Use Case: Disabled Account Activity

Vendor: AWS

Product	Event Types	MITRE TTP	Content
AWS CloudTrail	app-activity app-activity-failed	T1078 - Valid Accounts	1 Rules

Vendor: Abnormal Security

Product	Event Types	MITRE TTP	Content
Abnormal Security	dlp-email-alert-out security-alert	T1078 - Valid Accounts	1 Rules

Vendor: Accellion

Product	Event Types	MITRE TTP	Content
Accellion	account-password-change account-password-reset app-activity app-login dlp-email-alert-out failed-app-login file-delete file-download file-read file-upload	T1078 - Valid Accounts	2 Rules
Kiteworks	account-lockout account-password-change account-unlocked dlp-alert failed-app-login	T1078 - Valid Accounts	1 Rules

Vendor: Adaxes

Product	Event Types	MITRE TTP	Content
Adaxes	app-activity	T1078 - Valid Accounts	1 Rules

Vendor: Airlock

Product	Event Types	MITRE TTP	Content
Airlock	app-activity-failed failed-app-login file-write	T1078 - Valid Accounts	2 Rules

Vendor: Amazon

Product	Event Types	MITRE TTP	Content
AWS CloudTrail	app-activity app-login cloud-admin-activity cloud-admin-activity-failed failed-app-login storage-access storage-activity storage-activity-failed	T1078 - Valid Accounts	1 Rules

Vendor: Apache Subversion

Product	Event Types	MITRE TTP	Content
Apache Subversion	app-activity app-activity-failed	T1078 - Valid Accounts	1 Rules

Vendor: Apache

Product	Event Types	MITRE TTP	Content
Apache Guacamole	app-login failed-app-login	T1078 - Valid Accounts	1 Rules

Vendor: AssetView

Product	Event Types	MITRE TTP	Content
AssetView	file-download file-write print-activity security-alert usb-insert	T1078 - Valid Accounts	1 Rules

Vendor: Atlassian

Product	Event Types	MITRE TTP	Content
Atlassian BitBucket	app-activity	T1078 - Valid Accounts	1 Rules

Vendor: Axway

Product	Event Types	MITRE TTP	Content
Axway SFTP	file-upload remote-logon	T1078 - Valid Accounts	1 Rules

Vendor: Barracuda

Product	Event Types	MITRE TTP	Content
Barracuda Email Security Gateway	dlp-email-alert-in	T1078 - Valid Accounts	1 Rules

Vendor: BeyondTrust

Product	Event Types	MITRE TTP	Content
BeyondTrust	account-switch app-activity app-login failed-app-login privileged-access	T1078 - Valid Accounts	1 Rules
BeyondTrust Privileged Identity	account-switch app-activity app-login privileged-access	T1078 - Valid Accounts	1 Rules
BeyondTrust Secure Remote Access	app-activity app-login failed-app-login	T1078 - Valid Accounts	1 Rules

Vendor: Bitdefender

Product	Event Types	MITRE TTP	Content
Bitdefender	app-login	T1078 - Valid Accounts	1 Rules

Vendor: Bitglass

Product	Event Types	MITRE TTP	Content
Bitglass CASB	app-login dlp-alert dlp-email-alert-out failed-app-login file-read file-write	T1078 - Valid Accounts	2 Rules

Vendor: BlackBerry

Product	Event Types	MITRE TTP	Content
BlackBerry Protect	app-activity app-login dlp-alert file-alert process-alert security-alert	T1078 - Valid Accounts	2 Rules

Vendor: Box

Product	Event Types	MITRE TTP	Content
Box Cloud Content Management	app-activity app-login file-delete file-download file-permission-change file-read file-upload file-write	T1078 - Valid Accounts	2 Rules

Vendor: Bromium

Product	Event Types	MITRE TTP	Content
Bromium Secure Platform	file-permission-change file-read file-write	T1078 - Valid Accounts	1 Rules

Vendor: CA Technologies

Product	Event Types	MITRE TTP	Content
CA Privileged Access Manager Server Control	account-switch app-login authentication-failed authentication-successful remote-logon	T1078 - Valid Accounts	1 Rules

Vendor: Centrify

Product	Event Types	MITRE TTP	Content
Centrify Audit and Monitoring Service	file-delete file-read file-write	T1078 - Valid Accounts	1 Rules
Centrify Zero Trust Privilege Services	account-switch app-activity app-login failed-app-login	T1078 - Valid Accounts	1 Rules

Vendor: Check Point Software

Product	Event Types	MITRE TTP	Content
Check Point NGFW	app-login dlp-email-alert-in dlp-email-alert-out failed-vpn-login local-logon network-alert network-connection-failed network-connection-successful vpn-login web-activity-allowed web-activity-denied	T1078 - Valid Accounts	1 Rules

Vendor: Cisco

Product	Event Types	MITRE TTP	Content
Cisco ACS	app-activity authentication-failed authentication-successful	T1078 - Valid Accounts	1 Rules
Cisco Adaptive Security Appliance	authentication-failed authentication-successful dns-response failed-logon failed-vpn-login file-download file-upload nac-logon network-connection-successful process-created remote-logon vpn-login vpn-logout web-activity-denied	T1078 - Valid Accounts	1 Rules
Cisco Call Manager	app-activity app-activity-failed authentication-failed authentication-successful	T1078 - Valid Accounts	1 Rules
Cisco ISE	app-activity authentication-failed authentication-successful computer-logon failed-vpn-login nac-failed-logon nac-logon remote-logon vpn-login vpn-logout	T1078 - Valid Accounts	1 Rules
Cisco Secure Email	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed	T1078 - Valid Accounts	1 Rules
Duo Access Security	account-creation app-activity app-login authentication-failed authentication-successful failed-app-login	T1078 - Valid Accounts	1 Rules
IronPort Email	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed	T1078 - Valid Accounts	1 Rules

Vendor: Citrix

Product	Event Types	MITRE TTP	Content
Citrix Endpoint Management	app-activity remote-logon	T1078 - Valid Accounts	1 Rules
Citrix Gateway ActiveSync Connector	app-activity app-activity-failed	T1078 - Valid Accounts	1 Rules
Citrix Netscaler	app-activity app-login authentication-failed failed-vpn-login process-created vpn-login vpn-logout	T1078 - Valid Accounts	1 Rules
Citrix ShareFile	app-activity app-login failed-app-login file-download file-upload	T1078 - Valid Accounts	2 Rules
Citrix XenApp	app-login remote-logon	T1078 - Valid Accounts	1 Rules

Vendor: Clearswift SEG

Product	Event Types	MITRE TTP	Content
Clearswift SEG	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed	T1078 - Valid Accounts	1 Rules

Vendor: Cloud Application

Product	Event Types	MITRE TTP	Content
Cloud Application	account-password-change app-login failed-app-login	T1078 - Valid Accounts	1 Rules

Vendor: Cloudflare

Product	Event Types	MITRE TTP	Content
Cloudflare Insights	app-activity app-login member-added member-removed	T1078 - Valid Accounts	1 Rules

Vendor: Code42

Product	Event Types	MITRE TTP	Content
Code42 Incydr	dlp-email-alert-out file-delete file-download file-read file-upload file-write print-activity usb-activity usb-insert	T1078 - Valid Accounts	2 Rules

Vendor: Cohesity

Product	Event Types	MITRE TTP	Content
Cohesity DataPlatform	app-login	T1078 - Valid Accounts	1 Rules

Vendor: CrowdStrike

Product	Event Types	MITRE TTP	Content
Falcon	app-activity app-activity-failed app-login authentication-failed batch-logon computer-logon config-change dlp-alert dns-query failed-app-login file-alert file-delete file-download file-read file-write local-logon network-connection-successful process-alert process-created process-network remote-access remote-logon security-alert service-logon task-created usb-activity usb-insert	T1078 - Valid Accounts	2 Rules

Vendor: CyberArk

Product	Event Types	MITRE TTP	Content
CyberArk Vault	account-password-change account-password-change-failed account-password-reset account-switch app-activity app-activity-failed app-login failed-app-login failed-logon file-delete file-permission-change file-read file-write remote-logon security-alert	T1078 - Valid Accounts	2 Rules
Privileged Session Manager	account-switch app-activity app-login	T1078 - Valid Accounts	1 Rules

Vendor: DTEX InTERCEPT

Product	Event Types	MITRE TTP	Content
DTEX InTERCEPT	file-delete file-read file-write	T1078 - Valid Accounts	1 Rules

Vendor: Darktrace

Product	Event Types	MITRE TTP	Content
Darktrace	app-login failed-app-login	T1078 - Valid Accounts	1 Rules

Vendor: Dell

Product	Event Types	MITRE TTP	Content
Dell EMC Isilon	file-delete file-read file-write remote-access	T1078 - Valid Accounts	1 Rules
One Identity Manager	account-password-change account-switch app-activity	T1078 - Valid Accounts	1 Rules

Vendor: Digital Guardian

Product	Event Types	MITRE TTP	Content
Digital Guardian Endpoint Protection	app-activity dlp-email-alert-out file-delete file-download file-read file-upload file-write local-logon print-activity process-created usb-insert usb-write	T1078 - Valid Accounts	2 Rules
Digital Guardian Network DLP	dlp-alert dlp-email-alert-out dlp-email-alert-out-failed	T1078 - Valid Accounts	1 Rules

Vendor: Dropbox

Product	Event Types	MITRE TTP	Content
Dropbox	app-activity app-login	T1078 - Valid Accounts	1 Rules

Vendor: Dtex Systems

Product	Event Types	MITRE TTP	Content
DTEX InTERCEPT	file-write local-logon print-activity process-created remote-logon usb-write web-activity-allowed workstation-locked workstation-unlocked	T1078 - Valid Accounts	1 Rules

Vendor: Duo Access Security

Product	Event Types	MITRE TTP	Content
Duo Access Security	app-activity failed-vpn-login vpn-login	T1078 - Valid Accounts	1 Rules

Vendor: EMP

Product	Event Types	MITRE TTP	Content
EMP	app-activity app-login	T1078 - Valid Accounts	1 Rules

Vendor: ESET

Product	Event Types	MITRE TTP	Content
ESET Endpoint Security	app-login authentication-failed authentication-successful failed-logon network-alert security-alert web-activity-denied	T1078 - Valid Accounts	1 Rules

Vendor: ESector

Product	Event Types	MITRE TTP	Content
ESector DEFESA	file-delete file-read file-write	T1078 - Valid Accounts	1 Rules

Vendor: Egnyte

Product	Event Types	MITRE TTP	Content
Egnyte	app-activity app-login failed-app-login file-delete file-download file-permission-change file-upload file-write	T1078 - Valid Accounts	2 Rules

Vendor: Epic SIEM

Product	Event Types	MITRE TTP	Content
Epic SIEM	app-activity	T1078 - Valid Accounts	1 Rules

Vendor: Epic

Product	Event Types	MITRE TTP	Content
Epic SIEM	account-password-change account-password-change-failed app-activity app-login authentication-successful failed-app-login	T1078 - Valid Accounts	1 Rules

Vendor: Exabeam

Product	Event Types	MITRE TTP	Content
Exabeam Advanced Analytics	app-activity app-login	T1078 - Valid Accounts	1 Rules

Vendor: FTP

Product	Event Types	MITRE TTP	Content
FTP	app-activity app-activity-failed app-login failed-app-login file-delete file-read file-write	T1078 - Valid Accounts	2 Rules

Vendor: Fast Enterprises

Product	Event Types	MITRE TTP	Content
Fast Enterprises GenTax	app-login	T1078 - Valid Accounts	1 Rules

Vendor: Fidelis

Product	Event Types	MITRE TTP	Content
Fidelis XPS	dlp-email-alert-in dlp-email-alert-out security-alert	T1078 - Valid Accounts	1 Rules

Vendor: FireEye

Product	Event Types	MITRE TTP	Content
FireEye Email Threat Prevention (ETP)	dlp-email-alert-in dlp-email-alert-in-failed	T1078 - Valid Accounts	1 Rules
FireEye Endpoint Security (HX)	file-write network-alert process-alert security-alert	T1078 - Valid Accounts	1 Rules

Vendor: Forcepoint

Product	Event Types	MITRE TTP	Content
Forcepoint CASB	app-activity app-login failed-app-login security-alert	T1078 - Valid Accounts	1 Rules
Forcepoint DLP	dlp-alert dlp-email-alert-in dlp-email-alert-out dlp-email-alert-out-failed usb-insert	T1078 - Valid Accounts	1 Rules
Forcepoint Email Security	dlp-email-alert-in dlp-email-alert-out	T1078 - Valid Accounts	1 Rules
Websense ESG	dlp-email-alert-in	T1078 - Valid Accounts	1 Rules

Vendor: Fortinet

Product	Event Types	MITRE TTP	Content
Fortinet Enterprise Firewall	app-activity app-activity-failed computer-logon netflow-connection network-connection-failed network-connection-successful	T1078 - Valid Accounts	1 Rules
Fortinet UTM	app-activity app-activity-failed authentication-failed authentication-successful dlp-alert dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed network-alert security-alert web-activity-allowed web-activity-denied	T1078 - Valid Accounts	1 Rules

Vendor: GitHub

Product	Event Types	MITRE TTP	Content
GitHub	app-activity app-activity-failed app-login failed-app-login	T1078 - Valid Accounts	1 Rules

Vendor: Google

Product	Event Types	MITRE TTP	Content
Google	app-activity app-login failed-app-login	T1078 - Valid Accounts	1 Rules
Google Calendar	app-activity	T1078 - Valid Accounts	1 Rules
Google Cloud Platform	app-activity cloud-admin-activity cloud-admin-activity-failed storage-access storage-activity storage-activity-failed	T1078 - Valid Accounts	1 Rules
Google Drive	file-delete file-download file-permission-change file-read file-write	T1078 - Valid Accounts	1 Rules

Vendor: HP

Product	Event Types	MITRE TTP	Content
HP Virtual Connect Enterprise Manager	app-login	T1078 - Valid Accounts	1 Rules

Vendor: HashiCorp

Product	Event Types	MITRE TTP	Content
HashiCorp Vault	account-password-reset app-login	T1078 - Valid Accounts	1 Rules

Vendor: HelpSystems

Product	Event Types	MITRE TTP	Content
Powertech Identity Access Manager (BoKs)	account-switch file-delete file-read file-write local-logon process-created remote-logon	T1078 - Valid Accounts	1 Rules

Vendor: IBM

Product	Event Types	MITRE TTP	Content
IBM DB2	authentication-failed file-read remote-logon security-alert	T1078 - Valid Accounts	1 Rules
IBM Racf	app-activity app-login database-access database-failed-login failed-app-login	T1078 - Valid Accounts	1 Rules
IBM Sametime	app-login failed-app-login	T1078 - Valid Accounts	1 Rules

Vendor: ICDB

Product	Event Types	MITRE TTP	Content
ICDB	app-activity	T1078 - Valid Accounts	1 Rules

Vendor: IMSVA

Product	Event Types	MITRE TTP	Content
IMSVA	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out	T1078 - Valid Accounts	1 Rules

Vendor: Imperva

Product	Event Types	MITRE TTP	Content
Imperva File Activity Monitoring (FAM)	file-delete file-permission-change file-read file-write	T1078 - Valid Accounts	1 Rules
Imperva SecureSphere	app-login database-alert database-delete database-failed-login database-login database-query database-update failed-app-login network-alert security-alert	T1078 - Valid Accounts	1 Rules

Vendor: InfoWatch

Product	Event Types	MITRE TTP	Content
InfoWatch	app-login dlp-email-alert-in dlp-email-alert-out print-activity usb-write web-activity-allowed	T1078 - Valid Accounts	1 Rules

Vendor: Ipswitch

Product	Event Types	MITRE TTP	Content
IPswitch MoveIt	app-activity app-login failed-app-login file-read file-write	T1078 - Valid Accounts	2 Rules
MoveIt DMZ	account-password-change authentication-failed authentication-successful failed-logon file-delete file-download file-upload file-write member-added	T1078 - Valid Accounts	1 Rules

Vendor: JH

Product	Event Types	MITRE TTP	Content
JH	file-download	T1078 - Valid Accounts	1 Rules

Vendor: Juniper Networks

Product	Event Types	MITRE TTP	Content
Juniper Networks Pulse Secure	account-deleted app-activity vpn-login	T1078 - Valid Accounts	1 Rules
Juniper OWA	app-login	T1078 - Valid Accounts	1 Rules

Vendor: Kaspersky

Product	Event Types	MITRE TTP	Content
Kaspersky AV	dlp-email-alert-in file-alert	T1078 - Valid Accounts	2 Rules

Vendor: Kemp

Product	Event Types	MITRE TTP	Content
Kemp LoadMaster	app-activity remote-logon security-alert	T1078 - Valid Accounts	1 Rules

Vendor: Kiteworks

Product	Event Types	MITRE TTP	Content
Kiteworks	account-password-change app-activity app-login dlp-email-alert-out file-delete file-download file-permission-change file-read file-upload file-write	T1078 - Valid Accounts	2 Rules

Vendor: LEAP

Product	Event Types	MITRE TTP	Content
LEAP	app-activity app-login	T1078 - Valid Accounts	1 Rules

Vendor: LOGBinder

Product	Event Types	MITRE TTP	Content
SharePoint	app-activity file-read file-write	T1078 - Valid Accounts	2 Rules

Vendor: LanScope Cat

Product	Event Types	MITRE TTP	Content
LanScope Cat	app-activity file-delete file-write process-created process-created-failed process-network	T1078 - Valid Accounts	2 Rules

Vendor: LanScope

Product	Event Types	MITRE TTP	Content
LanScope Cat	app-activity dlp-alert failed-usb-activity local-logon print-activity usb-activity usb-write web-activity-allowed workstation-locked workstation-unlocked	T1078 - Valid Accounts	1 Rules

Vendor: LastPass

Product	Event Types	MITRE TTP	Content
LastPass	app-activity app-login	T1078 - Valid Accounts	1 Rules

Vendor: McAfee

Product	Event Types	MITRE TTP	Content
McAfee DLP	dlp-alert dlp-email-alert-out dlp-email-alert-out-failed failed-usb-activity print-activity usb-write	T1078 - Valid Accounts	1 Rules
McAfee Email Protection	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed	T1078 - Valid Accounts	1 Rules
McAfee Endpoint Security	dlp-alert failed-app-login file-write print-activity process-alert process-created-failed remote-logon security-alert usb-insert usb-write	T1078 - Valid Accounts	2 Rules
Skyhigh Networks CASB	app-activity app-login dlp-alert	T1078 - Valid Accounts	1 Rules

Vendor: Microsoft

Product	Event Types	MITRE TTP	Content
Exchange	app-activity app-activity-failed dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-app-login	T1078 - Valid Accounts	1 Rules
Microsoft Azure	app-activity app-activity-failed app-login authentication-failed authentication-successful cloud-admin-activity cloud-admin-activity-failed failed-app-login file-delete file-download file-read file-upload file-write network-alert process-created storage-access storage-activity storage-activity-failed	T1078 - Valid Accounts	2 Rules
Microsoft Azure Active Directory	account-password-change app-activity app-activity-failed app-login authentication-failed failed-app-login	T1078 - Valid Accounts	1 Rules
Microsoft Azure MFA	app-activity authentication-failed authentication-successful	T1078 - Valid Accounts	1 Rules
Microsoft Cloud App Security (MCAS)	app-activity app-login failed-app-login file-upload file-write security-alert	T1078 - Valid Accounts	2 Rules
Microsoft Office 365	account-disabled account-password-change account-unlocked app-activity app-activity-failed app-login database-query dlp-alert dlp-email-alert-in dlp-email-alert-out dns-query failed-app-login file-delete file-download file-permission-change file-read file-upload file-write member-added member-removed network-connection-failed network-connection-successful process-created remote-logon security-alert usb-activity usb-insert	T1078 - Valid Accounts	2 Rules
Microsoft OneDrive	file-read	T1078 - Valid Accounts	1 Rules
Microsoft SQL Server	database-access database-activity-failed database-delete database-failed-login database-login database-query failed-app-login	T1078 - Valid Accounts	1 Rules
Microsoft Sysmon	dns-query file-delete file-write image-loaded process-created process-network registry-write	T1078 - Valid Accounts	1 Rules
Microsoft Windows	account-creation account-deleted account-disabled account-enabled account-lockout account-password-change account-password-change-failed account-password-reset account-switch account-unlocked app-login audit-log-clear audit-policy-change authentication-failed authentication-successful batch-logon computer-logon database-failed-login database-query dcom-activation-failed dns-query dns-response ds-access failed-app-login failed-logon failed-vpn-login file-close file-delete file-read file-write kerberos-logon local-logon logout-remote member-added member-removed nac-failed-logon nac-logon network-connection-successful ntlm-logon privileged-access privileged-object-access process-created process-network process-network-failed registry-write remote-access remote-logon security-alert service-created service-logon share-access share-access-denied task-created usb-activity usb-insert vpn-login winsession-disconnect workstation-locked workstation-unlocked	T1078 - Valid Accounts	2 Rules

Vendor: Mimecast

Product	Event Types	MITRE TTP	Content
Mimecast	app-activity	T1078 - Valid Accounts	1 Rules
Mimecast Email Security	app-activity app-login dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out failed-app-login	T1078 - Valid Accounts	1 Rules

Vendor: NNT

Product	Event Types	MITRE TTP	Content
NNT ChangeTracker	app-login	T1078 - Valid Accounts	1 Rules

Vendor: Nasuni

Product	Event Types	MITRE TTP	Content
Nasuni	file-delete file-permission-change file-write	T1078 - Valid Accounts	1 Rules

Vendor: NetApp

Product	Event Types	MITRE TTP	Content
NetApp	file-alert file-delete file-read file-write	T1078 - Valid Accounts	1 Rules

Vendor: NetDocs

Product	Event Types	MITRE TTP	Content
NetDocs	app-activity file-delete file-read file-upload file-write	T1078 - Valid Accounts	2 Rules

Vendor: NetIQ

Product	Event Types	MITRE TTP	Content
NetIQ	app-login failed-app-login	T1078 - Valid Accounts	1 Rules

Vendor: Netskope

Product	Event Types	MITRE TTP	Content
Netskope Security Cloud	app-activity app-login dlp-alert dlp-email-alert-out file-delete file-download file-permission-change file-read file-upload file-write network-connection-failed network-connection-successful security-alert web-activity-allowed web-activity-denied	T1078 - Valid Accounts	2 Rules

Vendor: Netwrix

Product	Event Types	MITRE TTP	Content
Netwrix Auditor	account-disabled account-lockout account-password-reset account-unlocked app-activity app-login database-access database-failed-login ds-access failed-app-login failed-logon file-delete file-write member-added member-removed	T1078 - Valid Accounts	2 Rules

Vendor: ObserveIT

Product	Event Types	MITRE TTP	Content
ObserveIT	app-activity app-login database-access dlp-alert failed-app-login process-created remote-logon security-alert	T1078 - Valid Accounts	1 Rules

Vendor: Okta

Product	Event Types	MITRE TTP	Content
Okta Adaptive MFA	account-lockout account-password-reset account-unlocked app-activity app-activity-failed app-login authentication-failed authentication-successful failed-app-login member-added security-alert	T1078 - Valid Accounts	1 Rules

Vendor: Onapsis

Product	Event Types	MITRE TTP	Content
Onapsis	app-login database-update failed-app-login security-alert	T1078 - Valid Accounts	1 Rules

Vendor: OneLogin

Product	Event Types	MITRE TTP	Content
OneLogin	account-password-reset app-activity app-login failed-app-login	T1078 - Valid Accounts	1 Rules

Vendor: Oracle

Product	Event Types	MITRE TTP	Content
Oracle Access Manager	app-login authentication-failed authentication-successful failed-app-login	T1078 - Valid Accounts	1 Rules

Vendor: Osirium

Product	Event Types	MITRE TTP	Content
Osirium	app-login	T1078 - Valid Accounts	1 Rules

Vendor: Palo Alto Networks

Product	Event Types	MITRE TTP	Content
Cortex XDR	app-activity app-login security-alert	T1078 - Valid Accounts	1 Rules
GlobalProtect	app-activity authentication-failed authentication-successful config-change failed-logon failed-vpn-login remote-logon vpn-login vpn-logout	T1078 - Valid Accounts	1 Rules
NGFW	app-activity authentication-failed config-change dlp-alert failed-vpn-login file-alert network-alert network-connection-failed network-connection-successful remote-logon security-alert vpn-login web-activity-allowed web-activity-denied	T1078 - Valid Accounts	2 Rules
Palo Alto Aperture	app-activity app-login dlp-alert file-delete file-download file-read file-write	T1078 - Valid Accounts	2 Rules

Vendor: Perforce

Product	Event Types	MITRE TTP	Content
Perforce	app-activity	T1078 - Valid Accounts	1 Rules

Vendor: Phantom

Product	Event Types	MITRE TTP	Content
Phantom	dlp-email-alert-in	T1078 - Valid Accounts	1 Rules

Vendor: Ping Identity

Product	Event Types	MITRE TTP	Content
Ping Identity	app-login authentication-failed authentication-successful	T1078 - Valid Accounts	1 Rules
PingOne	app-login authentication-successful failed-app-login	T1078 - Valid Accounts	1 Rules

Vendor: PowerSentry

Product	Event Types	MITRE TTP	Content
PowerSentry	app-activity app-login failed-app-login	T1078 - Valid Accounts	1 Rules

Vendor: Procad

Product	Event Types	MITRE TTP	Content
Pro.File DMS	app-activity	T1078 - Valid Accounts	1 Rules

Vendor: Proofpoint

Product	Event Types	MITRE TTP	Content
Proofpoint Enterprise Protection	dlp-alert dlp-email-alert-in-failed	T1078 - Valid Accounts	1 Rules
Proofpoint TAP	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed	T1078 - Valid Accounts	1 Rules
Proofpoint TAP/POD	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed	T1078 - Valid Accounts	1 Rules

Vendor: RSA

Product	Event Types	MITRE TTP	Content
RSA DLP	dlp-alert dlp-email-alert-out	T1078 - Valid Accounts	1 Rules
RSA NetWitness	app-login	T1078 - Valid Accounts	1 Rules

Vendor: RangerAudit

Product	Event Types	MITRE TTP	Content
RangerAudit	app-activity app-login database-activity-failed database-query failed-app-login file-read file-write	T1078 - Valid Accounts	2 Rules

Vendor: SAP

Product	Event Types	MITRE TTP	Content
SAP	account-creation account-deleted account-lockout account-unlocked app-activity authentication-failed authentication-successful file-download remote-logon	T1078 - Valid Accounts	2 Rules

Vendor: SSL Open VPN

Product	Event Types	MITRE TTP	Content
SSL Open VPN	app-activity app-activity-failed authentication-failed failed-vpn-login vpn-login vpn-logout	T1078 - Valid Accounts	1 Rules

Vendor: SafeSend

Product	Event Types	MITRE TTP	Content
SafeSend	dlp-email-alert-out	T1078 - Valid Accounts	1 Rules

Vendor: Sailpoint

Product	Event Types	MITRE TTP	Content
IdentityNow	account-password-change account-password-change-failed app-activity app-login authentication-failed authentication-successful	T1078 - Valid Accounts	1 Rules
SecurityIQ	account-creation account-deleted account-lockout account-password-reset file-delete file-download file-permission-change file-read file-upload file-write member-added member-removed	T1078 - Valid Accounts	1 Rules

Vendor: Salesforce

Product	Event Types	MITRE TTP	Content
Salesforce	app-activity app-login failed-app-login file-download file-upload	T1078 - Valid Accounts	2 Rules

Vendor: SecureAuth

Product	Event Types	MITRE TTP	Content
SecureAuth Login	app-login authentication-successful	T1078 - Valid Accounts	1 Rules

Vendor: SecureLink

Product	Event Types	MITRE TTP	Content
SecureLink	app-activity app-login failed-app-login	T1078 - Valid Accounts	1 Rules

Vendor: SentinelOne

Product	Event Types	MITRE TTP	Content
SentinelOne	app-activity dns-query dns-response file-alert file-delete file-read file-write network-alert network-connection-failed network-connection-successful process-created security-alert task-created web-activity-allowed	T1078 - Valid Accounts	2 Rules

Vendor: ServiceNow

Product	Event Types	MITRE TTP	Content
ServiceNow	app-activity file-delete file-download file-read file-upload file-write	T1078 - Valid Accounts	2 Rules

Vendor: Shibboleth

Product	Event Types	MITRE TTP	Content
Shibboleth SSO	account-password-change app-login	T1078 - Valid Accounts	1 Rules

Vendor: Silverfort

Product	Event Types	MITRE TTP	Content
Silverfort	app-login authentication-failed failed-app-login	T1078 - Valid Accounts	1 Rules

Vendor: SkySea

Product	Event Types	MITRE TTP	Content
ClientView	app-activity app-login dlp-email-alert-out file-delete file-download file-read file-upload file-write print-activity process-created security-alert share-access usb-activity web-activity-allowed web-activity-denied	T1078 - Valid Accounts	2 Rules

Vendor: Slack

Product	Event Types	MITRE TTP	Content
Slack	app-activity file-download file-upload	T1078 - Valid Accounts	2 Rules

Vendor: Sophos

Product	Event Types	MITRE TTP	Content
Sophos Endpoint Protection	dlp-alert failed-usb-activity failed-vpn-login file-alert network-alert network-connection-failed security-alert usb-insert usb-write vpn-login vpn-logout	T1078 - Valid Accounts	1 Rules
Sophos SafeGuard	app-activity app-activity-failed	T1078 - Valid Accounts	1 Rules

Vendor: StealthBits

Product	Event Types	MITRE TTP	Content
StealthIntercept	account-disabled account-enabled ds-access failed-ds-access file-permission-change file-read file-write member-added member-removed	T1078 - Valid Accounts	1 Rules

Vendor: Swift

Product	Event Types	MITRE TTP	Content
Swift	app-login failed-app-login	T1078 - Valid Accounts	1 Rules

Vendor: Swivel

Product	Event Types	MITRE TTP	Content
Swivel	app-activity app-login failed-app-login	T1078 - Valid Accounts	1 Rules

Vendor: Symantec

Product	Event Types	MITRE TTP	Content
Symantec Brightmail	dlp-email-alert-in dlp-email-alert-out	T1078 - Valid Accounts	1 Rules
Symantec CloudSOC	app-activity app-login dlp-alert failed-app-login file-delete file-download file-upload	T1078 - Valid Accounts	2 Rules
Symantec DLP	config-change dlp-alert dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-logon failed-usb-activity file-alert file-delete file-write member-added member-removed network-alert process-alert security-alert usb-insert usb-read usb-write	T1078 - Valid Accounts	2 Rules
Symantec Email Security.cloud	dlp-email-alert-in dlp-email-alert-out dlp-email-alert-out-failed security-alert	T1078 - Valid Accounts	1 Rules
Symantec Endpoint Protection	app-activity network-alert network-connection-failed network-connection-successful process-alert security-alert	T1078 - Valid Accounts	1 Rules
Symantec VIP	app-activity app-activity-failed authentication-failed authentication-successful	T1078 - Valid Accounts	1 Rules

Vendor: Thycotic Secret Server

Product	Event Types	MITRE TTP	Content
Thycotic Secret Server	account-switch app-activity app-login failed-app-login	T1078 - Valid Accounts	1 Rules

Vendor: Trend Micro

Product	Event Types	MITRE TTP	Content
Deep Discovery Email Inspector	dlp-email-alert-in	T1078 - Valid Accounts	1 Rules
Deep Discovery Inspector	account-password-change app-login security-alert	T1078 - Valid Accounts	1 Rules
OfficeScan	dlp-alert dlp-email-alert-in dlp-email-alert-out privileged-object-access security-alert usb-write web-activity-allowed	T1078 - Valid Accounts	1 Rules
Trend Micro Apex One	dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed security-alert	T1078 - Valid Accounts	1 Rules

Vendor: Tripwire Enterprise

Product	Event Types	MITRE TTP	Content
Tripwire Enterprise	file-alert	T1078 - Valid Accounts	1 Rules

Vendor: Tyco

Product	Event Types	MITRE TTP	Content
CCURE Building Management System	app-activity app-login failed-physical-access physical-access	T1078 - Valid Accounts	1 Rules

Vendor: Unix

Product	Event Types	MITRE TTP	Content
Auditbeat	app-activity app-activity-failed authentication-successful process-created process-network process-network-failed	T1078 - Valid Accounts	1 Rules
Unix	account-creation account-deleted account-lockout account-password-change account-switch authentication-failed authentication-successful batch-logon computer-logon dlp-email-alert-in dlp-email-alert-in-failed dlp-email-alert-out dlp-email-alert-out-failed failed-logon file-delete file-read file-write kerberos-logon local-logon member-added member-removed process-created process-created-failed remote-access remote-logon security-alert task-created	T1078 - Valid Accounts	2 Rules
Unix Auditd	account-deleted account-password-change account-switch app-activity-failed authentication-failed authentication-successful failed-logon file-read file-write local-logon member-added member-removed process-created process-created-failed remote-logon security-alert	T1078 - Valid Accounts	2 Rules

Vendor: VMware

Product	Event Types	MITRE TTP	Content
VMware Carbon Black App Control	app-login file-alert file-delete file-download file-read file-write local-logon network-connection-failed network-connection-successful process-alert process-created process-network security-alert usb-insert workstation-locked workstation-unlocked	T1078 - Valid Accounts	2 Rules
VMware Carbon Black Cloud Endpoint Standard	file-write process-created security-alert	T1078 - Valid Accounts	1 Rules
VMware VCenter	app-activity app-login failed-logon remote-logon	T1078 - Valid Accounts	1 Rules
VMware View	account-password-change app-activity app-login failed-app-login remote-logon	T1078 - Valid Accounts	1 Rules

Vendor: Varonis

Product	Event Types	MITRE TTP	Content
Data Security Platform	dlp-alert file-delete file-permission-change file-read file-write	T1078 - Valid Accounts	1 Rules

Vendor: Vectra

Product	Event Types	MITRE TTP	Content
Vectra Cognito Detect	app-activity security-alert	T1078 - Valid Accounts	1 Rules

Vendor: Vormetric

Product	Event Types	MITRE TTP	Content
Vormetric	file-alert file-read	T1078 - Valid Accounts	1 Rules

Vendor: Workday

Product	Event Types	MITRE TTP	Content
Workday	app-activity app-login authentication-failed failed-app-login	T1078 - Valid Accounts	1 Rules

Vendor: Xceedium

Product	Event Types	MITRE TTP	Content
Xceedium	app-login failed-app-login	T1078 - Valid Accounts	1 Rules

Vendor: Zeek

Product	Event Types	MITRE TTP	Content
Zeek Network Security Monitor	app-activity authentication-failed authentication-successful computer-logon dlp-email-alert-in dlp-email-alert-out dns-query dns-response failed-logon file-delete file-read file-write kerberos-logon nac-failed-logon nac-logon network-alert network-connection-failed network-connection-successful ntlm-logon remote-access remote-logon share-access web-activity-allowed web-activity-denied	T1078 - Valid Accounts	2 Rules

Vendor: Zlock

Product	Event Types	MITRE TTP	Content
Zlock	app-activity	T1078 - Valid Accounts	1 Rules

Vendor: Zscaler

Product	Event Types	MITRE TTP	Content
Zscaler Internet Access	app-login dlp-alert network-connection-failed network-connection-successful web-activity-allowed web-activity-denied	T1078 - Valid Accounts	1 Rules

Vendor: eDocs

Product	Event Types	MITRE TTP	Content
eDocs	app-activity	T1078 - Valid Accounts	1 Rules

Vendor: iManage

Product	Event Types	MITRE TTP	Content
iManage	app-activity dlp-alert	T1078 - Valid Accounts	1 Rules

Vendor: oVirt

Product	Event Types	MITRE TTP	Content
oVirt	app-activity app-activity-failed app-login failed-app-login	T1078 - Valid Accounts	1 Rules

Files

uc_disabled_account_activity.md

Latest commit

History

uc_disabled_account_activity.md

File metadata and controls

Use Case: Disabled Account Activity

Vendor: AWS

Vendor: Abnormal Security

Vendor: Accellion

Vendor: Adaxes

Vendor: Airlock

Vendor: Amazon

Vendor: Apache Subversion

Vendor: Apache

Vendor: AssetView

Vendor: Atlassian

Vendor: Axway

Vendor: Barracuda

Vendor: BeyondTrust

Vendor: Bitdefender

Vendor: Bitglass

Vendor: BlackBerry

Vendor: Box

Vendor: Bromium

Vendor: CA Technologies

Vendor: Centrify

Vendor: Check Point Software

Vendor: Cisco

Vendor: Citrix

Vendor: Clearswift SEG

Vendor: Cloud Application

Vendor: Cloudflare

Vendor: Code42

Vendor: Cohesity

Vendor: CrowdStrike

Vendor: CyberArk

Vendor: DTEX InTERCEPT

Vendor: Darktrace

Vendor: Dell

Vendor: Digital Guardian

Vendor: Dropbox

Vendor: Dtex Systems

Vendor: Duo Access Security

Vendor: EMP

Vendor: ESET

Vendor: ESector

Vendor: Egnyte

Vendor: Epic SIEM

Vendor: Epic

Vendor: Exabeam

Vendor: FTP

Vendor: Fast Enterprises

Vendor: Fidelis

Vendor: FireEye

Vendor: Forcepoint

Vendor: Fortinet

Vendor: GitHub

Vendor: Google

Vendor: HP

Vendor: HashiCorp

Vendor: HelpSystems

Vendor: IBM

Vendor: ICDB

Vendor: IMSVA

Vendor: Imperva

Vendor: InfoWatch

Vendor: Ipswitch

Vendor: JH

Vendor: Juniper Networks

Vendor: Kaspersky

Vendor: Kemp

Vendor: Kiteworks

Vendor: LEAP

Vendor: LOGBinder

Vendor: LanScope Cat

Vendor: LanScope

Vendor: LastPass

Vendor: McAfee

Vendor: Microsoft