Use-Case: Compromised Credentials
Activity Type (Legacy Event Type)/Parsers:
  app-login:success (app-login)
    ↳auth0-a-json-app-login-success-s
    ↳auth0-a-json-app-login-success-seacft
    ↳auth0-a-json-app-login-success-ss
    ↳auth0-a-json-app-login-success-ssa
    ↳auth0-a-json-app-login-success-seccft
    ↳auth0-a-json-app-login-success-changeemail
  vpn-authentication:success (authentication-successful)
    ↳auth0-a-json-app-authentication-success-startauth
    ↳auth0-a-json-app-authentication-success-gd_auth_succeed
    ↳auth0-a-json-endpoint-login-success-verification
    ↳auth0-a-json-endpoint-login-success-exchange
  app-login:fail (failed-app-login)
    ↳auth0-a-json-app-login-fail-fcpr
    ↳auth0-a-json-app-login-fail-limitwc
    ↳auth0-a-json-app-login-fail-apilimit
    ↳auth0-a-json-app-login-fail-fu
  endpoint-login:fail (failed-logon)
    ↳eset-ep-leef-endpoint-login-fail-auditevent
  ssh-traffic:success (remote-logon)
    ↳ca-pamsc-kv-rdp-traffic-success-connection
    ↳vectra-cs-kv-rdp-traffic-success-metadatardp
    ↳vectra-cs-kv-ssh-traffic-success-metadatassh
  http-traffic:success (web-activity-allowed)
    ↳auth0-a-json-http-session-success-mgmt_api_read
    ↳auth0-a-json-http-session-success-sapi
MITRE ATT&CK® TTP:
  T1021 - Remote Services
  T1071 - Application Layer Protocol
  T1071.001 - Application Layer Protocol: Web Protocols
  T1078 - Valid Accounts
  T1078.002 - T1078.002
  T1078.003 - Valid Accounts: Local Accounts
  T1102 - Web Service
  T1133 - External Remote Services
  T1189 - Drive-by Compromise
  T1190 - Exploit Public-Facing Application
  T1204 - User Execution
  T1204.001 - T1204.001
  T1550 - Use Alternate Authentication Material
  T1550.003 - Use Alternate Authentication Material: Pass the Ticket
  T1558 - Steal or Forge Kerberos Tickets
  T1566 - Phishing
  T1566.002 - Phishing: Spearphishing Link
  T1568 - Dynamic Resolution
  T1568.002 - Dynamic Resolution: Domain Generation Algorithms
Content: 98 Rules, 54 Models

Use-Case: Data Access
Activity Type (Legacy Event Type)/Parsers:
  app-login:success (app-login)
    ↳auth0-a-json-app-login-success-s
    ↳auth0-a-json-app-login-success-seacft
    ↳auth0-a-json-app-login-success-ss
    ↳auth0-a-json-app-login-success-ssa
    ↳auth0-a-json-app-login-success-seccft
    ↳auth0-a-json-app-login-success-changeemail
  app-login:fail (failed-app-login)
    ↳auth0-a-json-app-login-fail-fcpr
    ↳auth0-a-json-app-login-fail-limitwc
    ↳auth0-a-json-app-login-fail-apilimit
    ↳auth0-a-json-app-login-fail-fu
MITRE ATT&CK® TTP:
  T1078 - Valid Accounts
Content: 6 Rules, 4 Models

Use-Case: Lateral Movement
Activity Type (Legacy Event Type)/Parsers:
  app-login:success (app-login)
    ↳auth0-a-json-app-login-success-s
    ↳auth0-a-json-app-login-success-seacft
    ↳auth0-a-json-app-login-success-ss
    ↳auth0-a-json-app-login-success-ssa
    ↳auth0-a-json-app-login-success-seccft
    ↳auth0-a-json-app-login-success-changeemail
  vpn-login:fail (authentication-failed)
    ↳auth0-a-json-app-authentication-fail-warning
    ↳auth0-a-json-app-authentication-fail-gd_auth_failed
  vpn-authentication:success (authentication-successful)
    ↳auth0-a-json-app-authentication-success-startauth
    ↳auth0-a-json-app-authentication-success-gd_auth_succeed
    ↳auth0-a-json-endpoint-login-success-verification
    ↳auth0-a-json-endpoint-login-success-exchange
  app-login:fail (failed-app-login)
    ↳auth0-a-json-app-login-fail-fcpr
    ↳auth0-a-json-app-login-fail-limitwc
    ↳auth0-a-json-app-login-fail-apilimit
    ↳auth0-a-json-app-login-fail-fu
  endpoint-login:fail (failed-logon)
    ↳eset-ep-leef-endpoint-login-fail-auditevent
  ssh-traffic:success (remote-logon)
    ↳ca-pamsc-kv-rdp-traffic-success-connection
    ↳vectra-cs-kv-rdp-traffic-success-metadatardp
    ↳vectra-cs-kv-ssh-traffic-success-metadatassh
  http-traffic:success (web-activity-allowed)
    ↳auth0-a-json-http-session-success-mgmt_api_read
    ↳auth0-a-json-http-session-success-sapi
MITRE ATT&CK® TTP:
  T1018 - Remote System Discovery
  T1021 - Remote Services
  T1021.001 - Remote Services: Remote Desktop Protocol
  T1071 - Application Layer Protocol
  T1071.001 - Application Layer Protocol: Web Protocols
  T1078 - Valid Accounts
  T1090 - Proxy
  T1090.003 - Proxy: Multi-hop Proxy
  T1110 - Brute Force
  T1110.003 - T1110.003
  T1190 - Exploit Public-Facing Application
  T1550 - Use Alternate Authentication Material
  T1550.002 - Use Alternate Authentication Material: Pass the Hash
  T1550.003 - Use Alternate Authentication Material: Pass the Ticket
  T1558 - Steal or Forge Kerberos Tickets
  T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting
Content: 48 Rules, 13 Models

Use-Case: Malware
Activity Type (Legacy Event Type)/Parsers:
  app-login:success (app-login)
    ↳auth0-a-json-app-login-success-s
    ↳auth0-a-json-app-login-success-seacft
    ↳auth0-a-json-app-login-success-ss
    ↳auth0-a-json-app-login-success-ssa
    ↳auth0-a-json-app-login-success-seccft
    ↳auth0-a-json-app-login-success-changeemail
  vpn-authentication:success (authentication-successful)
    ↳auth0-a-json-app-authentication-success-startauth
    ↳auth0-a-json-app-authentication-success-gd_auth_succeed
    ↳auth0-a-json-endpoint-login-success-verification
    ↳auth0-a-json-endpoint-login-success-exchange
  endpoint-login:fail (failed-logon)
    ↳eset-ep-leef-endpoint-login-fail-auditevent
  ssh-traffic:success (remote-logon)
    ↳ca-pamsc-kv-rdp-traffic-success-connection
    ↳vectra-cs-kv-rdp-traffic-success-metadatardp
    ↳vectra-cs-kv-ssh-traffic-success-metadatassh
  http-traffic:success (web-activity-allowed)
    ↳auth0-a-json-http-session-success-mgmt_api_read
    ↳auth0-a-json-http-session-success-sapi
MITRE ATT&CK® TTP:
  T1071 - Application Layer Protocol
  T1071.001 - Application Layer Protocol: Web Protocols
  T1078 - Valid Accounts
  T1189 - Drive-by Compromise
  T1190 - Exploit Public-Facing Application
  T1204 - User Execution
  T1204.001 - T1204.001
  T1210 - Exploitation of Remote Services
  T1550 - Use Alternate Authentication Material
  T1550.003 - Use Alternate Authentication Material: Pass the Ticket
  T1558 - Steal or Forge Kerberos Tickets
  T1566 - Phishing
  T1566.002 - Phishing: Spearphishing Link
  T1568 - Dynamic Resolution
  T1568.002 - Dynamic Resolution: Domain Generation Algorithms
  TA0002 - TA0002
Content: 30 Rules, 9 Models

Use-Case: Privilege Abuse
Activity Type (Legacy Event Type)/Parsers:
  user-delete:success (account-deleted)
    ↳auth0-a-json-user-delete-success-userdeletion
  user-password-modify:success (account-password-change)
    ↳auth0-a-json-user-password-modify-success-changepassword
  app-login:success (app-login)
    ↳auth0-a-json-app-login-success-s
    ↳auth0-a-json-app-login-success-seacft
    ↳auth0-a-json-app-login-success-ss
    ↳auth0-a-json-app-login-success-ssa
    ↳auth0-a-json-app-login-success-seccft
    ↳auth0-a-json-app-login-success-changeemail
  app-login:fail (failed-app-login)
    ↳auth0-a-json-app-login-fail-fcpr
    ↳auth0-a-json-app-login-fail-limitwc
    ↳auth0-a-json-app-login-fail-apilimit
    ↳auth0-a-json-app-login-fail-fu
  endpoint-login:fail (failed-logon)
    ↳eset-ep-leef-endpoint-login-fail-auditevent
  ssh-traffic:success (remote-logon)
    ↳ca-pamsc-kv-rdp-traffic-success-connection
    ↳vectra-cs-kv-rdp-traffic-success-metadatardp
    ↳vectra-cs-kv-ssh-traffic-success-metadatassh
  http-traffic:success (web-activity-allowed)
    ↳auth0-a-json-http-session-success-mgmt_api_read
    ↳auth0-a-json-http-session-success-sapi
MITRE ATT&CK® TTP:
  T1071 - Application Layer Protocol
  T1071.001 - Application Layer Protocol: Web Protocols
  T1078 - Valid Accounts
  T1078.002 - T1078.002
  T1098 - Account Manipulation
  T1531 - Account Access Removal
Content: 17 Rules, 7 Models

Use-Case: Privileged Activity
Activity Type (Legacy Event Type)/Parsers:
  app-login:success (app-login)
    ↳auth0-a-json-app-login-success-s
    ↳auth0-a-json-app-login-success-seacft
    ↳auth0-a-json-app-login-success-ss
    ↳auth0-a-json-app-login-success-ssa
    ↳auth0-a-json-app-login-success-seccft
    ↳auth0-a-json-app-login-success-changeemail
  app-login:fail (failed-app-login)
    ↳auth0-a-json-app-login-fail-fcpr
    ↳auth0-a-json-app-login-fail-limitwc
    ↳auth0-a-json-app-login-fail-apilimit
    ↳auth0-a-json-app-login-fail-fu
  endpoint-login:fail (failed-logon)
    ↳eset-ep-leef-endpoint-login-fail-auditevent
  ssh-traffic:success (remote-logon)
    ↳ca-pamsc-kv-rdp-traffic-success-connection
    ↳vectra-cs-kv-rdp-traffic-success-metadatardp
    ↳vectra-cs-kv-ssh-traffic-success-metadatassh
  http-traffic:success (web-activity-allowed)
    ↳auth0-a-json-http-session-success-mgmt_api_read
    ↳auth0-a-json-http-session-success-sapi
MITRE ATT&CK® TTP:
  T1021 - Remote Services
  T1068 - Exploitation for Privilege Escalation
  T1071 - Application Layer Protocol
  T1071.001 - Application Layer Protocol: Web Protocols
  T1078 - Valid Accounts
  T1078.002 - T1078.002
  T1102 - Web Service
Content: 19 Rules, 7 Models

Use-Case: Ransomware
Activity Type (Legacy Event Type)/Parsers:
  app-login:success (app-login)
    ↳auth0-a-json-app-login-success-s
    ↳auth0-a-json-app-login-success-seacft
    ↳auth0-a-json-app-login-success-ss
    ↳auth0-a-json-app-login-success-ssa
    ↳auth0-a-json-app-login-success-seccft
    ↳auth0-a-json-app-login-success-changeemail
  vpn-login:fail (authentication-failed)
    ↳auth0-a-json-app-authentication-fail-warning
    ↳auth0-a-json-app-authentication-fail-gd_auth_failed
  vpn-authentication:success (authentication-successful)
    ↳auth0-a-json-app-authentication-success-startauth
    ↳auth0-a-json-app-authentication-success-gd_auth_succeed
    ↳auth0-a-json-endpoint-login-success-verification
    ↳auth0-a-json-endpoint-login-success-exchange
  app-login:fail (failed-app-login)
    ↳auth0-a-json-app-login-fail-fcpr
    ↳auth0-a-json-app-login-fail-limitwc
    ↳auth0-a-json-app-login-fail-apilimit
    ↳auth0-a-json-app-login-fail-fu
  endpoint-login:fail (failed-logon)
    ↳eset-ep-leef-endpoint-login-fail-auditevent
  ssh-traffic:success (remote-logon)
    ↳ca-pamsc-kv-rdp-traffic-success-connection
    ↳vectra-cs-kv-rdp-traffic-success-metadatardp
    ↳vectra-cs-kv-ssh-traffic-success-metadatassh
  http-traffic:success (web-activity-allowed)
    ↳auth0-a-json-http-session-success-mgmt_api_read
    ↳auth0-a-json-http-session-success-sapi
MITRE ATT&CK® TTP:
  T1071 - Application Layer Protocol
  T1071.001 - Application Layer Protocol: Web Protocols
  T1078 - Valid Accounts
Content: 3 Rules