Vendor: McAfee
Product: McAfee Endpoint Security

Content summary
  Rules: 254
  Models: 102
  MITRE ATT&CK® TTPs: 42
  Activity Types: 9
  Parsers: 51

Use-case coverage (Use-Case / Activity Types with their Parsers / MITRE ATT&CK® TTPs / Content)

Abnormal Authentication & Access
  Activity Types / Parsers:
    authentication-failed
      ↳mcafee-es-cef-file-delete-epolicyorchestrator
      ↳mcafee-es-cef-app-activity-ops
      ↳mcafee-es-json-app-logout-success-userlogout
      ↳mcafee-es-kv-app-notification-propertytranslator
      ↳mcafee-es-kv-policy-apply-fail-pointproduct
      ↳mcafee-es-kv-endpoint-notification-windowserror
    remote-logon
      ↳mcafee-es-json-endpoint-login-success-successfuluserlogin
  MITRE ATT&CK® TTPs:
    T1021 - Remote Services
    T1078 - Valid Accounts
    T1078.002 - Valid Accounts: Domain Accounts
    T1078.003 - Valid Accounts: Local Accounts
    T1133 - External Remote Services
  Content: 32 Rules, 14 Models

Compromised Credentials
  Activity Types / Parsers:
    file-write
      ↳mcafee-es-xml-file-write-success-epoevents
    process-alert
      ↳mcafee-es-cef-alert-trigger-success-epolicyorchestrator
    process-created-failed
      ↳mcafee-es-csv-process-create-fail-executiondenied
    remote-logon
      ↳mcafee-es-json-endpoint-login-success-successfuluserlogin
    security-alert
      ↳mcafee-es-cef-alert-trigger-success-portblocking
      ↳mcafee-es-cef-alert-trigger-success-infectedfiledeleted
      ↳mcafee-es-cef-alert-trigger-success-userdefinedrules
      ↳mcafee-es-csv-alert-trigger-success-alerttrigger
      ↳mcafee-es-cef-alert-trigger-success-accessprotectionrule
      ↳mcafee-es-csv-alert-trigger-success-epolicyorchestrator
      ↳mcafee-es-cef-alert-trigger-success-roguesystemdetected
      ↳mcafee-es-kv-alert-trigger-success-alerttrigger
      ↳mcafee-es-json-alert-trigger-success-threatcategory
      ↳mcafee-es-sk4-alert-trigger-success-analyzername
      ↳mcafee-es-csv-alert-trigger-success-security
      ↳mcafee-es-kv-alert-trigger-success-virusscanenterprise
      ↳mcafee-es-cef-alert-trigger-success-notauthorized
      ↳mcafee-es-kv-alert-trigger-success-moveavoffloadserver
      ↳mcafee-es-kv-alert-trigger-success-endpointsecurity
      ↳mcafee-es-kv-alert-trigger-success-hostintrusionprevention
      ↳mcafee-es-cef-alert-trigger-success-hostintrusion
      ↳mcafee-es-str-alert-trigger-success-epolicy
      ↳mcafee-es-cef-alert-trigger-success-virusscan
      ↳mcafee-es-json-alert-trigger-success-avdetect
      ↳mcafee-es-kv-alert-trigger-success-parametervalue
      ↳mcafee-es-csv-alert-trigger-success-cleanfailed
      ↳mcafee-es-kv-alert-trigger-success-367
      ↳mcafee-es-str-alert-trigger-success-cleaned
      ↳mcafee-es-str-alert-trigger-success-deleted
      ↳mcafee-es-kv-alert-trigger-success-threathandled
      ↳mcafee-es-kv-alert-trigger-success-4
  MITRE ATT&CK® TTPs:
    T1003.002 - OS Credential Dumping: Security Account Manager
    T1003.003 - OS Credential Dumping: NTDS
    T1021 - Remote Services
    T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
    T1036.004 - Masquerading: Masquerade Task or Service
    T1059.001 - Command and Scripting Interpreter: PowerShell
    T1078 - Valid Accounts
    T1078.002 - Valid Accounts: Domain Accounts
    T1078.003 - Valid Accounts: Local Accounts
    T1083 - File and Directory Discovery
    T1133 - External Remote Services
    T1190 - Exploit Public-Facing Application
    T1550 - Use Alternate Authentication Material
    T1550.003 - Use Alternate Authentication Material: Pass the Ticket
    T1558 - Steal or Forge Kerberos Tickets
    TA0002 - Execution
  Content: 106 Rules, 46 Models

Data Access
  Activity Types / Parsers:
    file-write
      ↳mcafee-es-xml-file-write-success-epoevents
  MITRE ATT&CK® TTPs:
    T1083 - File and Directory Discovery
  Content: 32 Rules, 18 Models

Data Exfiltration
  Activity Types / Parsers:
    dlp-alert
      ↳mcafee-es-kv-alert-trigger-success-dataloss
      ↳mcafee-ep-kv-alert-trigger-success-islaptop
    file-write
      ↳mcafee-es-xml-file-write-success-epoevents
  MITRE ATT&CK® TTPs:
    T1020 - Automated Exfiltration
    T1071 - Application Layer Protocol
    TA0002 - Execution
    TA0010 - Exfiltration
  Content: 33 Rules, 18 Models

Privilege Abuse
  Activity Types / Parsers:
    file-write
      ↳mcafee-es-xml-file-write-success-epoevents
    remote-logon
      ↳mcafee-es-json-endpoint-login-success-successfuluserlogin
  MITRE ATT&CK® TTPs:
    T1078 - Valid Accounts
    T1078.002 - Valid Accounts: Domain Accounts
    T1083 - File and Directory Discovery
  Content: 12 Rules, 8 Models

Privilege Escalation
  Activity Types / Parsers:
    remote-logon
      ↳mcafee-es-json-endpoint-login-success-successfuluserlogin
  MITRE ATT&CK® TTPs:
    T1078 - Valid Accounts
    T1555.005 - Credentials from Password Stores: Password Managers
  Content: 2 Rules, 1 Model

MITRE ATT&CK® Framework for Enterprise (techniques covered, by tactic)

Initial Access
  External Remote Services
  Valid Accounts
  Exploit Public-Facing Application
  Replication Through Removable Media

Execution
  Windows Management Instrumentation
  Command and Scripting Interpreter
  Scheduled Task/Job
  Command and Scripting Interpreter: PowerShell

Persistence
  External Remote Services
  Valid Accounts
  Server Software Component: Web Shell
  Scheduled Task/Job
  Server Software Component
  Boot or Logon Autostart Execution

Privilege Escalation
  Valid Accounts
  Exploitation for Privilege Escalation
  Scheduled Task/Job
  Boot or Logon Autostart Execution

Defense Evasion
  Impair Defenses
  Trusted Developer Utilities Proxy Execution
  Obfuscated Files or Information: Indicator Removal from Tools
  Masquerading
  Valid Accounts
  Use Alternate Authentication Material
  Use Alternate Authentication Material: Pass the Hash
  Use Alternate Authentication Material: Pass the Ticket
  Impair Defenses: Disable or Modify System Firewall
  Obfuscated Files or Information
  Signed Binary Proxy Execution: Compiled HTML File
  Valid Accounts: Local Accounts
  Signed Binary Proxy Execution
  Signed Binary Proxy Execution: InstallUtil
  Signed Binary Proxy Execution: Regsvr32
  Trusted Developer Utilities Proxy Execution: MSBuild

Credential Access
  OS Credential Dumping
  Steal or Forge Kerberos Tickets
  Credentials from Password Stores
  Steal or Forge Kerberos Tickets: Kerberoasting

Discovery
  File and Directory Discovery
  Remote System Discovery

Lateral Movement
  Remote Services
  Use Alternate Authentication Material
  Replication Through Removable Media

Collection
  Email Collection

Command and Control
  Proxy: Multi-hop Proxy
  Application Layer Protocol
  Proxy

Exfiltration
  Exfiltration Over Physical Medium: Exfiltration over USB
  Exfiltration Over Physical Medium
  Automated Exfiltration

Impact
  Data Encrypted for Impact