uc_activity_on_domain_controllers.md
# Use Case: Activity on Domain Controllers

## Vendor: Akamai

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Cloud Akamai | web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Apache

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Apache | web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Bitdefender

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Bitdefender GravityZone | security-alert, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: CatoNetworks

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Cato Cloud | network-alert, vpn-connection, vpn-login, vpn-logout, web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Check Point Software

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Check Point NGFW | app-login, dlp-email-alert-in, dlp-email-alert-out, failed-vpn-login, local-logon, network-alert, network-connection-failed, network-connection-successful, vpn-login, web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Cisco

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Cisco ADC | web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |
| Cisco Adaptive Security Appliance | authentication-failed, authentication-successful, dns-response, failed-logon, failed-vpn-login, file-download, file-upload, nac-logon, network-connection-successful, process-created, remote-logon, vpn-login, vpn-logout, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |
| Cisco Cloud Web Security | web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |
| Cisco Firepower | authentication-successful, dns-query, dns-response, nac-logon, netflow-connection, network-alert, network-connection-failed, network-connection-successful, security-alert, web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |
| Cisco Meraki MX appliances | network-alert, network-connection-failed, network-connection-successful, vpn-login, vpn-logout, web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |
| Cisco Secure Web Appliance | web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |
| Cisco Umbrella | config-change, dns-query, dns-response, failed-logon, network-connection-failed, network-connection-successful, remote-logon, vpn-login, vpn-logout, web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |
| IronPort Web Security | web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |
| Proxy Umbrella | network-connection-successful, web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Citrix

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Web Logging | web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Cloudflare

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Cloudflare WAF | network-alert, network-connection-failed, network-connection-successful, web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Digital Arts

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Digital Arts i-FILTER for Business | web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Dtex Systems

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| DTEX InTERCEPT | file-write, local-logon, print-activity, process-created, remote-logon, usb-write, web-activity-allowed, workstation-locked, workstation-unlocked | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: ESET

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| ESET Endpoint Security | app-login, authentication-failed, authentication-successful, failed-logon, network-alert, security-alert, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: EdgeWave

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| EdgeWave iPrism | web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: F5

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| F5 BIG-IP Application Security Manager (ASM) | security-alert, web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |
| WebSafe | web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: FireEye

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| FireEye Network Security (NX) | security-alert, web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Forcepoint

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Websense Secure Gateway | web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Fortinet

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Fortinet FortiWeb | web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |
| Fortinet UTM | app-activity, app-activity-failed, authentication-failed, authentication-successful, dlp-alert, dlp-email-alert-in, dlp-email-alert-in-failed, dlp-email-alert-out, dlp-email-alert-out-failed, network-alert, security-alert, web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Google

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| GCP Squid Proxy | web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: HashiCorp

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Terraform | web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: IBM

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| IBM Security Access Manager | web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Imperva

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Incapsula | web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: InfoWatch

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| InfoWatch | app-login, dlp-email-alert-in, dlp-email-alert-out, print-activity, usb-write, web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: IronPort Web Security

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| IronPort Web Security | web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Juniper Networks

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Juniper SRX | account-deleted, authentication-failed, authentication-successful, failed-vpn-login, network-alert, network-connection-failed, network-connection-successful, security-alert, vpn-connection, vpn-login, vpn-logout, web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |
| Juniper VPN | account-deleted, authentication-failed, authentication-successful, failed-vpn-login, vpn-login, vpn-logout, web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: LanScope

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| LanScope Cat | app-activity, dlp-alert, failed-usb-activity, local-logon, print-activity, usb-activity, usb-write, web-activity-allowed, workstation-locked, workstation-unlocked | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: McAfee

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| McAfee Web Gateway | web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Microsoft

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| IIS | web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |
| Microsoft Windows | account-creation, account-deleted, account-disabled, account-enabled, account-lockout, account-password-change, account-password-change-failed, account-password-reset, account-switch, account-unlocked, app-login, audit-log-clear, audit-policy-change, authentication-failed, authentication-successful, batch-logon, computer-logon, database-failed-login, database-query, dcom-activation-failed, dns-query, dns-response, ds-access, failed-app-login, failed-logon, failed-vpn-login, file-close, file-delete, file-read, file-write, kerberos-logon, local-logon, logout-remote, member-added, member-removed, nac-failed-logon, nac-logon, network-connection-successful, ntlm-logon, privileged-access, privileged-object-access, process-created, process-network, process-network-failed, registry-write, remote-access, remote-logon, security-alert, service-created, service-logon, share-access, share-access-denied, task-created, usb-activity, usb-insert, vpn-login, winsession-disconnect, workstation-locked, workstation-unlocked | T1003.006 - OS Credential Dumping: DCSync | 2 Rules<br>1 Model |
| Web Application Proxy | remote-logon, web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |
| Web Application Proxy-TLS Gateway | web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Mimecast

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Targeted Threat Protection - URL | web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Namespace rDirectory

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Namespace rDirectory | account-creation, account-deleted, account-disabled, account-enabled, account-password-change, ds-access, member-added | T1003.006 - OS Credential Dumping: DCSync | 2 Rules<br>1 Model |

## Vendor: Netskope

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Netskope Security Cloud | app-activity, app-login, dlp-alert, dlp-email-alert-out, file-delete, file-download, file-permission-change, file-read, file-upload, file-write, network-connection-failed, network-connection-successful, security-alert, web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Netwrix

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Netwrix Auditor | account-disabled, account-lockout, account-password-reset, account-unlocked, app-activity, app-login, database-access, database-failed-login, ds-access, failed-app-login, failed-logon, file-delete, file-write, member-added, member-removed | T1003.006 - OS Credential Dumping: DCSync | 2 Rules<br>1 Model |

## Vendor: Palo Alto Networks

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| NGFW | app-activity, authentication-failed, config-change, dlp-alert, failed-vpn-login, file-alert, network-alert, network-connection-failed, network-connection-successful, remote-logon, security-alert, vpn-login, web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Quest Software

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Change Auditor | account-unlocked, ds-access, failed-ds-access, failed-logon, local-logon, member-added, member-removed, remote-logon | T1003.006 - OS Credential Dumping: DCSync | 2 Rules<br>1 Model |

## Vendor: SIGSCI

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| SIGSCI | web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Sangfor

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| NGAF | network-alert, web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: SentinelOne

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| SentinelOne | app-activity, dns-query, dns-response, file-alert, file-delete, file-read, file-write, network-alert, network-connection-failed, network-connection-successful, process-created, security-alert, task-created, web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: SkySea

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| ClientView | app-activity, app-login, dlp-email-alert-out, file-delete, file-download, file-read, file-upload, file-write, print-activity, process-created, security-alert, share-access, usb-activity, web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Sonicwall

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Sonicwall | failed-vpn-login, network-alert, remote-logon, vpn-login, vpn-logout, web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Sophos

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Sophos UTM | web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |
| Sophos XG Firewall | network-connection-failed, network-connection-successful, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Squid

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Squid | web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: StealthBits

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| StealthIntercept | account-disabled, account-enabled, ds-access, failed-ds-access, file-permission-change, file-read, file-write, member-added, member-removed | T1003.006 - OS Credential Dumping: DCSync | 2 Rules<br>1 Model |

## Vendor: Symantec

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Symantec Blue Coat ProxySG Appliance | network-connection-failed, web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |
| Symantec Fireglass | web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |
| Symantec WSS | web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Trend Micro

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| OfficeScan | dlp-alert, dlp-email-alert-in, dlp-email-alert-out, privileged-object-access, security-alert, usb-write, web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Watchguard

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Watchguard | web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Weblogin

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Weblogin | web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Websense Secure Gateway

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Websense Secure Gateway | web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Zeek

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Zeek Network Security Monitor | app-activity, authentication-failed, authentication-successful, computer-logon, dlp-email-alert-in, dlp-email-alert-out, dns-query, dns-response, failed-logon, file-delete, file-read, file-write, kerberos-logon, nac-failed-logon, nac-logon, network-alert, network-connection-failed, network-connection-successful, ntlm-logon, remote-access, remote-logon, share-access, web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |

## Vendor: Zscaler

| Product | Event Types | MITRE TTP | Content |
|---|---|---|---|
| Zscaler Internet Access | app-login, dlp-alert, network-connection-failed, network-connection-successful, web-activity-allowed, web-activity-denied | T1071.001 - Application Layer Protocol: Web Protocols<br>T1102 - Web Service | 1 Rule |