Use-Case	Activity Type (Legacy Event Type)/Parsers	MITRE ATT&CK® TTP	Content
Compromised Credentials	scheduled_task-trigger:success (app-activity) ↳manageengine-adauditplus-json-app-activity-success-301 ↳manageengine-adauditplus-json-app-activity-success-301 endpoint-login:success (authentication-successful) ↳manageengine-adauditplus-json-app-activity-302 ds_object-activity:success (ds-access) ↳manageengine-adauditplus-json-ds-object-modify-success-4742 ↳manageengine-adauditplus-json-ds-object-modify-success-5136 ↳manageengine-adauditplus-json-ds-object-modify-success-4738 ↳manageengine-adauditplus-json-ds-object-create-success-5137 ↳manageengine-adauditplus-json-ds-object-move-success-5139	T1003 - OS Credential Dumping T1003.006 - OS Credential Dumping: DCSync T1078 - Valid Accounts T1133 - External Remote Services T1207 - Rogue Domain Controller T1558 - Steal or Forge Kerberos Tickets	46 Rules 25 Models
Privilege Abuse	scheduled_task-trigger:success (app-activity) ↳manageengine-adauditplus-json-app-activity-success-301 ↳manageengine-adauditplus-json-app-activity-success-301 ds_object-activity:success (ds-access) ↳manageengine-adauditplus-json-ds-object-modify-success-4742 ↳manageengine-adauditplus-json-ds-object-modify-success-5136 ↳manageengine-adauditplus-json-ds-object-modify-success-4738 ↳manageengine-adauditplus-json-ds-object-create-success-5137 ↳manageengine-adauditplus-json-ds-object-move-success-5139 group-member-add:success (member-added) ↳manageengine-adauditplus-json-group-member-add-success-4728 ↳manageengine-adauditplus-json-group-member-add-success-4732 ↳manageengine-adauditplus-json-group-member-add-success-addmember-301 group-member-remove:success (member-removed) ↳manageengine-adauditplus-json-group-member-remove-success-removemember-301 ↳manageengine-adauditplus-json-group-member-remove-success-4757 ↳manageengine-adauditplus-json-group-member-remove-success-4733 ↳manageengine-adauditplus-json-group-member-remove-success-4729	T1078 - Valid Accounts T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1136 - Create Account T1484 - Group Policy Modification	32 Rules 16 Models
Privileged Activity	scheduled_task-trigger:success (app-activity) ↳manageengine-adauditplus-json-app-activity-success-301 ↳manageengine-adauditplus-json-app-activity-success-301 ds_object-activity:success (ds-access) ↳manageengine-adauditplus-json-ds-object-modify-success-4742 ↳manageengine-adauditplus-json-ds-object-modify-success-5136 ↳manageengine-adauditplus-json-ds-object-modify-success-4738 ↳manageengine-adauditplus-json-ds-object-create-success-5137 ↳manageengine-adauditplus-json-ds-object-move-success-5139	T1003 - OS Credential Dumping T1003.006 - OS Credential Dumping: DCSync T1078 - Valid Accounts T1207 - Rogue Domain Controller T1484 - Group Policy Modification	9 Rules 3 Models

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

2_ds_manageengine_adauditplus.md

2_ds_manageengine_adauditplus.md

Files

2_ds_manageengine_adauditplus.md

Latest commit

History

2_ds_manageengine_adauditplus.md

File metadata and controls