| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 169 | 68 | 28 | 5 | 16 |
| Use-Case | Activity Types (Legacy Event Type)/Parsers | MITRE ATT&CK® TTP | Content |
|---|---|---|---|
| Abnormal Authentication & Access | scheduled_task-trigger:success (app-activity) ↳cisco-umbrella-csv-configuration-modify-success-admin http-traffic:success (web-activity-allowed) ↳cisco-umbrella-cef-http-session-proxy ↳cisco-umbrella-csv-http-session-proxy ↳cisco-umbrella-json-http-session-verdicts http-session:fail (web-activity-denied) ↳cisco-umbrella-cef-http-session-proxy ↳cisco-umbrella-csv-http-session-proxy ↳cisco-umbrella-json-http-session-verdicts |
T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1133 - External Remote Services |
|
| Account Manipulation | scheduled_task-trigger:success (app-activity) ↳cisco-umbrella-csv-configuration-modify-success-admin |
T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions |
|
| Data Access | scheduled_task-trigger:success (app-activity) ↳cisco-umbrella-csv-configuration-modify-success-admin |
T1078 - Valid Accounts |
|
| Privilege Escalation | scheduled_task-trigger:success (app-activity) ↳cisco-umbrella-csv-configuration-modify-success-admin |
T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions |
|
| Workforce Protection | http-traffic:success (web-activity-allowed) ↳cisco-umbrella-cef-http-session-proxy ↳cisco-umbrella-csv-http-session-proxy ↳cisco-umbrella-json-http-session-verdicts |
T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols |
|
| Next Page -->> |
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Phishing: Spearphishing Link External Remote Services Valid Accounts Drive-by Compromise Exploit Public Fasing Application Phishing |
User Execution |
External Remote Services Valid Accounts Account Manipulation Account Manipulation: Exchange Email Delegate Permissions |
Valid Accounts |
Valid Accounts |
Internal Spearphishing |
Email Collection Email Collection: Email Forwarding Rule |
Web Service Application Layer Protocol: Web Protocols Dynamic Resolution Dynamic Resolution: Domain Generation Algorithms Proxy: Multi-hop Proxy Application Layer Protocol Proxy |
Exfiltration Over C2 Channel Exfiltration Over Web Service: Exfiltration to Cloud Storage Exfiltration Over Web Service |
Resource Hijacking |