ds_netskope_netskope_security_cloud.md

Vendor: Netskope

Product: Netskope Security Cloud

| Rules | Models | MITRE TTPs | Event Types | Parsers |
|:-----:|:------:|:----------:|:-----------:|:-------:|
| 224 | 101 | 27 | 15 | 15 |
Use-Case Event Types/Parsers MITRE TTP Content
3rd Party Security Alerts app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1059.001 - Command and Scripting Interpreter: PowerShell
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
  • 21 Rules
  • 9 Models
Abnormal Application Access app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1078 - Valid Accounts
  • 16 Rules
  • 10 Models
Abnormal Authentication & Access app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1078 - Valid Accounts
T1133 - External Remote Services
  • 2 Rules
Abnormal File Access app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1083 - File and Directory Discovery
  • 3 Rules
  • 3 Models
Abnormal Network Connections app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1090.002 - Proxy: External Proxy
T1571 - Non-Standard Port
  • 33 Rules
  • 17 Models
Abnormal Remote Access app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
  • 1 Rules
Abnormal User Activity app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1133 - External Remote Services
  • 24 Rules
  • 17 Models
Abnormal Web Access app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1071.001 - Application Layer Protocol: Web Protocols
T1102 - Web Service
T1550.002 - Use Alternate Authentication Material: Pass the Hash
  • 30 Rules
  • 13 Models
Access to Application Data app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1078 - Valid Accounts
  • 16 Rules
  • 10 Models
Access to File Data app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1083 - File and Directory Discovery
  • 3 Rules
  • 3 Models
Account Manipulation app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Activity on Domain Controllers app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1071.001 - Application Layer Protocol: Web Protocols
T1102 - Web Service
  • 1 Rules
Compromised Asset app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1003.003 - T1003.003
  • 5 Rules
  • 1 Models
Compromised Service Account app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1078 - Valid Accounts
  • 1 Rules
Cryptomining app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1071.001 - Application Layer Protocol: Web Protocols
T1496 - Resource Hijacking
  • 3 Rules
Data Exfiltration app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1204 - User Execution
  • 17 Rules
  • 10 Models
Data Exfiltration via DNS app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1071.001 - Application Layer Protocol: Web Protocols
T1568 - Dynamic Resolution
  • 1 Rules
Data Exfiltration via Web app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
  • 3 Rules
Data Leak app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1204 - User Execution
  • 15 Rules
  • 9 Models
Data Leak via Email app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1114.003 - Email Collection: Email Forwarding Rule
  • 31 Rules
  • 14 Models
Data Leak via Web app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1030 - Data Transfer Size Limits
T1071.001 - Application Layer Protocol: Web Protocols
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage
  • 4 Rules
  • 1 Models
Disabled Account Abuse app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1078 - Valid Accounts
  • 2 Rules
Disabled Account Activity app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1078 - Valid Accounts
  • 2 Rules
Evasion app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1071.001 - Application Layer Protocol: Web Protocols
T1090.003 - Proxy: Multi-hop Proxy
  • 4 Rules
  • 1 Models
Executive Account Activity app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1068 - Exploitation for Privilege Escalation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 2 Rules
Malware app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1003.002 - T1003.002
T1027 - Obfuscated Files or Information
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1085 - T1085
T1204 - User Execution
T1550.002 - Use Alternate Authentication Material: Pass the Hash
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  • 36 Rules
  • 11 Models
Membership and Permission Modifications app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Model
Permission Changes app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Model
Phishing app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1048 - Exfiltration Over Alternative Protocol
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1566.002 - Phishing: Spearphishing Link
  • 15 Rules
  • 7 Models
Privileged Account Abuse app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1078 - Valid Accounts
  • 2 Rules
  • 2 Models
Ransomware app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1071 - Application Layer Protocol
T1078 - Valid Accounts
  • 4 Rules
Risk of Attrition app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1071.001 - Application Layer Protocol: Web Protocols
  • 5 Rules
  • 2 Models
Service Account Abuse app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1078 - Valid Accounts
  • 1 Rule
Spam app-activity
netskope-activity
s-netskope-activity
cef-netskope-app-activity-51
netskope-app-activity

app-login
netskope-login
s-netskope-login

dlp-alert
cef-netskope-dlp-alert
cef-netskope-dlp-alert-1
netscope-dlp-alert-activity
netskope-dlp-alert

dlp-email-alert-out
cef-netskope-dlp-email-alert-1

file-delete
netskope-activity
s-netskope-activity

file-download
netskope-activity
s-netskope-activity

file-permission-change
netskope-activity
s-netskope-activity

file-read
netskope-activity
s-netskope-activity

file-upload
netskope-activity
s-netskope-activity

file-write
netskope-activity
s-netskope-activity

network-connection-failed
netskope-network-connection

network-connection-successful
netskope-network-connection

security-alert
cef-netskope-alert
cef-netskope-alert-anomaly
netskope-security-alert
cef-netskope-alert-malsite
netskope-alert
cef-netskope-alert-policy
cef-netskope-alert-1
cef-netskope-alert-2
cef-netskope-alert-compromise

web-activity-allowed
netskope-web-activity

web-activity-denied
netskope-web-activity
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
  • 2 Rules
  • 1 Model

ATT&CK Matrix for Enterprise

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Phishing: Spearphishing Link<br><br>External Remote Services<br><br>Valid Accounts<br><br>Phishing | Command and Scripting Interpreter<br><br>User Execution<br><br>Command and Scripting Interpreter: PowerShell | External Remote Services<br><br>Valid Accounts<br><br>Account Manipulation<br><br>Account Manipulation: Exchange Email Delegate Permissions | Valid Accounts<br><br>Exploitation for Privilege Escalation | Obfuscated Files or Information: Indicator Removal from Tools<br><br>Valid Accounts<br><br>Use Alternate Authentication Material<br><br>Use Alternate Authentication Material: Pass the Hash<br><br>Obfuscated Files or Information | OS Credential Dumping | File and Directory Discovery | Use Alternate Authentication Material | Email Collection<br><br>Email Collection: Email Forwarding Rule | Web Service<br><br>Non-Standard Port<br><br>Application Layer Protocol: Web Protocols<br><br>Dynamic Resolution<br><br>Dynamic Resolution: Domain Generation Algorithms<br><br>Proxy: Multi-hop Proxy<br><br>Proxy: External Proxy<br><br>Application Layer Protocol<br><br>Proxy | Exfiltration Over Alternative Protocol<br><br>Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol<br><br>Data Transfer Size Limits<br><br>Automated Exfiltration<br><br>Exfiltration Over Web Service: Exfiltration to Cloud Storage<br><br>Exfiltration Over Web Service | Resource Hijacking |