Vendor: SentinelOne

May 13, 2026 · View on GitHub

Product: Singularity Platform

Rules	Models	MITRE ATT&CK® TTPs	Activity Types	Parsers
684	191	173	22	46

Use-Case	Activity Types/Parsers	MITRE ATT&CK® TTP	Content
Abnormal Authentication & Access	account-password-change ↳sentinelone-singularityp-json-user-password-modify-success-3711 account-password-reset ↳sentinelone-singularityp-json-user-password-reset-success-3710 account-switch ↳sentinelone-singularityp-json-user-switch-success-usersubstitution app-activity ↳sentinelone-singularityp-kv-app-activity-success-malware ↳sentinelone-singularityp-json-app-activity-success-entitymanagement ↳sentinelone-singularityp-json-file-edreventcategory ↳sentinelone-singularityp-json-scheduled_task-scheduledtask ↳sentinelone-singularityp-json-scheduled_task-scheduledtask ↳sentinelone-singularityp-json-scheduled_task-scheduledtask ↳sentinelone-singularityp-json-scheduled_task-scheduledtask ↳sentinelone-singularityp-json-scheduled_task-scheduledtask ↳sentinelone-singularityp-json-app-activity-success-activitytype4008 ↳sentinelone-singularityp-json-app-activity-success-activitytype2001 ↳sentinelone-singularityp-json-app-activity-success-activitytype2004 ↳sentinelone-singularityp-json-user-role-assign-success-37 ↳sentinelone-singularityp-json-user-role-assign-success-23 ↳sentinelone-singularityp-json-app-activity-success-30-catchall ↳sentinelone-singularityp-json-rule-create-success-3600 app-login ↳sentinelone-singularityp-json-app-login-success-27 authentication-successful ↳sentinelone-singularityp-json-app-authentication-apiactivity failed-app-login ↳sentinelone-singularityp-json-app-login-fail-133 failed-logon ↳sentinelone-singularityp-json-endpoint-login-success-logins ↳sentinelone-singularityp-json-endpoint-login-success-winlogonattempt ↳sentinelone-singularityp-json-endpoint-login-success-logins ↳sentinelone-singularityp-json-endpoint-login-success-winlogonattempt ↳sentinelone-singularityp-json-endpoint-login-success-logins ↳sentinelone-singularityp-json-endpoint-login-success-winlogonattempt remote-logon ↳sentinelone-singularityp-json-endpoint-login-success-logins ↳sentinelone-singularityp-json-endpoint-login-success-winlogonattempt ↳sentinelone-singularityp-json-endpoint-login-success-logins ↳sentinelone-singularityp-json-endpoint-login-success-logins ↳sentinelone-singularityp-json-endpoint-login-success-winlogonattempt ↳sentinelone-singularityp-json-endpoint-login-success-logins ↳sentinelone-singularityp-json-endpoint-login-success-logins ↳sentinelone-singularityp-json-endpoint-login-success-winlogonattempt ↳sentinelone-singularityp-json-endpoint-login-success-logins web-activity-allowed ↳sentinelone-singularityp-json-alert-trigger-success-url-1	T1021 - Remote Services T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1110 - Brute Force T1133 - External Remote Services	46 Rules 22 Models
Account Manipulation	account-password-change ↳sentinelone-singularityp-json-user-password-modify-success-3711 account-password-reset ↳sentinelone-singularityp-json-user-password-reset-success-3710 app-activity ↳sentinelone-singularityp-kv-app-activity-success-malware ↳sentinelone-singularityp-json-app-activity-success-entitymanagement ↳sentinelone-singularityp-json-file-edreventcategory ↳sentinelone-singularityp-json-scheduled_task-scheduledtask ↳sentinelone-singularityp-json-scheduled_task-scheduledtask ↳sentinelone-singularityp-json-scheduled_task-scheduledtask ↳sentinelone-singularityp-json-scheduled_task-scheduledtask ↳sentinelone-singularityp-json-scheduled_task-scheduledtask ↳sentinelone-singularityp-json-app-activity-success-activitytype4008 ↳sentinelone-singularityp-json-app-activity-success-activitytype2001 ↳sentinelone-singularityp-json-app-activity-success-activitytype2004 ↳sentinelone-singularityp-json-user-role-assign-success-37 ↳sentinelone-singularityp-json-user-role-assign-success-23 ↳sentinelone-singularityp-json-app-activity-success-30-catchall ↳sentinelone-singularityp-json-rule-create-success-3600 process-created ↳sentinelone-singularityp-json-process-create-success-processcreation-2 ↳sentinelone-singularityp-json-process-create-success-processcreation ↳sentinelone-singularityp-json-process-create-success-process ↳sentinelone-singularityp-json-process-create-success-process ↳sentinelone-singularityp-json-process-create-success-process ↳sentinelone-singularityp-json-process-create-success-process	T1003 - OS Credential Dumping T1003.003 - T1003.003 T1021 - Remote Services T1021.003 - T1021.003 T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1078 - Valid Accounts T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1136 - Create Account T1136.001 - Create Account: Create: Local Account T1218 - Signed Binary Proxy Execution T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1531 - Account Access Removal T1559 - Inter-Process Communication T1559.002 - T1559.002	17 Rules 7 Models
Workforce Protection	web-activity-allowed ↳sentinelone-singularityp-json-alert-trigger-success-url-1	T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols	4 Rules 2 Models
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Phishing: Spearphishing Link External Remote Services Valid Accounts Drive-by Compromise Exploit Public Fasing Application Phishing	Windows Management Instrumentation Command and Scripting Interperter Scheduled Task/Job Inter-Process Communication System Services Exploitation for Client Execution User Execution Scheduled Task/Job: Scheduled Task Command and Scripting Interperter: PowerShell Software Deployment Tools Scheduled Task/Job: At (Windows)	Pre-OS Boot Create Account Create or Modify System Process External Remote Services Valid Accounts Hijack Execution Flow Server Software Component: Web Shell Account Manipulation BITS Jobs Create or Modify System Process: Windows Service Scheduled Task/Job Server Software Component Event Triggered Execution Boot or Logon Autostart Execution Create Account: Create: Local Account Account Manipulation: Exchange Email Delegate Permissions	Access Token Manipulation: Token Impersonation/Theft Create or Modify System Process Valid Accounts Access Token Manipulation Exploitation for Privilege Escalation Hijack Execution Flow Group Policy Modification Process Injection Scheduled Task/Job Abuse Elevation Control Mechanism Event Triggered Execution Boot or Logon Autostart Execution Process Injection: Dynamic-link Library Injection Abuse Elevation Control Mechanism: Bypass User Account Control	Hide Artifacts Indirect Command Execution Impair Defenses Indicator Removal on Host: Clear Windows Event Logs Group Policy Modification Trusted Developer Utilities Proxy Execution Masquerading: Match Legitimate Name or Location Masquerading: Rename System Utilities File and Directory Permissions Modification: Windows File and Directory Permissions Modification Obfuscated Files or Information: Compile After Delivery Obfuscated Files or Information: Indicator Removal from Tools Hijack Execution Flow: DLL Side-Loading Indicator Removal on Host: File Deletion Masquerading Valid Accounts Modify Registry BITS Jobs Use Alternate Authentication Material Hide Artifacts: NTFS File Attributes Use Alternate Authentication Material: Pass the Hash Indicator Removal on Host Use Alternate Authentication Material: Pass the Ticket Pre-OS Boot File and Directory Permissions Modification Deobfuscate/Decode Files or Information Abuse Elevation Control Mechanism Impair Defenses: Disable or Modify System Firewall Obfuscated Files or Information Signed Binary Proxy Execution: Compiled HTML File Access Token Manipulation Hijack Execution Flow Process Injection Valid Accounts: Local Accounts Signed Binary Proxy Execution: Msiexec Signed Binary Proxy Execution Signed Binary Proxy Execution: Regsvcs/Regasm Signed Binary Proxy Execution: CMSTP Signed Binary Proxy Execution: Control Panel Signed Binary Proxy Execution: InstallUtil Signed Binary Proxy Execution: Regsvr32 Trusted Developer Utilities Proxy Execution: MSBuild Signed Binary Proxy Execution: Rundll32	OS Credential Dumping Unsecured Credentials Brute Force Steal or Forge Kerberos Tickets Credentials from Password Stores Steal or Forge Kerberos Tickets: Kerberoasting Network Sniffing	Account Discovery Domain Trust Discovery System Service Discovery System Network Connections Discovery Account Discovery: Local Account Account Discovery: Domain Account File and Directory Discovery Network Sniffing System Information Discovery Network Share Discovery Query Registry Process Discovery System Owner/User Discovery Software Discovery Remote System Discovery System Network Configuration Discovery	Exploitation of Remote Services Remote Service Session Hijacking Remote Services Remote Services: SMB/Windows Admin Shares Use Alternate Authentication Material Remote Services: Remote Desktop Protocol Software Deployment Tools Internal Spearphishing	Screen Capture Email Collection Audio Capture Archive Collected Data Email Collection: Email Forwarding Rule	Web Service Protocol Tunneling Application Layer Protocol: DNS Application Layer Protocol: File Transfer Protocols Application Layer Protocol: Web Protocols Remote Access Software Dynamic Resolution Ingress Tool Transfer Dynamic Resolution: Domain Generation Algorithms Proxy: Multi-hop Proxy Application Layer Protocol Proxy	Exfiltration Over Alternative Protocol Exfiltration Over C2 Channel Exfiltration Over Web Service: Exfiltration to Cloud Storage Exfiltration Over Web Service	Account Access Removal Data Destruction Resource Hijacking Data Encrypted for Impact Inhibit System Recovery