2_ds_wiz_wiz.md

File metadata and controls

6 lines (6 loc) · 4.41 KB
| Use-Case | Activity Type (Legacy Event Type)/Parsers | MITRE ATT&CK® TTP | Content |
| --- | --- | --- | --- |
| Compromised Credentials | app-login:success (app-login)<br>wiz-w-json-app-login-success-federatedauth<br>wiz-w-json-app-login-success-fail-login<br><br>app-login:fail (failed-app-login)<br>wiz-w-json-app-login-success-fail-login<br><br>alert-trigger:success (security-alert)<br>wiz-w-json-alert-trigger-success-malwareinstance<br>wiz-w-json-alert-trigger-success-ddosattack<br>wiz-w-json-alert-trigger-success-cloudevents<br>wiz-w-json-alert-trigger-success-virtualmachine | T1027 - Obfuscated Files or Information<br>T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1133 - External Remote Services<br>T1190 - Exploit Public-Facing Application | • 51 Rules<br>• 25 Models |
| Lateral Movement | app-login:success (app-login)<br>wiz-w-json-app-login-success-federatedauth<br>wiz-w-json-app-login-success-fail-login<br><br>app-login:fail (failed-app-login)<br>wiz-w-json-app-login-success-fail-login<br><br>alert-trigger:success (security-alert)<br>wiz-w-json-alert-trigger-success-malwareinstance<br>wiz-w-json-alert-trigger-success-ddosattack<br>wiz-w-json-alert-trigger-success-cloudevents<br>wiz-w-json-alert-trigger-success-virtualmachine | T1027 - Obfuscated Files or Information<br>T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools<br>T1078 - Valid Accounts<br>T1090 - Proxy<br>T1090.003 - Proxy: Multi-hop Proxy | • 4 Rules |
| Malware | app-login:success (app-login)<br>wiz-w-json-app-login-success-federatedauth<br>wiz-w-json-app-login-success-fail-login<br><br>alert-trigger:success (security-alert)<br>wiz-w-json-alert-trigger-success-malwareinstance<br>wiz-w-json-alert-trigger-success-ddosattack<br>wiz-w-json-alert-trigger-success-cloudevents<br>wiz-w-json-alert-trigger-success-virtualmachine | T1078 - Valid Accounts<br>TA0002 - TA0002 | • 5 Rules<br>• 2 Models |
| Privileged Activity | app-login:success (app-login)<br>wiz-w-json-app-login-success-federatedauth<br>wiz-w-json-app-login-success-fail-login<br><br>app-login:fail (failed-app-login)<br>wiz-w-json-app-login-success-fail-login<br><br>alert-trigger:success (security-alert)<br>wiz-w-json-alert-trigger-success-malwareinstance<br>wiz-w-json-alert-trigger-success-ddosattack<br>wiz-w-json-alert-trigger-success-cloudevents<br>wiz-w-json-alert-trigger-success-virtualmachine | T1068 - Exploitation for Privilege Escalation<br>T1078 - Valid Accounts | • 2 Rules |