9 lines (9 loc) · 17.1 KB

2_ds_auth0_auth0.md
| Use-Case | Activity Type (Legacy Event Type)/Parsers | MITRE ATT&CK® TTP | Content |
|---|---|---|---|
| Compromised Credentials | app-login:success (app-login)<br>auth0-a-json-app-login-success-s<br>auth0-a-json-app-login-success-seacft<br>auth0-a-json-app-login-success-ss<br>auth0-a-json-app-login-success-ssa<br>auth0-a-json-app-login-success-seccft<br>auth0-a-json-app-login-success-changeemail<br><br>vpn-authentication:success (authentication-successful)<br>auth0-a-json-app-authentication-success-startauth<br>auth0-a-json-app-authentication-success-gd_auth_succeed<br>auth0-a-json-endpoint-login-success-verification<br>auth0-a-json-endpoint-login-success-exchange<br><br>app-login:fail (failed-app-login)<br>auth0-a-json-app-login-fail-fcpr<br>auth0-a-json-app-login-fail-limitwc<br>auth0-a-json-app-login-fail-apilimit<br>auth0-a-json-app-login-fail-fu<br><br>endpoint-login:fail (failed-logon)<br>eset-ep-leef-endpoint-login-fail-auditevent<br><br>ssh-traffic:success (remote-logon)<br>ca-pamsc-kv-rdp-traffic-success-connection<br>vectra-cs-kv-rdp-traffic-success-metadatardp<br>vectra-cs-kv-ssh-traffic-success-metadatassh<br><br>http-traffic:success (web-activity-allowed)<br>auth0-a-json-http-session-success-mgmt_api_read<br>auth0-a-json-http-session-success-sapi | T1021 - Remote Services<br>T1071 - Application Layer Protocol<br>T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1078.002 - Valid Accounts: Domain Accounts<br>T1078.003 - Valid Accounts: Local Accounts<br>T1102 - Web Service<br>T1133 - External Remote Services<br>T1189 - Drive-by Compromise<br>T1190 - Exploit Public-Facing Application<br>T1204 - User Execution<br>T1204.001 - User Execution: Malicious Link<br>T1550 - Use Alternate Authentication Material<br>T1550.003 - Use Alternate Authentication Material: Pass the Ticket<br>T1558 - Steal or Forge Kerberos Tickets<br>T1566 - Phishing<br>T1566.002 - Phishing: Spearphishing Link<br>T1568 - Dynamic Resolution<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms | 98 Rules<br>54 Models |
| Data Access | app-login:success (app-login)<br>auth0-a-json-app-login-success-s<br>auth0-a-json-app-login-success-seacft<br>auth0-a-json-app-login-success-ss<br>auth0-a-json-app-login-success-ssa<br>auth0-a-json-app-login-success-seccft<br>auth0-a-json-app-login-success-changeemail<br><br>app-login:fail (failed-app-login)<br>auth0-a-json-app-login-fail-fcpr<br>auth0-a-json-app-login-fail-limitwc<br>auth0-a-json-app-login-fail-apilimit<br>auth0-a-json-app-login-fail-fu | T1078 - Valid Accounts | 6 Rules<br>4 Models |
| Lateral Movement | app-login:success (app-login)<br>auth0-a-json-app-login-success-s<br>auth0-a-json-app-login-success-seacft<br>auth0-a-json-app-login-success-ss<br>auth0-a-json-app-login-success-ssa<br>auth0-a-json-app-login-success-seccft<br>auth0-a-json-app-login-success-changeemail<br><br>vpn-login:fail (authentication-failed)<br>auth0-a-json-app-authentication-fail-warning<br>auth0-a-json-app-authentication-fail-gd_auth_failed<br><br>vpn-authentication:success (authentication-successful)<br>auth0-a-json-app-authentication-success-startauth<br>auth0-a-json-app-authentication-success-gd_auth_succeed<br>auth0-a-json-endpoint-login-success-verification<br>auth0-a-json-endpoint-login-success-exchange<br><br>app-login:fail (failed-app-login)<br>auth0-a-json-app-login-fail-fcpr<br>auth0-a-json-app-login-fail-limitwc<br>auth0-a-json-app-login-fail-apilimit<br>auth0-a-json-app-login-fail-fu<br><br>endpoint-login:fail (failed-logon)<br>eset-ep-leef-endpoint-login-fail-auditevent<br><br>ssh-traffic:success (remote-logon)<br>ca-pamsc-kv-rdp-traffic-success-connection<br>vectra-cs-kv-rdp-traffic-success-metadatardp<br>vectra-cs-kv-ssh-traffic-success-metadatassh<br><br>http-traffic:success (web-activity-allowed)<br>auth0-a-json-http-session-success-mgmt_api_read<br>auth0-a-json-http-session-success-sapi | T1018 - Remote System Discovery<br>T1021 - Remote Services<br>T1021.001 - Remote Services: Remote Desktop Protocol<br>T1071 - Application Layer Protocol<br>T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1090 - Proxy<br>T1090.003 - Proxy: Multi-hop Proxy<br>T1110 - Brute Force<br>T1110.003 - Brute Force: Password Spraying<br>T1190 - Exploit Public-Facing Application<br>T1550 - Use Alternate Authentication Material<br>T1550.002 - Use Alternate Authentication Material: Pass the Hash<br>T1550.003 - Use Alternate Authentication Material: Pass the Ticket<br>T1558 - Steal or Forge Kerberos Tickets<br>T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting | 48 Rules<br>13 Models |
| Malware | app-login:success (app-login)<br>auth0-a-json-app-login-success-s<br>auth0-a-json-app-login-success-seacft<br>auth0-a-json-app-login-success-ss<br>auth0-a-json-app-login-success-ssa<br>auth0-a-json-app-login-success-seccft<br>auth0-a-json-app-login-success-changeemail<br><br>vpn-authentication:success (authentication-successful)<br>auth0-a-json-app-authentication-success-startauth<br>auth0-a-json-app-authentication-success-gd_auth_succeed<br>auth0-a-json-endpoint-login-success-verification<br>auth0-a-json-endpoint-login-success-exchange<br><br>endpoint-login:fail (failed-logon)<br>eset-ep-leef-endpoint-login-fail-auditevent<br><br>ssh-traffic:success (remote-logon)<br>ca-pamsc-kv-rdp-traffic-success-connection<br>vectra-cs-kv-rdp-traffic-success-metadatardp<br>vectra-cs-kv-ssh-traffic-success-metadatassh<br><br>http-traffic:success (web-activity-allowed)<br>auth0-a-json-http-session-success-mgmt_api_read<br>auth0-a-json-http-session-success-sapi | T1071 - Application Layer Protocol<br>T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1189 - Drive-by Compromise<br>T1190 - Exploit Public-Facing Application<br>T1204 - User Execution<br>T1204.001 - User Execution: Malicious Link<br>T1210 - Exploitation of Remote Services<br>T1550 - Use Alternate Authentication Material<br>T1550.003 - Use Alternate Authentication Material: Pass the Ticket<br>T1558 - Steal or Forge Kerberos Tickets<br>T1566 - Phishing<br>T1566.002 - Phishing: Spearphishing Link<br>T1568 - Dynamic Resolution<br>T1568.002 - Dynamic Resolution: Domain Generation Algorithms<br>TA0002 - Execution | 30 Rules<br>9 Models |
| Privilege Abuse | user-delete:success (account-deleted)<br>auth0-a-json-user-delete-success-userdeletion<br><br>user-password-modify:success (account-password-change)<br>auth0-a-json-user-password-modify-success-changepassword<br><br>app-login:success (app-login)<br>auth0-a-json-app-login-success-s<br>auth0-a-json-app-login-success-seacft<br>auth0-a-json-app-login-success-ss<br>auth0-a-json-app-login-success-ssa<br>auth0-a-json-app-login-success-seccft<br>auth0-a-json-app-login-success-changeemail<br><br>app-login:fail (failed-app-login)<br>auth0-a-json-app-login-fail-fcpr<br>auth0-a-json-app-login-fail-limitwc<br>auth0-a-json-app-login-fail-apilimit<br>auth0-a-json-app-login-fail-fu<br><br>endpoint-login:fail (failed-logon)<br>eset-ep-leef-endpoint-login-fail-auditevent<br><br>ssh-traffic:success (remote-logon)<br>ca-pamsc-kv-rdp-traffic-success-connection<br>vectra-cs-kv-rdp-traffic-success-metadatardp<br>vectra-cs-kv-ssh-traffic-success-metadatassh<br><br>http-traffic:success (web-activity-allowed)<br>auth0-a-json-http-session-success-mgmt_api_read<br>auth0-a-json-http-session-success-sapi | T1071 - Application Layer Protocol<br>T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1078.002 - Valid Accounts: Domain Accounts<br>T1098 - Account Manipulation<br>T1531 - Account Access Removal | 17 Rules<br>7 Models |
| Privileged Activity | app-login:success (app-login)<br>auth0-a-json-app-login-success-s<br>auth0-a-json-app-login-success-seacft<br>auth0-a-json-app-login-success-ss<br>auth0-a-json-app-login-success-ssa<br>auth0-a-json-app-login-success-seccft<br>auth0-a-json-app-login-success-changeemail<br><br>app-login:fail (failed-app-login)<br>auth0-a-json-app-login-fail-fcpr<br>auth0-a-json-app-login-fail-limitwc<br>auth0-a-json-app-login-fail-apilimit<br>auth0-a-json-app-login-fail-fu<br><br>endpoint-login:fail (failed-logon)<br>eset-ep-leef-endpoint-login-fail-auditevent<br><br>ssh-traffic:success (remote-logon)<br>ca-pamsc-kv-rdp-traffic-success-connection<br>vectra-cs-kv-rdp-traffic-success-metadatardp<br>vectra-cs-kv-ssh-traffic-success-metadatassh<br><br>http-traffic:success (web-activity-allowed)<br>auth0-a-json-http-session-success-mgmt_api_read<br>auth0-a-json-http-session-success-sapi | T1021 - Remote Services<br>T1068 - Exploitation for Privilege Escalation<br>T1071 - Application Layer Protocol<br>T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1078.002 - Valid Accounts: Domain Accounts<br>T1102 - Web Service | 19 Rules<br>7 Models |
| Ransomware | app-login:success (app-login)<br>auth0-a-json-app-login-success-s<br>auth0-a-json-app-login-success-seacft<br>auth0-a-json-app-login-success-ss<br>auth0-a-json-app-login-success-ssa<br>auth0-a-json-app-login-success-seccft<br>auth0-a-json-app-login-success-changeemail<br><br>vpn-login:fail (authentication-failed)<br>auth0-a-json-app-authentication-fail-warning<br>auth0-a-json-app-authentication-fail-gd_auth_failed<br><br>vpn-authentication:success (authentication-successful)<br>auth0-a-json-app-authentication-success-startauth<br>auth0-a-json-app-authentication-success-gd_auth_succeed<br>auth0-a-json-endpoint-login-success-verification<br>auth0-a-json-endpoint-login-success-exchange<br><br>app-login:fail (failed-app-login)<br>auth0-a-json-app-login-fail-fcpr<br>auth0-a-json-app-login-fail-limitwc<br>auth0-a-json-app-login-fail-apilimit<br>auth0-a-json-app-login-fail-fu<br><br>endpoint-login:fail (failed-logon)<br>eset-ep-leef-endpoint-login-fail-auditevent<br><br>ssh-traffic:success (remote-logon)<br>ca-pamsc-kv-rdp-traffic-success-connection<br>vectra-cs-kv-rdp-traffic-success-metadatardp<br>vectra-cs-kv-ssh-traffic-success-metadatassh<br><br>http-traffic:success (web-activity-allowed)<br>auth0-a-json-http-session-success-mgmt_api_read<br>auth0-a-json-http-session-success-sapi | T1071 - Application Layer Protocol<br>T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts | 3 Rules |