2_ds_dell_sonicwall.md

Use-Case	Activity Type (Legacy Event Type)/Parsers	MITRE ATT&CK® TTP	Content
Compromised Credentials	vpn-login:fail (failed-vpn-login) ↳dell-sw-kv-vpn-login-fail-sslvpn ↳dell-sw-cef-vpn-login-fail-userloginfailed ↳dell-sw-kv-vpn-login-fail-140 alert-trigger:success (network-alert) ↳dell-sw-kv-alert-trigger-success-security endpoint-login:success (remote-logon) ↳dell-sw-cef-rdp-traffic-success-rdp vpn-login:success (vpn-login) ↳sonicwall-sw-kv-vpn-login-success-1080 ↳dell-sw-kv-vpn-login-success-netextenderconnected ↳dell-sw-cef-vpn-login-success-userloginsuccessful ↳dell-sw-kv-vpn-login-success-userloginsuccessful ↳dell-sw-kv-vpn-login-success-platformprefix ↳dell-sw-str-vpn-login-success-csacl ↳dell-sw-cef-vpn-login-success-userloginandzoneassignment vpn-logout:success (vpn-logout) ↳dell-sw-cef-vpn-logout-success-loggedout ↳dell-sw-kv-vpn-logout-success-sslvpn ↳sonicwall-sw-kv-vpn-logout-success-sslvpn ↳dell-sw-kv-vpn-logout-success-infosystem ↳dell-sw-cef-vpn-logout-success-sessionend http-traffic:success (web-activity-allowed) ↳dell-sw-kv-http-session-category http-session:fail (web-activity-denied) ↳dell-sw-kv-http-session-category	T1021 - Remote Services T1027 - Obfuscated Files or Information T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1102 - Web Service T1110 - Brute Force T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204 - User Execution T1204.001 - T1204.001 T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1566 - Phishing T1566.002 - Phishing: Spearphishing Link T1568 - Dynamic Resolution T1568.002 - Dynamic Resolution: Domain Generation Algorithms	119 Rules 58 Models
Data Exfiltration	vpn-logout:success (vpn-logout) ↳dell-sw-cef-vpn-logout-success-loggedout ↳dell-sw-kv-vpn-logout-success-sslvpn ↳sonicwall-sw-kv-vpn-logout-success-sslvpn ↳dell-sw-kv-vpn-logout-success-infosystem ↳dell-sw-cef-vpn-logout-success-sessionend http-traffic:success (web-activity-allowed) ↳dell-sw-kv-http-session-category http-session:fail (web-activity-denied) ↳dell-sw-kv-http-session-category	T1041 - Exfiltration Over C2 Channel T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1133 - External Remote Services T1567 - Exfiltration Over Web Service T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage T1568 - Dynamic Resolution T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0010 - TA0010	12 Rules 6 Models
Data Leak	vpn-logout:success (vpn-logout) ↳dell-sw-cef-vpn-logout-success-loggedout ↳dell-sw-kv-vpn-logout-success-sslvpn ↳sonicwall-sw-kv-vpn-logout-success-sslvpn ↳dell-sw-kv-vpn-logout-success-infosystem ↳dell-sw-cef-vpn-logout-success-sessionend http-traffic:success (web-activity-allowed) ↳dell-sw-kv-http-session-category http-session:fail (web-activity-denied) ↳dell-sw-kv-http-session-category	T1041 - Exfiltration Over C2 Channel T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1052 - Exfiltration Over Physical Medium T1052.001 - Exfiltration Over Physical Medium: Exfiltration over USB T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1133 - External Remote Services T1567 - Exfiltration Over Web Service T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage TA0010 - TA0010	17 Rules 13 Models
Lateral Movement	vpn-login:fail (failed-vpn-login) ↳dell-sw-kv-vpn-login-fail-sslvpn ↳dell-sw-cef-vpn-login-fail-userloginfailed ↳dell-sw-kv-vpn-login-fail-140 endpoint-login:success (remote-logon) ↳dell-sw-cef-rdp-traffic-success-rdp vpn-login:success (vpn-login) ↳sonicwall-sw-kv-vpn-login-success-1080 ↳dell-sw-kv-vpn-login-success-netextenderconnected ↳dell-sw-cef-vpn-login-success-userloginsuccessful ↳dell-sw-kv-vpn-login-success-userloginsuccessful ↳dell-sw-kv-vpn-login-success-platformprefix ↳dell-sw-str-vpn-login-success-csacl ↳dell-sw-cef-vpn-login-success-userloginandzoneassignment vpn-logout:success (vpn-logout) ↳dell-sw-cef-vpn-logout-success-loggedout ↳dell-sw-kv-vpn-logout-success-sslvpn ↳sonicwall-sw-kv-vpn-logout-success-sslvpn ↳dell-sw-kv-vpn-logout-success-infosystem ↳dell-sw-cef-vpn-logout-success-sessionend http-traffic:success (web-activity-allowed) ↳dell-sw-kv-http-session-category http-session:fail (web-activity-denied) ↳dell-sw-kv-http-session-category	T1018 - Remote System Discovery T1021 - Remote Services T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1090 - Proxy T1090.003 - Proxy: Multi-hop Proxy T1190 - Exploit Public Fasing Application T1550 - Use Alternate Authentication Material T1550.002 - Use Alternate Authentication Material: Pass the Hash T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting	44 Rules 15 Models
Malware	alert-trigger:success (network-alert) ↳dell-sw-kv-alert-trigger-success-security endpoint-login:success (remote-logon) ↳dell-sw-cef-rdp-traffic-success-rdp vpn-login:success (vpn-login) ↳sonicwall-sw-kv-vpn-login-success-1080 ↳dell-sw-kv-vpn-login-success-netextenderconnected ↳dell-sw-cef-vpn-login-success-userloginsuccessful ↳dell-sw-kv-vpn-login-success-userloginsuccessful ↳dell-sw-kv-vpn-login-success-platformprefix ↳dell-sw-str-vpn-login-success-csacl ↳dell-sw-cef-vpn-login-success-userloginandzoneassignment http-traffic:success (web-activity-allowed) ↳dell-sw-kv-http-session-category http-session:fail (web-activity-denied) ↳dell-sw-kv-http-session-category	T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204 - User Execution T1204.001 - T1204.001 T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1566 - Phishing T1566.002 - Phishing: Spearphishing Link T1568 - Dynamic Resolution T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	31 Rules 9 Models
Phishing	vpn-logout:success (vpn-logout) ↳dell-sw-cef-vpn-logout-success-loggedout ↳dell-sw-kv-vpn-logout-success-sslvpn ↳sonicwall-sw-kv-vpn-logout-success-sslvpn ↳dell-sw-kv-vpn-logout-success-infosystem ↳dell-sw-cef-vpn-logout-success-sessionend http-traffic:success (web-activity-allowed) ↳dell-sw-kv-http-session-category http-session:fail (web-activity-denied) ↳dell-sw-kv-http-session-category	T1189 - Drive-by Compromise T1204 - User Execution T1204.001 - T1204.001 T1534 - Internal Spearphishing T1566 - Phishing T1566.002 - Phishing: Spearphishing Link T1598 - T1598 T1598.003 - T1598.003	5 Rules 2 Models
Physical Security	vpn-login:success (vpn-login) ↳sonicwall-sw-kv-vpn-login-success-1080 ↳dell-sw-kv-vpn-login-success-netextenderconnected ↳dell-sw-cef-vpn-login-success-userloginsuccessful ↳dell-sw-kv-vpn-login-success-userloginsuccessful ↳dell-sw-kv-vpn-login-success-platformprefix ↳dell-sw-str-vpn-login-success-csacl ↳dell-sw-cef-vpn-login-success-userloginandzoneassignment	T1133 - External Remote Services	1 Rules 1 Models
Privilege Abuse	endpoint-login:success (remote-logon) ↳dell-sw-cef-rdp-traffic-success-rdp vpn-login:success (vpn-login) ↳sonicwall-sw-kv-vpn-login-success-1080 ↳dell-sw-kv-vpn-login-success-netextenderconnected ↳dell-sw-cef-vpn-login-success-userloginsuccessful ↳dell-sw-kv-vpn-login-success-userloginsuccessful ↳dell-sw-kv-vpn-login-success-platformprefix ↳dell-sw-str-vpn-login-success-csacl ↳dell-sw-cef-vpn-login-success-userloginandzoneassignment vpn-logout:success (vpn-logout) ↳dell-sw-cef-vpn-logout-success-loggedout ↳dell-sw-kv-vpn-logout-success-sslvpn ↳sonicwall-sw-kv-vpn-logout-success-sslvpn ↳dell-sw-kv-vpn-logout-success-infosystem ↳dell-sw-cef-vpn-logout-success-sessionend http-traffic:success (web-activity-allowed) ↳dell-sw-kv-http-session-category http-session:fail (web-activity-denied) ↳dell-sw-kv-http-session-category	T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1078.002 - T1078.002 T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1133 - External Remote Services	13 Rules 8 Models
Privilege Escalation	endpoint-login:success (remote-logon) ↳dell-sw-cef-rdp-traffic-success-rdp vpn-logout:success (vpn-logout) ↳dell-sw-cef-vpn-logout-success-loggedout ↳dell-sw-kv-vpn-logout-success-sslvpn ↳sonicwall-sw-kv-vpn-logout-success-sslvpn ↳dell-sw-kv-vpn-logout-success-infosystem ↳dell-sw-cef-vpn-logout-success-sessionend	T1078 - Valid Accounts T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1555 - Credentials from Password Stores T1555.005 - T1555.005	7 Rules 6 Models
Ransomware	vpn-login:fail (failed-vpn-login) ↳dell-sw-kv-vpn-login-fail-sslvpn ↳dell-sw-cef-vpn-login-fail-userloginfailed ↳dell-sw-kv-vpn-login-fail-140 endpoint-login:success (remote-logon) ↳dell-sw-cef-rdp-traffic-success-rdp vpn-login:success (vpn-login) ↳sonicwall-sw-kv-vpn-login-success-1080 ↳dell-sw-kv-vpn-login-success-netextenderconnected ↳dell-sw-cef-vpn-login-success-userloginsuccessful ↳dell-sw-kv-vpn-login-success-userloginsuccessful ↳dell-sw-kv-vpn-login-success-platformprefix ↳dell-sw-str-vpn-login-success-csacl ↳dell-sw-cef-vpn-login-success-userloginandzoneassignment http-traffic:success (web-activity-allowed) ↳dell-sw-kv-http-session-category http-session:fail (web-activity-denied) ↳dell-sw-kv-http-session-category	T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts	2 Rules