Use Case: Account Switch

Vendor: APC

Product	Event Types	MITRE TTP	Content
APC	network-alert remote-logon	T1078 - Valid Accounts	2 Rules 1 Models

Vendor: Amazon

Product	Event Types	MITRE TTP	Content
AWS Bastion	failed-logon remote-logon	T1078 - Valid Accounts	2 Rules 1 Models

Vendor: Axway

Product	Event Types	MITRE TTP	Content
Axway SFTP	file-upload remote-logon	T1078 - Valid Accounts	2 Rules 1 Models

Vendor: Barracuda

Product	Event Types	MITRE TTP	Content
Barracuda Firewall	failed-logon failed-vpn-login network-connection-failed network-connection-successful vpn-login vpn-logout	T1003 - OS Credential Dumping	4 Rules 4 Models

Vendor: BeyondTrust

Product	Event Types	MITRE TTP	Content
BeyondTrust	account-switch app-activity app-login failed-app-login privileged-access	T1003 - OS Credential Dumping T1078 - Valid Accounts T1098 - Account Manipulation	5 Rules 4 Models
BeyondTrust PasswordSafe	account-switch privileged-access	T1003 - OS Credential Dumping T1078 - Valid Accounts T1098 - Account Manipulation	5 Rules 4 Models
BeyondTrust Privilege Management	local-logon process-created	T1078 - Valid Accounts	2 Rules 1 Models
BeyondTrust Privileged Identity	account-switch app-activity app-login privileged-access	T1003 - OS Credential Dumping T1078 - Valid Accounts T1098 - Account Manipulation	5 Rules 4 Models

Vendor: CA Technologies

Product	Event Types	MITRE TTP	Content
CA Privileged Access Manager Server Control	account-switch app-login authentication-failed authentication-successful remote-logon	T1003 - OS Credential Dumping T1078 - Valid Accounts T1098 - Account Manipulation	7 Rules 5 Models

Vendor: CDS

Product	Event Types	MITRE TTP	Content
CDS	failed-logon remote-logon	T1078 - Valid Accounts	2 Rules 1 Models

Vendor: CatoNetworks

Product	Event Types	MITRE TTP	Content
Cato Cloud	network-alert vpn-connection vpn-login vpn-logout web-activity-allowed web-activity-denied	T1003 - OS Credential Dumping	4 Rules 4 Models

Vendor: Centrify

Product	Event Types	MITRE TTP	Content
Centrify Authentication Service	account-password-reset authentication-failed authentication-successful failed-logon local-logon remote-logon	T1078 - Valid Accounts	2 Rules 1 Models
Centrify Zero Trust Privilege Services	account-switch app-activity app-login failed-app-login	T1003 - OS Credential Dumping T1078 - Valid Accounts T1098 - Account Manipulation	5 Rules 4 Models

Vendor: Check Point Software

Product	Event Types	MITRE TTP	Content
Check Point Identity Awareness	failed-vpn-login network-connection-failed network-connection-successful vpn-login vpn-logout	T1003 - OS Credential Dumping	4 Rules 4 Models
Check Point NGFW	app-login dlp-email-alert-in dlp-email-alert-out failed-vpn-login local-logon network-alert network-connection-failed network-connection-successful vpn-login web-activity-allowed web-activity-denied	T1078 - Valid Accounts	2 Rules 1 Models
Check Point Security Gateway	failed-vpn-login vpn-login vpn-logout	T1003 - OS Credential Dumping	4 Rules 4 Models

Vendor: Cisco

Product	Event Types	MITRE TTP	Content
AnyConnect	process-network vpn-login vpn-logout	T1003 - OS Credential Dumping	4 Rules 4 Models
Cisco Adaptive Security Appliance	authentication-failed authentication-successful dns-response failed-logon failed-vpn-login file-download file-upload nac-logon network-connection-successful process-created remote-logon vpn-login vpn-logout web-activity-denied	T1003 - OS Credential Dumping T1078 - Valid Accounts	6 Rules 5 Models
Cisco ISE	app-activity authentication-failed authentication-successful computer-logon failed-vpn-login nac-failed-logon nac-logon remote-logon vpn-login vpn-logout	T1003 - OS Credential Dumping T1078 - Valid Accounts	6 Rules 5 Models
Cisco Meraki MX appliances	network-alert network-connection-failed network-connection-successful vpn-login vpn-logout web-activity-allowed web-activity-denied	T1003 - OS Credential Dumping	4 Rules 4 Models
Cisco Umbrella	config-change dns-query dns-response failed-logon network-connection-failed network-connection-successful remote-logon vpn-login vpn-logout web-activity-allowed web-activity-denied	T1003 - OS Credential Dumping T1078 - Valid Accounts	6 Rules 5 Models

Vendor: Citrix

Product	Event Types	MITRE TTP	Content
Citrix Endpoint Management	app-activity remote-logon	T1078 - Valid Accounts	2 Rules 1 Models
Citrix Netscaler	app-activity app-login authentication-failed failed-vpn-login process-created vpn-login vpn-logout	T1003 - OS Credential Dumping	4 Rules 4 Models
Citrix Netscaler VPN	authentication-failed authentication-successful remote-access remote-logon vpn-connection vpn-logout	T1003 - OS Credential Dumping T1078 - Valid Accounts	6 Rules 5 Models
Citrix XenApp	app-login remote-logon	T1078 - Valid Accounts	2 Rules 1 Models
Citrix XenDesktop	remote-logon	T1078 - Valid Accounts	2 Rules 1 Models

Vendor: CrowdStrike

Product	Event Types	MITRE TTP	Content
Falcon	app-activity app-activity-failed app-login authentication-failed batch-logon computer-logon config-change dlp-alert dns-query failed-app-login file-alert file-delete file-download file-read file-write local-logon network-connection-successful process-alert process-created process-network remote-access remote-logon security-alert service-logon task-created usb-activity usb-insert	T1078 - Valid Accounts	2 Rules 1 Models

Vendor: CyberArk

Product	Event Types	MITRE TTP	Content
CyberArk Vault	account-password-change account-password-change-failed account-password-reset account-switch app-activity app-activity-failed app-login failed-app-login failed-logon file-delete file-permission-change file-read file-write remote-logon security-alert	T1003 - OS Credential Dumping T1078 - Valid Accounts T1098 - Account Manipulation	7 Rules 5 Models
Privileged Session Manager	account-switch app-activity app-login	T1003 - OS Credential Dumping T1078 - Valid Accounts T1098 - Account Manipulation	5 Rules 4 Models

Vendor: Dell

Product	Event Types	MITRE TTP	Content
Dell EMC Isilon	file-delete file-read file-write remote-access	T1078 - Valid Accounts	2 Rules 1 Models
One Identity Manager	account-password-change account-switch app-activity	T1003 - OS Credential Dumping T1078 - Valid Accounts T1098 - Account Manipulation	5 Rules 4 Models
SonicWALL Aventail	vpn-login vpn-logout	T1003 - OS Credential Dumping	4 Rules 4 Models

Vendor: Digital Guardian

Product	Event Types	MITRE TTP	Content
Digital Guardian Endpoint Protection	app-activity dlp-email-alert-out file-delete file-download file-read file-upload file-write local-logon print-activity process-created usb-insert usb-write	T1078 - Valid Accounts	2 Rules 1 Models

Vendor: Dtex Systems

Product	Event Types	MITRE TTP	Content
DTEX InTERCEPT	file-write local-logon print-activity process-created remote-logon usb-write web-activity-allowed workstation-locked workstation-unlocked	T1078 - Valid Accounts	2 Rules 1 Models

Vendor: F5

Product	Event Types	MITRE TTP	Content
F5 BIG-IP	authentication-failed failed-logon failed-vpn-login network-connection-successful remote-logon vpn-login	T1078 - Valid Accounts	2 Rules 1 Models
F5 BIG-IP Access Policy Manager (APM)	authentication-failed authentication-successful vpn-login vpn-logout	T1003 - OS Credential Dumping	4 Rules 4 Models

Vendor: Fortinet

Product	Event Types	MITRE TTP	Content
Fortinet VPN	authentication-successful failed-vpn-login vpn-login vpn-logout	T1003 - OS Credential Dumping	4 Rules 4 Models

Vendor: HP

Product	Event Types	MITRE TTP	Content
HP	local-logon nac-failed-logon	T1078 - Valid Accounts	2 Rules 1 Models

Vendor: HelpSystems

Product	Event Types	MITRE TTP	Content
Powertech Identity Access Manager (BoKs)	account-switch file-delete file-read file-write local-logon process-created remote-logon	T1003 - OS Credential Dumping T1078 - Valid Accounts T1098 - Account Manipulation	7 Rules 5 Models

Vendor: IBM

Product	Event Types	MITRE TTP	Content
IBM DB2	authentication-failed file-read remote-logon security-alert	T1078 - Valid Accounts	2 Rules 1 Models
IBM Sterling B2B Integrator	failed-logon remote-logon	T1078 - Valid Accounts	2 Rules 1 Models

Vendor: Infoblox

Product	Event Types	MITRE TTP	Content
Infoblox	computer-logon dns-query network-alert network-connection-failed network-connection-successful remote-logon	T1078 - Valid Accounts	2 Rules 1 Models

Vendor: Juniper Networks

Product	Event Types	MITRE TTP	Content
Juniper SRX	account-deleted authentication-failed authentication-successful failed-vpn-login network-alert network-connection-failed network-connection-successful security-alert vpn-connection vpn-login vpn-logout web-activity-allowed web-activity-denied	T1003 - OS Credential Dumping	4 Rules 4 Models
Juniper VPN	account-deleted authentication-failed authentication-successful failed-vpn-login vpn-login vpn-logout web-activity-allowed	T1003 - OS Credential Dumping	4 Rules 4 Models

Vendor: Kemp

Product	Event Types	MITRE TTP	Content
Kemp LoadMaster	app-activity remote-logon security-alert	T1078 - Valid Accounts	2 Rules 1 Models
Load Balancer	authentication-failed remote-logon	T1078 - Valid Accounts	2 Rules 1 Models

Vendor: LanScope

Product	Event Types	MITRE TTP	Content
LanScope Cat	app-activity dlp-alert failed-usb-activity local-logon print-activity usb-activity usb-write web-activity-allowed workstation-locked workstation-unlocked	T1078 - Valid Accounts	2 Rules 1 Models

Vendor: Linux

Product	Event Types	MITRE TTP	Content
SSH	failed-logon remote-logon	T1078 - Valid Accounts	2 Rules 1 Models

Vendor: LogMeIn

Product	Event Types	MITRE TTP	Content
RemotelyAnywhere	remote-logon	T1078 - Valid Accounts	2 Rules 1 Models

Vendor: McAfee

Product	Event Types	MITRE TTP	Content
McAfee Endpoint Security	dlp-alert failed-app-login file-write print-activity process-alert process-created-failed remote-logon security-alert usb-insert usb-write	T1078 - Valid Accounts	2 Rules 1 Models

Vendor: Microsoft

Product	Event Types	MITRE TTP	Content
Microsoft Office 365	account-disabled account-password-change account-unlocked app-activity app-activity-failed app-login database-query dlp-alert dlp-email-alert-in dlp-email-alert-out dns-query failed-app-login file-delete file-download file-permission-change file-read file-upload file-write member-added member-removed network-connection-failed network-connection-successful process-created remote-logon security-alert usb-activity usb-insert	T1078 - Valid Accounts	2 Rules 1 Models
Microsoft Windows	account-creation account-deleted account-disabled account-enabled account-lockout account-password-change account-password-change-failed account-password-reset account-switch account-unlocked app-login audit-log-clear audit-policy-change authentication-failed authentication-successful batch-logon computer-logon database-failed-login database-query dcom-activation-failed dns-query dns-response ds-access failed-app-login failed-logon failed-vpn-login file-close file-delete file-read file-write kerberos-logon local-logon logout-remote member-added member-removed nac-failed-logon nac-logon network-connection-successful ntlm-logon privileged-access privileged-object-access process-created process-network process-network-failed registry-write remote-access remote-logon security-alert service-created service-logon share-access share-access-denied task-created usb-activity usb-insert vpn-login winsession-disconnect workstation-locked workstation-unlocked	T1003 - OS Credential Dumping T1078 - Valid Accounts T1098 - Account Manipulation	7 Rules 5 Models
Web Application Proxy	remote-logon web-activity-allowed web-activity-denied	T1078 - Valid Accounts	2 Rules 1 Models

Vendor: NCP

Product	Event Types	MITRE TTP	Content
NCP	authentication-failed vpn-login vpn-logout	T1003 - OS Credential Dumping	4 Rules 4 Models

Vendor: NetMotion Wireless

Product	Event Types	MITRE TTP	Content
NetMotion Wireless	vpn-login vpn-logout	T1003 - OS Credential Dumping	4 Rules 4 Models

Vendor: Nortel Contivity

Product	Event Types	MITRE TTP	Content
Nortel Contivity VPN	vpn-logout	T1003 - OS Credential Dumping	4 Rules 4 Models

Vendor: ObserveIT

Product	Event Types	MITRE TTP	Content
ObserveIT	app-activity app-login database-access dlp-alert failed-app-login process-created remote-logon security-alert	T1078 - Valid Accounts	2 Rules 1 Models

Vendor: Palo Alto Networks

Product	Event Types	MITRE TTP	Content
GlobalProtect	app-activity authentication-failed authentication-successful config-change failed-logon failed-vpn-login remote-logon vpn-login vpn-logout	T1003 - OS Credential Dumping T1078 - Valid Accounts	6 Rules 5 Models
NGFW	app-activity authentication-failed config-change dlp-alert failed-vpn-login file-alert network-alert network-connection-failed network-connection-successful remote-logon security-alert vpn-login web-activity-allowed web-activity-denied	T1078 - Valid Accounts	2 Rules 1 Models

Vendor: Password Manager Pro

Product	Event Types	MITRE TTP	Content
Password Manager Pro	account-password-change account-switch	T1003 - OS Credential Dumping T1078 - Valid Accounts T1098 - Account Manipulation	5 Rules 4 Models

Vendor: Quest Software

Product	Event Types	MITRE TTP	Content
Change Auditor	account-unlocked ds-access failed-ds-access failed-logon local-logon member-added member-removed remote-logon	T1078 - Valid Accounts	2 Rules 1 Models

Vendor: RSA

Product	Event Types	MITRE TTP	Content
SecurID	authentication-failed authentication-successful vpn-logout	T1003 - OS Credential Dumping	4 Rules 4 Models

Vendor: SAP

Product	Event Types	MITRE TTP	Content
SAP	account-creation account-deleted account-lockout account-unlocked app-activity authentication-failed authentication-successful file-download remote-logon	T1078 - Valid Accounts	2 Rules 1 Models

Vendor: SSL Open VPN

Product	Event Types	MITRE TTP	Content
SSL Open VPN	app-activity app-activity-failed authentication-failed failed-vpn-login vpn-login vpn-logout	T1003 - OS Credential Dumping	4 Rules 4 Models

Vendor: SecureNet

Product	Event Types	MITRE TTP	Content
SecureNet	vpn-login vpn-logout	T1003 - OS Credential Dumping	4 Rules 4 Models

Vendor: Sonicwall

Product	Event Types	MITRE TTP	Content
Sonicwall	failed-vpn-login network-alert remote-logon vpn-login vpn-logout web-activity-allowed web-activity-denied	T1003 - OS Credential Dumping T1078 - Valid Accounts	6 Rules 5 Models

Vendor: Sophos

Product	Event Types	MITRE TTP	Content
Sophos Endpoint Protection	dlp-alert failed-usb-activity failed-vpn-login file-alert network-alert network-connection-failed security-alert usb-insert usb-write vpn-login vpn-logout	T1003 - OS Credential Dumping	4 Rules 4 Models

Vendor: Symantec

Product	Event Types	MITRE TTP	Content
Symantec Critical System Protection	account-switch failed-logon local-logon	T1003 - OS Credential Dumping T1078 - Valid Accounts T1098 - Account Manipulation	7 Rules 5 Models

Vendor: Thycotic Secret Server

Product	Event Types	MITRE TTP	Content
Thycotic Secret Server	account-switch app-activity app-login failed-app-login	T1003 - OS Credential Dumping T1078 - Valid Accounts T1098 - Account Manipulation	5 Rules 4 Models

Vendor: Unix

Product	Event Types	MITRE TTP	Content
Unix	account-creation account-deleted account-lockout account-password-change account-switch authentication-failed authentication-successful batch-logon computer-logon dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-logon file-delete file-read file-write kerberos-logon local-logon member-added member-removed process-created process-created-failed remote-access remote-logon security-alert task-created	T1003 - OS Credential Dumping T1078 - Valid Accounts T1098 - Account Manipulation	7 Rules 5 Models
Unix Auditd	account-deleted account-password-change account-switch app-activity-failed authentication-failed authentication-successful failed-logon file-read file-write local-logon member-added member-removed process-created process-created-failed remote-logon security-alert	T1003 - OS Credential Dumping T1078 - Valid Accounts T1098 - Account Manipulation	7 Rules 5 Models
Unix Privilege Management	account-switch	T1003 - OS Credential Dumping T1078 - Valid Accounts T1098 - Account Manipulation	5 Rules 4 Models

Vendor: VMware

Product	Event Types	MITRE TTP	Content
VMware Carbon Black App Control	app-login file-alert file-delete file-download file-read file-write local-logon network-connection-failed network-connection-successful process-alert process-created process-network security-alert usb-insert workstation-locked workstation-unlocked	T1078 - Valid Accounts	2 Rules 1 Models
VMware ESXi	remote-logon	T1078 - Valid Accounts	2 Rules 1 Models
VMware Horizon	authentication-failed remote-logon	T1078 - Valid Accounts	2 Rules 1 Models
VMware VCenter	app-activity app-login failed-logon remote-logon	T1078 - Valid Accounts	2 Rules 1 Models
VMware View	account-password-change app-activity app-login failed-app-login remote-logon	T1078 - Valid Accounts	2 Rules 1 Models

Vendor: Vectra

Product	Event Types	MITRE TTP	Content
Vectra Cognito Stream	remote-logon	T1078 - Valid Accounts	2 Rules 1 Models

Vendor: Zeek

Product	Event Types	MITRE TTP	Content
Zeek Network Security Monitor	app-activity authentication-failed authentication-successful computer-logon dlp-email-alert-in dlp-email-alert-out dns-query dns-response failed-logon file-delete file-read file-write kerberos-logon nac-failed-logon nac-logon network-alert network-connection-failed network-connection-successful ntlm-logon remote-access remote-logon share-access web-activity-allowed web-activity-denied	T1078 - Valid Accounts	2 Rules 1 Models

Vendor: Zscaler

Product	Event Types	MITRE TTP	Content
Zscaler Private Access	vpn-login vpn-logout	T1003 - OS Credential Dumping	4 Rules 4 Models

Vendor: xsuite

Product	Event Types	MITRE TTP	Content
xsuite	remote-logon	T1078 - Valid Accounts	2 Rules 1 Models

Files

uc_account_switch.md

Latest commit

History

uc_account_switch.md

File metadata and controls

Use Case: Account Switch

Vendor: APC

Vendor: Amazon

Vendor: Axway

Vendor: Barracuda

Vendor: BeyondTrust

Vendor: CA Technologies

Vendor: CDS

Vendor: CatoNetworks

Vendor: Centrify

Vendor: Check Point Software

Vendor: Cisco

Vendor: Citrix

Vendor: CrowdStrike

Vendor: CyberArk

Vendor: Dell

Vendor: Digital Guardian

Vendor: Dtex Systems

Vendor: F5

Vendor: Fortinet

Vendor: HP

Vendor: HelpSystems

Vendor: IBM

Vendor: Infoblox

Vendor: Juniper Networks

Vendor: Kemp

Vendor: LanScope

Vendor: Linux

Vendor: LogMeIn

Vendor: McAfee

Vendor: Microsoft

Vendor: NCP

Vendor: NetMotion Wireless

Vendor: Nortel Contivity

Vendor: ObserveIT

Vendor: Palo Alto Networks

Vendor: Password Manager Pro

Vendor: Quest Software

Vendor: RSA

Vendor: SAP

Vendor: SSL Open VPN

Vendor: SecureNet

Vendor: Sonicwall

Vendor: Sophos

Vendor: Symantec

Vendor: Thycotic Secret Server

Vendor: Unix

Vendor: VMware

Vendor: Vectra

Vendor: Zeek

Vendor: Zscaler

Vendor: xsuite