| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|---|---|---|---|---|
| 104 | 38 | 26 | 3 | 8 |
| Use-Case | Activity Types (Legacy Event Type)/Parsers | MITRE ATT&CK® TTP | Content |
|---|---|---|---|
| Abnormal Authentication & Access | http-traffic:success (web-activity-allowed) ↳fireeye-networksecurity-json-http-session-dstdomain http-session:fail (web-activity-denied) ↳fireeye-networksecurity-json-http-session-dstdomain |
T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols |
|
| Compromised Credentials | alert-trigger:success (security-alert) ↳fireeye-networksecurity-json-alert-trigger-success-srcipv4 ↳fireeye-escm-json-alert-trigger-success-fireeyecm ↳fireeye-networksecurity-cef-alert-trigger-success-deviceseverity ↳fireeye-networksecurity-leef-alert-trigger-success-malwareobject ↳fireeye-networksecurity-cef-alert-trigger-success-fireeye ↳fireeye-networksecurity-json-alert-trigger-success-product ↳fireeye-networksecurity-leef-alert-trigger-success-fireeyemps ↳fireeye-emailsecurity-cef-alert-trigger-success-fireeye ↳fireeye-networksecurity-xml-alert-trigger-success-fenotify http-traffic:success (web-activity-allowed) ↳fireeye-networksecurity-json-http-session-dstdomain http-session:fail (web-activity-denied) ↳fireeye-networksecurity-json-http-session-dstdomain |
T1027 - Obfuscated Files or Information T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service T1133 - External Remote Services T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204 - User Execution T1204.001 - T1204.001 T1566 - Phishing T1566.002 - Phishing: Spearphishing Link T1568 - Dynamic Resolution T1568.002 - Dynamic Resolution: Domain Generation Algorithms |
|
| Cryptomining | http-traffic:success (web-activity-allowed) ↳fireeye-networksecurity-json-http-session-dstdomain http-session:fail (web-activity-denied) ↳fireeye-networksecurity-json-http-session-dstdomain |
T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking |
|
| Data Exfiltration | http-traffic:success (web-activity-allowed) ↳fireeye-networksecurity-json-http-session-dstdomain http-session:fail (web-activity-denied) ↳fireeye-networksecurity-json-http-session-dstdomain |
T1041 - Exfiltration Over C2 Channel T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1567 - Exfiltration Over Web Service T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage T1568 - Dynamic Resolution T1568.002 - Dynamic Resolution: Domain Generation Algorithms |
|
| Data Leak | http-traffic:success (web-activity-allowed) ↳fireeye-networksecurity-json-http-session-dstdomain http-session:fail (web-activity-denied) ↳fireeye-networksecurity-json-http-session-dstdomain |
T1041 - Exfiltration Over C2 Channel T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1567 - Exfiltration Over Web Service T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage |
|
| Phishing | http-traffic:success (web-activity-allowed) ↳fireeye-networksecurity-json-http-session-dstdomain http-session:fail (web-activity-denied) ↳fireeye-networksecurity-json-http-session-dstdomain |
T1189 - Drive-by Compromise T1204 - User Execution T1204.001 - T1204.001 T1534 - Internal Spearphishing T1566 - Phishing T1566.002 - Phishing: Spearphishing Link T1598 - T1598 T1598.003 - T1598.003 |
|
| Privilege Abuse | http-traffic:success (web-activity-allowed) ↳fireeye-networksecurity-json-http-session-dstdomain http-session:fail (web-activity-denied) ↳fireeye-networksecurity-json-http-session-dstdomain |
T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts |
|
| Ransomware | http-traffic:success (web-activity-allowed) ↳fireeye-networksecurity-json-http-session-dstdomain http-session:fail (web-activity-denied) ↳fireeye-networksecurity-json-http-session-dstdomain |
T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols |
|
| Workforce Protection | http-traffic:success (web-activity-allowed) ↳fireeye-networksecurity-json-http-session-dstdomain |
T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols |
|
| Next Page -->> |
| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Phishing: Spearphishing Link External Remote Services Valid Accounts Drive-by Compromise Exploit Public Fasing Application Phishing |
User Execution |
External Remote Services Valid Accounts |
Valid Accounts Exploitation for Privilege Escalation |
Obfuscated Files or Information: Indicator Removal from Tools Valid Accounts Obfuscated Files or Information |
Internal Spearphishing |
Web Service Application Layer Protocol: Web Protocols Dynamic Resolution Dynamic Resolution: Domain Generation Algorithms Proxy: Multi-hop Proxy Application Layer Protocol Proxy |
Exfiltration Over C2 Channel Exfiltration Over Web Service: Exfiltration to Cloud Storage Exfiltration Over Web Service |
Resource Hijacking |