2_ds__.md

December 5, 2023 · View on GitHub

Use-CaseActivity Types/ParsersMITRE ATT&CK® TTPContent
Audit Tamperingaudit-log-clear
microsoft-defenderep-cef-process-memory-allocate-advancedhunting
microsoft-evsecurity-json-log-clear-success-auditlogcleared
microsoft-evsecurity-kv-log-clear-success-1102-2

process-created
microsoft-defenderep-json-process-create-success-processevents
T1059 - Command and Scripting Interperter
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1546.003 - T1546.003
T1562 - Impair Defenses
T1562.002 - T1562.002
T1562.006 - T1562.006
  • 8 Rules
  • 2 Models
Compromised Credentialsapp-activity
crowdstrike-falcon-cef-app-activity-useraccountadded
pan-ngfw-cef-app-activity-success-tunnellatency
pan-ngfw-cef-app-activity-success-getconfig
pan-ngfw-cef-app-activity-success-hipreport
pan-ngfw-cef-app-activity-success-ipsec
pan-gp-cef-app-activity-success-globalprotect
pan-ngfw-cef-app-activity-success-globalprotect-1
pan-ngfw-cef-app-activity-success-globalprotect
microsoft-azure-mix-app-activity-success-caller
netskope-sc-json-app-activity-success-upload
github-g-json-app-activity-success-pullrequestreviewcommentcreate
github-g-json-app-activity-success-pullrequestreviewsubmit
github-g-json-branch-protection-enable-success-protectedbranchcreate
github-g-json-branch-protection-disable-success-protectedbranchdestroy
github-g-json-repository-create-success-gitclone
microsoft-evsecurity-json-endpoint-endpoint-logout-success-userinitiatedlogoff
github-g-json-app-activity-success-pullrequest
github-g-json-app-activity-success-workflows
github-g-json-app-activity-success-team
github-g-json-app-activity-success-org
accellion-kw-json-file-upload-success-addfile
crowdstrike-falcon-json-app-activity-awsec2securitygroup
crowdstrike-falcon-json-app-activity-awsec2networkaclentry
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
cisco-duo-sk4-app-activity-success-admincreate
imprivata-i-kv-app-activity-success-agentshutdown
imprivata-i-kv-app-activity-success-passwordreset
microsoft-o365-json-app-activity-success-graphdirectoryauditlogs
exabeam-search-json-app-activity-success-groupmodified
exabeam-search-json-app-activity-success-permissionchange
exabeam-search-json-app-activity-success-logsourceadded
sentinelone-singularityp-json-registry-delete-success-valuedelete
sentinelone-singularityp-json-registry-delete-success-keydelete
sentinelone-singularityp-json-group-create-success-groupcreation
github-g-json-repository-push-success-gitpush
github-g-json-repository-pull-success-gitfetch
github-g-json-hook-create-success-repocreate
github-g-json-repository-create-success-repocreate
github-g-json-branch-protection-modify-success-policyoverride
github-g-json-branch-protection-modify-success-protectedbranchupdateadminenforced
github-g-json-branch-protection-modify-success-protectedbranchupdate
github-g-json-repository-modify-success-repo
github-g-json-repository-modify-success-repo

app-login
rubrik-cdm-kv-app-login-success-loggedin-1
microsoft-defenderep-cef-service-create-serviceinstalled
symantec-edr-json-app-notification-success-2-1
sap-sf-mix-group-create-mulee
sap-sf-mix-group-modify-update
sap-sf-mix-group-modify-mulee
sap-sf-mix-app-activity-processmulee
accellion-kw-json-app-login-success-adminloggedin
microsoft-windows-json-app-login-wazuhalerts

authentication-successful
wazuh-w-json-endpoint-activity-success-typewazuhalerts
pan-ngfw-leef-endpoint-authentication-success-authsuccess
github-g-json-app-authentication-success-orgssoresponse

database-login
microsoft-mssql-kv-database-login-success-33205
oracle-avdf-json-database-login-success-loginsucceeded
ibm-db2-kv-database-login-fail-validate

failed-app-login
microsoft-windows-json-app-login-wazuhalerts
sailpoint-identityiq-json-app-login-fail-faillogin

failed-logon
cyberark-pam-kv-endpoint-login-fail-failedtoinit
auth0-a-json-endpoint-login-fail-invalidrequest-1
auth0-a-json-endpoint-login-fail-fp
auth0-a-json-endpoint-login-fail-invalidrequest

failed-vpn-login
pan-gp-csv-vpn-login-fail-loginfailure

file-delete
cyberark-pam-kv-file-delete-success-deletefile
microsoft-defenderep-cef-file-devicefileevents
sftp-s-csv-file-delete-success-filedeleted
sentinelone-singularityp-json-file-edreventcategory

file-read
cyberark-pam-kv-file-read-success-openfile
cyberark-pam-kv-file-read-success-retrievefile

file-write
cyberark-pam-kv-file-write-success-storefile
cyberark-pam-kv-file-write-success-openfile
microsoft-defenderep-cef-file-devicefileevents
sentinelone-singularityp-json-file-edreventcategory

process-created
microsoft-defenderep-json-process-create-success-processevents

remote-logon
vmware-carbonblackedr-sk4-dll-load-moduleload
vmware-carbonblackedr-sk4-dll-load-moduleload
cyberark-pam-kv-ssh-traffic-success-keystrokelogin
cyberark-pam-kv-rdp-traffic-success-windowtitle
cyberark-pam-kv-rdp-traffic-success-secureconnect
cyberark-pam-kv-rdp-traffic-success-psmconnect
dell-sw-kv-rdp-traffic-success-sslvpn

security-alert
cisco-secureendpoint-sk4-alert-trigger-success-majorfaultraised
cisco-secureendpoint-sk4-alert-trigger-success-threatdetection
pan-ngfw-json-alert-trigger-success-spyware
pan-ngfw-json-alert-trigger-success-vulnerability-1
symantec-endpointprotection-cef-alert-trigger-success-sepproxyipsevent
symantec-endpointprotection-cef-alert-trigger-success-sepproxyinsightevent
symantec-endpointprotection-cef-alert-trigger-success-sepproxysonarevent
sophos-ep-sk4-alert-trigger-success-threatdetected
sophos-ep-cef-alert-trigger-success-windowsfirewallblock
sophos-ep-cef-alert-trigger-success-puadetected
sophos-ep-sk4-alert-trigger-success-hmpacrypyguard
sophos-ep-cef-alert-trigger-success-safebrowsing
sophos-ep-sk4-alert-trigger-success-corepua
sophos-ep-sk4-alert-trigger-success-event
sophos-ep-sk4-alert-trigger-success-endpointevent
sophos-ep-sk4-alert-trigger-success-enc
sophos-ep-cef-alert-trigger-success-exploitprevented
sophos-ep-sk4-alert-trigger-success-threatclean
sophos-ep-sk4-alert-trigger-success-applicationblock
sophos-ep-sk4-alert-trigger-success-controlviolation
sophos-ep-sk4-alert-trigger-success-savdisable
trendmicro-officescan-kv-alert-trigger-success-graywarefound
trendmicro-officescan-leef-alert-trigger-success-antimalware
proofpoint-tap-json-email-receive-emailthreat-1
sophos-ep-cef-alert-trigger-success-hmpacredguard
sophos-ep-sk4-alert-trigger-success-privilegeexploitprevented
sophos-ep-cef-alert-trigger-success-threat
sophos-ep-sk4-alert-trigger-success-threatdetected-1
kaspersky-endpointsecurity-cef-alert-trigger-success-endpointsecurity
pan-wildfire-cef-alert-trigger-success-filethreat
checkpoint-ngfw-kv-network-traffic-outbound

vpn-login
pan-gp-csv-vpn-login-success-connected

web-activity-allowed
trendmicro-iws-cef-http-session-mcafeeesm
vmware-carbonblackedr-sk4-registry-modify-success-requestclientapplication

web-activity-denied
trendmicro-iws-cef-http-session-mcafeeesm
T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1021 - Remote Services
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1040 - Network Sniffing
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1083 - File and Directory Discovery
T1102 - Web Service
T1133 - External Remote Services
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1204.001 - T1204.001
T1213 - Data from Information Repositories
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
  • 219 Rules
  • 98 Models
Cryptominingprocess-created
microsoft-defenderep-json-process-create-success-processevents

web-activity-allowed
trendmicro-iws-cef-http-session-mcafeeesm
vmware-carbonblackedr-sk4-registry-modify-success-requestclientapplication

web-activity-denied
trendmicro-iws-cef-http-session-mcafeeesm
T1071.001 - Application Layer Protocol: Web Protocols
T1496 - Resource Hijacking
  • 2 Rules
Data Accessapp-activity
crowdstrike-falcon-cef-app-activity-useraccountadded
pan-ngfw-cef-app-activity-success-tunnellatency
pan-ngfw-cef-app-activity-success-getconfig
pan-ngfw-cef-app-activity-success-hipreport
pan-ngfw-cef-app-activity-success-ipsec
pan-gp-cef-app-activity-success-globalprotect
pan-ngfw-cef-app-activity-success-globalprotect-1
pan-ngfw-cef-app-activity-success-globalprotect
microsoft-azure-mix-app-activity-success-caller
netskope-sc-json-app-activity-success-upload
github-g-json-app-activity-success-pullrequestreviewcommentcreate
github-g-json-app-activity-success-pullrequestreviewsubmit
github-g-json-branch-protection-enable-success-protectedbranchcreate
github-g-json-branch-protection-disable-success-protectedbranchdestroy
github-g-json-repository-create-success-gitclone
microsoft-evsecurity-json-endpoint-endpoint-logout-success-userinitiatedlogoff
github-g-json-app-activity-success-pullrequest
github-g-json-app-activity-success-workflows
github-g-json-app-activity-success-team
github-g-json-app-activity-success-org
accellion-kw-json-file-upload-success-addfile
crowdstrike-falcon-json-app-activity-awsec2securitygroup
crowdstrike-falcon-json-app-activity-awsec2networkaclentry
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
cisco-duo-sk4-app-activity-success-admincreate
imprivata-i-kv-app-activity-success-agentshutdown
imprivata-i-kv-app-activity-success-passwordreset
microsoft-o365-json-app-activity-success-graphdirectoryauditlogs
exabeam-search-json-app-activity-success-groupmodified
exabeam-search-json-app-activity-success-permissionchange
exabeam-search-json-app-activity-success-logsourceadded
sentinelone-singularityp-json-registry-delete-success-valuedelete
sentinelone-singularityp-json-registry-delete-success-keydelete
sentinelone-singularityp-json-group-create-success-groupcreation
github-g-json-repository-push-success-gitpush
github-g-json-repository-pull-success-gitfetch
github-g-json-hook-create-success-repocreate
github-g-json-repository-create-success-repocreate
github-g-json-branch-protection-modify-success-policyoverride
github-g-json-branch-protection-modify-success-protectedbranchupdateadminenforced
github-g-json-branch-protection-modify-success-protectedbranchupdate
github-g-json-repository-modify-success-repo
github-g-json-repository-modify-success-repo

app-login
rubrik-cdm-kv-app-login-success-loggedin-1
microsoft-defenderep-cef-service-create-serviceinstalled
symantec-edr-json-app-notification-success-2-1
sap-sf-mix-group-create-mulee
sap-sf-mix-group-modify-update
sap-sf-mix-group-modify-mulee
sap-sf-mix-app-activity-processmulee
accellion-kw-json-app-login-success-adminloggedin
microsoft-windows-json-app-login-wazuhalerts

database-login
microsoft-mssql-kv-database-login-success-33205
oracle-avdf-json-database-login-success-loginsucceeded
ibm-db2-kv-database-login-fail-validate

failed-app-login
microsoft-windows-json-app-login-wazuhalerts
sailpoint-identityiq-json-app-login-fail-faillogin

file-delete
cyberark-pam-kv-file-delete-success-deletefile
microsoft-defenderep-cef-file-devicefileevents
sftp-s-csv-file-delete-success-filedeleted
sentinelone-singularityp-json-file-edreventcategory

file-read
cyberark-pam-kv-file-read-success-openfile
cyberark-pam-kv-file-read-success-retrievefile

file-write
cyberark-pam-kv-file-write-success-storefile
cyberark-pam-kv-file-write-success-openfile
microsoft-defenderep-cef-file-devicefileevents
sentinelone-singularityp-json-file-edreventcategory

process-created
microsoft-defenderep-json-process-create-success-processevents
T1003 - OS Credential Dumping
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1213 - Data from Information Repositories
  • 55 Rules
  • 29 Models
Data Exfiltrationdlp-alert
sophos-ep-sk4-alert-trigger-success-peripheralblock
sophos-ep-sk4-alert-trigger-success-encryptionsuspened
proofpoint-pep-cef-email-alert-success-emaildelivery

file-alert
vmware-carbonblackappctrl-cef-alert-trigger-success-protection
vmware-carbonblackappctrl-cef-alert-trigger-success-appcontrol
pan-wildfire-cef-alert-trigger-success-filethreat

file-write
cyberark-pam-kv-file-write-success-storefile
cyberark-pam-kv-file-write-success-openfile
microsoft-defenderep-cef-file-devicefileevents
sentinelone-singularityp-json-file-edreventcategory

process-created
microsoft-defenderep-json-process-create-success-processevents

web-activity-allowed
trendmicro-iws-cef-http-session-mcafeeesm
vmware-carbonblackedr-sk4-registry-modify-success-requestclientapplication

web-activity-denied
trendmicro-iws-cef-http-session-mcafeeesm
T1003 - OS Credential Dumping
T1020 - Automated Exfiltration
T1040 - Network Sniffing
T1041 - Exfiltration Over C2 Channel
T1048 - Exfiltration Over Alternative Protocol
T1059 - Command and Scripting Interperter
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1071.002 - Application Layer Protocol: File Transfer Protocols
T1071.004 - Application Layer Protocol: DNS
T1552.001 - T1552.001
T1560 - Archive Collected Data
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
T1568 - Dynamic Resolution
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1572 - Protocol Tunneling
TA0002 - TA0002
TA0010 - TA0010
  • 46 Rules
  • 20 Models
Data Leakapp-activity
crowdstrike-falcon-cef-app-activity-useraccountadded
pan-ngfw-cef-app-activity-success-tunnellatency
pan-ngfw-cef-app-activity-success-getconfig
pan-ngfw-cef-app-activity-success-hipreport
pan-ngfw-cef-app-activity-success-ipsec
pan-gp-cef-app-activity-success-globalprotect
pan-ngfw-cef-app-activity-success-globalprotect-1
pan-ngfw-cef-app-activity-success-globalprotect
microsoft-azure-mix-app-activity-success-caller
netskope-sc-json-app-activity-success-upload
github-g-json-app-activity-success-pullrequestreviewcommentcreate
github-g-json-app-activity-success-pullrequestreviewsubmit
github-g-json-branch-protection-enable-success-protectedbranchcreate
github-g-json-branch-protection-disable-success-protectedbranchdestroy
github-g-json-repository-create-success-gitclone
microsoft-evsecurity-json-endpoint-endpoint-logout-success-userinitiatedlogoff
github-g-json-app-activity-success-pullrequest
github-g-json-app-activity-success-workflows
github-g-json-app-activity-success-team
github-g-json-app-activity-success-org
accellion-kw-json-file-upload-success-addfile
crowdstrike-falcon-json-app-activity-awsec2securitygroup
crowdstrike-falcon-json-app-activity-awsec2networkaclentry
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
cisco-duo-sk4-app-activity-success-admincreate
imprivata-i-kv-app-activity-success-agentshutdown
imprivata-i-kv-app-activity-success-passwordreset
microsoft-o365-json-app-activity-success-graphdirectoryauditlogs
exabeam-search-json-app-activity-success-groupmodified
exabeam-search-json-app-activity-success-permissionchange
exabeam-search-json-app-activity-success-logsourceadded
sentinelone-singularityp-json-registry-delete-success-valuedelete
sentinelone-singularityp-json-registry-delete-success-keydelete
sentinelone-singularityp-json-group-create-success-groupcreation
github-g-json-repository-push-success-gitpush
github-g-json-repository-pull-success-gitfetch
github-g-json-hook-create-success-repocreate
github-g-json-repository-create-success-repocreate
github-g-json-branch-protection-modify-success-policyoverride
github-g-json-branch-protection-modify-success-protectedbranchupdateadminenforced
github-g-json-branch-protection-modify-success-protectedbranchupdate
github-g-json-repository-modify-success-repo
github-g-json-repository-modify-success-repo

dlp-alert
sophos-ep-sk4-alert-trigger-success-peripheralblock
sophos-ep-sk4-alert-trigger-success-encryptionsuspened
proofpoint-pep-cef-email-alert-success-emaildelivery

dlp-email-alert-out
dg-ndlp-kv-email-send-success-28-1
dg-ndlp-kv-email-send-success-sendmail
microsoft-o365-cef-email-send-workload
accellion-kw-json-email-send-success-sendemail
proofpoint-pep-cef-email-alert-success-emaildelivery
proofpoint-tap-json-email-emailthreat
checkpoint-avanan-json-email-send-securityevent
checkpoint-avanan-json-email-send-avanansecurityevent

dlp-email-alert-out-failed
microsoft-o365-cef-email-send-workload
proofpoint-tap-json-email-emailthreat
checkpoint-avanan-json-email-send-securityevent
checkpoint-avanan-json-email-send-avanansecurityevent

file-write
cyberark-pam-kv-file-write-success-storefile
cyberark-pam-kv-file-write-success-openfile
microsoft-defenderep-cef-file-devicefileevents
sentinelone-singularityp-json-file-edreventcategory

print-activity
dg-ep-kv-printer-activity-success-22

usb-insert
dg-ep-kv-peripheral-storage-insert-success-deviceadded-1

web-activity-allowed
trendmicro-iws-cef-http-session-mcafeeesm
vmware-carbonblackedr-sk4-registry-modify-success-requestclientapplication

web-activity-denied
trendmicro-iws-cef-http-session-mcafeeesm
T1020 - Automated Exfiltration
T1041 - Exfiltration Over C2 Channel
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1052 - Exfiltration Over Physical Medium
T1052.001 - Exfiltration Over Physical Medium: Exfiltration over USB
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1091 - Replication Through Removable Media
T1114.001 - T1114.001
T1114.003 - Email Collection: Email Forwarding Rule
T1567 - Exfiltration Over Web Service
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
TA0010 - TA0010
  • 90 Rules
  • 41 Models
Evasionaudit-log-clear
microsoft-defenderep-cef-process-memory-allocate-advancedhunting
microsoft-evsecurity-json-log-clear-success-auditlogcleared
microsoft-evsecurity-kv-log-clear-success-1102-2

process-created
microsoft-defenderep-json-process-create-success-processevents

registry-write
vmware-carbonblackedr-sk4-dll-load-moduleload
checkpoint-ngfw-kv-network-traffic-outbound
sentinelone-singularityp-json-registry-create-success-keycreate
sentinelone-singularityp-json-registry-create-success-valuecreate
sentinelone-singularityp-json-registry-modify-success-keysecuritychanges
sentinelone-singularityp-json-registry-modify-success-valuemodifies
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.003 - Masquerading: Rename System Utilities
T1036.005 - Masquerading: Match Legitimate Name or Location
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.005 - T1059.005
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1105 - Ingress Tool Transfer
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1140 - Deobfuscate/Decode Files or Information
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1218 - Signed Binary Proxy Execution
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.008 - T1218.008
T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1484.001 - T1484.001
T1542.003 - T1542.003
T1543.003 - Create or Modify System Process: Windows Service
T1552.006 - T1552.006
T1562 - Impair Defenses
T1562.001 - T1562.001
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1562.006 - T1562.006
T1564.001 - T1564.001
T1564.002 - T1564.002
T1564.004 - Hide Artifacts: NTFS File Attributes
T1574 - Hijack Execution Flow
  • 47 Rules
  • 3 Models
Lateral Movementapp-activity
crowdstrike-falcon-cef-app-activity-useraccountadded
pan-ngfw-cef-app-activity-success-tunnellatency
pan-ngfw-cef-app-activity-success-getconfig
pan-ngfw-cef-app-activity-success-hipreport
pan-ngfw-cef-app-activity-success-ipsec
pan-gp-cef-app-activity-success-globalprotect
pan-ngfw-cef-app-activity-success-globalprotect-1
pan-ngfw-cef-app-activity-success-globalprotect
microsoft-azure-mix-app-activity-success-caller
netskope-sc-json-app-activity-success-upload
github-g-json-app-activity-success-pullrequestreviewcommentcreate
github-g-json-app-activity-success-pullrequestreviewsubmit
github-g-json-branch-protection-enable-success-protectedbranchcreate
github-g-json-branch-protection-disable-success-protectedbranchdestroy
github-g-json-repository-create-success-gitclone
microsoft-evsecurity-json-endpoint-endpoint-logout-success-userinitiatedlogoff
github-g-json-app-activity-success-pullrequest
github-g-json-app-activity-success-workflows
github-g-json-app-activity-success-team
github-g-json-app-activity-success-org
accellion-kw-json-file-upload-success-addfile
crowdstrike-falcon-json-app-activity-awsec2securitygroup
crowdstrike-falcon-json-app-activity-awsec2networkaclentry
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
cisco-duo-sk4-app-activity-success-admincreate
imprivata-i-kv-app-activity-success-agentshutdown
imprivata-i-kv-app-activity-success-passwordreset
microsoft-o365-json-app-activity-success-graphdirectoryauditlogs
exabeam-search-json-app-activity-success-groupmodified
exabeam-search-json-app-activity-success-permissionchange
exabeam-search-json-app-activity-success-logsourceadded
sentinelone-singularityp-json-registry-delete-success-valuedelete
sentinelone-singularityp-json-registry-delete-success-keydelete
sentinelone-singularityp-json-group-create-success-groupcreation
github-g-json-repository-push-success-gitpush
github-g-json-repository-pull-success-gitfetch
github-g-json-hook-create-success-repocreate
github-g-json-repository-create-success-repocreate
github-g-json-branch-protection-modify-success-policyoverride
github-g-json-branch-protection-modify-success-protectedbranchupdateadminenforced
github-g-json-branch-protection-modify-success-protectedbranchupdate
github-g-json-repository-modify-success-repo
github-g-json-repository-modify-success-repo

app-activity-failed
crowdstrike-falcon-cef-app-activity-useraccountadded
crowdstrike-falcon-json-app-activity-awsec2securitygroup
crowdstrike-falcon-json-app-activity-awsec2networkaclentry
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface

app-login
rubrik-cdm-kv-app-login-success-loggedin-1
microsoft-defenderep-cef-service-create-serviceinstalled
symantec-edr-json-app-notification-success-2-1
sap-sf-mix-group-create-mulee
sap-sf-mix-group-modify-update
sap-sf-mix-group-modify-mulee
sap-sf-mix-app-activity-processmulee
accellion-kw-json-app-login-success-adminloggedin
microsoft-windows-json-app-login-wazuhalerts

authentication-failed
zscaler-pa-json-app-activity-success-create
zscaler-pa-json-app-activity-success-delete
zscaler-pa-json-app-activity-success-update
forcepoint-ngfw-cef-network-close-connectionclosed
forcepoint-ngfw-cef-app-activity-log
rsa-ram-kv-app-logout-success-sessiontimeout
rsa-ram-kv-app-logout-success-userlogout
rsa-ram-kv-user-modify-success-condition
rsa-ram-kv-app-login-success-userlogin
rsa-ram-kv-app-login-success-singlepoint
rsa-ram-kv-app-authentication-success-userauthenticated-1
rsa-ram-kv-app-authentication-success-userstepup
rsa-ram-csv-app-authentication-success-request
rsa-ram-csv-app-authentication-success-validuser
rsa-ram-kv-app-authentication-success-radius
rsa-ram-kv-app-authentication-success-userauthenticated
rsa-ram-kv-app-authentication-success-decisionpoint
rsa-ram-kv-app-authentication-fail-singlepoint
rsa-ram-kv-app-authentication-fail-userprotected
rsa-ram-csv-app-notification-success-servertest
rsa-ram-csv-app-notification-success-resourcecheck
rsa-ram-csv-app-notification-success-validgroup
rsa-ram-csv-app-notification-success-notingroup
rsa-ram-csv-app-notification-success-checkresource
rsa-ram-str-configuration-routing-modify-success-systemconfig
rsa-ram-kv-configuration-modify-success-confighost
rsa-ram-str-configuration-modify-success-configupdate
banyansecurity-bnn-json-endpoint-authentication-fail-connectionunauthorized
banyansecurity-bnn-json-app-authentication-fail-accessunauthorized
banyansecurity-bnn-json-app-authentication-fail-identitydeny

authentication-successful
wazuh-w-json-endpoint-activity-success-typewazuhalerts
pan-ngfw-leef-endpoint-authentication-success-authsuccess
github-g-json-app-authentication-success-orgssoresponse

failed-app-login
microsoft-windows-json-app-login-wazuhalerts
sailpoint-identityiq-json-app-login-fail-faillogin

failed-logon
cyberark-pam-kv-endpoint-login-fail-failedtoinit
auth0-a-json-endpoint-login-fail-invalidrequest-1
auth0-a-json-endpoint-login-fail-fp
auth0-a-json-endpoint-login-fail-invalidrequest

failed-vpn-login
pan-gp-csv-vpn-login-fail-loginfailure

network-connection-failed
checkpoint-ngfw-json-network-traffic-fail-drop
checkpoint-ngfw-kv-network-traffic-fail-drop-1
checkpoint-ngfw-kv-network-traffic-fail-reject
checkpoint-ngfw-json-network-traffic-fail-reject
checkpoint-ngfw-leef-network-traffic-applicationcontrol
checkpoint-ngfw-leef-network-traffic-firewall
checkpoint-ngfw-kv-network-traffic-vpn-1
pan-ngfw-csv-network-traffic-fail-drop
pan-ngfw-kv-network-traffic-fail-drop
pan-ngfw-leef-network-traffic-fail-deny
pan-ngfw-leef-network-traffic-fail-drop
pan-ngfw-leef-network-traffic-fail-deny-1
pan-ngfw-cef-network-traffic-fail-deny
pan-ngfw-cef-network-traffic-fail-drop
symantec-bcpa-str-network-traffic-fail-ssl
juniper-srx-kv-network-traffic-fail-actiondeny
watchguard-w-kv-network-traffic-firewall-1
watchguard-w-kv-network-traffic-firewall-2
watchguard-w-kv-network-traffic-firewall
forcepoint-ngfw-cef-network-traffic-1004

network-connection-successful
checkpoint-ngfw-kv-network-traffic-success-accept-4
checkpoint-ngfw-kv-network-traffic-success-accept-3
checkpoint-ngfw-kv-network-traffic-success-accept-2
checkpoint-ngfw-leef-network-traffic-applicationcontrol
checkpoint-ngfw-leef-network-traffic-firewall
checkpoint-ngfw-kv-network-traffic-vpn-1
pan-ngfw-cef-network-traffic-success-end
pan-ngfw-csv-network-traffic-success-allow
juniper-srx-kv-network-traffic-success-actionpermit
watchguard-w-kv-network-traffic-firewall-1
watchguard-w-kv-network-traffic-firewall-2
watchguard-w-kv-network-traffic-firewall
forcepoint-ngfw-cef-network-traffic-1004
pan-ngfw-kv-network-traffic-success-end
pan-ngfw-cef-network-traffic-success-traffic

process-created
microsoft-defenderep-json-process-create-success-processevents

remote-logon
vmware-carbonblackedr-sk4-dll-load-moduleload
vmware-carbonblackedr-sk4-dll-load-moduleload
cyberark-pam-kv-ssh-traffic-success-keystrokelogin
cyberark-pam-kv-rdp-traffic-success-windowtitle
cyberark-pam-kv-rdp-traffic-success-secureconnect
cyberark-pam-kv-rdp-traffic-success-psmconnect
dell-sw-kv-rdp-traffic-success-sslvpn

security-alert
cisco-secureendpoint-sk4-alert-trigger-success-majorfaultraised
cisco-secureendpoint-sk4-alert-trigger-success-threatdetection
pan-ngfw-json-alert-trigger-success-spyware
pan-ngfw-json-alert-trigger-success-vulnerability-1
symantec-endpointprotection-cef-alert-trigger-success-sepproxyipsevent
symantec-endpointprotection-cef-alert-trigger-success-sepproxyinsightevent
symantec-endpointprotection-cef-alert-trigger-success-sepproxysonarevent
sophos-ep-sk4-alert-trigger-success-threatdetected
sophos-ep-cef-alert-trigger-success-windowsfirewallblock
sophos-ep-cef-alert-trigger-success-puadetected
sophos-ep-sk4-alert-trigger-success-hmpacrypyguard
sophos-ep-cef-alert-trigger-success-safebrowsing
sophos-ep-sk4-alert-trigger-success-corepua
sophos-ep-sk4-alert-trigger-success-event
sophos-ep-sk4-alert-trigger-success-endpointevent
sophos-ep-sk4-alert-trigger-success-enc
sophos-ep-cef-alert-trigger-success-exploitprevented
sophos-ep-sk4-alert-trigger-success-threatclean
sophos-ep-sk4-alert-trigger-success-applicationblock
sophos-ep-sk4-alert-trigger-success-controlviolation
sophos-ep-sk4-alert-trigger-success-savdisable
trendmicro-officescan-kv-alert-trigger-success-graywarefound
trendmicro-officescan-leef-alert-trigger-success-antimalware
proofpoint-tap-json-email-receive-emailthreat-1
sophos-ep-cef-alert-trigger-success-hmpacredguard
sophos-ep-sk4-alert-trigger-success-privilegeexploitprevented
sophos-ep-cef-alert-trigger-success-threat
sophos-ep-sk4-alert-trigger-success-threatdetected-1
kaspersky-endpointsecurity-cef-alert-trigger-success-endpointsecurity
pan-wildfire-cef-alert-trigger-success-filethreat
checkpoint-ngfw-kv-network-traffic-outbound

vpn-login
pan-gp-csv-vpn-login-success-connected

web-activity-allowed
trendmicro-iws-cef-http-session-mcafeeesm
vmware-carbonblackedr-sk4-registry-modify-success-requestclientapplication

web-activity-denied
trendmicro-iws-cef-http-session-mcafeeesm
T1018 - Remote System Discovery
T1021 - Remote Services
T1021.001 - Remote Services: Remote Desktop Protocol
T1021.003 - T1021.003
T1021.006 - T1021.006
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1047 - Windows Management Instrumentation
T1059.001 - Command and Scripting Interperter: PowerShell
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1090 - Proxy
T1090.003 - Proxy: Multi-hop Proxy
T1110 - Brute Force
T1110.003 - T1110.003
T1190 - Exploit Public Fasing Application
T1210 - Exploitation of Remote Services
T1219 - Remote Access Software
T1550 - Use Alternate Authentication Material
T1550.002 - Use Alternate Authentication Material: Pass the Hash
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1563.002 - T1563.002
TA0010 - TA0010
TA0011 - TA0011
  • 126 Rules
  • 34 Models
Malwareaccount-switch
unix-unixauditd-cef-user-switch-success-userrolechange
unix-unixauditd-json-user-switch-success-sessionopen
unix-unix-json-user-switch-success-pamsessionopen

app-activity
crowdstrike-falcon-cef-app-activity-useraccountadded
pan-ngfw-cef-app-activity-success-tunnellatency
pan-ngfw-cef-app-activity-success-getconfig
pan-ngfw-cef-app-activity-success-hipreport
pan-ngfw-cef-app-activity-success-ipsec
pan-gp-cef-app-activity-success-globalprotect
pan-ngfw-cef-app-activity-success-globalprotect-1
pan-ngfw-cef-app-activity-success-globalprotect
microsoft-azure-mix-app-activity-success-caller
netskope-sc-json-app-activity-success-upload
github-g-json-app-activity-success-pullrequestreviewcommentcreate
github-g-json-app-activity-success-pullrequestreviewsubmit
github-g-json-branch-protection-enable-success-protectedbranchcreate
github-g-json-branch-protection-disable-success-protectedbranchdestroy
github-g-json-repository-create-success-gitclone
microsoft-evsecurity-json-endpoint-endpoint-logout-success-userinitiatedlogoff
github-g-json-app-activity-success-pullrequest
github-g-json-app-activity-success-workflows
github-g-json-app-activity-success-team
github-g-json-app-activity-success-org
accellion-kw-json-file-upload-success-addfile
crowdstrike-falcon-json-app-activity-awsec2securitygroup
crowdstrike-falcon-json-app-activity-awsec2networkaclentry
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
cisco-duo-sk4-app-activity-success-admincreate
imprivata-i-kv-app-activity-success-agentshutdown
imprivata-i-kv-app-activity-success-passwordreset
microsoft-o365-json-app-activity-success-graphdirectoryauditlogs
exabeam-search-json-app-activity-success-groupmodified
exabeam-search-json-app-activity-success-permissionchange
exabeam-search-json-app-activity-success-logsourceadded
sentinelone-singularityp-json-registry-delete-success-valuedelete
sentinelone-singularityp-json-registry-delete-success-keydelete
sentinelone-singularityp-json-group-create-success-groupcreation
github-g-json-repository-push-success-gitpush
github-g-json-repository-pull-success-gitfetch
github-g-json-hook-create-success-repocreate
github-g-json-repository-create-success-repocreate
github-g-json-branch-protection-modify-success-policyoverride
github-g-json-branch-protection-modify-success-protectedbranchupdateadminenforced
github-g-json-branch-protection-modify-success-protectedbranchupdate
github-g-json-repository-modify-success-repo
github-g-json-repository-modify-success-repo

app-login
rubrik-cdm-kv-app-login-success-loggedin-1
microsoft-defenderep-cef-service-create-serviceinstalled
symantec-edr-json-app-notification-success-2-1
sap-sf-mix-group-create-mulee
sap-sf-mix-group-modify-update
sap-sf-mix-group-modify-mulee
sap-sf-mix-app-activity-processmulee
accellion-kw-json-app-login-success-adminloggedin
microsoft-windows-json-app-login-wazuhalerts

authentication-successful
wazuh-w-json-endpoint-activity-success-typewazuhalerts
pan-ngfw-leef-endpoint-authentication-success-authsuccess
github-g-json-app-authentication-success-orgssoresponse

dlp-alert
sophos-ep-sk4-alert-trigger-success-peripheralblock
sophos-ep-sk4-alert-trigger-success-encryptionsuspened
proofpoint-pep-cef-email-alert-success-emaildelivery

dlp-email-alert-in
proofpoint-tap-json-email-emailthreat
proofpoint-tap-sk4-email-receive-threatdetected
proofpoint-tap-json-email-receive-emailthreat-1
checkpoint-avanan-json-email-receive-avanansecurityevent
checkpoint-avanan-json-email-receive-securityevent

dlp-email-alert-out
dg-ndlp-kv-email-send-success-28-1
dg-ndlp-kv-email-send-success-sendmail
microsoft-o365-cef-email-send-workload
accellion-kw-json-email-send-success-sendemail
proofpoint-pep-cef-email-alert-success-emaildelivery
proofpoint-tap-json-email-emailthreat
checkpoint-avanan-json-email-send-securityevent
checkpoint-avanan-json-email-send-avanansecurityevent

dns-query
zeek-z-json-dns-request-success-zeekdns
crowdstrike-falcon-leef-dns-request-success-dnsrequests
sophos-ep-cef-app-notification-reprotected
microsoft-azuremon-sk4-http-request-success-azurefirewallapplicationrule
microsoft-azuremon-sk4-dns-success-azurefirewalldnsproxy
microsoft-azuremon-sk4-dns-success-azurefirewalldnsproxy
sap-sf-mix-group-create-mulee
sap-sf-mix-group-modify-update
sap-sf-mix-group-modify-mulee

dns-response
cisco-umbrella-kv-dns-response-success-proxied
cisco-umbrella-sk4-dns-response-success-roamingclient

failed-logon
cyberark-pam-kv-endpoint-login-fail-failedtoinit
auth0-a-json-endpoint-login-fail-invalidrequest-1
auth0-a-json-endpoint-login-fail-fp
auth0-a-json-endpoint-login-fail-invalidrequest

file-alert
vmware-carbonblackappctrl-cef-alert-trigger-success-protection
vmware-carbonblackappctrl-cef-alert-trigger-success-appcontrol
pan-wildfire-cef-alert-trigger-success-filethreat

file-write
cyberark-pam-kv-file-write-success-storefile
cyberark-pam-kv-file-write-success-openfile
microsoft-defenderep-cef-file-devicefileevents
sentinelone-singularityp-json-file-edreventcategory

network-connection-failed
checkpoint-ngfw-json-network-traffic-fail-drop
checkpoint-ngfw-kv-network-traffic-fail-drop-1
checkpoint-ngfw-kv-network-traffic-fail-reject
checkpoint-ngfw-json-network-traffic-fail-reject
checkpoint-ngfw-leef-network-traffic-applicationcontrol
checkpoint-ngfw-leef-network-traffic-firewall
checkpoint-ngfw-kv-network-traffic-vpn-1
pan-ngfw-csv-network-traffic-fail-drop
pan-ngfw-kv-network-traffic-fail-drop
pan-ngfw-leef-network-traffic-fail-deny
pan-ngfw-leef-network-traffic-fail-drop
pan-ngfw-leef-network-traffic-fail-deny-1
pan-ngfw-cef-network-traffic-fail-deny
pan-ngfw-cef-network-traffic-fail-drop
symantec-bcpa-str-network-traffic-fail-ssl
juniper-srx-kv-network-traffic-fail-actiondeny
watchguard-w-kv-network-traffic-firewall-1
watchguard-w-kv-network-traffic-firewall-2
watchguard-w-kv-network-traffic-firewall
forcepoint-ngfw-cef-network-traffic-1004

network-connection-successful
checkpoint-ngfw-kv-network-traffic-success-accept-4
checkpoint-ngfw-kv-network-traffic-success-accept-3
checkpoint-ngfw-kv-network-traffic-success-accept-2
checkpoint-ngfw-leef-network-traffic-applicationcontrol
checkpoint-ngfw-leef-network-traffic-firewall
checkpoint-ngfw-kv-network-traffic-vpn-1
pan-ngfw-cef-network-traffic-success-end
pan-ngfw-csv-network-traffic-success-allow
juniper-srx-kv-network-traffic-success-actionpermit
watchguard-w-kv-network-traffic-firewall-1
watchguard-w-kv-network-traffic-firewall-2
watchguard-w-kv-network-traffic-firewall
forcepoint-ngfw-cef-network-traffic-1004
pan-ngfw-kv-network-traffic-success-end
pan-ngfw-cef-network-traffic-success-traffic

privileged-access
onapsis-o-json-alert-trigger-erphost
onapsis-o-json-app-notification-logline
onapsis-o-json-app-notification-usermaintenance
onapsis-o-str-app-activity-satori
rubrik-cdm-kv-user-privilege-assign-success-assignedroles

process-created
microsoft-defenderep-json-process-create-success-processevents

registry-write
vmware-carbonblackedr-sk4-dll-load-moduleload
checkpoint-ngfw-kv-network-traffic-outbound
sentinelone-singularityp-json-registry-create-success-keycreate
sentinelone-singularityp-json-registry-create-success-valuecreate
sentinelone-singularityp-json-registry-modify-success-keysecuritychanges
sentinelone-singularityp-json-registry-modify-success-valuemodifies

remote-logon
vmware-carbonblackedr-sk4-dll-load-moduleload
vmware-carbonblackedr-sk4-dll-load-moduleload
cyberark-pam-kv-ssh-traffic-success-keystrokelogin
cyberark-pam-kv-rdp-traffic-success-windowtitle
cyberark-pam-kv-rdp-traffic-success-secureconnect
cyberark-pam-kv-rdp-traffic-success-psmconnect
dell-sw-kv-rdp-traffic-success-sslvpn

security-alert
cisco-secureendpoint-sk4-alert-trigger-success-majorfaultraised
cisco-secureendpoint-sk4-alert-trigger-success-threatdetection
pan-ngfw-json-alert-trigger-success-spyware
pan-ngfw-json-alert-trigger-success-vulnerability-1
symantec-endpointprotection-cef-alert-trigger-success-sepproxyipsevent
symantec-endpointprotection-cef-alert-trigger-success-sepproxyinsightevent
symantec-endpointprotection-cef-alert-trigger-success-sepproxysonarevent
sophos-ep-sk4-alert-trigger-success-threatdetected
sophos-ep-cef-alert-trigger-success-windowsfirewallblock
sophos-ep-cef-alert-trigger-success-puadetected
sophos-ep-sk4-alert-trigger-success-hmpacrypyguard
sophos-ep-cef-alert-trigger-success-safebrowsing
sophos-ep-sk4-alert-trigger-success-corepua
sophos-ep-sk4-alert-trigger-success-event
sophos-ep-sk4-alert-trigger-success-endpointevent
sophos-ep-sk4-alert-trigger-success-enc
sophos-ep-cef-alert-trigger-success-exploitprevented
sophos-ep-sk4-alert-trigger-success-threatclean
sophos-ep-sk4-alert-trigger-success-applicationblock
sophos-ep-sk4-alert-trigger-success-controlviolation
sophos-ep-sk4-alert-trigger-success-savdisable
trendmicro-officescan-kv-alert-trigger-success-graywarefound
trendmicro-officescan-leef-alert-trigger-success-antimalware
proofpoint-tap-json-email-receive-emailthreat-1
sophos-ep-cef-alert-trigger-success-hmpacredguard
sophos-ep-sk4-alert-trigger-success-privilegeexploitprevented
sophos-ep-cef-alert-trigger-success-threat
sophos-ep-sk4-alert-trigger-success-threatdetected-1
kaspersky-endpointsecurity-cef-alert-trigger-success-endpointsecurity
pan-wildfire-cef-alert-trigger-success-filethreat
checkpoint-ngfw-kv-network-traffic-outbound

vpn-login
pan-gp-csv-vpn-login-success-connected

web-activity-allowed
trendmicro-iws-cef-http-session-mcafeeesm
vmware-carbonblackedr-sk4-registry-modify-success-requestclientapplication

web-activity-denied
trendmicro-iws-cef-http-session-mcafeeesm
T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.003 - T1053.003
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1189 - Drive-by Compromise
T1190 - Exploit Public Fasing Application
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.001 - T1204.001
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.008 - T1218.008
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1562.004 - Impair Defenses: Disable or Modify System Firewall
T1563.002 - T1563.002
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
T1583.001 - T1583.001
TA0002 - TA0002
TA0011 - TA0011
  • 215 Rules
  • 38 Models
Phishingdlp-email-alert-out
dg-ndlp-kv-email-send-success-28-1
dg-ndlp-kv-email-send-success-sendmail
microsoft-o365-cef-email-send-workload
accellion-kw-json-email-send-success-sendemail
proofpoint-pep-cef-email-alert-success-emaildelivery
proofpoint-tap-json-email-emailthreat
checkpoint-avanan-json-email-send-securityevent
checkpoint-avanan-json-email-send-avanansecurityevent

process-created
microsoft-defenderep-json-process-create-success-processevents

web-activity-allowed
trendmicro-iws-cef-http-session-mcafeeesm
vmware-carbonblackedr-sk4-registry-modify-success-requestclientapplication

web-activity-denied
trendmicro-iws-cef-http-session-mcafeeesm
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1189 - Drive-by Compromise
T1204.001 - T1204.001
T1534 - Internal Spearphishing
T1566.001 - T1566.001
T1566.002 - Phishing: Spearphishing Link
T1598.003 - T1598.003
  • 5 Rules
  • 1 Models
Privilege Abuseaccount-creation
unix-unix-json-user-create-success-adduser
sailpoint-securityiq-kv-user-create-success-create

account-password-change
microsoft-azuread-sk4-user-password-modify-success-changepassword
microsoft-azuread-sk4-user-password-modify-success-userpasswordchange
manageengine-adssp-cef-user-password-modify-success-changepasswordsuccess
manageengine-adssp-cef-user-password-modify-success-changepasswordsuccess-1

account-password-reset
secureauth-idp-kv-user-password-reset-fail-passwordreset

account-switch
unix-unixauditd-cef-user-switch-success-userrolechange
unix-unixauditd-json-user-switch-success-sessionopen
unix-unix-json-user-switch-success-pamsessionopen

app-activity
crowdstrike-falcon-cef-app-activity-useraccountadded
pan-ngfw-cef-app-activity-success-tunnellatency
pan-ngfw-cef-app-activity-success-getconfig
pan-ngfw-cef-app-activity-success-hipreport
pan-ngfw-cef-app-activity-success-ipsec
pan-gp-cef-app-activity-success-globalprotect
pan-ngfw-cef-app-activity-success-globalprotect-1
pan-ngfw-cef-app-activity-success-globalprotect
microsoft-azure-mix-app-activity-success-caller
netskope-sc-json-app-activity-success-upload
github-g-json-app-activity-success-pullrequestreviewcommentcreate
github-g-json-app-activity-success-pullrequestreviewsubmit
github-g-json-branch-protection-enable-success-protectedbranchcreate
github-g-json-branch-protection-disable-success-protectedbranchdestroy
github-g-json-repository-create-success-gitclone
microsoft-evsecurity-json-endpoint-endpoint-logout-success-userinitiatedlogoff
github-g-json-app-activity-success-pullrequest
github-g-json-app-activity-success-workflows
github-g-json-app-activity-success-team
github-g-json-app-activity-success-org
accellion-kw-json-file-upload-success-addfile
crowdstrike-falcon-json-app-activity-awsec2securitygroup
crowdstrike-falcon-json-app-activity-awsec2networkaclentry
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
cisco-duo-sk4-app-activity-success-admincreate
imprivata-i-kv-app-activity-success-agentshutdown
imprivata-i-kv-app-activity-success-passwordreset
microsoft-o365-json-app-activity-success-graphdirectoryauditlogs
exabeam-search-json-app-activity-success-groupmodified
exabeam-search-json-app-activity-success-permissionchange
exabeam-search-json-app-activity-success-logsourceadded
sentinelone-singularityp-json-registry-delete-success-valuedelete
sentinelone-singularityp-json-registry-delete-success-keydelete
sentinelone-singularityp-json-group-create-success-groupcreation
github-g-json-repository-push-success-gitpush
github-g-json-repository-pull-success-gitfetch
github-g-json-hook-create-success-repocreate
github-g-json-repository-create-success-repocreate
github-g-json-branch-protection-modify-success-policyoverride
github-g-json-branch-protection-modify-success-protectedbranchupdateadminenforced
github-g-json-branch-protection-modify-success-protectedbranchupdate
github-g-json-repository-modify-success-repo
github-g-json-repository-modify-success-repo

app-activity-failed
crowdstrike-falcon-cef-app-activity-useraccountadded
crowdstrike-falcon-json-app-activity-awsec2securitygroup
crowdstrike-falcon-json-app-activity-awsec2networkaclentry
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface

app-login
rubrik-cdm-kv-app-login-success-loggedin-1
microsoft-defenderep-cef-service-create-serviceinstalled
symantec-edr-json-app-notification-success-2-1
sap-sf-mix-group-create-mulee
sap-sf-mix-group-modify-update
sap-sf-mix-group-modify-mulee
sap-sf-mix-app-activity-processmulee
accellion-kw-json-app-login-success-adminloggedin
microsoft-windows-json-app-login-wazuhalerts

dlp-email-alert-in
proofpoint-tap-json-email-emailthreat
proofpoint-tap-sk4-email-receive-threatdetected
proofpoint-tap-json-email-receive-emailthreat-1
checkpoint-avanan-json-email-receive-avanansecurityevent
checkpoint-avanan-json-email-receive-securityevent

dlp-email-alert-in-failed
proofpoint-tap-json-email-emailthreat
proofpoint-tap-sk4-email-receive-threatdetected
proofpoint-tap-json-email-receive-emailthreat-1
checkpoint-avanan-json-email-receive-avanansecurityevent
checkpoint-avanan-json-email-receive-securityevent

dlp-email-alert-out
dg-ndlp-kv-email-send-success-28-1
dg-ndlp-kv-email-send-success-sendmail
microsoft-o365-cef-email-send-workload
accellion-kw-json-email-send-success-sendemail
proofpoint-pep-cef-email-alert-success-emaildelivery
proofpoint-tap-json-email-emailthreat
checkpoint-avanan-json-email-send-securityevent
checkpoint-avanan-json-email-send-avanansecurityevent

dlp-email-alert-out-failed
microsoft-o365-cef-email-send-workload
proofpoint-tap-json-email-emailthreat
checkpoint-avanan-json-email-send-securityevent
checkpoint-avanan-json-email-send-avanansecurityevent

failed-app-login
microsoft-windows-json-app-login-wazuhalerts
sailpoint-identityiq-json-app-login-fail-faillogin

failed-logon
cyberark-pam-kv-endpoint-login-fail-failedtoinit
auth0-a-json-endpoint-login-fail-invalidrequest-1
auth0-a-json-endpoint-login-fail-fp
auth0-a-json-endpoint-login-fail-invalidrequest

file-alert
vmware-carbonblackappctrl-cef-alert-trigger-success-protection
vmware-carbonblackappctrl-cef-alert-trigger-success-appcontrol
pan-wildfire-cef-alert-trigger-success-filethreat

file-delete
cyberark-pam-kv-file-delete-success-deletefile
microsoft-defenderep-cef-file-devicefileevents
sftp-s-csv-file-delete-success-filedeleted
sentinelone-singularityp-json-file-edreventcategory

file-read
cyberark-pam-kv-file-read-success-openfile
cyberark-pam-kv-file-read-success-retrievefile

file-upload
accellion-kw-json-file-upload-success-addfile

file-write
cyberark-pam-kv-file-write-success-storefile
cyberark-pam-kv-file-write-success-openfile
microsoft-defenderep-cef-file-devicefileevents
sentinelone-singularityp-json-file-edreventcategory

member-removed
github-g-json-group-member-remove-success-teamremovemember

privileged-access
onapsis-o-json-alert-trigger-erphost
onapsis-o-json-app-notification-logline
onapsis-o-json-app-notification-usermaintenance
onapsis-o-str-app-activity-satori
rubrik-cdm-kv-user-privilege-assign-success-assignedroles

process-created
microsoft-defenderep-json-process-create-success-processevents

remote-logon
vmware-carbonblackedr-sk4-dll-load-moduleload
vmware-carbonblackedr-sk4-dll-load-moduleload
cyberark-pam-kv-ssh-traffic-success-keystrokelogin
cyberark-pam-kv-rdp-traffic-success-windowtitle
cyberark-pam-kv-rdp-traffic-success-secureconnect
cyberark-pam-kv-rdp-traffic-success-psmconnect
dell-sw-kv-rdp-traffic-success-sslvpn

vpn-login
pan-gp-csv-vpn-login-success-connected

web-activity-allowed
trendmicro-iws-cef-http-session-mcafeeesm
vmware-carbonblackedr-sk4-registry-modify-success-requestclientapplication

web-activity-denied
trendmicro-iws-cef-http-session-mcafeeesm
T1047 - Windows Management Instrumentation
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1133 - External Remote Services
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
  • 70 Rules
  • 32 Models
Privilege Escalationaccount-switch
unix-unixauditd-cef-user-switch-success-userrolechange
unix-unixauditd-json-user-switch-success-sessionopen
unix-unix-json-user-switch-success-pamsessionopen

app-activity
crowdstrike-falcon-cef-app-activity-useraccountadded
pan-ngfw-cef-app-activity-success-tunnellatency
pan-ngfw-cef-app-activity-success-getconfig
pan-ngfw-cef-app-activity-success-hipreport
pan-ngfw-cef-app-activity-success-ipsec
pan-gp-cef-app-activity-success-globalprotect
pan-ngfw-cef-app-activity-success-globalprotect-1
pan-ngfw-cef-app-activity-success-globalprotect
microsoft-azure-mix-app-activity-success-caller
netskope-sc-json-app-activity-success-upload
github-g-json-app-activity-success-pullrequestreviewcommentcreate
github-g-json-app-activity-success-pullrequestreviewsubmit
github-g-json-branch-protection-enable-success-protectedbranchcreate
github-g-json-branch-protection-disable-success-protectedbranchdestroy
github-g-json-repository-create-success-gitclone
microsoft-evsecurity-json-endpoint-endpoint-logout-success-userinitiatedlogoff
github-g-json-app-activity-success-pullrequest
github-g-json-app-activity-success-workflows
github-g-json-app-activity-success-team
github-g-json-app-activity-success-org
accellion-kw-json-file-upload-success-addfile
crowdstrike-falcon-json-app-activity-awsec2securitygroup
crowdstrike-falcon-json-app-activity-awsec2networkaclentry
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
cisco-duo-sk4-app-activity-success-admincreate
imprivata-i-kv-app-activity-success-agentshutdown
imprivata-i-kv-app-activity-success-passwordreset
microsoft-o365-json-app-activity-success-graphdirectoryauditlogs
exabeam-search-json-app-activity-success-groupmodified
exabeam-search-json-app-activity-success-permissionchange
exabeam-search-json-app-activity-success-logsourceadded
sentinelone-singularityp-json-registry-delete-success-valuedelete
sentinelone-singularityp-json-registry-delete-success-keydelete
sentinelone-singularityp-json-group-create-success-groupcreation
github-g-json-repository-push-success-gitpush
github-g-json-repository-pull-success-gitfetch
github-g-json-hook-create-success-repocreate
github-g-json-repository-create-success-repocreate
github-g-json-branch-protection-modify-success-policyoverride
github-g-json-branch-protection-modify-success-protectedbranchupdateadminenforced
github-g-json-branch-protection-modify-success-protectedbranchupdate
github-g-json-repository-modify-success-repo
github-g-json-repository-modify-success-repo

failed-logon
cyberark-pam-kv-endpoint-login-fail-failedtoinit
auth0-a-json-endpoint-login-fail-invalidrequest-1
auth0-a-json-endpoint-login-fail-fp
auth0-a-json-endpoint-login-fail-invalidrequest

process-created
microsoft-defenderep-json-process-create-success-processevents

remote-logon
vmware-carbonblackedr-sk4-dll-load-moduleload
vmware-carbonblackedr-sk4-dll-load-moduleload
cyberark-pam-kv-ssh-traffic-success-keystrokelogin
cyberark-pam-kv-rdp-traffic-success-windowtitle
cyberark-pam-kv-rdp-traffic-success-secureconnect
cyberark-pam-kv-rdp-traffic-success-psmconnect
dell-sw-kv-rdp-traffic-success-sslvpn
T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1210 - Exploitation of Remote Services
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1555.005 - T1555.005
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
  • 60 Rules
  • 15 Models
Privileged Activityaccount-switch
unix-unixauditd-cef-user-switch-success-userrolechange
unix-unixauditd-json-user-switch-success-sessionopen
unix-unix-json-user-switch-success-pamsessionopen

app-activity
crowdstrike-falcon-cef-app-activity-useraccountadded
pan-ngfw-cef-app-activity-success-tunnellatency
pan-ngfw-cef-app-activity-success-getconfig
pan-ngfw-cef-app-activity-success-hipreport
pan-ngfw-cef-app-activity-success-ipsec
pan-gp-cef-app-activity-success-globalprotect
pan-ngfw-cef-app-activity-success-globalprotect-1
pan-ngfw-cef-app-activity-success-globalprotect
microsoft-azure-mix-app-activity-success-caller
netskope-sc-json-app-activity-success-upload
github-g-json-app-activity-success-pullrequestreviewcommentcreate
github-g-json-app-activity-success-pullrequestreviewsubmit
github-g-json-branch-protection-enable-success-protectedbranchcreate
github-g-json-branch-protection-disable-success-protectedbranchdestroy
github-g-json-repository-create-success-gitclone
microsoft-evsecurity-json-endpoint-endpoint-logout-success-userinitiatedlogoff
github-g-json-app-activity-success-pullrequest
github-g-json-app-activity-success-workflows
github-g-json-app-activity-success-team
github-g-json-app-activity-success-org
accellion-kw-json-file-upload-success-addfile
crowdstrike-falcon-json-app-activity-awsec2securitygroup
crowdstrike-falcon-json-app-activity-awsec2networkaclentry
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
cisco-duo-sk4-app-activity-success-admincreate
imprivata-i-kv-app-activity-success-agentshutdown
imprivata-i-kv-app-activity-success-passwordreset
microsoft-o365-json-app-activity-success-graphdirectoryauditlogs
exabeam-search-json-app-activity-success-groupmodified
exabeam-search-json-app-activity-success-permissionchange
exabeam-search-json-app-activity-success-logsourceadded
sentinelone-singularityp-json-registry-delete-success-valuedelete
sentinelone-singularityp-json-registry-delete-success-keydelete
sentinelone-singularityp-json-group-create-success-groupcreation
github-g-json-repository-push-success-gitpush
github-g-json-repository-pull-success-gitfetch
github-g-json-hook-create-success-repocreate
github-g-json-repository-create-success-repocreate
github-g-json-branch-protection-modify-success-policyoverride
github-g-json-branch-protection-modify-success-protectedbranchupdateadminenforced
github-g-json-branch-protection-modify-success-protectedbranchupdate
github-g-json-repository-modify-success-repo
github-g-json-repository-modify-success-repo

app-activity-failed
crowdstrike-falcon-cef-app-activity-useraccountadded
crowdstrike-falcon-json-app-activity-awsec2securitygroup
crowdstrike-falcon-json-app-activity-awsec2networkaclentry
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface

app-login
rubrik-cdm-kv-app-login-success-loggedin-1
microsoft-defenderep-cef-service-create-serviceinstalled
symantec-edr-json-app-notification-success-2-1
sap-sf-mix-group-create-mulee
sap-sf-mix-group-modify-update
sap-sf-mix-group-modify-mulee
sap-sf-mix-app-activity-processmulee
accellion-kw-json-app-login-success-adminloggedin
microsoft-windows-json-app-login-wazuhalerts

dlp-email-alert-in
proofpoint-tap-json-email-emailthreat
proofpoint-tap-sk4-email-receive-threatdetected
proofpoint-tap-json-email-receive-emailthreat-1
checkpoint-avanan-json-email-receive-avanansecurityevent
checkpoint-avanan-json-email-receive-securityevent

dlp-email-alert-in-failed
proofpoint-tap-json-email-emailthreat
proofpoint-tap-sk4-email-receive-threatdetected
proofpoint-tap-json-email-receive-emailthreat-1
checkpoint-avanan-json-email-receive-avanansecurityevent
checkpoint-avanan-json-email-receive-securityevent

dlp-email-alert-out
dg-ndlp-kv-email-send-success-28-1
dg-ndlp-kv-email-send-success-sendmail
microsoft-o365-cef-email-send-workload
accellion-kw-json-email-send-success-sendemail
proofpoint-pep-cef-email-alert-success-emaildelivery
proofpoint-tap-json-email-emailthreat
checkpoint-avanan-json-email-send-securityevent
checkpoint-avanan-json-email-send-avanansecurityevent

dlp-email-alert-out-failed
microsoft-o365-cef-email-send-workload
proofpoint-tap-json-email-emailthreat
checkpoint-avanan-json-email-send-securityevent
checkpoint-avanan-json-email-send-avanansecurityevent

failed-app-login
microsoft-windows-json-app-login-wazuhalerts
sailpoint-identityiq-json-app-login-fail-faillogin

failed-logon
cyberark-pam-kv-endpoint-login-fail-failedtoinit
auth0-a-json-endpoint-login-fail-invalidrequest-1
auth0-a-json-endpoint-login-fail-fp
auth0-a-json-endpoint-login-fail-invalidrequest

file-alert
vmware-carbonblackappctrl-cef-alert-trigger-success-protection
vmware-carbonblackappctrl-cef-alert-trigger-success-appcontrol
pan-wildfire-cef-alert-trigger-success-filethreat

file-delete
cyberark-pam-kv-file-delete-success-deletefile
microsoft-defenderep-cef-file-devicefileevents
sftp-s-csv-file-delete-success-filedeleted
sentinelone-singularityp-json-file-edreventcategory

file-read
cyberark-pam-kv-file-read-success-openfile
cyberark-pam-kv-file-read-success-retrievefile

file-upload
accellion-kw-json-file-upload-success-addfile

file-write
cyberark-pam-kv-file-write-success-storefile
cyberark-pam-kv-file-write-success-openfile
microsoft-defenderep-cef-file-devicefileevents
sentinelone-singularityp-json-file-edreventcategory

privileged-access
onapsis-o-json-alert-trigger-erphost
onapsis-o-json-app-notification-logline
onapsis-o-json-app-notification-usermaintenance
onapsis-o-str-app-activity-satori
rubrik-cdm-kv-user-privilege-assign-success-assignedroles

process-created
microsoft-defenderep-json-process-create-success-processevents

remote-logon
vmware-carbonblackedr-sk4-dll-load-moduleload
vmware-carbonblackedr-sk4-dll-load-moduleload
cyberark-pam-kv-ssh-traffic-success-keystrokelogin
cyberark-pam-kv-rdp-traffic-success-windowtitle
cyberark-pam-kv-rdp-traffic-success-secureconnect
cyberark-pam-kv-rdp-traffic-success-psmconnect
dell-sw-kv-rdp-traffic-success-sslvpn

security-alert
cisco-secureendpoint-sk4-alert-trigger-success-majorfaultraised
cisco-secureendpoint-sk4-alert-trigger-success-threatdetection
pan-ngfw-json-alert-trigger-success-spyware
pan-ngfw-json-alert-trigger-success-vulnerability-1
symantec-endpointprotection-cef-alert-trigger-success-sepproxyipsevent
symantec-endpointprotection-cef-alert-trigger-success-sepproxyinsightevent
symantec-endpointprotection-cef-alert-trigger-success-sepproxysonarevent
sophos-ep-sk4-alert-trigger-success-threatdetected
sophos-ep-cef-alert-trigger-success-windowsfirewallblock
sophos-ep-cef-alert-trigger-success-puadetected
sophos-ep-sk4-alert-trigger-success-hmpacrypyguard
sophos-ep-cef-alert-trigger-success-safebrowsing
sophos-ep-sk4-alert-trigger-success-corepua
sophos-ep-sk4-alert-trigger-success-event
sophos-ep-sk4-alert-trigger-success-endpointevent
sophos-ep-sk4-alert-trigger-success-enc
sophos-ep-cef-alert-trigger-success-exploitprevented
sophos-ep-sk4-alert-trigger-success-threatclean
sophos-ep-sk4-alert-trigger-success-applicationblock
sophos-ep-sk4-alert-trigger-success-controlviolation
sophos-ep-sk4-alert-trigger-success-savdisable
trendmicro-officescan-kv-alert-trigger-success-graywarefound
trendmicro-officescan-leef-alert-trigger-success-antimalware
proofpoint-tap-json-email-receive-emailthreat-1
sophos-ep-cef-alert-trigger-success-hmpacredguard
sophos-ep-sk4-alert-trigger-success-privilegeexploitprevented
sophos-ep-cef-alert-trigger-success-threat
sophos-ep-sk4-alert-trigger-success-threatdetected-1
kaspersky-endpointsecurity-cef-alert-trigger-success-endpointsecurity
pan-wildfire-cef-alert-trigger-success-filethreat
checkpoint-ngfw-kv-network-traffic-outbound

web-activity-allowed
trendmicro-iws-cef-http-session-mcafeeesm
vmware-carbonblackedr-sk4-registry-modify-success-requestclientapplication

web-activity-denied
trendmicro-iws-cef-http-session-mcafeeesm
T1021 - Remote Services
T1068 - Exploitation for Privilege Escalation
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1102 - Web Service
T1482 - Domain Trust Discovery
TA0002 - TA0002
  • 33 Rules
  • 15 Models
Ransomwareapp-activity
crowdstrike-falcon-cef-app-activity-useraccountadded
pan-ngfw-cef-app-activity-success-tunnellatency
pan-ngfw-cef-app-activity-success-getconfig
pan-ngfw-cef-app-activity-success-hipreport
pan-ngfw-cef-app-activity-success-ipsec
pan-gp-cef-app-activity-success-globalprotect
pan-ngfw-cef-app-activity-success-globalprotect-1
pan-ngfw-cef-app-activity-success-globalprotect
microsoft-azure-mix-app-activity-success-caller
netskope-sc-json-app-activity-success-upload
github-g-json-app-activity-success-pullrequestreviewcommentcreate
github-g-json-app-activity-success-pullrequestreviewsubmit
github-g-json-branch-protection-enable-success-protectedbranchcreate
github-g-json-branch-protection-disable-success-protectedbranchdestroy
github-g-json-repository-create-success-gitclone
microsoft-evsecurity-json-endpoint-endpoint-logout-success-userinitiatedlogoff
github-g-json-app-activity-success-pullrequest
github-g-json-app-activity-success-workflows
github-g-json-app-activity-success-team
github-g-json-app-activity-success-org
accellion-kw-json-file-upload-success-addfile
crowdstrike-falcon-json-app-activity-awsec2securitygroup
crowdstrike-falcon-json-app-activity-awsec2networkaclentry
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
cisco-duo-sk4-app-activity-success-admincreate
imprivata-i-kv-app-activity-success-agentshutdown
imprivata-i-kv-app-activity-success-passwordreset
microsoft-o365-json-app-activity-success-graphdirectoryauditlogs
exabeam-search-json-app-activity-success-groupmodified
exabeam-search-json-app-activity-success-permissionchange
exabeam-search-json-app-activity-success-logsourceadded
sentinelone-singularityp-json-registry-delete-success-valuedelete
sentinelone-singularityp-json-registry-delete-success-keydelete
sentinelone-singularityp-json-group-create-success-groupcreation
github-g-json-repository-push-success-gitpush
github-g-json-repository-pull-success-gitfetch
github-g-json-hook-create-success-repocreate
github-g-json-repository-create-success-repocreate
github-g-json-branch-protection-modify-success-policyoverride
github-g-json-branch-protection-modify-success-protectedbranchupdateadminenforced
github-g-json-branch-protection-modify-success-protectedbranchupdate
github-g-json-repository-modify-success-repo
github-g-json-repository-modify-success-repo

app-activity-failed
crowdstrike-falcon-cef-app-activity-useraccountadded
crowdstrike-falcon-json-app-activity-awsec2securitygroup
crowdstrike-falcon-json-app-activity-awsec2networkaclentry
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface
crowdstrike-falcon-sk4-app-activity-awsec2networkinterface

app-login
rubrik-cdm-kv-app-login-success-loggedin-1
microsoft-defenderep-cef-service-create-serviceinstalled
symantec-edr-json-app-notification-success-2-1
sap-sf-mix-group-create-mulee
sap-sf-mix-group-modify-update
sap-sf-mix-group-modify-mulee
sap-sf-mix-app-activity-processmulee
accellion-kw-json-app-login-success-adminloggedin
microsoft-windows-json-app-login-wazuhalerts

authentication-failed
zscaler-pa-json-app-activity-success-create
zscaler-pa-json-app-activity-success-delete
zscaler-pa-json-app-activity-success-update
forcepoint-ngfw-cef-network-close-connectionclosed
forcepoint-ngfw-cef-app-activity-log
rsa-ram-kv-app-logout-success-sessiontimeout
rsa-ram-kv-app-logout-success-userlogout
rsa-ram-kv-user-modify-success-condition
rsa-ram-kv-app-login-success-userlogin
rsa-ram-kv-app-login-success-singlepoint
rsa-ram-kv-app-authentication-success-userauthenticated-1
rsa-ram-kv-app-authentication-success-userstepup
rsa-ram-csv-app-authentication-success-request
rsa-ram-csv-app-authentication-success-validuser
rsa-ram-kv-app-authentication-success-radius
rsa-ram-kv-app-authentication-success-userauthenticated
rsa-ram-kv-app-authentication-success-decisionpoint
rsa-ram-kv-app-authentication-fail-singlepoint
rsa-ram-kv-app-authentication-fail-userprotected
rsa-ram-csv-app-notification-success-servertest
rsa-ram-csv-app-notification-success-resourcecheck
rsa-ram-csv-app-notification-success-validgroup
rsa-ram-csv-app-notification-success-notingroup
rsa-ram-csv-app-notification-success-checkresource
rsa-ram-str-configuration-routing-modify-success-systemconfig
rsa-ram-kv-configuration-modify-success-confighost
rsa-ram-str-configuration-modify-success-configupdate
banyansecurity-bnn-json-endpoint-authentication-fail-connectionunauthorized
banyansecurity-bnn-json-app-authentication-fail-accessunauthorized
banyansecurity-bnn-json-app-authentication-fail-identitydeny

authentication-successful
wazuh-w-json-endpoint-activity-success-typewazuhalerts
pan-ngfw-leef-endpoint-authentication-success-authsuccess
github-g-json-app-authentication-success-orgssoresponse

failed-app-login
microsoft-windows-json-app-login-wazuhalerts
sailpoint-identityiq-json-app-login-fail-faillogin

failed-logon
cyberark-pam-kv-endpoint-login-fail-failedtoinit
auth0-a-json-endpoint-login-fail-invalidrequest-1
auth0-a-json-endpoint-login-fail-fp
auth0-a-json-endpoint-login-fail-invalidrequest

failed-vpn-login
pan-gp-csv-vpn-login-fail-loginfailure

file-write
cyberark-pam-kv-file-write-success-storefile
cyberark-pam-kv-file-write-success-openfile
microsoft-defenderep-cef-file-devicefileevents
sentinelone-singularityp-json-file-edreventcategory

process-created
microsoft-defenderep-json-process-create-success-processevents

remote-logon
vmware-carbonblackedr-sk4-dll-load-moduleload
vmware-carbonblackedr-sk4-dll-load-moduleload
cyberark-pam-kv-ssh-traffic-success-keystrokelogin
cyberark-pam-kv-rdp-traffic-success-windowtitle
cyberark-pam-kv-rdp-traffic-success-secureconnect
cyberark-pam-kv-rdp-traffic-success-psmconnect
dell-sw-kv-rdp-traffic-success-sslvpn

vpn-login
pan-gp-csv-vpn-login-success-connected

web-activity-allowed
trendmicro-iws-cef-http-session-mcafeeesm
vmware-carbonblackedr-sk4-registry-modify-success-requestclientapplication

web-activity-denied
trendmicro-iws-cef-http-session-mcafeeesm
T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
  • 7 Rules
Workforce Protectiondlp-email-alert-out
dg-ndlp-kv-email-send-success-28-1
dg-ndlp-kv-email-send-success-sendmail
microsoft-o365-cef-email-send-workload
accellion-kw-json-email-send-success-sendemail
proofpoint-pep-cef-email-alert-success-emaildelivery
proofpoint-tap-json-email-emailthreat
checkpoint-avanan-json-email-send-securityevent
checkpoint-avanan-json-email-send-avanansecurityevent

web-activity-allowed
trendmicro-iws-cef-http-session-mcafeeesm
vmware-carbonblackedr-sk4-registry-modify-success-requestclientapplication
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 8 Rules
  • 3 Models