Use-Case	Activity Type (Legacy Event Type)/Parsers	MITRE ATT&CK® TTP	Content
Cryptomining	http-traffic:success (web-activity-allowed) ↳squid-s-str-http-session-squid ↳squid-s-str-http-session-squidproxy ↳squid-s-json-http-session-responsestatus ↳squid-s-str-http-session-squidaccess ↳squid-s-str-http-session-squidwebactivity ↳squid-s-csv-http-session-evt http-session:fail (web-activity-denied) ↳squid-s-str-http-session-squid ↳squid-s-str-http-session-squidproxy ↳squid-s-json-http-session-responsestatus ↳squid-s-str-http-session-squidaccess ↳squid-s-str-http-session-squidwebactivity ↳squid-s-csv-http-session-evt	T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1496 - Resource Hijacking	1 Rules
Data Exfiltration	http-traffic:success (web-activity-allowed) ↳squid-s-str-http-session-squid ↳squid-s-str-http-session-squidproxy ↳squid-s-json-http-session-responsestatus ↳squid-s-str-http-session-squidaccess ↳squid-s-str-http-session-squidwebactivity ↳squid-s-csv-http-session-evt http-session:fail (web-activity-denied) ↳squid-s-str-http-session-squid ↳squid-s-str-http-session-squidproxy ↳squid-s-json-http-session-responsestatus ↳squid-s-str-http-session-squidaccess ↳squid-s-str-http-session-squidwebactivity ↳squid-s-csv-http-session-evt	T1041 - Exfiltration Over C2 Channel T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1567 - Exfiltration Over Web Service T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage T1568 - Dynamic Resolution T1568.002 - Dynamic Resolution: Domain Generation Algorithms	8 Rules 2 Models
Data Leak	http-traffic:success (web-activity-allowed) ↳squid-s-str-http-session-squid ↳squid-s-str-http-session-squidproxy ↳squid-s-json-http-session-responsestatus ↳squid-s-str-http-session-squidaccess ↳squid-s-str-http-session-squidwebactivity ↳squid-s-csv-http-session-evt http-session:fail (web-activity-denied) ↳squid-s-str-http-session-squid ↳squid-s-str-http-session-squidproxy ↳squid-s-json-http-session-responsestatus ↳squid-s-str-http-session-squidaccess ↳squid-s-str-http-session-squidwebactivity ↳squid-s-csv-http-session-evt	T1041 - Exfiltration Over C2 Channel T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1567 - Exfiltration Over Web Service T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage	6 Rules 2 Models
Lateral Movement	http-traffic:success (web-activity-allowed) ↳squid-s-str-http-session-squid ↳squid-s-str-http-session-squidproxy ↳squid-s-json-http-session-responsestatus ↳squid-s-str-http-session-squidaccess ↳squid-s-str-http-session-squidwebactivity ↳squid-s-csv-http-session-evt http-session:fail (web-activity-denied) ↳squid-s-str-http-session-squid ↳squid-s-str-http-session-squidproxy ↳squid-s-json-http-session-responsestatus ↳squid-s-str-http-session-squidaccess ↳squid-s-str-http-session-squidwebactivity ↳squid-s-csv-http-session-evt	T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1090 - Proxy T1090.003 - Proxy: Multi-hop Proxy T1190 - Exploit Public Fasing Application	9 Rules
Malware	http-traffic:success (web-activity-allowed) ↳squid-s-str-http-session-squid ↳squid-s-str-http-session-squidproxy ↳squid-s-json-http-session-responsestatus ↳squid-s-str-http-session-squidaccess ↳squid-s-str-http-session-squidwebactivity ↳squid-s-csv-http-session-evt http-session:fail (web-activity-denied) ↳squid-s-str-http-session-squid ↳squid-s-str-http-session-squidproxy ↳squid-s-json-http-session-responsestatus ↳squid-s-str-http-session-squidaccess ↳squid-s-str-http-session-squidwebactivity ↳squid-s-csv-http-session-evt	T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204 - User Execution T1204.001 - T1204.001 T1566 - Phishing T1566.002 - Phishing: Spearphishing Link T1568 - Dynamic Resolution T1568.002 - Dynamic Resolution: Domain Generation Algorithms	25 Rules 7 Models
Phishing	http-traffic:success (web-activity-allowed) ↳squid-s-str-http-session-squid ↳squid-s-str-http-session-squidproxy ↳squid-s-json-http-session-responsestatus ↳squid-s-str-http-session-squidaccess ↳squid-s-str-http-session-squidwebactivity ↳squid-s-csv-http-session-evt http-session:fail (web-activity-denied) ↳squid-s-str-http-session-squid ↳squid-s-str-http-session-squidproxy ↳squid-s-json-http-session-responsestatus ↳squid-s-str-http-session-squidaccess ↳squid-s-str-http-session-squidwebactivity ↳squid-s-csv-http-session-evt	T1189 - Drive-by Compromise T1204 - User Execution T1204.001 - T1204.001 T1534 - Internal Spearphishing T1566 - Phishing T1566.002 - Phishing: Spearphishing Link T1598 - T1598 T1598.003 - T1598.003	3 Rules
Privilege Abuse	http-traffic:success (web-activity-allowed) ↳squid-s-str-http-session-squid ↳squid-s-str-http-session-squidproxy ↳squid-s-json-http-session-responsestatus ↳squid-s-str-http-session-squidaccess ↳squid-s-str-http-session-squidwebactivity ↳squid-s-csv-http-session-evt http-session:fail (web-activity-denied) ↳squid-s-str-http-session-squid ↳squid-s-str-http-session-squidproxy ↳squid-s-json-http-session-responsestatus ↳squid-s-str-http-session-squidaccess ↳squid-s-str-http-session-squidwebactivity ↳squid-s-csv-http-session-evt	T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts	1 Rules
Privileged Activity	http-traffic:success (web-activity-allowed) ↳squid-s-str-http-session-squid ↳squid-s-str-http-session-squidproxy ↳squid-s-json-http-session-responsestatus ↳squid-s-str-http-session-squidaccess ↳squid-s-str-http-session-squidwebactivity ↳squid-s-csv-http-session-evt http-session:fail (web-activity-denied) ↳squid-s-str-http-session-squid ↳squid-s-str-http-session-squidproxy ↳squid-s-json-http-session-responsestatus ↳squid-s-str-http-session-squidaccess ↳squid-s-str-http-session-squidwebactivity ↳squid-s-csv-http-session-evt	T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service	2 Rules
Ransomware	http-traffic:success (web-activity-allowed) ↳squid-s-str-http-session-squid ↳squid-s-str-http-session-squidproxy ↳squid-s-json-http-session-responsestatus ↳squid-s-str-http-session-squidaccess ↳squid-s-str-http-session-squidwebactivity ↳squid-s-csv-http-session-evt http-session:fail (web-activity-denied) ↳squid-s-str-http-session-squid ↳squid-s-str-http-session-squidproxy ↳squid-s-json-http-session-responsestatus ↳squid-s-str-http-session-squidaccess ↳squid-s-str-http-session-squidwebactivity ↳squid-s-csv-http-session-evt	T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols	1 Rules
Workforce Protection	http-traffic:success (web-activity-allowed) ↳squid-s-str-http-session-squid ↳squid-s-str-http-session-squidproxy ↳squid-s-json-http-session-responsestatus ↳squid-s-str-http-session-squidaccess ↳squid-s-str-http-session-squidwebactivity ↳squid-s-csv-http-session-evt	T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols	4 Rules 2 Models

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

2_ds_squid_squid.md

2_ds_squid_squid.md

Files

2_ds_squid_squid.md

Latest commit

History

2_ds_squid_squid.md

File metadata and controls