Vendor: Check Point Software
Product: Check Point NGFW

Summary counts
  Rules: 303
  Models: 130
  MITRE TTPs: 31
  Event Types: 13
  Parsers: 13

Use-Case coverage (columns: Use-Case | Event Types/Parsers | MITRE TTP | Content)

Use-Case: Abnormal Authentication & Access
  Event Types/Parsers: see the shared event type / parser list below
  MITRE TTP:
    T1021 - Remote Services
    T1071.001 - Application Layer Protocol: Web Protocols
    T1078 - Valid Accounts
    T1110 - Brute Force
    T1133 - External Remote Services
  Content: 59 Rules, 32 Models

Use-Case: Account Manipulation
  Event Types/Parsers: see the shared event type / parser list below (identical to the list for Abnormal Authentication & Access)
  MITRE TTP:
    T1098 - Account Manipulation
    T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  Content: 7 Rules, 7 Models

Shared event type / parser list (both use cases above list the same entries; ↳ marks a parser listed under the preceding event type)

authentication-successful
  ↳checkpoint-vpn-connection
database-update
  ↳checkpoint-local-logon
dlp-email-alert-in
  ↳checkpoint-dlp-alert-out
failed-vpn-login
  ↳checkpoint-vpn-logout
  ↳cef-checkpoint-logout-2
  ↳cef-checkpoint-logout-1
  ↳cef-checkpoint-vpn-login-3
  ↳cef-checkpoint-vpn-login-4
  ↳cef-checkpoint-vpn-login-2
  ↳checkpoint-vpn-login-6
  ↳checkpoint-dlp-email-alert
file-permission-change
  ↳smartdashboard-app-login
  ↳syslog-checkpoint-app-login-1
  ↳syslog-checkpoint-app-login
network-alert
  ↳cef-checkpoint-auth-successful-2
  ↳checkpoint-auth-successful
  ↳cef-checkpoint-auth-successful
  ↳checkpoint-auth-successful-1
  ↳cef-checkpoint-auth-successful-1
network-connection-failed
  ↳checkpoint-firewall-accept
  ↳checkpoint-network-connection-1
  ↳checkpoint-network-connection-2
  ↳checkpoint-network-connection-3
  ↳checkpoint-5599-network-connection
  ↳checkpoint-network-connection-4
  ↳raw-checkpoint-firewall-allow
  ↳s-checkpoint-firewall-allow
  ↳s-checkpoint-firewall-accept
  ↳checkpoint-firewall-network-connection-3
  ↳checkpoint-firewall-network-connection-2
  ↳cef-checkpoint-firewall-accept
  ↳checkpoint-firewall-network-connection-1
  ↳s-checkpoint-fw-network-connection
  ↳checkpoint-firewall-allow-1
  ↳checkpoint-firewall-accept-2
  ↳checkpoint-firewall-accept-1
  ↳raw-checkpoint-firewall-accept
  ↳checkpoint-firewall-network-connection-accept
  ↳cef-checkpoint-firewall
  ↳raw-checkpoint-firewall-2
  ↳raw-checkpoint-firewall-1
  ↳leef-checkpoint-firewall-4
  ↳leef-checkpoint-firewall-3
  ↳leef-checkpoint-firewall-2
  ↳cef-checkpoint-firewall-5
  ↳leef-checkpoint-firewall-1
  ↳cef-checkpoint-firewall-3
  ↳cef-checkpoint-firewall-4
  ↳cef-checkpoint-firewall-1
  ↳cef-checkpoint-firewall-2
  ↳checkpoint-firewall-1
network-connection-successful
  ↳checkpoint-firewall-drop-1
  ↳checkpoint-firewall-drop
  ↳checkpoint-firewall-reject
  ↳checkpoint-firewall-network-connection-drop
  ↳checkpoint-firewall-reject-1
  ↳s-checkpoint-firewall-drop
  ↳checkpoint-firewall-network-connection-4
  ↳checkpoint-firewall-drop-2
  ↳raw-checkpoint-firewall-drop
  ↳checkpoint-firewall-block
  ↳s-checkpoint-firewall-block
  ↳cef-checkpoint-firewall
  ↳raw-checkpoint-firewall-2
  ↳raw-checkpoint-firewall-1
  ↳leef-checkpoint-firewall-4
  ↳leef-checkpoint-firewall-3
  ↳leef-checkpoint-firewall-2
  ↳cef-checkpoint-firewall-5
  ↳leef-checkpoint-firewall-1
  ↳cef-checkpoint-firewall-3
  ↳cef-checkpoint-firewall-4
  ↳cef-checkpoint-firewall-1
  ↳cef-checkpoint-firewall-2
  ↳checkpoint-firewall-1
security-alert
  ↳checkpoint-network-decrypt
  ↳leef-checkpoint-alert
  ↳checkpoint-firewall-network-alert
  ↳checkpoint-network-encrypt
  ↳checkpoint-network-alert-3
  ↳checkpoint-firewall-network-alert-1
  ↳checkpoint-vpn-firewall
vpn-connection
  ↳checkpoint-auth-failed
vpn-login
  ↳checkpoint-vpn-authentication
vpn-logout
  ↳checkpoint-vpn-login-3
web-activity-allowed
  ↳checkpoint-vpn-authentication
  ↳s-checkpoint-proxy
  ↳checkpoint-url-filtering
  ↳checkpoint-proxy
  ↳checkpoint-proxy-2
  ↳checkpoint-proxy-1
  ↳checkpoint-web-activity
  ↳checkpoint-web-activity-1
web-activity-denied
  ↳s-checkpoint-proxy
  ↳checkpoint-url-filtering
  ↳checkpoint-proxy
  ↳checkpoint-proxy-2
  ↳checkpoint-firewall-allow-2
  ↳checkpoint-proxy-1
  ↳checkpoint-web-activity
  ↳checkpoint-web-activity-1

ATT&CK Matrix for Enterprise (techniques covered, grouped by tactic)

Initial Access
  Phishing: Spearphishing Link
  External Remote Services
  Valid Accounts
  Drive-by Compromise
  Phishing
Execution
  User Execution
Persistence
  External Remote Services
  Valid Accounts
  Account Manipulation
  Traffic Signaling
  Account Manipulation: Exchange Email Delegate Permissions
Privilege Escalation
  Valid Accounts
  Exploitation for Privilege Escalation
Defense Evasion
  Traffic Signaling
  Obfuscated Files or Information: Indicator Removal from Tools
  Valid Accounts
  Obfuscated Files or Information
Credential Access
  OS Credential Dumping
  Brute Force
  Steal or Forge Kerberos Tickets
  Steal or Forge Kerberos Tickets: Kerberoasting
Discovery
  Account Discovery
  File and Directory Discovery
Lateral Movement
  Remote Services
  Remote Services: SMB/Windows Admin Shares
Collection
  (no techniques listed)
Command and Control
  Web Service
  Non-Standard Port
  Application Layer Protocol: Web Protocols
  Dynamic Resolution
  Traffic Signaling
  Dynamic Resolution: Domain Generation Algorithms
  Proxy: Multi-hop Proxy
  Proxy: External Proxy
  Application Layer Protocol
  Proxy
Exfiltration
  Exfiltration Over Alternative Protocol
  Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
  Exfiltration Over Physical Medium: Exfiltration over USB
  Data Transfer Size Limits
  Exfiltration Over Physical Medium
  Exfiltration Over Web Service: Exfiltration to Cloud Storage
  Exfiltration Over Web Service
Impact
  Resource Hijacking