diff --git a/DataSources/Amazon/AWS_CloudTrail/2_ds_amazon_aws_cloudtrail.md b/DataSources/Amazon/AWS_CloudTrail/2_ds_amazon_aws_cloudtrail.md index 8256918c83..e67e516d44 100644 --- a/DataSources/Amazon/AWS_CloudTrail/2_ds_amazon_aws_cloudtrail.md +++ b/DataSources/Amazon/AWS_CloudTrail/2_ds_amazon_aws_cloudtrail.md @@ -1,13 +1,12 @@ | Use-Case | Event Types/Parsers | MITRE TTP | Content | |:----:| ---- | ---- | ---- | -| [Cloud Data Protection](../../../UseCases/uc_cloud_data_protection.md) | account-password-change
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

app-activity
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)

app-login
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

cloud-admin-activity
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)

cloud-admin-activity-failed
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)
↳[aws-cloudtrail-app-activity](Ps/pC_awscloudtrailappactivity.md)

netflow-connection
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

storage-access
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity-failed
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)
| T1078.004 - Valid Accounts: Cloud Accounts
T1136.003 - Create Account: Create: Cloud Account
T1530 - Data from Cloud Storage Object
| [](RM/r_m_amazon_aws_cloudtrail_Cloud_Data_Protection.md) | | [Compromised Credentials](../../../UseCases/uc_compromised_credentials.md) | account-password-change
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

app-activity
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)

app-login
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

cloud-admin-activity
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)

cloud-admin-activity-failed
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)
↳[aws-cloudtrail-app-activity](Ps/pC_awscloudtrailappactivity.md)

netflow-connection
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

storage-access
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity-failed
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)
| T1046 - Network Service Scanning
T1078 - Valid Accounts
T1133 - External Remote Services
| [](RM/r_m_amazon_aws_cloudtrail_Compromised_Credentials.md) | | [Data Access](../../../UseCases/uc_data_access.md) | account-password-change
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

app-activity
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)

app-login
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

cloud-admin-activity
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)

cloud-admin-activity-failed
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)
↳[aws-cloudtrail-app-activity](Ps/pC_awscloudtrailappactivity.md)

netflow-connection
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

storage-access
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity-failed
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)
| T1078 - Valid Accounts
| [](RM/r_m_amazon_aws_cloudtrail_Data_Access.md) | | [Data Exfiltration](../../../UseCases/uc_data_exfiltration.md) | account-password-change
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

app-activity
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)

app-login
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

cloud-admin-activity
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)

cloud-admin-activity-failed
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)
↳[aws-cloudtrail-app-activity](Ps/pC_awscloudtrailappactivity.md)

netflow-connection
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

storage-access
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity-failed
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)
| T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1071.002 - Application Layer Protocol: File Transfer Protocols
| [](RM/r_m_amazon_aws_cloudtrail_Data_Exfiltration.md) | | [Data Leak](../../../UseCases/uc_data_leak.md) | account-password-change
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

app-activity
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)

app-login
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

cloud-admin-activity
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)

cloud-admin-activity-failed
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)
↳[aws-cloudtrail-app-activity](Ps/pC_awscloudtrailappactivity.md)

netflow-connection
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

storage-access
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity-failed
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)
| T1114.003 - Email Collection: Email Forwarding Rule
| [](RM/r_m_amazon_aws_cloudtrail_Data_Leak.md) | | [Lateral Movement](../../../UseCases/uc_lateral_movement.md) | account-password-change
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

app-activity
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)

app-login
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

cloud-admin-activity
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)

cloud-admin-activity-failed
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)
↳[aws-cloudtrail-app-activity](Ps/pC_awscloudtrailappactivity.md)

netflow-connection
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

storage-access
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity-failed
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)
| T1018 - Remote System Discovery
T1021 - Remote Services
T1046 - Network Service Scanning
T1071 - Application Layer Protocol
T1090.003 - Proxy: Multi-hop Proxy
T1190 - Exploit Public Fasing Application
T1210 - Exploitation of Remote Services
TA0008 - TA0008
TA0010 - TA0010
TA0011 - TA0011
| [](RM/r_m_amazon_aws_cloudtrail_Lateral_Movement.md) | | [Malware](../../../UseCases/uc_malware.md) | account-password-change
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

app-activity
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)

app-login
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

cloud-admin-activity
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)

cloud-admin-activity-failed
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)
↳[aws-cloudtrail-app-activity](Ps/pC_awscloudtrailappactivity.md)

netflow-connection
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

storage-access
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity-failed
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)
| T1078 - Valid Accounts
TA0011 - TA0011
| [](RM/r_m_amazon_aws_cloudtrail_Malware.md) | -| [Privilege Abuse](../../../UseCases/uc_privilege_abuse.md) | account-password-change
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

app-activity
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)

app-login
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

cloud-admin-activity
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)

cloud-admin-activity-failed
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)
↳[aws-cloudtrail-app-activity](Ps/pC_awscloudtrailappactivity.md)

netflow-connection
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

storage-access
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity-failed
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)
| T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
| [](RM/r_m_amazon_aws_cloudtrail_Privilege_Abuse.md) | +| [Privilege Abuse](../../../UseCases/uc_privilege_abuse.md) | account-password-change
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

app-activity
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)

app-login
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

cloud-admin-activity
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)

cloud-admin-activity-failed
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)
↳[aws-cloudtrail-app-activity](Ps/pC_awscloudtrailappactivity.md)

netflow-connection
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

storage-access
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity-failed
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)
| T1078 - Valid Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1530 - Data from Cloud Storage Object
| [](RM/r_m_amazon_aws_cloudtrail_Privilege_Abuse.md) | | [Privilege Escalation](../../../UseCases/uc_privilege_escalation.md) | account-password-change
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

app-activity
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)

app-login
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

cloud-admin-activity
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)

cloud-admin-activity-failed
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)
↳[aws-cloudtrail-app-activity](Ps/pC_awscloudtrailappactivity.md)

netflow-connection
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

storage-access
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity-failed
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)
| T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
| [](RM/r_m_amazon_aws_cloudtrail_Privilege_Escalation.md) | | [Privileged Activity](../../../UseCases/uc_privileged_activity.md) | account-password-change
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

app-activity
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)

app-login
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

cloud-admin-activity
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)

cloud-admin-activity-failed
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)
↳[aws-cloudtrail-app-activity](Ps/pC_awscloudtrailappactivity.md)

netflow-connection
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

storage-access
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity-failed
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)
| T1078 - Valid Accounts
| [](RM/r_m_amazon_aws_cloudtrail_Privileged_Activity.md) | | [Ransomware](../../../UseCases/uc_ransomware.md) | account-password-change
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

app-activity
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)

app-login
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

cloud-admin-activity
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)

cloud-admin-activity-failed
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)
↳[aws-cloudtrail-app-activity](Ps/pC_awscloudtrailappactivity.md)

netflow-connection
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

storage-access
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity-failed
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)
| T1078 - Valid Accounts
| [](RM/r_m_amazon_aws_cloudtrail_Ransomware.md) | \ No newline at end of file diff --git a/DataSources/Amazon/AWS_CloudTrail/RM/r_m_amazon_aws_cloudtrail_Abnormal_Authentication_&_Access.md b/DataSources/Amazon/AWS_CloudTrail/RM/r_m_amazon_aws_cloudtrail_Abnormal_Authentication_&_Access.md index 1187c4df31..325d50a86b 100644 --- a/DataSources/Amazon/AWS_CloudTrail/RM/r_m_amazon_aws_cloudtrail_Abnormal_Authentication_&_Access.md +++ b/DataSources/Amazon/AWS_CloudTrail/RM/r_m_amazon_aws_cloudtrail_Abnormal_Authentication_&_Access.md 
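Review bot: removing the Cloud Data Protection row drops T1136.003 (Create Account: Cloud Account) from this use-case table entirely, because the replacement Privilege Abuse row only carries over T1078.004 and T1530 from the removed row; either keep T1136.003 on a remaining row or say in the commit message that the mapping is intentionally narrowed. Nothing in this change deletes or unlinks `RM/r_m_amazon_aws_cloudtrail_Cloud_Data_Protection.md`, so confirm that file is removed or still referenced elsewhere, and note that the RM files touched later in this same patch (Abnormal Authentication & Access, Account Manipulation) have no row in this table at all, so their rules are not discoverable from the data-source page. The 13 -> 12 line count matches one row removed and one replaced. Pre-existing, but worth a follow-up while the table is open: the Content column links have empty link text (`[](RM/...)`), the Lateral Movement row carries the typo "Exploit Public Fasing Application" for T1190, and its tactic entries repeat the ID instead of a name (`TA0008 - TA0008`).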
@@ -5,10 +5,15 @@ Vendor: Amazon | Rules | Models | MITRE TTPs | Event Types | Parsers | |:-----:|:------:|:----------:|:-----------:|:-------:| -| 14 | 4 | 2 | 9 | 9 | +| 32 | 12 | 5 | 9 | 9 | -| Event Type | Rules | Models | -| ----------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| account-password-change | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user | • AE-UA: All activity for users | -| app-activity | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user
DC23: Abnormal session start time
DC24: Abnormal day of week
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
NEW-USER-F: User with no event history
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user

T1133 - External Remote Services
UA-UC-F: First activity from country for user
UA-UC-A: Abnormal activity from country for user
UA-GC-F: First activity from country for group
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user | • UA-OC: Countries for organization
UA-GC: Countries for peer groups
UA-UC: Countries for user activity
AE-UA: All activity for users | -| app-login | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user
DC23: Abnormal session start time
DC24: Abnormal day of week
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
NEW-USER-F: User with no event history
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user

T1133 - External Remote Services
UA-UC-F: First activity from country for user
UA-UC-A: Abnormal activity from country for user
UA-GC-F: First activity from country for group
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user | • UA-OC: Countries for organization
UA-GC: Countries for peer groups
UA-UC: Countries for user activity
AE-UA: All activity for users | \ No newline at end of file +| Event Type | Rules | Models | +| --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| account-password-change | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user | • AE-UA: All activity for users | +| app-activity | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user
DC23: Abnormal session start time
DC24: Abnormal day of week
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
NEW-USER-F: User with no event history
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user

T1133 - External Remote Services
UA-UC-F: First activity from country for user
UA-UC-A: Abnormal activity from country for user
UA-GC-F: First activity from country for group
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user | • UA-OC: Countries for organization
UA-GC: Countries for peer groups
UA-UC: Countries for user activity
AE-UA: All activity for users | +| app-login | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user
DC23: Abnormal session start time
DC24: Abnormal day of week
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
NEW-USER-F: User with no event history
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user

T1133 - External Remote Services
UA-UC-F: First activity from country for user
UA-UC-A: Abnormal activity from country for user
UA-GC-F: First activity from country for group
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user | • UA-OC: Countries for organization
UA-GC: Countries for peer groups
UA-UC: Countries for user activity
AE-UA: All activity for users | +| cloud-admin-activity | T1136.003 - Create Account: Create: Cloud Account
CS-Critical-Activity-F: First time for this user to perform a critical Cloud Administrative operation
CS-Critical-Activity-A: Abnormal user to perform a critical Cloud Administrative operation

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization | • CS-Critical-Activities: Users who perform critical IAM activites | +| cloud-admin-activity-failed | T1136.003 - Create Account: Create: Cloud Account
CS-Critical-Activity-F: First time for this user to perform a critical Cloud Administrative operation
CS-Critical-Activity-A: Abnormal user to perform a critical Cloud Administrative operation

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization | • CS-Critical-Activities: Users who perform critical IAM activites | +| storage-access | T1530 - Data from Cloud Storage Object
B-CS-Bucket-UA-F: New user agent has accessed this bucket, possible exfiltration
B-CS-Bucket-UA-A: Abnormal user agent access to this bucket, possible exfiltration
B-CS-Bucket-Users-F: First time for user to access this bucket
B-CS-Bucket-Users-A: Abnormal user accessing this storage container/bucket
B-CS-Bucket-Activity-F: First type of object access against this bucket
B-CS-Bucket-Activity-A: Abnormal type of object access against this bucket
CS-Storage-Activity-F: First time using this event activity against the cloud storage service
CS-Storage-Activity-A: Abnormal activity against the cloud storage service
CS-Users-F: First time this user is seen accessing the cloud storage service
CS-Users-A: Abnormal user is seen accessing the cloud storage service
B-CS-UType-F: First time this specific user type has accessed this bucket
B-CS-UType-A: Abnormal for this user type to access this bucket

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization
CS-UA-P-F: First user agent for peer group to access cloud services
CS-UA-P-A: Abnormal user agent for the peer group accessing cloud service | • B-CS-IType: User Identity types per cloud storage container
CS-Users: Users accessing cloud storage in the org
CS-Storage-Activity: Cloud storage activities for the user
B-CS-Bucket-Activity: Activities per storage container/bucket
B-CS-Bucket-Users: Users per storage container/bucket
B-CS-Bucket-UA: User agents per bucket
CS-P-UA: User agents accessing cloud storage per peer group | +| storage-activity | T1530 - Data from Cloud Storage Object
B-CS-Bucket-UA-F: New user agent has accessed this bucket, possible exfiltration
B-CS-Bucket-UA-A: Abnormal user agent access to this bucket, possible exfiltration
B-CS-Bucket-Users-A: Abnormal user accessing this storage container/bucket
CS-Storage-Activity-F: First time using this event activity against the cloud storage service
CS-Storage-Activity-A: Abnormal activity against the cloud storage service
CS-Users-F: First time this user is seen accessing the cloud storage service
CS-Users-A: Abnormal user is seen accessing the cloud storage service

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization
CS-UA-P-F: First user agent for peer group to access cloud services
CS-UA-P-A: Abnormal user agent for the peer group accessing cloud service | • CS-Users: Users accessing cloud storage in the org
CS-Storage-Activity: Cloud storage activities for the user
B-CS-Bucket-Users: Users per storage container/bucket
B-CS-Bucket-UA: User agents per bucket
CS-P-UA: User agents accessing cloud storage per peer group | +| storage-activity-failed | T1530 - Data from Cloud Storage Object
B-CS-Bucket-UA-A: Abnormal user agent access to this bucket, possible exfiltration
CS-Storage-Activity-F: First time using this event activity against the cloud storage service
CS-Storage-Activity-A: Abnormal activity against the cloud storage service
CS-Users-F: First time this user is seen accessing the cloud storage service

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization
CS-UA-P-F: First user agent for peer group to access cloud services
CS-UA-P-A: Abnormal user agent for the peer group accessing cloud service | • CS-Users: Users accessing cloud storage in the org
CS-Storage-Activity: Cloud storage activities for the user
B-CS-Bucket-UA: User agents per bucket
CS-P-UA: User agents accessing cloud storage per peer group | \ No newline at end of file diff --git a/DataSources/Amazon/AWS_CloudTrail/RM/r_m_amazon_aws_cloudtrail_Account_Manipulation.md b/DataSources/Amazon/AWS_CloudTrail/RM/r_m_amazon_aws_cloudtrail_Account_Manipulation.md index 42ba6804da..1543ab153f 100644 --- a/DataSources/Amazon/AWS_CloudTrail/RM/r_m_amazon_aws_cloudtrail_Account_Manipulation.md +++ b/DataSources/Amazon/AWS_CloudTrail/RM/r_m_amazon_aws_cloudtrail_Account_Manipulation.md @@ -5,9 +5,14 @@ Vendor: Amazon | Rules | Models | MITRE TTPs | Event Types | Parsers | |:-----:|:------:|:----------:|:-----------:|:-------:| -| 4 | 1 | 2 | 9 | 9 | +| 14 | 6 | 5 | 9 | 9 | -| Event Type | Rules | Models | -| ----------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------ | -| account-password-change | T1098 - Account Manipulation
AM-UA-APLocU-F: First account password change for local user | | -| app-activity | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
EM-InB-Ex: A user has been given mailbox permissions for an executive user
EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own
EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions | • EM-InB-Perm-N: Models users who give mailbox permissions | \ No newline at end of file +| Event Type | Rules | Models | +| --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| account-password-change | T1098 - Account Manipulation
AM-UA-APLocU-F: First account password change for local user | | +| app-activity | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
EM-InB-Ex: A user has been given mailbox permissions for an executive user
EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own
EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions | • EM-InB-Perm-N: Models users who give mailbox permissions | +| cloud-admin-activity | T1078.004 - Valid Accounts: Cloud Accounts
CA-UniversalPolicy-F: First time this user has created/attached a 'universal' resource/action policy
CA-UniversalPolicy-A: Abnormal for this user to create/attach a 'universal' resource/action policy
CS-IAM-Enumeration: Enumeration of Cloud account roles/users
CS-Admin-Activty-F: First time seeing this Cloud administrative operation

T1136.003 - Create Account: Create: Cloud Account
CS-User-Creation-F: First time for this user to create an account in the cloud | • CS-Admin-Activity: Cloud administrative activities performed by user
CS-User-Creation: Users who create users/accounts in the cloud
CS-Universal-Policy: Users creating universal '*' policies | +| cloud-admin-activity-failed | T1078.004 - Valid Accounts: Cloud Accounts
CS-IAM-Enumeration: Enumeration of Cloud account roles/users
CS-Admin-Activty-F: First time seeing this Cloud administrative operation

T1136.003 - Create Account: Create: Cloud Account
CS-User-Creation-F: First time for this user to create an account in the cloud
CS-Failed-User-Creation: User attempted and failed to create a Cloud user/account | • CS-Admin-Activity: Cloud administrative activities performed by user
CS-User-Creation: Users who create users/accounts in the cloud | +| storage-access | T1530 - Data from Cloud Storage Object
B-CS-Buckets-F: First cloud storage/bucket in the organization | • B-CS-Buckets: Buckets seen in the organization | +| storage-activity | T1136.003 - Create Account: Create: Cloud Account
CS-Bucket-C-D-F: Cloud Storage bucket/storage container creation/deletion for the first time
CS-Bucket-Created: Cloud storage bucket/storage container creation

T1530 - Data from Cloud Storage Object
B-CS-Buckets-F: First cloud storage/bucket in the organization
CS-S3-Enumeration: Cloud Storage container/bucket enumeration | • CS-Bucket-C-D: Users who create or delete storage containers
B-CS-Buckets: Buckets seen in the organization | +| storage-activity-failed | T1136.003 - Create Account: Create: Cloud Account
CS-Bucket-C-D-F: Cloud Storage bucket/storage container creation/deletion for the first time
CS-Bucket-Created: Cloud storage bucket/storage container creation

T1530 - Data from Cloud Storage Object
B-CS-Buckets-F: First cloud storage/bucket in the organization
CS-S3-Enumeration: Cloud Storage container/bucket enumeration | • CS-Bucket-C-D: Users who create or delete storage containers
B-CS-Buckets: Buckets seen in the organization | \ No newline at end of file diff --git a/DataSources/Amazon/AWS_CloudTrail/RM/r_m_amazon_aws_cloudtrail_Cloud_Data_Protection.md b/DataSources/Amazon/AWS_CloudTrail/RM/r_m_amazon_aws_cloudtrail_Cloud_Data_Protection.md deleted file mode 100644 index f27c3d8f28..0000000000 --- a/DataSources/Amazon/AWS_CloudTrail/RM/r_m_amazon_aws_cloudtrail_Cloud_Data_Protection.md +++ /dev/null 
@@ -1,16 +0,0 @@ -Vendor: Amazon -============== -### Product: [AWS CloudTrail](../ds_amazon_aws_cloudtrail.md) -### Use-Case: [Cloud Data Protection](../../../../UseCases/uc_cloud_data_protection.md) - -| Rules | Models | MITRE TTPs | Event Types | Parsers | -|:-----:|:------:|:----------:|:-----------:|:-------:| -| 31 | 14 | 3 | 9 | 9 | - -| Event Type | Rules | Models | -| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| cloud-admin-activity | T1136.003 - Create Account: Create: Cloud Account
CS-User-Creation-F: First time for this user to create an account in the cloud
CS-Critical-Activity-F: First time for this user to perform a critical Cloud Administrative operation
CS-Critical-Activity-A: Abnormal user to perform a critical Cloud Administrative operation

T1078.004 - Valid Accounts: Cloud Accounts
CA-UniversalPolicy-F: First time this user has created/attached a 'universal' resource/action policy
CA-UniversalPolicy-A: Abnormal for this user to create/attach a 'universal' resource/action policy
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization
CS-IAM-Enumeration: Enumeration of Cloud account roles/users
CS-Admin-Activty-F: First time seeing this Cloud administrative operation
CS-Admin-Activity-A: Abnormal invocation of this specific admin activity

T1530 - Data from Cloud Storage Object
CS-Policies-F: First time seeing this cloud policy
CS-Policies-A: Abnormal cloud policy seen | • CS-Critical-Activities: Users who perform critical IAM activites
CS-Admin-Activity: Cloud administrative activities performed by user
CS-User-Creation: Users who create users/accounts in the cloud
CS-Policies: Cloud Policies seen in the organization
CS-Universal-Policy: Users creating universal '*' policies | -| cloud-admin-activity-failed | T1136.003 - Create Account: Create: Cloud Account
CS-User-Creation-F: First time for this user to create an account in the cloud
CS-Failed-User-Creation: User attempted and failed to create a Cloud user/account
CS-Critical-Activity-F: First time for this user to perform a critical Cloud Administrative operation
CS-Critical-Activity-A: Abnormal user to perform a critical Cloud Administrative operation

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization
CS-IAM-Enumeration: Enumeration of Cloud account roles/users
CS-Admin-Activty-F: First time seeing this Cloud administrative operation
CS-Admin-Activity-A: Abnormal invocation of this specific admin activity | • CS-Critical-Activities: Users who perform critical IAM activites
CS-Admin-Activity: Cloud administrative activities performed by user
CS-User-Creation: Users who create users/accounts in the cloud | -| storage-access | T1530 - Data from Cloud Storage Object
B-CS-Buckets-F: First cloud storage/bucket in the organization
B-CS-Bucket-UA-F: New user agent has accessed this bucket, possible exfiltration
B-CS-Bucket-UA-A: Abnormal user agent access to this bucket, possible exfiltration
B-CS-Bucket-Users-F: First time for user to access this bucket
B-CS-Bucket-Users-A: Abnormal user accessing this storage container/bucket
B-CS-Bucket-Activity-F: First type of object access against this bucket
B-CS-Bucket-Activity-A: Abnormal type of object access against this bucket
CS-Storage-Activity-F: First time using this event activity against the cloud storage service
CS-Storage-Activity-A: Abnormal activity against the cloud storage service
CS-Users-F: First time this user is seen accessing the cloud storage service
CS-Users-A: Abnormal user is seen accessing the cloud storage service
B-CS-UType-F: First time this specific user type has accessed this bucket
B-CS-UType-A: Abnormal for this user type to access this bucket

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization
CS-UA-P-F: First user agent for peer group to access cloud services
CS-UA-P-A: Abnormal user agent for the peer group accessing cloud service | • B-CS-IType: User Identity types per cloud storage container
CS-Users: Users accessing cloud storage in the org
CS-Storage-Activity: Cloud storage activities for the user
B-CS-Bucket-Activity: Activities per storage container/bucket
B-CS-Bucket-Users: Users per storage container/bucket
B-CS-Bucket-UA: User agents per bucket
B-CS-Buckets: Buckets seen in the organization
CS-P-UA: User agents accessing cloud storage per peer group | -| storage-activity | T1136.003 - Create Account: Create: Cloud Account
CS-Bucket-C-D-F: Cloud Storage bucket/storage container creation/deletion for the first time
CS-Bucket-Created: Cloud storage bucket/storage container creation

T1530 - Data from Cloud Storage Object
B-CS-Buckets-F: First cloud storage/bucket in the organization
B-CS-Bucket-UA-F: New user agent has accessed this bucket, possible exfiltration
B-CS-Bucket-UA-A: Abnormal user agent access to this bucket, possible exfiltration
B-CS-Bucket-Users-A: Abnormal user accessing this storage container/bucket
CS-Storage-Activity-F: First time using this event activity against the cloud storage service
CS-Storage-Activity-A: Abnormal activity against the cloud storage service
CS-Users-F: First time this user is seen accessing the cloud storage service
CS-Users-A: Abnormal user is seen accessing the cloud storage service
CS-S3-Enumeration: Cloud Storage container/bucket enumeration

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization
CS-UA-P-F: First user agent for peer group to access cloud services
CS-UA-P-A: Abnormal user agent for the peer group accessing cloud service | • CS-Bucket-C-D: Users who create or delete storage containers
CS-Users: Users accessing cloud storage in the org
CS-Storage-Activity: Cloud storage activities for the user
B-CS-Bucket-Users: Users per storage container/bucket
B-CS-Bucket-UA: User agents per bucket
B-CS-Buckets: Buckets seen in the organization
CS-P-UA: User agents accessing cloud storage per peer group | -| storage-activity-failed | T1136.003 - Create Account: Create: Cloud Account
CS-Bucket-C-D-F: Cloud Storage bucket/storage container creation/deletion for the first time
CS-Bucket-Created: Cloud storage bucket/storage container creation

T1530 - Data from Cloud Storage Object
B-CS-Buckets-F: First cloud storage/bucket in the organization
B-CS-Bucket-UA-A: Abnormal user agent access to this bucket, possible exfiltration
CS-Storage-Activity-F: First time using this event activity against the cloud storage service
CS-Storage-Activity-A: Abnormal activity against the cloud storage service
CS-Users-F: First time this user is seen accessing the cloud storage service
CS-S3-Enumeration: Cloud Storage container/bucket enumeration

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization
CS-UA-P-F: First user agent for peer group to access cloud services
CS-UA-P-A: Abnormal user agent for the peer group accessing cloud service | • CS-Bucket-C-D: Users who create or delete storage containers
CS-Users: Users accessing cloud storage in the org
CS-Storage-Activity: Cloud storage activities for the user
B-CS-Bucket-UA: User agents per bucket
B-CS-Buckets: Buckets seen in the organization
CS-P-UA: User agents accessing cloud storage per peer group | \ No newline at end of file diff --git a/DataSources/Amazon/AWS_CloudTrail/RM/r_m_amazon_aws_cloudtrail_Privilege_Abuse.md b/DataSources/Amazon/AWS_CloudTrail/RM/r_m_amazon_aws_cloudtrail_Privilege_Abuse.md index 4bb3da8302..97e0cbd291 100644 --- a/DataSources/Amazon/AWS_CloudTrail/RM/r_m_amazon_aws_cloudtrail_Privilege_Abuse.md +++ b/DataSources/Amazon/AWS_CloudTrail/RM/r_m_amazon_aws_cloudtrail_Privilege_Abuse.md @@ -5,10 +5,12 @@ Vendor: Amazon | Rules | Models | MITRE TTPs | Event Types | Parsers | |:-----:|:------:|:----------:|:-----------:|:-------:| -| 7 | 2 | 3 | 9 | 9 | +| 10 | 4 | 5 | 9 | 9 | -| Event Type | Rules | Models | -| ----------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | -| account-password-change | T1098 - Account Manipulation
AM-UA-APLocU-F: First account password change for local user | | -| app-activity | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
EM-InB-Ex: A user has been given mailbox permissions for an executive user
EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own
EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions

T1078 - Valid Accounts
APP-Account-deactivated: Activity from a de-activated user account
APP-F-SA-NC: New service account access to application
APP-AT-PRIV: Non-privileged user performing privileged application activity | • EM-InB-Perm-N: Models users who give mailbox permissions
APP-AT-PRIV: Privileged application activities | -| app-login | T1078 - Valid Accounts
APP-Account-deactivated: Activity from a de-activated user account
APP-F-SA-NC: New service account access to application | | \ No newline at end of file +| Event Type | Rules | Models | +| --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | +| account-password-change | T1098 - Account Manipulation
AM-UA-APLocU-F: First account password change for local user | | +| app-activity | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
EM-InB-Ex: A user has been given mailbox permissions for an executive user
EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own
EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions

T1078 - Valid Accounts
APP-Account-deactivated: Activity from a de-activated user account
APP-F-SA-NC: New service account access to application
APP-AT-PRIV: Non-privileged user performing privileged application activity | • EM-InB-Perm-N: Models users who give mailbox permissions
APP-AT-PRIV: Privileged application activities | +| app-login | T1078 - Valid Accounts
APP-Account-deactivated: Activity from a de-activated user account
APP-F-SA-NC: New service account access to application | | +| cloud-admin-activity | T1078.004 - Valid Accounts: Cloud Accounts
CS-Admin-Activity-A: Abnormal invocation of this specific admin activity

T1530 - Data from Cloud Storage Object
CS-Policies-F: First time seeing this cloud policy
CS-Policies-A: Abnormal cloud policy seen | • CS-Admin-Activity: Cloud administrative activities performed by user
CS-Policies: Cloud Policies seen in the organization | +| cloud-admin-activity-failed | T1078.004 - Valid Accounts: Cloud Accounts
CS-Admin-Activity-A: Abnormal invocation of this specific admin activity | • CS-Admin-Activity: Cloud administrative activities performed by user | \ No newline at end of file diff --git a/DataSources/Amazon/AWS_CloudTrail/ds_amazon_aws_cloudtrail.md b/DataSources/Amazon/AWS_CloudTrail/ds_amazon_aws_cloudtrail.md index 8095c75d7c..efa8ba354e 100644 --- a/DataSources/Amazon/AWS_CloudTrail/ds_amazon_aws_cloudtrail.md +++ b/DataSources/Amazon/AWS_CloudTrail/ds_amazon_aws_cloudtrail.md @@ -8,8 +8,8 @@ Product: AWS CloudTrail | Use-Case | Event Types/Parsers | MITRE TTP | Content | |:----:| ---- | ---- | ---- | -| [Abnormal Authentication & Access](../../../UseCases/uc_abnormal_authentication_&_access.md) | account-password-change
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

app-activity
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)

app-login
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

cloud-admin-activity
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)

cloud-admin-activity-failed
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)
↳[aws-cloudtrail-app-activity](Ps/pC_awscloudtrailappactivity.md)

netflow-connection
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

storage-access
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity-failed
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)
| T1078 - Valid Accounts
T1133 - External Remote Services
| [](RM/r_m_amazon_aws_cloudtrail_Abnormal_Authentication_&_Access.md) | -| [Account Manipulation](../../../UseCases/uc_account_manipulation.md) | account-password-change
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

app-activity
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)

app-login
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

cloud-admin-activity
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)

cloud-admin-activity-failed
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)
↳[aws-cloudtrail-app-activity](Ps/pC_awscloudtrailappactivity.md)

netflow-connection
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

storage-access
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity-failed
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)
| T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
| [](RM/r_m_amazon_aws_cloudtrail_Account_Manipulation.md) | +| [Abnormal Authentication & Access](../../../UseCases/uc_abnormal_authentication_&_access.md) | account-password-change
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

app-activity
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)

app-login
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

cloud-admin-activity
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)

cloud-admin-activity-failed
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)
↳[aws-cloudtrail-app-activity](Ps/pC_awscloudtrailappactivity.md)

netflow-connection
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

storage-access
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity-failed
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)
| T1078 - Valid Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1133 - External Remote Services
T1136.003 - Create Account: Create: Cloud Account
T1530 - Data from Cloud Storage Object
| [](RM/r_m_amazon_aws_cloudtrail_Abnormal_Authentication_&_Access.md) | +| [Account Manipulation](../../../UseCases/uc_account_manipulation.md) | account-password-change
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

app-activity
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)

app-login
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

cloud-admin-activity
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)

cloud-admin-activity-failed
↳[s-aws-cloudtrail-assumedrole-json](Ps/pC_sawscloudtrailassumedrolejson.md)
↳[s-aws-cloudtrail-activity-json](Ps/pC_sawscloudtrailactivityjson.md)
↳[aws-cloudtrail-app-activity](Ps/pC_awscloudtrailappactivity.md)

netflow-connection
↳[s-aws-cloudtrail-login-json](Ps/pC_sawscloudtrailloginjson.md)

storage-access
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity
↳[s-aws-cloudtrail-s3-activity](Ps/pC_sawscloudtrails3activity.md)
↳[s-aws-s3-cloud-storage-activity](Ps/pC_sawss3cloudstorageactivity.md)
↳[s-aws-data-access](Ps/pC_sawsdataaccess.md)

storage-activity-failed
↳[s-aws-cloudtrail-iam](Ps/pC_sawscloudtrailiam.md)
| T1078.004 - Valid Accounts: Cloud Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136.003 - Create Account: Create: Cloud Account
T1530 - Data from Cloud Storage Object
| [](RM/r_m_amazon_aws_cloudtrail_Account_Manipulation.md) | [Next Page -->>](2_ds_amazon_aws_cloudtrail.md) ATT&CK Matrix for Enterprise diff --git a/DataSources/Google/Cloud_Platform/2_ds_google_cloud_platform.md b/DataSources/Google/Cloud_Platform/2_ds_google_cloud_platform.md index 328f8545e4..d4b6375d5f 100644 --- a/DataSources/Google/Cloud_Platform/2_ds_google_cloud_platform.md +++ b/DataSources/Google/Cloud_Platform/2_ds_google_cloud_platform.md @@ -1,6 +1,5 @@ | Use-Case | Event Types/Parsers | MITRE TTP | Content | |:----:| ---- | ---- | ---- | -| [Cloud Data Protection](../../../UseCases/uc_cloud_data_protection.md) | app-activity
↳[gcp-ids-network-alert](Ps/pC_gcpidsnetworkalert.md)

cloud-admin-activity
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

cloud-admin-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

file-download
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

netflow-connection
↳[gcpvpc-netflow-connection](Ps/pC_gcpvpcnetflowconnection.md)

security-alert
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)

storage-access
↳[googlecloud-app-activity](Ps/pC_googlecloudappactivity.md)

storage-activity
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

storage-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

web-activity-allowed
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)
| T1078.004 - Valid Accounts: Cloud Accounts
T1136.003 - Create Account: Create: Cloud Account
T1530 - Data from Cloud Storage Object
| [](RM/r_m_google_cloud_platform_Cloud_Data_Protection.md) | | [Compromised Credentials](../../../UseCases/uc_compromised_credentials.md) | app-activity
↳[gcp-ids-network-alert](Ps/pC_gcpidsnetworkalert.md)

cloud-admin-activity
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

cloud-admin-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

file-download
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

netflow-connection
↳[gcpvpc-netflow-connection](Ps/pC_gcpvpcnetflowconnection.md)

security-alert
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)

storage-access
↳[googlecloud-app-activity](Ps/pC_googlecloudappactivity.md)

storage-activity
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

storage-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

web-activity-allowed
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)
| T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1046 - Network Service Scanning
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
T1133 - External Remote Services
T1189 - Drive-by Compromise
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
| [](RM/r_m_google_cloud_platform_Compromised_Credentials.md) | | [Cryptomining](../../../UseCases/uc_cryptomining.md) | app-activity
↳[gcp-ids-network-alert](Ps/pC_gcpidsnetworkalert.md)

cloud-admin-activity
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

cloud-admin-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

file-download
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

netflow-connection
↳[gcpvpc-netflow-connection](Ps/pC_gcpvpcnetflowconnection.md)

security-alert
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)

storage-access
↳[googlecloud-app-activity](Ps/pC_googlecloudappactivity.md)

storage-activity
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

storage-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

web-activity-allowed
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)
| T1071.001 - Application Layer Protocol: Web Protocols
T1496 - Resource Hijacking
| [](RM/r_m_google_cloud_platform_Cryptomining.md) | | [Data Access](../../../UseCases/uc_data_access.md) | app-activity
↳[gcp-ids-network-alert](Ps/pC_gcpidsnetworkalert.md)

cloud-admin-activity
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

cloud-admin-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

file-download
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

netflow-connection
↳[gcpvpc-netflow-connection](Ps/pC_gcpvpcnetflowconnection.md)

security-alert
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)

storage-access
↳[googlecloud-app-activity](Ps/pC_googlecloudappactivity.md)

storage-activity
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

storage-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

web-activity-allowed
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)
| T1078 - Valid Accounts
| [](RM/r_m_google_cloud_platform_Data_Access.md) | @@ -9,7 +8,7 @@ | [Lateral Movement](../../../UseCases/uc_lateral_movement.md) | app-activity
↳[gcp-ids-network-alert](Ps/pC_gcpidsnetworkalert.md)

cloud-admin-activity
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

cloud-admin-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

file-download
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

netflow-connection
↳[gcpvpc-netflow-connection](Ps/pC_gcpvpcnetflowconnection.md)

security-alert
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)

storage-access
↳[googlecloud-app-activity](Ps/pC_googlecloudappactivity.md)

storage-activity
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

storage-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

web-activity-allowed
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)
| T1018 - Remote System Discovery
T1021 - Remote Services
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1046 - Network Service Scanning
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1090.003 - Proxy: Multi-hop Proxy
T1190 - Exploit Public Fasing Application
T1210 - Exploitation of Remote Services
TA0008 - TA0008
TA0010 - TA0010
TA0011 - TA0011
| [](RM/r_m_google_cloud_platform_Lateral_Movement.md) | | [Malware](../../../UseCases/uc_malware.md) | app-activity
↳[gcp-ids-network-alert](Ps/pC_gcpidsnetworkalert.md)

cloud-admin-activity
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

cloud-admin-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

file-download
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

netflow-connection
↳[gcpvpc-netflow-connection](Ps/pC_gcpvpcnetflowconnection.md)

security-alert
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)

storage-access
↳[googlecloud-app-activity](Ps/pC_googlecloudappactivity.md)

storage-activity
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

storage-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

web-activity-allowed
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)
| T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1189 - Drive-by Compromise
T1204.001 - T1204.001
T1566.002 - Phishing: Spearphishing Link
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
TA0002 - TA0002
TA0011 - TA0011
| [](RM/r_m_google_cloud_platform_Malware.md) | | [Phishing](../../../UseCases/uc_phishing.md) | app-activity
↳[gcp-ids-network-alert](Ps/pC_gcpidsnetworkalert.md)

cloud-admin-activity
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

cloud-admin-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

file-download
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

netflow-connection
↳[gcpvpc-netflow-connection](Ps/pC_gcpvpcnetflowconnection.md)

security-alert
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)

storage-access
↳[googlecloud-app-activity](Ps/pC_googlecloudappactivity.md)

storage-activity
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

storage-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

web-activity-allowed
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)
| T1189 - Drive-by Compromise
T1204.001 - T1204.001
T1534 - Internal Spearphishing
T1566.002 - Phishing: Spearphishing Link
T1598.003 - T1598.003
| [](RM/r_m_google_cloud_platform_Phishing.md) | -| [Privilege Abuse](../../../UseCases/uc_privilege_abuse.md) | app-activity
↳[gcp-ids-network-alert](Ps/pC_gcpidsnetworkalert.md)

cloud-admin-activity
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

cloud-admin-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

file-download
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

netflow-connection
↳[gcpvpc-netflow-connection](Ps/pC_gcpvpcnetflowconnection.md)

security-alert
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)

storage-access
↳[googlecloud-app-activity](Ps/pC_googlecloudappactivity.md)

storage-activity
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

storage-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

web-activity-allowed
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)
| T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
| [](RM/r_m_google_cloud_platform_Privilege_Abuse.md) | +| [Privilege Abuse](../../../UseCases/uc_privilege_abuse.md) | app-activity
↳[gcp-ids-network-alert](Ps/pC_gcpidsnetworkalert.md)

cloud-admin-activity
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

cloud-admin-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

file-download
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

netflow-connection
↳[gcpvpc-netflow-connection](Ps/pC_gcpvpcnetflowconnection.md)

security-alert
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)

storage-access
↳[googlecloud-app-activity](Ps/pC_googlecloudappactivity.md)

storage-activity
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

storage-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

web-activity-allowed
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)
| T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1530 - Data from Cloud Storage Object
| [](RM/r_m_google_cloud_platform_Privilege_Abuse.md) | | [Privilege Escalation](../../../UseCases/uc_privilege_escalation.md) | app-activity
↳[gcp-ids-network-alert](Ps/pC_gcpidsnetworkalert.md)

cloud-admin-activity
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

cloud-admin-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

file-download
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

netflow-connection
↳[gcpvpc-netflow-connection](Ps/pC_gcpvpcnetflowconnection.md)

security-alert
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)

storage-access
↳[googlecloud-app-activity](Ps/pC_googlecloudappactivity.md)

storage-activity
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

storage-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

web-activity-allowed
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)
| T1021.002 - Remote Services: SMB/Windows Admin Shares
T1087 - Account Discovery
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
| [](RM/r_m_google_cloud_platform_Privilege_Escalation.md) | | [Privileged Activity](../../../UseCases/uc_privileged_activity.md) | app-activity
↳[gcp-ids-network-alert](Ps/pC_gcpidsnetworkalert.md)

cloud-admin-activity
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

cloud-admin-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

file-download
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

netflow-connection
↳[gcpvpc-netflow-connection](Ps/pC_gcpvpcnetflowconnection.md)

security-alert
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)

storage-access
↳[googlecloud-app-activity](Ps/pC_googlecloudappactivity.md)

storage-activity
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

storage-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

web-activity-allowed
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)
| T1068 - Exploitation for Privilege Escalation
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1102 - Web Service
| [](RM/r_m_google_cloud_platform_Privileged_Activity.md) | | [Ransomware](../../../UseCases/uc_ransomware.md) | app-activity
↳[gcp-ids-network-alert](Ps/pC_gcpidsnetworkalert.md)

cloud-admin-activity
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

cloud-admin-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

file-download
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

netflow-connection
↳[gcpvpc-netflow-connection](Ps/pC_gcpvpcnetflowconnection.md)

security-alert
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)

storage-access
↳[googlecloud-app-activity](Ps/pC_googlecloudappactivity.md)

storage-activity
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

storage-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

web-activity-allowed
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)
| T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
| [](RM/r_m_google_cloud_platform_Ransomware.md) | diff --git a/DataSources/Google/Cloud_Platform/RM/r_m_google_cloud_platform_Abnormal_Authentication_&_Access.md b/DataSources/Google/Cloud_Platform/RM/r_m_google_cloud_platform_Abnormal_Authentication_&_Access.md index 02cdfd75fe..3679fc0d76 100644 --- a/DataSources/Google/Cloud_Platform/RM/r_m_google_cloud_platform_Abnormal_Authentication_&_Access.md +++ b/DataSources/Google/Cloud_Platform/RM/r_m_google_cloud_platform_Abnormal_Authentication_&_Access.md 
@@ -5,9 +5,14 @@ Vendor: Google | Rules | Models | MITRE TTPs | Event Types | Parsers | |:-----:|:------:|:----------:|:-----------:|:-------:| -| 20 | 10 | 3 | 10 | 10 | +| 38 | 18 | 6 | 10 | 10 | -| Event Type | Rules | Models | -| -------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| app-activity | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user
DC23: Abnormal session start time
DC24: Abnormal day of week
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
NEW-USER-F: User with no event history
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user

T1133 - External Remote Services
UA-UC-F: First activity from country for user
UA-UC-A: Abnormal activity from country for user
UA-GC-F: First activity from country for group
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user | • UA-OC: Countries for organization
UA-GC: Countries for peer groups
UA-UC: Countries for user activity
AE-UA: All activity for users | -| web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols
WEB-UUa-OS-F: First web activity using this operating system for this user
WEB-UUa-MobileBrowser-F: First activity using this mobile web browser/app for this user to a new domain
WEB-OsUa-MobileBrowser-F: First activity using this mobile web browser for this mobile operating system
WEB-UT-TOW-A: Abnormal day for this user to access the web via the organization
WEB-UZ-F: First web activity for this user in this zone
WEB-GZ-F: First web activity from this zone for the peer group | • WEB-GZ: Network zones where users performs web activity in the peer group
WEB-UZ: Network zones where a user performs web activity from
WEB-UT-TOW: Web activity activity time for user
WEB-OsUa-MobileBrowser-New: Top mobile apps/web browsers being used in the organization for this type of device
WEB-UUa-MobileBrowser-New: Top mobile apps/web browsers being used by user
WEB-UUa-OS-New: Top operating systems being used to connect to the web for user | \ No newline at end of file +| Event Type | Rules | Models | +| --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| app-activity | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user
DC23: Abnormal session start time
DC24: Abnormal day of week
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
NEW-USER-F: User with no event history
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user

T1133 - External Remote Services
UA-UC-F: First activity from country for user
UA-UC-A: Abnormal activity from country for user
UA-GC-F: First activity from country for group
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user | • UA-OC: Countries for organization
UA-GC: Countries for peer groups
UA-UC: Countries for user activity
AE-UA: All activity for users | +| cloud-admin-activity | T1136.003 - Create Account: Create: Cloud Account
CS-Critical-Activity-F: First time for this user to perform a critical Cloud Administrative operation
CS-Critical-Activity-A: Abnormal user to perform a critical Cloud Administrative operation

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization | • CS-Critical-Activities: Users who perform critical IAM activites | +| cloud-admin-activity-failed | T1136.003 - Create Account: Create: Cloud Account
CS-Critical-Activity-F: First time for this user to perform a critical Cloud Administrative operation
CS-Critical-Activity-A: Abnormal user to perform a critical Cloud Administrative operation

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization | • CS-Critical-Activities: Users who perform critical IAM activites | +| storage-access | T1530 - Data from Cloud Storage Object
B-CS-Bucket-UA-F: New user agent has accessed this bucket, possible exfiltration
B-CS-Bucket-UA-A: Abnormal user agent access to this bucket, possible exfiltration
B-CS-Bucket-Users-F: First time for user to access this bucket
B-CS-Bucket-Users-A: Abnormal user accessing this storage container/bucket
B-CS-Bucket-Activity-F: First type of object access against this bucket
B-CS-Bucket-Activity-A: Abnormal type of object access against this bucket
CS-Storage-Activity-F: First time using this event activity against the cloud storage service
CS-Storage-Activity-A: Abnormal activity against the cloud storage service
CS-Users-F: First time this user is seen accessing the cloud storage service
CS-Users-A: Abnormal user is seen accessing the cloud storage service
B-CS-UType-F: First time this specific user type has accessed this bucket
B-CS-UType-A: Abnormal for this user type to access this bucket

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization
CS-UA-P-F: First user agent for peer group to access cloud services
CS-UA-P-A: Abnormal user agent for the peer group accessing cloud service | • B-CS-IType: User Identity types per cloud storage container
CS-Users: Users accessing cloud storage in the org
CS-Storage-Activity: Cloud storage activities for the user
B-CS-Bucket-Activity: Activities per storage container/bucket
B-CS-Bucket-Users: Users per storage container/bucket
B-CS-Bucket-UA: User agents per bucket
CS-P-UA: User agents accessing cloud storage per peer group | +| storage-activity | T1530 - Data from Cloud Storage Object
B-CS-Bucket-UA-F: New user agent has accessed this bucket, possible exfiltration
B-CS-Bucket-UA-A: Abnormal user agent access to this bucket, possible exfiltration
B-CS-Bucket-Users-A: Abnormal user accessing this storage container/bucket
CS-Storage-Activity-F: First time using this event activity against the cloud storage service
CS-Storage-Activity-A: Abnormal activity against the cloud storage service
CS-Users-F: First time this user is seen accessing the cloud storage service
CS-Users-A: Abnormal user is seen accessing the cloud storage service

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization
CS-UA-P-F: First user agent for peer group to access cloud services
CS-UA-P-A: Abnormal user agent for the peer group accessing cloud service | • CS-Users: Users accessing cloud storage in the org
CS-Storage-Activity: Cloud storage activities for the user
B-CS-Bucket-Users: Users per storage container/bucket
B-CS-Bucket-UA: User agents per bucket
CS-P-UA: User agents accessing cloud storage per peer group | +| storage-activity-failed | T1530 - Data from Cloud Storage Object
B-CS-Bucket-UA-A: Abnormal user agent access to this bucket, possible exfiltration
CS-Storage-Activity-F: First time using this event activity against the cloud storage service
CS-Storage-Activity-A: Abnormal activity against the cloud storage service
CS-Users-F: First time this user is seen accessing the cloud storage service

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization
CS-UA-P-F: First user agent for peer group to access cloud services
CS-UA-P-A: Abnormal user agent for the peer group accessing cloud service | • CS-Users: Users accessing cloud storage in the org
CS-Storage-Activity: Cloud storage activities for the user
B-CS-Bucket-UA: User agents per bucket
CS-P-UA: User agents accessing cloud storage per peer group | +| web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols
WEB-UUa-OS-F: First web activity using this operating system for this user
WEB-UUa-MobileBrowser-F: First activity using this mobile web browser/app for this user to a new domain
WEB-OsUa-MobileBrowser-F: First activity using this mobile web browser for this mobile operating system
WEB-UT-TOW-A: Abnormal day for this user to access the web via the organization
WEB-UZ-F: First web activity for this user in this zone
WEB-GZ-F: First web activity from this zone for the peer group | • WEB-GZ: Network zones where users performs web activity in the peer group
WEB-UZ: Network zones where a user performs web activity from
WEB-UT-TOW: Web activity activity time for user
WEB-OsUa-MobileBrowser-New: Top mobile apps/web browsers being used in the organization for this type of device
WEB-UUa-MobileBrowser-New: Top mobile apps/web browsers being used by user
WEB-UUa-OS-New: Top operating systems being used to connect to the web for user | \ No newline at end of file diff --git a/DataSources/Google/Cloud_Platform/RM/r_m_google_cloud_platform_Account_Manipulation.md b/DataSources/Google/Cloud_Platform/RM/r_m_google_cloud_platform_Account_Manipulation.md index c89c0a8799..62e8bd5a50 100644 --- a/DataSources/Google/Cloud_Platform/RM/r_m_google_cloud_platform_Account_Manipulation.md +++ b/DataSources/Google/Cloud_Platform/RM/r_m_google_cloud_platform_Account_Manipulation.md @@ -5,8 +5,13 @@ Vendor: Google | Rules | Models | MITRE TTPs | Event Types | Parsers | |:-----:|:------:|:----------:|:-----------:|:-------:| -| 3 | 1 | 1 | 10 | 10 | +| 13 | 6 | 4 | 10 | 10 | -| Event Type | Rules | Models | -| ------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------ | -| app-activity | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
EM-InB-Ex: A user has been given mailbox permissions for an executive user
EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own
EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions | • EM-InB-Perm-N: Models users who give mailbox permissions | \ No newline at end of file +| Event Type | Rules | Models | +| --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| app-activity | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
EM-InB-Ex: A user has been given mailbox permissions for an executive user
EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own
EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions | • EM-InB-Perm-N: Models users who give mailbox permissions | +| cloud-admin-activity | T1078.004 - Valid Accounts: Cloud Accounts
CA-UniversalPolicy-F: First time this user has created/attached a 'universal' resource/action policy
CA-UniversalPolicy-A: Abnormal for this user to create/attach a 'universal' resource/action policy
CS-IAM-Enumeration: Enumeration of Cloud account roles/users
CS-Admin-Activty-F: First time seeing this Cloud administrative operation

T1136.003 - Create Account: Create: Cloud Account
CS-User-Creation-F: First time for this user to create an account in the cloud | • CS-Admin-Activity: Cloud administrative activities performed by user
CS-User-Creation: Users who create users/accounts in the cloud
CS-Universal-Policy: Users creating universal '*' policies | +| cloud-admin-activity-failed | T1078.004 - Valid Accounts: Cloud Accounts
CS-IAM-Enumeration: Enumeration of Cloud account roles/users
CS-Admin-Activty-F: First time seeing this Cloud administrative operation

T1136.003 - Create Account: Create: Cloud Account
CS-User-Creation-F: First time for this user to create an account in the cloud
CS-Failed-User-Creation: User attempted and failed to create a Cloud user/account | • CS-Admin-Activity: Cloud administrative activities performed by user
CS-User-Creation: Users who create users/accounts in the cloud | +| storage-access | T1530 - Data from Cloud Storage Object
B-CS-Buckets-F: First cloud storage/bucket in the organization | • B-CS-Buckets: Buckets seen in the organization | +| storage-activity | T1136.003 - Create Account: Create: Cloud Account
CS-Bucket-C-D-F: Cloud Storage bucket/storage container creation/deletion for the first time
CS-Bucket-Created: Cloud storage bucket/storage container creation

T1530 - Data from Cloud Storage Object
B-CS-Buckets-F: First cloud storage/bucket in the organization
CS-S3-Enumeration: Cloud Storage container/bucket enumeration | • CS-Bucket-C-D: Users who create or delete storage containers
B-CS-Buckets: Buckets seen in the organization | +| storage-activity-failed | T1136.003 - Create Account: Create: Cloud Account
CS-Bucket-C-D-F: Cloud Storage bucket/storage container creation/deletion for the first time
CS-Bucket-Created: Cloud storage bucket/storage container creation

T1530 - Data from Cloud Storage Object
B-CS-Buckets-F: First cloud storage/bucket in the organization
CS-S3-Enumeration: Cloud Storage container/bucket enumeration | • CS-Bucket-C-D: Users who create or delete storage containers
B-CS-Buckets: Buckets seen in the organization | \ No newline at end of file diff --git a/DataSources/Google/Cloud_Platform/RM/r_m_google_cloud_platform_Cloud_Data_Protection.md b/DataSources/Google/Cloud_Platform/RM/r_m_google_cloud_platform_Cloud_Data_Protection.md deleted file mode 100644 index bb0ce3051a..0000000000 --- a/DataSources/Google/Cloud_Platform/RM/r_m_google_cloud_platform_Cloud_Data_Protection.md +++ /dev/null 
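Review bot: the rule ID CS-Admin-Activty-F (in both the cloud-admin-activity and cloud-admin-activity-failed rows of this hunk) is misspelled; if the generator copies rule IDs from the content package verbatim, fix the ID upstream rather than on this page, otherwise the typo will come back on the next regeneration. Two mappings in the same rows are also worth checking against the rule metadata: CS-Bucket-C-D-F and CS-Bucket-Created (storage-activity and storage-activity-failed rows) are bucket creation/deletion rules but are filed under T1136.003 - Create Account: Cloud Account, and the storage-activity-failed row lists exactly the same rules and models as storage-activity, including the success-oriented CS-Bucket-Created, so either the failed event type should carry a narrower rule set or the duplication should be intentional and documented.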
@@ -1,16 +0,0 @@ -Vendor: Google -============== -### Product: [Cloud Platform](../ds_google_cloud_platform.md) -### Use-Case: [Cloud Data Protection](../../../../UseCases/uc_cloud_data_protection.md) - -| Rules | Models | MITRE TTPs | Event Types | Parsers | -|:-----:|:------:|:----------:|:-----------:|:-------:| -| 31 | 14 | 3 | 10 | 10 | - -| Event Type | Rules | Models | -| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| cloud-admin-activity | T1136.003 - Create Account: Create: Cloud Account
CS-User-Creation-F: First time for this user to create an account in the cloud
CS-Critical-Activity-F: First time for this user to perform a critical Cloud Administrative operation
CS-Critical-Activity-A: Abnormal user to perform a critical Cloud Administrative operation

T1078.004 - Valid Accounts: Cloud Accounts
CA-UniversalPolicy-F: First time this user has created/attached a 'universal' resource/action policy
CA-UniversalPolicy-A: Abnormal for this user to create/attach a 'universal' resource/action policy
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization
CS-IAM-Enumeration: Enumeration of Cloud account roles/users
CS-Admin-Activty-F: First time seeing this Cloud administrative operation
CS-Admin-Activity-A: Abnormal invocation of this specific admin activity

T1530 - Data from Cloud Storage Object
CS-Policies-F: First time seeing this cloud policy
CS-Policies-A: Abnormal cloud policy seen | • CS-Critical-Activities: Users who perform critical IAM activites
CS-Admin-Activity: Cloud administrative activities performed by user
CS-User-Creation: Users who create users/accounts in the cloud
CS-Policies: Cloud Policies seen in the organization
CS-Universal-Policy: Users creating universal '*' policies | -| cloud-admin-activity-failed | T1136.003 - Create Account: Create: Cloud Account
CS-User-Creation-F: First time for this user to create an account in the cloud
CS-Failed-User-Creation: User attempted and failed to create a Cloud user/account
CS-Critical-Activity-F: First time for this user to perform a critical Cloud Administrative operation
CS-Critical-Activity-A: Abnormal user to perform a critical Cloud Administrative operation

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization
CS-IAM-Enumeration: Enumeration of Cloud account roles/users
CS-Admin-Activty-F: First time seeing this Cloud administrative operation
CS-Admin-Activity-A: Abnormal invocation of this specific admin activity | • CS-Critical-Activities: Users who perform critical IAM activites
CS-Admin-Activity: Cloud administrative activities performed by user
CS-User-Creation: Users who create users/accounts in the cloud | -| storage-access | T1530 - Data from Cloud Storage Object
B-CS-Buckets-F: First cloud storage/bucket in the organization
B-CS-Bucket-UA-F: New user agent has accessed this bucket, possible exfiltration
B-CS-Bucket-UA-A: Abnormal user agent access to this bucket, possible exfiltration
B-CS-Bucket-Users-F: First time for user to access this bucket
B-CS-Bucket-Users-A: Abnormal user accessing this storage container/bucket
B-CS-Bucket-Activity-F: First type of object access against this bucket
B-CS-Bucket-Activity-A: Abnormal type of object access against this bucket
CS-Storage-Activity-F: First time using this event activity against the cloud storage service
CS-Storage-Activity-A: Abnormal activity against the cloud storage service
CS-Users-F: First time this user is seen accessing the cloud storage service
CS-Users-A: Abnormal user is seen accessing the cloud storage service
B-CS-UType-F: First time this specific user type has accessed this bucket
B-CS-UType-A: Abnormal for this user type to access this bucket

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization
CS-UA-P-F: First user agent for peer group to access cloud services
CS-UA-P-A: Abnormal user agent for the peer group accessing cloud service | • B-CS-IType: User Identity types per cloud storage container
CS-Users: Users accessing cloud storage in the org
CS-Storage-Activity: Cloud storage activities for the user
B-CS-Bucket-Activity: Activities per storage container/bucket
B-CS-Bucket-Users: Users per storage container/bucket
B-CS-Bucket-UA: User agents per bucket
B-CS-Buckets: Buckets seen in the organization
CS-P-UA: User agents accessing cloud storage per peer group | -| storage-activity | T1136.003 - Create Account: Create: Cloud Account
CS-Bucket-C-D-F: Cloud Storage bucket/storage container creation/deletion for the first time
CS-Bucket-Created: Cloud storage bucket/storage container creation

T1530 - Data from Cloud Storage Object
B-CS-Buckets-F: First cloud storage/bucket in the organization
B-CS-Bucket-UA-F: New user agent has accessed this bucket, possible exfiltration
B-CS-Bucket-UA-A: Abnormal user agent access to this bucket, possible exfiltration
B-CS-Bucket-Users-A: Abnormal user accessing this storage container/bucket
CS-Storage-Activity-F: First time using this event activity against the cloud storage service
CS-Storage-Activity-A: Abnormal activity against the cloud storage service
CS-Users-F: First time this user is seen accessing the cloud storage service
CS-Users-A: Abnormal user is seen accessing the cloud storage service
CS-S3-Enumeration: Cloud Storage container/bucket enumeration

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization
CS-UA-P-F: First user agent for peer group to access cloud services
CS-UA-P-A: Abnormal user agent for the peer group accessing cloud service | • CS-Bucket-C-D: Users who create or delete storage containers
CS-Users: Users accessing cloud storage in the org
CS-Storage-Activity: Cloud storage activities for the user
B-CS-Bucket-Users: Users per storage container/bucket
B-CS-Bucket-UA: User agents per bucket
B-CS-Buckets: Buckets seen in the organization
CS-P-UA: User agents accessing cloud storage per peer group | -| storage-activity-failed | T1136.003 - Create Account: Create: Cloud Account
CS-Bucket-C-D-F: Cloud Storage bucket/storage container creation/deletion for the first time
CS-Bucket-Created: Cloud storage bucket/storage container creation

T1530 - Data from Cloud Storage Object
B-CS-Buckets-F: First cloud storage/bucket in the organization
B-CS-Bucket-UA-A: Abnormal user agent access to this bucket, possible exfiltration
CS-Storage-Activity-F: First time using this event activity against the cloud storage service
CS-Storage-Activity-A: Abnormal activity against the cloud storage service
CS-Users-F: First time this user is seen accessing the cloud storage service
CS-S3-Enumeration: Cloud Storage container/bucket enumeration

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization
CS-UA-P-F: First user agent for peer group to access cloud services
CS-UA-P-A: Abnormal user agent for the peer group accessing cloud service | • CS-Bucket-C-D: Users who create or delete storage containers
CS-Users: Users accessing cloud storage in the org
CS-Storage-Activity: Cloud storage activities for the user
B-CS-Bucket-UA: User agents per bucket
B-CS-Buckets: Buckets seen in the organization
CS-P-UA: User agents accessing cloud storage per peer group | \ No newline at end of file diff --git a/DataSources/Google/Cloud_Platform/RM/r_m_google_cloud_platform_Privilege_Abuse.md b/DataSources/Google/Cloud_Platform/RM/r_m_google_cloud_platform_Privilege_Abuse.md index c7f398962f..d00c408323 100644 --- a/DataSources/Google/Cloud_Platform/RM/r_m_google_cloud_platform_Privilege_Abuse.md +++ b/DataSources/Google/Cloud_Platform/RM/r_m_google_cloud_platform_Privilege_Abuse.md @@ -5,10 +5,12 @@ Vendor: Google | Rules | Models | MITRE TTPs | Event Types | Parsers | |:-----:|:------:|:----------:|:-----------:|:-------:| -| 8 | 2 | 3 | 10 | 10 | +| 11 | 4 | 5 | 10 | 10 | -| Event Type | Rules | Models | -| -------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | -| app-activity | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
EM-InB-Ex: A user has been given mailbox permissions for an executive user
EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own
EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions

T1078 - Valid Accounts
APP-Account-deactivated: Activity from a de-activated user account
APP-F-SA-NC: New service account access to application
APP-AT-PRIV: Non-privileged user performing privileged application activity | • EM-InB-Perm-N: Models users who give mailbox permissions
APP-AT-PRIV: Privileged application activities | -| file-download | T1078 - Valid Accounts
FA-Account-deactivated: File Activity from a de-activated user account | | -| web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols
WEB-ALERT-EXEC: Security violation by Executive in web activity

T1078 - Valid Accounts
WEB-ALERT-EXEC: Security violation by Executive in web activity | | \ No newline at end of file +| Event Type | Rules | Models | +| --------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | +| app-activity | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
EM-InB-Ex: A user has been given mailbox permissions for an executive user
EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own
EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions

T1078 - Valid Accounts
APP-Account-deactivated: Activity from a de-activated user account
APP-F-SA-NC: New service account access to application
APP-AT-PRIV: Non-privileged user performing privileged application activity | • EM-InB-Perm-N: Models users who give mailbox permissions
APP-AT-PRIV: Privileged application activities | +| cloud-admin-activity | T1078.004 - Valid Accounts: Cloud Accounts
CS-Admin-Activity-A: Abnormal invocation of this specific admin activity

T1530 - Data from Cloud Storage Object
CS-Policies-F: First time seeing this cloud policy
CS-Policies-A: Abnormal cloud policy seen | • CS-Admin-Activity: Cloud administrative activities performed by user
CS-Policies: Cloud Policies seen in the organization | +| cloud-admin-activity-failed | T1078.004 - Valid Accounts: Cloud Accounts
CS-Admin-Activity-A: Abnormal invocation of this specific admin activity | • CS-Admin-Activity: Cloud administrative activities performed by user | +| file-download | T1078 - Valid Accounts
FA-Account-deactivated: File Activity from a de-activated user account | | +| web-activity-allowed | T1071.001 - Application Layer Protocol: Web Protocols
WEB-ALERT-EXEC: Security violation by Executive in web activity

T1078 - Valid Accounts
WEB-ALERT-EXEC: Security violation by Executive in web activity | | \ No newline at end of file diff --git a/DataSources/Google/Cloud_Platform/ds_google_cloud_platform.md b/DataSources/Google/Cloud_Platform/ds_google_cloud_platform.md index 7f09d61a83..357a852d84 100644 --- a/DataSources/Google/Cloud_Platform/ds_google_cloud_platform.md +++ b/DataSources/Google/Cloud_Platform/ds_google_cloud_platform.md @@ -8,8 +8,8 @@ Product: Cloud Platform | Use-Case | Event Types/Parsers | MITRE TTP | Content | |:----:| ---- | ---- | ---- | -| [Abnormal Authentication & Access](../../../UseCases/uc_abnormal_authentication_&_access.md) | app-activity
↳[gcp-ids-network-alert](Ps/pC_gcpidsnetworkalert.md)

cloud-admin-activity
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

cloud-admin-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

file-download
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

netflow-connection
↳[gcpvpc-netflow-connection](Ps/pC_gcpvpcnetflowconnection.md)

security-alert
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)

storage-access
↳[googlecloud-app-activity](Ps/pC_googlecloudappactivity.md)

storage-activity
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

storage-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

web-activity-allowed
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)
| T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1133 - External Remote Services
| [](RM/r_m_google_cloud_platform_Abnormal_Authentication_&_Access.md) | -| [Account Manipulation](../../../UseCases/uc_account_manipulation.md) | app-activity
↳[gcp-ids-network-alert](Ps/pC_gcpidsnetworkalert.md)

cloud-admin-activity
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

cloud-admin-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

file-download
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

netflow-connection
↳[gcpvpc-netflow-connection](Ps/pC_gcpvpcnetflowconnection.md)

security-alert
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)

storage-access
↳[googlecloud-app-activity](Ps/pC_googlecloudappactivity.md)

storage-activity
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

storage-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

web-activity-allowed
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)
| T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
| [](RM/r_m_google_cloud_platform_Account_Manipulation.md) | +| [Abnormal Authentication & Access](../../../UseCases/uc_abnormal_authentication_&_access.md) | app-activity
↳[gcp-ids-network-alert](Ps/pC_gcpidsnetworkalert.md)

cloud-admin-activity
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

cloud-admin-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

file-download
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

netflow-connection
↳[gcpvpc-netflow-connection](Ps/pC_gcpvpcnetflowconnection.md)

security-alert
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)

storage-access
↳[googlecloud-app-activity](Ps/pC_googlecloudappactivity.md)

storage-activity
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

storage-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

web-activity-allowed
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)
| T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1133 - External Remote Services
T1136.003 - Create Account: Create: Cloud Account
T1530 - Data from Cloud Storage Object
| [](RM/r_m_google_cloud_platform_Abnormal_Authentication_&_Access.md) | +| [Account Manipulation](../../../UseCases/uc_account_manipulation.md) | app-activity
↳[gcp-ids-network-alert](Ps/pC_gcpidsnetworkalert.md)

cloud-admin-activity
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

cloud-admin-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

file-download
↳[googlecloud-iam-activity](Ps/pC_googlecloudiamactivity.md)
↳[googlecloud-cloudresourcemanager-activity](Ps/pC_googlecloudcloudresourcemanageractivity.md)

netflow-connection
↳[gcpvpc-netflow-connection](Ps/pC_gcpvpcnetflowconnection.md)

security-alert
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)

storage-access
↳[googlecloud-app-activity](Ps/pC_googlecloudappactivity.md)

storage-activity
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

storage-activity-failed
↳[googlecloud-storage-activity](Ps/pC_googlecloudstorageactivity.md)

web-activity-allowed
↳[googlecloud-web-activity](Ps/pC_googlecloudwebactivity.md)
| T1078.004 - Valid Accounts: Cloud Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136.003 - Create Account: Create: Cloud Account
T1530 - Data from Cloud Storage Object
| [](RM/r_m_google_cloud_platform_Account_Manipulation.md) | [Next Page -->>](2_ds_google_cloud_platform.md) ATT&CK Matrix for Enterprise diff --git a/DataSources/Microsoft/Azure/2_ds_microsoft_azure.md b/DataSources/Microsoft/Azure/2_ds_microsoft_azure.md index 826a032261..27ed780dcc 100644 --- a/DataSources/Microsoft/Azure/2_ds_microsoft_azure.md +++ b/DataSources/Microsoft/Azure/2_ds_microsoft_azure.md @@ -2,7 +2,6 @@ |:----:| ---- | ---- | ---- | | [Audit Tampering](../../../UseCases/uc_audit_tampering.md) | account-password-change
↳[cef-microsoft-failed-app-login](Ps/pC_cefmicrosoftfailedapplogin.md)

account-password-reset
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)

app-activity
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

app-activity-failed
↳[cef-azure-app-login](Ps/pC_cefazureapplogin.md)
↳[azure-event-hub-app-service-audit-logs](Ps/pC_azureeventhubappserviceauditlogs.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[azure-event-hub-key-vault-auth](Ps/pC_azureeventhubkeyvaultauth.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)

app-login
↳[cef-azure-failed-app-login](Ps/pC_cefazurefailedapplogin.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)
↳[cef-microsoft-password-change](Ps/pC_cefmicrosoftpasswordchange.md)

authentication-failed
↳[azure-file-read-1](Ps/pC_azurefileread1.md)
↳[azure-file-read](Ps/pC_azurefileread.md)
↳[azure-file-read-3](Ps/pC_azurefileread3.md)
↳[azure-file-read-2](Ps/pC_azurefileread2.md)
↳[microsoft-network-alert](Ps/pC_microsoftnetworkalert.md)
↳[azure-file-write](Ps/pC_azurefilewrite.md)

authentication-successful
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)

cloud-admin-activity
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

cloud-admin-activity-failed
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

database-query
↳[cef-azure-event-hub-security](Ps/pC_cefazureeventhubsecurity.md)
↳[cef-microsoft-dns-query](Ps/pC_cefmicrosoftdnsquery.md)

dlp-email-alert-in-failed
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

dns-response
↳[cef-microsoft-app-login](Ps/pC_cefmicrosoftapplogin.md)

failed-app-login
↳[azure-event-hub-application-gateway-access-log](Ps/pC_azureeventhubapplicationgatewayaccesslog.md)
↳[cef-microsoft-remote-logon](Ps/pC_cefmicrosoftremotelogon.md)

failed-logon
↳[azure-event-hub-process-events](Ps/pC_azureeventhubprocessevents.md)
↳[azure-event-hub-process-events-1](Ps/pC_azureeventhubprocessevents1.md)

failed-usb-activity
↳[azure-app-login](Ps/pC_azureapplogin.md)

file-delete
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-process-created-1](Ps/pC_azureprocesscreated1.md)

file-download
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-read
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-write
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-event-hub-usb-activity](Ps/pC_azureeventhubusbactivity.md)

member-added
↳[azure-event-hub-member-removed](Ps/pC_azureeventhubmemberremoved.md)
↳[azure-ad-member-removed-1](Ps/pC_azureadmemberremoved1.md)

member-removed
↳[azure-event-hub-file-read](Ps/pC_azureeventhubfileread.md)

network-connection-failed
↳[azure-event-hub-sql-security-event](Ps/pC_azureeventhubsqlsecurityevent.md)

network-connection-successful
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

privileged-access
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

process-created
↳[azure-event-hub-remote-logon](Ps/pC_azureeventhubremotelogon.md)

remote-logon
↳[azure-event-hub-file-events](Ps/pC_azureeventhubfileevents.md)

security-alert
↳[cef-microsoft-database-query](Ps/pC_cefmicrosoftdatabasequery.md)

storage-activity
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

storage-activity-failed
↳[s-azure-storage-access](Ps/pC_sazurestorageaccess.md)
↳[json-azure-storage-access](Ps/pC_jsonazurestorageaccess.md)

usb-activity
↳[azure-event-hub-usb-insert](Ps/pC_azureeventhubusbinsert.md)

usb-insert
↳[azure-event-hub-member-added](Ps/pC_azureeventhubmemberadded.md)
| T1059 - Command and Scripting Interperter
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1546.003 - T1546.003
T1562 - Impair Defenses
T1562.006 - T1562.006
| [](RM/r_m_microsoft_azure_Audit_Tampering.md) | | [Brute Force Attack](../../../UseCases/uc_brute_force_attack.md) | account-password-change
↳[cef-microsoft-failed-app-login](Ps/pC_cefmicrosoftfailedapplogin.md)

account-password-reset
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)

app-activity
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

app-activity-failed
↳[cef-azure-app-login](Ps/pC_cefazureapplogin.md)
↳[azure-event-hub-app-service-audit-logs](Ps/pC_azureeventhubappserviceauditlogs.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[azure-event-hub-key-vault-auth](Ps/pC_azureeventhubkeyvaultauth.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)

app-login
↳[cef-azure-failed-app-login](Ps/pC_cefazurefailedapplogin.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)
↳[cef-microsoft-password-change](Ps/pC_cefmicrosoftpasswordchange.md)

authentication-failed
↳[azure-file-read-1](Ps/pC_azurefileread1.md)
↳[azure-file-read](Ps/pC_azurefileread.md)
↳[azure-file-read-3](Ps/pC_azurefileread3.md)
↳[azure-file-read-2](Ps/pC_azurefileread2.md)
↳[microsoft-network-alert](Ps/pC_microsoftnetworkalert.md)
↳[azure-file-write](Ps/pC_azurefilewrite.md)

authentication-successful
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)

cloud-admin-activity
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

cloud-admin-activity-failed
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

database-query
↳[cef-azure-event-hub-security](Ps/pC_cefazureeventhubsecurity.md)
↳[cef-microsoft-dns-query](Ps/pC_cefmicrosoftdnsquery.md)

dlp-email-alert-in-failed
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

dns-response
↳[cef-microsoft-app-login](Ps/pC_cefmicrosoftapplogin.md)

failed-app-login
↳[azure-event-hub-application-gateway-access-log](Ps/pC_azureeventhubapplicationgatewayaccesslog.md)
↳[cef-microsoft-remote-logon](Ps/pC_cefmicrosoftremotelogon.md)

failed-logon
↳[azure-event-hub-process-events](Ps/pC_azureeventhubprocessevents.md)
↳[azure-event-hub-process-events-1](Ps/pC_azureeventhubprocessevents1.md)

failed-usb-activity
↳[azure-app-login](Ps/pC_azureapplogin.md)

file-delete
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-process-created-1](Ps/pC_azureprocesscreated1.md)

file-download
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-read
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-write
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-event-hub-usb-activity](Ps/pC_azureeventhubusbactivity.md)

member-added
↳[azure-event-hub-member-removed](Ps/pC_azureeventhubmemberremoved.md)
↳[azure-ad-member-removed-1](Ps/pC_azureadmemberremoved1.md)

member-removed
↳[azure-event-hub-file-read](Ps/pC_azureeventhubfileread.md)

network-connection-failed
↳[azure-event-hub-sql-security-event](Ps/pC_azureeventhubsqlsecurityevent.md)

network-connection-successful
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

privileged-access
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

process-created
↳[azure-event-hub-remote-logon](Ps/pC_azureeventhubremotelogon.md)

remote-logon
↳[azure-event-hub-file-events](Ps/pC_azureeventhubfileevents.md)

security-alert
↳[cef-microsoft-database-query](Ps/pC_cefmicrosoftdatabasequery.md)

storage-activity
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

storage-activity-failed
↳[s-azure-storage-access](Ps/pC_sazurestorageaccess.md)
↳[json-azure-storage-access](Ps/pC_jsonazurestorageaccess.md)

usb-activity
↳[azure-event-hub-usb-insert](Ps/pC_azureeventhubusbinsert.md)

usb-insert
↳[azure-event-hub-member-added](Ps/pC_azureeventhubmemberadded.md)
| T1110 - Brute Force
T1110.003 - T1110.003
| [](RM/r_m_microsoft_azure_Brute_Force_Attack.md) | -| [Cloud Data Protection](../../../UseCases/uc_cloud_data_protection.md) | account-password-change
↳[cef-microsoft-failed-app-login](Ps/pC_cefmicrosoftfailedapplogin.md)

account-password-reset
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)

app-activity
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

app-activity-failed
↳[cef-azure-app-login](Ps/pC_cefazureapplogin.md)
↳[azure-event-hub-app-service-audit-logs](Ps/pC_azureeventhubappserviceauditlogs.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[azure-event-hub-key-vault-auth](Ps/pC_azureeventhubkeyvaultauth.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)

app-login
↳[cef-azure-failed-app-login](Ps/pC_cefazurefailedapplogin.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)
↳[cef-microsoft-password-change](Ps/pC_cefmicrosoftpasswordchange.md)

authentication-failed
↳[azure-file-read-1](Ps/pC_azurefileread1.md)
↳[azure-file-read](Ps/pC_azurefileread.md)
↳[azure-file-read-3](Ps/pC_azurefileread3.md)
↳[azure-file-read-2](Ps/pC_azurefileread2.md)
↳[microsoft-network-alert](Ps/pC_microsoftnetworkalert.md)
↳[azure-file-write](Ps/pC_azurefilewrite.md)

authentication-successful
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)

cloud-admin-activity
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

cloud-admin-activity-failed
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

database-query
↳[cef-azure-event-hub-security](Ps/pC_cefazureeventhubsecurity.md)
↳[cef-microsoft-dns-query](Ps/pC_cefmicrosoftdnsquery.md)

dlp-email-alert-in-failed
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

dns-response
↳[cef-microsoft-app-login](Ps/pC_cefmicrosoftapplogin.md)

failed-app-login
↳[azure-event-hub-application-gateway-access-log](Ps/pC_azureeventhubapplicationgatewayaccesslog.md)
↳[cef-microsoft-remote-logon](Ps/pC_cefmicrosoftremotelogon.md)

failed-logon
↳[azure-event-hub-process-events](Ps/pC_azureeventhubprocessevents.md)
↳[azure-event-hub-process-events-1](Ps/pC_azureeventhubprocessevents1.md)

failed-usb-activity
↳[azure-app-login](Ps/pC_azureapplogin.md)

file-delete
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-process-created-1](Ps/pC_azureprocesscreated1.md)

file-download
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-read
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-write
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-event-hub-usb-activity](Ps/pC_azureeventhubusbactivity.md)

member-added
↳[azure-event-hub-member-removed](Ps/pC_azureeventhubmemberremoved.md)
↳[azure-ad-member-removed-1](Ps/pC_azureadmemberremoved1.md)

member-removed
↳[azure-event-hub-file-read](Ps/pC_azureeventhubfileread.md)

network-connection-failed
↳[azure-event-hub-sql-security-event](Ps/pC_azureeventhubsqlsecurityevent.md)

network-connection-successful
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

privileged-access
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

process-created
↳[azure-event-hub-remote-logon](Ps/pC_azureeventhubremotelogon.md)

remote-logon
↳[azure-event-hub-file-events](Ps/pC_azureeventhubfileevents.md)

security-alert
↳[cef-microsoft-database-query](Ps/pC_cefmicrosoftdatabasequery.md)

storage-activity
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

storage-activity-failed
↳[s-azure-storage-access](Ps/pC_sazurestorageaccess.md)
↳[json-azure-storage-access](Ps/pC_jsonazurestorageaccess.md)

usb-activity
↳[azure-event-hub-usb-insert](Ps/pC_azureeventhubusbinsert.md)

usb-insert
↳[azure-event-hub-member-added](Ps/pC_azureeventhubmemberadded.md)
| T1078.004 - Valid Accounts: Cloud Accounts
T1136.003 - Create Account: Create: Cloud Account
T1530 - Data from Cloud Storage Object
| [](RM/r_m_microsoft_azure_Cloud_Data_Protection.md) | | [Compromised Credentials](../../../UseCases/uc_compromised_credentials.md) | account-password-change
↳[cef-microsoft-failed-app-login](Ps/pC_cefmicrosoftfailedapplogin.md)

account-password-reset
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)

app-activity
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

app-activity-failed
↳[cef-azure-app-login](Ps/pC_cefazureapplogin.md)
↳[azure-event-hub-app-service-audit-logs](Ps/pC_azureeventhubappserviceauditlogs.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[azure-event-hub-key-vault-auth](Ps/pC_azureeventhubkeyvaultauth.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)

app-login
↳[cef-azure-failed-app-login](Ps/pC_cefazurefailedapplogin.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)
↳[cef-microsoft-password-change](Ps/pC_cefmicrosoftpasswordchange.md)

authentication-failed
↳[azure-file-read-1](Ps/pC_azurefileread1.md)
↳[azure-file-read](Ps/pC_azurefileread.md)
↳[azure-file-read-3](Ps/pC_azurefileread3.md)
↳[azure-file-read-2](Ps/pC_azurefileread2.md)
↳[microsoft-network-alert](Ps/pC_microsoftnetworkalert.md)
↳[azure-file-write](Ps/pC_azurefilewrite.md)

authentication-successful
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)

cloud-admin-activity
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

cloud-admin-activity-failed
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

database-query
↳[cef-azure-event-hub-security](Ps/pC_cefazureeventhubsecurity.md)
↳[cef-microsoft-dns-query](Ps/pC_cefmicrosoftdnsquery.md)

dlp-email-alert-in-failed
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

dns-response
↳[cef-microsoft-app-login](Ps/pC_cefmicrosoftapplogin.md)

failed-app-login
↳[azure-event-hub-application-gateway-access-log](Ps/pC_azureeventhubapplicationgatewayaccesslog.md)
↳[cef-microsoft-remote-logon](Ps/pC_cefmicrosoftremotelogon.md)

failed-logon
↳[azure-event-hub-process-events](Ps/pC_azureeventhubprocessevents.md)
↳[azure-event-hub-process-events-1](Ps/pC_azureeventhubprocessevents1.md)

failed-usb-activity
↳[azure-app-login](Ps/pC_azureapplogin.md)

file-delete
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-process-created-1](Ps/pC_azureprocesscreated1.md)

file-download
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-read
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-write
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-event-hub-usb-activity](Ps/pC_azureeventhubusbactivity.md)

member-added
↳[azure-event-hub-member-removed](Ps/pC_azureeventhubmemberremoved.md)
↳[azure-ad-member-removed-1](Ps/pC_azureadmemberremoved1.md)

member-removed
↳[azure-event-hub-file-read](Ps/pC_azureeventhubfileread.md)

network-connection-failed
↳[azure-event-hub-sql-security-event](Ps/pC_azureeventhubsqlsecurityevent.md)

network-connection-successful
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

privileged-access
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

process-created
↳[azure-event-hub-remote-logon](Ps/pC_azureeventhubremotelogon.md)

remote-logon
↳[azure-event-hub-file-events](Ps/pC_azureeventhubfileevents.md)

security-alert
↳[cef-microsoft-database-query](Ps/pC_cefmicrosoftdatabasequery.md)

storage-activity
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

storage-activity-failed
↳[s-azure-storage-access](Ps/pC_sazurestorageaccess.md)
↳[json-azure-storage-access](Ps/pC_jsonazurestorageaccess.md)

usb-activity
↳[azure-event-hub-usb-insert](Ps/pC_azureeventhubusbinsert.md)

usb-insert
↳[azure-event-hub-member-added](Ps/pC_azureeventhubmemberadded.md)
| T1003 - OS Credential Dumping
T1003.001 - T1003.001
T1003.002 - T1003.002
T1003.003 - T1003.003
T1003.005 - T1003.005
T1016 - System Network Configuration Discovery
T1021 - Remote Services
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1036.004 - T1036.004
T1040 - Network Sniffing
T1059.001 - Command and Scripting Interperter: PowerShell
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1083 - File and Directory Discovery
T1133 - External Remote Services
T1213 - Data from Information Repositories
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1550 - Use Alternate Authentication Material
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
TA0002 - TA0002
| [](RM/r_m_microsoft_azure_Compromised_Credentials.md) | | [Cryptomining](../../../UseCases/uc_cryptomining.md) | account-password-change
↳[cef-microsoft-failed-app-login](Ps/pC_cefmicrosoftfailedapplogin.md)

account-password-reset
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)

app-activity
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

app-activity-failed
↳[cef-azure-app-login](Ps/pC_cefazureapplogin.md)
↳[azure-event-hub-app-service-audit-logs](Ps/pC_azureeventhubappserviceauditlogs.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[azure-event-hub-key-vault-auth](Ps/pC_azureeventhubkeyvaultauth.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)

app-login
↳[cef-azure-failed-app-login](Ps/pC_cefazurefailedapplogin.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)
↳[cef-microsoft-password-change](Ps/pC_cefmicrosoftpasswordchange.md)

authentication-failed
↳[azure-file-read-1](Ps/pC_azurefileread1.md)
↳[azure-file-read](Ps/pC_azurefileread.md)
↳[azure-file-read-3](Ps/pC_azurefileread3.md)
↳[azure-file-read-2](Ps/pC_azurefileread2.md)
↳[microsoft-network-alert](Ps/pC_microsoftnetworkalert.md)
↳[azure-file-write](Ps/pC_azurefilewrite.md)

authentication-successful
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)

cloud-admin-activity
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

cloud-admin-activity-failed
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

database-query
↳[cef-azure-event-hub-security](Ps/pC_cefazureeventhubsecurity.md)
↳[cef-microsoft-dns-query](Ps/pC_cefmicrosoftdnsquery.md)

dlp-email-alert-in-failed
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

dns-response
↳[cef-microsoft-app-login](Ps/pC_cefmicrosoftapplogin.md)

failed-app-login
↳[azure-event-hub-application-gateway-access-log](Ps/pC_azureeventhubapplicationgatewayaccesslog.md)
↳[cef-microsoft-remote-logon](Ps/pC_cefmicrosoftremotelogon.md)

failed-logon
↳[azure-event-hub-process-events](Ps/pC_azureeventhubprocessevents.md)
↳[azure-event-hub-process-events-1](Ps/pC_azureeventhubprocessevents1.md)

failed-usb-activity
↳[azure-app-login](Ps/pC_azureapplogin.md)

file-delete
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-process-created-1](Ps/pC_azureprocesscreated1.md)

file-download
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-read
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-write
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-event-hub-usb-activity](Ps/pC_azureeventhubusbactivity.md)

member-added
↳[azure-event-hub-member-removed](Ps/pC_azureeventhubmemberremoved.md)
↳[azure-ad-member-removed-1](Ps/pC_azureadmemberremoved1.md)

member-removed
↳[azure-event-hub-file-read](Ps/pC_azureeventhubfileread.md)

network-connection-failed
↳[azure-event-hub-sql-security-event](Ps/pC_azureeventhubsqlsecurityevent.md)

network-connection-successful
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

privileged-access
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

process-created
↳[azure-event-hub-remote-logon](Ps/pC_azureeventhubremotelogon.md)

remote-logon
↳[azure-event-hub-file-events](Ps/pC_azureeventhubfileevents.md)

security-alert
↳[cef-microsoft-database-query](Ps/pC_cefmicrosoftdatabasequery.md)

storage-activity
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

storage-activity-failed
↳[s-azure-storage-access](Ps/pC_sazurestorageaccess.md)
↳[json-azure-storage-access](Ps/pC_jsonazurestorageaccess.md)

usb-activity
↳[azure-event-hub-usb-insert](Ps/pC_azureeventhubusbinsert.md)

usb-insert
↳[azure-event-hub-member-added](Ps/pC_azureeventhubmemberadded.md)
| T1496 - Resource Hijacking
| [](RM/r_m_microsoft_azure_Cryptomining.md) | | [Data Access](../../../UseCases/uc_data_access.md) | account-password-change
↳[cef-microsoft-failed-app-login](Ps/pC_cefmicrosoftfailedapplogin.md)

account-password-reset
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)

app-activity
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

app-activity-failed
↳[cef-azure-app-login](Ps/pC_cefazureapplogin.md)
↳[azure-event-hub-app-service-audit-logs](Ps/pC_azureeventhubappserviceauditlogs.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[azure-event-hub-key-vault-auth](Ps/pC_azureeventhubkeyvaultauth.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)

app-login
↳[cef-azure-failed-app-login](Ps/pC_cefazurefailedapplogin.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)
↳[cef-microsoft-password-change](Ps/pC_cefmicrosoftpasswordchange.md)

authentication-failed
↳[azure-file-read-1](Ps/pC_azurefileread1.md)
↳[azure-file-read](Ps/pC_azurefileread.md)
↳[azure-file-read-3](Ps/pC_azurefileread3.md)
↳[azure-file-read-2](Ps/pC_azurefileread2.md)
↳[microsoft-network-alert](Ps/pC_microsoftnetworkalert.md)
↳[azure-file-write](Ps/pC_azurefilewrite.md)

authentication-successful
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)

cloud-admin-activity
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

cloud-admin-activity-failed
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

database-query
↳[cef-azure-event-hub-security](Ps/pC_cefazureeventhubsecurity.md)
↳[cef-microsoft-dns-query](Ps/pC_cefmicrosoftdnsquery.md)

dlp-email-alert-in-failed
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

dns-response
↳[cef-microsoft-app-login](Ps/pC_cefmicrosoftapplogin.md)

failed-app-login
↳[azure-event-hub-application-gateway-access-log](Ps/pC_azureeventhubapplicationgatewayaccesslog.md)
↳[cef-microsoft-remote-logon](Ps/pC_cefmicrosoftremotelogon.md)

failed-logon
↳[azure-event-hub-process-events](Ps/pC_azureeventhubprocessevents.md)
↳[azure-event-hub-process-events-1](Ps/pC_azureeventhubprocessevents1.md)

failed-usb-activity
↳[azure-app-login](Ps/pC_azureapplogin.md)

file-delete
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-process-created-1](Ps/pC_azureprocesscreated1.md)

file-download
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-read
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-write
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-event-hub-usb-activity](Ps/pC_azureeventhubusbactivity.md)

member-added
↳[azure-event-hub-member-removed](Ps/pC_azureeventhubmemberremoved.md)
↳[azure-ad-member-removed-1](Ps/pC_azureadmemberremoved1.md)

member-removed
↳[azure-event-hub-file-read](Ps/pC_azureeventhubfileread.md)

network-connection-failed
↳[azure-event-hub-sql-security-event](Ps/pC_azureeventhubsqlsecurityevent.md)

network-connection-successful
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

privileged-access
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

process-created
↳[azure-event-hub-remote-logon](Ps/pC_azureeventhubremotelogon.md)

remote-logon
↳[azure-event-hub-file-events](Ps/pC_azureeventhubfileevents.md)

security-alert
↳[cef-microsoft-database-query](Ps/pC_cefmicrosoftdatabasequery.md)

storage-activity
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

storage-activity-failed
↳[s-azure-storage-access](Ps/pC_sazurestorageaccess.md)
↳[json-azure-storage-access](Ps/pC_jsonazurestorageaccess.md)

usb-activity
↳[azure-event-hub-usb-insert](Ps/pC_azureeventhubusbinsert.md)

usb-insert
↳[azure-event-hub-member-added](Ps/pC_azureeventhubmemberadded.md)
| T1003 - OS Credential Dumping
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1213 - Data from Information Repositories
| [](RM/r_m_microsoft_azure_Data_Access.md) | @@ -13,7 +12,7 @@ | [Lateral Movement](../../../UseCases/uc_lateral_movement.md) | account-password-change
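Review bot: the ↳ parser lists in the Cryptomining and Data Access rows appear shifted by one heading relative to the event types they belong to: `member-added` lists `azure-event-hub-member-removed`, `member-removed` lists `azure-event-hub-file-read`, `usb-insert` lists `azure-event-hub-member-added`, and `database-query` lists `cef-microsoft-dns-query` while `dns-response` lists `cef-microsoft-app-login`. This reads like an off-by-one in whatever fills the Event Types/Parsers cell rather than a real change in parser coverage, so please regenerate the cell and confirm each parser sits under the event type it actually emits. The Content column links also have empty link text (`[](RM/r_m_microsoft_azure_Cryptomining.md)`), which renders as an invisible link; give them a visible label such as the use-case name.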
↳[cef-microsoft-failed-app-login](Ps/pC_cefmicrosoftfailedapplogin.md)

account-password-reset
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)

app-activity
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

app-activity-failed
↳[cef-azure-app-login](Ps/pC_cefazureapplogin.md)
↳[azure-event-hub-app-service-audit-logs](Ps/pC_azureeventhubappserviceauditlogs.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[azure-event-hub-key-vault-auth](Ps/pC_azureeventhubkeyvaultauth.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)

app-login
↳[cef-azure-failed-app-login](Ps/pC_cefazurefailedapplogin.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)
↳[cef-microsoft-password-change](Ps/pC_cefmicrosoftpasswordchange.md)

authentication-failed
↳[azure-file-read-1](Ps/pC_azurefileread1.md)
↳[azure-file-read](Ps/pC_azurefileread.md)
↳[azure-file-read-3](Ps/pC_azurefileread3.md)
↳[azure-file-read-2](Ps/pC_azurefileread2.md)
↳[microsoft-network-alert](Ps/pC_microsoftnetworkalert.md)
↳[azure-file-write](Ps/pC_azurefilewrite.md)

authentication-successful
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)

cloud-admin-activity
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

cloud-admin-activity-failed
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

database-query
↳[cef-azure-event-hub-security](Ps/pC_cefazureeventhubsecurity.md)
↳[cef-microsoft-dns-query](Ps/pC_cefmicrosoftdnsquery.md)

dlp-email-alert-in-failed
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

dns-response
↳[cef-microsoft-app-login](Ps/pC_cefmicrosoftapplogin.md)

failed-app-login
↳[azure-event-hub-application-gateway-access-log](Ps/pC_azureeventhubapplicationgatewayaccesslog.md)
↳[cef-microsoft-remote-logon](Ps/pC_cefmicrosoftremotelogon.md)

failed-logon
↳[azure-event-hub-process-events](Ps/pC_azureeventhubprocessevents.md)
↳[azure-event-hub-process-events-1](Ps/pC_azureeventhubprocessevents1.md)

failed-usb-activity
↳[azure-app-login](Ps/pC_azureapplogin.md)

file-delete
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-process-created-1](Ps/pC_azureprocesscreated1.md)

file-download
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-read
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-write
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-event-hub-usb-activity](Ps/pC_azureeventhubusbactivity.md)

member-added
↳[azure-event-hub-member-removed](Ps/pC_azureeventhubmemberremoved.md)
↳[azure-ad-member-removed-1](Ps/pC_azureadmemberremoved1.md)

member-removed
↳[azure-event-hub-file-read](Ps/pC_azureeventhubfileread.md)

network-connection-failed
↳[azure-event-hub-sql-security-event](Ps/pC_azureeventhubsqlsecurityevent.md)

network-connection-successful
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

privileged-access
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

process-created
↳[azure-event-hub-remote-logon](Ps/pC_azureeventhubremotelogon.md)

remote-logon
↳[azure-event-hub-file-events](Ps/pC_azureeventhubfileevents.md)

security-alert
↳[cef-microsoft-database-query](Ps/pC_cefmicrosoftdatabasequery.md)

storage-activity
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

storage-activity-failed
↳[s-azure-storage-access](Ps/pC_sazurestorageaccess.md)
↳[json-azure-storage-access](Ps/pC_jsonazurestorageaccess.md)

usb-activity
↳[azure-event-hub-usb-insert](Ps/pC_azureeventhubusbinsert.md)

usb-insert
↳[azure-event-hub-member-added](Ps/pC_azureeventhubmemberadded.md)
| T1018 - Remote System Discovery
T1021 - Remote Services
T1021.001 - Remote Services: Remote Desktop Protocol
T1021.003 - T1021.003
T1021.006 - T1021.006
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1047 - Windows Management Instrumentation
T1059.001 - Command and Scripting Interperter: PowerShell
T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1090 - Proxy
T1090.003 - Proxy: Multi-hop Proxy
T1110 - Brute Force
T1110.003 - T1110.003
T1190 - Exploit Public Fasing Application
T1210 - Exploitation of Remote Services
T1219 - Remote Access Software
T1550 - Use Alternate Authentication Material
T1550.002 - Use Alternate Authentication Material: Pass the Hash
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1563.002 - T1563.002
TA0010 - TA0010
TA0011 - TA0011
| [](RM/r_m_microsoft_azure_Lateral_Movement.md) | | [Malware](../../../UseCases/uc_malware.md) | account-password-change
↳[cef-microsoft-failed-app-login](Ps/pC_cefmicrosoftfailedapplogin.md)

account-password-reset
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)

app-activity
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

app-activity-failed
↳[cef-azure-app-login](Ps/pC_cefazureapplogin.md)
↳[azure-event-hub-app-service-audit-logs](Ps/pC_azureeventhubappserviceauditlogs.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[azure-event-hub-key-vault-auth](Ps/pC_azureeventhubkeyvaultauth.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)

app-login
↳[cef-azure-failed-app-login](Ps/pC_cefazurefailedapplogin.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)
↳[cef-microsoft-password-change](Ps/pC_cefmicrosoftpasswordchange.md)

authentication-failed
↳[azure-file-read-1](Ps/pC_azurefileread1.md)
↳[azure-file-read](Ps/pC_azurefileread.md)
↳[azure-file-read-3](Ps/pC_azurefileread3.md)
↳[azure-file-read-2](Ps/pC_azurefileread2.md)
↳[microsoft-network-alert](Ps/pC_microsoftnetworkalert.md)
↳[azure-file-write](Ps/pC_azurefilewrite.md)

authentication-successful
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)

cloud-admin-activity
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

cloud-admin-activity-failed
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

database-query
↳[cef-azure-event-hub-security](Ps/pC_cefazureeventhubsecurity.md)
↳[cef-microsoft-dns-query](Ps/pC_cefmicrosoftdnsquery.md)

dlp-email-alert-in-failed
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

dns-response
↳[cef-microsoft-app-login](Ps/pC_cefmicrosoftapplogin.md)

failed-app-login
↳[azure-event-hub-application-gateway-access-log](Ps/pC_azureeventhubapplicationgatewayaccesslog.md)
↳[cef-microsoft-remote-logon](Ps/pC_cefmicrosoftremotelogon.md)

failed-logon
↳[azure-event-hub-process-events](Ps/pC_azureeventhubprocessevents.md)
↳[azure-event-hub-process-events-1](Ps/pC_azureeventhubprocessevents1.md)

failed-usb-activity
↳[azure-app-login](Ps/pC_azureapplogin.md)

file-delete
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-process-created-1](Ps/pC_azureprocesscreated1.md)

file-download
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-read
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-write
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-event-hub-usb-activity](Ps/pC_azureeventhubusbactivity.md)

member-added
↳[azure-event-hub-member-removed](Ps/pC_azureeventhubmemberremoved.md)
↳[azure-ad-member-removed-1](Ps/pC_azureadmemberremoved1.md)

member-removed
↳[azure-event-hub-file-read](Ps/pC_azureeventhubfileread.md)

network-connection-failed
↳[azure-event-hub-sql-security-event](Ps/pC_azureeventhubsqlsecurityevent.md)

network-connection-successful
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

privileged-access
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

process-created
↳[azure-event-hub-remote-logon](Ps/pC_azureeventhubremotelogon.md)

remote-logon
↳[azure-event-hub-file-events](Ps/pC_azureeventhubfileevents.md)

security-alert
↳[cef-microsoft-database-query](Ps/pC_cefmicrosoftdatabasequery.md)

storage-activity
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

storage-activity-failed
↳[s-azure-storage-access](Ps/pC_sazurestorageaccess.md)
↳[json-azure-storage-access](Ps/pC_jsonazurestorageaccess.md)

usb-activity
↳[azure-event-hub-usb-insert](Ps/pC_azureeventhubusbinsert.md)

usb-insert
↳[azure-event-hub-member-added](Ps/pC_azureeventhubmemberadded.md)
| T1003 - OS Credential Dumping
T1003.002 - T1003.002
T1012 - Query Registry
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1036 - Masquerading
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1053 - Scheduled Task/Job
T1053.005 - Scheduled Task/Job: Scheduled Task
T1055 - Process Injection
T1055.001 - Process Injection: Dynamic-link Library Injection
T1059 - Command and Scripting Interperter
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1059.005 - T1059.005
T1059.007 - T1059.007
T1071 - Application Layer Protocol
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1105 - Ingress Tool Transfer
T1112 - Modify Registry
T1113 - Screen Capture
T1123 - Audio Capture
T1127 - Trusted Developer Utilities Proxy Execution
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1197 - BITS Jobs
T1202 - Indirect Command Execution
T1203 - Exploitation for Client Execution
T1204.002 - T1204.002
T1210 - Exploitation of Remote Services
T1218 - Signed Binary Proxy Execution
T1218.001 - Signed Binary Proxy Execution: Compiled HTML File
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.004 - Signed Binary Proxy Execution: InstallUtil
T1218.005 - T1218.005
T1218.007 - Signed Binary Proxy Execution: Msiexec
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1482 - Domain Trust Discovery
T1490 - Inhibit System Recovery
T1505.003 - Server Software Component: Web Shell
T1543.003 - Create or Modify System Process: Windows Service
T1546.001 - T1546.001
T1546.003 - T1546.003
T1546.011 - T1546.011
T1547.001 - T1547.001
T1547.002 - T1547.002
T1550.003 - Use Alternate Authentication Material: Pass the Ticket
T1555 - Credentials from Password Stores
T1558 - Steal or Forge Kerberos Tickets
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1562 - Impair Defenses
T1563.002 - T1563.002
T1568.002 - Dynamic Resolution: Domain Generation Algorithms
T1569 - System Services
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.010 - T1574.010
T1574.011 - T1574.011
TA0002 - TA0002
TA0011 - TA0011
| [](RM/r_m_microsoft_azure_Malware.md) | | [Phishing](../../../UseCases/uc_phishing.md) | account-password-change
↳[cef-microsoft-failed-app-login](Ps/pC_cefmicrosoftfailedapplogin.md)

account-password-reset
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)

app-activity
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

app-activity-failed
↳[cef-azure-app-login](Ps/pC_cefazureapplogin.md)
↳[azure-event-hub-app-service-audit-logs](Ps/pC_azureeventhubappserviceauditlogs.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[azure-event-hub-key-vault-auth](Ps/pC_azureeventhubkeyvaultauth.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)

app-login
↳[cef-azure-failed-app-login](Ps/pC_cefazurefailedapplogin.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)
↳[cef-microsoft-password-change](Ps/pC_cefmicrosoftpasswordchange.md)

authentication-failed
↳[azure-file-read-1](Ps/pC_azurefileread1.md)
↳[azure-file-read](Ps/pC_azurefileread.md)
↳[azure-file-read-3](Ps/pC_azurefileread3.md)
↳[azure-file-read-2](Ps/pC_azurefileread2.md)
↳[microsoft-network-alert](Ps/pC_microsoftnetworkalert.md)
↳[azure-file-write](Ps/pC_azurefilewrite.md)

authentication-successful
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)

cloud-admin-activity
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

cloud-admin-activity-failed
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

database-query
↳[cef-azure-event-hub-security](Ps/pC_cefazureeventhubsecurity.md)
↳[cef-microsoft-dns-query](Ps/pC_cefmicrosoftdnsquery.md)

dlp-email-alert-in-failed
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

dns-response
↳[cef-microsoft-app-login](Ps/pC_cefmicrosoftapplogin.md)

failed-app-login
↳[azure-event-hub-application-gateway-access-log](Ps/pC_azureeventhubapplicationgatewayaccesslog.md)
↳[cef-microsoft-remote-logon](Ps/pC_cefmicrosoftremotelogon.md)

failed-logon
↳[azure-event-hub-process-events](Ps/pC_azureeventhubprocessevents.md)
↳[azure-event-hub-process-events-1](Ps/pC_azureeventhubprocessevents1.md)

failed-usb-activity
↳[azure-app-login](Ps/pC_azureapplogin.md)

file-delete
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-process-created-1](Ps/pC_azureprocesscreated1.md)

file-download
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-read
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-write
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-event-hub-usb-activity](Ps/pC_azureeventhubusbactivity.md)

member-added
↳[azure-event-hub-member-removed](Ps/pC_azureeventhubmemberremoved.md)
↳[azure-ad-member-removed-1](Ps/pC_azureadmemberremoved1.md)

member-removed
↳[azure-event-hub-file-read](Ps/pC_azureeventhubfileread.md)

network-connection-failed
↳[azure-event-hub-sql-security-event](Ps/pC_azureeventhubsqlsecurityevent.md)

network-connection-successful
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

privileged-access
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

process-created
↳[azure-event-hub-remote-logon](Ps/pC_azureeventhubremotelogon.md)

remote-logon
↳[azure-event-hub-file-events](Ps/pC_azureeventhubfileevents.md)

security-alert
↳[cef-microsoft-database-query](Ps/pC_cefmicrosoftdatabasequery.md)

storage-activity
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

storage-activity-failed
↳[s-azure-storage-access](Ps/pC_sazurestorageaccess.md)
↳[json-azure-storage-access](Ps/pC_jsonazurestorageaccess.md)

usb-activity
↳[azure-event-hub-usb-insert](Ps/pC_azureeventhubusbinsert.md)

usb-insert
↳[azure-event-hub-member-added](Ps/pC_azureeventhubmemberadded.md)
| T1566.001 - T1566.001
| [](RM/r_m_microsoft_azure_Phishing.md) | -| [Privilege Abuse](../../../UseCases/uc_privilege_abuse.md) | account-password-change
↳[cef-microsoft-failed-app-login](Ps/pC_cefmicrosoftfailedapplogin.md)

account-password-reset
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)

app-activity
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

app-activity-failed
↳[cef-azure-app-login](Ps/pC_cefazureapplogin.md)
↳[azure-event-hub-app-service-audit-logs](Ps/pC_azureeventhubappserviceauditlogs.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[azure-event-hub-key-vault-auth](Ps/pC_azureeventhubkeyvaultauth.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)

app-login
↳[cef-azure-failed-app-login](Ps/pC_cefazurefailedapplogin.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)
↳[cef-microsoft-password-change](Ps/pC_cefmicrosoftpasswordchange.md)

authentication-failed
↳[azure-file-read-1](Ps/pC_azurefileread1.md)
↳[azure-file-read](Ps/pC_azurefileread.md)
↳[azure-file-read-3](Ps/pC_azurefileread3.md)
↳[azure-file-read-2](Ps/pC_azurefileread2.md)
↳[microsoft-network-alert](Ps/pC_microsoftnetworkalert.md)
↳[azure-file-write](Ps/pC_azurefilewrite.md)

authentication-successful
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)

cloud-admin-activity
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

cloud-admin-activity-failed
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

database-query
↳[cef-azure-event-hub-security](Ps/pC_cefazureeventhubsecurity.md)
↳[cef-microsoft-dns-query](Ps/pC_cefmicrosoftdnsquery.md)

dlp-email-alert-in-failed
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

dns-response
↳[cef-microsoft-app-login](Ps/pC_cefmicrosoftapplogin.md)

failed-app-login
↳[azure-event-hub-application-gateway-access-log](Ps/pC_azureeventhubapplicationgatewayaccesslog.md)
↳[cef-microsoft-remote-logon](Ps/pC_cefmicrosoftremotelogon.md)

failed-logon
↳[azure-event-hub-process-events](Ps/pC_azureeventhubprocessevents.md)
↳[azure-event-hub-process-events-1](Ps/pC_azureeventhubprocessevents1.md)

failed-usb-activity
↳[azure-app-login](Ps/pC_azureapplogin.md)

file-delete
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-process-created-1](Ps/pC_azureprocesscreated1.md)

file-download
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-read
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-write
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-event-hub-usb-activity](Ps/pC_azureeventhubusbactivity.md)

member-added
↳[azure-event-hub-member-removed](Ps/pC_azureeventhubmemberremoved.md)
↳[azure-ad-member-removed-1](Ps/pC_azureadmemberremoved1.md)

member-removed
↳[azure-event-hub-file-read](Ps/pC_azureeventhubfileread.md)

network-connection-failed
↳[azure-event-hub-sql-security-event](Ps/pC_azureeventhubsqlsecurityevent.md)

network-connection-successful
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

privileged-access
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

process-created
↳[azure-event-hub-remote-logon](Ps/pC_azureeventhubremotelogon.md)

remote-logon
↳[azure-event-hub-file-events](Ps/pC_azureeventhubfileevents.md)

security-alert
↳[cef-microsoft-database-query](Ps/pC_cefmicrosoftdatabasequery.md)

storage-activity
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

storage-activity-failed
↳[s-azure-storage-access](Ps/pC_sazurestorageaccess.md)
↳[json-azure-storage-access](Ps/pC_jsonazurestorageaccess.md)

usb-activity
↳[azure-event-hub-usb-insert](Ps/pC_azureeventhubusbinsert.md)

usb-insert
↳[azure-event-hub-member-added](Ps/pC_azureeventhubmemberadded.md)
| T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
| [](RM/r_m_microsoft_azure_Privilege_Abuse.md) | +| [Privilege Abuse](../../../UseCases/uc_privilege_abuse.md) | account-password-change
↳[cef-microsoft-failed-app-login](Ps/pC_cefmicrosoftfailedapplogin.md)

account-password-reset
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)

app-activity
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

app-activity-failed
↳[cef-azure-app-login](Ps/pC_cefazureapplogin.md)
↳[azure-event-hub-app-service-audit-logs](Ps/pC_azureeventhubappserviceauditlogs.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[azure-event-hub-key-vault-auth](Ps/pC_azureeventhubkeyvaultauth.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)

app-login
↳[cef-azure-failed-app-login](Ps/pC_cefazurefailedapplogin.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)
↳[cef-microsoft-password-change](Ps/pC_cefmicrosoftpasswordchange.md)

authentication-failed
↳[azure-file-read-1](Ps/pC_azurefileread1.md)
↳[azure-file-read](Ps/pC_azurefileread.md)
↳[azure-file-read-3](Ps/pC_azurefileread3.md)
↳[azure-file-read-2](Ps/pC_azurefileread2.md)
↳[microsoft-network-alert](Ps/pC_microsoftnetworkalert.md)
↳[azure-file-write](Ps/pC_azurefilewrite.md)

authentication-successful
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)

cloud-admin-activity
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

cloud-admin-activity-failed
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

database-query
↳[cef-azure-event-hub-security](Ps/pC_cefazureeventhubsecurity.md)
↳[cef-microsoft-dns-query](Ps/pC_cefmicrosoftdnsquery.md)

dlp-email-alert-in-failed
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

dns-response
↳[cef-microsoft-app-login](Ps/pC_cefmicrosoftapplogin.md)

failed-app-login
↳[azure-event-hub-application-gateway-access-log](Ps/pC_azureeventhubapplicationgatewayaccesslog.md)
↳[cef-microsoft-remote-logon](Ps/pC_cefmicrosoftremotelogon.md)

failed-logon
↳[azure-event-hub-process-events](Ps/pC_azureeventhubprocessevents.md)
↳[azure-event-hub-process-events-1](Ps/pC_azureeventhubprocessevents1.md)

failed-usb-activity
↳[azure-app-login](Ps/pC_azureapplogin.md)

file-delete
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-process-created-1](Ps/pC_azureprocesscreated1.md)

file-download
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-read
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-write
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-event-hub-usb-activity](Ps/pC_azureeventhubusbactivity.md)

member-added
↳[azure-event-hub-member-removed](Ps/pC_azureeventhubmemberremoved.md)
↳[azure-ad-member-removed-1](Ps/pC_azureadmemberremoved1.md)

member-removed
↳[azure-event-hub-file-read](Ps/pC_azureeventhubfileread.md)

network-connection-failed
↳[azure-event-hub-sql-security-event](Ps/pC_azureeventhubsqlsecurityevent.md)

network-connection-successful
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

privileged-access
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

process-created
↳[azure-event-hub-remote-logon](Ps/pC_azureeventhubremotelogon.md)

remote-logon
↳[azure-event-hub-file-events](Ps/pC_azureeventhubfileevents.md)

security-alert
↳[cef-microsoft-database-query](Ps/pC_cefmicrosoftdatabasequery.md)

storage-activity
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

storage-activity-failed
↳[s-azure-storage-access](Ps/pC_sazurestorageaccess.md)
↳[json-azure-storage-access](Ps/pC_jsonazurestorageaccess.md)

usb-activity
↳[azure-event-hub-usb-insert](Ps/pC_azureeventhubusbinsert.md)

usb-insert
↳[azure-event-hub-member-added](Ps/pC_azureeventhubmemberadded.md)
| T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.004 - Valid Accounts: Cloud Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1530 - Data from Cloud Storage Object
| [](RM/r_m_microsoft_azure_Privilege_Abuse.md) | | [Privilege Escalation](../../../UseCases/uc_privilege_escalation.md) | account-password-change
↳[cef-microsoft-failed-app-login](Ps/pC_cefmicrosoftfailedapplogin.md)

account-password-reset
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)

app-activity
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

app-activity-failed
↳[cef-azure-app-login](Ps/pC_cefazureapplogin.md)
↳[azure-event-hub-app-service-audit-logs](Ps/pC_azureeventhubappserviceauditlogs.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[azure-event-hub-key-vault-auth](Ps/pC_azureeventhubkeyvaultauth.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)

app-login
↳[cef-azure-failed-app-login](Ps/pC_cefazurefailedapplogin.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)
↳[cef-microsoft-password-change](Ps/pC_cefmicrosoftpasswordchange.md)

authentication-failed
↳[azure-file-read-1](Ps/pC_azurefileread1.md)
↳[azure-file-read](Ps/pC_azurefileread.md)
↳[azure-file-read-3](Ps/pC_azurefileread3.md)
↳[azure-file-read-2](Ps/pC_azurefileread2.md)
↳[microsoft-network-alert](Ps/pC_microsoftnetworkalert.md)
↳[azure-file-write](Ps/pC_azurefilewrite.md)

authentication-successful
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)

cloud-admin-activity
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

cloud-admin-activity-failed
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

database-query
↳[cef-azure-event-hub-security](Ps/pC_cefazureeventhubsecurity.md)
↳[cef-microsoft-dns-query](Ps/pC_cefmicrosoftdnsquery.md)

dlp-email-alert-in-failed
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

dns-response
↳[cef-microsoft-app-login](Ps/pC_cefmicrosoftapplogin.md)

failed-app-login
↳[azure-event-hub-application-gateway-access-log](Ps/pC_azureeventhubapplicationgatewayaccesslog.md)
↳[cef-microsoft-remote-logon](Ps/pC_cefmicrosoftremotelogon.md)

failed-logon
↳[azure-event-hub-process-events](Ps/pC_azureeventhubprocessevents.md)
↳[azure-event-hub-process-events-1](Ps/pC_azureeventhubprocessevents1.md)

failed-usb-activity
↳[azure-app-login](Ps/pC_azureapplogin.md)

file-delete
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-process-created-1](Ps/pC_azureprocesscreated1.md)

file-download
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-read
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-write
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-event-hub-usb-activity](Ps/pC_azureeventhubusbactivity.md)

member-added
↳[azure-event-hub-member-removed](Ps/pC_azureeventhubmemberremoved.md)
↳[azure-ad-member-removed-1](Ps/pC_azureadmemberremoved1.md)

member-removed
↳[azure-event-hub-file-read](Ps/pC_azureeventhubfileread.md)

network-connection-failed
↳[azure-event-hub-sql-security-event](Ps/pC_azureeventhubsqlsecurityevent.md)

network-connection-successful
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

privileged-access
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

process-created
↳[azure-event-hub-remote-logon](Ps/pC_azureeventhubremotelogon.md)

remote-logon
↳[azure-event-hub-file-events](Ps/pC_azureeventhubfileevents.md)

security-alert
↳[cef-microsoft-database-query](Ps/pC_cefmicrosoftdatabasequery.md)

storage-activity
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

storage-activity-failed
↳[s-azure-storage-access](Ps/pC_sazurestorageaccess.md)
↳[json-azure-storage-access](Ps/pC_jsonazurestorageaccess.md)

usb-activity
↳[azure-event-hub-usb-insert](Ps/pC_azureeventhubusbinsert.md)

usb-insert
↳[azure-event-hub-member-added](Ps/pC_azureeventhubmemberadded.md)
| T1003 - OS Credential Dumping
T1007 - System Service Discovery
T1012 - Query Registry
T1016 - System Network Configuration Discovery
T1018 - Remote System Discovery
T1021.002 - Remote Services: SMB/Windows Admin Shares
T1027 - Obfuscated Files or Information
T1027.004 - Obfuscated Files or Information: Compile After Delivery
T1033 - System Owner/User Discovery
T1036.004 - T1036.004
T1047 - Windows Management Instrumentation
T1049 - System Network Connections Discovery
T1053.002 - Scheduled Task/Job: At (Windows)
T1053.005 - Scheduled Task/Job: Scheduled Task
T1056.004 - T1056.004
T1057 - Process Discovery
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1068 - Exploitation for Privilege Escalation
T1070.004 - Indicator Removal on Host: File Deletion
T1078 - Valid Accounts
T1082 - System Information Discovery
T1087 - Account Discovery
T1087.001 - Account Discovery: Local Account
T1087.002 - Account Discovery: Domain Account
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild
T1134.001 - Access Token Manipulation: Token Impersonation/Theft
T1134.002 - T1134.002
T1135 - Network Share Discovery
T1210 - Exploitation of Remote Services
T1218.002 - Signed Binary Proxy Execution: Control Panel
T1218.003 - Signed Binary Proxy Execution: CMSTP
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1482 - Domain Trust Discovery
T1484.001 - T1484.001
T1518.001 - T1518.001
T1543.003 - Create or Modify System Process: Windows Service
T1547.002 - T1547.002
T1547.006 - T1547.006
T1548.002 - Abuse Elevation Control Mechanism: Bypass User Account Control
T1552.006 - T1552.006
T1555.005 - T1555.005
T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
T1560 - Archive Collected Data
T1574 - Hijack Execution Flow
T1574.002 - Hijack Execution Flow: DLL Side-Loading
T1574.011 - T1574.011
| [](RM/r_m_microsoft_azure_Privilege_Escalation.md) | | [Privileged Activity](../../../UseCases/uc_privileged_activity.md) | account-password-change
↳[cef-microsoft-failed-app-login](Ps/pC_cefmicrosoftfailedapplogin.md)

account-password-reset
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)

app-activity
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

app-activity-failed
↳[cef-azure-app-login](Ps/pC_cefazureapplogin.md)
↳[azure-event-hub-app-service-audit-logs](Ps/pC_azureeventhubappserviceauditlogs.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[azure-event-hub-key-vault-auth](Ps/pC_azureeventhubkeyvaultauth.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)

app-login
↳[cef-azure-failed-app-login](Ps/pC_cefazurefailedapplogin.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)
↳[cef-microsoft-password-change](Ps/pC_cefmicrosoftpasswordchange.md)

authentication-failed
↳[azure-file-read-1](Ps/pC_azurefileread1.md)
↳[azure-file-read](Ps/pC_azurefileread.md)
↳[azure-file-read-3](Ps/pC_azurefileread3.md)
↳[azure-file-read-2](Ps/pC_azurefileread2.md)
↳[microsoft-network-alert](Ps/pC_microsoftnetworkalert.md)
↳[azure-file-write](Ps/pC_azurefilewrite.md)

authentication-successful
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)

cloud-admin-activity
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

cloud-admin-activity-failed
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

database-query
↳[cef-azure-event-hub-security](Ps/pC_cefazureeventhubsecurity.md)
↳[cef-microsoft-dns-query](Ps/pC_cefmicrosoftdnsquery.md)

dlp-email-alert-in-failed
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

dns-response
↳[cef-microsoft-app-login](Ps/pC_cefmicrosoftapplogin.md)

failed-app-login
↳[azure-event-hub-application-gateway-access-log](Ps/pC_azureeventhubapplicationgatewayaccesslog.md)
↳[cef-microsoft-remote-logon](Ps/pC_cefmicrosoftremotelogon.md)

failed-logon
↳[azure-event-hub-process-events](Ps/pC_azureeventhubprocessevents.md)
↳[azure-event-hub-process-events-1](Ps/pC_azureeventhubprocessevents1.md)

failed-usb-activity
↳[azure-app-login](Ps/pC_azureapplogin.md)

file-delete
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-process-created-1](Ps/pC_azureprocesscreated1.md)

file-download
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-read
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-write
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-event-hub-usb-activity](Ps/pC_azureeventhubusbactivity.md)

member-added
↳[azure-event-hub-member-removed](Ps/pC_azureeventhubmemberremoved.md)
↳[azure-ad-member-removed-1](Ps/pC_azureadmemberremoved1.md)

member-removed
↳[azure-event-hub-file-read](Ps/pC_azureeventhubfileread.md)

network-connection-failed
↳[azure-event-hub-sql-security-event](Ps/pC_azureeventhubsqlsecurityevent.md)

network-connection-successful
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

privileged-access
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

process-created
↳[azure-event-hub-remote-logon](Ps/pC_azureeventhubremotelogon.md)

remote-logon
↳[azure-event-hub-file-events](Ps/pC_azureeventhubfileevents.md)

security-alert
↳[cef-microsoft-database-query](Ps/pC_cefmicrosoftdatabasequery.md)

storage-activity
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

storage-activity-failed
↳[s-azure-storage-access](Ps/pC_sazurestorageaccess.md)
↳[json-azure-storage-access](Ps/pC_jsonazurestorageaccess.md)

usb-activity
↳[azure-event-hub-usb-insert](Ps/pC_azureeventhubusbinsert.md)

usb-insert
↳[azure-event-hub-member-added](Ps/pC_azureeventhubmemberadded.md)
| T1021 - Remote Services
T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
T1078.002 - T1078.002
T1482 - Domain Trust Discovery
TA0002 - TA0002
| [](RM/r_m_microsoft_azure_Privileged_Activity.md) | | [Ransomware](../../../UseCases/uc_ransomware.md) | account-password-change
↳[cef-microsoft-failed-app-login](Ps/pC_cefmicrosoftfailedapplogin.md)

account-password-reset
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)

app-activity
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

app-activity-failed
↳[cef-azure-app-login](Ps/pC_cefazureapplogin.md)
↳[azure-event-hub-app-service-audit-logs](Ps/pC_azureeventhubappserviceauditlogs.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[azure-event-hub-key-vault-auth](Ps/pC_azureeventhubkeyvaultauth.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)

app-login
↳[cef-azure-failed-app-login](Ps/pC_cefazurefailedapplogin.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)
↳[cef-microsoft-password-change](Ps/pC_cefmicrosoftpasswordchange.md)

authentication-failed
↳[azure-file-read-1](Ps/pC_azurefileread1.md)
↳[azure-file-read](Ps/pC_azurefileread.md)
↳[azure-file-read-3](Ps/pC_azurefileread3.md)
↳[azure-file-read-2](Ps/pC_azurefileread2.md)
↳[microsoft-network-alert](Ps/pC_microsoftnetworkalert.md)
↳[azure-file-write](Ps/pC_azurefilewrite.md)

authentication-successful
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)

cloud-admin-activity
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

cloud-admin-activity-failed
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

database-query
↳[cef-azure-event-hub-security](Ps/pC_cefazureeventhubsecurity.md)
↳[cef-microsoft-dns-query](Ps/pC_cefmicrosoftdnsquery.md)

dlp-email-alert-in-failed
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

dns-response
↳[cef-microsoft-app-login](Ps/pC_cefmicrosoftapplogin.md)

failed-app-login
↳[azure-event-hub-application-gateway-access-log](Ps/pC_azureeventhubapplicationgatewayaccesslog.md)
↳[cef-microsoft-remote-logon](Ps/pC_cefmicrosoftremotelogon.md)

failed-logon
↳[azure-event-hub-process-events](Ps/pC_azureeventhubprocessevents.md)
↳[azure-event-hub-process-events-1](Ps/pC_azureeventhubprocessevents1.md)

failed-usb-activity
↳[azure-app-login](Ps/pC_azureapplogin.md)

file-delete
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-process-created-1](Ps/pC_azureprocesscreated1.md)

file-download
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-read
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-write
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-event-hub-usb-activity](Ps/pC_azureeventhubusbactivity.md)

member-added
↳[azure-event-hub-member-removed](Ps/pC_azureeventhubmemberremoved.md)
↳[azure-ad-member-removed-1](Ps/pC_azureadmemberremoved1.md)

member-removed
↳[azure-event-hub-file-read](Ps/pC_azureeventhubfileread.md)

network-connection-failed
↳[azure-event-hub-sql-security-event](Ps/pC_azureeventhubsqlsecurityevent.md)

network-connection-successful
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

privileged-access
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

process-created
↳[azure-event-hub-remote-logon](Ps/pC_azureeventhubremotelogon.md)

remote-logon
↳[azure-event-hub-file-events](Ps/pC_azureeventhubfileevents.md)

security-alert
↳[cef-microsoft-database-query](Ps/pC_cefmicrosoftdatabasequery.md)

storage-activity
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

storage-activity-failed
↳[s-azure-storage-access](Ps/pC_sazurestorageaccess.md)
↳[json-azure-storage-access](Ps/pC_jsonazurestorageaccess.md)

usb-activity
↳[azure-event-hub-usb-insert](Ps/pC_azureeventhubusbinsert.md)

usb-insert
↳[azure-event-hub-member-added](Ps/pC_azureeventhubmemberadded.md)
| T1003.001 - T1003.001
T1059.003 - T1059.003
T1070 - Indicator Removal on Host
T1070.001 - Indicator Removal on Host: Clear Windows Event Logs
T1078 - Valid Accounts
T1218.011 - Signed Binary Proxy Execution: Rundll32
T1222.001 - File and Directory Permissions Modification: Windows File and Directory Permissions Modification
T1486 - Data Encrypted for Impact
T1490 - Inhibit System Recovery
| [](RM/r_m_microsoft_azure_Ransomware.md) | \ No newline at end of file diff --git a/DataSources/Microsoft/Azure/RM/r_m_microsoft_azure_Abnormal_Authentication_&_Access.md b/DataSources/Microsoft/Azure/RM/r_m_microsoft_azure_Abnormal_Authentication_&_Access.md index 4365372ea8..596e782caa 100644 --- a/DataSources/Microsoft/Azure/RM/r_m_microsoft_azure_Abnormal_Authentication_&_Access.md +++ b/DataSources/Microsoft/Azure/RM/r_m_microsoft_azure_Abnormal_Authentication_&_Access.md 
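Review bot: in the Microsoft Azure rows of this hunk (Privilege Escalation, Privileged Activity, Ransomware) the parser names listed under several event types do not match the event type they sit under, which points to the event-type headers and parser lists being paired wrongly by the generator: `process-created` lists `azure-event-hub-remote-logon`, `remote-logon` lists `azure-event-hub-file-events`, `usb-insert` lists `azure-event-hub-member-added`, `member-added` lists `azure-event-hub-member-removed`, `dns-response` lists `cef-microsoft-app-login`, and `account-password-change` lists `cef-microsoft-failed-app-login`. Please verify the pairing logic before this table is merged, since the same pattern repeats identically in all three rows. Two smaller points in the same rows: the MITRE TTP column falls back to the bare ID when no technique name is resolved (`T1036.004 - T1036.004`, `T1134.002 - T1134.002`, `T1484.001 - T1484.001`, `T1078.002 - T1078.002`, `TA0002 - TA0002`, among others), so the name lookup needs those sub-technique and tactic entries, and `T1059.001 - Command and Scripting Interperter: PowerShell` carries a typo in the source name (Interpreter). Finally, the Content column links are emitted with empty link text (`[](RM/r_m_microsoft_azure_Privilege_Escalation.md)`), which renders as nothing clickable; give them a label such as the use-case name.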
@@ -5,19 +5,23 @@ Vendor: Microsoft | Rules | Models | MITRE TTPs | Event Types | Parsers | |:-----:|:------:|:----------:|:-----------:|:-------:| -| 40 | 15 | 6 | 30 | 30 | +| 53 | 21 | 9 | 30 | 30 | -| Event Type | Rules | Models | -| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| account-password-change | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user | • AE-UA: All activity for users | -| account-password-reset | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user | • AE-UA: All activity for users | -| app-activity | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user
DC23: Abnormal session start time
DC24: Abnormal day of week
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
NEW-USER-F: User with no event history
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user

T1133 - External Remote Services
UA-UC-F: First activity from country for user
UA-UC-A: Abnormal activity from country for user
UA-GC-F: First activity from country for group
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user | • UA-OC: Countries for organization
UA-GC: Countries for peer groups
UA-UC: Countries for user activity
AE-UA: All activity for users | -| app-login | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user
DC23: Abnormal session start time
DC24: Abnormal day of week
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
NEW-USER-F: User with no event history
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user

T1133 - External Remote Services
UA-UC-F: First activity from country for user
UA-UC-A: Abnormal activity from country for user
UA-GC-F: First activity from country for group
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user | • UA-OC: Countries for organization
UA-GC: Countries for peer groups
UA-UC: Countries for user activity
AE-UA: All activity for users | -| authentication-failed | T1133 - External Remote Services
FA-OC-F: First Failed activity in session from country in which organization has never had a successful activity
FA-GC-F: First Failed activity in session from country in which peer group has never had a successful activity | • UA-GC: Countries for peer groups
UA-OC: Countries for organization | -| authentication-successful | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user

T1133 - External Remote Services
UA-UC-F: First activity from country for user
UA-UC-A: Abnormal activity from country for user
UA-GC-F: First activity from country for group
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user | • UA-OC: Countries for organization
UA-GC: Countries for peer groups
UA-UC: Countries for user activity
AE-UA: All activity for users | -| failed-app-login | T1133 - External Remote Services
FA-OC-F: First Failed activity in session from country in which organization has never had a successful activity
FA-GC-F: First Failed activity in session from country in which peer group has never had a successful activity | • UA-GC: Countries for peer groups
UA-OC: Countries for organization | -| failed-logon | T1110 - Brute Force
SEQ-UH-09: Abnormal time of the week for a failed logon for user
SEQ-UH-10: Failed logons had multiple reasons

T1078 - Valid Accounts
SEQ-UH-03: Failed logon to a top failed logon asset by user
SEQ-UH-06: Abnormal failed logon to asset by user
SEQ-UH-07: Failed logon to an asset that user has not previously accessed | • FL-UH: All Failed Logons per user
FL-OH: All Failed Logons in the organization | -| member-added | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user
NEW-USER-F: User with no event history | • AE-UA: All activity for users | -| member-removed | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user | • AE-UA: All activity for users | -| privileged-access | T1078 - Valid Accounts
AE-UA-F: First activity type for user | • AE-UA: All activity for users | -| remote-logon | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user
AL-UT-F: Logon to New Asset Type
AL-UT-A: Logon to Abnormal asset type
AL-F-F-CS: First logon to a critical system for user
AL-F-A-CS: Abnormal logon to a critical system for user
AL-OU-F-CS: First logon to a critical system that user has not previously accessed
RL-UH-F: First remote logon to asset
RL-UH-A: Abnormal remote logon to asset
AL-UZ-F: First logon to network zone
AL-UZ-A: Abnormal logon to network zone
DC23: Abnormal session start time
DC24: Abnormal day of week
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
AL-F-MultiWs: Multiple workstations in a single session
NEW-USER-F: User with no event history
RL-GH-A-new: Abnormal remote logon to asset for group by new user
RL-GH-F-new: First remote logon to asset for group by new user
AL-GZ-F-new: First logon to network zone for new user of group
AL-GZ-A-new: Abnormal logon to network zone for group of new user
RL-HU-F-new: Remote logon to private asset for new user
PA-IT-NoPA: IT presence without badge access

T1021 - Remote Services
RL-UZ-F-DC: First logon to a Domain Controller from zone for user
RL-UH-F: First remote logon to asset
RL-UH-A: Abnormal remote logon to asset
RL-GH-A-new: Abnormal remote logon to asset for group by new user
RL-GH-F-new: First remote logon to asset for group by new user
RL-HU-F-new: Remote logon to private asset for new user

T1133 - External Remote Services
UA-UC-F: First activity from country for user
UA-UC-A: Abnormal activity from country for user
UA-GC-F: First activity from country for group
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization

T1078.002 - T1078.002
RL-UZ-F-DC: First logon to a Domain Controller from zone for user

T1078.003 - Valid Accounts: Local Accounts
AL-HLocU-F: First local user logon to this asset
AL-HLocU-A: Abnormal local user logon to this asset | • PA-OU: Badge access by users in the organization
RL-HU: Remote logon users
AL-GZ: Network zones accessed by this peer group
RL-GH-A: Assets accessed remotely by this peer group
UA-OC: Countries for organization
UA-GC: Countries for peer groups
UA-UC: Countries for user activity
RL-UH: Remote logons
RL-UZ-DC: Source zones per user logging into domain controller
AL-OU-CS: Logon to critical servers
AL-UT: Types of hosts
AE-UA: All activity for users
NKL-HU: Users logging into this host remotely | \ No newline at end of file +| Event Type | Rules | Models | +| --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| account-password-change | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user | • AE-UA: All activity for users | +| account-password-reset | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user | • AE-UA: All activity for users | +| app-activity | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user
DC23: Abnormal session start time
DC24: Abnormal day of week
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
NEW-USER-F: User with no event history
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user

T1133 - External Remote Services
UA-UC-F: First activity from country for user
UA-UC-A: Abnormal activity from country for user
UA-GC-F: First activity from country for group
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user | • UA-OC: Countries for organization
UA-GC: Countries for peer groups
UA-UC: Countries for user activity
AE-UA: All activity for users | +| app-login | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user
DC23: Abnormal session start time
DC24: Abnormal day of week
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
NEW-USER-F: User with no event history
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user

T1133 - External Remote Services
UA-UC-F: First activity from country for user
UA-UC-A: Abnormal activity from country for user
UA-GC-F: First activity from country for group
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user | • UA-OC: Countries for organization
UA-GC: Countries for peer groups
UA-UC: Countries for user activity
AE-UA: All activity for users | +| authentication-failed | T1133 - External Remote Services
FA-OC-F: First Failed activity in session from country in which organization has never had a successful activity
FA-GC-F: First Failed activity in session from country in which peer group has never had a successful activity | • UA-GC: Countries for peer groups
UA-OC: Countries for organization | +| authentication-successful | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user

T1133 - External Remote Services
UA-UC-F: First activity from country for user
UA-UC-A: Abnormal activity from country for user
UA-GC-F: First activity from country for group
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user | • UA-OC: Countries for organization
UA-GC: Countries for peer groups
UA-UC: Countries for user activity
AE-UA: All activity for users | +| cloud-admin-activity | T1136.003 - Create Account: Create: Cloud Account
CS-Critical-Activity-F: First time for this user to perform a critical Cloud Administrative operation
CS-Critical-Activity-A: Abnormal user to perform a critical Cloud Administrative operation

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization | • CS-Critical-Activities: Users who perform critical IAM activites | +| cloud-admin-activity-failed | T1136.003 - Create Account: Create: Cloud Account
CS-Critical-Activity-F: First time for this user to perform a critical Cloud Administrative operation
CS-Critical-Activity-A: Abnormal user to perform a critical Cloud Administrative operation

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization | • CS-Critical-Activities: Users who perform critical IAM activites | +| failed-app-login | T1133 - External Remote Services
FA-OC-F: First Failed activity in session from country in which organization has never had a successful activity
FA-GC-F: First Failed activity in session from country in which peer group has never had a successful activity | • UA-GC: Countries for peer groups
UA-OC: Countries for organization | +| failed-logon | T1110 - Brute Force
SEQ-UH-09: Abnormal time of the week for a failed logon for user
SEQ-UH-10: Failed logons had multiple reasons

T1078 - Valid Accounts
SEQ-UH-03: Failed logon to a top failed logon asset by user
SEQ-UH-06: Abnormal failed logon to asset by user
SEQ-UH-07: Failed logon to an asset that user has not previously accessed | • FL-UH: All Failed Logons per user
FL-OH: All Failed Logons in the organization | +| member-added | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user
NEW-USER-F: User with no event history | • AE-UA: All activity for users | +| member-removed | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user | • AE-UA: All activity for users | +| privileged-access | T1078 - Valid Accounts
AE-UA-F: First activity type for user | • AE-UA: All activity for users | +| remote-logon | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user
AL-UT-F: Logon to New Asset Type
AL-UT-A: Logon to Abnormal asset type
AL-F-F-CS: First logon to a critical system for user
AL-F-A-CS: Abnormal logon to a critical system for user
AL-OU-F-CS: First logon to a critical system that user has not previously accessed
RL-UH-F: First remote logon to asset
RL-UH-A: Abnormal remote logon to asset
AL-UZ-F: First logon to network zone
AL-UZ-A: Abnormal logon to network zone
DC23: Abnormal session start time
DC24: Abnormal day of week
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
AL-F-MultiWs: Multiple workstations in a single session
NEW-USER-F: User with no event history
RL-GH-A-new: Abnormal remote logon to asset for group by new user
RL-GH-F-new: First remote logon to asset for group by new user
AL-GZ-F-new: First logon to network zone for new user of group
AL-GZ-A-new: Abnormal logon to network zone for group of new user
RL-HU-F-new: Remote logon to private asset for new user
PA-IT-NoPA: IT presence without badge access

T1021 - Remote Services
RL-UZ-F-DC: First logon to a Domain Controller from zone for user
RL-UH-F: First remote logon to asset
RL-UH-A: Abnormal remote logon to asset
RL-GH-A-new: Abnormal remote logon to asset for group by new user
RL-GH-F-new: First remote logon to asset for group by new user
RL-HU-F-new: Remote logon to private asset for new user

T1133 - External Remote Services
UA-UC-F: First activity from country for user
UA-UC-A: Abnormal activity from country for user
UA-GC-F: First activity from country for group
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization

T1078.002 - T1078.002
RL-UZ-F-DC: First logon to a Domain Controller from zone for user

T1078.003 - Valid Accounts: Local Accounts
AL-HLocU-F: First local user logon to this asset
AL-HLocU-A: Abnormal local user logon to this asset | • PA-OU: Badge access by users in the organization
RL-HU: Remote logon users
AL-GZ: Network zones accessed by this peer group
RL-GH-A: Assets accessed remotely by this peer group
UA-OC: Countries for organization
UA-GC: Countries for peer groups
UA-UC: Countries for user activity
RL-UH: Remote logons
RL-UZ-DC: Source zones per user logging into domain controller
AL-OU-CS: Logon to critical servers
AL-UT: Types of hosts
AE-UA: All activity for users
NKL-HU: Users logging into this host remotely | +| storage-activity | T1530 - Data from Cloud Storage Object
B-CS-Bucket-UA-F: New user agent has accessed this bucket, possible exfiltration
B-CS-Bucket-UA-A: Abnormal user agent access to this bucket, possible exfiltration
B-CS-Bucket-Users-A: Abnormal user accessing this storage container/bucket
CS-Storage-Activity-F: First time using this event activity against the cloud storage service
CS-Storage-Activity-A: Abnormal activity against the cloud storage service
CS-Users-F: First time this user is seen accessing the cloud storage service
CS-Users-A: Abnormal user is seen accessing the cloud storage service

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization
CS-UA-P-F: First user agent for peer group to access cloud services
CS-UA-P-A: Abnormal user agent for the peer group accessing cloud service | • CS-Users: Users accessing cloud storage in the org
CS-Storage-Activity: Cloud storage activities for the user
B-CS-Bucket-Users: Users per storage container/bucket
B-CS-Bucket-UA: User agents per bucket
CS-P-UA: User agents accessing cloud storage per peer group | +| storage-activity-failed | T1530 - Data from Cloud Storage Object
B-CS-Bucket-UA-A: Abnormal user agent access to this bucket, possible exfiltration
CS-Storage-Activity-F: First time using this event activity against the cloud storage service
CS-Storage-Activity-A: Abnormal activity against the cloud storage service
CS-Users-F: First time this user is seen accessing the cloud storage service

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization
CS-UA-P-F: First user agent for peer group to access cloud services
CS-UA-P-A: Abnormal user agent for the peer group accessing cloud service | • CS-Users: Users accessing cloud storage in the org
CS-Storage-Activity: Cloud storage activities for the user
B-CS-Bucket-UA: User agents per bucket
CS-P-UA: User agents accessing cloud storage per peer group | \ No newline at end of file diff --git a/DataSources/Microsoft/Azure/RM/r_m_microsoft_azure_Account_Manipulation.md b/DataSources/Microsoft/Azure/RM/r_m_microsoft_azure_Account_Manipulation.md index 8ecf91e739..042347e253 100644 --- a/DataSources/Microsoft/Azure/RM/r_m_microsoft_azure_Account_Manipulation.md +++ b/DataSources/Microsoft/Azure/RM/r_m_microsoft_azure_Account_Manipulation.md 
@@ -5,13 +5,17 @@ Vendor: Microsoft | Rules | Models | MITRE TTPs | Event Types | Parsers | |:-----:|:------:|:----------:|:-----------:|:-------:| -| 43 | 19 | 13 | 30 | 30 | +| 53 | 24 | 16 | 30 | 30 | -| Event Type | Rules | Models | -| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
 | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| account-password-change | T1098 - Account Manipulation
AM-UA-APLocU-F: First account password change for local user | | -| account-password-reset | T1098 - Account Manipulation
AM-UA-APLocU-F: First account password change for local user | | -| app-activity | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
EM-InB-Ex: A user has been given mailbox permissions for an executive user
EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own
EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions | • EM-InB-Perm-N: Models users who give mailbox permissions | -| member-added | T1098 - Account Manipulation
A-GM-DhU-system-F: First group management by system account on asset
GM-LocUA-F-new: First group management activity by a new local user
GM-LocUA-A: Abnormal group management activity by local user
MA-SELF: User added themself to a group
MA-PRIV-F-local: First addition to privileged group by local user
MA-PRIV-A: Abnormal addition to privileged group by user
GM-UH-F: First group management activity from asset for user
GM-UH-A: Abnormal group management activity from asset for user
GM-OZ-F: First group management activity from network zone
GM-OZ-A: Abnormal group management activity from network zone
GM-OH-F: First group management activity from asset in the organization
GM-OH-A: Abnormal group management activity from asset in the organization
GM-UT-TOW-A: Abnormal day for user to perform group management activity
AM-GA-MA-F: First account group management activity for peer group
AM-OU-SS-F: First addition and removal of member from a group by user in a single session for organization
AM-OU-SS-A: Abnormal addition and removal of member from a group in a single session in the organization
AM-OG-SS-F: First addition and removal of member from a group by user in a single session for peer group
AM-OG-SS-A: Abnormal addition and removal of member from a group in a single session in the peer group
AM-OG-F: First member addition to this group for the organization
AM-OG-A: Abnormal account addition to this group for the organization
AM-GOU-F: First account OU addition to this group
AM-GOU-A: Abnormal account OU addition to this group
AM-UA-MA-F-new: Account management activity for new user
AM-GA-new: First account management activity for group of a new user

T1136 - Create Account
AM-UA-MA-F-new: Account management activity for new user
AM-GA-new: First account management activity for group of a new user | • AE-GA: All activity for peer groups
AM-GOU: Account management, OUs that are added to security groups
AM-AG: Account management, groups which users are being added to
AM-OG-SS: Models the peer groups who perform addition and removal of members from group in same session
AM-OU-SS: Models the users who perform addition and removal of members from group in same session in the organization
AE-UA: All activity for users
GM-UT-TOW: Group management activity time for user
GM-OH: Group management hosts in organization
GM-OZ: Group management activity from zone
GM-UH: Group management activity on host for user
AM-OU-PG: Account group management of high privileges in the organization
A-GM-DhU-system: System accounts performing group management activities | -| member-removed | T1098 - Account Manipulation
GM-LocUA-F-new: First group management activity by a new local user
GM-LocUA-A: Abnormal group management activity by local user
GM-UH-F: First group management activity from asset for user
GM-UH-A: Abnormal group management activity from asset for user
GM-OZ-F: First group management activity from network zone
GM-OZ-A: Abnormal group management activity from network zone
GM-OH-F: First group management activity from asset in the organization
GM-OH-A: Abnormal group management activity from asset in the organization
GM-UT-TOW-A: Abnormal day for user to perform group management activity
AM-UA-MA-F: First account group management activity for user
AM-GA-MA-F: First account group management activity for peer group
AM-OU-SS-F: First addition and removal of member from a group by user in a single session for organization
AM-OU-SS-A: Abnormal addition and removal of member from a group in a single session in the organization
AM-OG-SS-F: First addition and removal of member from a group by user in a single session for peer group
AM-OG-SS-A: Abnormal addition and removal of member from a group in a single session in the peer group | • AM-OG-SS: Models the peer groups who perform addition and removal of members from group in same session
AM-OU-SS: Models the users who perform addition and removal of members from group in same session in the organization
AE-GA: All activity for peer groups
AE-UA: All activity for users
GM-UT-TOW: Group management activity time for user
GM-OH: Group management hosts in organization
GM-OZ: Group management activity from zone
GM-UH: Group management activity on host for user | -| process-created | T1531 - Account Access Removal
NET-EXE-DELETE-ORG-F: First time net.exe has been used to delete a user account by this user.
NET-EXE-DELETE-ORG-A: Abnormal usage of net.exe to delete a user account by this user.

T1078 - Valid Accounts
NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user.
NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user.
NET-EXE-ACTIVE-ORG-F: First time net.exe has been used to disable/enable a user account by this user.
NET-EXE-ACTIVE-ORG-A: Abnormal usage of net.exe to disable/enable a user account by this user.

T1098 - Account Manipulation
NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user.
NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user.
NET-EXE-ACTIVE-ORG-F: First time net.exe has been used to disable/enable a user account by this user.
NET-EXE-ACTIVE-ORG-A: Abnormal usage of net.exe to disable/enable a user account by this user.

T1136 - Create Account
NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user.
NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user.

T1136.001 - Create Account: Create: Local Account
AC-OZ-CLI-F: First zone on which account was created using CLI command
AC-OH-CLI-F: First host on which account was created using CLI command
NET-EXE-ADD-ORG-F: First time net.exe has been used to create a user account by this user.
NET-EXE-ADD-ORG-A: Abnormal usage of net.exe to create a user account by this user.

T1021.003 - T1021.003
A-Netsh-RDP-Port-Fwd: Netsh commands used to configure port forwarding for port 3389, used for RDP, were detected on this asset.
MMC-Spawn-Win-Shell: MMC (Microsoft Management Console) started a Windows command line executable.

T1059.001 - Command and Scripting Interperter: PowerShell
A-Netsh-RDP-Port-Fwd: Netsh commands used to configure port forwarding for port 3389, used for RDP, were detected on this asset.
MMC-Spawn-Win-Shell: MMC (Microsoft Management Console) started a Windows command line executable.

T1059.003 - T1059.003
A-Netsh-RDP-Port-Fwd: Netsh commands used to configure port forwarding for port 3389, used for RDP, were detected on this asset.
MMC-Spawn-Win-Shell: MMC (Microsoft Management Console) started a Windows command line executable.

T1218.010 - Signed Binary Proxy Execution: Regsvr32
A-Netsh-RDP-Port-Fwd: Netsh commands used to configure port forwarding for port 3389, used for RDP, were detected on this asset.
MMC-Spawn-Win-Shell: MMC (Microsoft Management Console) started a Windows command line executable.

T1559.002 - T1559.002
A-Netsh-RDP-Port-Fwd: Netsh commands used to configure port forwarding for port 3389, used for RDP, were detected on this asset.
MMC-Spawn-Win-Shell: MMC (Microsoft Management Console) started a Windows command line executable.

T1003 - OS Credential Dumping
A-ShadowCP-OSUtilities: Shadow Copies Creation Using Operating Systems Utilities on this asset
ShadowCP-OSUtilities: Shadow Copies Creation Using Operating Systems Utilities

T1003.003 - T1003.003
A-Sus-Procdump: Suspicious Use of Procdump on this asset. | • NET-EXE-DELETE-ORG: Using net.exe to delete a user account
NET-EXE-ACTIVE-ORG: Using net.exe to disable/enable a user account
NET-EXE-ADD-GRP-ORG: Using net.exe to add a group account
NET-EXE-ADD-ORG: Using net.exe to add a user account
AC-OH-CLI: Hosts on which account was created using CLI command
AC-OZ-CLI: Zones on which account was created using CLI command | \ No newline at end of file +| Event Type | Rules | Models | +| --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| account-password-change | T1098 - Account Manipulation
AM-UA-APLocU-F: First account password change for local user | | +| account-password-reset | T1098 - Account Manipulation
AM-UA-APLocU-F: First account password change for local user | | +| app-activity | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
EM-InB-Ex: A user has been given mailbox permissions for an executive user
EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own
EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions | • EM-InB-Perm-N: Models users who give mailbox permissions | +| cloud-admin-activity | T1078.004 - Valid Accounts: Cloud Accounts
CA-UniversalPolicy-F: First time this user has created/attached a 'universal' resource/action policy
CA-UniversalPolicy-A: Abnormal for this user to create/attach a 'universal' resource/action policy
CS-IAM-Enumeration: Enumeration of Cloud account roles/users
CS-Admin-Activty-F: First time seeing this Cloud administrative operation

T1136.003 - Create Account: Create: Cloud Account
CS-User-Creation-F: First time for this user to create an account in the cloud | • CS-Admin-Activity: Cloud administrative activities performed by user
CS-User-Creation: Users who create users/accounts in the cloud
CS-Universal-Policy: Users creating universal '*' policies | +| cloud-admin-activity-failed | T1078.004 - Valid Accounts: Cloud Accounts
CS-IAM-Enumeration: Enumeration of Cloud account roles/users
CS-Admin-Activty-F: First time seeing this Cloud administrative operation

T1136.003 - Create Account: Create: Cloud Account
CS-User-Creation-F: First time for this user to create an account in the cloud
CS-Failed-User-Creation: User attempted and failed to create a Cloud user/account | • CS-Admin-Activity: Cloud administrative activities performed by user
CS-User-Creation: Users who create users/accounts in the cloud | +| member-added | T1098 - Account Manipulation
A-GM-DhU-system-F: First group management by system account on asset
GM-LocUA-F-new: First group management activity by a new local user
GM-LocUA-A: Abnormal group management activity by local user
MA-SELF: User added themself to a group
MA-PRIV-F-local: First addition to privileged group by local user
MA-PRIV-A: Abnormal addition to privileged group by user
GM-UH-F: First group management activity from asset for user
GM-UH-A: Abnormal group management activity from asset for user
GM-OZ-F: First group management activity from network zone
GM-OZ-A: Abnormal group management activity from network zone
GM-OH-F: First group management activity from asset in the organization
GM-OH-A: Abnormal group management activity from asset in the organization
GM-UT-TOW-A: Abnormal day for user to perform group management activity
AM-GA-MA-F: First account group management activity for peer group
AM-OU-SS-F: First addition and removal of member from a group by user in a single session for organization
AM-OU-SS-A: Abnormal addition and removal of member from a group in a single session in the organization
AM-OG-SS-F: First addition and removal of member from a group by user in a single session for peer group
AM-OG-SS-A: Abnormal addition and removal of member from a group in a single session in the peer group
AM-OG-F: First member addition to this group for the organization
AM-OG-A: Abnormal account addition to this group for the organization
AM-GOU-F: First account OU addition to this group
AM-GOU-A: Abnormal account OU addition to this group
AM-UA-MA-F-new: Account management activity for new user
AM-GA-new: First account management activity for group of a new user

T1136 - Create Account
AM-UA-MA-F-new: Account management activity for new user
AM-GA-new: First account management activity for group of a new user | • AE-GA: All activity for peer groups
AM-GOU: Account management, OUs that are added to security groups
AM-AG: Account management, groups which users are being added to
AM-OG-SS: Models the peer groups who perform addition and removal of members from group in same session
AM-OU-SS: Models the users who perform addition and removal of members from group in same session in the organization
AE-UA: All activity for users
GM-UT-TOW: Group management activity time for user
GM-OH: Group management hosts in organization
GM-OZ: Group management activity from zone
GM-UH: Group management activity on host for user
AM-OU-PG: Account group management of high privileges in the organization
A-GM-DhU-system: System accounts performing group management activities | +| member-removed | T1098 - Account Manipulation
GM-LocUA-F-new: First group management activity by a new local user
GM-LocUA-A: Abnormal group management activity by local user
GM-UH-F: First group management activity from asset for user
GM-UH-A: Abnormal group management activity from asset for user
GM-OZ-F: First group management activity from network zone
GM-OZ-A: Abnormal group management activity from network zone
GM-OH-F: First group management activity from asset in the organization
GM-OH-A: Abnormal group management activity from asset in the organization
GM-UT-TOW-A: Abnormal day for user to perform group management activity
AM-UA-MA-F: First account group management activity for user
AM-GA-MA-F: First account group management activity for peer group
AM-OU-SS-F: First addition and removal of member from a group by user in a single session for organization
AM-OU-SS-A: Abnormal addition and removal of member from a group in a single session in the organization
AM-OG-SS-F: First addition and removal of member from a group by user in a single session for peer group
AM-OG-SS-A: Abnormal addition and removal of member from a group in a single session in the peer group | • AM-OG-SS: Models the peer groups who perform addition and removal of members from group in same session
AM-OU-SS: Models the users who perform addition and removal of members from group in same session in the organization
AE-GA: All activity for peer groups
AE-UA: All activity for users
GM-UT-TOW: Group management activity time for user
GM-OH: Group management hosts in organization
GM-OZ: Group management activity from zone
GM-UH: Group management activity on host for user | +| process-created | T1531 - Account Access Removal
NET-EXE-DELETE-ORG-F: First time net.exe has been used to delete a user account by this user.
NET-EXE-DELETE-ORG-A: Abnormal usage of net.exe to delete a user account by this user.

T1078 - Valid Accounts
NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user.
NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user.
NET-EXE-ACTIVE-ORG-F: First time net.exe has been used to disable/enable a user account by this user.
NET-EXE-ACTIVE-ORG-A: Abnormal usage of net.exe to disable/enable a user account by this user.

T1098 - Account Manipulation
NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user.
NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user.
NET-EXE-ACTIVE-ORG-F: First time net.exe has been used to disable/enable a user account by this user.
NET-EXE-ACTIVE-ORG-A: Abnormal usage of net.exe to disable/enable a user account by this user.

T1136 - Create Account
NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user.
NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user.

T1136.001 - Create Account: Create: Local Account
AC-OZ-CLI-F: First zone on which account was created using CLI command
AC-OH-CLI-F: First host on which account was created using CLI command
NET-EXE-ADD-ORG-F: First time net.exe has been used to create a user account by this user.
NET-EXE-ADD-ORG-A: Abnormal usage of net.exe to create a user account by this user.

T1021.003 - T1021.003
A-Netsh-RDP-Port-Fwd: Netsh commands used to configure port forwarding for port 3389, used for RDP, were detected on this asset.
MMC-Spawn-Win-Shell: MMC (Microsoft Management Console) started a Windows command line executable.

T1059.001 - Command and Scripting Interperter: PowerShell
A-Netsh-RDP-Port-Fwd: Netsh commands used to configure port forwarding for port 3389, used for RDP, were detected on this asset.
MMC-Spawn-Win-Shell: MMC (Microsoft Management Console) started a Windows command line executable.

T1059.003 - T1059.003
A-Netsh-RDP-Port-Fwd: Netsh commands used to configure port forwarding for port 3389, used for RDP, were detected on this asset.
MMC-Spawn-Win-Shell: MMC (Microsoft Management Console) started a Windows command line executable.

T1218.010 - Signed Binary Proxy Execution: Regsvr32
A-Netsh-RDP-Port-Fwd: Netsh commands used to configure port forwarding for port 3389, used for RDP, were detected on this asset.
MMC-Spawn-Win-Shell: MMC (Microsoft Management Console) started a Windows command line executable.

T1559.002 - T1559.002
A-Netsh-RDP-Port-Fwd: Netsh commands used to configure port forwarding for port 3389, used for RDP, were detected on this asset.
MMC-Spawn-Win-Shell: MMC (Microsoft Management Console) started a Windows command line executable.

T1003 - OS Credential Dumping
A-ShadowCP-OSUtilities: Shadow Copies Creation Using Operating Systems Utilities on this asset
ShadowCP-OSUtilities: Shadow Copies Creation Using Operating Systems Utilities

T1003.003 - T1003.003
A-Sus-Procdump: Suspicious Use of Procdump on this asset. | • NET-EXE-DELETE-ORG: Using net.exe to delete a user account
NET-EXE-ACTIVE-ORG: Using net.exe to disable/enable a user account
NET-EXE-ADD-GRP-ORG: Using net.exe to add a group account
NET-EXE-ADD-ORG: Using net.exe to add a user account
AC-OH-CLI: Hosts on which account was created using CLI command
AC-OZ-CLI: Zones on which account was created using CLI command | +| storage-activity | T1136.003 - Create Account: Create: Cloud Account
CS-Bucket-C-D-F: Cloud Storage bucket/storage container creation/deletion for the first time
CS-Bucket-Created: Cloud storage bucket/storage container creation

T1530 - Data from Cloud Storage Object
B-CS-Buckets-F: First cloud storage/bucket in the organization
CS-S3-Enumeration: Cloud Storage container/bucket enumeration | • CS-Bucket-C-D: Users who create or delete storage containers
B-CS-Buckets: Buckets seen in the organization | +| storage-activity-failed | T1136.003 - Create Account: Create: Cloud Account
CS-Bucket-C-D-F: Cloud Storage bucket/storage container creation/deletion for the first time
CS-Bucket-Created: Cloud storage bucket/storage container creation

T1530 - Data from Cloud Storage Object
B-CS-Buckets-F: First cloud storage/bucket in the organization
CS-S3-Enumeration: Cloud Storage container/bucket enumeration | • CS-Bucket-C-D: Users who create or delete storage containers
B-CS-Buckets: Buckets seen in the organization | \ No newline at end of file diff --git a/DataSources/Microsoft/Azure/RM/r_m_microsoft_azure_Cloud_Data_Protection.md b/DataSources/Microsoft/Azure/RM/r_m_microsoft_azure_Cloud_Data_Protection.md deleted file mode 100644 index 8c3238c87e..0000000000 --- a/DataSources/Microsoft/Azure/RM/r_m_microsoft_azure_Cloud_Data_Protection.md +++ /dev/null 
@@ -1,15 +0,0 @@ -Vendor: Microsoft -================= -### Product: [Azure](../ds_microsoft_azure.md) -### Use-Case: [Cloud Data Protection](../../../../UseCases/uc_cloud_data_protection.md) - -| Rules | Models | MITRE TTPs | Event Types | Parsers | -|:-----:|:------:|:----------:|:-----------:|:-------:| -| 26 | 12 | 3 | 30 | 30 | - -| Event Type | Rules | Models | -| --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| cloud-admin-activity | T1136.003 - Create Account: Create: Cloud Account
CS-User-Creation-F: First time for this user to create an account in the cloud
CS-Critical-Activity-F: First time for this user to perform a critical Cloud Administrative operation
CS-Critical-Activity-A: Abnormal user to perform a critical Cloud Administrative operation

T1078.004 - Valid Accounts: Cloud Accounts
CA-UniversalPolicy-F: First time this user has created/attached a 'universal' resource/action policy
CA-UniversalPolicy-A: Abnormal for this user to create/attach a 'universal' resource/action policy
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization
CS-IAM-Enumeration: Enumeration of Cloud account roles/users
CS-Admin-Activty-F: First time seeing this Cloud administrative operation
CS-Admin-Activity-A: Abnormal invocation of this specific admin activity

T1530 - Data from Cloud Storage Object
CS-Policies-F: First time seeing this cloud policy
CS-Policies-A: Abnormal cloud policy seen | • CS-Critical-Activities: Users who perform critical IAM activites
CS-Admin-Activity: Cloud administrative activities performed by user
CS-User-Creation: Users who create users/accounts in the cloud
CS-Policies: Cloud Policies seen in the organization
CS-Universal-Policy: Users creating universal '*' policies | -| cloud-admin-activity-failed | T1136.003 - Create Account: Create: Cloud Account
CS-User-Creation-F: First time for this user to create an account in the cloud
CS-Failed-User-Creation: User attempted and failed to create a Cloud user/account
CS-Critical-Activity-F: First time for this user to perform a critical Cloud Administrative operation
CS-Critical-Activity-A: Abnormal user to perform a critical Cloud Administrative operation

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization
CS-IAM-Enumeration: Enumeration of Cloud account roles/users
CS-Admin-Activty-F: First time seeing this Cloud administrative operation
CS-Admin-Activity-A: Abnormal invocation of this specific admin activity | • CS-Critical-Activities: Users who perform critical IAM activites
CS-Admin-Activity: Cloud administrative activities performed by user
CS-User-Creation: Users who create users/accounts in the cloud | -| storage-activity | T1136.003 - Create Account: Create: Cloud Account
CS-Bucket-C-D-F: Cloud Storage bucket/storage container creation/deletion for the first time
CS-Bucket-Created: Cloud storage bucket/storage container creation

T1530 - Data from Cloud Storage Object
B-CS-Buckets-F: First cloud storage/bucket in the organization
B-CS-Bucket-UA-F: New user agent has accessed this bucket, possible exfiltration
B-CS-Bucket-UA-A: Abnormal user agent access to this bucket, possible exfiltration
B-CS-Bucket-Users-A: Abnormal user accessing this storage container/bucket
CS-Storage-Activity-F: First time using this event activity against the cloud storage service
CS-Storage-Activity-A: Abnormal activity against the cloud storage service
CS-Users-F: First time this user is seen accessing the cloud storage service
CS-Users-A: Abnormal user is seen accessing the cloud storage service
CS-S3-Enumeration: Cloud Storage container/bucket enumeration

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization
CS-UA-P-F: First user agent for peer group to access cloud services
CS-UA-P-A: Abnormal user agent for the peer group accessing cloud service | • CS-Bucket-C-D: Users who create or delete storage containers
CS-Users: Users accessing cloud storage in the org
CS-Storage-Activity: Cloud storage activities for the user
B-CS-Bucket-Users: Users per storage container/bucket
B-CS-Bucket-UA: User agents per bucket
B-CS-Buckets: Buckets seen in the organization
CS-P-UA: User agents accessing cloud storage per peer group | -| storage-activity-failed | T1136.003 - Create Account: Create: Cloud Account
CS-Bucket-C-D-F: Cloud Storage bucket/storage container creation/deletion for the first time
CS-Bucket-Created: Cloud storage bucket/storage container creation

T1530 - Data from Cloud Storage Object
B-CS-Buckets-F: First cloud storage/bucket in the organization
B-CS-Bucket-UA-A: Abnormal user agent access to this bucket, possible exfiltration
CS-Storage-Activity-F: First time using this event activity against the cloud storage service
CS-Storage-Activity-A: Abnormal activity against the cloud storage service
CS-Users-F: First time this user is seen accessing the cloud storage service
CS-S3-Enumeration: Cloud Storage container/bucket enumeration

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization
CS-UA-P-F: First user agent for peer group to access cloud services
CS-UA-P-A: Abnormal user agent for the peer group accessing cloud service | • CS-Bucket-C-D: Users who create or delete storage containers
CS-Users: Users accessing cloud storage in the org
CS-Storage-Activity: Cloud storage activities for the user
B-CS-Bucket-UA: User agents per bucket
B-CS-Buckets: Buckets seen in the organization
CS-P-UA: User agents accessing cloud storage per peer group | \ No newline at end of file diff --git a/DataSources/Microsoft/Azure/RM/r_m_microsoft_azure_Privilege_Abuse.md b/DataSources/Microsoft/Azure/RM/r_m_microsoft_azure_Privilege_Abuse.md index 21ed272dde..38a473ad79 100644 --- a/DataSources/Microsoft/Azure/RM/r_m_microsoft_azure_Privilege_Abuse.md +++ b/DataSources/Microsoft/Azure/RM/r_m_microsoft_azure_Privilege_Abuse.md 
@@ -5,24 +5,26 @@ Vendor: Microsoft | Rules | Models | MITRE TTPs | Event Types | Parsers | |:-----:|:------:|:----------:|:-----------:|:-------:| -| 59 | 31 | 7 | 30 | 30 | +| 62 | 33 | 9 | 30 | 30 | -| Event Type | Rules | Models | -| ------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| account-password-change | T1098 - Account Manipulation
AM-UA-APLocU-F: First account password change for local user | | -| account-password-reset | T1098 - Account Manipulation
AM-UA-APLocU-F: First account password change for local user | | -| app-activity | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
EM-InB-Ex: A user has been given mailbox permissions for an executive user
EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own
EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions

T1078 - Valid Accounts
APP-Account-deactivated: Activity from a de-activated user account
APP-F-SA-NC: New service account access to application
APP-AT-PRIV: Non-privileged user performing privileged application activity | • EM-InB-Perm-N: Models users who give mailbox permissions
APP-AT-PRIV: Privileged application activities | -| app-activity-failed | T1078 - Valid Accounts
APP-Account-deactivated: Activity from a de-activated user account | | -| app-login | T1078 - Valid Accounts
APP-Account-deactivated: Activity from a de-activated user account
APP-F-SA-NC: New service account access to application | | -| dlp-email-alert-in-failed | T1078 - Valid Accounts
APP-Account-deactivated: Activity from a de-activated user account | | -| failed-app-login | T1078 - Valid Accounts
APP-Account-deactivated: Activity from a de-activated user account | | -| failed-logon | T1078 - Valid Accounts
SEQ-UH-04: Failed logon by a service account
SEQ-UH-05: Failed interactive logon by a service account
SEQ-UH-12: Logon attempt on a disabled account | • AE-UA: All activity for users | -| file-delete | T1078 - Valid Accounts
FA-Account-deactivated: File Activity from a de-activated user account | | -| file-download | T1078 - Valid Accounts
FA-Account-deactivated: File Activity from a de-activated user account | | -| file-read | T1078 - Valid Accounts
FA-Account-deactivated: File Activity from a de-activated user account | | -| file-write | T1078 - Valid Accounts
FA-Account-deactivated: File Activity from a de-activated user account | | -| member-added | T1098 - Account Manipulation
A-GM-DhU-system-F: First group management by system account on asset
GM-LocUA-F-new: First group management activity by a new local user
GM-LocUA-A: Abnormal group management activity by local user
MA-SELF: User added themself to a group
MA-PRIV-F-local: First addition to privileged group by local user
MA-PRIV-A: Abnormal addition to privileged group by user
GM-UH-F: First group management activity from asset for user
GM-UH-A: Abnormal group management activity from asset for user
GM-OZ-F: First group management activity from network zone
GM-OZ-A: Abnormal group management activity from network zone
GM-OH-F: First group management activity from asset in the organization
GM-OH-A: Abnormal group management activity from asset in the organization
GM-UT-TOW-A: Abnormal day for user to perform group management activity
AM-GA-MA-F: First account group management activity for peer group
AM-OU-SS-F: First addition and removal of member from a group by user in a single session for organization
AM-OU-SS-A: Abnormal addition and removal of member from a group in a single session in the organization
AM-OG-SS-F: First addition and removal of member from a group by user in a single session for peer group
AM-OG-SS-A: Abnormal addition and removal of member from a group in a single session in the peer group
AM-OG-F: First member addition to this group for the organization
AM-OG-A: Abnormal account addition to this group for the organization
AM-GOU-F: First account OU addition to this group
AM-GOU-A: Abnormal account OU addition to this group
AM-UA-MA-F-new: Account management activity for new user
AM-GA-new: First account management activity for group of a new user

T1136 - Create Account
AM-UA-MA-F-new: Account management activity for new user
AM-GA-new: First account management activity for group of a new user | • AE-GA: All activity for peer groups
AM-GOU: Account management, OUs that are added to security groups
AM-AG: Account management, groups which users are being added to
AM-OG-SS: Models the peer groups who perform addition and removal of members from group in same session
AM-OU-SS: Models the users who perform addition and removal of members from group in same session in the organization
AE-UA: All activity for users
GM-UT-TOW: Group management activity time for user
GM-OH: Group management hosts in organization
GM-OZ: Group management activity from zone
GM-UH: Group management activity on host for user
AM-OU-PG: Account group management of high privileges in the organization
A-GM-DhU-system: System accounts performing group management activities | -| member-removed | T1098 - Account Manipulation
GM-LocUA-F-new: First group management activity by a new local user
GM-LocUA-A: Abnormal group management activity by local user
GM-UH-F: First group management activity from asset for user
GM-UH-A: Abnormal group management activity from asset for user
GM-OZ-F: First group management activity from network zone
GM-OZ-A: Abnormal group management activity from network zone
GM-OH-F: First group management activity from asset in the organization
GM-OH-A: Abnormal group management activity from asset in the organization
GM-UT-TOW-A: Abnormal day for user to perform group management activity
AM-UA-MA-F: First account group management activity for user
AM-GA-MA-F: First account group management activity for peer group
AM-OU-SS-F: First addition and removal of member from a group by user in a single session for organization
AM-OU-SS-A: Abnormal addition and removal of member from a group in a single session in the organization
AM-OG-SS-F: First addition and removal of member from a group by user in a single session for peer group
AM-OG-SS-A: Abnormal addition and removal of member from a group in a single session in the peer group | • AM-OG-SS: Models the peer groups who perform addition and removal of members from group in same session
AM-OU-SS: Models the users who perform addition and removal of members from group in same session in the organization
AE-GA: All activity for peer groups
AE-UA: All activity for users
GM-UT-TOW: Group management activity time for user
GM-OH: Group management hosts in organization
GM-OZ: Group management activity from zone
GM-UH: Group management activity on host for user | -| privileged-access | T1078 - Valid Accounts
WPA-OU-F: First privileged access event for user for organization
WPA-OG-F: First privileged access event for user for peer group
WPA-UH-F: First privileged access event on host for user
WPA-HZ-F: First privileged access event on host from zone
WPA-USH-F: First privileged access event on source host for user | • WPA-USH: Source hosts with privileged access events for user
WPA-HZ: Source zones with privileged access events for host
WPA-UH: Hosts with privileged access events for user
WPA-OG: Privileged access activity for users in the peer group
WPA-OU: Privileged access activity for users in the organization | -| process-created | T1047 - Windows Management Instrumentation
WMIC-EXE-RENAME-ORG-F: First time WMIC.exe has been used to rename a user account by this user.
WMIC-EXE-RENAME-GRP-ORG-F: First time WMIC.exe has been used to rename a group by this user.
WMIC-EXE-RENAME-ORG-A: Abnormal usage of WMIC.exe to rename a group by this user.

T1098 - Account Manipulation
NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user.
NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user.
NET-EXE-ACTIVE-ORG-F: First time net.exe has been used to disable/enable a user account by this user.
NET-EXE-ACTIVE-ORG-A: Abnormal usage of net.exe to disable/enable a user account by this user.
WMIC-EXE-RENAME-ORG-F: First time WMIC.exe has been used to rename a user account by this user.
WMIC-EXE-RENAME-GRP-ORG-F: First time WMIC.exe has been used to rename a group by this user.
WMIC-EXE-RENAME-ORG-A: Abnormal usage of WMIC.exe to rename a group by this user.

T1078 - Valid Accounts
NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user.
NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user.
NET-EXE-ACTIVE-ORG-F: First time net.exe has been used to disable/enable a user account by this user.
NET-EXE-ACTIVE-ORG-A: Abnormal usage of net.exe to disable/enable a user account by this user.

T1136 - Create Account
NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user.
NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user.

T1136.001 - Create Account: Create: Local Account
AC-OZ-CLI-F: First zone on which account was created using CLI command
AC-OH-CLI-F: First host on which account was created using CLI command | • WMIC-EXE-RENAME-GRP-ORG: Using WMIC.exe to rename a group
WMIC-EXE-RENAME-ORG: Using WMIC.exe to rename a user account
NET-EXE-ACTIVE-ORG: Using net.exe to disable/enable a user account
NET-EXE-ADD-GRP-ORG: Using net.exe to add a group account
AC-OH-CLI: Hosts on which account was created using CLI command
AC-OZ-CLI: Zones on which account was created using CLI command | -| remote-logon | T1078 - Valid Accounts
AL-F-F-CS: First logon to a critical system for user
AL-F-A-CS: Abnormal logon to a critical system for user
AL-OU-F-CS: First logon to a critical system that user has not previously accessed
DC20b: High-privilege domain account used during session
AL-HT-PRIV: Non-Privileged logon to privileged asset
AL-HT-EXEC-new: New user logon to executive asset
DC18-new: Account switch by new user

T1078.002 - T1078.002
SL-UH-I: Interactive logon using a service account
SL-UH-F: First access from asset for a service account
SL-UH-A: Abnormal access from asset for a service account | • DC18: Secondary accounts
AL-HT-EXEC: Executive Assets
AL-HT-PRIV: Privilege Users Assets
AL-OU-CS: Logon to critical servers
AL-UsH: Source hosts per User
IL-UH-SA: Interactive logon hosts for service accounts | \ No newline at end of file +| Event Type | Rules | Models | +| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| account-password-change | T1098 - Account Manipulation
AM-UA-APLocU-F: First account password change for local user | | +| account-password-reset | T1098 - Account Manipulation
AM-UA-APLocU-F: First account password change for local user | | +| app-activity | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
EM-InB-Ex: A user has been given mailbox permissions for an executive user
EM-InB-Perm-N-F: First time a user has given mailbox permissions on another mailbox that is not their own
EM-InB-Perm-N-A: Abnormal for user to give mailbox permissions

T1078 - Valid Accounts
APP-Account-deactivated: Activity from a de-activated user account
APP-F-SA-NC: New service account access to application
APP-AT-PRIV: Non-privileged user performing privileged application activity | • EM-InB-Perm-N: Models users who give mailbox permissions
APP-AT-PRIV: Privileged application activities | +| app-activity-failed | T1078 - Valid Accounts
APP-Account-deactivated: Activity from a de-activated user account | | +| app-login | T1078 - Valid Accounts
APP-Account-deactivated: Activity from a de-activated user account
APP-F-SA-NC: New service account access to application | | +| cloud-admin-activity | T1078.004 - Valid Accounts: Cloud Accounts
CS-Admin-Activity-A: Abnormal invocation of this specific admin activity

T1530 - Data from Cloud Storage Object
CS-Policies-F: First time seeing this cloud policy
CS-Policies-A: Abnormal cloud policy seen | • CS-Admin-Activity: Cloud administrative activities performed by user
CS-Policies: Cloud Policies seen in the organization | +| cloud-admin-activity-failed | T1078.004 - Valid Accounts: Cloud Accounts
CS-Admin-Activity-A: Abnormal invocation of this specific admin activity | • CS-Admin-Activity: Cloud administrative activities performed by user | +| dlp-email-alert-in-failed | T1078 - Valid Accounts
APP-Account-deactivated: Activity from a de-activated user account | | +| failed-app-login | T1078 - Valid Accounts
APP-Account-deactivated: Activity from a de-activated user account | | +| failed-logon | T1078 - Valid Accounts
SEQ-UH-04: Failed logon by a service account
SEQ-UH-05: Failed interactive logon by a service account
SEQ-UH-12: Logon attempt on a disabled account | • AE-UA: All activity for users | +| file-delete | T1078 - Valid Accounts
FA-Account-deactivated: File Activity from a de-activated user account | | +| file-download | T1078 - Valid Accounts
FA-Account-deactivated: File Activity from a de-activated user account | | +| file-read | T1078 - Valid Accounts
FA-Account-deactivated: File Activity from a de-activated user account | | +| file-write | T1078 - Valid Accounts
FA-Account-deactivated: File Activity from a de-activated user account | | +| member-added | T1098 - Account Manipulation
A-GM-DhU-system-F: First group management by system account on asset
GM-LocUA-F-new: First group management activity by a new local user
GM-LocUA-A: Abnormal group management activity by local user
MA-SELF: User added themself to a group
MA-PRIV-F-local: First addition to privileged group by local user
MA-PRIV-A: Abnormal addition to privileged group by user
GM-UH-F: First group management activity from asset for user
GM-UH-A: Abnormal group management activity from asset for user
GM-OZ-F: First group management activity from network zone
GM-OZ-A: Abnormal group management activity from network zone
GM-OH-F: First group management activity from asset in the organization
GM-OH-A: Abnormal group management activity from asset in the organization
GM-UT-TOW-A: Abnormal day for user to perform group management activity
AM-GA-MA-F: First account group management activity for peer group
AM-OU-SS-F: First addition and removal of member from a group by user in a single session for organization
AM-OU-SS-A: Abnormal addition and removal of member from a group in a single session in the organization
AM-OG-SS-F: First addition and removal of member from a group by user in a single session for peer group
AM-OG-SS-A: Abnormal addition and removal of member from a group in a single session in the peer group
AM-OG-F: First member addition to this group for the organization
AM-OG-A: Abnormal account addition to this group for the organization
AM-GOU-F: First account OU addition to this group
AM-GOU-A: Abnormal account OU addition to this group
AM-UA-MA-F-new: Account management activity for new user
AM-GA-new: First account management activity for group of a new user

T1136 - Create Account
AM-UA-MA-F-new: Account management activity for new user
AM-GA-new: First account management activity for group of a new user | • AE-GA: All activity for peer groups
AM-GOU: Account management, OUs that are added to security groups
AM-AG: Account management, groups which users are being added to
AM-OG-SS: Models the peer groups who perform addition and removal of members from group in same session
AM-OU-SS: Models the users who perform addition and removal of members from group in same session in the organization
AE-UA: All activity for users
GM-UT-TOW: Group management activity time for user
GM-OH: Group management hosts in organization
GM-OZ: Group management activity from zone
GM-UH: Group management activity on host for user
AM-OU-PG: Account group management of high privileges in the organization
A-GM-DhU-system: System accounts performing group management activities | +| member-removed | T1098 - Account Manipulation
GM-LocUA-F-new: First group management activity by a new local user
GM-LocUA-A: Abnormal group management activity by local user
GM-UH-F: First group management activity from asset for user
GM-UH-A: Abnormal group management activity from asset for user
GM-OZ-F: First group management activity from network zone
GM-OZ-A: Abnormal group management activity from network zone
GM-OH-F: First group management activity from asset in the organization
GM-OH-A: Abnormal group management activity from asset in the organization
GM-UT-TOW-A: Abnormal day for user to perform group management activity
AM-UA-MA-F: First account group management activity for user
AM-GA-MA-F: First account group management activity for peer group
AM-OU-SS-F: First addition and removal of member from a group by user in a single session for organization
AM-OU-SS-A: Abnormal addition and removal of member from a group in a single session in the organization
AM-OG-SS-F: First addition and removal of member from a group by user in a single session for peer group
AM-OG-SS-A: Abnormal addition and removal of member from a group in a single session in the peer group | • AM-OG-SS: Models the peer groups who perform addition and removal of members from group in same session
AM-OU-SS: Models the users who perform addition and removal of members from group in same session in the organization
AE-GA: All activity for peer groups
AE-UA: All activity for users
GM-UT-TOW: Group management activity time for user
GM-OH: Group management hosts in organization
GM-OZ: Group management activity from zone
GM-UH: Group management activity on host for user | +| privileged-access | T1078 - Valid Accounts
WPA-OU-F: First privileged access event for user for organization
WPA-OG-F: First privileged access event for user for peer group
WPA-UH-F: First privileged access event on host for user
WPA-HZ-F: First privileged access event on host from zone
WPA-USH-F: First privileged access event on source host for user | • WPA-USH: Source hosts with privileged access events for user
WPA-HZ: Source zones with privileged access events for host
WPA-UH: Hosts with privileged access events for user
WPA-OG: Privileged access activity for users in the peer group
WPA-OU: Privileged access activity for users in the organization | +| process-created | T1047 - Windows Management Instrumentation
WMIC-EXE-RENAME-ORG-F: First time WMIC.exe has been used to rename a user account by this user.
WMIC-EXE-RENAME-GRP-ORG-F: First time WMIC.exe has been used to rename a group by this user.
WMIC-EXE-RENAME-ORG-A: Abnormal usage of WMIC.exe to rename a group by this user.

T1098 - Account Manipulation
NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user.
NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user.
NET-EXE-ACTIVE-ORG-F: First time net.exe has been used to disable/enable a user account by this user.
NET-EXE-ACTIVE-ORG-A: Abnormal usage of net.exe to disable/enable a user account by this user.
WMIC-EXE-RENAME-ORG-F: First time WMIC.exe has been used to rename a user account by this user.
WMIC-EXE-RENAME-GRP-ORG-F: First time WMIC.exe has been used to rename a group by this user.
WMIC-EXE-RENAME-ORG-A: Abnormal usage of WMIC.exe to rename a group by this user.

T1078 - Valid Accounts
NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user.
NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user.
NET-EXE-ACTIVE-ORG-F: First time net.exe has been used to disable/enable a user account by this user.
NET-EXE-ACTIVE-ORG-A: Abnormal usage of net.exe to disable/enable a user account by this user.

T1136 - Create Account
NET-EXE-ADD-GRP-ORG-F: First time net.exe has been used to create/add to a group by this user.
NET-EXE-ADD-GRP-ORG-A: Abnormal usage of net.exe to create/add to a group by this user.

T1136.001 - Create Account: Create: Local Account
AC-OZ-CLI-F: First zone on which account was created using CLI command
AC-OH-CLI-F: First host on which account was created using CLI command | • WMIC-EXE-RENAME-GRP-ORG: Using WMIC.exe to rename a group
WMIC-EXE-RENAME-ORG: Using WMIC.exe to rename a user account
NET-EXE-ACTIVE-ORG: Using net.exe to disable/enable a user account
NET-EXE-ADD-GRP-ORG: Using net.exe to add a group account
AC-OH-CLI: Hosts on which account was created using CLI command
AC-OZ-CLI: Zones on which account was created using CLI command | +| remote-logon | T1078 - Valid Accounts
AL-F-F-CS: First logon to a critical system for user
AL-F-A-CS: Abnormal logon to a critical system for user
AL-OU-F-CS: First logon to a critical system that user has not previously accessed
DC20b: High-privilege domain account used during session
AL-HT-PRIV: Non-Privileged logon to privileged asset
AL-HT-EXEC-new: New user logon to executive asset
DC18-new: Account switch by new user

T1078.002 - T1078.002
SL-UH-I: Interactive logon using a service account
SL-UH-F: First access from asset for a service account
SL-UH-A: Abnormal access from asset for a service account | • DC18: Secondary accounts
AL-HT-EXEC: Executive Assets
AL-HT-PRIV: Privilege Users Assets
AL-OU-CS: Logon to critical servers
AL-UsH: Source hosts per User
IL-UH-SA: Interactive logon hosts for service accounts | \ No newline at end of file diff --git a/DataSources/Microsoft/Azure/ds_microsoft_azure.md b/DataSources/Microsoft/Azure/ds_microsoft_azure.md index 81a11edfa4..15f4199cd1 100644 --- a/DataSources/Microsoft/Azure/ds_microsoft_azure.md +++ b/DataSources/Microsoft/Azure/ds_microsoft_azure.md @@ -4,12 +4,12 @@ Product: Azure -------------- | Rules | Models | MITRE TTPs | Event Types | Parsers | |:-----:|:------:|:----------:|:-----------:|:-------:| -| 828 | 203 | 140 | 30 | 30 | +| 828 | 203 | 139 | 30 | 30 | | Use-Case | Event Types/Parsers | MITRE TTP | Content | |:----:| ---- | ---- | ---- | -| [Abnormal Authentication & Access](../../../UseCases/uc_abnormal_authentication_&_access.md) | account-password-change
↳[cef-microsoft-failed-app-login](Ps/pC_cefmicrosoftfailedapplogin.md)

account-password-reset
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)

app-activity
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

app-activity-failed
↳[cef-azure-app-login](Ps/pC_cefazureapplogin.md)
↳[azure-event-hub-app-service-audit-logs](Ps/pC_azureeventhubappserviceauditlogs.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[azure-event-hub-key-vault-auth](Ps/pC_azureeventhubkeyvaultauth.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)

app-login
↳[cef-azure-failed-app-login](Ps/pC_cefazurefailedapplogin.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)
↳[cef-microsoft-password-change](Ps/pC_cefmicrosoftpasswordchange.md)

authentication-failed
↳[azure-file-read-1](Ps/pC_azurefileread1.md)
↳[azure-file-read](Ps/pC_azurefileread.md)
↳[azure-file-read-3](Ps/pC_azurefileread3.md)
↳[azure-file-read-2](Ps/pC_azurefileread2.md)
↳[microsoft-network-alert](Ps/pC_microsoftnetworkalert.md)
↳[azure-file-write](Ps/pC_azurefilewrite.md)

authentication-successful
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)

cloud-admin-activity
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

cloud-admin-activity-failed
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

database-query
↳[cef-azure-event-hub-security](Ps/pC_cefazureeventhubsecurity.md)
↳[cef-microsoft-dns-query](Ps/pC_cefmicrosoftdnsquery.md)

dlp-email-alert-in-failed
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

dns-response
↳[cef-microsoft-app-login](Ps/pC_cefmicrosoftapplogin.md)

failed-app-login
↳[azure-event-hub-application-gateway-access-log](Ps/pC_azureeventhubapplicationgatewayaccesslog.md)
↳[cef-microsoft-remote-logon](Ps/pC_cefmicrosoftremotelogon.md)

failed-logon
↳[azure-event-hub-process-events](Ps/pC_azureeventhubprocessevents.md)
↳[azure-event-hub-process-events-1](Ps/pC_azureeventhubprocessevents1.md)

failed-usb-activity
↳[azure-app-login](Ps/pC_azureapplogin.md)

file-delete
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-process-created-1](Ps/pC_azureprocesscreated1.md)

file-download
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-read
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-write
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-event-hub-usb-activity](Ps/pC_azureeventhubusbactivity.md)

member-added
↳[azure-event-hub-member-removed](Ps/pC_azureeventhubmemberremoved.md)
↳[azure-ad-member-removed-1](Ps/pC_azureadmemberremoved1.md)

member-removed
↳[azure-event-hub-file-read](Ps/pC_azureeventhubfileread.md)

network-connection-failed
↳[azure-event-hub-sql-security-event](Ps/pC_azureeventhubsqlsecurityevent.md)

network-connection-successful
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

privileged-access
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

process-created
↳[azure-event-hub-remote-logon](Ps/pC_azureeventhubremotelogon.md)

remote-logon
↳[azure-event-hub-file-events](Ps/pC_azureeventhubfileevents.md)

security-alert
↳[cef-microsoft-database-query](Ps/pC_cefmicrosoftdatabasequery.md)

storage-activity
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

storage-activity-failed
↳[s-azure-storage-access](Ps/pC_sazurestorageaccess.md)
↳[json-azure-storage-access](Ps/pC_jsonazurestorageaccess.md)

usb-activity
↳[azure-event-hub-usb-insert](Ps/pC_azureeventhubusbinsert.md)

usb-insert
↳[azure-event-hub-member-added](Ps/pC_azureeventhubmemberadded.md)
| T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1110 - Brute Force
T1133 - External Remote Services
| [](RM/r_m_microsoft_azure_Abnormal_Authentication_&_Access.md) | -| [Account Manipulation](../../../UseCases/uc_account_manipulation.md) | account-password-change
↳[cef-microsoft-failed-app-login](Ps/pC_cefmicrosoftfailedapplogin.md)

account-password-reset
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)

app-activity
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

app-activity-failed
↳[cef-azure-app-login](Ps/pC_cefazureapplogin.md)
↳[azure-event-hub-app-service-audit-logs](Ps/pC_azureeventhubappserviceauditlogs.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[azure-event-hub-key-vault-auth](Ps/pC_azureeventhubkeyvaultauth.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)

app-login
↳[cef-azure-failed-app-login](Ps/pC_cefazurefailedapplogin.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)
↳[cef-microsoft-password-change](Ps/pC_cefmicrosoftpasswordchange.md)

authentication-failed
↳[azure-file-read-1](Ps/pC_azurefileread1.md)
↳[azure-file-read](Ps/pC_azurefileread.md)
↳[azure-file-read-3](Ps/pC_azurefileread3.md)
↳[azure-file-read-2](Ps/pC_azurefileread2.md)
↳[microsoft-network-alert](Ps/pC_microsoftnetworkalert.md)
↳[azure-file-write](Ps/pC_azurefilewrite.md)

authentication-successful
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)

cloud-admin-activity
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

cloud-admin-activity-failed
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

database-query
↳[cef-azure-event-hub-security](Ps/pC_cefazureeventhubsecurity.md)
↳[cef-microsoft-dns-query](Ps/pC_cefmicrosoftdnsquery.md)

dlp-email-alert-in-failed
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

dns-response
↳[cef-microsoft-app-login](Ps/pC_cefmicrosoftapplogin.md)

failed-app-login
↳[azure-event-hub-application-gateway-access-log](Ps/pC_azureeventhubapplicationgatewayaccesslog.md)
↳[cef-microsoft-remote-logon](Ps/pC_cefmicrosoftremotelogon.md)

failed-logon
↳[azure-event-hub-process-events](Ps/pC_azureeventhubprocessevents.md)
↳[azure-event-hub-process-events-1](Ps/pC_azureeventhubprocessevents1.md)

failed-usb-activity
↳[azure-app-login](Ps/pC_azureapplogin.md)

file-delete
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-process-created-1](Ps/pC_azureprocesscreated1.md)

file-download
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-read
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-write
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-event-hub-usb-activity](Ps/pC_azureeventhubusbactivity.md)

member-added
↳[azure-event-hub-member-removed](Ps/pC_azureeventhubmemberremoved.md)
↳[azure-ad-member-removed-1](Ps/pC_azureadmemberremoved1.md)

member-removed
↳[azure-event-hub-file-read](Ps/pC_azureeventhubfileread.md)

network-connection-failed
↳[azure-event-hub-sql-security-event](Ps/pC_azureeventhubsqlsecurityevent.md)

network-connection-successful
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

privileged-access
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

process-created
↳[azure-event-hub-remote-logon](Ps/pC_azureeventhubremotelogon.md)

remote-logon
↳[azure-event-hub-file-events](Ps/pC_azureeventhubfileevents.md)

security-alert
↳[cef-microsoft-database-query](Ps/pC_cefmicrosoftdatabasequery.md)

storage-activity
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

storage-activity-failed
↳[s-azure-storage-access](Ps/pC_sazurestorageaccess.md)
↳[json-azure-storage-access](Ps/pC_jsonazurestorageaccess.md)

usb-activity
↳[azure-event-hub-usb-insert](Ps/pC_azureeventhubusbinsert.md)

usb-insert
↳[azure-event-hub-member-added](Ps/pC_azureeventhubmemberadded.md)
| T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
| [](RM/r_m_microsoft_azure_Account_Manipulation.md) | +| [Abnormal Authentication & Access](../../../UseCases/uc_abnormal_authentication_&_access.md) | account-password-change
↳[cef-microsoft-failed-app-login](Ps/pC_cefmicrosoftfailedapplogin.md)

account-password-reset
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)

app-activity
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

app-activity-failed
↳[cef-azure-app-login](Ps/pC_cefazureapplogin.md)
↳[azure-event-hub-app-service-audit-logs](Ps/pC_azureeventhubappserviceauditlogs.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[azure-event-hub-key-vault-auth](Ps/pC_azureeventhubkeyvaultauth.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)

app-login
↳[cef-azure-failed-app-login](Ps/pC_cefazurefailedapplogin.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)
↳[cef-microsoft-password-change](Ps/pC_cefmicrosoftpasswordchange.md)

authentication-failed
↳[azure-file-read-1](Ps/pC_azurefileread1.md)
↳[azure-file-read](Ps/pC_azurefileread.md)
↳[azure-file-read-3](Ps/pC_azurefileread3.md)
↳[azure-file-read-2](Ps/pC_azurefileread2.md)
↳[microsoft-network-alert](Ps/pC_microsoftnetworkalert.md)
↳[azure-file-write](Ps/pC_azurefilewrite.md)

authentication-successful
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)

cloud-admin-activity
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

cloud-admin-activity-failed
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

database-query
↳[cef-azure-event-hub-security](Ps/pC_cefazureeventhubsecurity.md)
↳[cef-microsoft-dns-query](Ps/pC_cefmicrosoftdnsquery.md)

dlp-email-alert-in-failed
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

dns-response
↳[cef-microsoft-app-login](Ps/pC_cefmicrosoftapplogin.md)

failed-app-login
↳[azure-event-hub-application-gateway-access-log](Ps/pC_azureeventhubapplicationgatewayaccesslog.md)
↳[cef-microsoft-remote-logon](Ps/pC_cefmicrosoftremotelogon.md)

failed-logon
↳[azure-event-hub-process-events](Ps/pC_azureeventhubprocessevents.md)
↳[azure-event-hub-process-events-1](Ps/pC_azureeventhubprocessevents1.md)

failed-usb-activity
↳[azure-app-login](Ps/pC_azureapplogin.md)

file-delete
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-process-created-1](Ps/pC_azureprocesscreated1.md)

file-download
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-read
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-write
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-event-hub-usb-activity](Ps/pC_azureeventhubusbactivity.md)

member-added
↳[azure-event-hub-member-removed](Ps/pC_azureeventhubmemberremoved.md)
↳[azure-ad-member-removed-1](Ps/pC_azureadmemberremoved1.md)

member-removed
↳[azure-event-hub-file-read](Ps/pC_azureeventhubfileread.md)

network-connection-failed
↳[azure-event-hub-sql-security-event](Ps/pC_azureeventhubsqlsecurityevent.md)

network-connection-successful
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

privileged-access
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

process-created
↳[azure-event-hub-remote-logon](Ps/pC_azureeventhubremotelogon.md)

remote-logon
↳[azure-event-hub-file-events](Ps/pC_azureeventhubfileevents.md)

security-alert
↳[cef-microsoft-database-query](Ps/pC_cefmicrosoftdatabasequery.md)

storage-activity
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

storage-activity-failed
↳[s-azure-storage-access](Ps/pC_sazurestorageaccess.md)
↳[json-azure-storage-access](Ps/pC_jsonazurestorageaccess.md)

usb-activity
↳[azure-event-hub-usb-insert](Ps/pC_azureeventhubusbinsert.md)

usb-insert
↳[azure-event-hub-member-added](Ps/pC_azureeventhubmemberadded.md)
| T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1110 - Brute Force
T1133 - External Remote Services
T1136.003 - Create Account: Create: Cloud Account
T1530 - Data from Cloud Storage Object
| [](RM/r_m_microsoft_azure_Abnormal_Authentication_&_Access.md) | +| [Account Manipulation](../../../UseCases/uc_account_manipulation.md) | account-password-change
↳[cef-microsoft-failed-app-login](Ps/pC_cefmicrosoftfailedapplogin.md)

account-password-reset
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)

app-activity
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[cef-azure-app-activity-5](Ps/pC_cefazureappactivity5.md)
↳[cef-azure-app-activity-3](Ps/pC_cefazureappactivity3.md)
↳[cef-azure-app-activity-4](Ps/pC_cefazureappactivity4.md)
↳[cef-azure-app-activity-1](Ps/pC_cefazureappactivity1.md)
↳[azure-app-activity-3](Ps/pC_azureappactivity3.md)
↳[cef-azure-app-activity-2](Ps/pC_cefazureappactivity2.md)
↳[azure-app-activity-2](Ps/pC_azureappactivity2.md)
↳[azure-app-activity-1](Ps/pC_azureappactivity1.md)
↳[azure-app-activity-7](Ps/pC_azureappactivity7.md)
↳[azure-app-activity-6](Ps/pC_azureappactivity6.md)
↳[azure-app-activity-5](Ps/pC_azureappactivity5.md)
↳[azure-app-activity-4](Ps/pC_azureappactivity4.md)
↳[ms-azure-eventhubs-app-activity](Ps/pC_msazureeventhubsappactivity.md)
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

app-activity-failed
↳[cef-azure-app-login](Ps/pC_cefazureapplogin.md)
↳[azure-event-hub-app-service-audit-logs](Ps/pC_azureeventhubappserviceauditlogs.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[azure-event-hub-key-vault-auth](Ps/pC_azureeventhubkeyvaultauth.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)

app-login
↳[cef-azure-failed-app-login](Ps/pC_cefazurefailedapplogin.md)
↳[s-azure-app-login](Ps/pC_sazureapplogin.md)
↳[ms-azure-signin-app-login](Ps/pC_msazuresigninapplogin.md)
↳[ms-azure-eventhubs-login](Ps/pC_msazureeventhubslogin.md)
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)
↳[cef-microsoft-password-change](Ps/pC_cefmicrosoftpasswordchange.md)

authentication-failed
↳[azure-file-read-1](Ps/pC_azurefileread1.md)
↳[azure-file-read](Ps/pC_azurefileread.md)
↳[azure-file-read-3](Ps/pC_azurefileread3.md)
↳[azure-file-read-2](Ps/pC_azurefileread2.md)
↳[microsoft-network-alert](Ps/pC_microsoftnetworkalert.md)
↳[azure-file-write](Ps/pC_azurefilewrite.md)

authentication-successful
↳[s-azure-authentication](Ps/pC_sazureauthentication.md)

cloud-admin-activity
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

cloud-admin-activity-failed
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

database-query
↳[cef-azure-event-hub-security](Ps/pC_cefazureeventhubsecurity.md)
↳[cef-microsoft-dns-query](Ps/pC_cefmicrosoftdnsquery.md)

dlp-email-alert-in-failed
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

dns-response
↳[cef-microsoft-app-login](Ps/pC_cefmicrosoftapplogin.md)

failed-app-login
↳[azure-event-hub-application-gateway-access-log](Ps/pC_azureeventhubapplicationgatewayaccesslog.md)
↳[cef-microsoft-remote-logon](Ps/pC_cefmicrosoftremotelogon.md)

failed-logon
↳[azure-event-hub-process-events](Ps/pC_azureeventhubprocessevents.md)
↳[azure-event-hub-process-events-1](Ps/pC_azureeventhubprocessevents1.md)

failed-usb-activity
↳[azure-app-login](Ps/pC_azureapplogin.md)

file-delete
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-process-created-1](Ps/pC_azureprocesscreated1.md)

file-download
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-read
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)

file-write
↳[cef-microsoft-app-activity-13](Ps/pC_cefmicrosoftappactivity13.md)
↳[cef-microsoft-app-activity-44](Ps/pC_cefmicrosoftappactivity44.md)
↳[cef-microsoft-app-activity-43](Ps/pC_cefmicrosoftappactivity43.md)
↳[cef-microsoft-app-activity-38](Ps/pC_cefmicrosoftappactivity38.md)
↳[azure-event-hub-usb-activity](Ps/pC_azureeventhubusbactivity.md)

member-added
↳[azure-event-hub-member-removed](Ps/pC_azureeventhubmemberremoved.md)
↳[azure-ad-member-removed-1](Ps/pC_azureadmemberremoved1.md)

member-removed
↳[azure-event-hub-file-read](Ps/pC_azureeventhubfileread.md)

network-connection-failed
↳[azure-event-hub-sql-security-event](Ps/pC_azureeventhubsqlsecurityevent.md)

network-connection-successful
↳[azure-event-hub-network-security-group-event](Ps/pC_azureeventhubnetworksecuritygroupevent.md)
↳[azure-event-hub-network-security-group-rule-counter](Ps/pC_azureeventhubnetworksecuritygrouprulecounter.md)
↳[azure-event-hub-network-connection](Ps/pC_azureeventhubnetworkconnection.md)
↳[azure-event-hub-application-gateway-firewall-log](Ps/pC_azureeventhubapplicationgatewayfirewalllog.md)

privileged-access
↳[s-azure-authorization-activity](Ps/pC_sazureauthorizationactivity.md)
↳[s-azure-api-management](Ps/pC_sazureapimanagement.md)
↳[s-azure-authorization-activity-3](Ps/pC_sazureauthorizationactivity3.md)
↳[s-azure-authorization-activity-2](Ps/pC_sazureauthorizationactivity2.md)
↳[s-azure-managed-identity](Ps/pC_sazuremanagedidentity.md)
↳[s-azure-pim-activity](Ps/pC_sazurepimactivity.md)
↳[s-azure-core-directory](Ps/pC_sazurecoredirectory.md)

process-created
↳[azure-event-hub-remote-logon](Ps/pC_azureeventhubremotelogon.md)

remote-logon
↳[azure-event-hub-file-events](Ps/pC_azureeventhubfileevents.md)

security-alert
↳[cef-microsoft-database-query](Ps/pC_cefmicrosoftdatabasequery.md)

storage-activity
↳[s-azure-storage-activity-2](Ps/pC_sazurestorageactivity2.md)
↳[s-azure-storage-activity-3](Ps/pC_sazurestorageactivity3.md)
↳[s-azure-storage-activity](Ps/pC_sazurestorageactivity.md)

storage-activity-failed
↳[s-azure-storage-access](Ps/pC_sazurestorageaccess.md)
↳[json-azure-storage-access](Ps/pC_jsonazurestorageaccess.md)

usb-activity
↳[azure-event-hub-usb-insert](Ps/pC_azureeventhubusbinsert.md)

usb-insert
↳[azure-event-hub-member-added](Ps/pC_azureeventhubmemberadded.md)
| T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.003 - Create Account: Create: Cloud Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1530 - Data from Cloud Storage Object
T1531 - Account Access Removal
T1559.002 - T1559.002
| [](RM/r_m_microsoft_azure_Account_Manipulation.md) | [Next Page -->>](2_ds_microsoft_azure.md) ATT&CK Matrix for Enterprise diff --git a/DataSources/ServiceNow/ServiceNow/RM/r_m_servicenow_servicenow_Abnormal_Authentication_&_Access.md b/DataSources/ServiceNow/ServiceNow/RM/r_m_servicenow_servicenow_Abnormal_Authentication_&_Access.md index 862dd923d4..e006298ea8 100644 --- a/DataSources/ServiceNow/ServiceNow/RM/r_m_servicenow_servicenow_Abnormal_Authentication_&_Access.md +++ b/DataSources/ServiceNow/ServiceNow/RM/r_m_servicenow_servicenow_Abnormal_Authentication_&_Access.md 
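Review bot: The parser lists in the regenerated Account Manipulation row (and in the new Abnormal Authentication & Access row above it) look shifted by one event type: `process-created` lists only `azure-event-hub-remote-logon`, `remote-logon` lists `azure-event-hub-file-events`, `usb-insert` lists `azure-event-hub-member-added`, and `account-password-change` lists `cef-microsoft-failed-app-login`. The removed row had the same pairing, so this is a pre-existing generator defect rather than a regression, but since the row is regenerated here the event-type/parser join should be fixed before merging. In the MITRE TTP column, several entries have no resolved name (`T1003.003 - T1003.003`, `T1021.003 - T1021.003`, `T1059.003 - T1059.003`, `T1078.002 - T1078.002`, `T1559.002 - T1559.002`), `Interperter` is misspelled in the T1059.001 line, and `Create Account: Create: Local Account` repeats `Create:`. The new Account Manipulation row also gains T1078.004, T1136.003 and T1530 relative to the removed one; `T1530 - Data from Cloud Storage Object` under an account-manipulation use case looks like fallout from folding the Cloud Data Protection content into this use case and deserves a second look. Finally, the Content cell `[](RM/r_m_microsoft_azure_Account_Manipulation.md)` has empty link text and will render as an invisible link.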
@@ -5,9 +5,10 @@ Vendor: ServiceNow | Rules | Models | MITRE TTPs | Event Types | Parsers | |:-----:|:------:|:----------:|:-----------:|:-------:| -| 14 | 4 | 2 | 8 | 8 | +| 30 | 11 | 4 | 8 | 8 | -| Event Type | Rules | Models | -| -------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| account-switch | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user
DC23: Abnormal session start time
DC24: Abnormal day of week | • AE-UA: All activity for users | -| app-login | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user
DC23: Abnormal session start time
DC24: Abnormal day of week
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
NEW-USER-F: User with no event history
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user

T1133 - External Remote Services
UA-UC-F: First activity from country for user
UA-UC-A: Abnormal activity from country for user
UA-GC-F: First activity from country for group
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user | • UA-OC: Countries for organization
UA-GC: Countries for peer groups
UA-UC: Countries for user activity
AE-UA: All activity for users | \ No newline at end of file +| Event Type | Rules | Models | +| -------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| account-switch | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user
DC23: Abnormal session start time
DC24: Abnormal day of week | • AE-UA: All activity for users | +| app-login | T1078 - Valid Accounts
DORMANT-USER: Dormant User
AE-UA-F: First activity type for user
DC23: Abnormal session start time
DC24: Abnormal day of week
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
NEW-USER-F: User with no event history
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user

T1133 - External Remote Services
UA-UC-F: First activity from country for user
UA-UC-A: Abnormal activity from country for user
UA-GC-F: First activity from country for group
UA-GC-A: Abnormal activity from country for group
UA-OC-F: First activity from country for organization
UA-OC-A: Abnormal activity from country for organization
UA-UC-new: Abnormal country for user by new user
UA-GC-new: Abnormal country for group by new user
UA-OC-new: Abnormal country for organization by new user | • UA-OC: Countries for organization
UA-GC: Countries for peer groups
UA-UC: Countries for user activity
AE-UA: All activity for users | +| storage-access | T1530 - Data from Cloud Storage Object
B-CS-Bucket-UA-F: New user agent has accessed this bucket, possible exfiltration
B-CS-Bucket-UA-A: Abnormal user agent access to this bucket, possible exfiltration
B-CS-Bucket-Users-F: First time for user to access this bucket
B-CS-Bucket-Users-A: Abnormal user accessing this storage container/bucket
B-CS-Bucket-Activity-F: First type of object access against this bucket
B-CS-Bucket-Activity-A: Abnormal type of object access against this bucket
CS-Storage-Activity-F: First time using this event activity against the cloud storage service
CS-Storage-Activity-A: Abnormal activity against the cloud storage service
CS-Users-F: First time this user is seen accessing the cloud storage service
CS-Users-A: Abnormal user is seen accessing the cloud storage service
B-CS-UType-F: First time this specific user type has accessed this bucket
B-CS-UType-A: Abnormal for this user type to access this bucket

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization
CS-UA-P-F: First user agent for peer group to access cloud services
CS-UA-P-A: Abnormal user agent for the peer group accessing cloud service | • B-CS-IType: User Identity types per cloud storage container
CS-Users: Users accessing cloud storage in the org
CS-Storage-Activity: Cloud storage activities for the user
B-CS-Bucket-Activity: Activities per storage container/bucket
B-CS-Bucket-Users: Users per storage container/bucket
B-CS-Bucket-UA: User agents per bucket
CS-P-UA: User agents accessing cloud storage per peer group | \ No newline at end of file diff --git a/DataSources/ServiceNow/ServiceNow/RM/r_m_servicenow_servicenow_Account_Manipulation.md b/DataSources/ServiceNow/ServiceNow/RM/r_m_servicenow_servicenow_Account_Manipulation.md new file mode 100644 index 0000000000..66b7064405 --- /dev/null +++ b/DataSources/ServiceNow/ServiceNow/RM/r_m_servicenow_servicenow_Account_Manipulation.md @@ -0,0 +1,12 @@ +Vendor: ServiceNow +================== +### Product: [ServiceNow](../ds_servicenow_servicenow.md) +### Use-Case: [Account Manipulation](../../../../UseCases/uc_account_manipulation.md) + +| Rules | Models | MITRE TTPs | Event Types | Parsers | +|:-----:|:------:|:----------:|:-----------:|:-------:| +| 1 | 1 | 1 | 8 | 8 | + +| Event Type | Rules | Models | +| -------------- | ------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------- | +| storage-access | T1530 - Data from Cloud Storage Object
B-CS-Buckets-F: First cloud storage/bucket in the organization | • B-CS-Buckets: Buckets seen in the organization | \ No newline at end of file diff --git a/DataSources/ServiceNow/ServiceNow/RM/r_m_servicenow_servicenow_Cloud_Data_Protection.md b/DataSources/ServiceNow/ServiceNow/RM/r_m_servicenow_servicenow_Cloud_Data_Protection.md deleted file mode 100644 index f2eeeee57c..0000000000 --- a/DataSources/ServiceNow/ServiceNow/RM/r_m_servicenow_servicenow_Cloud_Data_Protection.md +++ /dev/null 
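Review bot: In the new `storage-access` row of the Abnormal Authentication & Access table, the Rules and Models columns do not line up: `CS-UA-O-F`/`CS-UA-O-A` (first/abnormal user agent in the organization) have no organization-scope user-agent model in the Models column, which only lists `CS-P-UA` for the peer group, and `B-CS-UType-F`/`B-CS-UType-A` are paired with a model named `B-CS-IType`. Either the Models column is missing entries or the rule-to-model mapping in the generator is wrong; please check which before merging. The summary counts do reconcile (14 + 16 unique rules = 30, 4 + 7 models = 11, and T1530 plus T1078.004 bring the TTPs to 4). The file still ends with `\ No newline at end of file`; add the trailing newline.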
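Review bot: The only content of the new Account Manipulation page is `B-CS-Buckets-F: First cloud storage/bucket in the organization` under `T1530 - Data from Cloud Storage Object`, backed by the `B-CS-Buckets` model; a first-seen-bucket rule is a cloud storage detection, not account manipulation, and elsewhere in this diff the Azure page maps the Account Manipulation use case to T1098. This looks like a leftover from splitting the deleted Cloud Data Protection page (16 of its 17 rules went to Abnormal Authentication & Access, this one landed here). If the split is intentional, say why in the commit message; otherwise move this rule alongside the other `B-CS-Bucket-*` rules. The header also reports 8 event types and 8 parsers for a table with a single `storage-access` row; if those counts are data-source-wide rather than per use case, the column headers should say so. Add the trailing newline at EOF as well.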
@@ -1,12 +0,0 @@ -Vendor: ServiceNow -================== -### Product: [ServiceNow](../ds_servicenow_servicenow.md) -### Use-Case: [Cloud Data Protection](../../../../UseCases/uc_cloud_data_protection.md) - -| Rules | Models | MITRE TTPs | Event Types | Parsers | -|:-----:|:------:|:----------:|:-----------:|:-------:| -| 17 | 8 | 2 | 8 | 8 | - -| Event Type | Rules | Models | -| -------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| storage-access | T1530 - Data from Cloud Storage Object
B-CS-Buckets-F: First cloud storage/bucket in the organization
B-CS-Bucket-UA-F: New user agent has accessed this bucket, possible exfiltration
B-CS-Bucket-UA-A: Abnormal user agent access to this bucket, possible exfiltration
B-CS-Bucket-Users-F: First time for user to access this bucket
B-CS-Bucket-Users-A: Abnormal user accessing this storage container/bucket
B-CS-Bucket-Activity-F: First type of object access against this bucket
B-CS-Bucket-Activity-A: Abnormal type of object access against this bucket
CS-Storage-Activity-F: First time using this event activity against the cloud storage service
CS-Storage-Activity-A: Abnormal activity against the cloud storage service
CS-Users-F: First time this user is seen accessing the cloud storage service
CS-Users-A: Abnormal user is seen accessing the cloud storage service
B-CS-UType-F: First time this specific user type has accessed this bucket
B-CS-UType-A: Abnormal for this user type to access this bucket

T1078.004 - Valid Accounts: Cloud Accounts
CS-UA-O-F: First user agent to access cloud services in the organization
CS-UA-O-A: Abnormal user agent accessing cloud services in the organization
CS-UA-P-F: First user agent for peer group to access cloud services
CS-UA-P-A: Abnormal user agent for the peer group accessing cloud service | • B-CS-IType: User Identity types per cloud storage container
CS-Users: Users accessing cloud storage in the org
CS-Storage-Activity: Cloud storage activities for the user
B-CS-Bucket-Activity: Activities per storage container/bucket
B-CS-Bucket-Users: Users per storage container/bucket
B-CS-Bucket-UA: User agents per bucket
B-CS-Buckets: Buckets seen in the organization
CS-P-UA: User agents accessing cloud storage per peer group | \ No newline at end of file diff --git a/DataSources/ServiceNow/ServiceNow/ds_servicenow_servicenow.md b/DataSources/ServiceNow/ServiceNow/ds_servicenow_servicenow.md index 94bbed1596..6808c0849a 100644 --- a/DataSources/ServiceNow/ServiceNow/ds_servicenow_servicenow.md +++ b/DataSources/ServiceNow/ServiceNow/ds_servicenow_servicenow.md @@ -8,8 +8,8 @@ Product: ServiceNow | Use-Case | Event Types/Parsers | MITRE TTP | Content | |:----:| ---- | ---- | ---- | -| [Abnormal Authentication & Access](../../../UseCases/uc_abnormal_authentication_&_access.md) | account-switch
↳[snow-app-activity](Ps/pC_snowappactivity.md)

app-login
↳[cef-servicenow-login-failed](Ps/pC_cefservicenowloginfailed.md)

file-delete
↳[cef-servicenow-file-operation-2](Ps/pC_cefservicenowfileoperation2.md)

file-download
↳[cef-servicenow-file-operation-2](Ps/pC_cefservicenowfileoperation2.md)

file-read
↳[cef-servicenow-file-operation-2](Ps/pC_cefservicenowfileoperation2.md)

file-upload
↳[cef-servicenow-file-operation-2](Ps/pC_cefservicenowfileoperation2.md)

security-alert
↳[cef-servicenow-file-operation-2](Ps/pC_cefservicenowfileoperation2.md)

storage-access
↳[cef-servicenow-login-1](Ps/pC_cefservicenowlogin1.md)
↳[cef-servicenow-login-2](Ps/pC_cefservicenowlogin2.md)
| T1078 - Valid Accounts
T1133 - External Remote Services
| [](RM/r_m_servicenow_servicenow_Abnormal_Authentication_&_Access.md) | -| [Cloud Data Protection](../../../UseCases/uc_cloud_data_protection.md) | account-switch
↳[snow-app-activity](Ps/pC_snowappactivity.md)

app-login
↳[cef-servicenow-login-failed](Ps/pC_cefservicenowloginfailed.md)

file-delete
↳[cef-servicenow-file-operation-2](Ps/pC_cefservicenowfileoperation2.md)

file-download
↳[cef-servicenow-file-operation-2](Ps/pC_cefservicenowfileoperation2.md)

file-read
↳[cef-servicenow-file-operation-2](Ps/pC_cefservicenowfileoperation2.md)

file-upload
↳[cef-servicenow-file-operation-2](Ps/pC_cefservicenowfileoperation2.md)

security-alert
↳[cef-servicenow-file-operation-2](Ps/pC_cefservicenowfileoperation2.md)

storage-access
↳[cef-servicenow-login-1](Ps/pC_cefservicenowlogin1.md)
↳[cef-servicenow-login-2](Ps/pC_cefservicenowlogin2.md)
| T1078.004 - Valid Accounts: Cloud Accounts
T1530 - Data from Cloud Storage Object
| [](RM/r_m_servicenow_servicenow_Cloud_Data_Protection.md) | +| [Abnormal Authentication & Access](../../../UseCases/uc_abnormal_authentication_&_access.md) | account-switch
↳[snow-app-activity](Ps/pC_snowappactivity.md)

app-login
↳[cef-servicenow-login-failed](Ps/pC_cefservicenowloginfailed.md)

file-delete
↳[cef-servicenow-file-operation-2](Ps/pC_cefservicenowfileoperation2.md)

file-download
↳[cef-servicenow-file-operation-2](Ps/pC_cefservicenowfileoperation2.md)

file-read
↳[cef-servicenow-file-operation-2](Ps/pC_cefservicenowfileoperation2.md)

file-upload
↳[cef-servicenow-file-operation-2](Ps/pC_cefservicenowfileoperation2.md)

security-alert
↳[cef-servicenow-file-operation-2](Ps/pC_cefservicenowfileoperation2.md)

storage-access
↳[cef-servicenow-login-1](Ps/pC_cefservicenowlogin1.md)
↳[cef-servicenow-login-2](Ps/pC_cefservicenowlogin2.md)
| T1078 - Valid Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1133 - External Remote Services
T1530 - Data from Cloud Storage Object
| [](RM/r_m_servicenow_servicenow_Abnormal_Authentication_&_Access.md) | +| [Account Manipulation](../../../UseCases/uc_account_manipulation.md) | account-switch
↳[snow-app-activity](Ps/pC_snowappactivity.md)

app-login
↳[cef-servicenow-login-failed](Ps/pC_cefservicenowloginfailed.md)

file-delete
↳[cef-servicenow-file-operation-2](Ps/pC_cefservicenowfileoperation2.md)

file-download
↳[cef-servicenow-file-operation-2](Ps/pC_cefservicenowfileoperation2.md)

file-read
↳[cef-servicenow-file-operation-2](Ps/pC_cefservicenowfileoperation2.md)

file-upload
↳[cef-servicenow-file-operation-2](Ps/pC_cefservicenowfileoperation2.md)

security-alert
↳[cef-servicenow-file-operation-2](Ps/pC_cefservicenowfileoperation2.md)

storage-access
↳[cef-servicenow-login-1](Ps/pC_cefservicenowlogin1.md)
↳[cef-servicenow-login-2](Ps/pC_cefservicenowlogin2.md)
| T1530 - Data from Cloud Storage Object
| [](RM/r_m_servicenow_servicenow_Account_Manipulation.md) | [Next Page -->>](2_ds_servicenow_servicenow.md) ATT&CK Matrix for Enterprise diff --git a/Exabeam Use Cases.md b/Exabeam Use Cases.md index 41e2e84600..c1d5de9fb5 100644 --- a/Exabeam Use Cases.md +++ b/Exabeam Use Cases.md @@ -1,6 +1,6 @@ Exabeam Supported Use Cases =========================== -| Compromised Insiders | Malicious Insiders | External Threats | -| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Account Manipulation](UseCases/uc_account_manipulation.md)
[Cloud Data Protection](UseCases/uc_cloud_data_protection.md)
[Compromised Credentials](UseCases/uc_compromised_credentials.md)
[Data Exfiltration](UseCases/uc_data_exfiltration.md)
[Evasion](UseCases/uc_evasion.md)
[Lateral Movement](UseCases/uc_lateral_movement.md)
[Privilege Escalation](UseCases/uc_privilege_escalation.md)
[Privileged Activity](UseCases/uc_privileged_activity.md)
| [Abnormal Authentication & Access](UseCases/uc_abnormal_authentication_&_access.md)
[Audit Tampering](UseCases/uc_audit_tampering.md)
[Data Access](UseCases/uc_data_access.md)
[Data Leak](UseCases/uc_data_leak.md)
[Destruction of Data](UseCases/uc_destruction_of_data.md)
[Physical Security](UseCases/uc_physical_security.md)
[Privilege Abuse](UseCases/uc_privilege_abuse.md)
[Workforce Protection](UseCases/uc_workforce_protection.md)
| [Brute Force Attack](UseCases/uc_brute_force_attack.md)
[Cryptomining](UseCases/uc_cryptomining.md)
[Malware](UseCases/uc_malware.md)
[Phishing](UseCases/uc_phishing.md)
[Ransomware](UseCases/uc_ransomware.md)
| \ No newline at end of file +| Compromised Insiders | Malicious Insiders | External Threats | +| --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [Account Manipulation](UseCases/uc_account_manipulation.md)
[Compromised Credentials](UseCases/uc_compromised_credentials.md)
[Data Exfiltration](UseCases/uc_data_exfiltration.md)
[Evasion](UseCases/uc_evasion.md)
[Lateral Movement](UseCases/uc_lateral_movement.md)
[Privilege Escalation](UseCases/uc_privilege_escalation.md)
[Privileged Activity](UseCases/uc_privileged_activity.md)
| [Abnormal Authentication & Access](UseCases/uc_abnormal_authentication_&_access.md)
[Audit Tampering](UseCases/uc_audit_tampering.md)
[Data Access](UseCases/uc_data_access.md)
[Data Leak](UseCases/uc_data_leak.md)
[Destruction of Data](UseCases/uc_destruction_of_data.md)
[Physical Security](UseCases/uc_physical_security.md)
[Privilege Abuse](UseCases/uc_privilege_abuse.md)
[Workforce Protection](UseCases/uc_workforce_protection.md)
| [Brute Force Attack](UseCases/uc_brute_force_attack.md)
[Cryptomining](UseCases/uc_cryptomining.md)
[Malware](UseCases/uc_malware.md)
[Phishing](UseCases/uc_phishing.md)
[Ransomware](UseCases/uc_ransomware.md)
| \ No newline at end of file diff --git a/UseCases/uc_abnormal_authentication_&_access.md b/UseCases/uc_abnormal_authentication_&_access.md index eb652cb059..33cf48454c 100644 --- a/UseCases/uc_abnormal_authentication_&_access.md +++ b/UseCases/uc_abnormal_authentication_&_access.md @@ -52,10 +52,10 @@ Use Case: Abnormal Authentication & Access |:---------------------------------------------------------------------------------------------:| --------------------------------------------- | -------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [Firewall Analyzer](../DataSources/AlgoSec/Firewall_Analyzer/ds_algosec_firewall_analyzer.md) | | T1078 - Valid Accounts
| [](../DataSources/AlgoSec/Firewall_Analyzer/RM/r_m_algosec_firewall_analyzer_Abnormal_Authentication_&_Access.md) | ### Vendor: Amazon -| Product | Event Types | MITRE TTP | Content | -|:----------------------------------------------------------------------------------:| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [AWS Bastion](../DataSources/Amazon/AWS_Bastion/ds_amazon_aws_bastion.md) | | T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
| [](../DataSources/Amazon/AWS_Bastion/RM/r_m_amazon_aws_bastion_Abnormal_Authentication_&_Access.md) | -| [AWS CloudTrail](../DataSources/Amazon/AWS_CloudTrail/ds_amazon_aws_cloudtrail.md) | | T1078 - Valid Accounts
T1133 - External Remote Services
| [](../DataSources/Amazon/AWS_CloudTrail/RM/r_m_amazon_aws_cloudtrail_Abnormal_Authentication_&_Access.md) | +| Product | Event Types | MITRE TTP | Content | +|:----------------------------------------------------------------------------------:| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [AWS Bastion](../DataSources/Amazon/AWS_Bastion/ds_amazon_aws_bastion.md) | | T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
| [](../DataSources/Amazon/AWS_Bastion/RM/r_m_amazon_aws_bastion_Abnormal_Authentication_&_Access.md) | +| [AWS CloudTrail](../DataSources/Amazon/AWS_CloudTrail/ds_amazon_aws_cloudtrail.md) | | T1078 - Valid Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1133 - External Remote Services
T1136.003 - Create Account: Create: Cloud Account
T1530 - Data from Cloud Storage Object
| [](../DataSources/Amazon/AWS_CloudTrail/RM/r_m_amazon_aws_cloudtrail_Abnormal_Authentication_&_Access.md) | ### Vendor: Anywhere365 | Product | Event Types | MITRE TTP | Content | |:-----------------------------------------------------------------------------------:| --------------------------------------- | ------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -391,10 +391,10 @@ Use Case: Abnormal Authentication & Access |:------------------------------------------------------------------------------------------:| ------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [GoAnywhere MFT](../DataSources/GoAnywhere/GoAnywhere_MFT/ds_goanywhere_goanywhere_mft.md) | | T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1110 - Brute Force
T1133 - External Remote Services
| [](../DataSources/GoAnywhere/GoAnywhere_MFT/RM/r_m_goanywhere_goanywhere_mft_Abnormal_Authentication_&_Access.md) | ### Vendor: Google -| Product | Event Types | MITRE TTP | Content | -|:----------------------------------------------------------------------------------:| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Cloud Platform](../DataSources/Google/Cloud_Platform/ds_google_cloud_platform.md) | | T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1133 - External Remote Services
| [](../DataSources/Google/Cloud_Platform/RM/r_m_google_cloud_platform_Abnormal_Authentication_&_Access.md) | -| [Workspace](../DataSources/Google/Workspace/ds_google_workspace.md) | | T1078 - Valid Accounts
T1133 - External Remote Services
| [](../DataSources/Google/Workspace/RM/r_m_google_workspace_Abnormal_Authentication_&_Access.md) | +| Product | Event Types | MITRE TTP | Content | +|:----------------------------------------------------------------------------------:| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [Cloud Platform](../DataSources/Google/Cloud_Platform/ds_google_cloud_platform.md) | | T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1133 - External Remote Services
T1136.003 - Create Account: Create: Cloud Account
T1530 - Data from Cloud Storage Object
| [](../DataSources/Google/Cloud_Platform/RM/r_m_google_cloud_platform_Abnormal_Authentication_&_Access.md) | +| [Workspace](../DataSources/Google/Workspace/ds_google_workspace.md) | | T1078 - Valid Accounts
T1133 - External Remote Services
| [](../DataSources/Google/Workspace/RM/r_m_google_workspace_Abnormal_Authentication_&_Access.md) | ### Vendor: HP | Product | Event Types | MITRE TTP | Content | |:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -557,27 +557,27 @@ Use Case: Abnormal Authentication & Access | [Mcafee EPO](../DataSources/McAfee/Mcafee_EPO/ds_mcafee_mcafee_epo.md) | | T1133 - External Remote Services
| [](../DataSources/McAfee/Mcafee_EPO/RM/r_m_mcafee_mcafee_epo_Abnormal_Authentication_&_Access.md) | | [Skyhigh Networks CASB](../DataSources/McAfee/Skyhigh_Networks_CASB/ds_mcafee_skyhigh_networks_casb.md) | | T1078 - Valid Accounts
T1133 - External Remote Services
| [](../DataSources/McAfee/Skyhigh_Networks_CASB/RM/r_m_mcafee_skyhigh_networks_casb_Abnormal_Authentication_&_Access.md) | ### Vendor: Microsoft -| Product | Event Types | MITRE TTP | Content | -|:-------------------------------------------------------------------------------------------------------------------------------------------------:| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Azure](../DataSources/Microsoft/Azure/ds_microsoft_azure.md) | | T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1110 - Brute Force
T1133 - External Remote Services
| [](../DataSources/Microsoft/Azure/RM/r_m_microsoft_azure_Abnormal_Authentication_&_Access.md) | -| [Azure AD Identity Protection](../DataSources/Microsoft/Azure_AD_Identity_Protection/ds_microsoft_azure_ad_identity_protection.md) | | T1021 - Remote Services
T1078 - Valid Accounts
| [](../DataSources/Microsoft/Azure_AD_Identity_Protection/RM/r_m_microsoft_azure_ad_identity_protection_Abnormal_Authentication_&_Access.md) | -| [Azure Active Directory](../DataSources/Microsoft/Azure_Active_Directory/ds_microsoft_azure_active_directory.md) | | T1078 - Valid Accounts
T1133 - External Remote Services
| [](../DataSources/Microsoft/Azure_Active_Directory/RM/r_m_microsoft_azure_active_directory_Abnormal_Authentication_&_Access.md) | -| [Azure MFA](../DataSources/Microsoft/Azure_MFA/ds_microsoft_azure_mfa.md) | | T1078 - Valid Accounts
T1133 - External Remote Services
| [](../DataSources/Microsoft/Azure_MFA/RM/r_m_microsoft_azure_mfa_Abnormal_Authentication_&_Access.md) | -| [Cloud App Security (MCAS)](../DataSources/Microsoft/Cloud_App_Security_(MCAS)/ds_microsoft_cloud_app_security_(mcas).md) | | T1078 - Valid Accounts
T1133 - External Remote Services
| [](../DataSources/Microsoft/Cloud_App_Security_(MCAS)/RM/r_m_microsoft_cloud_app_security_(mcas)_Abnormal_Authentication_&_Access.md) | -| [Defender ATP](../DataSources/Microsoft/Defender_ATP/ds_microsoft_defender_atp.md) | | T1021 - Remote Services
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
| [](../DataSources/Microsoft/Defender_ATP/RM/r_m_microsoft_defender_atp_Abnormal_Authentication_&_Access.md) | -| [DirectAccess](../DataSources/Microsoft/DirectAccess/ds_microsoft_directaccess.md) | | T1078 - Valid Accounts
T1133 - External Remote Services
| [](../DataSources/Microsoft/DirectAccess/RM/r_m_microsoft_directaccess_Abnormal_Authentication_&_Access.md) | -| [Exchange](../DataSources/Microsoft/Exchange/ds_microsoft_exchange.md) | | T1078 - Valid Accounts
T1133 - External Remote Services
| [](../DataSources/Microsoft/Exchange/RM/r_m_microsoft_exchange_Abnormal_Authentication_&_Access.md) | -| [IIS](../DataSources/Microsoft/IIS/ds_microsoft_iis.md) | | T1071.001 - Application Layer Protocol: Web Protocols
| [](../DataSources/Microsoft/IIS/RM/r_m_microsoft_iis_Abnormal_Authentication_&_Access.md) | -| [Network Policy Server](../DataSources/Microsoft/Network_Policy_Server/ds_microsoft_network_policy_server.md) | | T1021 - Remote Services
T1078 - Valid Accounts
| [](../DataSources/Microsoft/Network_Policy_Server/RM/r_m_microsoft_network_policy_server_Abnormal_Authentication_&_Access.md) | -| [Office 365](../DataSources/Microsoft/Office_365/ds_microsoft_office_365.md) | | T1021 - Remote Services
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1110 - Brute Force
T1133 - External Remote Services
| [](../DataSources/Microsoft/Office_365/RM/r_m_microsoft_office_365_Abnormal_Authentication_&_Access.md) | -| [OneDrive](../DataSources/Microsoft/OneDrive/ds_microsoft_onedrive.md) | | T1078 - Valid Accounts
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
| [](../DataSources/Microsoft/OneDrive/RM/r_m_microsoft_onedrive_Abnormal_Authentication_&_Access.md) | -| [Routing and Remote Access Service](../DataSources/Microsoft/Routing_and_Remote_Access_Service/ds_microsoft_routing_and_remote_access_service.md) | | T1078 - Valid Accounts
T1133 - External Remote Services
| [](../DataSources/Microsoft/Routing_and_Remote_Access_Service/RM/r_m_microsoft_routing_and_remote_access_service_Abnormal_Authentication_&_Access.md) | -| [SQL Server](../DataSources/Microsoft/SQL_Server/ds_microsoft_sql_server.md) | | T1071.001 - Application Layer Protocol: Web Protocols
T1133 - External Remote Services
| [](../DataSources/Microsoft/SQL_Server/RM/r_m_microsoft_sql_server_Abnormal_Authentication_&_Access.md) | -| [Sysmon](../DataSources/Microsoft/Sysmon/ds_microsoft_sysmon.md) | | T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1133 - External Remote Services
| [](../DataSources/Microsoft/Sysmon/RM/r_m_microsoft_sysmon_Abnormal_Authentication_&_Access.md) | -| [Web Application Proxy](../DataSources/Microsoft/Web_Application_Proxy/ds_microsoft_web_application_proxy.md) | | T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1110 - Brute Force
| [](../DataSources/Microsoft/Web_Application_Proxy/RM/r_m_microsoft_web_application_proxy_Abnormal_Authentication_&_Access.md) | -| [Web Application Proxy-TLS Gateway](../DataSources/Microsoft/Web_Application_Proxy-TLS_Gateway/ds_microsoft_web_application_proxy-tls_gateway.md) | | T1071.001 - Application Layer Protocol: Web Protocols
| [](../DataSources/Microsoft/Web_Application_Proxy-TLS_Gateway/RM/r_m_microsoft_web_application_proxy-tls_gateway_Abnormal_Authentication_&_Access.md) | -| [Windows](../DataSources/Microsoft/Windows/ds_microsoft_windows.md) | | T1021 - Remote Services
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1110 - Brute Force
T1133 - External Remote Services
| [](../DataSources/Microsoft/Windows/RM/r_m_microsoft_windows_Abnormal_Authentication_&_Access.md) | -| [Windows PrintService](../DataSources/Microsoft/Windows_PrintService/ds_microsoft_windows_printservice.md) | | T1078 - Valid Accounts
| [](../DataSources/Microsoft/Windows_PrintService/RM/r_m_microsoft_windows_printservice_Abnormal_Authentication_&_Access.md) | +| Product | Event Types | MITRE TTP | Content | +|:-------------------------------------------------------------------------------------------------------------------------------------------------:| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [Azure](../DataSources/Microsoft/Azure/ds_microsoft_azure.md) | | T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1110 - Brute Force
T1133 - External Remote Services
T1136.003 - Create Account: Create: Cloud Account
T1530 - Data from Cloud Storage Object
| [](../DataSources/Microsoft/Azure/RM/r_m_microsoft_azure_Abnormal_Authentication_&_Access.md) | +| [Azure AD Identity Protection](../DataSources/Microsoft/Azure_AD_Identity_Protection/ds_microsoft_azure_ad_identity_protection.md) | | T1021 - Remote Services
T1078 - Valid Accounts
| [](../DataSources/Microsoft/Azure_AD_Identity_Protection/RM/r_m_microsoft_azure_ad_identity_protection_Abnormal_Authentication_&_Access.md) | +| [Azure Active Directory](../DataSources/Microsoft/Azure_Active_Directory/ds_microsoft_azure_active_directory.md) | | T1078 - Valid Accounts
T1133 - External Remote Services
| [](../DataSources/Microsoft/Azure_Active_Directory/RM/r_m_microsoft_azure_active_directory_Abnormal_Authentication_&_Access.md) | +| [Azure MFA](../DataSources/Microsoft/Azure_MFA/ds_microsoft_azure_mfa.md) | | T1078 - Valid Accounts
T1133 - External Remote Services
| [](../DataSources/Microsoft/Azure_MFA/RM/r_m_microsoft_azure_mfa_Abnormal_Authentication_&_Access.md) | +| [Cloud App Security (MCAS)](../DataSources/Microsoft/Cloud_App_Security_(MCAS)/ds_microsoft_cloud_app_security_(mcas).md) | | T1078 - Valid Accounts
T1133 - External Remote Services
| [](../DataSources/Microsoft/Cloud_App_Security_(MCAS)/RM/r_m_microsoft_cloud_app_security_(mcas)_Abnormal_Authentication_&_Access.md) | +| [Defender ATP](../DataSources/Microsoft/Defender_ATP/ds_microsoft_defender_atp.md) | | T1021 - Remote Services
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
| [](../DataSources/Microsoft/Defender_ATP/RM/r_m_microsoft_defender_atp_Abnormal_Authentication_&_Access.md) | +| [DirectAccess](../DataSources/Microsoft/DirectAccess/ds_microsoft_directaccess.md) | | T1078 - Valid Accounts
T1133 - External Remote Services
| [](../DataSources/Microsoft/DirectAccess/RM/r_m_microsoft_directaccess_Abnormal_Authentication_&_Access.md) | +| [Exchange](../DataSources/Microsoft/Exchange/ds_microsoft_exchange.md) | | T1078 - Valid Accounts
T1133 - External Remote Services
| [](../DataSources/Microsoft/Exchange/RM/r_m_microsoft_exchange_Abnormal_Authentication_&_Access.md) | +| [IIS](../DataSources/Microsoft/IIS/ds_microsoft_iis.md) | | T1071.001 - Application Layer Protocol: Web Protocols
| [](../DataSources/Microsoft/IIS/RM/r_m_microsoft_iis_Abnormal_Authentication_&_Access.md) | +| [Network Policy Server](../DataSources/Microsoft/Network_Policy_Server/ds_microsoft_network_policy_server.md) | | T1021 - Remote Services
T1078 - Valid Accounts
| [](../DataSources/Microsoft/Network_Policy_Server/RM/r_m_microsoft_network_policy_server_Abnormal_Authentication_&_Access.md) | +| [Office 365](../DataSources/Microsoft/Office_365/ds_microsoft_office_365.md) | | T1021 - Remote Services
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1110 - Brute Force
T1133 - External Remote Services
| [](../DataSources/Microsoft/Office_365/RM/r_m_microsoft_office_365_Abnormal_Authentication_&_Access.md) | +| [OneDrive](../DataSources/Microsoft/OneDrive/ds_microsoft_onedrive.md) | | T1078 - Valid Accounts
T1078.003 - Valid Accounts: Local Accounts
T1133 - External Remote Services
| [](../DataSources/Microsoft/OneDrive/RM/r_m_microsoft_onedrive_Abnormal_Authentication_&_Access.md) | +| [Routing and Remote Access Service](../DataSources/Microsoft/Routing_and_Remote_Access_Service/ds_microsoft_routing_and_remote_access_service.md) | | T1078 - Valid Accounts
T1133 - External Remote Services
| [](../DataSources/Microsoft/Routing_and_Remote_Access_Service/RM/r_m_microsoft_routing_and_remote_access_service_Abnormal_Authentication_&_Access.md) | +| [SQL Server](../DataSources/Microsoft/SQL_Server/ds_microsoft_sql_server.md) | | T1071.001 - Application Layer Protocol: Web Protocols
T1133 - External Remote Services
| [](../DataSources/Microsoft/SQL_Server/RM/r_m_microsoft_sql_server_Abnormal_Authentication_&_Access.md) | +| [Sysmon](../DataSources/Microsoft/Sysmon/ds_microsoft_sysmon.md) | | T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1133 - External Remote Services
| [](../DataSources/Microsoft/Sysmon/RM/r_m_microsoft_sysmon_Abnormal_Authentication_&_Access.md) | +| [Web Application Proxy](../DataSources/Microsoft/Web_Application_Proxy/ds_microsoft_web_application_proxy.md) | | T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1110 - Brute Force
| [](../DataSources/Microsoft/Web_Application_Proxy/RM/r_m_microsoft_web_application_proxy_Abnormal_Authentication_&_Access.md) | +| [Web Application Proxy-TLS Gateway](../DataSources/Microsoft/Web_Application_Proxy-TLS_Gateway/ds_microsoft_web_application_proxy-tls_gateway.md) | | T1071.001 - Application Layer Protocol: Web Protocols
| [](../DataSources/Microsoft/Web_Application_Proxy-TLS_Gateway/RM/r_m_microsoft_web_application_proxy-tls_gateway_Abnormal_Authentication_&_Access.md) | +| [Windows](../DataSources/Microsoft/Windows/ds_microsoft_windows.md) | | T1021 - Remote Services
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.003 - Valid Accounts: Local Accounts
T1110 - Brute Force
T1133 - External Remote Services
| [](../DataSources/Microsoft/Windows/RM/r_m_microsoft_windows_Abnormal_Authentication_&_Access.md) | +| [Windows PrintService](../DataSources/Microsoft/Windows_PrintService/ds_microsoft_windows_printservice.md) | | T1078 - Valid Accounts
| [](../DataSources/Microsoft/Windows_PrintService/RM/r_m_microsoft_windows_printservice_Abnormal_Authentication_&_Access.md) | ### Vendor: Mimecast | Product | Event Types | MITRE TTP | Content | |:--------------------------------------------------------------------------------------------------------------------------------------------:| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | @@ -833,9 +833,9 @@ Use Case: Abnormal Authentication & Access | [SentinelOne](../DataSources/SentinelOne/SentinelOne/ds_sentinelone_sentinelone.md) | | T1078 - Valid Accounts
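Review bot: Several of the re-emitted Microsoft rows in this hunk carry sub-technique entries whose display name is just the ID repeated, for example `T1078.002 - T1078.002` in the Defender ATP, Office 365 and Windows rows, so the table ships a mapping with no technique name where every other entry has one. The generator should resolve the name from the ATT&CK data (T1078.002 is "Valid Accounts: Domain Accounts") or fail loudly on an unresolved ID rather than emitting the ID twice; the same pattern will otherwise keep reappearing every time these tables are regenerated.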
| [](../DataSources/SentinelOne/SentinelOne/RM/r_m_sentinelone_sentinelone_Abnormal_Authentication_&_Access.md) | | [Singularity](../DataSources/SentinelOne/Singularity/ds_sentinelone_singularity.md) | | T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1133 - External Remote Services
| [](../DataSources/SentinelOne/Singularity/RM/r_m_sentinelone_singularity_Abnormal_Authentication_&_Access.md) | ### Vendor: ServiceNow -| Product | Event Types | MITRE TTP | Content | -|:------------------------------------------------------------------------------:| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [ServiceNow](../DataSources/ServiceNow/ServiceNow/ds_servicenow_servicenow.md) | | T1078 - Valid Accounts
T1133 - External Remote Services
| [](../DataSources/ServiceNow/ServiceNow/RM/r_m_servicenow_servicenow_Abnormal_Authentication_&_Access.md) | +| Product | Event Types | MITRE TTP | Content | +|:------------------------------------------------------------------------------:| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [ServiceNow](../DataSources/ServiceNow/ServiceNow/ds_servicenow_servicenow.md) | | T1078 - Valid Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1133 - External Remote Services
T1530 - Data from Cloud Storage Object
| [](../DataSources/ServiceNow/ServiceNow/RM/r_m_servicenow_servicenow_Abnormal_Authentication_&_Access.md) | ### Vendor: Shibboleth | Product | Event Types | MITRE TTP | Content | |:------------------------------------------------------------------------------------------:| --------------------------------------------------------- | -------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- | diff --git a/UseCases/uc_account_manipulation.md b/UseCases/uc_account_manipulation.md index a02f7c1f4c..da90d5c858 100644 --- a/UseCases/uc_account_manipulation.md +++ b/UseCases/uc_account_manipulation.md @@ -15,11 +15,11 @@ Use Case: Account Manipulation |:---------------------------------------------------------------------------------------------:| --------------------------------------------- | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | | [Firewall Analyzer](../DataSources/AlgoSec/Firewall_Analyzer/ds_algosec_firewall_analyzer.md) | | T1098 - Account Manipulation
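Review bot: The ServiceNow row under Abnormal Authentication & Access gains `T1530 - Data from Cloud Storage Object` next to `T1078.004 - Valid Accounts: Cloud Accounts`, but T1530 is a Collection technique and ServiceNow is not a cloud storage service, so it does not belong in an authentication and access use case. The same cloud-account set (T1078.004, T1136.003, T1530) is what the AWS CloudTrail, Google Cloud Platform and Azure rows receive later in this patch, which looks like one TTP list applied across products rather than derived from the ServiceNow rules; please confirm that `RM/r_m_servicenow_servicenow_Abnormal_Authentication_&_Access.md` actually contains content tagged T1530 before widening the separator column to make room for it.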
| [](../DataSources/AlgoSec/Firewall_Analyzer/RM/r_m_algosec_firewall_analyzer_Account_Manipulation.md) | ### Vendor: Amazon -| Product | Event Types | MITRE TTP | Content | -|:----------------------------------------------------------------------------------:| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ | -| [AWS Bastion](../DataSources/Amazon/AWS_Bastion/ds_amazon_aws_bastion.md) | | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
| [](../DataSources/Amazon/AWS_Bastion/RM/r_m_amazon_aws_bastion_Account_Manipulation.md) | -| [AWS CloudTrail](../DataSources/Amazon/AWS_CloudTrail/ds_amazon_aws_cloudtrail.md) | | T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
| [](../DataSources/Amazon/AWS_CloudTrail/RM/r_m_amazon_aws_cloudtrail_Account_Manipulation.md) | -| [AWS GuardDuty](../DataSources/Amazon/AWS_GuardDuty/ds_amazon_aws_guardduty.md) | | T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
| [](../DataSources/Amazon/AWS_GuardDuty/RM/r_m_amazon_aws_guardduty_Account_Manipulation.md) | +| Product | Event Types | MITRE TTP | Content | +|:----------------------------------------------------------------------------------:| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------- | +| [AWS Bastion](../DataSources/Amazon/AWS_Bastion/ds_amazon_aws_bastion.md) | | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
| [](../DataSources/Amazon/AWS_Bastion/RM/r_m_amazon_aws_bastion_Account_Manipulation.md) | +| [AWS CloudTrail](../DataSources/Amazon/AWS_CloudTrail/ds_amazon_aws_cloudtrail.md) | | T1078.004 - Valid Accounts: Cloud Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136.003 - Create Account: Create: Cloud Account
T1530 - Data from Cloud Storage Object
| [](../DataSources/Amazon/AWS_CloudTrail/RM/r_m_amazon_aws_cloudtrail_Account_Manipulation.md) | +| [AWS GuardDuty](../DataSources/Amazon/AWS_GuardDuty/ds_amazon_aws_guardduty.md) | | T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
| [](../DataSources/Amazon/AWS_GuardDuty/RM/r_m_amazon_aws_guardduty_Account_Manipulation.md) | ### Vendor: Arista Networks | Product | Event Types | MITRE TTP | Content | |:----------------------------------------------------------------------------------------------------:| --------------------------------------------- | -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | @@ -163,10 +163,10 @@ Use Case: Account Manipulation |:----------------------------------------------------------:| --------------------------------------------------------------------------------- | ------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------- | | [GitHub](../DataSources/GitHub/GitHub/ds_github_github.md) | | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
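Review bot: The AWS CloudTrail row under Account Manipulation adds `T1078.004 - Valid Accounts: Cloud Accounts` and `T1530 - Data from Cloud Storage Object`, neither of which is an account manipulation technique (T1530 is Collection, T1078.004 is credential use); only the added `T1136.003` is plausibly in scope, and even that would normally sit under the Create Account mapping that the GuardDuty row in the same table already uses. If the use-case file is meant to list only TTPs that the linked `r_m_amazon_aws_cloudtrail_Account_Manipulation.md` content covers, this row needs to be trimmed to those. Separately, the added name `Create Account: Create: Cloud Account` duplicates "Create:"; the ATT&CK name is "Create Account: Cloud Account" (the pre-existing `T1136.001 - Create Account: Create: Local Account` has the same defect, so the fix belongs in the name source, not in this row).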
| [](../DataSources/GitHub/GitHub/RM/r_m_github_github_Account_Manipulation.md) | ### Vendor: Google -| Product | Event Types | MITRE TTP | Content | -|:----------------------------------------------------------------------------------:| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------ | -| [Cloud Platform](../DataSources/Google/Cloud_Platform/ds_google_cloud_platform.md) | | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
| [](../DataSources/Google/Cloud_Platform/RM/r_m_google_cloud_platform_Account_Manipulation.md) | -| [Workspace](../DataSources/Google/Workspace/ds_google_workspace.md) | | T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
| [](../DataSources/Google/Workspace/RM/r_m_google_workspace_Account_Manipulation.md) | +| Product | Event Types | MITRE TTP | Content | +|:----------------------------------------------------------------------------------:| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | +| [Cloud Platform](../DataSources/Google/Cloud_Platform/ds_google_cloud_platform.md) | | T1078.004 - Valid Accounts: Cloud Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136.003 - Create Account: Create: Cloud Account
T1530 - Data from Cloud Storage Object
| [](../DataSources/Google/Cloud_Platform/RM/r_m_google_cloud_platform_Account_Manipulation.md) | +| [Workspace](../DataSources/Google/Workspace/ds_google_workspace.md) | | T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
| [](../DataSources/Google/Workspace/RM/r_m_google_workspace_Account_Manipulation.md) | ### Vendor: HP | Product | Event Types | MITRE TTP | Content | |:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | @@ -247,20 +247,20 @@ Use Case: Account Manipulation | [McAfee IDPS](../DataSources/McAfee/McAfee_IDPS/ds_mcafee_mcafee_idps.md) | | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
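Review bot: The Cloud Platform row now lists the sub-techniques `T1078.004` and `T1136.003` without their parents, whereas the other rows in this file that carry a sub-technique also carry the parent (`T1136 - Create Account` together with `T1136.001` on the GuardDuty and Skyhigh rows, `T1078` together with `T1078.004` on the Azure row). Pick one convention for the generator and apply it everywhere; the inconsistency makes it impossible to tell from the table whether a parent technique is intentionally unmapped. As with the CloudTrail change, `T1530 - Data from Cloud Storage Object` is a Collection technique and is hard to justify under Account Manipulation, so it should be checked against the rules in `r_m_google_cloud_platform_Account_Manipulation.md`.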
T1484 - Group Policy Modification
| [](../DataSources/McAfee/McAfee_IDPS/RM/r_m_mcafee_mcafee_idps_Account_Manipulation.md) | | [Skyhigh Networks CASB](../DataSources/McAfee/Skyhigh_Networks_CASB/ds_mcafee_skyhigh_networks_casb.md) | | T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
| [](../DataSources/McAfee/Skyhigh_Networks_CASB/RM/r_m_mcafee_skyhigh_networks_casb_Account_Manipulation.md) | ### Vendor: Microsoft -| Product | Event Types | MITRE TTP | Content | -|:-------------------------------------------------------------------------------------------------------------------------------------------:| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Advanced Threat Analytics (ATA)](../DataSources/Microsoft/Advanced_Threat_Analytics_(ATA)/ds_microsoft_advanced_threat_analytics_(ata).md) | | T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
| [](../DataSources/Microsoft/Advanced_Threat_Analytics_(ATA)/RM/r_m_microsoft_advanced_threat_analytics_(ata)_Account_Manipulation.md) | -| [Azure](../DataSources/Microsoft/Azure/ds_microsoft_azure.md) | | T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
| [](../DataSources/Microsoft/Azure/RM/r_m_microsoft_azure_Account_Manipulation.md) | -| [Azure Active Directory](../DataSources/Microsoft/Azure_Active_Directory/ds_microsoft_azure_active_directory.md) | | T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
| [](../DataSources/Microsoft/Azure_Active_Directory/RM/r_m_microsoft_azure_active_directory_Account_Manipulation.md) | -| [Azure MFA](../DataSources/Microsoft/Azure_MFA/ds_microsoft_azure_mfa.md) | | T1098 - Account Manipulation
| [](../DataSources/Microsoft/Azure_MFA/RM/r_m_microsoft_azure_mfa_Account_Manipulation.md) | -| [Cloud App Security (MCAS)](../DataSources/Microsoft/Cloud_App_Security_(MCAS)/ds_microsoft_cloud_app_security_(mcas).md) | | T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
| [](../DataSources/Microsoft/Cloud_App_Security_(MCAS)/RM/r_m_microsoft_cloud_app_security_(mcas)_Account_Manipulation.md) | -| [Defender ATP](../DataSources/Microsoft/Defender_ATP/ds_microsoft_defender_atp.md) | | T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
| [](../DataSources/Microsoft/Defender_ATP/RM/r_m_microsoft_defender_atp_Account_Manipulation.md) | -| [Exchange](../DataSources/Microsoft/Exchange/ds_microsoft_exchange.md) | | T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
| [](../DataSources/Microsoft/Exchange/RM/r_m_microsoft_exchange_Account_Manipulation.md) | -| [Office 365](../DataSources/Microsoft/Office_365/ds_microsoft_office_365.md) | | T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
| [](../DataSources/Microsoft/Office_365/RM/r_m_microsoft_office_365_Account_Manipulation.md) | -| [OneDrive](../DataSources/Microsoft/OneDrive/ds_microsoft_onedrive.md) | | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
| [](../DataSources/Microsoft/OneDrive/RM/r_m_microsoft_onedrive_Account_Manipulation.md) | -| [Sysmon](../DataSources/Microsoft/Sysmon/ds_microsoft_sysmon.md) | | T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
| [](../DataSources/Microsoft/Sysmon/RM/r_m_microsoft_sysmon_Account_Manipulation.md) | -| [Windows](../DataSources/Microsoft/Windows/ds_microsoft_windows.md) | | T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
T1207 - Rogue Domain Controller
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1484 - Group Policy Modification
T1531 - Account Access Removal
T1559.002 - T1559.002
| [](../DataSources/Microsoft/Windows/RM/r_m_microsoft_windows_Account_Manipulation.md) | -| [Windows Defender](../DataSources/Microsoft/Windows_Defender/ds_microsoft_windows_defender.md) | | T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
| [](../DataSources/Microsoft/Windows_Defender/RM/r_m_microsoft_windows_defender_Account_Manipulation.md) | +| Product | Event Types | MITRE TTP | Content | +|:-------------------------------------------------------------------------------------------------------------------------------------------:| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | +| [Advanced Threat Analytics (ATA)](../DataSources/Microsoft/Advanced_Threat_Analytics_(ATA)/ds_microsoft_advanced_threat_analytics_(ata).md) | | T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
| [](../DataSources/Microsoft/Advanced_Threat_Analytics_(ATA)/RM/r_m_microsoft_advanced_threat_analytics_(ata)_Account_Manipulation.md) | +| [Azure](../DataSources/Microsoft/Azure/ds_microsoft_azure.md) | | T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.003 - Create Account: Create: Cloud Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1530 - Data from Cloud Storage Object
T1531 - Account Access Removal
T1559.002 - T1559.002
| [](../DataSources/Microsoft/Azure/RM/r_m_microsoft_azure_Account_Manipulation.md) | +| [Azure Active Directory](../DataSources/Microsoft/Azure_Active_Directory/ds_microsoft_azure_active_directory.md) | | T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
| [](../DataSources/Microsoft/Azure_Active_Directory/RM/r_m_microsoft_azure_active_directory_Account_Manipulation.md) | +| [Azure MFA](../DataSources/Microsoft/Azure_MFA/ds_microsoft_azure_mfa.md) | | T1098 - Account Manipulation
| [](../DataSources/Microsoft/Azure_MFA/RM/r_m_microsoft_azure_mfa_Account_Manipulation.md) | +| [Cloud App Security (MCAS)](../DataSources/Microsoft/Cloud_App_Security_(MCAS)/ds_microsoft_cloud_app_security_(mcas).md) | | T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
| [](../DataSources/Microsoft/Cloud_App_Security_(MCAS)/RM/r_m_microsoft_cloud_app_security_(mcas)_Account_Manipulation.md) | +| [Defender ATP](../DataSources/Microsoft/Defender_ATP/ds_microsoft_defender_atp.md) | | T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
| [](../DataSources/Microsoft/Defender_ATP/RM/r_m_microsoft_defender_atp_Account_Manipulation.md) | +| [Exchange](../DataSources/Microsoft/Exchange/ds_microsoft_exchange.md) | | T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
| [](../DataSources/Microsoft/Exchange/RM/r_m_microsoft_exchange_Account_Manipulation.md) | +| [Office 365](../DataSources/Microsoft/Office_365/ds_microsoft_office_365.md) | | T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
| [](../DataSources/Microsoft/Office_365/RM/r_m_microsoft_office_365_Account_Manipulation.md) | +| [OneDrive](../DataSources/Microsoft/OneDrive/ds_microsoft_onedrive.md) | | T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
| [](../DataSources/Microsoft/OneDrive/RM/r_m_microsoft_onedrive_Account_Manipulation.md) | +| [Sysmon](../DataSources/Microsoft/Sysmon/ds_microsoft_sysmon.md) | | T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
| [](../DataSources/Microsoft/Sysmon/RM/r_m_microsoft_sysmon_Account_Manipulation.md) | +| [Windows](../DataSources/Microsoft/Windows/ds_microsoft_windows.md) | | T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
T1207 - Rogue Domain Controller
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1484 - Group Policy Modification
T1531 - Account Access Removal
T1559.002 - T1559.002
| [](../DataSources/Microsoft/Windows/RM/r_m_microsoft_windows_Account_Manipulation.md) | +| [Windows Defender](../DataSources/Microsoft/Windows_Defender/ds_microsoft_windows_defender.md) | | T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
| [](../DataSources/Microsoft/Windows_Defender/RM/r_m_microsoft_windows_defender_Account_Manipulation.md) | ### Vendor: Mimecast | Product | Event Types | MITRE TTP | Content | |:--------------------------------------------------------------------------------------:| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | 
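Review bot: In the `+` rows for the Microsoft table of the Account Manipulation use case (Azure MFA through Windows Defender), several MITRE TTP cells carry no technique name, for example `T1003.003 - T1003.003`, `T1021.003 - T1021.003`, `T1059.003 - T1059.003` and `T1559.002 - T1559.002`, and `T1059.001 - Command and Scripting Interperter: PowerShell` misspells Interpreter. Those are gaps and a typo in the technique-name lookup the generator reads, not in this markdown, so fix the lookup source and regenerate; otherwise the same defects are copied into every use-case page that lists those techniques. Every row in this table also has an empty Event Types column; if the generator is meant to fill that column from the data-source pages, that is worth tracking as a separate bug.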
@@ -378,6 +378,10 @@ Use Case: Account Manipulation | Product | Event Types | MITRE TTP | Content | |:-----------------------------------------------------------------------------------:| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------- | | [Singularity](../DataSources/SentinelOne/Singularity/ds_sentinelone_singularity.md) | | T1003 - OS Credential Dumping
T1003.003 - T1003.003
T1021.003 - T1021.003
T1059.001 - Command and Scripting Interperter: PowerShell
T1059.003 - T1059.003
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1218.010 - Signed Binary Proxy Execution: Regsvr32
T1531 - Account Access Removal
T1559.002 - T1559.002
| [](../DataSources/SentinelOne/Singularity/RM/r_m_sentinelone_singularity_Account_Manipulation.md) | +### Vendor: ServiceNow +| Product | Event Types | MITRE TTP | Content | +|:------------------------------------------------------------------------------:| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------ | +| [ServiceNow](../DataSources/ServiceNow/ServiceNow/ds_servicenow_servicenow.md) | | T1530 - Data from Cloud Storage Object
| [](../DataSources/ServiceNow/ServiceNow/RM/r_m_servicenow_servicenow_Account_Manipulation.md) | ### Vendor: SkySea | Product | Event Types | MITRE TTP | Content | |:----------------------------------------------------------------------:| -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------- | diff --git a/UseCases/uc_cloud_data_protection.md b/UseCases/uc_cloud_data_protection.md deleted file mode 100644 index 25e75e658b..0000000000 --- a/UseCases/uc_cloud_data_protection.md +++ /dev/null @@ -1,20 +0,0 @@ - -Use Case: Cloud Data Protection -=============================== - -### Vendor: Amazon -| Product | Event Types | MITRE TTP | Content | -|:----------------------------------------------------------------------------------:| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | -| [AWS CloudTrail](../DataSources/Amazon/AWS_CloudTrail/ds_amazon_aws_cloudtrail.md) | | T1078.004 - Valid Accounts: Cloud Accounts
T1136.003 - Create Account: Create: Cloud Account
T1530 - Data from Cloud Storage Object
| [](../DataSources/Amazon/AWS_CloudTrail/RM/r_m_amazon_aws_cloudtrail_Cloud_Data_Protection.md) | -### Vendor: Google -| Product | Event Types | MITRE TTP | Content | -|:----------------------------------------------------------------------------------:| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------- | -| [Cloud Platform](../DataSources/Google/Cloud_Platform/ds_google_cloud_platform.md) | | T1078.004 - Valid Accounts: Cloud Accounts
T1136.003 - Create Account: Create: Cloud Account
T1530 - Data from Cloud Storage Object
| [](../DataSources/Google/Cloud_Platform/RM/r_m_google_cloud_platform_Cloud_Data_Protection.md) | -### Vendor: Microsoft -| Product | Event Types | MITRE TTP | Content | -|:-------------------------------------------------------------:| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------- | -| [Azure](../DataSources/Microsoft/Azure/ds_microsoft_azure.md) | | T1078.004 - Valid Accounts: Cloud Accounts
T1136.003 - Create Account: Create: Cloud Account
T1530 - Data from Cloud Storage Object
| [](../DataSources/Microsoft/Azure/RM/r_m_microsoft_azure_Cloud_Data_Protection.md) | -### Vendor: ServiceNow -| Product | Event Types | MITRE TTP | Content | -|:------------------------------------------------------------------------------:| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- | -| [ServiceNow](../DataSources/ServiceNow/ServiceNow/ds_servicenow_servicenow.md) | | T1078.004 - Valid Accounts: Cloud Accounts
T1530 - Data from Cloud Storage Object
| [](../DataSources/ServiceNow/ServiceNow/RM/r_m_servicenow_servicenow_Cloud_Data_Protection.md) | \ No newline at end of file diff --git a/UseCases/uc_privilege_abuse.md b/UseCases/uc_privilege_abuse.md index 4dee519bba..a07f5af31f 100644 --- a/UseCases/uc_privilege_abuse.md +++ b/UseCases/uc_privilege_abuse.md @@ -43,12 +43,12 @@ Use Case: Privilege Abuse |:---------------------------------------------------------------------------------------------:| --------------------------------------------- | -------------------------------- | ------------------------------------------------------------------------------------------------------------------------- | | [Firewall Analyzer](../DataSources/AlgoSec/Firewall_Analyzer/ds_algosec_firewall_analyzer.md) | | T1098 - Account Manipulation
| [](../DataSources/AlgoSec/Firewall_Analyzer/RM/r_m_algosec_firewall_analyzer_Privilege_Abuse.md) | ### Vendor: Amazon -| Product | Event Types | MITRE TTP | Content | -|:----------------------------------------------------------------------------------:| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | -| [AWS Bastion](../DataSources/Amazon/AWS_Bastion/ds_amazon_aws_bastion.md) | | T1078 - Valid Accounts
T1078.002 - T1078.002
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
| [](../DataSources/Amazon/AWS_Bastion/RM/r_m_amazon_aws_bastion_Privilege_Abuse.md) | -| [AWS CloudTrail](../DataSources/Amazon/AWS_CloudTrail/ds_amazon_aws_cloudtrail.md) | | T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
| [](../DataSources/Amazon/AWS_CloudTrail/RM/r_m_amazon_aws_cloudtrail_Privilege_Abuse.md) | -| [AWS CloudWatch](../DataSources/Amazon/AWS_CloudWatch/ds_amazon_aws_cloudwatch.md) | | T1078 - Valid Accounts
| [](../DataSources/Amazon/AWS_CloudWatch/RM/r_m_amazon_aws_cloudwatch_Privilege_Abuse.md) | -| [AWS GuardDuty](../DataSources/Amazon/AWS_GuardDuty/ds_amazon_aws_guardduty.md) | | T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
| [](../DataSources/Amazon/AWS_GuardDuty/RM/r_m_amazon_aws_guardduty_Privilege_Abuse.md) | +| Product | Event Types | MITRE TTP | Content | +|:----------------------------------------------------------------------------------:| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | +| [AWS Bastion](../DataSources/Amazon/AWS_Bastion/ds_amazon_aws_bastion.md) | | T1078 - Valid Accounts
T1078.002 - T1078.002
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
| [](../DataSources/Amazon/AWS_Bastion/RM/r_m_amazon_aws_bastion_Privilege_Abuse.md) | +| [AWS CloudTrail](../DataSources/Amazon/AWS_CloudTrail/ds_amazon_aws_cloudtrail.md) | | T1078 - Valid Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1530 - Data from Cloud Storage Object
| [](../DataSources/Amazon/AWS_CloudTrail/RM/r_m_amazon_aws_cloudtrail_Privilege_Abuse.md) | +| [AWS CloudWatch](../DataSources/Amazon/AWS_CloudWatch/ds_amazon_aws_cloudwatch.md) | | T1078 - Valid Accounts
| [](../DataSources/Amazon/AWS_CloudWatch/RM/r_m_amazon_aws_cloudwatch_Privilege_Abuse.md) | +| [AWS GuardDuty](../DataSources/Amazon/AWS_GuardDuty/ds_amazon_aws_guardduty.md) | | T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
| [](../DataSources/Amazon/AWS_GuardDuty/RM/r_m_amazon_aws_guardduty_Privilege_Abuse.md) | ### Vendor: Anywhere365 | Product | Event Types | MITRE TTP | Content | |:-----------------------------------------------------------------------------------:| --------------------------------------- | -------------------------- | --------------------------------------------------------------------------------------------------------------------- | @@ -378,10 +378,10 @@ Use Case: Privilege Abuse |:------------------------------------------------------------------------------------------:| ------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------- | | [GoAnywhere MFT](../DataSources/GoAnywhere/GoAnywhere_MFT/ds_goanywhere_goanywhere_mft.md) | | T1078 - Valid Accounts
T1078.002 - T1078.002
| [](../DataSources/GoAnywhere/GoAnywhere_MFT/RM/r_m_goanywhere_goanywhere_mft_Privilege_Abuse.md) | ### Vendor: Google -| Product | Event Types | MITRE TTP | Content | -|:----------------------------------------------------------------------------------:| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------- | -| [Cloud Platform](../DataSources/Google/Cloud_Platform/ds_google_cloud_platform.md) | | T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
| [](../DataSources/Google/Cloud_Platform/RM/r_m_google_cloud_platform_Privilege_Abuse.md) | -| [Workspace](../DataSources/Google/Workspace/ds_google_workspace.md) | | T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1133 - External Remote Services
| [](../DataSources/Google/Workspace/RM/r_m_google_workspace_Privilege_Abuse.md) | +| Product | Event Types | MITRE TTP | Content | +|:----------------------------------------------------------------------------------:| ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------- | +| [Cloud Platform](../DataSources/Google/Cloud_Platform/ds_google_cloud_platform.md) | | T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1078.004 - Valid Accounts: Cloud Accounts
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1530 - Data from Cloud Storage Object
| [](../DataSources/Google/Cloud_Platform/RM/r_m_google_cloud_platform_Privilege_Abuse.md) | +| [Workspace](../DataSources/Google/Workspace/ds_google_workspace.md) | | T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1133 - External Remote Services
| [](../DataSources/Google/Workspace/RM/r_m_google_workspace_Privilege_Abuse.md) | ### Vendor: HP | Product | Event Types | MITRE TTP | Content | |:--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------:| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
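Review bot: The new ServiceNow vendor block in the Account Manipulation use case (@@ -378 hunk of that file) maps only `T1530 - Data from Cloud Storage Object`, a collection technique, which does not belong under an account-manipulation use case. The deleted uc_cloud_data_protection.md listed ServiceNow with both `T1078.004` and `T1530`, so the Cloud Data Protection mappings appear to have been folded into Account Manipulation for ServiceNow but into Privilege Abuse for AWS CloudTrail, Cloud Platform and Azure; pick one target use case for the migrated techniques, or state why the split is intended. Also confirm that `RM/r_m_servicenow_servicenow_Account_Manipulation.md` exists, because the Content cell links to it and nothing in the diff shown here creates it.

Review bot: Deleting UseCases/uc_cloud_data_protection.md leaves its four Content targets orphaned unless they are removed in the same change: `r_m_amazon_aws_cloudtrail_Cloud_Data_Protection.md`, `r_m_google_cloud_platform_Cloud_Data_Protection.md`, `r_m_microsoft_azure_Cloud_Data_Protection.md` and `r_m_servicenow_servicenow_Cloud_Data_Protection.md` are not touched in any hunk shown here. The data-source pages this file listed (AWS CloudTrail, Google Cloud Platform, Microsoft Azure, ServiceNow) each carry a Cloud Data Protection use-case row that links back to this path, so every one of them needs that row dropped as well, or the catalogue ends up with dangling links. The `\ No newline at end of file` marker is moot once the file is gone.

Review bot: In the @@ -43 hunk of uc_privilege_abuse.md, the AWS CloudTrail row gains `T1078.004 - Valid Accounts: Cloud Accounts` and `T1530 - Data from Cloud Storage Object`, which is the mapping migrated from the deleted Cloud Data Protection page, while the AWS Bastion, AWS CloudWatch and AWS GuardDuty rows are re-emitted with identical content only because the MITRE TTP separator row was widened. Having the generator pad separator rows to a fixed width would stop unchanged rows from showing up as diff noise, and the commit message should say that T1530, a collection technique, is now deliberately filed under Privilege Abuse.

Review bot: Same pattern in the @@ -378 hunk of uc_privilege_abuse.md: the Cloud Platform row gains `T1078.004` and `T1530`, and the Workspace row is rewritten with no content change apart from table padding. Since this table only links to `r_m_google_cloud_platform_Privilege_Abuse.md` for its content, check that that page was regenerated to cover the two added techniques.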
@@ -555,7 +555,7 @@ Use Case: Privilege Abuse |:-------------------------------------------------------------------------------------------------------------------------------------------------:| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | 
----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | [365 Defender](../DataSources/Microsoft/365_Defender/ds_microsoft_365_defender.md) | | T1078 - Valid Accounts
| [](../DataSources/Microsoft/365_Defender/RM/r_m_microsoft_365_defender_Privilege_Abuse.md) | | [Advanced Threat Analytics (ATA)](../DataSources/Microsoft/Advanced_Threat_Analytics_(ATA)/ds_microsoft_advanced_threat_analytics_(ata).md) | | T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
| [](../DataSources/Microsoft/Advanced_Threat_Analytics_(ATA)/RM/r_m_microsoft_advanced_threat_analytics_(ata)_Privilege_Abuse.md) | -| [Azure](../DataSources/Microsoft/Azure/ds_microsoft_azure.md) | | T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1078.002 - T1078.002
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
| [](../DataSources/Microsoft/Azure/RM/r_m_microsoft_azure_Privilege_Abuse.md) | +| [Azure](../DataSources/Microsoft/Azure/ds_microsoft_azure.md) | | T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1078.002 - T1078.002
T1078.004 - Valid Accounts: Cloud Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1530 - Data from Cloud Storage Object
| [](../DataSources/Microsoft/Azure/RM/r_m_microsoft_azure_Privilege_Abuse.md) | | [Azure AD Identity Protection](../DataSources/Microsoft/Azure_AD_Identity_Protection/ds_microsoft_azure_ad_identity_protection.md) | | T1021 - Remote Services
T1078 - Valid Accounts
T1078.002 - T1078.002
| [](../DataSources/Microsoft/Azure_AD_Identity_Protection/RM/r_m_microsoft_azure_ad_identity_protection_Privilege_Abuse.md) | | [Azure Active Directory](../DataSources/Microsoft/Azure_Active_Directory/ds_microsoft_azure_active_directory.md) | | T1047 - Windows Management Instrumentation
T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
| [](../DataSources/Microsoft/Azure_Active_Directory/RM/r_m_microsoft_azure_active_directory_Privilege_Abuse.md) | | [Azure MFA](../DataSources/Microsoft/Azure_MFA/ds_microsoft_azure_mfa.md) | | T1098 - Account Manipulation
| [](../DataSources/Microsoft/Azure_MFA/RM/r_m_microsoft_azure_mfa_Privilege_Abuse.md) |
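Review bot: In the @@ -555 hunk the Azure row gains `T1078.004` and `T1530`, consistent with the CloudTrail and Cloud Platform changes, but the regenerated Azure row and the unchanged Azure AD Identity Protection row beside it still render `T1078.002 - T1078.002` with no technique name. Because this hunk rewrites the Azure row anyway, fixing the name lookup before regenerating would let the row come out complete in the same change instead of needing a follow-up.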