Rules | Models | MITRE TTPs | Event Types | Parsers |
---|---|---|---|---|
70 | 36 | 8 | 4 | 4 |
Use-Case | Event Types/Parsers | MITRE TTP | Content |
---|---|---|---|
Data Exfiltration | dlp-alert ↳proofpoint-m1 dlp-email-alert-in ↳proofpoint-m1 dlp-email-alert-out ↳proofpoint-m1 dlp-email-alert-out-failed ↳proofpoint-m1 |
T1020 - Automated Exfiltration T1048 - Exfiltration Over Alternative Protocol T1071 - Application Layer Protocol T1204 - User Execution |
|
Data Leak | dlp-alert ↳proofpoint-m1 dlp-email-alert-in ↳proofpoint-m1 dlp-email-alert-out ↳proofpoint-m1 dlp-email-alert-out-failed ↳proofpoint-m1 |
T1020 - Automated Exfiltration T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1071 - Application Layer Protocol T1204 - User Execution |
|
Malware | dlp-alert ↳proofpoint-m1 dlp-email-alert-in ↳proofpoint-m1 dlp-email-alert-out ↳proofpoint-m1 dlp-email-alert-out-failed ↳proofpoint-m1 |
T1204 - User Execution |
|
Phishing | dlp-alert ↳proofpoint-m1 dlp-email-alert-in ↳proofpoint-m1 dlp-email-alert-out ↳proofpoint-m1 dlp-email-alert-out-failed ↳proofpoint-m1 |
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
|
Privilege Abuse | dlp-alert ↳proofpoint-m1 dlp-email-alert-in ↳proofpoint-m1 dlp-email-alert-out ↳proofpoint-m1 dlp-email-alert-out-failed ↳proofpoint-m1 |
T1078 - Valid Accounts |
|
Privilege Escalation | dlp-alert ↳proofpoint-m1 dlp-email-alert-in ↳proofpoint-m1 dlp-email-alert-out ↳proofpoint-m1 dlp-email-alert-out-failed ↳proofpoint-m1 |
T1021.002 - Remote Services: SMB/Windows Admin Shares T1087 - Account Discovery |
|
Privileged Activity | dlp-alert ↳proofpoint-m1 dlp-email-alert-in ↳proofpoint-m1 dlp-email-alert-out ↳proofpoint-m1 dlp-email-alert-out-failed ↳proofpoint-m1 |
T1078 - Valid Accounts |
|
Workforce Protection | dlp-alert ↳proofpoint-m1 dlp-email-alert-in ↳proofpoint-m1 dlp-email-alert-out ↳proofpoint-m1 dlp-email-alert-out-failed ↳proofpoint-m1 |
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol |
|
Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|
Valid Accounts |
User Execution |
Valid Accounts |
Valid Accounts |
Valid Accounts |
Account Discovery |
Remote Services Remote Services: SMB/Windows Admin Shares |
Application Layer Protocol |
Exfiltration Over Alternative Protocol Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Automated Exfiltration |