Vendor: Symantec

Product: Symantec CloudSOC

Rules	Models	MITRE TTPs	Event Types	Parsers
79	39	9	7	7

Use-Case	Event Types/Parsers	MITRE TTP	Content
Abnormal Application Access	app-activity ↳ symantec-cloud-activity app-login ↳ symantec-cloud-activity dlp-alert ↳ symantec-cloud-dlp-alert failed-app-login ↳ symantec-cloud-activity file-delete ↳ symantec-cloud-activity file-download ↳ symantec-cloud-activity file-upload ↳ symantec-cloud-activity	T1078 - Valid Accounts	17 Rules 10 Models
Abnormal Authentication & Access	app-activity ↳ symantec-cloud-activity app-login ↳ symantec-cloud-activity dlp-alert ↳ symantec-cloud-dlp-alert failed-app-login ↳ symantec-cloud-activity file-delete ↳ symantec-cloud-activity file-download ↳ symantec-cloud-activity file-upload ↳ symantec-cloud-activity	T1078 - Valid Accounts T1133 - External Remote Services	2 Rules
Abnormal File Access	app-activity ↳ symantec-cloud-activity app-login ↳ symantec-cloud-activity dlp-alert ↳ symantec-cloud-dlp-alert failed-app-login ↳ symantec-cloud-activity file-delete ↳ symantec-cloud-activity file-download ↳ symantec-cloud-activity file-upload ↳ symantec-cloud-activity	T1083 - File and Directory Discovery	3 Rules 3 Models
Abnormal User Activity	app-activity ↳ symantec-cloud-activity app-login ↳ symantec-cloud-activity dlp-alert ↳ symantec-cloud-dlp-alert failed-app-login ↳ symantec-cloud-activity file-delete ↳ symantec-cloud-activity file-download ↳ symantec-cloud-activity file-upload ↳ symantec-cloud-activity	T1078 - Valid Accounts T1133 - External Remote Services	22 Rules 13 Models
Access to Application Data	app-activity ↳ symantec-cloud-activity app-login ↳ symantec-cloud-activity dlp-alert ↳ symantec-cloud-dlp-alert failed-app-login ↳ symantec-cloud-activity file-delete ↳ symantec-cloud-activity file-download ↳ symantec-cloud-activity file-upload ↳ symantec-cloud-activity	T1078 - Valid Accounts	17 Rules 10 Models
Access to File Data	app-activity ↳ symantec-cloud-activity app-login ↳ symantec-cloud-activity dlp-alert ↳ symantec-cloud-dlp-alert failed-app-login ↳ symantec-cloud-activity file-delete ↳ symantec-cloud-activity file-download ↳ symantec-cloud-activity file-upload ↳ symantec-cloud-activity	T1083 - File and Directory Discovery	3 Rules 3 Models
Account Manipulation	app-activity ↳ symantec-cloud-activity app-login ↳ symantec-cloud-activity dlp-alert ↳ symantec-cloud-dlp-alert failed-app-login ↳ symantec-cloud-activity file-delete ↳ symantec-cloud-activity file-download ↳ symantec-cloud-activity file-upload ↳ symantec-cloud-activity	T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	3 Rules 1 Models
Compromised Service Account	app-activity ↳ symantec-cloud-activity app-login ↳ symantec-cloud-activity dlp-alert ↳ symantec-cloud-dlp-alert failed-app-login ↳ symantec-cloud-activity file-delete ↳ symantec-cloud-activity file-download ↳ symantec-cloud-activity file-upload ↳ symantec-cloud-activity	T1078 - Valid Accounts	1 Rules
Data Exfiltration	app-activity ↳ symantec-cloud-activity app-login ↳ symantec-cloud-activity dlp-alert ↳ symantec-cloud-dlp-alert failed-app-login ↳ symantec-cloud-activity file-delete ↳ symantec-cloud-activity file-download ↳ symantec-cloud-activity file-upload ↳ symantec-cloud-activity	T1020 - Automated Exfiltration T1048 - Exfiltration Over Alternative Protocol T1204 - User Execution	15 Rules 9 Models
Data Leak	app-activity ↳ symantec-cloud-activity app-login ↳ symantec-cloud-activity dlp-alert ↳ symantec-cloud-dlp-alert failed-app-login ↳ symantec-cloud-activity file-delete ↳ symantec-cloud-activity file-download ↳ symantec-cloud-activity file-upload ↳ symantec-cloud-activity	T1020 - Automated Exfiltration T1048 - Exfiltration Over Alternative Protocol T1204 - User Execution	15 Rules 9 Models
Data Leak via Email	app-activity ↳ symantec-cloud-activity app-login ↳ symantec-cloud-activity dlp-alert ↳ symantec-cloud-dlp-alert failed-app-login ↳ symantec-cloud-activity file-delete ↳ symantec-cloud-activity file-download ↳ symantec-cloud-activity file-upload ↳ symantec-cloud-activity	T1114.003 - Email Collection: Email Forwarding Rule	2 Rules
Disabled Account Abuse	app-activity ↳ symantec-cloud-activity app-login ↳ symantec-cloud-activity dlp-alert ↳ symantec-cloud-dlp-alert failed-app-login ↳ symantec-cloud-activity file-delete ↳ symantec-cloud-activity file-download ↳ symantec-cloud-activity file-upload ↳ symantec-cloud-activity	T1078 - Valid Accounts	2 Rules
Disabled Account Activity	app-activity ↳ symantec-cloud-activity app-login ↳ symantec-cloud-activity dlp-alert ↳ symantec-cloud-dlp-alert failed-app-login ↳ symantec-cloud-activity file-delete ↳ symantec-cloud-activity file-download ↳ symantec-cloud-activity file-upload ↳ symantec-cloud-activity	T1078 - Valid Accounts	2 Rules
Evasion	app-activity ↳ symantec-cloud-activity app-login ↳ symantec-cloud-activity dlp-alert ↳ symantec-cloud-dlp-alert failed-app-login ↳ symantec-cloud-activity file-delete ↳ symantec-cloud-activity file-download ↳ symantec-cloud-activity file-upload ↳ symantec-cloud-activity	T1090.003 - Proxy: Multi-hop Proxy	2 Rules
Executive Account Activity	app-activity ↳ symantec-cloud-activity app-login ↳ symantec-cloud-activity dlp-alert ↳ symantec-cloud-dlp-alert failed-app-login ↳ symantec-cloud-activity file-delete ↳ symantec-cloud-activity file-download ↳ symantec-cloud-activity file-upload ↳ symantec-cloud-activity	T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	1 Rules
Malware	app-activity ↳ symantec-cloud-activity app-login ↳ symantec-cloud-activity dlp-alert ↳ symantec-cloud-dlp-alert failed-app-login ↳ symantec-cloud-activity file-delete ↳ symantec-cloud-activity file-download ↳ symantec-cloud-activity file-upload ↳ symantec-cloud-activity	T1078 - Valid Accounts T1090.003 - Proxy: Multi-hop Proxy T1204 - User Execution	6 Rules 2 Models
Membership and Permission Modifications	app-activity ↳ symantec-cloud-activity app-login ↳ symantec-cloud-activity dlp-alert ↳ symantec-cloud-dlp-alert failed-app-login ↳ symantec-cloud-activity file-delete ↳ symantec-cloud-activity file-download ↳ symantec-cloud-activity file-upload ↳ symantec-cloud-activity	T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	3 Rules 1 Models
Permission Changes	app-activity ↳ symantec-cloud-activity app-login ↳ symantec-cloud-activity dlp-alert ↳ symantec-cloud-dlp-alert failed-app-login ↳ symantec-cloud-activity file-delete ↳ symantec-cloud-activity file-download ↳ symantec-cloud-activity file-upload ↳ symantec-cloud-activity	T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	3 Rules 1 Models
Privileged Account Abuse	app-activity ↳ symantec-cloud-activity app-login ↳ symantec-cloud-activity dlp-alert ↳ symantec-cloud-dlp-alert failed-app-login ↳ symantec-cloud-activity file-delete ↳ symantec-cloud-activity file-download ↳ symantec-cloud-activity file-upload ↳ symantec-cloud-activity	T1078 - Valid Accounts	2 Rules 2 Models
Ransomware	app-activity ↳ symantec-cloud-activity app-login ↳ symantec-cloud-activity dlp-alert ↳ symantec-cloud-dlp-alert failed-app-login ↳ symantec-cloud-activity file-delete ↳ symantec-cloud-activity file-download ↳ symantec-cloud-activity file-upload ↳ symantec-cloud-activity	T1078 - Valid Accounts	2 Rules
Service Account Abuse	app-activity ↳ symantec-cloud-activity app-login ↳ symantec-cloud-activity dlp-alert ↳ symantec-cloud-dlp-alert failed-app-login ↳ symantec-cloud-activity file-delete ↳ symantec-cloud-activity file-download ↳ symantec-cloud-activity file-upload ↳ symantec-cloud-activity	T1078 - Valid Accounts	1 Rules

ATT&CK Matrix for Enterprise

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
External Remote Services Valid Accounts	User Execution	External Remote Services Valid Accounts Account Manipulation Account Manipulation: Exchange Email Delegate Permissions	Valid Accounts	Valid Accounts		File and Directory Discovery		Email Collection Email Collection: Email Forwarding Rule	Proxy: Multi-hop Proxy Proxy	Exfiltration Over Alternative Protocol Automated Exfiltration

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ds_symantec_symantec_cloudsoc.md

ds_symantec_symantec_cloudsoc.md

Vendor: Symantec

Product: Symantec CloudSOC

ATT&CK Matrix for Enterprise

Files

ds_symantec_symantec_cloudsoc.md

Latest commit

History

ds_symantec_symantec_cloudsoc.md

File metadata and controls

Vendor: Symantec

Product: Symantec CloudSOC

ATT&CK Matrix for Enterprise