2_ds_vmware_vmware_view.md

Use-Case	Activity Type (Legacy Event Type)/Parsers	MITRE ATT&CK® TTP	Content
Compromised Credentials	scheduled_task-trigger:success (app-activity) ↳vmware-view-kv-app-activity-success-desktopid app-login:success (app-login) ↳vmware-view-str-app-login-success-viewuser ↳vmware-view-kv-app-login-success-viewuserloggedin app-login:fail (failed-app-login) ↳vmware-view-kv-app-login-fail-viewuserauthfailed endpoint-login:success (remote-logon) ↳vmware-view-kv-endpoint-login-success-agentconnected ↳vmware-view-str-endpoint-login-fail-viewuser	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1133 - External Remote Services T1190 - Exploit Public Fasing Application T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets	75 Rules 39 Models
Data Access	scheduled_task-trigger:success (app-activity) ↳vmware-view-kv-app-activity-success-desktopid app-login:success (app-login) ↳vmware-view-str-app-login-success-viewuser ↳vmware-view-kv-app-login-success-viewuserloggedin app-login:fail (failed-app-login) ↳vmware-view-kv-app-login-fail-viewuserauthfailed	T1078 - Valid Accounts	20 Rules 11 Models
Lateral Movement	app-login:success (app-login) ↳vmware-view-str-app-login-success-viewuser ↳vmware-view-kv-app-login-success-viewuserloggedin app-login:fail (failed-app-login) ↳vmware-view-kv-app-login-fail-viewuserauthfailed endpoint-login:success (remote-logon) ↳vmware-view-kv-endpoint-login-success-agentconnected ↳vmware-view-str-endpoint-login-fail-viewuser	T1018 - Remote System Discovery T1021 - Remote Services T1078 - Valid Accounts T1090 - Proxy T1090.003 - Proxy: Multi-hop Proxy T1550 - Use Alternate Authentication Material T1550.002 - Use Alternate Authentication Material: Pass the Hash T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets T1558.003 - Steal or Forge Kerberos Tickets: Kerberoasting	29 Rules 12 Models
Malware	app-login:success (app-login) ↳vmware-view-str-app-login-success-viewuser ↳vmware-view-kv-app-login-success-viewuserloggedin endpoint-login:success (remote-logon) ↳vmware-view-kv-endpoint-login-success-agentconnected ↳vmware-view-str-endpoint-login-fail-viewuser	T1078 - Valid Accounts T1550 - Use Alternate Authentication Material T1550.003 - Use Alternate Authentication Material: Pass the Ticket T1558 - Steal or Forge Kerberos Tickets TA0002 - TA0002	6 Rules 2 Models
Privilege Abuse	user-password-modify:success (account-password-change) ↳vmware-view-kv-user-password-modify-success-pwdchanged scheduled_task-trigger:success (app-activity) ↳vmware-view-kv-app-activity-success-desktopid app-login:success (app-login) ↳vmware-view-str-app-login-success-viewuser ↳vmware-view-kv-app-login-success-viewuserloggedin app-login:fail (failed-app-login) ↳vmware-view-kv-app-login-fail-viewuserauthfailed endpoint-login:success (remote-logon) ↳vmware-view-kv-endpoint-login-success-agentconnected ↳vmware-view-str-endpoint-login-fail-viewuser	T1078 - Valid Accounts T1078.002 - T1078.002 T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	16 Rules 8 Models
Privileged Activity	scheduled_task-trigger:success (app-activity) ↳vmware-view-kv-app-activity-success-desktopid app-login:success (app-login) ↳vmware-view-str-app-login-success-viewuser ↳vmware-view-kv-app-login-success-viewuserloggedin app-login:fail (failed-app-login) ↳vmware-view-kv-app-login-fail-viewuserauthfailed endpoint-login:success (remote-logon) ↳vmware-view-kv-endpoint-login-success-agentconnected ↳vmware-view-str-endpoint-login-fail-viewuser	T1021 - Remote Services T1068 - Exploitation for Privilege Escalation T1078 - Valid Accounts T1078.002 - T1078.002	17 Rules 8 Models
Ransomware	app-login:success (app-login) ↳vmware-view-str-app-login-success-viewuser ↳vmware-view-kv-app-login-success-viewuserloggedin app-login:fail (failed-app-login) ↳vmware-view-kv-app-login-fail-viewuserauthfailed endpoint-login:success (remote-logon) ↳vmware-view-kv-endpoint-login-success-agentconnected ↳vmware-view-str-endpoint-login-fail-viewuser	T1078 - Valid Accounts	2 Rules