Skip to content

Latest commit

 

History

History
20 lines (18 loc) · 13.4 KB

uc_privileged_asset_activity.md

File metadata and controls

20 lines (18 loc) · 13.4 KB
Raw

Use Case: Privileged Asset Activity

Vendor: CrowdStrike

Product Event Types MITRE TTP Content
Falcon
  • app-activity
  • app-activity-failed
  • app-login
  • authentication-failed
  • batch-logon
  • computer-logon
  • config-change
  • dlp-alert
  • dns-query
  • failed-app-login
  • file-alert
  • file-delete
  • file-download
  • file-read
  • file-write
  • local-logon
  • network-connection-successful
  • process-alert
  • process-created
  • process-network
  • remote-access
  • remote-logon
  • security-alert
  • service-logon
  • task-created
  • usb-activity
  • usb-insert
 T1053.005 - Scheduled Task/Job: Scheduled Task
T1543.003 - Create or Modify System Process: Windows Service
  • 1 Rules
  • 1 Models

Vendor: Microsoft

Product Event Types MITRE TTP Content
Microsoft Windows
  • account-creation
  • account-deleted
  • account-disabled
  • account-enabled
  • account-lockout
  • account-password-change
  • account-password-change-failed
  • account-password-reset
  • account-switch
  • account-unlocked
  • app-login
  • audit-log-clear
  • audit-policy-change
  • authentication-failed
  • authentication-successful
  • batch-logon
  • computer-logon
  • database-failed-login
  • database-query
  • dcom-activation-failed
  • dns-query
  • dns-response
  • ds-access
  • failed-app-login
  • failed-logon
  • failed-vpn-login
  • file-close
  • file-delete
  • file-read
  • file-write
  • kerberos-logon
  • local-logon
  • logout-remote
  • member-added
  • member-removed
  • nac-failed-logon
  • nac-logon
  • network-connection-successful
  • ntlm-logon
  • privileged-access
  • privileged-object-access
  • process-created
  • process-network
  • process-network-failed
  • registry-write
  • remote-access
  • remote-logon
  • security-alert
  • service-created
  • service-logon
  • share-access
  • share-access-denied
  • task-created
  • usb-activity
  • usb-insert
  • vpn-login
  • winsession-disconnect
  • workstation-locked
  • workstation-unlocked
 T1053.005 - Scheduled Task/Job: Scheduled Task
T1543.003 - Create or Modify System Process: Windows Service
  • 1 Rules
  • 1 Models

Vendor: SentinelOne

Product Event Types MITRE TTP Content
SentinelOne
  • app-activity
  • dns-query
  • dns-response
  • file-alert
  • file-delete
  • file-read
  • file-write
  • network-alert
  • network-connection-failed
  • network-connection-successful
  • process-created
  • security-alert
  • task-created
  • web-activity-allowed
 T1053.005 - Scheduled Task/Job: Scheduled Task
T1543.003 - Create or Modify System Process: Windows Service
  • 1 Rules
  • 1 Models

Vendor: Unix

Product Event Types MITRE TTP Content
Unix
  • account-creation
  • account-deleted
  • account-lockout
  • account-password-change
  • account-switch
  • authentication-failed
  • authentication-successful
  • batch-logon
  • computer-logon
  • dlp-email-alert-in
  • dlp-email-alert-in-failed
  • dlp-email-alert-out
  • dlp-email-alert-out-failed
  • failed-logon
  • file-delete
  • file-read
  • file-write
  • kerberos-logon
  • local-logon
  • member-added
  • member-removed
  • process-created
  • process-created-failed
  • remote-access
  • remote-logon
  • security-alert
  • task-created
 T1053.005 - Scheduled Task/Job: Scheduled Task
T1543.003 - Create or Modify System Process: Windows Service
  • 1 Rules
  • 1 Models