Skip to content

Latest commit

 

History

History
19 lines (17 loc) · 9.4 KB

ds_microsoft_azure_security_center.md

File metadata and controls

19 lines (17 loc) · 9.4 KB
Raw

Vendor: Microsoft

Product: Azure Security Center

Rules Models MITRE TTPs Event Types Parsers
56 22 17 4 4
Use-Case Event Types/Parsers MITRE TTP Content
Compromised Credentials app-activity-failed
azure-security-alert-2

dlp-email-alert-out-failed
cef-security-graph-alert

process-alert
azure-security-center-process-alert

security-alert
azure-security-center-security-alert-2
azure-security-center-security-alert-1
azure-security-center-security-alert
azure-security-center-security-alert-4
azure-security-center-security-alert-3
azure-security-center-network-alert
 T1003 - OS Credential Dumping
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1133 - External Remote Services
T1204 - User Execution
  • 23 Rules
  • 11 Models
Data Leak app-activity-failed
azure-security-alert-2

dlp-email-alert-out-failed
cef-security-graph-alert

process-alert
azure-security-center-process-alert

security-alert
azure-security-center-security-alert-2
azure-security-center-security-alert-1
azure-security-center-security-alert
azure-security-center-security-alert-4
azure-security-center-security-alert-3
azure-security-center-network-alert
 T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
  • 3 Rules
  • 2 Models
Next Page -->>

ATT&CK Matrix for Enterprise

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
External Remote Services

Valid Accounts

 User Execution

 External Remote Services

Valid Accounts

Boot or Logon Autostart Execution

 Valid Accounts

Exploitation for Privilege Escalation

Boot or Logon Autostart Execution

 Obfuscated Files or Information: Indicator Removal from Tools

Indicator Removal on Host: File Deletion

Valid Accounts

Indicator Removal on Host

Obfuscated Files or Information

 OS Credential Dumping

Input Capture

 Account Discovery

Query Registry

 Remote Services

Remote Services: SMB/Windows Admin Shares

 Input Capture

Archive Collected Data

 Proxy: Multi-hop Proxy

Proxy

 Exfiltration Over Alternative Protocol

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Automated Exfiltration