Rules | Models | MITRE TTPs | Event Types | Parsers |
---|---|---|---|---|
135 | 53 | 18 | 3 | 3 |
Use-Case | Event Types/Parsers | MITRE TTP | Content |
---|---|---|---|
Abnormal Authentication & Access | app-activity ↳cisco-umbrella-proxy print-activity ↳cisco-umbrella-network-connection web-activity-allowed ↳cisco-umbrella-proxy |
T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1110 - Brute Force T1133 - External Remote Services |
|
Account Manipulation | app-activity ↳cisco-umbrella-proxy print-activity ↳cisco-umbrella-network-connection web-activity-allowed ↳cisco-umbrella-proxy |
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions |
|
Compromised Credentials | app-activity ↳cisco-umbrella-proxy print-activity ↳cisco-umbrella-network-connection web-activity-allowed ↳cisco-umbrella-proxy |
T1020 - Automated Exfiltration T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1133 - External Remote Services T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms |
|
Cryptomining | app-activity ↳cisco-umbrella-proxy print-activity ↳cisco-umbrella-network-connection web-activity-allowed ↳cisco-umbrella-proxy |
T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking |
|
Data Access | app-activity ↳cisco-umbrella-proxy print-activity ↳cisco-umbrella-network-connection web-activity-allowed ↳cisco-umbrella-proxy |
T1078 - Valid Accounts |
|
Data Exfiltration | app-activity ↳cisco-umbrella-proxy print-activity ↳cisco-umbrella-network-connection web-activity-allowed ↳cisco-umbrella-proxy |
T1030 - Data Transfer Size Limits T1071.001 - Application Layer Protocol: Web Protocols T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage T1568 - Dynamic Resolution |
|
Data Leak | app-activity ↳cisco-umbrella-proxy print-activity ↳cisco-umbrella-network-connection web-activity-allowed ↳cisco-umbrella-proxy |
T1030 - Data Transfer Size Limits T1048 - Exfiltration Over Alternative Protocol T1052 - Exfiltration Over Physical Medium T1071.001 - Application Layer Protocol: Web Protocols T1114.003 - Email Collection: Email Forwarding Rule T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage |
|
Evasion | app-activity ↳cisco-umbrella-proxy print-activity ↳cisco-umbrella-network-connection web-activity-allowed ↳cisco-umbrella-proxy |
T1071.001 - Application Layer Protocol: Web Protocols T1090.003 - Proxy: Multi-hop Proxy |
|
Malware | app-activity ↳cisco-umbrella-proxy print-activity ↳cisco-umbrella-network-connection web-activity-allowed ↳cisco-umbrella-proxy |
T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1090.003 - Proxy: Multi-hop Proxy T1189 - Drive-by Compromise T1204.001 - T1204.001 T1566.002 - Phishing: Spearphishing Link T1568.002 - Dynamic Resolution: Domain Generation Algorithms |
|
Phishing | app-activity ↳cisco-umbrella-proxy print-activity ↳cisco-umbrella-network-connection web-activity-allowed ↳cisco-umbrella-proxy |
T1071.001 - Application Layer Protocol: Web Protocols T1566.002 - Phishing: Spearphishing Link |
|
Privilege Abuse | app-activity ↳cisco-umbrella-proxy print-activity ↳cisco-umbrella-network-connection web-activity-allowed ↳cisco-umbrella-proxy |
T1078 - Valid Accounts T1098.002 - Account Manipulation: Exchange Email Delegate Permissions |
|
Privilege Escalation | app-activity ↳cisco-umbrella-proxy print-activity ↳cisco-umbrella-network-connection web-activity-allowed ↳cisco-umbrella-proxy |
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions |
|
Privileged Activity | app-activity ↳cisco-umbrella-proxy print-activity ↳cisco-umbrella-network-connection web-activity-allowed ↳cisco-umbrella-proxy |
T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1102 - Web Service |
|
Ransomware | app-activity ↳cisco-umbrella-proxy print-activity ↳cisco-umbrella-network-connection web-activity-allowed ↳cisco-umbrella-proxy |
T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts |
|
Workforce Protection | app-activity ↳cisco-umbrella-proxy print-activity ↳cisco-umbrella-network-connection web-activity-allowed ↳cisco-umbrella-proxy |
T1071.001 - Application Layer Protocol: Web Protocols |
|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|
Phishing: Spearphishing Link External Remote Services Valid Accounts Drive-by Compromise Phishing |
User Execution |
External Remote Services Valid Accounts Account Manipulation Account Manipulation: Exchange Email Delegate Permissions |
Valid Accounts |
Valid Accounts |
Brute Force |
Email Collection Email Collection: Email Forwarding Rule |
Web Service Application Layer Protocol: Web Protocols Dynamic Resolution Dynamic Resolution: Domain Generation Algorithms Proxy: Multi-hop Proxy Application Layer Protocol Proxy |
Exfiltration Over Alternative Protocol Data Transfer Size Limits Exfiltration Over Physical Medium Automated Exfiltration Exfiltration Over Web Service: Exfiltration to Cloud Storage Exfiltration Over Web Service |
Resource Hijacking |