Vendor: Cisco

Product: Cisco ISE

Rules: 208
Models: 96
MITRE ATT&CK® TTPs: 32
Activity Types: 8
Parsers: 35

Use-Case: Abnormal Authentication & Access

Activity Types (Legacy Event Type)/Parsers:
- scheduled_task-trigger:success (app-activity)
  ↳cisco-ise-kv-app-activity-success-appactivity
- endpoint-login:fail (authentication-failed)
  ↳cisco-ise-kv-endpoint-authentication-fail-warn
  ↳cisco-ise-cef-endpoint-login-fail-loginfailed
  ↳cisco-ise-kv-vpn-login-fail-authfailed
  ↳cisco-ise-kv-endpoint-login-fail-loginfailed
- endpoint-login:success (authentication-successful)
  ↳cisco-ise-kv-endpoint-authentication-cisepassed
  ↳cisco-ise-kv-endpoint-authentication-accounting
  ↳cisco-ise-kv-endpoint-authentication-flowdiagnostics
  ↳cisco-ise-cef-endpoint-login-success-authsuccess
  ↳cisco-ise-kv-endpoint-login-success-61025
  ↳cisco-ise-kv-endpoint-authentication-success-authenok
- endpoint-login:fail (failed-logon)
  ↳cisco-ise-kv-endpoint-login-61025
- vpn-login:fail (failed-vpn-login)
  ↳cisco-ise-kv-vpn-login-success-attempts
- endpoint-login:success (nac-logon)
  ↳cisco-ise-kv-radius-traffic-success-cscoacspassedauth
  ↳cisco-ise-kv-radius-traffic-success-commandauthsuccess
  ↳cisco-ise-kv-radius-traffic-success-tacacsaccouting
  ↳cisco-ise-kv-radius-traffic-success-accountstartreq
  ↳cisco-ise-kv-radius-traffic-success-networkdeviceprofile
  ↳cisco-ise-cef-endpoint-login-success-authenticationsucceeded
  ↳cisco-ise-cef-endpoint-login-success-authpassed
  ↳cisco-ise-kv-radius-traffic-success-deviceadminstrationsucceeded
  ↳cisco-ise-cef-radius-traffic-success-cisepassedauth
  ↳cisco-ise-kv-radius-traffic-success-authsucceeded
  ↳cisco-ise-kv-radius-traffic-success-radius
  ↳cisco-ise-kv-radius-traffic-success-start
  ↳cisco-ise-cef-endpoint-login-success-mcafeeesm
  ↳cisco-ise-cef-endpoint-login-success-accountingreqaccounting
  ↳cisco-ise-cef-endpoint-login-success-accounting
- endpoint-login:success (remote-logon)
  ↳cisco-ise-kv-ssh-traffic-success-60115
  ↳cisco-ise-kv-ssh-traffic-success-60080
  ↳cisco-ise-cef-endpoint-login-success-userloginsuccess
  ↳cisco-ise-cef-endpoint-login-success-adlogin
  ↳cisco-ise-kv-endpoint-login-success-51001
  ↳cisco-ise-kv-endpoint-login-61025
- vpn-login:success (vpn-login)
  ↳cisco-ise-kv-vpn-login-success-radiusaccounting
- vpn-logout:success (vpn-logout)
  ↳cisco-ise-kv-vpn-logout-success-virtual
  ↳cisco-ise-cef-vpn-logout-success-stop

MITRE ATT&CK® TTP:
- T1021 - Remote Services
- T1078 - Valid Accounts
- T1078.002 - T1078.002
- T1078.003 - Valid Accounts: Local Accounts
- T1110 - Brute Force
- T1133 - External Remote Services

Content: 60 Rules, 22 Models

Use-Case: Account Manipulation

Activity Types (Legacy Event Type)/Parsers:
- scheduled_task-trigger:success (app-activity)
  ↳cisco-ise-kv-app-activity-success-appactivity
- vpn-logout:success (vpn-logout)
  ↳cisco-ise-kv-vpn-logout-success-virtual
  ↳cisco-ise-cef-vpn-logout-success-stop

MITRE ATT&CK® TTP:
- T1098 - Account Manipulation
- T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
- T1484 - Group Policy Modification

Content: 10 Rules, 7 Models

Use-Case: Brute Force Attack

Activity Types (Legacy Event Type)/Parsers:
- endpoint-login:fail (failed-logon)
  ↳cisco-ise-kv-endpoint-login-61025
- vpn-logout:success (vpn-logout)
  ↳cisco-ise-kv-vpn-logout-success-virtual
  ↳cisco-ise-cef-vpn-logout-success-stop

MITRE ATT&CK® TTP:
- T1021 - Remote Services
- T1021.001 - Remote Services: Remote Desktop Protocol
- T1110 - Brute Force
- T1110.003 - T1110.003

Content: 10 Rules, 1 Models

Use-Case: Data Access

Activity Types (Legacy Event Type)/Parsers:
- scheduled_task-trigger:success (app-activity)
  ↳cisco-ise-kv-app-activity-success-appactivity
- vpn-logout:success (vpn-logout)
  ↳cisco-ise-kv-vpn-logout-success-virtual
  ↳cisco-ise-cef-vpn-logout-success-stop

MITRE ATT&CK® TTP:
- T1078 - Valid Accounts
- T1110 - Brute Force

Content: 20 Rules, 12 Models

Use-Case: Data Exfiltration

Activity Types (Legacy Event Type)/Parsers:
- vpn-logout:success (vpn-logout)
  ↳cisco-ise-kv-vpn-logout-success-virtual
  ↳cisco-ise-cef-vpn-logout-success-stop

MITRE ATT&CK® TTP:
- T1133 - External Remote Services
- TA0010 - TA0010

Content: 4 Rules, 4 Models

Use-Case: Data Leak

Activity Types (Legacy Event Type)/Parsers:
- scheduled_task-trigger:success (app-activity)
  ↳cisco-ise-kv-app-activity-success-appactivity
- vpn-logout:success (vpn-logout)
  ↳cisco-ise-kv-vpn-logout-success-virtual
  ↳cisco-ise-cef-vpn-logout-success-stop

MITRE ATT&CK® TTP:
- T1048 - Exfiltration Over Alternative Protocol
- T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
- T1052 - Exfiltration Over Physical Medium
- T1052.001 - Exfiltration Over Physical Medium: Exfiltration over USB
- T1114 - Email Collection
- T1114.003 - Email Collection: Email Forwarding Rule
- T1133 - External Remote Services
- TA0010 - TA0010

Content: 14 Rules, 11 Models

Use-Case: Phishing

Activity Types (Legacy Event Type)/Parsers:
- vpn-logout:success (vpn-logout)
  ↳cisco-ise-kv-vpn-logout-success-virtual
  ↳cisco-ise-cef-vpn-logout-success-stop

MITRE ATT&CK® TTP:
- T1566 - Phishing

Content: 2 Rules, 2 Models

Use-Case: Physical Security

Activity Types (Legacy Event Type)/Parsers:
- vpn-login:success (vpn-login)
  ↳cisco-ise-kv-vpn-login-success-radiusaccounting

MITRE ATT&CK® TTP:
- T1133 - External Remote Services

Content: 1 Rules, 1 Models

MITRE ATT&CK® Framework for Enterprise

Initial Access:
- External Remote Services
- Valid Accounts
- Phishing

Execution:
- (no techniques listed)

Persistence:
- External Remote Services
- Valid Accounts
- Account Manipulation
- Account Manipulation: Exchange Email Delegate Permissions

Privilege Escalation:
- Valid Accounts
- Exploitation for Privilege Escalation
- Group Policy Modification

Defense Evasion:
- Group Policy Modification
- Valid Accounts
- Use Alternate Authentication Material
- Use Alternate Authentication Material: Pass the Hash
- Use Alternate Authentication Material: Pass the Ticket
- Valid Accounts: Local Accounts

Credential Access:
- Brute Force
- Steal or Forge Kerberos Tickets
- Credentials from Password Stores
- Steal or Forge Kerberos Tickets: Kerberoasting

Discovery:
- Remote System Discovery

Lateral Movement:
- Exploitation of Remote Services
- Remote Services
- Use Alternate Authentication Material
- Remote Services: Remote Desktop Protocol

Collection:
- Email Collection
- Email Collection: Email Forwarding Rule

Command and Control:
- Proxy: Multi-hop Proxy
- Proxy

Exfiltration:
- Exfiltration Over Alternative Protocol
- Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
- Exfiltration Over Physical Medium: Exfiltration over USB
- Exfiltration Over Physical Medium

Impact:
- (no techniques listed)