Skip to content

Latest commit

 

History

History
23 lines (21 loc) · 9.57 KB

ds_sentinelone_vigilance.md

File metadata and controls

23 lines (21 loc) · 9.57 KB
Raw

Vendor: SentinelOne

Product: Vigilance

Rules Models MITRE ATT&CK® TTPs Activity Types Parsers
117 44 16 5 3
Use-Case Activity Types (Legacy Event Type)/Parsers MITRE ATT&CK® TTP Content
Abnormal Authentication & Access user-create:success (account-creation)
sentinelone-v-cef-user-create-success-newuseradded

scheduled_task-trigger:success (app-activity)
sentinelone-v-cef-app-activity-success-usermodified
sentinelone-v-cef-app-activity-success-userdeleted
sentinelone-v-cef-app-activity-success-usercreatedrole

app-login:success (app-login)
sentinelone-v-cef-app-login-success-newconsole

app-login:fail (failed-app-login)
sentinelone-v-cef-app-login-login-failedconsole
 T1078 - Valid Accounts
T1133 - External Remote Services
  • 15 Rules
  • 4 Models
Account Manipulation user-create:success (account-creation)
sentinelone-v-cef-user-create-success-newuseradded

scheduled_task-trigger:success (app-activity)
sentinelone-v-cef-app-activity-success-usermodified
sentinelone-v-cef-app-activity-success-userdeleted
sentinelone-v-cef-app-activity-success-usercreatedrole
 T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
T1136 - Create Account
T1136.001 - Create Account: Create: Local Account
T1136.002 - T1136.002
  • 23 Rules
  • 9 Models
Data Leak scheduled_task-trigger:success (app-activity)
sentinelone-v-cef-app-activity-success-usermodified
sentinelone-v-cef-app-activity-success-userdeleted
sentinelone-v-cef-app-activity-success-usercreatedrole
 T1114 - Email Collection
T1114.003 - Email Collection: Email Forwarding Rule
  • 3 Rules
Malware app-login:success (app-login)
sentinelone-v-cef-app-login-success-newconsole

alert-trigger:success (security-alert)
sentinelone-v-cef-alert-trigger-success-threatdetected
sentinelone-v-cef-alert-trigger-success-activethreat
 T1078 - Valid Accounts
TA0002 - TA0002
  • 5 Rules
  • 2 Models
Privilege Escalation scheduled_task-trigger:success (app-activity)
sentinelone-v-cef-app-activity-success-usermodified
sentinelone-v-cef-app-activity-success-userdeleted
sentinelone-v-cef-app-activity-success-usercreatedrole
 T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Models
Ransomware app-login:success (app-login)
sentinelone-v-cef-app-login-success-newconsole

app-login:fail (failed-app-login)
sentinelone-v-cef-app-login-login-failedconsole
 T1078 - Valid Accounts
  • 2 Rules
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
External Remote Services

Valid Accounts

Exploit Public Fasing Application

 Create Account

External Remote Services

Valid Accounts

Account Manipulation

Create Account: Create: Local Account

Account Manipulation: Exchange Email Delegate Permissions

 Valid Accounts

Exploitation for Privilege Escalation

 Obfuscated Files or Information: Indicator Removal from Tools

Valid Accounts

Obfuscated Files or Information

 Email Collection

Email Collection: Email Forwarding Rule

 Proxy: Multi-hop Proxy

Proxy