Rules by Product and UseCase

April 15, 2026 · View on GitHub

Rules	Models	MITRE ATT&CK® TTPs	Activity Types	Parsers
6	2	4	3	6

Event Type	Rules	Models
account-deleted	T1136 - Create Account ↳ A-ACCT-CR-DEL: Account created and deleted on asset T1531 - Account Access Removal ↳ AM-UA-AD-F: First account deletion activity for user	• AE-UA: All activity for users
account-password-reset	T1098 - Account Manipulation ↳ AM-UA-APLocU-F: First account password change for local user
app-activity	T1098 - Account Manipulation ↳ EM-InB-Ex: A user has been given mailbox permissions for an executive user ↳ EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own ↳ EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions T1098.002 - Account Manipulation: Exchange Email Delegate Permissions ↳ EM-InB-Ex: A user has been given mailbox permissions for an executive user ↳ EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own ↳ EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions	• EM-InB-Perm-N: Models users who give mailbox permissions

Vendor: LiquidFiles