2_ds_progress_progress_sharefile.md

April 15, 2026 · View on GitHub

Use-Case	Activity Types/Parsers	MITRE ATT&CK® TTP	Content
Compromised Credentials	app-activity ↳citrix-sharefile-sk4-app-activity-success-editnote ↳citrix-sharefile-sk4-app-activity-success-usermodifiedpermission ↳progress-sharefile-json-app-activity-success-shareid ↳progress-sharefile-json-app-activity-success-usermakingchange ↳progress-sharefile-json-app-activity-eventid app-login ↳progress-sharefile-json-app-activity-eventid ↳citrix-sharefile-sk4-app-login-success-tfalogin ↳citrix-sharefile-sk4-app-login-success-loginactivity failed-app-login ↳citrix-sharefile-sk4-app-login-fail-tfaloginfail ↳citrix-sharefile-sk4-app-login-fail-failedlogin ↳progress-sharefile-json-app-activity-eventid ↳citrix-sharefile-sk4-app-login-fail-loginlocked file-write ↳progress-sharefile-json-app-activity-success-usermakingchange ↳progress-sharefile-json-app-activity-eventid	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1003.003 - T1003.003 T1078 - Valid Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public Fasing Application	74 Rules 38 Models
Data Access	app-activity ↳citrix-sharefile-sk4-app-activity-success-editnote ↳citrix-sharefile-sk4-app-activity-success-usermodifiedpermission ↳progress-sharefile-json-app-activity-success-shareid ↳progress-sharefile-json-app-activity-success-usermakingchange ↳progress-sharefile-json-app-activity-eventid app-login ↳progress-sharefile-json-app-activity-eventid ↳citrix-sharefile-sk4-app-login-success-tfalogin ↳citrix-sharefile-sk4-app-login-success-loginactivity failed-app-login ↳citrix-sharefile-sk4-app-login-fail-tfaloginfail ↳citrix-sharefile-sk4-app-login-fail-failedlogin ↳progress-sharefile-json-app-activity-eventid ↳citrix-sharefile-sk4-app-login-fail-loginlocked file-write ↳progress-sharefile-json-app-activity-success-usermakingchange ↳progress-sharefile-json-app-activity-eventid	T1078 - Valid Accounts T1083 - File and Directory Discovery	44 Rules 24 Models
Data Leak	app-activity ↳citrix-sharefile-sk4-app-activity-success-editnote ↳citrix-sharefile-sk4-app-activity-success-usermodifiedpermission ↳progress-sharefile-json-app-activity-success-shareid ↳progress-sharefile-json-app-activity-success-usermakingchange ↳progress-sharefile-json-app-activity-eventid file-write ↳progress-sharefile-json-app-activity-success-usermakingchange ↳progress-sharefile-json-app-activity-eventid	T1114 - Email Collection T1114.001 - T1114.001 T1114.003 - Email Collection: Email Forwarding Rule	4 Rules
Lateral Movement	app-login ↳progress-sharefile-json-app-activity-eventid ↳citrix-sharefile-sk4-app-login-success-tfalogin ↳citrix-sharefile-sk4-app-login-success-loginactivity failed-app-login ↳citrix-sharefile-sk4-app-login-fail-tfaloginfail ↳citrix-sharefile-sk4-app-login-fail-failedlogin ↳progress-sharefile-json-app-activity-eventid ↳citrix-sharefile-sk4-app-login-fail-loginlocked	T1078 - Valid Accounts T1090 - Proxy T1090.003 - Proxy: Multi-hop Proxy	2 Rules
Malware	app-login ↳progress-sharefile-json-app-activity-eventid ↳citrix-sharefile-sk4-app-login-success-tfalogin ↳citrix-sharefile-sk4-app-login-success-loginactivity file-write ↳progress-sharefile-json-app-activity-success-usermakingchange ↳progress-sharefile-json-app-activity-eventid	T1003 - OS Credential Dumping T1003.002 - T1003.002 T1078 - Valid Accounts T1505 - Server Software Component T1505.003 - Server Software Component: Web Shell T1547 - Boot or Logon Autostart Execution T1547.001 - T1547.001 TA0002 - TA0002	11 Rules 4 Models
Privilege Abuse	app-activity ↳citrix-sharefile-sk4-app-activity-success-editnote ↳citrix-sharefile-sk4-app-activity-success-usermodifiedpermission ↳progress-sharefile-json-app-activity-success-shareid ↳progress-sharefile-json-app-activity-success-usermakingchange ↳progress-sharefile-json-app-activity-eventid app-login ↳progress-sharefile-json-app-activity-eventid ↳citrix-sharefile-sk4-app-login-success-tfalogin ↳citrix-sharefile-sk4-app-login-success-loginactivity failed-app-login ↳citrix-sharefile-sk4-app-login-fail-tfaloginfail ↳citrix-sharefile-sk4-app-login-fail-failedlogin ↳progress-sharefile-json-app-activity-eventid ↳citrix-sharefile-sk4-app-login-fail-loginlocked file-download ↳progress-sharefile-json-app-activity-eventid ↳citrix-sharefile-cef-file-download-success-download file-upload ↳progress-sharefile-json-app-activity-eventid ↳citrix-sharefile-cef-file-upload-success-fileupload file-write ↳progress-sharefile-json-app-activity-success-usermakingchange ↳progress-sharefile-json-app-activity-eventid	T1078 - Valid Accounts T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	7 Rules 2 Models
Privilege Escalation	app-activity ↳citrix-sharefile-sk4-app-activity-success-editnote ↳citrix-sharefile-sk4-app-activity-success-usermodifiedpermission ↳progress-sharefile-json-app-activity-success-shareid ↳progress-sharefile-json-app-activity-success-usermakingchange ↳progress-sharefile-json-app-activity-eventid	T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	3 Rules 1 Models
Privileged Activity	app-activity ↳citrix-sharefile-sk4-app-activity-success-editnote ↳citrix-sharefile-sk4-app-activity-success-usermodifiedpermission ↳progress-sharefile-json-app-activity-success-shareid ↳progress-sharefile-json-app-activity-success-usermakingchange ↳progress-sharefile-json-app-activity-eventid app-login ↳progress-sharefile-json-app-activity-eventid ↳citrix-sharefile-sk4-app-login-success-tfalogin ↳citrix-sharefile-sk4-app-login-success-loginactivity failed-app-login ↳citrix-sharefile-sk4-app-login-fail-tfaloginfail ↳citrix-sharefile-sk4-app-login-fail-failedlogin ↳progress-sharefile-json-app-activity-eventid ↳citrix-sharefile-sk4-app-login-fail-loginlocked file-download ↳progress-sharefile-json-app-activity-eventid ↳citrix-sharefile-cef-file-download-success-download file-upload ↳progress-sharefile-json-app-activity-eventid ↳citrix-sharefile-cef-file-upload-success-fileupload file-write ↳progress-sharefile-json-app-activity-success-usermakingchange ↳progress-sharefile-json-app-activity-eventid	T1078 - Valid Accounts	3 Rules 1 Models
Ransomware	app-login ↳progress-sharefile-json-app-activity-eventid ↳citrix-sharefile-sk4-app-login-success-tfalogin ↳citrix-sharefile-sk4-app-login-success-loginactivity failed-app-login ↳citrix-sharefile-sk4-app-login-fail-tfaloginfail ↳citrix-sharefile-sk4-app-login-fail-failedlogin ↳progress-sharefile-json-app-activity-eventid ↳citrix-sharefile-sk4-app-login-fail-loginlocked file-write ↳progress-sharefile-json-app-activity-success-usermakingchange ↳progress-sharefile-json-app-activity-eventid	T1078 - Valid Accounts T1486 - Data Encrypted for Impact	3 Rules