Rules by Product and UseCase
December 5, 2023
Vendor:
Product:
Use-Case: Workforce Protection
| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 8 | 3 | 2 | 2 | 2 |
Rules by event type:

| Event Type | MITRE ATT&CK® TTP | Rule | Description |
|---|---|---|---|
| dlp-email-alert-out | T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | EM-Competition | Email to competition |
| dlp-email-alert-out | T1048.003 | EM-OutSpam-M | Email sent to more recipients than usual, at least one external (M) |
| dlp-email-alert-out | T1048.003 | EM-OutSpam-L | Email sent to more recipients than usual, at least one external (L) |
| dlp-email-alert-out | T1048.003 | EM-Personal-Job | Email with job-seeking keywords in the subject sent from a company email address to a personal email address |
| web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols | WEB-OU-JS-F | First job search activity for user in the organization |
| web-activity-allowed | T1071.001 | WEB-OU-JS-A | Abnormal job search activity for user in the organization |
| web-activity-allowed | T1071.001 | WEB-OG-JS-F | First job search activity for user in the peer group |
| web-activity-allowed | T1071.001 | WEB-OG-JS-A | Abnormal job search activity for user in the peer group |

Models by event type:

| Event Type | Model | Description |
|---|---|---|
| dlp-email-alert-out | EM-Recipients-usr | Recipients per email for user |
| web-activity-allowed | WEB-OU-JS | Job search activities of users in the organization |
| web-activity-allowed | WEB-OG-JS | Job search activities of users in the peer group |
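The following is an added example, not Exabeam's rule or model code: a stand-alone sketch of how the eight rules above relate to their three models, run over constructed email and web events. The company domain, competitor and personal-mail domain lists, job-search keywords, the z-score tiers used to separate the (M) and (L) variants of EM-OutSpam, and the "abnormal" multiplier are all assumptions chosen for illustration; the real models and thresholds are not described on this page.

```python
"""Added example: simplified sketch of the Workforce Protection rules on this page.
NOT Exabeam's implementation. Domain lists, keywords, thresholds, event layout
and sample events are assumptions made for illustration only."""
from collections import Counter, defaultdict
from statistics import mean, pstdev

COMPANY_DOMAIN = "corp.example"                                  # assumed
COMPETITOR_DOMAINS = {"rival.example"}                           # assumed watch-list
PERSONAL_DOMAINS = {"gmail.example", "mail.example"}             # assumed webmail domains
JOB_TERMS = ("job", "career", "resume", "hiring", "interview")   # assumed keywords
MIN_BASELINE = 3            # assumed: prior emails needed before the model is scored
Z_LOW, Z_MEDIUM = 2.0, 4.0  # assumed: z-score tiers mapped to the (L) and (M) rules


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def run_email_rules(events):
    """events: (user, subject, [recipients]) in time order.
    A per-user list of recipient counts stands in for the EM-Recipients-usr
    model. Returns [(user, rule), ...] in firing order."""
    recipients_model = defaultdict(list)
    alerts = []
    for user, subject, rcpts in events:
        domains = {domain_of(r) for r in rcpts}
        external = domains - {COMPANY_DOMAIN}
        # EM-Competition: any recipient at a watch-listed competitor domain
        if domains & COMPETITOR_DOMAINS:
            alerts.append((user, "EM-Competition"))
        # EM-Personal-Job: job-seeking subject sent to a personal mailbox
        if external & PERSONAL_DOMAINS and any(t in subject.lower() for t in JOB_TERMS):
            alerts.append((user, "EM-Personal-Job"))
        # EM-OutSpam-M/L: recipient count unusual for this user, at least one external
        prior = recipients_model[user]
        if external and len(prior) >= MIN_BASELINE:
            z = (len(rcpts) - mean(prior)) / (pstdev(prior) or 1.0)
            if z >= Z_MEDIUM:
                alerts.append((user, "EM-OutSpam-M"))
            elif z >= Z_LOW:
                alerts.append((user, "EM-OutSpam-L"))
        prior.append(len(rcpts))  # the model learns from every email, flagged or not
    return alerts


def is_job_search(url: str) -> bool:
    return any(t in url.lower() for t in JOB_TERMS)


def run_web_rules(events, abnormal_factor=3.0):
    """events: (user, peer_group, url) in time order.
    Counters of job-search hits per user stand in for the WEB-OU-JS
    (organization) and WEB-OG-JS (peer group) models. '-F' fires the first
    time a user appears in a model; '-A' fires when the user's count would
    exceed abnormal_factor times the mean count of the other users in scope."""
    org_model = Counter()
    group_models = defaultdict(Counter)
    alerts = []
    for user, group, url in events:
        if not is_job_search(url):
            continue
        for scope, model in (("OU", org_model), ("OG", group_models[group])):
            if user not in model:
                alerts.append((user, f"WEB-{scope}-JS-F"))
            else:
                others = [c for u, c in model.items() if u != user]
                if others and model[user] + 1 > abnormal_factor * mean(others):
                    alerts.append((user, f"WEB-{scope}-JS-A"))
            model[user] += 1
    return alerts


EMAIL_EVENTS = [  # constructed sample data, not real telemetry
    ("alice", "standup notes", ["bob@corp.example"]),
    ("alice", "design review", ["bob@corp.example", "carol@corp.example"]),
    ("alice", "re: standup", ["bob@corp.example"]),
    ("alice", "lunch?", ["dave@corp.example", "eve@corp.example"]),
    ("alice", "re: design review", ["bob@corp.example"]),
    ("alice", "roadmap", ["bob@corp.example", "carol@corp.example", "pm@partner.example"]),
    ("alice", "all hands", ["bob@corp.example", "carol@corp.example", "dave@corp.example",
                            "eve@corp.example", "frank@corp.example", "pm@partner.example"]),
    ("alice", "team offsite", ["bob@corp.example", "carol@corp.example", "dave@corp.example",
                               "eve@corp.example", "frank@corp.example"]),  # internal only
    ("alice", "my resume", ["alice.personal@gmail.example"]),
    ("bob", "pricing sheet", ["sales@rival.example"]),  # bob has no baseline yet
]

WEB_EVENTS = [  # constructed sample data, not real telemetry
    ("alice", "engineering", "https://intranet.corp.example/wiki"),
    ("alice", "engineering", "https://jobs.example/search?q=engineer"),
    ("bob", "engineering", "https://careers.example/listings"),
    ("carol", "sales", "https://careers.example/listings"),
    ("alice", "engineering", "https://jobs.example/search?q=senior"),
    ("alice", "engineering", "https://jobs.example/search?q=remote"),
    ("alice", "engineering", "https://careers.example/apply"),
]

if __name__ == "__main__":
    for user, rule in run_email_rules(EMAIL_EVENTS) + run_web_rules(WEB_EVENTS):
        print(f"{rule:18} {user}")
```

Two points worth noting from the sample run: the "team offsite" burst to five internal recipients is not flagged at all, because both OutSpam rules require at least one external recipient, and bob's email to a competitor fires EM-Competition immediately while his recipient-count model is still empty, which is why the static rules on this page are useful alongside the baselined ones.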