the peer group ↳ AS-PV-USize-A: Abnormal number of password retrievals in the user T1555.005 - T1555.005 ↳ AS-PV-USCOUNT-A: Abnormal number of password safes used by user ↳ AS-PV-OSize-A: Abnormal number of password retrievals in the organization ↳ AS-PV-GSize-A: Abnormal number of password retrievals in the peer group ↳ AS-PV-USize-A: Abnormal number of password retrievals in the user T1098 - Account Manipulation ↳ EM-InB-Perm-A: Abnormal number of mailbox permission given by user. T1098.002 - Account Manipulation: Exchange Email Delegate Permissions ↳ EM-InB-Perm-A: Abnormal number of mailbox permission given by user. | • AS-PV-USize: Count of password retrievals in a session for the user • AS-PV-GSize: Count of password retrievals in a session for the peer group • AS-PV-OSize: Count of password retrievals in a session for the organization • AS-PV-USCOUNT: Count of safe values accessed in a session • EM-InB-Perm: Models the number of mailbox permissions given by this user. |