Vendor: Netskope

Product: Netskope Security Cloud

| Rules | Models | MITRE ATT&CK® TTPs | Activity Types | Parsers |
|:-----:|:------:|:------------------:|:--------------:|:-------:|
| 337 | 137 | 52 | 17 | 104 |

Use-Case | Activity Types (Legacy Event Type)/Parsers | MITRE ATT&CK® TTP | Content

Abnormal Authentication & Access

user-create:success (account-creation)
netskope-sc-json-app-activity-success-sessionbegin
netskope-sc-json-file-auditlogevent

scheduled_task-trigger:success (app-activity)
netskope-sc-sk4-app-activity-success-view
netskope-sc-sk4-app-activity-success-post
netskope-sc-sk4-app-activity-success-upload
netskope-sc-sk4-app-activity-success-emaillogsearch
netskope-sc-sk4-app-activity-success-like
netskope-sc-sk4-app-activity-success-updatetimestamp
netskope-sc-json-app-activity-success-share
netskope-sc-sk4-app-activity-success-powerups
netskope-sc-sk4-app-activity-success-loginattempt
netskope-sc-sk4-app-activity-success-receive
netskope-sc-sk4-app-logout-success-logout
netskope-sc-sk4-app-activity-success-alertcenterlistchange
netskope-sc-sk4-app-activity-success-approve
netskope-sc-sk4-app-activity-success-download
netskope-sc-sk4-app-activity-success-follow
netskope-sc-sk4-app-activity-success-delete
netskope-sc-sk4-app-activity-success-creategmailsetting
netskope-sc-sk4-app-activity-success-searchqueryperformed
netskope-sc-sk4-app-activity-success-alertcentergetsitlink
netskope-sc-sk4-app-activity-success-alertcenterview
netskope-sc-sk4-app-activity-success-dislike
netskope-sc-sk4-app-activity-success-securityinvestigationquery
netskope-sc-sk4-app-activity-success-alertcenterlistrelatedalerts
netskope-sc-sk4-app-activity-success-create
netskope-sc-sk4-app-activity-success-pageprefetched
netskope-sc-sk4-app-activity-success-groupmembersdownload
netskope-sc-sk4-app-activity-success-invite
netskope-sc-sk4-app-activity-success-move
netskope-sc-sk4-app-activity-success-updategroupmember
netskope-sc-sk4-app-activity-success-mark
netskope-sc-sk4-app-activity-success-changegmailsetting
netskope-sc-sk4-app-activity-success-share
netskope-sc-sk4-app-activity-success-viewall
netskope-sc-sk4-app-activity-success-send
netskope-sc-sk4-app-activity-success-sitecolumncreated
netskope-sc-sk4-app-activity-success-alertcenterlistfeedback
netskope-sc-sk4-app-activity-success-edit
netskope-sc-sk4-app-activity-success-terminate
netskope-sc-json-app-activity-success-propertyupdated
netskope-sc-json-app-activity-success-browsersession
netskope-sc-json-app-activity-success-sessionbegin
netskope-sc-json-file-auditlogevent
netskope-sc-sk4-app-activity-success-deletelevel
netskope-sc-sk4-app-activity-success-strongauthentication
netskope-sc-sk4-app-activity-success-deleteuser
netskope-sc-sk4-app-activity-success-requesttransfer
netskope-sc-sk4-app-activity-success-deleteobject
netskope-sc-sk4-app-activity-success-accesslevel
netskope-sc-json-app-activity-success-browsersessionid
netskope-sc-sk4-app-activity-success-copyobject
netskope-sc-sk4-app-activity-success-deletesetting
netskope-sc-sk4-app-activity-success-completeupload
netskope-sc-sk4-app-activity-success-driverestore
netskope-sc-sk4-app-activity-success-uploadpart
netskope-sc-sk4-app-activity-success-archiveuser
netskope-sc-sk4-app-activity-success-createlevel
netskope-sc-sk4-app-activity-success-multipartupload
netskope-sc-sk4-app-activity-success-putobject
netskope-sc-json-file-write-app-activity-success-rename

app-login:success (app-login)
netskope-sc-cef-app-login-success-loginsuccessful
netskope-sc-sk4-app-login-success-page
netskope-sc-json-app-login-success-login
netskope-sc-json-app-login-success-login-1
netskope-sc-json-app-login-success-loginsuccess
netskope-sc-json-app-login-success-loginsuccessful
netskope-sc-json-app-login-success-loginsuccessful-1
netskope-sc-json-app-login-success-ssologin-1

app-login:fail (failed-app-login)
netskope-sc-cef-app-login-fail-loginfailed
netskope-sc-json-app-login-fail-loginfailed
netskope-sc-cef-app-login-fail-flexstring1

http-traffic:success (web-activity-allowed)
netskope-sc-cef-http-session-success-cloudapp
netskope-sc-str-http-session-websocket
netskope-sc-str-http-session-success-webtransaction
netskope-sc-str-http-session-success-cloudapptransaction
netskope-sc-str-http-session-success-transaction
netskope-sc-json-network-traffic-traffictype
netskope-sc-cef-http-session-success-page

http-session:fail (web-activity-denied)
netskope-sc-cef-http-session-fail-block-1
netskope-sc-cef-http-session-fail-block
netskope-sc-str-http-session-websocket
netskope-sc-str-http-session-success-webtransaction
netskope-sc-str-http-session-success-cloudapptransaction
netskope-sc-str-http-session-success-transaction
T1071 - Application Layer Protocol
T1071.001 - Application Layer Protocol: Web Protocols
T1078 - Valid Accounts
T1133 - External Remote Services
  • 21 Rules
  • 10 Models

Account Manipulation

user-create:success (account-creation)
netskope-sc-json-app-activity-success-sessionbegin
netskope-sc-json-file-auditlogevent

scheduled_task-trigger:success (app-activity)
netskope-sc-sk4-app-activity-success-view
netskope-sc-sk4-app-activity-success-post
netskope-sc-sk4-app-activity-success-upload
netskope-sc-sk4-app-activity-success-emaillogsearch
netskope-sc-sk4-app-activity-success-like
netskope-sc-sk4-app-activity-success-updatetimestamp
netskope-sc-json-app-activity-success-share
netskope-sc-sk4-app-activity-success-powerups
netskope-sc-sk4-app-activity-success-loginattempt
netskope-sc-sk4-app-activity-success-receive
netskope-sc-sk4-app-logout-success-logout
netskope-sc-sk4-app-activity-success-alertcenterlistchange
netskope-sc-sk4-app-activity-success-approve
netskope-sc-sk4-app-activity-success-download
netskope-sc-sk4-app-activity-success-follow
netskope-sc-sk4-app-activity-success-delete
netskope-sc-sk4-app-activity-success-creategmailsetting
netskope-sc-sk4-app-activity-success-searchqueryperformed
netskope-sc-sk4-app-activity-success-alertcentergetsitlink
netskope-sc-sk4-app-activity-success-alertcenterview
netskope-sc-sk4-app-activity-success-dislike
netskope-sc-sk4-app-activity-success-securityinvestigationquery
netskope-sc-sk4-app-activity-success-alertcenterlistrelatedalerts
netskope-sc-sk4-app-activity-success-create
netskope-sc-sk4-app-activity-success-pageprefetched
netskope-sc-sk4-app-activity-success-groupmembersdownload
netskope-sc-sk4-app-activity-success-invite
netskope-sc-sk4-app-activity-success-move
netskope-sc-sk4-app-activity-success-updategroupmember
netskope-sc-sk4-app-activity-success-mark
netskope-sc-sk4-app-activity-success-changegmailsetting
netskope-sc-sk4-app-activity-success-share
netskope-sc-sk4-app-activity-success-viewall
netskope-sc-sk4-app-activity-success-send
netskope-sc-sk4-app-activity-success-sitecolumncreated
netskope-sc-sk4-app-activity-success-alertcenterlistfeedback
netskope-sc-sk4-app-activity-success-edit
netskope-sc-sk4-app-activity-success-terminate
netskope-sc-json-app-activity-success-propertyupdated
netskope-sc-json-app-activity-success-browsersession
netskope-sc-json-app-activity-success-sessionbegin
netskope-sc-json-file-auditlogevent
netskope-sc-sk4-app-activity-success-deletelevel
netskope-sc-sk4-app-activity-success-strongauthentication
netskope-sc-sk4-app-activity-success-deleteuser
netskope-sc-sk4-app-activity-success-requesttransfer
netskope-sc-sk4-app-activity-success-deleteobject
netskope-sc-sk4-app-activity-success-accesslevel
netskope-sc-json-app-activity-success-browsersessionid
netskope-sc-sk4-app-activity-success-copyobject
netskope-sc-sk4-app-activity-success-deletesetting
netskope-sc-sk4-app-activity-success-completeupload
netskope-sc-sk4-app-activity-success-driverestore
netskope-sc-sk4-app-activity-success-uploadpart
netskope-sc-sk4-app-activity-success-archiveuser
netskope-sc-sk4-app-activity-success-createlevel
netskope-sc-sk4-app-activity-success-multipartupload
netskope-sc-sk4-app-activity-success-putobject
netskope-sc-json-file-write-app-activity-success-rename
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
  • 23 Rules
  • 9 Models

MITRE ATT&CK® Framework for Enterprise

| Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Phishing: Spearphishing Link<br>External Remote Services<br>Valid Accounts<br>Drive-by Compromise<br>Exploit Public-Facing Application<br>Phishing | User Execution | Create Account<br>External Remote Services<br>Valid Accounts<br>Server Software Component: Web Shell<br>Account Manipulation<br>Server Software Component<br>Boot or Logon Autostart Execution<br>Create Account: Create: Local Account<br>Account Manipulation: Exchange Email Delegate Permissions | Valid Accounts<br>Exploitation for Privilege Escalation<br>Boot or Logon Autostart Execution | Obfuscated Files or Information: Indicator Removal from Tools<br>Indicator Removal on Host: File Deletion<br>Valid Accounts<br>Indicator Removal on Host<br>Obfuscated Files or Information | OS Credential Dumping | File and Directory Discovery | Internal Spearphishing | Email Collection<br>Email Collection: Email Forwarding Rule | Web Service<br>Application Layer Protocol: Web Protocols<br>Dynamic Resolution<br>Dynamic Resolution: Domain Generation Algorithms<br>Proxy: Multi-hop Proxy<br>Application Layer Protocol<br>Proxy | Exfiltration Over Alternative Protocol<br>Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol<br>Exfiltration Over C2 Channel<br>Automated Exfiltration<br>Exfiltration Over Web Service: Exfiltration to Cloud Storage<br>Exfiltration Over Web Service | Data Destruction<br>Resource Hijacking<br>Data Encrypted for Impact |