Use-Case	Activity Type (Legacy Event Type)/Parsers	MITRE ATT&CK® TTP	Content
Data Exfiltration	alert-trigger:success (dlp-alert) ↳trendmicro-officescan-kv-alert-trigger-success-transmissiondetected ↳trendmicro-officescan-cef-alert-trigger-success-dlp ↳trendmicro-officescan-cef-alert-trigger-success-blocked http-traffic:success (web-activity-allowed) ↳trendmicro-officescan-cef-http-session-success-controlmanager	T1020 - Automated Exfiltration T1041 - Exfiltration Over C2 Channel T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1567 - Exfiltration Over Web Service T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage T1568 - Dynamic Resolution T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0010 - TA0010	36 Rules 19 Models
Data Leak	alert-trigger:success (dlp-alert) ↳trendmicro-officescan-kv-alert-trigger-success-transmissiondetected ↳trendmicro-officescan-cef-alert-trigger-success-dlp ↳trendmicro-officescan-cef-alert-trigger-success-blocked email-send:success (dlp-email-alert-out) ↳trendmicro-officescan-cef-email-send-success-controlmanager file-write:success (usb-write) ↳trendmicro-officescan-cef-file-write-success-passed http-traffic:success (web-activity-allowed) ↳trendmicro-officescan-cef-http-session-success-controlmanager	T1020 - Automated Exfiltration T1041 - Exfiltration Over C2 Channel T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1052 - Exfiltration Over Physical Medium T1052.001 - Exfiltration Over Physical Medium: Exfiltration over USB T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1091 - Replication Through Removable Media T1567 - Exfiltration Over Web Service T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage TA0010 - TA0010	80 Rules 38 Models
Lateral Movement	alert-trigger:success (security-alert) ↳trendmicro-officescan-kv-alert-trigger-success-deepsecuritymanager ↳trendmicro-officescan-kv-alert-trigger-success-logvirus ↳trendmicro-officescan-str-alert-trigger-success-virus ↳trendmicro-officescan-kv-alert-trigger-success-contentfiltering ↳trendmicro-officescan-kv-alert-trigger-success-logdevicecontrol ↳trendmicro-officescan-kv-alert-trigger-success-logurlfiltering ↳trendmicro-officescan-kv-alert-trigger-success-logspyware ↳trendmicro-officescan-kv-alert-trigger-success-trendmicro ↳trendmicro-officescan-kv-alert-trigger-success-logbehavior ↳trendmicro-officescan-kv-alert-trigger-success-officescanserver ↳trendmicro-officescan-kv-alert-trigger-success-ccca ↳trendmicro-officescan-kv-alert-trigger-success-logpredictive ↳trendmicro-officescan-kv-alert-trigger-success-webreputation ↳trendmicro-officescan-str-alert-trigger-success-officescan ↳trendmicro-officescan-kv-alert-trigger-success-callbackdetected ↳trendmicro-officescan-kv-alert-trigger-success-lognetworkvirus ↳trendmicro-officescan-cef-email-send-success-controlmanager http-traffic:success (web-activity-allowed) ↳trendmicro-officescan-cef-http-session-success-controlmanager	T1027 - Obfuscated Files or Information T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1090 - Proxy T1090.003 - Proxy: Multi-hop Proxy T1190 - Exploit Public Fasing Application	9 Rules
Malware	alert-trigger:success (dlp-alert) ↳trendmicro-officescan-kv-alert-trigger-success-transmissiondetected ↳trendmicro-officescan-cef-alert-trigger-success-dlp ↳trendmicro-officescan-cef-alert-trigger-success-blocked email-receive:success (dlp-email-alert-in) ↳trendmicro-officescan-cef-email-send-success-controlmanager email-send:success (dlp-email-alert-out) ↳trendmicro-officescan-cef-email-send-success-controlmanager alert-trigger:success (security-alert) ↳trendmicro-officescan-kv-alert-trigger-success-deepsecuritymanager ↳trendmicro-officescan-kv-alert-trigger-success-logvirus ↳trendmicro-officescan-str-alert-trigger-success-virus ↳trendmicro-officescan-kv-alert-trigger-success-contentfiltering ↳trendmicro-officescan-kv-alert-trigger-success-logdevicecontrol ↳trendmicro-officescan-kv-alert-trigger-success-logurlfiltering ↳trendmicro-officescan-kv-alert-trigger-success-logspyware ↳trendmicro-officescan-kv-alert-trigger-success-trendmicro ↳trendmicro-officescan-kv-alert-trigger-success-logbehavior ↳trendmicro-officescan-kv-alert-trigger-success-officescanserver ↳trendmicro-officescan-kv-alert-trigger-success-ccca ↳trendmicro-officescan-kv-alert-trigger-success-logpredictive ↳trendmicro-officescan-kv-alert-trigger-success-webreputation ↳trendmicro-officescan-str-alert-trigger-success-officescan ↳trendmicro-officescan-kv-alert-trigger-success-callbackdetected ↳trendmicro-officescan-kv-alert-trigger-success-lognetworkvirus ↳trendmicro-officescan-cef-email-send-success-controlmanager file-write:success (usb-write) ↳trendmicro-officescan-cef-file-write-success-passed http-traffic:success (web-activity-allowed) ↳trendmicro-officescan-cef-http-session-success-controlmanager	T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1189 - Drive-by Compromise T1190 - Exploit Public Fasing Application T1204 - User Execution T1204.001 - T1204.001 T1566 - Phishing T1566.002 - Phishing: Spearphishing Link T1568 - Dynamic Resolution T1568.002 - Dynamic Resolution: Domain Generation Algorithms TA0002 - TA0002	28 Rules 9 Models
Privilege Abuse	email-receive:success (dlp-email-alert-in) ↳trendmicro-officescan-cef-email-send-success-controlmanager email-send:success (dlp-email-alert-out) ↳trendmicro-officescan-cef-email-send-success-controlmanager http-traffic:success (web-activity-allowed) ↳trendmicro-officescan-cef-http-session-success-controlmanager	T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts	2 Rules
Privileged Activity	email-receive:success (dlp-email-alert-in) ↳trendmicro-officescan-cef-email-send-success-controlmanager email-send:success (dlp-email-alert-out) ↳trendmicro-officescan-cef-email-send-success-controlmanager alert-trigger:success (security-alert) ↳trendmicro-officescan-kv-alert-trigger-success-deepsecuritymanager ↳trendmicro-officescan-kv-alert-trigger-success-logvirus ↳trendmicro-officescan-str-alert-trigger-success-virus ↳trendmicro-officescan-kv-alert-trigger-success-contentfiltering ↳trendmicro-officescan-kv-alert-trigger-success-logdevicecontrol ↳trendmicro-officescan-kv-alert-trigger-success-logurlfiltering ↳trendmicro-officescan-kv-alert-trigger-success-logspyware ↳trendmicro-officescan-kv-alert-trigger-success-trendmicro ↳trendmicro-officescan-kv-alert-trigger-success-logbehavior ↳trendmicro-officescan-kv-alert-trigger-success-officescanserver ↳trendmicro-officescan-kv-alert-trigger-success-ccca ↳trendmicro-officescan-kv-alert-trigger-success-logpredictive ↳trendmicro-officescan-kv-alert-trigger-success-webreputation ↳trendmicro-officescan-str-alert-trigger-success-officescan ↳trendmicro-officescan-kv-alert-trigger-success-callbackdetected ↳trendmicro-officescan-kv-alert-trigger-success-lognetworkvirus ↳trendmicro-officescan-cef-email-send-success-controlmanager http-traffic:success (web-activity-allowed) ↳trendmicro-officescan-cef-http-session-success-controlmanager	T1068 - Exploitation for Privilege Escalation T1071 - Application Layer Protocol T1071.001 - Application Layer Protocol: Web Protocols T1078 - Valid Accounts T1102 - Web Service	4 Rules

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

2_ds_trend_micro_officescan.md

2_ds_trend_micro_officescan.md

Files

2_ds_trend_micro_officescan.md

Latest commit

History

2_ds_trend_micro_officescan.md

File metadata and controls