Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
---|---|---|---|---|
182 | 71 | 28 | 6 | 7 |

Use-Case | Activity Types (Legacy Event Type)/Parsers | MITRE ATT&CK® TTP | Content |
---|---|---|---|
Abnormal Authentication & Access | app-activity:success (app-activity)<br>↳watchguard-w-leef-http-request-httprequest<br><br>http-traffic:success (web-activity-allowed)<br>↳watchguard-w-kv-http-session-success-httprequest<br>↳watchguard-w-kv-http-session-success-proxyallow<br>↳watchguard-w-kv-http-session-httpsrequest<br><br>http-session:fail (web-activity-denied)<br>↳watchguard-w-kv-http-session-httpsrequest<br>↳watchguard-w-kv-http-session-fail-proxydeny<br>↳watchguard-w-kv-http-session-fail-proxydrop | T1071 - Application Layer Protocol<br>T1071.001 - Application Layer Protocol: Web Protocols<br>T1078 - Valid Accounts<br>T1133 - External Remote Services | |
Account Manipulation | app-activity:success (app-activity)<br>↳watchguard-w-leef-http-request-httprequest | T1098 - Account Manipulation<br>T1098.002 - Account Manipulation: Exchange Email Delegate Permissions | |
Data Access | app-activity:success (app-activity)<br>↳watchguard-w-leef-http-request-httprequest | T1078 - Valid Accounts | |
Privilege Escalation | app-activity:success (app-activity)<br>↳watchguard-w-leef-http-request-httprequest | T1098 - Account Manipulation<br>T1098.002 - Account Manipulation: Exchange Email Delegate Permissions | |
Workforce Protection | http-traffic:success (web-activity-allowed)<br>↳watchguard-w-kv-http-session-success-httprequest<br>↳watchguard-w-kv-http-session-success-proxyallow<br>↳watchguard-w-kv-http-session-httpsrequest | T1071 - Application Layer Protocol<br>T1071.001 - Application Layer Protocol: Web Protocols | |

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
---|---|---|---|---|---|---|---|---|---|---|---|
Phishing: Spearphishing Link<br>External Remote Services<br>Valid Accounts<br>Drive-by Compromise<br>Exploit Public-Facing Application<br>Phishing | User Execution | External Remote Services<br>Valid Accounts<br>Account Manipulation<br>Account Manipulation: Exchange Email Delegate Permissions | Valid Accounts | Valid Accounts | | | Internal Spearphishing | Email Collection<br>Email Collection: Email Forwarding Rule | Web Service<br>Application Layer Protocol: Web Protocols<br>Dynamic Resolution<br>Dynamic Resolution: Domain Generation Algorithms<br>Proxy: Multi-hop Proxy<br>Application Layer Protocol<br>Proxy | Exfiltration Over C2 Channel<br>Exfiltration Over Web Service: Exfiltration to Cloud Storage<br>Exfiltration Over Web Service | Resource Hijacking |